Tag Archives: proxy

Red Hat Certification – RHCE – Course Outline

Howdy!

In case you saw my previous posts I’ve been prepping for a RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I’ve missed something or not gone deep enough into some subjects and for the record some subjects I decided to skip.

I’m taking the course over at Tieturi here in Helsinki and they have published the schedule for the course, with quite detailed outline.

This outline of the course can with benefit be used to see if you missed any terms or functions while going through the objectives.

I’ll go through the ones I find more interesting below:

Network Resource Access Controls

-Internet Protocol and Routing

OK, well this is quite obvious, some commands:

ip addr
ip route
route add
netstat -rn

IPv6

-IPv6: Dynamic Interface Configuration
-IPv6: StaticInterface Configuration
-IPv6: Routing Configuration

You can add IPV6 specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig

Some settings can also go into /etc/sysconfig/network

iptables

Netfilter Overview
-Rules: General Considerations
Connection Tracking
-Network Address Translation (NAT)
-IPv6 and ip6tables

 

Web Services

-Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

On server install and setup squid:

yum install squid
vi /etc/squid/squid.conf
#add this line in the right place:
acl localnet src 192.168.1.1/32
#allow port 3128 TCP in the firewall (use very strict access here)
service squid start

On client:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

Beware that this is unsecure. Very unsecure. You should at least set up a password for the proxy, change the default port and have as limited firewall rules as possible.

E-mail Services

-Simple Mail Transport Protocol
-Sendmail SMTP Restrictions
-Sendmail Operation

 

Securing Data

-The Need For Encryption

-Symmetric Encryption

Symmetric uses a secret/password to encrypt and decrypt a message.
You can use GnuPG (cli command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:

–symmetric/-c == symmetric cipher (CAST5 by default)
–force-mdc == if you don’t have this you’ll get “message was not integrity protected”

There are many more things you can specify.

echo "awesome secret message" > /tmp/file
gpg --symmetric --force-mdc /tmp/file
#(enter password)
#this creates a /tmp/file.gpg
#beware that /tmp/file still exists
#to decrypt:
gpg --decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message

 

-Asymmetric Encryption

Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.

GnuPG can let you handle this.

Login with a user called ‘labber’:

gpg --gen-key
# in this interactive dialog enter username: labber, e-mail and password
# this doesn't always work, might take _long_time_, eventually I just tried on another machine
echo "secret message" > /tmp/file
gpg -e -r labber /tmp/file
# enter password
gpg --decrypt /tmp/file
# enter password

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else’s public key?

-Public Key Infrastructures – PKI

Consists of:

  • CA – certificate authority – issues and verifies digital certiciates
  • RA – registration authoriy – verifies user identity requesting info from the CA
  • central directory – used to store and index keys

-Digital Certificates

A certificate has user details and the public key.

Account Management

-Account Management
-Account Information (Name Service)
Name Service Switch (NSS)
Pluggable Authentication Modules (PAM)
-PAM Operation
-Utilities and Authentication

 

PAM

Basically a way to authenticate users. You can put different types of authentication ways behind PAM. So that a software only needs to learn to authenticate to PAM and then PAM takes care of the behind-the-scenes-work.

For example you can have PAM connect to an ldap-server.

CLI: authconfig

Files:
/etc/sysconfig/authconfig
/etc/pam.d/
/etc/sssd/sssd.conf

 

Installing Squid 3.2 on CentOS 5.3

Giving this one a shot :) I will be compiling it myself as well.

Squid for those who do not know is a proxy server.
Proxys can be used for many things, but one great thing if you have a thinner connection to the Internet, you can use this to speed things up a bit. What it does is when you surf the web, the things you download are actually first downloaded to the proxy, and then your browser downloads it automagically from the proxy. If you afterwards browse to the same page the proxy should provide you with a cached copy and not re-download the whole page again.

Downloading/compiling

It’s a good idea to not run any service as root.

  1. Download it from http://www.squid-cache.org/ there are many options to chose from. Stable, unstable, 3.2, 3.1 etc. I just took a recent developer build from the 3.2 chain – squid-3.2.0.6.
  2. Untar this somewhere, doesn’t matter where. Move directory and:

To get the program to install itself in a location where you have access, you need to specify that while running the configure check.

You do this with:

./configure –prefix=/home/user/bin/squid-install

or wherever you want to put it. I just put it directly in /home/user/squid-inst.

If that completes without errors next step is to: make; make install. This will compile and then install it in the directory you specified above. After that completes sucessfully you can delete/hide the directory. I hide it just in case I want to change something in the configure or whatever.

Then it’s time to configure!

Now proxy servers you need to put some kind of authentication on. Unless you want a hoard of unwanted visitors.

There are a gazillion of different settings in the squid.conf.documented.

Configuration is done via ~/squid-inst/etc/squid.conf

cache_dir ufs /usr/local/squid/cache 100 16 256
The value 100 denotes 100MB cache size. This can be adjusted to the required size.
http_port 3128
This is the port you will be connecting to. Make sure you do not set one that other services on the machine uses. Might be a good idea to use a non-standard as well, to prevent some from “stumbling” onto it and trying to brute-force it.

Starting squid

  1. create cache directories with ~/squid-inst/sbin/squid -z
  2. run it in debug ~/squid-inst/sbin/squid -NCd1

If everything is working fine, then your console displays: “Ready to serve requests”.

You can now surf to your http://host:port

However, you cannot use it as a cache yet.

You need to set up the http_access part. The ACL – access list.

This can be complicated.

See here for some examples of that: http://wiki.squid-cache.org/SquidFaq/SquidAcl

However, all you “need” is as below. First, find out your IP-address. Let’s say it’s 12.24.48.96 for the fun of it. You can see what it is by surfing to www.ripe.net

add this somewhere on top near the other “acl” entries:

acl me src 12.24.48.0/24

Then a bit further down

http_access allow me

Now if you want to you can be more tight with the security, and you probably should.
The setting above means that everybody on that subnet can use your proxy server.
For example you might want to change it to only your IP – if you have a static one.

acl me src 12.24.48.96/32

If you change something in the configuration, you can do this to stop squid:

~/squid-inst/sbin/squid -k kill

~/squid-inst/sbin/squid &

is used to start it in a daemon mode (keeps running after you log off your shell).

There are other ways to set up password checks (used to be with .htpasswd) but I have no need for this today. I’ll have a look into it some other day :)
Also this proxy is transparent – meaning if you connect somewhere, people can see that you are indeed connecting through a proxy.

But first you need to set your browser to use the proxy, you do this under network settings.

Happy proxying!