Category Archives: IT

P2000 API Auth String

Ever wanted to do monitoring of a P2000 or MSA2000 from HP?

They are actually Dot Hill hardware; DDN, for example, also resells them as the EF3015.

There is a nice nagios script written by Tom http://www.toms-blog.com/nagios-hp-msa-p2000-status-and-performance-monitor/

To use that you need an API string which you can get from capturing traffic while logging in to the HTTP interface.

Another way to get the string is to run this Perl code, which computes the MD5 hash of “manage_!manage”, the default username and password joined with an underscore:

#!/usr/bin/perl

use Digest::MD5 qw(md5_hex);
# generate MD5 hash using default username/password
my $md5_data = "manage_!manage";
# replace !manage with the new password in case you change the password
my $md5_hash = md5_hex( $md5_data );
print "$md5_hash\n";

Code borrowed from “HP P2000 G3 MSA System CLI Reference Guide” http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02520779/c02520779.pdf

sage on ipv6.he.net

http://ipv6.he.net/certification/

This was really fun!

If you complete this with your own domain and server you’ll learn to set up these:

  • set up IPv6 address and routing
  • point your DNS to the IPv6 address – this applies mostly if you have your own nameserver
  • point the IPv6 address to the DNS – rDNS – requires quite long entries!
  • set up e-mail – both receiving (imap/pop3) and sending (smtp)
  • slightly more advanced use of dig :)

The e-mail part was the trickiest for me as I hadn’t done that before. Used courier and exim4 to set this up on a Debian Virtual Machine.

Pythons

Ever thought about studying a bit of programming? Thought it was a too daunting task?

I’ve just gone through the second lesson on learnstreet and it’s quite fun! It doesn’t take long to go through the first two lessons, so if you don’t have much time you can spend a few minutes each day going to the next exercise or lesson.

Only other language I’ve studied is C++ back in high school – it did not sit so well with me back then.

Since then I’ve made acquaintance with Ruby, Python and Perl, but never made it too far away from bash.

Why start with Python then? I’ve seen announcements of vulnerabilities for Ruby lately, Perl isn’t on learnstreet and Python is used in some scripts at work.

IPv6

Do you have IPv6 connectivity? Perhaps a server and a domain name already set up?

http://ipv6.he.net/

Some things you get to play with:

  • check if you can view the page in IPv6
  • send an e-mail over IPv6
  • rDNS over IPv6

Quite fun way of learning about IPv6

Running Ubuntu on a Desktop

Introduction

Recently I’ve had the pleasure of installing Ubuntu on my desktop. Here are some thoughts and what I initially do:

Machine is a:

Motherboard: Gigabyte GA-EX58-UD3R
CPU: Intel Core i7
Memory: 8GB
Disks: Intel i300 SSD, 2x500GB and 1x3TB Western Digital Drives.
Graphics Card: AMD HD6800

Here are some of the things figured out along the way:

  • grub2 does not like keyboard, but if I boot on the Ultimate Boot CD (grub) – the keyboard does work. This is with flipping all the USB keyboard, mouse, storage, legacy .. settings on and off in BIOS.
    • After removing Ubuntu 12.10 and installing 12.04 (this is with USB things enabled in BIOS) – the keyboard works in grub2 menu.
  • to install better drivers, easiest is to open Ubuntu Software, edit sources and allow post-release things.
    • then go to settings and “additional drivers”
  • after upgrading to fglrx,
    • to change speed of the GPU fan to 20% hit: aticonfig --pplib-cmd "set fanspeed 0 20"
    • to view the speed of the GPU fan hit: aticonfig --pplib-cmd "get fanspeed 0"
    • to view the GPU temperature hit: aticonfig --adapter=0 --od-gettemperature

If you do decide to try newer drivers for the ATI card, make sure you have the installation CD/DVD handy. Or even better, get it on a USB drive, which is way faster.

To find the devices for / and /boot – at least when I boot up there are these disk icons in the side-bar on the left side. If you hover over the icon you’ll see the size, if you click, it mounts and then a folder is opened. Then in the output of ‘mount’ you can see which device it is. Unmount and then proceed with these to get a working chroot:

# mount takes the device first and the mount point second
sudo mount /dev/devicethathasroot /mnt
sudo mount /dev/devicethathasslashboot /mnt/boot
sudo mount --bind /dev /mnt/dev
sudo mount --bind /proc /mnt/proc
sudo mount --bind /sys /mnt/sys
xhost +local:
# above xhost is to get x things working from within a chroot. It lets any local
# user connect to your X server, so undo it with "xhost -local:" when you are done.
sudo chroot /mnt
# you can get network working, it needs a good /etc/resolv.conf first. Either overwrite the existing one or somehow get the local nameserver up and running

Install some good software

apt-get install screen openssh-server tmux openjdk-6-jre unrar p7zip pidgin vim

Spotify Repository – http://www.ubuntuupdates.org/ppa/spotify

Google Chrome Repository – http://www.ubuntuupdates.org/ppa/google_chrome

Universal Media Server

For UMS you’ll also need:

apt-get install ffmpeg mplayer mencoder libzen-dev mediainfo

You also need to make sure zen and mediainfo work – check the trace log in UMS to see if there are any errors in the beginning saying that they are not found. If so, the hack is to create symlinks. For me libzen.so and libmediainfo.so are in the /usr/lib/x86_64-linux-gnu/ directory.

Getting graphite running (for graphing / system monitoring )

One reason was that I wanted to learn more about this tool – but another reason is that it’s quite lightweight, especially if you’re going to be running an httpd anyway.

To install it, follow this guide: http://coreygoldberg.blogspot.fi/2012/04/installing-graphite-099-on-ubuntu-1204.html

Carbon-cache initd-script: https://gist.github.com/1492384

To monitor temperature and fan speed of your AMD/ATI card put this script in /usr/local/bin/atitemp.sh:

#!/bin/bash
# Script to monitor temp and fanspeed of an AMD/ATI card and send both to graphite.
# amdccle required? Also X?

HOST1="$(hostname -s)"
DEBUG="0"
LOGF="/tmp/atitemp.log"

# Locate aticonfig once; "which" prints nothing if it is not installed.
CMD="$(which aticonfig)"

if [ -z "$CMD" ]; then
        echo "Cannot find aticonfig, check paths and if it's even installed."
        exit 1
fi

while true
do
        # Temperature line looks like "Sensor 0: Temperature - 45.00 C"; keep the number
        TEMP=$("$CMD" --adapter=0 --od-gettemperature | grep Sensor | awk '{print $5}' | sed -e 's/\.00//')
        # Fan speed line looks like "Result: Fan Speed: 20%"; strip the percent sign
        SPEED=$("$CMD" --adapter=0 --pplib-cmd "get fanspeed 0" | grep Result | awk '{print $4}' | tr -d "%")
        DATU="$(date +%s)"

        echo "##########" >> "$LOGF"

        # Carbon plaintext protocol: "<metric path> <value> <unix timestamp>" on TCP 2003
        if [ -n "$TEMP" ]; then
                echo "servers.$HOST1.atitemp $TEMP $DATU" | nc localhost 2003

                if [ "$DEBUG" = "1" ]; then
                        echo "$TEMP" >> "$LOGF"
                fi
        fi

        sleep 1
        if [ -n "$SPEED" ]; then
                echo "servers.$HOST1.atifanspeed $SPEED $DATU" | nc localhost 2003

                if [ "$DEBUG" = "1" ]; then
                        echo "$SPEED" >> "$LOGF"
                fi
        fi

        sleep 60
done

To graph useful system resources (network bandwidth, cpu/mem-usage, disk space)

It would be good to install collectl and just export to graphite. But this does not work well currently because the version of collectl shipped with Ubuntu 12.04 LTS is 3.6.0 (3.6.3 with 12.10).
3.6.1 is needed to make it work with graphite and 3.6.5 to make it work well if you want to group servers.

There are plenty of other options though. You can write some scripts yourself, use diamond or one of a few other tools that have graphite support.

Diamond is another option, to install follow these two links https://github.com/BrightcoveOS/Diamond/wiki/Installation (only addition is first you have to clone the git repository, from in there you run make builddeb).

How to manually configure a custom collector: https://github.com/BrightcoveOS/Diamond/wiki/Configuration

cfengine – some useful examples / or how I learnt about the bomb and tried Puppet instead / salt?

Building on the initial post about cfengine we’re going to try out some things that may actually be useful.

My goal would be to make /etc/resolv.conf identical between all the machines.

The server setup is the lustre cluster we built in a previous post.

In this post you’ll first see two attempts at getting cfengine and then puppet to do my bidding until success was finally accomplished with salt.

Cfengine

Set up name resolution to be identical on all machines.

http://blog.normation.com/2011/03/21/why-we-use-cfengine-file-editing/

Thought about

Make oss1 and client1 not get the same promises.

Perhaps some kind of rule / IF-statement in the promise?

Cfengine feels archaic. Think editing named/bind configs are complicated? They are not even close to setting up basic promises in cfengine.

Puppet ->

http://puppetlabs.com/

CentOS 6 Puppet Install

vi /etc/yum.repos.d/puppet.repo
pdcp -w oss1,client1 /etc/yum.repos.d/puppet.repo /etc/yum.repos.d/puppet.repo

Sign certificates:

puppet cert list
puppet cert sign 
sudo puppet cert sign --all

For puppet there’s a dashboard. This sounds interesting. Perhaps I won’t have to write these .pp files which at a glance look scarily similar to the cfengine promises.

yum install puppet-dashboard mysqld

service mysqld start

set mysqld password

create databases (as in the database.yml file)

after this I didn’t get much further… But I did get the web-server up. Although it was quite empty…

salt

Easy startup instructions here for getting a parallel shell going:

After it’s set up you can run a bunch of built-in special commands, see the help section about modules.

salt '*' sys.doc|less

will give you all the available modules you can use :)

Want to use it for configuration management too? Check out the ‘states‘ section.

What looks bad with salt is that it’s quite new (first release in 2011).

Salt is a very common word so it makes googling hard. Most hits tend to be about cryptography or cooking.

To distribute (once) the resolv.conf you run this on the admin-server: salt-cp '*' /etc/resolv.conf /etc/resolv.conf

On to states to make sure that the resolv.conf stays the same:

  1. uncomment the defaults in the master-file about file_roots and restart the salt-master service
  2. create /srv/salt and ln -s /etc/resolv.conf /srv/salt/resolv.conf
  3. create a /srv/salt/top.sls and a /srv/salt/resolver.sls


In top.sls put:

base:
 '*':
   - resolver

In resolver.sls put:

/etc/resolv.conf:
 file:
  - managed
  - source: salt://resolv.conf

Then run: salt '*' state.highstate

How to get this to run every now and then? Setting up a cronjob works.

Haven’t been able to find a built-in function to accomplish this but then again, all I’m doing here is scratching at the surface so it’s working and I’m happy :)

pdsh – parallel distributed shell

pdsh

This is software to run commands on a set of servers.

For example ‘pdsh -a uname -av’ will give you “uname -av” of all machines.

http://techsnail.com/howtos-tutorials/installing-pdsh-on-hpc-cluster/

It can be installed from rpmforge.

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.5.2-2.el6.rf.x86_64.rpm
rpm -ivh rpmforge-release*
yum install pdsh

after that you can immediately run “pdsh -w oss1,client1 uname -av” to run a command on a remote node.

It’s possible to set up so that it executes on a pre-defined list. Check out /etc/machines.

Extremely useful if you want to save some time :)

cfengine – what’s that about?

http://cfengine.com/what-is-cfengine

It’s an (old) piece of software that is used to make sure that (for example) the same config files are used on all machines. There are several other configuration management systems, for example puppet. Wikipedia has a nice overview of them.

Let’s use the lustre machines we set up in a previous post.

On cfengine.com there are many examples too.

Inside a policy you have a promise.

Install

Installing on an RPM-based distribution is easy, cfengine has their own repository where the community edition is available.

http://cfengine.com/cfengine-linux-distros

Get the gpg-key, import it, set up the repository-file and install “cfengine-community”.

Check if “cfengine3” is set to start on boot.

Test

A small example how to write a promise.

  • “cf-promises -f ” can be used to test that a promise is valid (syntax and more is OK)
  • “cf-agent -f” runs the promise, so if we use the example in the link above it echoes a Hello World.

Client/Server

Client pulls policies from the server.

policy-server: mds – 192.168.0.2
client1: client1 – 192.168.0.4
client2: oss1 – 192.168.0.3

on the policy-server hit: "/var/cfengine/bin/cf-agent --bootstrap --policy-server 192.168.0.2"

open port 5308 on the policy-server.

After you see “-> Bootstrap to 192.168.0.2 completed successfully” you can run the same cf-agent command on the client. This points it to use 192.168.0.2 as the policy-server.

No need to open port on the clients.

On the policy-server add this to /var/cfengine/masterfiles/cftest1.cf:

bundle agent test
{
 files:
  "/tmp/cf_test_file"
   comment => "Promise that a plain file exists with stated permissions",
    perms => mog("644", "root", "sys"),
   create => "true";
}

Then in /var/cfengine/masterfiles/promises.cf you can’t follow the guide verbatim; promises.cf needs to look like this (it is really important to have “, ” as the separator between the bundles, notice the space after the “,”).

body common control
{
  bundlesequence => { "main", "test" };
  inputs => {
    "cfengine_stdlib.cf",
    "cftest1.cf",
  };
  version => "Community Promises.cf 1.0.0";
}

After that you can run “cf-agent -Kv” on the client, and it will do what is promised in the cftest1.cf file!

Try to change ownership/permissions on the file, in a while it will have been changed back :)

In /var/cfengine/promise_summary.log you’ll see if it couldn’t keep a promise and if it corrected the mistake.

Distribute it

And to get oss1 the same file, just run the good old "/var/cfengine/bin/cf-agent --bootstrap --policy-server 192.168.0.2" on it and eventually that file will pop up in /tmp there too. Nice!

Some useful stuff.

I’ll probably try out some more useful things in the near future.

Streamline resolv.conf settings, IP routes, config files for software (for example to make sure /etc/dcache/dcache.conf is the same on all pool servers) or why not a kind of user database, like /etc/passwd? Check out the solutions on cfengine.com!

Android wordpress publishing app

Enabled! Wonder if there’s been lots of exploits for this method of writing posts?

Turns out there are lots of old exploits for wordpress and xmlrpc, apparently it may also leave the page open for bruteforce attacks.. I’ll leave this one disabled.

But I bet there are other ways to upload posts. E-mail perhaps. But it’s actually working pretty well with google chrome — at least it’s a lot smoother than the native android browser.

Thoughts after Brocade’s Analyst and Technology Day 2012

Thursday today, the day after the Day. It was a real long day, and to my surprise it said ‘press’ on my pass – so I had to try to ask some questions :)

Some things picked up:

* New VDX 8770 product released – a modular Ethernet switch. Room for 384 10GbE ports. 100GbE ready and also ready for SDN protocols like VXLAN (vmware) and NVGRE (windows 2012). The VDX 8770 chassis is called “Mercury” internally in Brocade. I found it very similar to the DCX chassis except that the supervisor modules are half-height.

* Today Brocade opened up registrations for the BCEFP certification – Brocade Certified Ethernet Fabric Professional (which includes the VDX 8770). It looks advanced and you probably want to take the previous exam – BCEFE – before.

* SDN – software-defined networking – was the main focus of the day. Fibre Channel was barely mentioned at all.
Ken Cheng’s (one of the VPs of Brocade) definition of SDN:

“A set of technologies which are focused on achieving three objectives: network virtualization (vxlan), programmatic control (openflow) and cloud orchestration (openstack).”

It was quite obvious that Brocade’s VCS is the technique/medium which they intend to enable these new technologies. SDN is still quite immature (even though internet2 are already using it in their production network) – so be prepared to wait if you want ready solutions.

* VCS seems quite similar to QLogic’s/Juniper’s QFabric. They had a hands-on lab where we could connect four smaller VDX switches and a VDX 8770 (4-slot version). The switches only had a unique ID set on them and there were end-devices (web-servers, web cams and a tablet) on different IP subnets on each switch. All I needed to do to connect switches (and devices) was to connect two switches via a fibre pair. Quite easy. Almost too easy to be true. This is something I really enjoy that’s part of Fibre Channel. The technology has quite a few features, self-forming trunks being one of them (with frames being striped over all members of a trunk). It also gets rid of spanning tree (so no more unused links).

* Quite soon we should see Brocade’s OEMs release embedded VDX switches for their blade chassis. No news yet about which but lately IBM have been quick to release new Brocade products. As a side note: Brocade from start only sold their gear through OEMs, this is no longer always the case and they are trying to communicate more directly with customers.

* Cost per bit was really important to push down for internet exchanges.

* It’s a lot easier to write a blog post on my wordpress blog via Chrome (on android) than via the native browser. Using my asus transformer tf101 as a note taking device for the day worked out great. Success!

Asus Eee Pad Transformer TF 101 + root + arch in chroot

Just got one of these – thought it would be a great tool when going to conferences for example, or somewhere where I would need a small computer but don’t want to bring along my normal heavy laptop.

Normally I prefer pen and paper when going to meetings or conferences, but if there’s a lot of information needed to be written down or if I want to check something online it sounds quite nice.

Got a keyboard with it too. The stuff I’ve wanted to do so far works perfectly and it is very nice to play around with – though I haven’t done any serious work or task for any longer period of time yet. If I can do that without any/much issues I will be very happy about it.

Rooted it without any problems (from a Windows 7 x64 PC). Needed to install the USB drivers from Asus’s page –  (choose OS android).

It would also be nice to have a Linux chroot terminal running inside Android. This tutorial works pretty great – at least to get a basic setup :) Still need to play some more with it to get things working (vpn perhaps?). After you got the sshd running on the android you can connect to localhost with an ssh client, for example irssi connectbot. In there you run the commands outlined in the last link.

After you create a user you need to add the user to the appropriate group. At least if you want network access.
What was strange was that if my user was in only aid_inet I could ssh and irssi to an IP-address, but I could not ping said address. Neither could I ping or ssh to a dns-name. After adding group aid_net_raw and your user to that group that was possible.

After that you can use ‘pacman -S irssi’ to install for example irssi!

Happy transformer arching!


Brocade Accredited Server Specialist – BASP

http://www.brocade.com/education/certification-accreditation/accredited_server_connectivity/curriculum.page

I’m currently preparing for yet another accreditation; the previous one I took was the BADCS.

The BASP (Brocade Accredited Server Specialist) appears to focus on the server side. Things like:

  • how to install drivers
  • HBA management tools
  • describe features
  • how to run diagnostics

This accreditation has the most questions of all the current ones, but it has the same amount of time allotted (one hour), so this exam will have a lot less time available for each question.

The curriculum for this accreditation is also free; the courses are called Introduction to HBA and Introduction to CNA. There are also some docs about the 1860 Fibre Adapter. They can be found on Brocade’s Saba/training website under my.brocade.com.

// Update 20140422: This accreditation has been replaced with something else. See the current list here: http://www.brocade.com/education/certification-accreditation/index.page?

New theme

Just updated the theme to http://www.nullin.com/hemingwayex/

and I must say I like it quite a lot :) Especially that two posts are available next to each other. I think this theme will be better for people who have larger screens. At least the home page is better. But I’m still not sure if each individual post is looking better. There’s a lot of white space on the left side of really long posts, like the quite important Brocade SAN Upgrades.

Don’t like it? Please let me know!

Changed to this in the CSS – hard to see the links by default:

a{
	color:#FFF;
	text-decoration:underline;
}

Update to Spotify – An RSS Feed

After some time the solution I devised on http://www.guldmyr.com/blog/script-to-check-for-an-update-on-a-web-page/ just was not elegant enough (also it stopped working).

Instead of getting some kind of output in a terminal sometimes somewhere I decided to make an RSS feed that updates http://guldmyr.com/spotify/spot.xml instead :)

I suspect that the repository itself could be used to see if there’s an update to it. It has all these nice looking files in here: http://repository.spotify.com/dists/stable/ – but I also suspect this is a repository for debian/ubuntu which I cannot use on my RHEL-based workstation.

Thus:

A bash script was written. It uploads the spot.xml whenever there is an update. The script does not run on the web-server so it ftps the file to the web-server, it would be nice if it did because then the actual updating of the feed would be so much more simple (just move/copy a file).

But, I hope it works :) Guess we’ll see next time there’s an update to spotify!

The script itself is a bit long and I hope not too badly documented, so it’s available in the link below: http://guldmyr.com/spotify/update.spotify.rss.feed.sh

Or, more easily, you can just add http://guldmyr.com/spotify/spot.xml to your RSS reader (google’s reader, mozilla’s thunderbird, there are many of them).

Some things I learned:

  • Latest post in an RSS feed is just below the header, making it a bit awkward to update via a script as you cannot just remove the </channel> and </rss>, add a new <item></item> and then add the </channel> and </rss> at the end again.
  • lastBuildDate in the header also needs to be updated each time the feed is updated. In the end I decided to re-create the file/feed completely every time there was an update.
  • Some rss-readers appear to have a built-in interval that they use to check if there’s an update. So for example you could update the rss-feed and press ‘refresh’ but the client still won’t show the new feeds. Google Reader does this for example. With Mozilla’s Thunderbird you can ask it to update (Get Messages) and it will. You don’t need an e-mail account in Thunderbird to use it as an RSS reader by the way.
  • http://feedvalidator.org is a great tool, use it.

I claim no responsibility if you actually use the script, the feed however should be fairly safe to subscribe to.
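The three lessons above (newest item directly under the header, lastBuildDate refreshed on every update, so regenerate the whole file) as an added example in Python, not the bash script from the post. Feed title, description and version numbers are constructed sample data; only the feed URL comes from the post.

```python
from datetime import datetime, timezone
from email.utils import format_datetime
from xml.etree import ElementTree as ET

# Feed header values; the URL is the one from the post, the rest is constructed.
FEED_TITLE = "Spotify for Linux updates"
FEED_LINK = "http://guldmyr.com/spotify/spot.xml"
FEED_DESC = "New versions spotted in the Spotify repository"


def rfc822(dt):
    """RSS 2.0 dates are RFC 822 style, e.g. 'Sat, 02 Jun 2012 10:00:00 +0000'."""
    return format_datetime(dt)


def sample_items():
    """Constructed example data, not the contents of the real feed."""
    return [
        {"title": "Spotify 0.8.3", "link": "http://repository.spotify.com/dists/stable/",
         "guid": "spotify-0.8.3", "description": "Version 0.8.3 appeared in the repository",
         "pubDate": datetime(2012, 5, 1, 12, 0, tzinfo=timezone.utc)},
    ]


def add_item(items, new_item):
    """Return a new list with new_item added, unless an item with the same guid
    already exists. The caller then rebuilds the whole feed from the list."""
    if any(i["guid"] == new_item["guid"] for i in items):
        return list(items)
    return list(items) + [new_item]


def build_feed(items, build_time):
    """Serialize the complete feed. Items go newest first, directly under the
    channel header, and lastBuildDate is refreshed, which is why the file is
    regenerated in full instead of being patched just before </channel>."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = FEED_TITLE
    ET.SubElement(channel, "link").text = FEED_LINK
    ET.SubElement(channel, "description").text = FEED_DESC
    ET.SubElement(channel, "lastBuildDate").text = rfc822(build_time)
    for item in sorted(items, key=lambda i: i["pubDate"], reverse=True):
        el = ET.SubElement(channel, "item")
        ET.SubElement(el, "title").text = item["title"]
        ET.SubElement(el, "link").text = item["link"]
        ET.SubElement(el, "guid", isPermaLink="false").text = item["guid"]
        # ElementTree escapes <, > and & in text, which an echo/sed approach would not.
        ET.SubElement(el, "description").text = item["description"]
        ET.SubElement(el, "pubDate").text = rfc822(item["pubDate"])
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(rss, encoding="unicode")


def parse_feed(xml_text):
    """Read a feed back: (lastBuildDate, [titles], [descriptions]) in document order."""
    channel = ET.fromstring(xml_text.encode("utf-8")).find("channel")
    items = channel.findall("item")
    return (channel.findtext("lastBuildDate"),
            [it.findtext("title") for it in items],
            [it.findtext("description") for it in items])


def run_example():
    """Simulate one update: a new version is found, the feed is rebuilt, then re-read."""
    new = {"title": "Spotify 0.8.4", "link": "http://repository.spotify.com/dists/stable/",
           "guid": "spotify-0.8.4", "description": "Version 0.8.4 <stable> & friends",
           "pubDate": datetime(2012, 6, 2, 9, 30, tzinfo=timezone.utc)}
    items = add_item(sample_items(), new)
    feed = build_feed(items, datetime(2012, 6, 2, 10, 0, tzinfo=timezone.utc))
    return parse_feed(feed)


if __name__ == "__main__":
    # Print the feed that would be uploaded as spot.xml after one update.
    print(build_feed(add_item(sample_items(), sample_items()[0]),
                     datetime.now(timezone.utc)))
```

Run the output through http://feedvalidator.org as the post suggests; the isPermaLink="false" guid is what lets readers tell a new item from a re-published one.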

Red Hat Certification – RHCE – KVM via CLI

In a previous post while preparing for RHCSA I installed kvm post-installation, via the GUI.

But how to install, configure and use it only from the CLI?

Virt-Manager

http://virt-manager.org/page/Main_Page has some details

As a test-machine I’m using a server with Scientific Linux 6.2 (with virtualization enabled as seen by ‘cat /proc/cpuinfo|grep vmx’).

None of the Virtualization Groups are installed, as seen by ‘yum grouplist’. While doing that you’ll find four different groups. You can use

yum groupinfo "Virtualization Client"

or correspondingly to get more information about the group.

yum groupinstall Virtualization "Virtualization Tools" "Virtualization Platform" "Virtualization Client"

This installs a lot of things. Libvirt, virt-manager, qemu, gnome and python things.

lsmod|grep kvm
service libvirtd start
lsmod|grep kvm

This also sets up a bridge-interface (virbr0).

Now, how to install a machine or connect to the hypervisor?

How to get console?

ssh -XYC user@kvmserver
virt-manager

did not work.

On the client you could try to do:

yum groupinstall "Virtualization Client"
yum install libvirt
virt-manager

Then start virt-manager and connect to your server. However this didn’t work for me either. Is virtualization needed on the client too?

No, it is not. First check that virtualization is enabled on the server. Look in /var/log/messages for

kernel: kvm: disabled by bios

If it says that you’ll need to go into BIOS / Processor Options / and enable Virtualization.

Then you can start virt-manager, check that you can connect to the KVMserver.

Copy a .iso to /var/lib/libvirt/images on the server.

Re-connect to the kvm-server in virt-manager.

Add a new VM called test. Using 6.2 net-install and NAT network interface. This may take a while.

Pointing the VM to kvm-server where a httpd is running (remember firewall rules) and an SL 6.2 is stored. Installing a Basic Server.

OK, we could use virt-manager, it’s quite straight-forward and doesn’t require any edits of config files at all.

Moving on to virsh.

To install a vm you use ‘virt-install’.

You can get lots of info from ‘virsh’

virsh pool-list
virsh vol-list default
virsh list
virsh list --all
virsh dumpxml test > /tmp/test.xml
cp /tmp/test.xml /tmp/new.xml

Edit new.xml

change name to new and remove line with UUID

virt-xml-validate /tmp/new.xml
virsh help create
virsh create --file /tmp/new.xml
virsh list

This creates a new VM that uses the same disk and setup. But, if you shut down this new domain, it will disappear from ‘virsh list --all’ and ‘virsh list’. To keep it you need to define it first:

virsh define --file /tmp/new.xml
virsh start new

This can become quite a bit more complicated. You would probably want to make clones (virt-clone) or snapshots (virsh help snapshot) instead of using the same disk file.

Making your own .xml from scratch looks fairly complicated. You could use ‘virt-install’ however.

virt-install --help
virt-install -n awesome -r 1024 --vcpus 1 --description=AWESOME --cdrom /var/lib/libvirt/images/CentOS-6.2-x86_64-netinstall.iso --os-type=linux --os-variant=rhel6 --disk path=/var/lib/libvirt/images/awesome,size=8 --hvm

For this the console actually works while running ‘virt-install’ over ssh on the kvm-server.

To edit a VM over ssh:

virsh edit NAMEOFVM

Red Hat Certification – RHCE – Course Outline

Howdy!

In case you saw my previous posts I’ve been prepping for a RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I’ve missed something or not gone deep enough into some subjects and for the record some subjects I decided to skip.

I’m taking the course over at Tieturi here in Helsinki and they have published the schedule for the course, with quite detailed outline.

This outline of the course can with benefit be used to see if you missed any terms or functions while going through the objectives.

I’ll go through the ones I find more interesting below:

Network Resource Access Controls

-Internet Protocol and Routing

OK, well this is quite obvious, some commands:

ip addr
ip route
route add
netstat -rn

IPv6

-IPv6: Dynamic Interface Configuration
-IPv6: StaticInterface Configuration
-IPv6: Routing Configuration

You can add IPV6 specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig

Some settings can also go into /etc/sysconfig/network

iptables

Netfilter Overview
-Rules: General Considerations
Connection Tracking
-Network Address Translation (NAT)
-IPv6 and ip6tables


Web Services

-Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

On server install and setup squid:

yum install squid
vi /etc/squid/squid.conf
#add this line in the right place:
acl localnet src 192.168.1.1/32
#allow port 3128 TCP in the firewall (use very strict access here)
service squid start

On client:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

Beware that this is unsecure. Very unsecure. You should at least set up a password for the proxy, change the default port and have as limited firewall rules as possible.

E-mail Services

-Simple Mail Transport Protocol
-Sendmail SMTP Restrictions
-Sendmail Operation


Securing Data

-The Need For Encryption

-Symmetric Encryption

Symmetric uses a secret/password to encrypt and decrypt a message.
You can use GnuPG (cli command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:

--symmetric/-c == symmetric cipher (CAST5 by default)
--force-mdc == if you don’t have this you’ll get “message was not integrity protected”

There are many more things you can specify.

echo "awesome secret message" > /tmp/file
gpg --symmetric --force-mdc /tmp/file
#(enter password)
#this creates a /tmp/file.gpg
#beware that /tmp/file still exists
#to decrypt:
gpg --decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message


-Asymmetric Encryption

Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.

GnuPG can let you handle this.

Login with a user called ‘labber’:

gpg --gen-key
# in this interactive dialog enter username: labber, e-mail and password
# this doesn't always work, might take _long_time_, eventually I just tried on another machine
echo "secret message" > /tmp/file
gpg -e -r labber /tmp/file
# encrypting to a public key needs no passphrase; this creates /tmp/file.gpg
gpg --decrypt /tmp/file.gpg
# enter password (the private key's passphrase is needed to decrypt)

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else’s public key?

-Public Key Infrastructures – PKI

Consists of:

  • CA – certificate authority – issues and verifies digital certificates
  • RA – registration authority – verifies the identity of users requesting info from the CA
  • central directory – used to store and index keys

-Digital Certificates

A certificate has user details and the public key.

Account Management

-Account Management
-Account Information (Name Service)
Name Service Switch (NSS)
Pluggable Authentication Modules (PAM)
-PAM Operation
-Utilities and Authentication


PAM

Basically a way to authenticate users. You can put different authentication methods behind PAM, so that a piece of software only needs to know how to authenticate against PAM and PAM takes care of the behind-the-scenes work.

For example you can have PAM connect to an ldap-server.

CLI: authconfig

Files:
/etc/sysconfig/authconfig
/etc/pam.d/
/etc/sssd/sssd.conf


Red Hat Certification – RHCE – Network Services – NTP

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

NTP:

You could possibly test this from Windows as well.

On linux it’s fairly straight-forward, you can use ntpd both as a client and as a server.

Check in /var/log/messages for details

The time-synchronization with ntpd is slow by design (to not overload or cause dramatic changes in the time set).

ntpdate sets the time instantly, but it is not recommended for that. It is useful for a quick check with ‘ntpdate -q’, which only queries the server without setting the time.

man ntp.conf
which in turn points to:
man ntp_acc
man ntp_auth
man ntp_clock
man ntp_misc

  • Install the packages needed to provide the service.
    • yum install ntp
  • Configure SELinux to support the service
    • nothing to configure??
  • Configure the service to start when the system is booted.
    • chkconfig ntpd on
  • Configure the service for basic operation.
    • /etc/ntp.conf
      • server ntp.server.com
    • service ntpd start
    • ntpq -p # to see status
  • Configure host-based and user-based security for the service
    • iptables
      • port 123 (UDP)

Enable ntpd as a client

What’s a bit backwards with ntpd is that you first need to configure the server as a client,

So that your local ntp-server gets good time from somewhere else. You can find a good time-server to use on www.pool.ntp.org

You only need to add one server line but for redundancy you should probably have more than one.

As an example, say your client is on 192.168.0.0/24 and the server is on 192.168.1.0/24.

For the client part, all you need to do is:

server ntp.example.com
service ntpd restart
ntpq -p


Enable ntpd as a server

You need to add a restrict line in ntp.conf.

You also need to allow port 123 UDP in the firewall.

restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
service ntpd restart
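Two checks that go with the client step (reading ‘ntpq -p’) and the server step (the restrict line) above, as an added example that is not part of the original post. It assumes nothing about your hosts: the ntp.conf and the ‘ntpq -p’ output are constructed and written to a temp dir. The ‘restrict default kod nomodify notrap nopeer noquery’ line is the stock RHEL 6 default; without any ‘restrict default’ line every host may query and modify the daemon. Note that ‘noquery’ only blocks ntpq/ntpdc status queries from remote hosts, it does not stop them from getting time.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers for an ntpd setup:
#   ntp_restrict_lint  - reads an ntp.conf and flags restrict entries that let
#                        remote hosts modify the daemon (no 'nomodify'), and a
#                        missing 'restrict default' line (then every host is
#                        unrestricted).
#   ntp_peer_status    - reads 'ntpq -p' output and reports whether a peer has
#                        been selected (tally code '*') and which peers never
#                        answered (reach == 0).
# All input is constructed and written to a temp dir, never to /etc.

NTP_TMP=$(mktemp -d)

# Constructed ntp.conf: the post's subnet line plus the stock RHEL 6 default
# line, and one deliberately sloppy entry (10.0.0.0/8 without nomodify).
cat > "$NTP_TMP/ntp.conf" <<'EOF'
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
restrict 10.0.0.0 mask 255.0.0.0
server 0.pool.ntp.org
server 1.pool.ntp.org
EOF

# ntp_restrict_lint FILE -> prints one finding per line, exit 1 if any
ntp_restrict_lint() {
    awk '
        $1 == "restrict" {
            if ($2 == "default") have_default = 1
            if ($2 == "127.0.0.1" || $2 == "::1") next   # localhost may query/modify
            nomod = 0
            for (i = 3; i <= NF; i++) if ($i == "nomodify") nomod = 1
            if (!nomod) { print "MODIFIABLE " $2; bad = 1 }
        }
        END {
            if (!have_default) { print "NO-DEFAULT-RESTRICT"; bad = 1 }
            exit bad ? 1 : 0
        }' "$1"
}

# Constructed 'ntpq -p' output. Column 1 carries the tally code ('*' selected
# system peer, '+' candidate, ' ' discarded); 'reach' is an octal shift
# register of the last eight polls (377 = all answered, 0 = none).
cat > "$NTP_TMP/ntpq.txt" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.co 192.0.2.10       2 u   34   64  377    1.234    0.567   0.123
+ntp2.example.co 192.0.2.11       2 u   12   64  377    2.345   -1.234   0.456
 ntp3.example.co .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF

# ntp_peer_status FILE -> "synced <peer>" and exit 0 when a '*' peer exists,
# otherwise "unsynced" and exit 1; also lists peers with reach 0
ntp_peer_status() {
    awk '
        NR <= 2 { next }                                  # header and separator
        {
            tally = substr($0, 1, 1)
            peer = (tally == " ") ? $1 : substr($1, 2)    # strip the tally code
            if ($7 == "0") print "unreachable " peer
            if (tally == "*") { print "synced " peer; synced = 1 }
        }
        END { if (!synced) print "unsynced"; exit synced ? 0 : 1 }' "$1"
}

# Stand-alone usage: show the findings for the constructed files.
ntp_restrict_lint "$NTP_TMP/ntp.conf" || echo "ntp.conf needs attention"
ntp_peer_status "$NTP_TMP/ntpq.txt" || echo "not synchronised yet"
```

Run it against your real files with ntp_restrict_lint /etc/ntp.conf and ntpq -p > /tmp/ntpq.txt; ntp_peer_status /tmp/ntpq.txt. A peer with reach 0 and refid .INIT. has never answered, which is the usual symptom of UDP 123 being blocked in the firewall.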

Client to use your ntp server

Basically the same as the above for client, but you specify the address to your NTP-server instead of one from pool.ntp.org.

Extra

  • Synchronize time using other NTP peers.

I believe this has been covered.

More Extra

One extra thing you may want to check out is the ‘tinker’ command.

This goes at the top of ntp.conf, and more info is available in ‘man ntp_misc’.

However, most of the time you just need to wait a bit for the time change to come through.

tcpdump

There is not much in the logs on either the server or the client for ntpd. You will get messages in /var/log/messages that say “synchronized”, and when the service starts.

You can also use tcpdump on the server to see if there are any packets coming in.

tcpdump -i eth0 -w /tmp/tcmpdump.123 -s0 'udp port 123 and host NTP.CLIENT.IP'
# wait a while, restart ntpd on client
tcpdump -r /tmp/tcmpdump.123
# this will then show some packets if you have a working communication between server and client

To test that it’s working

Start with the server still connecting to an ntp-server with good time.

You could then set the date and time manually on the server to something else. For example, let’s say the current time is 6 JUN 2012 17:15:00.

Set it to 15 minutes before:

date -s "6 JUN 2012 17:00:00"
service ntpd restart

Also restart ntpd on the client, then wait, this will probably take a bit longer than before.

If you set the time manually too far off, it won’t work. You could then experiment with ‘tinker panic 0’.

Red Hat Certification – RHCE – Network Services – ssh

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

SSH:

To test from Windows you can use PuTTY.

But in linux you just need ssh for client and sshd for server.

man 5 sshd_config and this blogpost has an overview.

  • Install the packages needed to provide the service.
    • yum install openssh
  • Configure SELinux to support the service
    • getsebool -a|grep ssh
  • Configure the service to start when the system is booted.
    • chkconfig sshd on
  • Configure the service for basic operation.
    • /etc/ssh/sshd_config
  • Configure host-based and user-based security for the service
    • iptables
      • port 22 (TCP)
    • TCP wrappers (/etc/hosts.allow and /etc/hosts.deny)


TCP Wrapper

More info in man tcpd and man 5 hosts_access

Check that your daemon supports it:

which sshd
ldd /usr/sbin/sshd|grep wrap

For this test, let’s say that the server you are configuring has IP/netmask 192.168.1.1/24 and that you have a client on 192.168.0.0/24

cat /etc/hosts.allow

sshd: 192.168.0.0/255.255.255.0
sshd: ALL : twist /bin/echo DEATH

The last row sends a special message to a client connecting from a non-allowed network.

cat /etc/hosts.deny

ALL: ALL

If, on the server with these settings, you try “ssh -v root@localhost” or “ssh -v root@192.168.1.1”, you’ll get the message from twist.

If you add this to hosts.allow:

sshd: KNOWN

You can log on to the localhost, but not if you add “LOCAL”.

If you add

sshd: 192.168.1.

you can log on from localhost to the public IP of the server.
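A way to predict what tcpd will do with the two files above before you lock yourself out, as an added example that is not part of the original post. It is a small simulator of the libwrap decision, not libwrap itself: first match in hosts.allow grants (unless the rule carries a ‘twist’, which replaces the service and so effectively denies), then first match in hosts.deny denies, otherwise access is granted. Only the client patterns used on this page are understood (ALL, net/mask, a trailing-dot prefix such as 192.168.1., and a plain IPv4 address); KNOWN, LOCAL and hostnames are not simulated. The files are constructed copies of the ones above, in a temp dir.

```shell
#!/bin/sh
# Added example, not from the original post: a small simulator of how tcpd /
# libwrap decides on a connection from hosts.allow and hosts.deny, so the
# outcome can be predicted before locking yourself out of sshd. Rules are
# evaluated in tcpd's order: first match in hosts.allow grants (unless it
# carries a 'twist', which replaces the service and therefore denies), else
# first match in hosts.deny denies, else access is granted. Only the client
# patterns used on this page are understood: ALL, net/mask, a trailing-dot
# prefix such as 192.168.1., and a plain IPv4 address (KNOWN, LOCAL and
# hostnames are not simulated). The files are constructed, in a temp dir.

WRAP_TMP=$(mktemp -d)
cat > "$WRAP_TMP/hosts.allow" <<'EOF'
# lab network and the server's own subnet; everybody else gets the twist
sshd: 192.168.0.0/255.255.255.0
sshd: 192.168.1.
sshd: ALL : twist /bin/echo DEATH
EOF
cat > "$WRAP_TMP/hosts.deny" <<'EOF'
ALL: ALL
EOF

# pattern_match PATTERN IP -> exit 0 when PATTERN covers IP
pattern_match() {
    pat=$1 ip=$2
    case $pat in
        ALL) return 0 ;;
        */*) # net/mask: compare (ip AND mask) with net, octet by octet;
             # done in awk because sh has no bitwise operators
             awk -v net="${pat%/*}" -v mask="${pat#*/}" -v ip="$ip" 'BEGIN {
                 split(net, n, "."); split(mask, m, "."); split(ip, a, ".")
                 for (i = 1; i <= 4; i++) {
                     b = 0
                     for (bit = 128; bit >= 1; bit /= 2)
                         if (int(a[i] / bit) % 2 && int(m[i] / bit) % 2) b += bit
                     if (b != n[i] + 0) exit 1
                 }
                 exit 0 }' ;;
        *.)  case $ip in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$pat" = "$ip" ] ;;
    esac
}

# rules_match FILE DAEMON IP -> prints the option field of the first matching
# rule (empty when none) and exits 0; exits 1 when no rule matches
rules_match() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | {
        while IFS= read -r line; do
            daemons=$(echo "$line" | cut -d: -f1 | tr ',' ' ')
            clients=$(echo "$line" | cut -d: -f2 | tr ',' ' ')
            option=$(echo "$line" | cut -d: -f3- | sed 's/^[[:space:]]*//')
            dmatch=1
            for d in $daemons; do
                [ "$d" = ALL ] || [ "$d" = "$2" ] && dmatch=0
            done
            [ $dmatch -eq 0 ] || continue
            for c in $clients; do
                if pattern_match "$c" "$3"; then
                    echo "$option"
                    exit 0            # leaves the pipeline subshell
                fi
            done
        done
        exit 1
    }
}

# hosts_access DAEMON IP -> allow | deny | deny (twist: ...) | allow (no rule)
hosts_access() {
    if opt=$(rules_match "$WRAP_TMP/hosts.allow" "$1" "$2"); then
        case $opt in
            twist*) echo "deny (twist: ${opt#twist })" ;;
            *)      echo "allow" ;;
        esac
    elif rules_match "$WRAP_TMP/hosts.deny" "$1" "$2" >/dev/null; then
        echo "deny"
    else
        echo "allow (no rule matched)"
    fi
}

# Stand-alone usage: the cases discussed in the post
for ip in 192.168.0.5 192.168.1.1 127.0.0.1 10.9.9.9; do
    echo "sshd from $ip: $(hosts_access sshd "$ip")"
done
echo "vsftpd from 192.168.0.5: $(hosts_access vsftpd 192.168.0.5)"
```

Point WRAP_TMP at /etc to check the live files. The localhost case shows why the post needed the extra ‘sshd: 192.168.1.’ line: with only the subnet rule and the ALL twist, a connection from 127.0.0.1 hits the twist.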

Extra

  • Configure key-based authentication.
    • ssh-keygen
    • ssh-copy-id user@host
    • ssh user@host
    • set PasswordAuthentication to no in sshd_config
    • service sshd restart
  • Configure additional options described in documentation.
    • many things can be done, see “man 5 sshd_config”
    • ChrootDirectory looks quite cool but requires a bit of work
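A check worth running after the “set PasswordAuthentication to no” step, as an added example that is not part of the original post: sshd reads sshd_config from the top and, for most keywords, the first uncommented value wins (see ‘man 5 sshd_config’), so appending ‘PasswordAuthentication no’ below an earlier ‘PasswordAuthentication yes’ changes nothing. The function names and the config file are assumptions of this example; the file is constructed in a temp dir.

```shell
#!/bin/sh
# Added example, not from the original post. sshd reads sshd_config top to
# bottom and, for most keywords, the FIRST uncommented value wins (man 5
# sshd_config), so appending 'PasswordAuthentication no' below an earlier
# 'PasswordAuthentication yes' changes nothing. sshd_effective prints the
# value sshd will actually use. The file below is constructed (temp dir).

SSHD_TMP=$(mktemp -d)
cat > "$SSHD_TMP/sshd_config" <<'EOF'
#PasswordAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
# appended later by an admin who expected it to take effect:
PasswordAuthentication no
EOF

# sshd_effective FILE KEYWORD -> prints the first active value, exit 1 if unset.
# Keywords are case-insensitive; 'Key value' and 'Key=value' are both accepted;
# scanning stops at the first 'Match' block because later values are conditional.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }             # comments, blank lines
        {
            sub(/^[ \t]+/, "")
            sub(/[ \t]*=[ \t]*/, " ")                  # Key=value -> Key value
            k = tolower($1)
            if (k == "match") exit
            if (k == key) {
                v = $0; sub(/^[^ \t]+[ \t]+/, "", v)
                print v; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# sshd_password_auth_off FILE -> exit 0 only if sshd would refuse passwords
# (the keyword defaults to yes when absent)
sshd_password_auth_off() {
    v=$(sshd_effective "$1" PasswordAuthentication) || v=yes
    [ "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" = no ]
}

# Stand-alone usage: the appended 'no' is ignored, the earlier 'yes' wins
echo "PasswordAuthentication -> $(sshd_effective "$SSHD_TMP/sshd_config" PasswordAuthentication)"
sshd_password_auth_off "$SSHD_TMP/sshd_config" || echo "password logins still enabled"
```

On a live box the authoritative answer is ‘sshd -T | grep -i passwordauthentication’, which prints the effective configuration; the helper above is for the exam-style situation where you can only read the file.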

Red Hat Certification – RHCE – Network Services – e-mail

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

SMTP:

Hackmode has a good article about setting up postfix for the first time.

To test that e-mail is working you can – tada – use an e-mail client.

You have lots of details in /usr/share/doc/postfix-N ( the path should be in /etc/postfix/main.cf )

  • Install the packages needed to provide the service.
    • yum install postfix
  • Configure SELinux to support the service
    • getsebool -a|grep postfix
  • Configure the service to start when the system is booted.
    • chkconfig postfix on
  • Configure the service for basic operation.
    • set hostname to host.example.com
    • /etc/postfix/main.cf and define (this assumes hostname is host.example.com):
      • myhostname = host.example.com
      • mydomain = example.com
      • myorigin = $mydomain
      • inet_interfaces = all
      • mydestination = add $mydomain to the default one
      • home_mailbox = Maildir/
      • Update firewall to allow port 25 tcp
      • Test with: nc localhost 25
  • Configure host-based and user-based security for the service
    • iptables or $mynetworks in main.cf
    • user: postmap

In CLI (important to use ‘ and not “):

#hostname - record the output of this
postconf -e 'myhostname = output from hostname in here'
#hostname -d
postconf -e 'mydomain = output from hostname -d in here'
postconf -e 'myorigin = $mydomain'
# note the plural: the parameter is inet_interfaces, a misspelt name is ignored
postconf -e 'inet_interfaces = all'
postconf -e 'mydestination = $myhostname, localhost, $mydomain'
postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128, /32'
postconf -e 'relay_domains = $mydestination'
postconf -e 'home_mailbox = Maildir/'

To use it:

useradd -s /sbin/nologin labber
passwd labber

Edit /etc/aliases and add:

labber: labber

Then run:

newaliases
service postfix start
service postfix status
netstat -nlp|grep master

Send e-mail:

mail -s "Test e-mail here" labber@mydomain
test123
.

The single . on a line at the end is quite nice: it ends the message input.

Check e-mail:

cat /home/labber/Maildir/new/*

Real E-mail Client

But, perhaps you want to check this out with a real e-mail client like thunderbird 10.

For this there needs to be an e-mail server that stores the e-mails on the server side and serves them to the client.

For this we can use ‘dovecot’

yum install dovecot
service dovecot start

  1. Update iptables to allow ports 25 and 143 (TCP)
  2. Update main.cf to allow from your IP
  3. Restart services
  4. Add new account in thunderbird –
    1. do use the IP address of your server, not the DNS
    2. do not use SMTP security (or username), but use password authentication
    3. do use IMAP STARTTLS security, username: labber, password auth

Thunderbird is quite nice, it will often tell you which setting is wrong.

You can use /var/log/maillog for details on the server-side (to see if you get connections at all for example).


Deny a User

To illustrate this feature we first need to add a second user/e-mail account:

useradd -s /sbin/nologin labrat
passwd labrat
echo "labrat: labrat" >> /etc/aliases
newaliases
service postfix restart
service dovecot restart
mail -s "test" labrat@mydomain

You need to send an e-mail to the e-mail address before you can add it in Thunderbird (because the user does not have a $HOME/Maildir until you do).

After the new user has been created and added to your e-mail client do the following:

cd /etc/postfix
echo "labber@mydomain REJECT" >> sender_access
postmap hash:sender_access
echo "smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access" >> /etc/postfix/main.cf
service postfix restart
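To see why one line in sender_access can catch more than the literal address, here is a simulation of the lookup order Postfix uses for check_sender_access (described in ‘man 5 access’), as an added example that is not part of the original post. For user@domain the keys tried are, in order: the full address, the domain, each parent domain (with the default parent_domain_matches_subdomains setting), then user@. The key is folded to lower case, as postmap does by default. The map is constructed; ‘mydomain’ is the placeholder used in the post, and the extra spam.example and postmaster@ entries are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: a simulation of the lookup order
# Postfix uses for check_sender_access (see man 5 access) so you can see why
# one map line can catch more than the literal address. For user@domain the
# keys tried are, in order: the full address, the domain, each parent domain
# (with the default parent_domain_matches_subdomains setting), then user@.
# The key is folded to lower case, as postmap does by default. The map is
# constructed; 'mydomain' is the placeholder used in the post.

PF_TMP=$(mktemp -d)
cat > "$PF_TMP/sender_access" <<'EOF'
labber@mydomain        REJECT
spam.example           REJECT
postmaster@            OK
EOF

# access_lookup MAPFILE ADDRESS -> prints "<matching key> -> <action>" and
# exits 0, or prints "no match (DUNNO)" and exits 1
access_lookup() {
    map=$1
    addr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    user=${addr%@*} domain=${addr#*@}
    keys="$addr $domain"
    d=$domain
    while [ "${d#*.}" != "$d" ]; do        # walk up: a.b.c -> b.c -> c
        d=${d#*.}
        keys="$keys $d"
    done
    keys="$keys $user@"
    for k in $keys; do
        action=$(awk -v k="$k" '$1 == k { print $2; found = 1; exit }
                                END { exit found ? 0 : 1 }' "$map") || continue
        echo "$k -> $action"
        return 0
    done
    echo "no match (DUNNO)"
    return 1
}

# Stand-alone usage: the address rejected in the post, and the wider matches
for a in labber@mydomain labrat@mydomain someone@mail.spam.example postmaster@elsewhere.test; do
    echo "$a: $(access_lookup "$PF_TMP/sender_access" "$a")"
done
```

On the real server the same answer comes from ‘postmap -q labber@mydomain hash:/etc/postfix/sender_access’ for a single key; the helper above only adds the order in which Postfix tries the keys.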

Try:

  • to send an e-mail from and to both accounts

Extra

  • Configure a mail transfer agent (MTA) to accept inbound email from other systems.
    • inet_interfaces = all
  • Configure an MTA to forward (relay) email through a smart host.
    • relayhost=hostname.domain.com

If I understand this correctly, to set up the above two we would need two servers.

Red Hat Certification – RHCE – Network Services – SMB

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

SMB:

Testing an SMB server may be quite easy from Windows, but from Linux I suppose it’s a bit trickier.

The CLI client is called ‘smbclient’

The tool to set passwords: ‘smbpasswd’

You can also get some information with commands starting with ‘net’, for example ‘net -U username session’

testparm is another tool you can use to test that the config file – smb.conf – is not missing anything structural or in syntax.

The server is called ‘samba’.

There are more packages, for example ‘samba-doc’ and samba4. You can find them by typing ‘yum install samba*’.

samba-doc installs lots of files in /usr/share/doc/samba*

  • Install the packages needed to provide the service.
    • yum install samba
  • Configure SELinux to support the service
    • getsebool -a |grep smb; getsebool -a|grep samba
    • /etc/samba/smb.conf # has some information about selinux
  • Configure the service to start when the system is booted.
    • chkconfig smb on
  • Configure the service for basic operation.
    • server#: open firewall (check man smb.conf, port 445 and 139 are mentioned)
    • server#: mkdir /samba; chcon -t type_in_smb_conf /samba
    • server#: edit /etc/samba/smb.conf:
      • copy an existing share – make it browseable and allow guest to access
    • server#: service smb start
    • server#: touch /samba/fileonshare
    • client#: smbclient \\\\ip.to.smb.server\\share
      • hit enter and it will attempt to log in as anonymous (guest)
    • client#: get fileonshare
  • Configure host-based and user-based security for the service
    • server#: check that ‘security = user’ in smb.conf.
    • server#: add “writable = yes” or “read only = no” to the share in smb.conf
    • server#: smbpasswd -a username
    • server#: mkdir /samba/upload
    • server#: chown username /samba/upload
    • server#: chmod 777 /samba/upload
    • client#: smbclient -U username \\\\ip.to.smb.server\\share
    • client#: cd upload; mkdir newfolder; cd newfolder
    • client#: put file

Extra

  • Provide network shares to specific clients.
    • things you can set on the share:
      • write list = +staff
      • invalid users =
      • valid users =
      • hosts allow = 192.168.0.0/255.255.255.0
      • hosts deny =
  • Provide network shares suitable for group collaboration.
    • groupadd staff
    • usermod -a -G staff bosse
    • chown root.staff /samba/upload
    • chmod 775 /samba/upload
    • connect with bosse – do things,
    • connect with another user – can you do things?
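A lint for smb.conf that checks whether the controls from the Extra section (‘hosts allow’, ‘valid users’, ‘write list’) are actually present on the writable shares, as an added example that is not part of the original post. It flags a share that is both writable and ‘guest ok’, and a writable share with none of the three restrictions. Parameter names are compared case-insensitively with whitespace removed, as smbd does; ‘writable’, ‘writeable’ and ‘read only = no’ are all understood. The smb.conf below is constructed (the share names are made up for the example) and lives in a temp dir.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for smb.conf that reports
# shares where the 'hosts allow' / 'valid users' / 'write list' controls from
# the Extra section are missing. Findings: GUEST_WRITABLE (guest ok = yes on a
# writable share) and WRITABLE_UNRESTRICTED (writable share with none of
# valid users, write list or hosts allow set). Parameter names are compared
# case-insensitively with whitespace removed, as smbd does; 'writable',
# 'writeable' and 'read only = no' are all understood. The file is constructed.

SMB_TMP=$(mktemp -d)
cat > "$SMB_TMP/smb.conf" <<'EOF'
[global]
    workgroup = MYGROUP
    security = user

[public]
    path = /samba
    browseable = yes
    guest ok = yes
    read only = yes

[upload]
    path = /samba/upload
    writable = yes
    valid users = +staff
    hosts allow = 192.168.0.0/255.255.255.0

[scratch]
    path = /samba/scratch
    read only = no

[dropbox]
    path = /samba/dropbox
    guest ok = yes
    writeable = yes
EOF

# smb_share_lint FILE -> one finding per line, exit 1 if any
smb_share_lint() {
    awk -F= '
        function flush() {
            if (share == "" || share == "global") return
            if (guest && writable)            { print "GUEST_WRITABLE " share; bad = 1 }
            else if (writable && !restricted) { print "WRITABLE_UNRESTRICTED " share; bad = 1 }
        }
        /^[ \t]*[#;]/ || NF == 0 { next }
        /^[ \t]*\[/ {
            flush()
            share = $0; sub(/^[ \t]*\[/, "", share); sub(/\].*/, "", share)
            guest = 0; writable = 0; restricted = 0
            next
        }
        share != "" {
            k = tolower($1); gsub(/[ \t]/, "", k)
            v = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "guestok" && v == "yes") guest = 1
            if ((k == "writable" || k == "writeable") && v == "yes") writable = 1
            if (k == "readonly" && v == "no") writable = 1
            if (k == "validusers" || k == "writelist" || k == "hostsallow") restricted = 1
        }
        END { flush(); exit bad ? 1 : 0 }' "$1"
}

# Stand-alone usage
smb_share_lint "$SMB_TMP/smb.conf" || echo "tighten the flagged shares"
```

testparm checks syntax; this check is about intent, so run both: ‘testparm -s’ first, then smb_share_lint /etc/samba/smb.conf.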

Red Hat Certification – RHCE – Network Services – NFS

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

NFS:

Testing an NFS server is generally easier from another linux-server.

  • Install the packages needed to provide the service.
    • yum install nfs ?? (already installed on mine)
  • Configure SELinux to support the service
    • getsebool -a |grep nfs
  • Configure the service to start when the system is booted.
    • chkconfig nfs on
    • edit /etc/fstab on the client to mount on boot
  • Configure the service for basic operation.
    • server#: mkdir /foo
    • server#: vi /etc/exports
      • /foo          192.168.0.0/24(rw)
    • server#: iptables – port 2049 tcp and udp
    • server#: service nfs start
    • client#: mount -t nfs IP:/foo /mnt
    • server#: mkdir /foo/upload
    • server#: chown username.username /foo/upload
    • server#: chmod 777 /foo/upload
    • client#: touch /mnt/upload/file2
    • server#: cd /net/ip.to.server/foo
  • Configure host-based and user-based security for the service
    • iptables to deny hosts
    • add permissions appropriately in /etc/exports
      • man exports

Extra

  • Provide network shares to specific clients.
    • Add a new folder / line in /etc/exports and only allow certain clients to connect to it
  • Provide network shares suitable for group collaboration.
    • With the help of permissions. Use unix group ID number or names.
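A lint for /etc/exports that catches the mistakes most worth catching before ‘service nfs start’, as an added example that is not part of the original post: an export to the world (‘*’ as the client, or an options list separated from its client by a space, which ‘man 5 exports’ warns is exported to everyone) and no_root_squash (remote root stays root on the exported tree). The exports file is constructed; the paths other than the post’s /foo are made up for the example, and everything is written to a temp dir.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for /etc/exports that
# catches the two mistakes most worth catching before 'service nfs start':
# an export to the world ('*' as the client, or an options list separated
# from its client by a space, which man 5 exports explains is exported to
# everyone) and no_root_squash (remote root becomes root on the exported
# tree). The exports file is constructed and written to a temp dir.

EXP_TMP=$(mktemp -d)
cat > "$EXP_TMP/exports" <<'EOF'
# the post's export: client spec and options joined, no space
/foo          192.168.0.0/24(rw)
# the space before (rw) makes two exports: 192.168.0.0/24 with default
# options (ro) and the world with rw
/srv/backup   192.168.0.0/24 (rw)
# explicit world export
/srv/public   *(ro)
# remote root keeps root privileges here
/srv/build    build01.example(rw,no_root_squash)
EOF

# exports_lint FILE -> one finding per line, exit 1 if any finding
exports_lint() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                tok = $i
                p = index(tok, "(")
                if (p == 1)      { host = "*"; opts = tok }               # bare (opts): world
                else if (p > 1)  { host = substr(tok, 1, p - 1); opts = substr(tok, p) }
                else             { host = tok; opts = "defaults" }        # no options: ro etc.
                gsub(/[()]/, "", opts)
                if (host == "*")              { print "WORLD " path " " opts; bad = 1 }
                if (opts ~ /no_root_squash/)  { print "NO_ROOT_SQUASH " path " " host; bad = 1 }
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Stand-alone usage
exports_lint "$EXP_TMP/exports" || echo "fix /etc/exports before exporting"
```

After editing, ‘exportfs -ra’ and ‘exportfs -v’ show what the kernel actually exports, which is the final word; the lint just reads the file the way the parser will.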

Red Hat Certification – RHCE – Network Services – FTP

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

FTP:

An ftp-server is also quite easy to test. You can test it from many web-browsers, telnet, ftp, lftp or a myriad of other clients.

  • Install the packages needed to provide the service.
    • yum install vsftpd
  • Configure SELinux to support the service
    • this might be more interesting, you may need to do some magic here for sharing files
    • getsebool -a|grep ftp
  • Configure the service to start when the system is booted.
    • chkconfig vsftpd on
  • Configure the service for basic operation.
    • for basic – only open firewall then start the service
    • that is enough for anonymous read to /var/ftp/pub/
      • cp /root/anaconda-ks.cfg /var/ftp/pub/
      • chmod 755 /var/ftp/pub/anaconda-ks.cfg
  • Configure host-based and user-based security for the service
    • iptables to deny hosts
    • you can deny users by putting them in /etc/vsftpd/ftpusers and/or user_list
    • in vsftpd.conf there is a tcp_wrappers variable

Extra

  • Configure anonymous-only download
    • Deny all other users :)