User Administration:
- adduser UserName
- deluser UserName
- usermod: modify user information.
- chage: change the expiration date and password aging information of a user account.
- whenever you use a directory as a share for a group, set the SGID bit so that new files inherit the directory's group, for ex: chmod 2770 /share-dir
for login/logout scripts and bash, refer to this topic: bash login, startup scripts and shell initialization files
bash login, startup scripts and shell initialization files..
ok, i will talk about bash,
When a user logs in, environment variables are set from several places.
the files consulted at login, in order, are:
- /etc/passwd (looked up to find the user's UID, home directory and login shell)
- /etc/shadow (looked up to verify the password)
- /etc/group (looked up to find the user's groups)
- /etc/profile runs.
- then all the files ending in .sh in the /etc/profile.d directory
- then bash looks for ~/.bash_profile, ~/.bash_login and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable (i.e. if ~/.bash_profile does not exist, bash looks for ~/.bash_login, then ~/.profile, and sources that instead). ~/.bash_profile may itself source ~/.bash_login and ~/.bashrc.
- ~/.bashrc might point to /etc/bashrc
- at logout ~/.bash_logout may run
- the bash command history is kept in ~/.bash_history
some of these files may not exist on your system (~/.bash_profile, ~/.bash_login, ~/.profile, ~/.bashrc, /etc/bashrc and ~/.bash_logout),
let's explain them:
1. /etc/passwd
the /etc/passwd file contains basic user attributes. It is an ASCII file with one entry per user. Each entry defines the basic attributes applied to that user.
An entry in the /etc/passwd file has the following form (one entry per line):
Name:Password:UserID:PrincipalGroup:Gecos:HomeDirectory:Shell
For security reasons, most Linux distributions no longer store the password hash in this file (it is stored in /etc/shadow and the field holds an x).
A corrupt /etc/passwd file can easily render a Linux box unusable.
for more info about /etc/passwd see:
manpages: man passwd
2. /etc/shadow
shadow contains the hashed (encrypted) password for each user's account and optionally the password aging information (account or password expiration values, etc).
for more info:
manpages: man shadow
3. /etc/group
/etc/group is an ASCII file which defines the groups to which users belong. There is one entry per line, and each line has the format:
group_name:passwd:GID:user1,user2,user3….userN
as you see, you have to separate each user with a comma.
for more info see:
manpages: man group
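As an added example (not from the original notes), a small shell/awk check for the passwd format just described: it flags lines without the seven fields, entries whose password field is empty, and any extra UID 0 account. The sample file is constructed here; point audit_passwd at /etc/passwd on a real host.

```shell
# Added example, not from the original notes: a quick audit of a passwd-format
# file, since one bad line can lock everyone out. It reports lines without the
# seven fields shown above, entries with an empty password field (with shadow
# passwords it should be "x"), and any UID 0 account other than root.
# audit_passwd FILE: prints one finding per line, returns 1 if anything was found
audit_passwd() {
    awk -F: '
        NF != 7 { printf "line %d: expected 7 fields, found %d\n", NR, NF; found = 1; next }
        $2 == "" { printf "line %d: %s has an empty password field\n", NR, $1; found = 1 }
        $3 == "0" && $1 != "root" { printf "line %d: %s has UID 0\n", NR, $1; found = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# constructed sample: a sane root and bin, one UID 0 clone, one empty password,
# one line with a missing field
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
idle-boy:x:500:500:Idle Boy:/home/idle-boy:/bin/bash
backdoor:x:0:0::/root:/bin/bash
guest::501:501::/home/guest:/bin/bash
broken:x:502:502:/home/broken:/bin/bash
EOF
```

Running audit_passwd "$SAMPLE_PASSWD" reports three findings (lines 4, 5 and 6) and returns 1.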
4. /etc/profile
the /etc/profile file contains system-wide environment settings and startup programs; all settings that you want to apply to every user's environment should be in this file.
5. /etc/profile.d/*.sh
/etc/profile.d is a good place to put application-specific settings and their environment variables.
6. ~/.bash_profile, ~/.bash_login, and ~/.profile
they can be used like the /etc/profile file but for a specific user… they hold user-specific bash environment defaults, extra configuration options or changed default settings.
bash will look for ~/.bash_profile, ~/.bash_login, and ~/.profile, in that order, and reads and executes commands from the first one that exists and is readable.
~/.profile is useful when the account uses another shell that does not understand the bash-specific files but does look for ~/.profile (the note mentions csh; Bourne-style shells such as sh and ksh read ~/.profile).
* ~/.bashrc
this file is used for user-specific aliases, exports and user functions.
~/.bashrc might point to /etc/bashrc to run the global things.
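As an added example (not part of the original notes), a small shell script that replays this search order against a constructed fake root, so you can see which files really run and which are skipped. SIMROOT, the stub files and their contents are constructed here; the stub for ~/.bash_profile sources ~/.bashrc, and ~/.bashrc sources /etc/bashrc, as the notes describe.

```shell
# Added example, not from the original notes: replay the login search order
# described above against a throwaway fake root, so you can see which files
# actually run. Every stub file appends its own name to STARTUP_TRACE.
# Assumption: SIMROOT stands in for both / and the parent of $HOME.
make_fake_root() {
    SIMROOT=$(mktemp -d)
    mkdir -p "$SIMROOT/etc/profile.d" "$SIMROOT/home/idle-boy"
    for f in etc/profile etc/profile.d/10-java.sh etc/profile.d/README etc/bashrc \
             home/idle-boy/.bash_profile home/idle-boy/.bash_login \
             home/idle-boy/.profile home/idle-boy/.bashrc; do
        printf 'STARTUP_TRACE="${STARTUP_TRACE:+$STARTUP_TRACE }%s"\n' "$f" > "$SIMROOT/$f"
    done
    # as the notes say: ~/.bash_profile usually sources ~/.bashrc, and ~/.bashrc
    # may point to /etc/bashrc for the global settings
    printf '. "%s/home/idle-boy/.bashrc"\n' "$SIMROOT" >> "$SIMROOT/home/idle-boy/.bash_profile"
    printf '. "%s/etc/bashrc"\n' "$SIMROOT" >> "$SIMROOT/home/idle-boy/.bashrc"
}

# simulate_login HOME_DIR: /etc/profile, then /etc/profile.d/*.sh (README is skipped),
# then only the FIRST readable one of ~/.bash_profile, ~/.bash_login, ~/.profile.
simulate_login() {
    STARTUP_TRACE=""
    [ -r "$SIMROOT/etc/profile" ] && . "$SIMROOT/etc/profile"
    for s in "$SIMROOT"/etc/profile.d/*.sh; do
        [ -r "$s" ] && . "$s"
    done
    for f in .bash_profile .bash_login .profile; do
        if [ -r "$1/$f" ]; then
            . "$1/$f"
            break
        fi
    done
    echo "$STARTUP_TRACE"
}
```

Delete the stub ~/.bash_profile and run simulate_login again to see bash fall back to ~/.bash_login, with ~/.bashrc no longer reached.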
finally, you may like to know that when you create a new user, the home directory for that user is initialised with files from the /etc/skel directory (i.e. /etc/skel contains the subdirectories and files used to populate a new user's home directory). The system administrator can create files in /etc/skel/ that will provide a default environment for users.
i don't know a good site talking about that, but take a look at this one:
ACL:
mount the file system with the acl option, ex:
mount -o remount,acl /dev/sda5 /home
as root: touch /home/idle-boy/a
getfacl /home/idle-boy/a
getfacl: Removing leading '/' from absolute path names
# file: home/idle-boy/a
# owner: root
# group: root
user::rw-
group::r--
other::r--
setfacl -m u:idle-boy:rw -m g:idle-boy:rwx /home/idle-boy/a
getfacl /home/idle-boy/a
getfacl: Removing leading '/' from absolute path names
# file: home/idle-boy/a
# owner: root
# group: root
user::rw-
user:idle-boy:rw-
group::r--
group:idle-boy:rwx
mask::rwx
other::r--
Quotas:
- check if the kernel supports quota:
grep CONFIG_QUOTA /boot/config-`uname -r`
you should see:
CONFIG_QUOTA=y
- quota package: quota
Using Quota
two files have to be present in the file system you want to activate quota on:
quota.user: for user quotas
quota.group: for group quotas
to create these files, you first need to mount the file system with quota support:
mount -t ext3 /dev/sdaX /mount-point -o remount,usrquota,grpquota
now create the files using the quotacheck command:
quotacheck -cugm /mount-point
to activate quota on the mount point use quotaon:
quotaon /mount-point
to edit a user's quota, use the edquota command, for example:
edquota -u f00
to report quota usage use the repquota command…
it's better to automate quotacheck, use a cron job for that..
###############################
PAM:
A very good book to read to understand PAM is: Pluggable Authentication Modules by Kenneth Geisshirt, from Packt Publishing.
you can find documentation about PAM at this location:
/usr/share/doc/pam-version-num/txts
to prevent all users but root from logging in:
touch /etc/nologin
and /etc/pam.d/login must contain:
account required pam_nologin.so
after the last auth module.
you can type a message in that file; it is shown on the successful login (root) and on the failed logins (other users).
to control which ttys root may log in on, edit /etc/securetty
Four different types of PAM modules:
- auth: authenticates the user (the username/password check happens here)
- account: allows or denies access according to the account policies (ex/ password expiration date)
- password: manages password changes and other password policies.
- session: applies settings for the application's session..
###############################
LDAP (client):
needed rpm packages:
openldap, openldap-clients, nss_ldap
two files to be edited:
/etc/ldap.conf: change the following:
host IP: the LDAP server IP is written here
base dc=sqawasmi,dc=com: sets the default base distinguished name, in this case sqawasmi.com
ssl start_tls: needed if you want TLS support to encrypt passwords on the wire
pam_password: selects the password encryption scheme, options include crypt, nds and ad
nss_initgroups_ignoreusers root,ldap: assumes no supplemental groups in the LDAP server for these users
/etc/openldap/ldap.conf:
BASE dc=sqawasmi,dc=com: same as base in /etc/ldap.conf
URI ldap://IP: the LDAP server IP
make sure that your client will query the LDAP server for user and group lookups, for example in /etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
there are no services to run in the boot process..
###############################
NIS (client):
rpm packages:
to activate the NIS client you need to edit one file:
/etc/yp.conf:
domain NIS-DomainName server NIS-Server
make sure that your client will query the NIS server for user and group lookups, for example in /etc/nsswitch.conf:
passwd: files nis
shadow: files nis
group: files nis
you need to start ypbind and also chkconfig it to run at boot:
service ypbind start && chkconfig ypbind on
##############################
NFS
man exports; to see the format of /etc/exports
on server:
/etc/init.d/portmap start && /etc/init.d/nfs start
edit /etc/exports, ex:
/data *.sqawasmi.com(rw,sync) *(ro,sync) 10.0.0.0/24(ro,sync)
exportfs -a
on client:
mount -t nfs 10.0.0.1:/data /mnt/share -o soft,timeo=300
if you export to a hostname, you need working DNS: the server resolves the client's IP with a reverse DNS lookup to match it against the export.
to check that everything is running on the server:
rpcinfo -p HOST
show the exports of the server:
showmount -e HOST
put it in the boot process: chkconfig nfs on && chkconfig portmap on
for selinux see man nfs_selinux
securing with iptables:
edit /etc/sysconfig/nfs and pin the rpc helper ports to fixed numbers:
LOCKD_TCPPORT=33332
LOCKD_UDPPORT=33333
MOUNTD_PORT=33334
STATD_PORT=33335
in /etc/services put fixed rquotad tcp/udp ports:
rquotad 33330/tcp
rquotad 33331/udp
grep nfs /etc/services
grep portmap /etc/services
then open those ports, together with the nfs and portmap ports the two grep commands show, in iptables…
###################################
vsFTPD:
enable anonymous access:
anonymous_enable=yes
enable write access (uploads, deletes, renames):
write_enable=yes
enable local users login:
local_enable=yes
to enable pam authentication:
pam_service_name=vsftpd
support the access control of tcp_wrappers:
tcp_wrappers=yes
welcome msg:
ftpd_banner=Welcome..
or in the user's home directory (or any directory entered), in .message, but you need to enable:
dirmessage_enable=yes
controlling who can log in using the /etc/vsftpd/user_list file (with userlist_deny=yes, the default, the listed users are not allowed; with userlist_deny=no only the listed users are allowed):
userlist_enable=yes
(pam also checks /etc/vsftpd/ftpusers to decide which users may log in)
for selinux see ftpd_selinux
#####################################
DNS
install bind, bind-utils and caching-nameserver, plus bind-chroot if you need it in a chrooted environment..
Caching Name Server:
cp /etc/named.caching-nameserver.conf /etc/named.conf
edit /etc/named.conf and change the following as you like:
listen-on port 53 { 127.0.0.1; }; // for example: listen-on port 53 { 127.0.0.1; 10.0.0.1; };
allow-query { localhost; }; // for example: allow-query { localhost; 10.0.0.0/24; }; to serve the 10.0.0.0/24 network
/etc/init.d/named start
chkconfig named on
Slave Name Server:
same as the caching file but add a zone (look at /etc/named.rfc1912.zones) for your domain and its master server, for example:
zone "sqawasmi.com" IN {
type slave;
file "slaves/sqawasmi.com";
masters {
10.0.0.1;
};
};
also you may add another zone for the reverse (PTR) records, example:
zone "0.0.10.in-addr.arpa" IN {
type slave;
file "slaves/sqawasmi.rr.com";
masters {
10.0.0.1;
};
};
A Forwarding Only Name Server:
you need to add two things into options:
forward only;
forwarders {
10.0.0.1;
10.0.0.2;
};
Master Name Server:
selinux: setsebool -P named_write_master_zones 1
add a zone (look at /etc/named.rfc1912.zones) for your domain, this time with type master, for example:
zone "sqawasmi.com" IN {
type master;
file "sqawasmi.com.zone";
};
also you may add another zone for the reverse (PTR) records, example:
zone "0.0.10.in-addr.arpa" IN {
type master;
file "sqawasmi.com.rr.zone";
};
now you need to create the zone files under /var/named, you can use /var/named/localhost.zone as a template for your zone, for example:
/var/named/sqawasmi.com.zone
$TTL 86400
@ IN SOA @ root.sqawasmi.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS @
IN A 10.0.0.10
blog IN A 10.0.0.1
other IN A 10.0.0.2
IN AAAA ::1 ; copied from the localhost.zone template, drop it for a real domain
(the second SOA field is the admin mailbox with the @ written as a dot; in the reverse zone name the master server explicitly, since @ there expands to the in-addr.arpa name)
for the ptr zone:
/var/named/sqawasmi.com.rr.zone
$TTL 86400
@ IN SOA sqawasmi.com. root.sqawasmi.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS sqawasmi.com.
10 IN PTR sqawasmi.com.
1 IN PTR blog.sqawasmi.com.
2 IN PTR other.sqawasmi.com.
finally you have to create an rndc key, use this:
rndc-confgen -a -b 512
add this to your named.conf file:
include "/etc/rndc.key";
###################################
NTP
Client:
choose one of the servers listed in /etc/ntp.conf, then:
ntpdate 0.rhel.pool.ntp.org
/etc/init.d/ntpd start
chkconfig ntpd on
server:
allow the clients in your network to connect to you (in /etc/ntp.conf):
restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap
or you can allow a single client:
restrict 10.0.0.2 mask 255.255.255.255 nomodify notrap
####################################
DHCP
Server:
package: dhcp
configuration file: /etc/dhcpd.conf
see: /usr/share/doc/dhcp-*/dhcpd.conf.sample
Client:
package: dhclient
####################################
SQUID
port number:
http_port 3128
don't cache URLs containing cgi-bin or ?:
use the hierarchy_stoplist directive and urlpath_regex in an acl:
hierarchy_stoplist cgi-bin ?
acl DontCache urlpath_regex cgi-bin \?
cache deny DontCache
specify a freshness for a service:
you can use the refresh_pattern directive:
refresh_pattern regex min percent max
where
min: the time (in minutes) an object without an explicit expiry time should be considered fresh.
max: an upper limit (in minutes) on how long objects without an explicit expiry time will be considered fresh.
example:
refresh_pattern ^ftp: 1440 20% 10080
use an acl with src to define your network, ex:
acl my_lan src 10.0.0.0/24
use http_access to allow or deny all, networks, hosts or ports, for example, allow my_lan and deny everyone else:
http_access allow my_lan
http_access deny all
specify the local computer name:
visible_hostname LocalComputerName
to create the basic cache directories in /var/spool/squid use:
squid -z
transparent squid with NAT (redirect web traffic arriving on eth0 to the proxy port):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
for selinux see:
/etc/squid/squid.conf has a lot of explanation…
####################################
sendmail, Postfix and dovecot:
sendmail:
add your domain to /etc/mail/local-host-names
vi /etc/mail/sendmail.mc
to allow other computers to use your sendmail server, comment out the following (by default it listens on 127.0.0.1 only):
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
to refuse mail from unresolvable domains, comment out the following:
FEATURE(`accept_unresolvable_domains')dnl
edit /etc/mail/access to RELAY/REJECT/DISCARD by domain or network, for example:
@example.org REJECT
deny.sqawasmi.com REJECT
sqawasmi.com RELAY
10.0.0 RELAY
edit /etc/aliases for aliasing and then run the newaliases command:
me: shaker
idle: shaker
~ # newaliases
/etc/mail/virtusertable maps virtual addresses to real addresses
to send through another host (smart host):
define(`SMART_HOST', `smtp.sqawasmi.com')dnl
you should add access for this server in /etc/mail/access
make -C /etc/mail/
Postfix:
configuration file: /etc/postfix/main.cf
edit these variables:
myhostname: the host name announced in the SMTP greeting
mydomain: your domain name
myorigin: the domain appended to local senders, for example sqawasmi.com, then all mail from shaker will be shaker@sqawasmi.com
inet_interfaces: which interfaces to listen on
mydestination: specifies the list of domains that this machine considers itself the final destination for.
mynetworks: specifies the list of trusted smtp clients.
access rules go in this file: /etc/postfix/access
virtual: /etc/postfix/virtual you need
Dovecot:
configuration file:
/etc/dovecot.conf
variables:
protocols: choose the protocols you want to use..
listen: if you don't use the standard ports
ssl_listen: same as above, for the ssl ports…
activate ssl:
ssl_disable = no
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
creating ssl certificates:
you need to edit the /etc/pki/dovecot/dovecot-openssl.cnf file as required
then issue this command:
/usr/share/doc/dovecot-versionNumber/examples/mkcert.sh
/etc/init.d/dovecot start && chkconfig dovecot on
####################################
tcp_wrappers
two files are read, in this order:
/etc/hosts.allow: tcp_wrappers looks here first; if it finds a match for the service and client it grants access and stops searching. If there is no match it continues to the next file:
/etc/hosts.deny: if it finds a match here, access is denied; if there is no match in either file, access is granted.
format:
daemon_list : client_list [: option], where either list may be ALL, for example ALL : ALL
for example:
/etc/hosts.allow:
sshd : 10.0.0.2
/etc/hosts.deny:
sshd : ALL
with those files, ssh login is permitted only from the 10.0.0.2 host.
you can use a subnet or a domain like this:
/etc/hosts.allow:
sshd : 10.0.0.0/255.255.255.0, .sqawasmi.com
/etc/hosts.deny:
sshd : ALL
with those files, ssh login is permitted from the 10.0.0.0/24 network and from all computers in the sqawasmi.com domain.
you can use the EXCEPT operator to exclude hosts/networks or daemons from a list.
twist or spawn run a command to send messages, track access and log problems, ex:
/etc/hosts.deny
sshd : nossh.sqawasmi.com : twist /bin/echo %c not allowed
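As an added example (not from the original notes and not the real libwrap code), a small shell model of the hosts.allow / hosts.deny decision, so you can check a rule set against sample clients before deploying it. It handles the forms used above (ALL, one IP, net/netmask, a leading-dot domain) and assumes IPv4 with no EXCEPT clauses; the rule files are constructed in a temporary directory.

```shell
# Added example, not from the original notes and not libwrap itself: a small
# model of the hosts.allow / hosts.deny decision, to check a rule set before
# deploying it. Handles the forms used above: ALL, one IP, net/netmask and a
# leading-dot domain suffix. Assumes IPv4, no EXCEPT and no option field effects.
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# client_matches PATTERN CLIENT_IP CLIENT_HOSTNAME -> 0 when the pattern matches
client_matches() {
    case $1 in
        ALL) return 0 ;;
        .*)  case $3 in *"$1") return 0 ;; esac ;;
        */*) [ $(( $(ip2int "$2") & $(ip2int "${1#*/}") )) -eq \
               $(( $(ip2int "${1%/*}") & $(ip2int "${1#*/}") )) ] && return 0 ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON IP HOST -> 0 if some "daemon_list : client_list" line matches
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}   # drops an optional third ": shell_command" field
        for d in $(echo "$daemons" | tr ',' ' '); do
            [ "$d" = "$2" ] || [ "$d" = ALL ] || continue
            for c in $(echo "$clients" | tr ',' ' '); do
                client_matches "$c" "$3" "$4" && return 0
            done
        done
    done < "$1"
    return 1
}

# wrappers_decision DAEMON IP HOST ALLOW_FILE DENY_FILE: allow wins, then deny, else allow
wrappers_decision() {
    if file_matches "$4" "$1" "$2" "$3"; then echo allow
    elif file_matches "$5" "$1" "$2" "$3"; then echo deny
    else echo allow; fi
}

# constructed rule set, the same one shown in the notes above
WRAP_DIR=$(mktemp -d)
printf 'sshd : 10.0.0.0/255.255.255.0, .sqawasmi.com\n' > "$WRAP_DIR/hosts.allow"
printf 'sshd : ALL\n' > "$WRAP_DIR/hosts.deny"
```

wrappers_decision sshd 192.168.1.9 evil.example.net "$WRAP_DIR/hosts.allow" "$WRAP_DIR/hosts.deny" prints deny, while the same call for box.sqawasmi.com (or for a 10.0.0.x address) prints allow.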
iptables:
huh?