- Please note that this guide should be followed in order, because
some of the later tests depend on components installed in earlier
steps.
- The component groups (base, networking, etc.) are listed on
Red Hat Linux 7.0 Installation CD 1 in "/mnt/cdrom/RedHat/base/comps".
The following system environment is assumed:
- Linux = RedHat Linux 7.0 (Standalone)
- BIOS = Award Modular BIOS 4.51 PG
- CPU = Intel Celeron 466 MHz
- Primary Master Hard Disk (IDE) = 6.4 GB [Windows 98 Installed]
- Primary Slave Hard Disk (IDE) = 1.2 GB [Linux Installation]
- Secondary Master CD Drive (IDE) = RICOH RW7063A
- Mouse + Keyboard + Floppy Drive
- CD-ROM Drive [Windows 98] = D:\
Download the Demo sample,
extract it and test it.
- Turn on the computer and wait until it prompts you to "Press
DEL to enter SETUP". Then press DEL.
- "7. understand different
approaches to multiple-boot installations and be familiar with
installation-related tools (rawrite, fips) sometimes used during multiple-
boot installations":
- "2. be thoroughly familiar with,
and capable of, Red Hat installation, particularly network installations":
- Reboot the computer with the boot.img floppy and at the
"boot: " prompt, type:
text
- "1. understand disk
partitioning and know how to use Red Hat's install-time partitioning tools":
Configure the Installation
with the following settings, otherwise choose the default option provided.
Note: Be careful not to modify the disks that hold data, e.g. the
Primary Master (hda) with Windows 98 installed, in particular its
partition table and Master Boot Record (MBR). Windows 98 boots from that
MBR, so overwriting it would leave Windows unbootable; this is why the
installation below boots Linux from a floppy instead of writing LILO there.
-
Installation Type: Custom System
-
Disk Setup: fdisk
/dev/hdb (1.2GB) [That is, the blank Primary Slave harddrive.]
Print Partition Table
Command: p
Delete every existing partition on that disk.
Command: d
Add new partitions (Primary Partition "/boot". Only 4 Primary Partitions.)
Command: n (add new partition)
Command Action: p (primary partition)
Partition Number: 1 (A small separate /boot partition at the start of the disk keeps the kernel below the 1024-cylinder limit of older PC BIOSes.)
First Cylinder: (default 1) [Enter]
Last Cylinder: +16M
Add new partitions (Extended Partition with logical partitions: swap, "/home", "/")
Command: n (add new partition)
Command Action: e (extended partition)
Partition Number: 2
First Cylinder: (default 4) [Enter]
Last Cylinder: (default 155) [Enter]
Add new partitions (Logical Partition swap [Swap size >= (RAM * 2)])
Command: n (add new partition)
Command Action: l (logical partition)
Partition Number: 5 (The first 4 partitions are Primary/Extended Partitions)
First Cylinder: (default 4) [Enter]
Last Cylinder: +128M
Change partition type (Logical Partition swap)
Command: t (change partition id type)
Partition Number: 5
Hex code: 82
Add new partitions (Logical Partition "/home" for testing user disk usage quota)
Command: n (add new partition)
Command Action: l (logical partition)
Partition Number: 6
First Cylinder: (default 21) [Enter]
Last Cylinder: +1M
Add new partitions (Logical Partition "/" will fill up the remaining disk space)
Command: n (add new partition)
Command Action: l (logical partition)
Partition Number: 7
First Cylinder: (default 21) [Enter]
Last Cylinder: (default 155) [Enter]
Set boot partition
Command: a
Partition Number: 1
Save and Exit
Command: w
Disk Setup: Done [It will then load Disk Druid.]
/dev/hdb
Primary/Extended: /dev/hdb1 /dev/hdb2
Logical: /dev/hdb5 /dev/hdb6 /dev/hdb7
[ /boot | swap | /home | / ]
Note: Logical partitions are needed if there
are more than 4 partitions needed for the disk.
- "3. understand install-time
configuration of install-time options":
- Root Password: Enter your root password twice.
- Package Group Selection: Do not install any of the listed packages.
The status should show:
Total install size: 195M
Choose [OK]
- Bootdisk: Choose [Yes] and place a
blank floppy disk into the floppy drive then hit [OK].
This disk will be used to boot the Linux hard disk.
- "4. understand
and be able to implement post-installation configuration of
install-time options":
- After installation, boot the Linux disk from the Bootup
floppy disk.
- "5. be familiar with
RedHat Linux filesystem layout":
- Observe the mounted filesystem table and see how a mount point
can have a separate partition. e.g. /boot and /dev/hdb1; /home and /dev/hdb6
/usr/bin/man fstab
/bin/cat /etc/fstab | /usr/bin/less
LABEL=/      /            ext2     defaults          1 1
LABEL=/boot  /boot        ext2     defaults          1 2
LABEL=/home  /home        ext2     defaults          1 2
/dev/cdrom   /mnt/cdrom   iso9660  noauto,owner,ro   0 0
/dev/fd0     /mnt/floppy  auto     noauto,owner      0 0
none         /proc        proc     defaults          0 0
none         /dev/pts     devpts   gid=5,mode=620    0 0
/dev/hdb5    swap         swap     defaults          0 0
/bin/mount | /bin/sort | /usr/bin/column -t
/dev/fd0   on /mnt/floppy   type vfat      (rw)
/dev/hdb1  on /boot         type ext2      (rw)
/dev/hdb6  on /home         type ext2      (rw)
/dev/hdb7  on /             type ext2      (rw)
none       on /dev/pts      type devpts    (rw,gid=5,mode=620)
none       on /proc         type proc      (rw)
usbdevfs   on /proc/bus/usb type usbdevfs  (rw)
/bin/mount /dev/fd0 /mnt/floppy
/bin/ls -alrt /mnt/floppy
/bin/umount /dev/fd0
/bin/ls -alrt /mnt/floppy
- File System Hierarchy Standards
- /etc, host-specific configuration data
- /sbin, binary files for system administrator
- /home, users' home directories
- /lost+found, recovered files during file system rebuilds
- /mnt, mount points for temporarily mounted file systems
- /proc, system information
- /root, home directory for the root user
- /usr, shareable files not essential to basic system operation
- /var, non-shareable files not essential to basic system operation
- "6. understand
the role of the scripts and configuration files under
/etc/sysconfig/network-scripts":
Configure and activate an extra loopback alias. The standalone system
already answers as localhost.localdomain (127.0.0.1); adding the IP alias
192.168.1.10 to the loopback device lets the machine act as the server at
that address while 127.0.0.1 acts as the client.
- "8. understand kickstart
installation basics (kickstart files, floppy- vs. network-based, installation
media, boot disk preparation, etc.)":
- "9. possess a thorough
knowledge of the rpm command and its switches, particularly those
related to the installation and querying of packages":
- To list all of the installed packages:
/bin/rpm -qa
- To find which package a file belongs to and show that package's information:
/bin/rpm -qif /bin/pwd
- To list every file shipped by the package that owns a given file:
/bin/rpm -qlf /bin/tar
- "10. be familiar with the basic
elements of source (*.src.rpm) rpm packages":
- "11. know how to
boot into and use the rescue environment for system recovery":
- Insert the Linux Rescue floppy (boot.img) into the floppy drive.
Insert CD 1 into the CD drive.
- Reboot the computer and at the "boot: " prompt, type
linux rescue
- "13. know how to
configure the user environment":
- "14. be familiar with
system and user bash configuration files":
- In /etc/skel/.bashrc, under "# User specific aliases and functions",
type (this only affects accounts created afterwards, because /etc/skel
is copied into the home directory when an account is made):
alias ls='/bin/ls -alrt'
- "12. know how to
create different kinds of user accounts":
Ordinary Users
- Test by typing "exit", then log in as user "red" and/or user "hat".
Mail User (POP)
- "15. understand quotas,
quota concepts, and be able to implement user and group quotas":
- User Quota:
/bin/cp /etc/fstab /etc/fstab.1
/bin/vi /etc/fstab
##################################################
# Change this line...
#
# LABEL=/home /home ext2 defaults 1 2
#
# to...
LABEL=/home /home ext2 defaults,usrquota 1 2
##################################################
/bin/mount -o remount /home
/usr/sbin/repquota -a
/sbin/quotacheck /home
/usr/sbin/repquota -a
/sbin/quotaon /home
/usr/sbin/edquota -u red
############################################################
# Change this line...
#
# inodes in use: 4, limits (soft = 0; hard = 0)
#
# to...
inodes in use: 4, limits (soft = 5; hard = 10)
# 1 block = 1 kilobyte (the limits edited here are inode counts, not blocks)
############################################################
/usr/sbin/repquota -a
Test the quota by logging in as "red".
Copy the files to red's home until a (soft) warning is prompted and
keep using up the space until a (hard) error message is prompted:
/bin/cp /usr/share/magic /home/red/magic1
/bin/cp /usr/share/magic /home/red/magic2
/home: warning, user file quota exceeded
/bin/cp /usr/share/magic /home/red/magic3
/bin/cp /usr/share/magic /home/red/magic4
/bin/cp /usr/share/magic /home/red/magic5
/bin/cp /usr/share/magic /home/red/magic6
/bin/cp /usr/share/magic /home/red/magic7
/home: write failed, user file limit reached
/bin/cp: cannot create regular file `./7': Disk quota exceeded
/bin/df -m
/usr/bin/du -am
/bin/rm -rf /home/red/magic[1-6]
- Group Quota:
setgid:
#
# Press [Ctrl-Alt-F1] (Virtual Console 1) and login as root
#
/usr/sbin/groupadd usergroup
/bin/mkdir /home/usergroup
/bin/ls -alrt /home
/bin/chown root.usergroup /home/usergroup
/bin/chmod 2775 /home/usergroup
/bin/ls -alrt /home
#
# Press [Ctrl-Alt-F2] (Virtual Console 2) and login as red
#
/bin/vi /home/usergroup/share.txt
################################################
hello
# Press [Esc] then type :wq to save and exit
################################################
#
# Press [Ctrl-Alt-F3] (Virtual Console 3) and login as hat
#
/bin/vi /home/usergroup/share.txt
################################################
world
# Press [Esc] then type :wq to save and exit
################################################
#
# Press [Ctrl-Alt-F2] (Virtual Console 2) with red logged
# in to that terminal.
#
/bin/cat /home/usergroup/share.txt
/bin/ls -alrt
Test Group Quota:
/bin/vi /etc/fstab
##########################################################
# LABEL=/home /home ext2 defaults,usrquota 1 2
#
# to...
LABEL=/home /home ext2 defaults,usrquota,grpquota 1 2
##########################################################
/bin/mount -o remount /home
/sbin/quotacheck -g /home
/sbin/quotaon -g /home
/usr/sbin/edquota -g usergroup
##########################################################
# Change this line...
#
# inodes in use: 2, limits (soft = 0; hard = 0)
#
# to...
inodes in use: 2, limits (soft = 5; hard = 10)
# 1 block = 1 kilobyte (the limits edited here are inode counts, not blocks)
##########################################################
#
# Login as red and fill up the quota until an error message is
# prompted. red's user quota from the previous task still applies to
# the files created here (red owns them; the setgid directory only
# sets their group), so whichever limit is reached first wins, and the
# message below reports the user limit. Raise red's user limit with
# "/usr/sbin/edquota -u red" to exercise the group limit on its own.
/bin/cp /usr/share/magic /home/usergroup/magic1
/bin/cp /usr/share/magic /home/usergroup/magic2
/bin/cp /usr/share/magic /home/usergroup/magic3
/bin/cp /usr/share/magic /home/usergroup/magic4
/bin/cp /usr/share/magic /home/usergroup/magic5
/home: write failed, user file limit reached
/bin/cp: cannot create regular file `5': Disk quota exceeded
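A worked example for the user-quota and group-quota steps above, added here and not part of the original guide: a POSIX sh function that makes the /etc/fstab edit (adding usrquota, then grpquota, to the /home line) mechanically and idempotently instead of by hand in vi, plus a helper that reads the option field back so the change can be checked before the remount. It runs against a constructed copy of the fstab shown earlier, never against the live file; the function names are my own.

```shell
#!/bin/sh
# add_mount_option FSTAB MOUNTPOINT OPTION
#   Print FSTAB with OPTION appended to the option field (4th column) of the
#   line whose mount point is MOUNTPOINT. Comment lines, lines with fewer
#   than four fields and lines that already carry the option pass through
#   unchanged, so running it twice (usrquota, then grpquota, then usrquota
#   again by mistake) never yields "defaults,usrquota,usrquota".
add_mount_option() {
    awk -v mp="$2" -v opt="$3" '
        /^[ \t]*#/ || NF < 4 { print; next }
        $2 == mp {
            n = split($4, have, ",")
            for (i = 1; i <= n; i++)
                if (have[i] == opt) { print; next }   # already present: leave the line alone
            $4 = $4 "," opt                            # rebuilds the line with single spaces
        }
        { print }' "$1"
}

# mount_options FSTAB MOUNTPOINT: print the option field for MOUNTPOINT (empty if absent)
mount_options() {
    awk -v mp="$2" '!/^[ \t]*#/ && NF >= 4 && $2 == mp { print $4 }' "$1"
}

# Constructed copy of the /etc/fstab shown earlier in this guide (not the live file).
SAMPLE_FSTAB=$(mktemp) || exit 1
cat > "$SAMPLE_FSTAB" <<'EOF'
LABEL=/      /            ext2     defaults          1 1
LABEL=/boot  /boot        ext2     defaults          1 2
LABEL=/home  /home        ext2     defaults          1 2
/dev/cdrom   /mnt/cdrom   iso9660  noauto,owner,ro   0 0
none         /proc        proc     defaults          0 0
/dev/hdb5    swap         swap     defaults          0 0
EOF

# Live usage would be: work on the backup copy, inspect the result, then
# install it and remount, e.g.
#   cp /etc/fstab /etc/fstab.1
#   add_mount_option /etc/fstab.1 /home usrquota > /etc/fstab.new
#   add_mount_option /etc/fstab.new /home grpquota > /etc/fstab && mount -o remount /home
add_mount_option "$SAMPLE_FSTAB" /home usrquota > "$SAMPLE_FSTAB.new"
echo "/home options are now: $(mount_options "$SAMPLE_FSTAB.new" /home)"
rm -f "$SAMPLE_FSTAB" "$SAMPLE_FSTAB.new"
```

The edit alone enforces nothing: quotas only take effect after the remount, quotacheck and quotaon shown above, so the function is the first step of the procedure, not a replacement for it.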
- "16. understand the cron
system and be capable of setting up the scheduled jobs under cron":
- Schedule a cron job that truncates a file to at most 10 lines
every minute of every hour of every day of every month.
Note: this is an exercise in cron syntax only. Truncating
/var/log/messages every minute throws away the login and PAM records
an investigation relies on, so never do this on a real system.
/bin/vi /etc/crontab
#########################################################
# Append the following to the /etc/crontab file.
# "* * * * *" is the same as "0-59/1 * * * *". The job must not be
# written as "cat file | tail -n 10 > file": the shell truncates the
# output file before cat has read it, so the file usually ends up empty.
# Writing through a temporary file and then copying it back with cat
# keeps the original inode, so syslogd, which holds the file open,
# keeps logging into it.
* * * * * root /usr/bin/tail -n 10 /var/log/messages > /var/log/messages.tmp && /bin/cat /var/log/messages.tmp > /var/log/messages
#########################################################
/bin/cat /var/log/messages
# Try logging in and out of another virtual console, which makes the
# system logger record PAM activity. After 2 minutes, type the
# following and check that the file has been truncated.
/bin/cat /var/log/messages
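The cron job above hides a pitfall that this example, added here and not from the original guide, demonstrates on a constructed 20-line stand-in for /var/log/messages: the tail is taken into a temporary file and written back through the existing inode, so a daemon holding the file open keeps writing to it. The function and file names are my own.

```shell
#!/bin/sh
# keep_last_lines FILE N
#   Truncate FILE in place so that only its last N lines remain. The copy is
#   taken first, then written back with "cat > FILE", which overwrites the
#   existing inode instead of replacing the file; a process that still has
#   FILE open (syslogd on /var/log/messages) therefore keeps writing to the
#   same file rather than to an unlinked one.
keep_last_lines() {
    file=$1 n=$2
    tmp=$(mktemp) || return 1
    tail -n "$n" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# inode_of FILE: the inode number, used to show that the file identity survives
inode_of() {
    ls -i "$1" | awk '{ print $1 }'
}

# Constructed 20-line stand-in for /var/log/messages (not the real log).
LOG=$(mktemp) || exit 1
awk 'BEGIN { for (i = 1; i <= 20; i++) print "line " i }' > "$LOG"
before=$(inode_of "$LOG")
keep_last_lines "$LOG" 10
echo "lines left: $(wc -l < "$LOG" | tr -d ' '), inode $before -> $(inode_of "$LOG")"
rm -f "$LOG"

# The crontab line equivalent to keep_last_lines /var/log/messages 10 is:
#   * * * * * root /usr/bin/tail -n 10 /var/log/messages > /var/log/messages.tmp && /bin/cat /var/log/messages.tmp > /var/log/messages
```

The broken form, "cat file | tail -n 10 > file", is not shown because its result is a race: the shell opens and truncates the output before the pipeline runs, so cat normally reads an empty file.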
- "17. understand essential
kernel concepts, such as monolithic vs. modular kernels, initial ramdisks,
etc.":
- Monolithic kernels have their driver support built in (nothing to load
at run time); the running kernel's tunable parameters can be listed with:
/sbin/sysctl -a
- Modular kernels load driver support only when needed; list what is loaded with:
/sbin/lsmod
- "18. be able to install
kernel sources and development tools needed in order to rebuild the Linux
kernel":
- Installing Development Tools
kgcc-1.1.2-40.i386.rpm
GNU C Compiler for kernel compilation
gcc-2.96-54.i386.rpm
GNU Compilers needed for making menuconfig
cpp-2.96-54.i386.rpm
GNU C preprocessor
dev86-0.15.0-5.i386.rpm
80x86 assembler and linker
glibc-devel-2.1.92-14.i386.rpm
header files and libraries for the standard C library
make-3.79.1-5.i386.rpm
GNU make utility
ncurses-5.1-2.i386.rpm
ncurses library, which provides a terminal-independent
application programming interface for character-mode
video displays
ncurses-devel-5.1-2.i386.rpm
headers files and libraries for development using ncurses
(needed only when building the kernel by using the menuconfig
utility)
/bin/rpm -Uvh kgcc-1.1.2-40.i386.rpm \
cpp-2.96-54.i386.rpm dev86-0.15.0-5.i386.rpm \
glibc-devel-2.1.92-14.i386.rpm \
make-3.79.1-5.i386.rpm \
ncurses-*.rpm
If you get an error prompt
"package ncurses-5.1-2 is already installed",
then type in the following instead.
/bin/rpm -Uvh kgcc-1.1.2-40.i386.rpm \
cpp-2.96-54.i386.rpm dev86-0.15.0-5.i386.rpm \
glibc-devel-2.1.92-14.i386.rpm \
make-3.79.1-5.i386.rpm \
ncurses-devel-5.1-2.i386.rpm
/bin/umount /dev/cdrom
- "19. be able to configure,
build, and install the Linux kernel and modules from source and understand
LILO configuration and the elements -- first stage, second stage, and
installer -- that makes up LILO":
- Configuring and building the kernel and its modules
/usr/bin/make menuconfig
#
# Switch off the following Kernel support
#
# - Telephony Support: Linux telephony
# - SCSI support: SCSI support
# - I2O device support: I2O support
# - Network device support:
# Ethernet (10 or 100Mbit)
# Ethernet (1000 Mbit) [Disable all]
# - Appletalk devices
# - Token Ring driver support
# - IrDA (infrared) support: IrDA subsystem support
# - ISDN subsystem: ISDN support
# - Old CD-ROM drivers (not SCSI, not IDE)
# - Character devices:
# Joystick support
# I2C support
# Video For Linux
# Ftape, the floppy tape device driver
# - USB support
# - Sound
#
# Save and exit
#
/usr/bin/make dep;/usr/bin/make clean
/bin/ps -ef
/usr/bin/make bzImage 2>errors.txt
/bin/cat errors.txt | /bin/grep -i "error"
/usr/bin/make modules 2>errors.txt
/bin/cat errors.txt | /bin/grep -i "error"
- Post-Installation Procedures and Issues:
Procedure
/sbin/mkbootdisk --device /dev/fd0 2.2.16-22custom
/bin/mount /dev/fd0 /mnt/floppy
/bin/cp /boot/map /mnt/floppy/boot/map
/bin/umount /dev/fd0
/sbin/reboot
Issue:
Some files may need to be modified after the kernel is reconfigured.
e.g. If USB support is turned off, the system may report the following
error during the boot sequence:
Initializing USB controller (usb-uhci):
modprobe: Can't locate module usb-uhci
The RedHat Linux 7.0 bootup sequence for Intel
PC BIOS: Processor -> BIOS -> ROM -> Device Interface
-> Drive -> MBR -> LILO -> Kernel -> Init -> /etc/rc.d/rc.sysinit
-> /etc/inittab -> /etc/rc.d/rc -> /etc/rc.d/rc#.d
-> forks /sbin/mingetty processes for terminal logins
The log messages are logged in:
/var/log/dmesg
/var/log/boot.log
/var/log/messages
/bin/cat /var/log/boot.log
######################################
# Search the error string by typing
# /Can't locate module usb-uhci
#
localhost rc.sysinit: Setting hostname localhost.localdomain: succeeded
localhost modprobe: modprobe:
localhost modprobe: Can't locate module usb-uhci
localhost rc.sysinit: Initializing USB controller (usb-uhci): failed
localhost fsck: /: clean, 42810/134784 files, 97429/269080 blocks
localhost rc.sysinit: Checking root filesystem succeeded
#
# It happened during the rc.sysinit execution.
######################################
/bin/cat /etc/rc.d/rc.sysinit
#######################################
# Find the string usb by entering /usb
# Initialize USB controller and HID devices
usb=0
if ! grep -iq "nousb" /proc/cmdline 2>/dev/null && ! grep -q "usb" /proc/devices 2>/dev/null ; then
    alias=`egrep -s "^alias[[:space:]]+usb-controller[[:space:]]+" /etc/modules.conf | awk '{ print $3 }'`
    if [ -n "$alias" -a "$alias" != "off" ] ; then
        action "Initializing USB controller ($alias): " modprobe $alias
        [ $? -eq 0 ] && usb=1
    fi
fi
# Notice how the usb-controller is determined by a regular expression
# search on the /etc/modules.conf file.
######################################
/bin/vi /etc/modules.conf
#######################################
# Comment it out.
alias parport_lowlevel parport_pc
#alias usb-controller usb-uhci
#######################################
/sbin/init 6
- Procedures during Kernel Compilation:
While compiling the kernel, go to other Virtual
Consoles by pressing [Ctrl-Alt-F2] [Ctrl-Alt-F3] etc.
and work on other things. e.g. Installing other
services such as Apache, DNS, etc.
Dialup Setting:
Insert CD 1 into the CD drive and type:
/bin/mount /dev/cdrom /mnt/cdrom
# Install the ping utility for testing a PPP connection from
# the iputils package
/bin/rpm -ivh /mnt/cdrom/RedHat/RPMS/iputils-20000418-6.i386.rpm
/bin/rpm -ivh /mnt/cdrom/RedHat/RPMS/ppp-2.3.11-7.i386.rpm
/bin/umount /dev/cdrom
/usr/bin/man pppd
/bin/vi /etc/ppp/ispchat.script
################################################
ABORT "NO DIALTONE"
"" "ATDT12345678"
"ogin:" "username"
"assword:" "password"
################################################
# The chat script holds the ISP password in clear text, so keep it
# readable by root only (mode 600). Note also that "chat -v" below logs
# every string sent to the modem, password included, to syslog; drop
# the -v once the connection works.
/bin/ln -s /dev/ttyS1 /dev/modem
/bin/mkdir /etc/ppp/peers
/bin/vi /etc/ppp/peers/ispconnect.script
################################################
noauth
defaultroute
connect '/usr/sbin/chat -v -f /etc/ppp/ispchat.script'
/dev/modem
38400
################################################
# "noauth" means pppd does not require the ISP to authenticate itself;
# the login sent by the chat script is unaffected.
/usr/sbin/pppd call ispconnect.script
#
# After the connection has been made, test the connection
# by pinging an IP address of a nameserver
#
/bin/ping 206.53.103.1
/usr/bin/killall pppd
################################################
# Note: the IP addresses of a primary and a secondary DNS server
# may be needed to resolve domain names.
/bin/cp /etc/resolv.conf /etc/resolv.conf.1
/bin/vi /etc/resolv.conf
################################################
# The following DNS servers help converting domain names
# to IP addresses.
nameserver 206.53.103.1
nameserver 206.53.103.3
################################################
# Test it by connecting to the internet and type:
/bin/ping hotmail.com
Script for finding which rpm package contains a given file:
/bin/vi /root/findpack.bash
##########################################
#!/bin/sh
# Print, for each pattern given on the command line, every package under
# RPMS_PATH whose file list contains it. Each package header is read once
# (rpm -qlp is the slow part), then every pattern is checked against it.
RPMS_PATH="/mnt/cdrom/RedHat/RPMS"
for PACKAGE in "${RPMS_PATH}"/*.rpm
do
    FILES=`/bin/rpm -qlp "${PACKAGE}"`
    for PATTERN in "$@"
    do
        # -F matches the argument literally, so the dots in
        # "libutil.so.1" are not treated as regular-expression wildcards
        if /bin/echo "${FILES}" | /bin/grep -qF -- "${PATTERN}"
        then
            /bin/echo "${PATTERN}: `/usr/bin/basename ${PACKAGE}`"
        fi
    done
done
##########################################
/bin/chmod 700 /root/findpack.bash
/root/findpack.bash libutil.so.1 /bin/ping
- "24. understand X in
general and the XFree86 X server in particular, including its configuration
file and the primary tools used for editing that file":
- "25. be familiar with the
window manager and desktop environment choices available under Red Hat Linux,
and know how to select these choices":
Installing
Sawfish (Window Manager) and GNOME (Desktop Environment)
- "26. understand
and be capable of implementing and using the remote capabilities of X,
including remote logins and remote clients.":
X remote
- "20. understand. and
be capable of. implementing the following network services: Apache,
Samba, NFS, basic sendmail, POP3/IMAP4 email, DNS, and ftp":
- NFS
Insert CD 1
# nfs
# portmap >= 4.0 is needed by nfs-utils-0.1.9.1-7
/bin/mount /dev/cdrom /mnt/cdrom
/bin/rpm -ivh /mnt/cdrom/RedHat/RPMS/nfs-utils-0.1.9.1-7.i386.rpm /mnt/cdrom/RedHat/RPMS/portmap-4.0-29.i386.rpm
/bin/umount /dev/cdrom
/usr/bin/man exports
/bin/cp /etc/exports /etc/exports.1
/bin/vi /etc/exports
############################################
/var/ftp/incoming example.com(ro,no_root_squash)
#
# no_root_squash lets root on the client act as root on this export;
# the default, root_squash, maps it to nobody and is the right choice
# anywhere outside a test like this. The export is read-only here,
# which limits the damage.
############################################
/usr/sbin/exportfs -v -a -r
/sbin/service portmap start
/sbin/service nfslock start
/sbin/service nfs start
/sbin/chkconfig --list nfs
/sbin/chkconfig --level 345 nfs on
/bin/mount -t nfs example.com:/var/ftp/incoming /mnt/cdrom
/bin/ls -alrt /mnt/cdrom
/bin/umount /mnt/cdrom
- SENDMAIL and POP3/IMAP4
# (SMTP for sending mail)
# sendmail-8.11.0-8 (CD 1 - Base)
# sendmail-cf-8.11.0-8.i386.rpm (CD 2 - Configuration)
#
# m4-1.4.1-3.i386.rpm (CD 1 - For sendmail.mc script file)
#
# (POP3/IMAP4 for fetching mail)
# imap-4.7c2-12.i386.rpm (CD 2 - the POP3 and IMAP4 server daemons, started by xinetd)
#
# stunnel is needed by imap-4.7c2-12 (CD 1)
/bin/cp /etc/xinetd.d/imap /etc/xinetd.d/imap.1
/bin/vi /etc/xinetd.d/imap
###################################################
# Replace with the following
#disable = yes
disable = no
###################################################
/bin/cp /etc/xinetd.d/ipop3 /etc/xinetd.d/ipop3.1
###################################################
# Replace with the following
#disable = yes
disable = no
###################################################
/sbin/service xinetd restart
/bin/cp /etc/mail/sendmail.mc /etc/mail/sendmail.mc.1
/bin/cp /etc/sendmail.cf /etc/sendmail.cf.1
/bin/vi /etc/mail/sendmail.mc
###################################################
# Add the following line
DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0,Name=MTA')
dnl 0.0.0.0 means listen on all interfaces; the shipped default is
dnl Addr=127.0.0.1, which only accepts mail from this machine itself.
dnl Once the MTA listens on every address, any host that can route to
dnl it can connect, so relaying must stay limited to local hosts
dnl (sendmail 8.11 refuses to relay for other hosts unless told to).
#
###################################################
/usr/bin/m4 /etc/mail/sendmail.mc > /etc/sendmail.cf
/bin/cp /etc/mail/local-host-names /etc/mail/local-host-names.1
/bin/vi /etc/mail/local-host-names
############################################
# Add the following entry...
example.com
#
############################################
/sbin/service sendmail restart
###################################################
# Test with mail client
/usr/X11R6/bin/startx
# Test Mail Transfer Agent (SMTP)
#
# Programs -> Internet -> Netscape Communicator:
#
# Edit -> Preferences -> Mail & Newsgroups ->
# Mail Servers -> Outgoing Mail Server ->
# Outgoing mail (SMTP) server: example.com
# Outgoing mail server user name: mailuser
#
# Edit -> Preferences -> Identity ->
# Your name: mailuser
# Email address: mailuser@example.com
#
# Communicator -> Messenger -> File -> New -> New Message ->
# To: mailuser@example.com
# Subject: Test
# Hello World
# Test Mail User Agent (POP)
#
# Edit -> Preferences -> Mail & Newsgroups ->
# Mail Servers -> Incoming Mail Servers -> (Select pop) ->
# Edit -> General ->
# Server Name: example.com
# Server Type: POP
# User Name: mailuser
#
# Communicator -> Messenger -> File -> Get New Messages ->
# Password for mail user mailuser@example.com:
# (mailuser password)
#
# /etc/sendmail.cw
# which specifies the hosts on behalf of which the
# server will accept mail
#
# Needs the following entry in /etc/mail/sendmail.mc
# FEATURE(`use_cw_file')dnl
#
- "21. be sufficiently familiar
with the function, configuration, and logging of those services as to be
capable of basic troubleshooting":
- Log kernel messages for debugs:
/usr/bin/man syslog.conf
/sbin/service syslog status
/bin/cp /etc/syslog.conf /etc/syslog.conf.1
/bin/vi /etc/syslog.conf
####################################################
#
# Append the following:
#
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
kern.debug /var/log/messages
#
# For the above entry:
#
# facility = kern (messages from the kernel)
# priority = debug (log debug messages and everything of higher priority)
# action = /var/log/messages (append to the named file)
#
# klogd passes kernel messages to syslogd, which logs them in the
# usual manner. The shipped "*.info" line already sends kern.info and
# above to /var/log/messages, so those messages may now appear twice;
# only the debug-priority lines are new. Expect the file to grow fast.
#
####################################################
/sbin/service syslog restart
/bin/cat /var/log/messages
- Troubleshooting:
################################################
# Troubleshooting Procedures:
#
# - Modified configurations
#
# 1. Backup old configuration files
# e.g. /bin/cp /etc/exports /etc/exports.1
#
# 2. Look up the man page for the format of the configuration file.
# e.g. /usr/bin/man exports
#
# 3. Edit the configuration file
# e.g. /bin/vi /etc/exports
#
# 4. Activate the modified configuration file
# e.g. /usr/sbin/exportfs -v -a -r
#
# 5. Turn on services that relates to the modified configuration
# e.g. /sbin/chkconfig --level 345 nfs on
#
# 6. A service may require other services to run.
# e.g. NFS needs portmap
#
# 7. Check the logs for errors
# e.g /bin/cat /var/log/messages | /usr/bin/less
#
# - CD-ROM cannot be ejected
#
# Error Message: "umount: /mnt/cdrom: device is busy"
#
# Common causes:
# 1. With several virtual consoles logged in, a shell on one
# of them may still have the CD as its working directory.
# e.g. Virtual Console 2 is in the directory
# /mnt/cdrom/RedHat/RPMS while the CD-ROM device is
# mounted at /mnt/cdrom
#
# Possible Solution:
# [Ctrl-Alt-F2]
# cd /
# /bin/umount /dev/cdrom
#
# Error Message: "Device or resource busy"
#
# Common causes:
# 1. At least a process is still using the
# /dev/cdrom device file.
#
# Possible Solution:
# /sbin/fuser -m /dev/cdrom
# /bin/ps -ef
# /bin/kill -9 # (process id from the /sbin/fuser command)
#
# Tips:
# After installing new packages, update the slocate file database with:
# /usr/bin/updatedb &
#
- "22. be familiar with,
and capable of, implementing access restrictions for the above
services":
- "23. be familiar with
other network services supported under Red Hat Linux: squid, innd NNTP server,
xntpd, etc.":
- squid
# (CD 2)
# squid-2.3.STABLE4-1.i386.rpm
##################################################
# Configure Proxy Server
/bin/cp /etc/squid/squid.conf /etc/squid/squid.conf.1
/bin/vi /etc/squid/squid.conf
##################################################
# Add the following...
#http_access allow manager localhost
http_access allow all
#
# Caveat: "http_access allow all" turns the machine into an open proxy
# for anyone who can reach port 3128. Outside an isolated test box,
# define an acl of type src for the local network, allow only that
# acl, and finish the http_access list with "deny all".
##################################################
/sbin/service squid start
##################################################
# Testing Proxy Server
#
# Get the squid service port number:
/usr/bin/awk '$1 == "squid" && sub("/tcp", "", $2) { print $2 }' /etc/services
# Netscape -> Edit -> Preferences -> Advanced -> Proxies ->
# Manual Proxy Configuration -> View ->
# Http Proxy: example.com
# Port: 3128
/sbin/service httpd restart
# Netscape -> Location -> http://www.example.com
- innd
# cleanfeed is needed by inn-2.2.3-3
#
# cleanfeed - A spam filter for Usenet news servers. (CD 1)
# inn - The InterNetNews (INN) system, an Usenet news server. (CD 1)
#
/sbin/service innd start
/bin/mv /etc/news/nnrp.access /etc/news/nnrp.access.1
/bin/vi /etc/news/nnrp.access
################################################
# Add the following...
example.com:Read Post:foo:foo:*
#
################################################
# The new file holds a cleartext password, so restrict it to the
# news user that nnrpd runs as (chmod has to come after the file
# exists, and a root-owned file with these bits would be unreadable
# to nnrpd):
/bin/chown news.news /etc/news/nnrp.access
/bin/chmod 740 /etc/news/nnrp.access
/usr/X11R6/bin/startx
# Netscape -> Edit -> Preferences -> Mail & Newsgroups
# -> Newsgroup Servers -> Add ->
# Server: example.com
# Port: 119
# Netscape -> Communicator -> Messenger -> example.com
# Netscape Mail & Newsgroups -> File -> Subscribe ->
# Please enter a username for news server access: foo
# Please enter a password for news server access: foo
- "27. understand the role
of xinetd and be capable of implementing tcp_wrappers security
measures":
- Installation
# (CD 1)
# tcp_wrappers-7.6-15.i386.rpm
#
# The order in which the two files are consulted matters. By
# default, all hosts are allowed to access all services:
# hosts.allow is checked first, then hosts.deny, and a request
# mentioned in neither file is granted.
#
# i.e.
# /etc/hosts.allow: -> yes -> grant access
# || not mentioned
# \/
# /etc/hosts.deny: -> yes -> reject request
# || not mentioned
# \/
# grant access
#
# Hostnames and domain names are allowed as client patterns.
# Note that portmap requires IP addresses only.
# Only programs that consult libwrap honour these files: xinetd (and
# so the daemons it starts, in.ftpd included) and portmap do; a daemon
# started directly from an init script without libwrap support does not.
/bin/cp /etc/hosts.allow /etc/hosts.allow.1
/bin/cp /etc/hosts.deny /etc/hosts.deny.1
/usr/bin/man 5 hosts_access
- Testing tcp_wrappers
##########################################################
# Task 1: Allow FTP services only for host 192.168.1.10
# and localhost.
#
/bin/vi /etc/hosts.allow
############################################
# Add the following...
in.ftpd: localhost.localdomain, 192.168.1.10
#
############################################
/bin/vi /etc/hosts.deny
############################################
# Add the following, otherwise it will accept
# any other host request for this service by
# default. So it needs to be caught here.
in.ftpd: ALL
#
############################################
/sbin/service xinetd reload
############################################
# Test
/usr/bin/ftp -i example.com
# Login as anonymous and leave the password blank
###################################################
# Task 2: Allow all services to any host except those on the
# 192.168.1.0/24 network that the example.com alias (192.168.1.10)
# lives on. Empty both files first (the original used the bash
# history shortcuts "!!" and "^allow^deny" for this), then edit
# hosts.deny:
/bin/cat /dev/null > /etc/hosts.allow
/bin/cat /dev/null > /etc/hosts.deny
/bin/vi /etc/hosts.deny
#############################################
# /etc/hosts.deny
ALL: 192.168.1.0/255.255.255.0
#
#############################################
/sbin/service xinetd reload
#############################################
# Test
/usr/bin/ftp -i example.com
# Login as anonymous and leave the password blank
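To make the evaluation order described above concrete, here is an added, hypothetical simulator of the hosts.allow / hosts.deny decision (it is not tcp_wrappers and not part of the original guide). It applies the rule exactly as the diagram states: the first match in hosts.allow grants, otherwise the first match in hosts.deny refuses, otherwise access is granted; it is then run against constructed copies of the Task 1 files, and the `<test>` covers Task 2 as well. The function names and the sample client addresses are mine; the matcher only knows the pattern forms listed in its header comment.

```shell
#!/bin/sh
# wrap_decide DAEMON CLIENT ALLOWFILE DENYFILE -> prints "grant" or "refuse"
# Client patterns handled: ALL, an exact hostname or IPv4 address, net/mask
# (192.168.1.0/255.255.255.0), a leading-dot domain suffix (.example.com) and
# a trailing-dot address prefix (192.168.1.). Real tcp_wrappers also knows
# KNOWN, UNKNOWN, PARANOID, EXCEPT and shell commands, which are left out.

# ip_and A.B.C.D M.M.M.M -> dotted quad of the bitwise AND (portable awk, no gawk and())
ip_and() {
    printf '%s %s\n' "$1" "$2" | awk '
        function band(x, y,   r, b) {
            r = 0; b = 1
            while (x > 0 && y > 0) {
                if (x % 2 == 1 && y % 2 == 1) r += b
                x = int(x / 2); y = int(y / 2); b *= 2
            }
            return r
        }
        { split($1, a, "."); split($2, m, ".")
          for (i = 1; i <= 4; i++) printf "%d%s", band(a[i], m[i]), (i < 4 ? "." : "\n") }'
}

# match_client PATTERN CLIENT -> status 0 when PATTERN covers CLIENT
match_client() {
    case "$1" in
        ALL)   return 0 ;;
        "$2")  return 0 ;;                                   # exact host or address
        .*)    case "$2" in *"$1") return 0 ;; esac ;;       # domain suffix
        *.)    case "$2" in "$1"*) return 0 ;; esac ;;       # address prefix
        */*)   net=${1%/*}; mask=${1#*/}                     # net/mask: numeric clients only
               case "$2" in *[!0-9.]*) return 1 ;; esac
               [ "$(ip_and "$2" "$mask")" = "$(ip_and "$net" "$mask")" ] && return 0 ;;
    esac
    return 1
}

# file_matches FILE DAEMON CLIENT -> status 0 when some "daemons : clients" line matches
file_matches() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' "$1" | {
        while IFS= read -r line; do
            case "$line" in *:*) ;; *) continue ;; esac
            dlist=${line%%:*}; rest=${line#*:}; clist=${rest%%:*}
            dmatch=1
            for d in $(printf '%s' "$dlist" | tr ',' ' '); do
                [ "$d" = ALL ] || [ "$d" = "$2" ] && dmatch=0
            done
            [ $dmatch -eq 0 ] || continue
            for c in $(printf '%s' "$clist" | tr ',' ' '); do
                match_client "$c" "$3" && exit 0
            done
        done
        exit 1
    }
}

wrap_decide() {
    if file_matches "$3" "$1" "$2"; then echo grant
    elif file_matches "$4" "$1" "$2"; then echo refuse
    else echo grant      # mentioned in neither file: access is granted by default
    fi
}

# Constructed copies of the Task 1 files (not the live /etc/hosts.allow and hosts.deny)
ALLOW=$(mktemp) || exit 1; DENY=$(mktemp) || exit 1
echo 'in.ftpd: localhost.localdomain, 192.168.1.10' > "$ALLOW"
echo 'in.ftpd: ALL' > "$DENY"
for client in 192.168.1.10 10.0.0.5; do
    echo "in.ftpd from $client: $(wrap_decide in.ftpd "$client" "$ALLOW" "$DENY")"
done
echo "in.telnetd from 10.0.0.5: $(wrap_decide in.telnetd 10.0.0.5 "$ALLOW" "$DENY")"
rm -f "$ALLOW" "$DENY"
```

The in.telnetd case is the one worth remembering: a service that appears in neither file is open to everyone, which is why Task 1 needs the "in.ftpd: ALL" line in hosts.deny and why a restrictive setup usually ends hosts.deny with "ALL: ALL".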
- "28. understand basic
NIS concepts and the components associated with NIS":
- "29. understand the
purpose of the PAM subsystem, and be capable of implementing basic
PAM configuration changes":
- PAM implementation
/bin/rpm -qif /etc/pam.d
/usr/bin/man 8 pam_console
/usr/bin/slocate pam_console
/bin/ls -alrt /lib/security
/bin/ls -alrt /etc/pam.d
#
# Use a file to restrict a list of users
# For wu-ftpd, the file /etc/ftpusers is used.
#
/bin/cat /etc/pam.d/ftp
##############################################
#
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#
# module_type = auth
# control_flag = required
# module_path = /lib/security/pam_listfile.so
# arguments: item=user sense=deny file=/etc/ftpusers onerr=succeed
#
# Caveat: onerr=succeed means a missing or unreadable /etc/ftpusers
# silently disables the check. onerr=fail makes an error leave the
# user denied rather than admitted, which is the safer choice when
# the list protects something more important than anonymous ftp.
#
##############################################
# Implement for /etc/pam.d/login
/bin/cp /etc/pam.d/login /etc/pam.d/login.1
/bin/vi /etc/pam.d/login
##############################################
# Add the following line (for a login restriction onerr=fail is the
# safer setting: an unreadable list then denies instead of admitting)...
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
#
##############################################
##############################################
#
# Go to Virtual Console 2 while still logged in as root in Virtual
# Console 1. Test by logging in with one of the listed users
# in /etc/ftpusers
#
# After the testing, go back to Virtual Console 1 and type:
/bin/cp /etc/pam.d/login.1 /etc/pam.d/login
- PAM modules and their purposes
# /lib/security/pam_access.so
# Restricts logins by user name and origin (tty or remote host) as
# listed in /etc/security/access.conf; host-level control of network
# services stays with tcp_wrappers.
#
# /lib/security/pam_console.so
# Grants special privileges for console users, e.g. accessing
# devices like floppy drive and controlling shutdown/reboot.
#
# /lib/security/pam_listfile.so
# Restricts access by consulting a specified file
#
# /lib/security/pam_nologin.so
# Prevents users other than root from logging in while the /etc/nologin
# file exists.
#
# /lib/security/pam_securetty.so
# Prohibits logging in as root from a tty device other than
# those listed in /etc/securetty
# Note: Serial Console installation may require a laptop for
# output, a serial cable for the connection between the Linux System
# and the laptop and an entry to the /etc/securetty where
# the port is connected.
#
# /lib/security/pam_time.so
# Restricts the times at which a user can access a service by
# day or by time of day.
#
# /lib/security/pam_stack.so
# Calls another service pam restriction file. Referencing
# another service pam restriction file can be convenient
# if a service restriction is used often e.g. /etc/pam.d/system-auth
# For more information, type:
# /usr/bin/man 8 pam_stack
#
- "30. possess basic
familiarity with configuration issues -- routing options, IP forwarding,
kernel configuration -- associated with using Red Hat Linux as a
router":
- "31. be capable of using
ipchains to implement basic firewalling policies and be familiar with
the User Private Group scheme in Red Hat Linux":
Security
- Firewall
# (CD 1)
# ipchains-1.3.9-17.i386.rpm
#
# Implementing basic firewall policies
#
# Note: "/sbin/ipchains -A input -j DENY" placed before any
# other rule denies all incoming packets regardless of
# the rules that follow it, because the first matching rule wins.
#
# Task:
# 1. Accept packets from localhost
# 2. Reject packets to 192.168.1.0 network addresses
# requesting for a port 80 (HTTP) service of protocol TCP.
#
/sbin/ipchains -L
/sbin/ipchains -A input -s 127.0.0.1 -j ACCEPT
# (On a machine with a real network interface add "-i lo" to the rule
# above; otherwise a packet arriving on eth0 with a forged source
# address of 127.0.0.1 is accepted as well.)
/sbin/ipchains -A output -d 192.168.1.0/24 80 -p TCP -j REJECT
/sbin/ipchains -L
#
# Test by accessing the web server from example.com
# Remember to disable the proxy from /etc/lynx.cfg
/usr/bin/lynx http://www.example.com
# Now delete the rule that rejects outgoing HTTP requests to
# example.com and test again. It was appended to the output chain,
# where it is rule number 1 (rule numbers count per chain, so
# "-D input 2" would not find it):
#
/sbin/ipchains -D output 1
/usr/bin/lynx http://www.example.com
#
# It is generally good practice to set the default policy to DENY
# for packets that match no rule, once the ACCEPT rules (including
# the localhost one) are in place:
# /sbin/ipchains -P input DENY
#
# To implement IP masquerading with /sbin/ipchains:
/sbin/ipchains -A forward -i lo:0 -s 127.0.0.1 -j MASQ
# So if the originating packet comes from 127.0.0.1
# the firewall will translate it to its own address
# 192.168.1.10 through the interface lo:0
/sbin/ipchains-save > /etc/sysconfig/ipchains
# The ipchains init script feeds /etc/sysconfig/ipchains to
# /sbin/ipchains-restore at startup
/bin/grep -r "ipchains-restore" /etc/*
/bin/cat /etc/rc.d/init.d/ipchains
#
# Note: rule order matters for "/sbin/iptables" in the same way.
# e.g. If "/sbin/iptables -A INPUT -j DROP" is the
# first rule, then it drops all incoming packets regardless of
# the rules that come after.
#
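The rule-order warning above is easy to violate when rules are appended over time, so here is an added, hypothetical lint (not part of the original guide and not an ipchains tool) that reads rules in the "-A chain ... -j target" form that ipchains-save writes and reports every rule sitting after a catch-all DENY or REJECT in the same chain, since ipchains stops at the first match and such rules can never fire. The sample ruleset is constructed, not captured from a real system, and the parser only understands the flags named in its header comment.

```shell
#!/bin/sh
# lint_chain_order: read ipchains-save style rules on stdin, print one line
# per unreachable rule. A rule is treated as a catch-all when it names no
# source/destination other than 0.0.0.0/0, no port, no protocol (-p), no
# interface (-i) and no -y (SYN-only) flag; other flags are ignored.
lint_chain_order() {
    awk '
    $1 == "-A" {
        chain = $2; n[chain]++
        specific = 0; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-j") { target = $(i + 1); i++ }
            else if ($i == "-s" || $i == "-d") {
                i++
                if ($i != "0.0.0.0/0.0.0.0" && $i != "0.0.0.0/0") specific = 1
                if ($(i + 1) ~ /^[0-9]+(:[0-9]+)?$/) { specific = 1; i++ }   # port follows the address
            }
            else if ($i == "-p" || $i == "-i" || $i == "--sport" || $i == "--dport") { specific = 1; i++ }
            else if ($i == "-y") specific = 1
        }
        if (blocked[chain]) {
            printf "%s rule %d is unreachable: catch-all %s at rule %d\n", chain, n[chain], how[chain], blocked[chain]
        } else if (!specific && (target == "DENY" || target == "REJECT")) {
            blocked[chain] = n[chain]; how[chain] = target
        }
    }'
}

# Constructed ruleset: the input chain gets a catch-all DENY before an ACCEPT
# for the LAN (the mistake the text warns about); the output chain carries
# the HTTP REJECT rule used earlier in this section, which is fine.
SAMPLE_RULES='-A input -s 127.0.0.1/255.255.255.255 -j ACCEPT
-A input -j DENY
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 80:80 -p 6 -j ACCEPT
-A output -d 192.168.1.0/255.255.255.0 80:80 -p 6 -j REJECT'

printf '%s\n' "$SAMPLE_RULES" | lint_chain_order
# Live use on the box this guide describes: /sbin/ipchains-save | lint_chain_order
```

A chain whose last rule is the catch-all produces no output, which is the shape the "default policy DENY" advice above leads to: specific ACCEPTs first, the blanket denial last.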
#