Tag Archives: studying

Brocade Certified Professional Data Center Track – Check!

After ~49 posts on this blog on the topic of Brocade, the first larger block is finally complete: the Brocade Certified Professional Data Center Track (BCPDC)!

What’s that? Brocade has several (4) tracks which consist of certifications/accreditations; some are shared between the tracks and some are only in one track.
Currently, after completing 3 out of 4 you get the title Brocade Distinguished Architect! Woop!

It took me ~3.5 years (counting since the first blog post about BCFA (certified fabric administrator)) to complete all the prerequisites for BCPDC, but naturally I didn’t do it as fast as I could. I was patient, and many of the certificates I got by signing up for Brocade’s beta tests of their certs.

Not that many certificates left to take, actually, before I can complete another track.
Most of the remaining ones are labeled accreditations, which are unproctored tests one does at home.

  • For Brocade Certified Professional Converged Networking (BCPCN) I have 3 accreditations left (Fabric Specialist, FCoE Specialist and Ethernet Fabric Support Specialist) and 1 certification: Ethernet Fabric Professional 2013. For the certification I have signed up for the free one I mentioned in an earlier blog post.
  • For Brocade Certified Professional FICON (BCPF) there’s one accreditation (Accredited FICON Specialist) and one certification (Certified Architect for FICON 2013) remaining.
  • For Brocade Certified Professional Internetworking (BCPI) there are 3 certifications: Certified Layer 4-7 Engineer 2010, Certified Network Professional 2012 and Certified Layer 4-7 Professional 2013.

BANAS – Brocade Certification – Studying

I’m going to focus on the below things when studying for BANAS: They are based on the current objectives listed on Brocade’s page.


Brocade Accredited Network Advisor Specialist Exam Topics

  • The Brocade Accredited Network Advisor Specialist exam has these objectives:

Product Features

  • Demonstrate knowledge of Brocade Network Advisor product features

Installation and Configuration

  • Describe the installation and configuration of Brocade Network Advisor

  • Perform SAN Discovery

    • What are seed switches?
  • Perform IP Discovery

    • BNA 170-WBT is a course that’s currently free by Brocade – it’s about IP Discovery in BNA!
    • Once discovered, devices are stored in the Management application database. The first IP of the device that is discovered becomes the primary address of the device.
    • Simple/Profile based discovery: Simple: hostname/IP. Profile: range.
    • Requirements
      • Users must have Discover Setup-IP and “All IP Products AOR” privileges
        • For rediscovery only “All IP Products AOR” is needed?
      • ICMP or telnet must be enabled on devices
      • Snmpv1+v2 or v3 read-write
      • IP range of devices must be known
      • All devices must have SNMP MIB support
    • Access by: “Discover -> IP Products”.
    • One can add a default username/password. One can add several, and it tries the default first and then the rest.
    • It uses OIDs to select products to include/exclude.
      • Cisco/Juniper are available by default.
    • Seed address: the IP the BNA server will use to contact the switches?

Migration

  • Describe considerations when migrating to Brocade Network Advisor from other tools
    • Check out the Installation Guide for BNA.

Troubleshooting

  • Demonstrate knowledge of troubleshooting Brocade Network Advisor

BANAS – Brocade Accredited Network Advisor Specialist

Finally got around to start preparing the last certificate/accreditation – BANAS – to complete the Brocade Data Center Track (ok, not last. There are plenty more!).

It looks like it’s an accreditation showing that the taker can do some basic tasks in Brocade Network Advisor (BNA). This used to be a certification, so it’s probably a bit harder than it might seem!

Please note, this post is not meant to be a replacement for the official Brocade studying recommendation, just my notes on how I’m practicing for it.

Methods:


Install in a VM

Not much can be tested without any switches, but installing it a few times is probably helpful, as is getting acquainted with the UI. Some things can still be done in the UI, like:

  • Set UI options
  • Set up a firmware repository (at least import firmwares, release notes and md5 checksums)
  • Retrieve a SupportSave

Either register on Brocade’s site and get the download that way. Or get it via HP’s public page – for example here. Click on Download.
Because I’m lazy I’m installing it in a Windows 7 x64 VM with 2 cores and 4GB RAM; 4GB is much faster than 2GB. For just installing it you’ll need 3-4GB disk space.
Find install.exe within na1214_hp_windows.zip

The default user/password is: Administrator/password
The user/password you set during installation is for the database.

It uses FTP/SCP/SFTP, syslog, SNMP and HTTPS, and a PostgreSQL database.

On the http/https page there are MIBs and the BNA client.

SDN Course – Interview with Google Network Lead

This week in the SDN course on coursera there were lots of examples of real use of SDN stuff, for example like the B4 WAN by Google. They got a really interesting and cool interview with the Network Lead at Google – Amin Vahdat.
And! They actually put this interview up on youtube so you don’t have to be registered for the course on coursera to view the interview. Actually I just noticed all the interviews are there, including the one I mentioned before with the Internetz Architect David Clark.

The programming assignment for this week is to work with pyresonance, which is based on Resonance + Pyretic, a controller that can change how the network forwards/routes traffic based on outside events, like a network intrusion or bandwidth caps. This is really new stuff. The code that was put on GitHub was put there just 3 days ago :)

Assignment is to create a load balancer and forward traffic to hosts depending on load :)

Make your own L2 Firewall!

Is what I did this week during the SDN Course on Coursera :)

Within mininet or with a real OpenFlow capable switch, you can point the switch to use a controller. The controller would figure out all the smart stuff and the switch only does what the controller tells it to do.

POX is one of these APIs that you can use to create controllers; it’s good for learning about controllers as it’s not as low-level as its sibling NOX, which is in C++. There are controllers in Java too (Floodlight) and many more.

With POX there are some example switches, for example a basic L2 learning switch. It remembers (among quite a few other things) the MAC addresses of hosts and on which ports those MAC addresses can be found. With a simple ping: after the L2 broadcast is done to find the MAC of the recipient, the controller installs MAC_source+port and MAC_destination+port as flows on the switches.

What we did this week was, right after the switch component is started, to run some extra code that parses a .csv file of MAC address pairs that are not allowed to talk and adds these pairs into the flow table so the traffic between them is blocked.

Pretty cool I think :)
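As an added example (not code from the course assignment or from POX itself), here is the policy half of that firewall, kept free of POX imports so it runs stand-alone: it parses the .csv of forbidden MAC pairs, answers the question the controller must ask on every packet-in, and builds the drop entries to push when a switch connects. The "id,mac_0,mac_1" column names and the dict standing in for an ofp_flow_mod are assumptions of this example.

```python
import csv
import io

# Constructed sample policy (the "id,mac_0,mac_1" layout is assumed for
# the assignment's .csv): two pairs of hosts that must not be able to talk.
FIREWALL_POLICY_CSV = """id,mac_0,mac_1
1,00:00:00:00:00:01,00:00:00:00:00:02
2,00:00:00:00:00:03,00:00:00:00:00:04
"""

# POX uses 0x8000 as the default flow priority, so anything higher makes the
# drop entry win over the learning switch's forwarding entries.
DROP_PRIORITY = 0xFFFF


def normalize_mac(mac):
    """Canonical lower-case colon form, so '00-00-00-00-00-01' and
    '00:00:00:00:00:01' compare equal; rejects anything that is not a MAC."""
    digits = mac.strip().lower().replace("-", "").replace(":", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_policy(csv_text):
    """Parse the policy file into a set of unordered MAC pairs. Storing each
    pair as a frozenset makes the rule symmetric: blocking A->B also blocks
    B->A, which is what a firewall between two hosts should do."""
    policy = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        a, b = normalize_mac(row["mac_0"]), normalize_mac(row["mac_1"])
        if a == b:
            raise ValueError("policy row %s pairs a host with itself" % row["id"])
        policy.add(frozenset((a, b)))
    return policy


def is_blocked(policy, src, dst):
    """Decision the controller would take for a packet-in from src to dst."""
    return frozenset((normalize_mac(src), normalize_mac(dst))) in policy


def drop_rule(src, dst):
    """Stand-in for one ofp_flow_mod: a match on the two MACs and an empty
    action list, which OpenFlow interprets as 'drop'."""
    return {"match": {"dl_src": src, "dl_dst": dst},
            "actions": [],
            "priority": DROP_PRIORITY}


def firewall_rules(policy):
    """Everything to push at ConnectionUp: one drop entry per direction for
    every pair, sorted so the output is deterministic."""
    rules = []
    for pair in policy:
        a, b = sorted(pair)
        rules.append(drop_rule(a, b))
        rules.append(drop_rule(b, a))
    return sorted(rules, key=lambda r: (r["match"]["dl_src"], r["match"]["dl_dst"]))
```

In the real component the dicts become ofp_flow_mod messages sent on the switch connection; the policy and decision logic stay the same.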

SDN Course on Coursera

Halfway now, in week3, and just finished the first programming assignment in the course Software Defined Networking.

Quite happy with the course so far; the quizzes are not too hard if you actually listen to the video lectures, and after taking Coursera’s “Learn to Program: Crafting Quality Code” the Python code was not too much for me. It took me about a day to get my head around it again (I don’t write programs or scripts in Python so often) and complete this first assignment, where we got to create a custom topology with customized links.

I think it was a great first assignment as it got me used to playing with python again and also some of the features and what one can do with mininet.


SDN course on coursera

Even though I’m on summer holiday I’d squeeze in time for a Software-Defined Networking course on coursera! https://www.coursera.org/course/sdn

It’s given by a professor from Georgia University.

It’s still not too late to register, it’s only on the second week (until tomorrow Monday 8/7) and the first two weeks are not too complicated, just some introductions and history for SDN. Programming things should start soon though.
The hard deadlines for each week’s quiz aren’t until 5th of August so plenty of time to catch up.

In particular I’d recommend a quite cool interview with David D. Clark. Who is that? Quote from Wikipedia: “… acted as chief protocol architect in the development of the Internet…” Which is pretty awesome. Hearing about some design decisions around the internet was quite interesting.

Pythons

Ever thought about studying a bit of programming? Thought it was a too daunting task?

I’ve just gone through the second lesson on learnstreet and it’s quite fun! It doesn’t take long to go through the first two lessons, so if you don’t have much time you can spend a few minutes each day going to the next exercise or lesson.

Only other language I’ve studied is C++ back in high school – it did not sit so well with me back then.

Since then I’ve made acquaintance with Ruby, Python and Perl, but never made it too far away from bash.

Why start with Python then? I’ve seen announcements of vulnerabilities for Ruby lately, Perl isn’t on learnstreet and Python is used in some scripts at work.

Red Hat Certification – RHCE – KVM via CLI

In a previous post while preparing for RHCSA I installed kvm post-installation, via the GUI.

But how to install, configure and use it only from the CLI?

Virt-Manager

http://virt-manager.org/page/Main_Page has some details

As a test-machine I’m using a server with Scientific Linux 6.2 (with virtualization enabled as seen by ‘cat /proc/cpuinfo|grep vmx’).

None of the Virtualization Groups are installed, as seen by ‘yum grouplist’. While doing that you’ll find four different groups. You can use

yum groupinfo "Virtualization Client"

or correspondingly to get more information about the group.

yum groupinstall Virtualization "Virtualization Tools" "Virtualization Platform" "Virtualization Client"

This installs a lot of things. Libvirt, virt-manager, qemu, gnome and python things.

lsmod|grep kvm
service libvirtd start
lsmod|grep kvm

This also sets up a bridge-interface (virbr0).

Now, how to install a machine or connect to the hypervisor?

How to get console?

ssh -XYC user@kvmserver
virt-manager

did not work.

On the client you could try to do:

yum groupinstall "Virtualization Client"
yum install libvirt
virt-manager

Then start virt-manager and connect to your server. However this didn’t work for me either. Is virtualization needed on the client too?

No, it is not. First, check whether virtualization is enabled on the server. Look in /var/log/messages for

kernel: kvm: disabled by bios

If it says that you’ll need to go into BIOS / Processor Options / and enable Virtualization.

Then you can start virt-manager, check that you can connect to the KVMserver.

Copy a .iso to /var/lib/libvirt/images on the server.

Re-connect to the kvm-server in virt-manager.

Add a new VM called test. Using 6.2 net-install and NAT network interface. This may take a while.

Pointing the VM to the kvm-server, where an httpd is running (remember firewall rules) and an SL 6.2 is stored. Installing a Basic Server.

OK, we could use virt-manager, it’s quite straight-forward and doesn’t require any edits of config files at all.

Moving on to virsh.

To install a vm you use ‘virt-install’.

You can get lots of info from ‘virsh’

virsh pool-list
virsh vol-list default
virsh list
virsh list --all
virsh dumpxml test > /tmp/test.xml
cp /tmp/test.xml /tmp/new.xml

Edit new.xml

change name to new and remove line with UUID

virt-xml-validate /tmp/new.xml
virsh help create
virsh create --file /tmp/new.xml
virsh list

This creates a new VM that uses the same disk and setup. But if you shut down this new domain, it will disappear from ‘virsh list --all’ and the list. To keep it you need to define it first:

virsh define --file /tmp/new.xml
virsh start new

This can become quite a bit more complicated. You would probably want to make clones (virt-clone) or snapshots (virsh help snapshot) instead of using the same disk file.

Making your own .xml from scratch looks fairly complicated. You could use ‘virt-install’ instead.

virt-install --help
virt-install -n awesome -r 1024 --vcpus 1 --description=AWESOME --cdrom /var/lib/libvirt/images/CentOS-6.2-x86_64-netinstall.iso --os-type=linux --os-variant=rhel6 --disk path=/var/lib/libvirt/images/awesome,size=8 --hvm

For this the console actually works while running ‘virt-install’ over ssh on the kvm-server.

To edit a VM over ssh:

virsh edit NAMEOFVM

Red Hat Certification – RHCE – Course Outline

Howdy!

In case you saw my previous posts I’ve been prepping for a RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I’ve missed something or not gone deep enough into some subjects and for the record some subjects I decided to skip.

I’m taking the course over at Tieturi here in Helsinki and they have published the schedule for the course, with quite detailed outline.

This course outline can be used to check whether you missed any terms or functions while going through the objectives.

I’ll go through the ones I find more interesting below:

Network Resource Access Controls

-Internet Protocol and Routing

OK, well this is quite obvious, some commands:

ip addr
ip route
route add
netstat -rn

IPv6

-IPv6: Dynamic Interface Configuration
-IPv6: Static Interface Configuration
-IPv6: Routing Configuration

You can add IPV6 specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig

Some settings can also go into /etc/sysconfig/network

iptables

Netfilter Overview
-Rules: General Considerations
Connection Tracking
-Network Address Translation (NAT)
-IPv6 and ip6tables


Web Services

-Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

On server install and setup squid:

yum install squid
vi /etc/squid/squid.conf
#add this line in the right place:
acl localnet src 192.168.1.1/32
#allow port 3128 TCP in the firewall (use very strict access here)
service squid start

On client:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

Beware that this is insecure. Very insecure. You should at least set up a password for the proxy, change the default port and have as restrictive firewall rules as possible.

E-mail Services

-Simple Mail Transport Protocol
-Sendmail SMTP Restrictions
-Sendmail Operation


Securing Data

-The Need For Encryption

-Symmetric Encryption

Symmetric uses a secret/password to encrypt and decrypt a message.
You can use GnuPG (cli command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:

--symmetric/-c == symmetric cipher (CAST5 by default)
--force-mdc == if you don’t have this you’ll get “message was not integrity protected”

There are many more things you can specify.

echo "awesome secret message" > /tmp/file
gpg --symmetric --force-mdc /tmp/file
#(enter password)
#this creates a /tmp/file.gpg
#beware that /tmp/file still exists
#to decrypt:
gpg --decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message


-Asymmetric Encryption

Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.

GnuPG can let you handle this.

Login with a user called ‘labber’:

gpg --gen-key
# in this interactive dialog enter username: labber, e-mail and password
# this doesn't always work, might take _long_time_, eventually I just tried on another machine
echo "secret message" > /tmp/file
gpg -e -r labber /tmp/file
# enter password
gpg --decrypt /tmp/file
# enter password

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else’s public key?

-Public Key Infrastructures – PKI

Consists of:

  • CA – certificate authority – issues and verifies digital certificates
  • RA – registration authority – verifies the identity of a user requesting info from the CA
  • central directory – used to store and index keys

-Digital Certificates

A certificate has user details and the public key.

Account Management

-Account Management
-Account Information (Name Service)
Name Service Switch (NSS)
Pluggable Authentication Modules (PAM)
-PAM Operation
-Utilities and Authentication


PAM

Basically a way to authenticate users. You can put different types of authentication methods behind PAM, so that a piece of software only needs to learn to authenticate via PAM and PAM takes care of the behind-the-scenes work.

For example you can have PAM connect to an ldap-server.

CLI: authconfig

Files:
/etc/sysconfig/authconfig
/etc/pam.d/
/etc/sssd/sssd.conf


Red Hat Certification – RHCE – Network Services – NTP

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

NTP:

You could possibly test this from Windows as well.

On linux it’s fairly straight-forward, you can use ntpd both as a client and as a server.

Check in /var/log/messages for details

The time-synchronization with ntpd is slow by design (to not overload or cause dramatic changes in the time set).

ntpdate is instant, but using it is not recommended. You can, for example, just query a server with ‘ntpdate -q’.

man ntp.conf
this then points to:
man ntp_acc
man ntp_auth
man ntp_clock
man ntp_misc

  • Install the packages needed to provide the service.
    • yum install ntp
  • Configure SELinux to support the service
    • nothing to configure??
  • Configure the service to start when the system is booted.
    • chkconfig ntpd on
  • Configure the service for basic operation.
    • /etc/ntp.conf
      • server ntp.server.com
    • service ntpd start
    • ntpq -p # to see status
  • Configure host-based and user-based security for the service
    • iptables
      • port 123 (UDP)

Enable ntpd as a client

What’s a bit backwards with ntpd is that first you need to configure the server as a client,

so that your local NTP server gets good time from somewhere else. You can find a good time server to use on www.pool.ntp.org

You only need to add one server line but for redundancy you should probably have more than one.

As an example with your client on 192.168.0.0/24 and server is on 192.168.1.0/24.

All you need to do is for the client part:

server ntp.example.com
service ntpd restart
ntpq -p


Enable ntpd as a server

You need to add a restrict line in ntp.conf.

You also need to allow port 123 UDP in the firewall.

restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
service ntpd restart

Client to use your ntp server

Basically the same as the above for client, but you specify the address to your NTP-server instead of one from pool.ntp.org.

Extra

  • Synchronize time using other NTP peers.

I believe this has been covered.

More Extra

One extra thing you may want to check out is the ‘tinker’ command.

This is put on top of ntp.conf and more info are available in ‘man ntp_misc’.

However, most of the time you just need to wait a bit for the time change to come through.

tcpdump

There’s not much to go on in the logs on either server or client for ntpd. You’ll get messages in /var/log/messages, though, that say “synchronized” and when the service is starting.

You can also use tcpdump on the server to see if there are any packets coming in.

tcpdump -i eth0 -w /tmp/tcmpdump.123 -s0 'udp port 123 and host NTP.CLIENT.IP'
# wait a while, restart ntpd on client
tcpdump -r /tmp/tcmpdump.123
# this will then show some packets if you have a working communication between server and client

To test that it’s working

Start with the server still connecting to an ntp-server with good time.

You could then set the date and time manually on the server to something else. For example, let’s say the current time is 6 JUN 2012 17:15:00.

Set it to 15 minutes before:

date -s "6 JUN 2012 17:00:00"
service ntpd restart

Also restart ntpd on the client, then wait, this will probably take a bit longer than before.

If the time you set manually is too far off, ntpd won’t correct it. You could then experiment with ‘tinker panic 0’.

Red Hat Certification – RHCE – Network Services – ssh

1st post – System Management and Configuration

SSH:

To test from Windows you can use PuTTY.

But in linux you just need ssh for client and sshd for server.

man 5 sshd_config and this blogpost has an overview.

  • Install the packages needed to provide the service.
    • yum install openssh
  • Configure SELinux to support the service
    • getsebool -a|grep ssh
  • Configure the service to start when the system is booted.
    • chkconfig sshd on
  • Configure the service for basic operation.
    • /etc/ssh/sshd_config
  • Configure host-based and user-based security for the service
    • iptables
      • port 22 (TCP)
    • TCP wrappers


TCP Wrapper

More info in man tcpd and man 5 hosts_access

Check that your daemon supports it:

which sshd
ldd /usr/sbin/sshd|grep wrap

For this test, let’s say that the server you are configuring has IP/netmask 192.168.1.1/24 and that you have a client on 192.168.0.0/24

cat /etc/hosts.allow

sshd: 192.168.0.0/255.255.255.0
sshd: ALL : twist /bin/echo DEATH

The last row sends a special message to a client connecting from a non-allowed network.

cat /etc/hosts.deny

ALL: ALL

If you on the server with these settings try to do “ssh -v root@localhost” or “ssh -v root@192.168.1.1” you’ll get the message from twist.

If you in hosts.allow add:

sshd: KNOWN

You can log on to the localhost, but not if you add “LOCAL”.

If you add

sshd: 192.168.1.

you can log on from localhost to the public IP of the server.
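To see why those hosts.allow lines behave as described, here is an added Python model of tcpd’s hosts_access rules (example code, not part of the post): the allow file is searched first, then the deny file, the first match wins, a client matching neither file is allowed, and a twist option means the client never reaches sshd. KNOWN and LOCAL depend on the reverse lookup of the client, so the model takes the looked-up name as an explicit parameter; netgroups and the rarer pattern forms are left out.

```python
import ipaddress

# Constructed copies of the two files from the post.
HOSTS_ALLOW = """sshd: 192.168.0.0/255.255.255.0
sshd: ALL : twist /bin/echo DEATH
"""
HOSTS_DENY = """ALL: ALL
"""


def parse_rules(text):
    """hosts.allow/hosts.deny lines: 'daemon_list : client_list [: option]'.
    Comments and blank lines are skipped; list items may be separated by
    commas or blanks (the EXCEPT keyword is kept as an item)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError("malformed rule: %r" % raw)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2] if len(fields) == 3 else ""
        rules.append((daemons, clients, option))
    return rules


def _match_list(patterns, pred):
    """'list1 EXCEPT list2' matches when list1 matches and list2 does not."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return _match_list(patterns[:i], pred) and not _match_list(patterns[i + 1:], pred)
    return any(pred(p) for p in patterns)


def match_client(pattern, addr, hostname):
    """One client pattern against the peer address and its reverse-lookup
    name (None when the lookup failed). Covers the wildcards and address
    forms used in the post."""
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return hostname is not None
    if pattern == "UNKNOWN":
        return hostname is None
    if pattern == "LOCAL":                   # a host name without a dot
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):              # domain suffix, e.g. .example.com
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):                # leading octets, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                       # net/mask or net/prefix
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == addr or pattern == hostname


def access(daemon, addr, hostname, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd's decision as ('allow'|'deny', option of the matching rule).
    A 'twist' option replaces the daemon with the given command, so the
    client never reaches sshd; it is reported as a denial."""
    def hit(rule):
        daemons, clients, _ = rule
        return (_match_list(daemons, lambda p: p == "ALL" or p == daemon)
                and _match_list(clients, lambda p: match_client(p, addr, hostname)))

    for rule in parse_rules(allow_text):
        if hit(rule):
            option = rule[2]
            denied = option.startswith("twist") or option == "deny"
            return ("deny" if denied else "allow", option)
    for rule in parse_rules(deny_text):
        if hit(rule):
            return ("allow" if rule[2] == "allow" else "deny", rule[2])
    return ("allow", "")
```

Extra allow lines only help if they come before the ‘sshd: ALL : twist’ line, since the first matching rule in hosts.allow ends the search.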

Extra

  • Configure key-based authentication.
    • ssh-keygen
    • ssh-copy-id user@host
    • ssh user@host
    • set PasswordAuthentication to no in sshd_config
    • service sshd restart
  • Configure additional options described in documentation.
    • many things can be done, see “man 5 sshd_config”
    • chrootdirectory looks quite cool but requires a bit of work

Red Hat Certification – RHCE – Network Services – e-mail

1st post – System Management and Configuration

SMTP:

Hackmode has a good article about setting up Postfix for the first time.

To test that e-mail is working you can – tada – use an e-mail client.

You have lots of details in /usr/share/doc/postfix-N ( the path should be in /etc/postfix/main.cf )

  • Install the packages needed to provide the service.
    • yum install postfix
  • Configure SELinux to support the service
    • getsebool -a|grep postfix
  • Configure the service to start when the system is booted.
    • chkconfig postfix on
  • Configure the service for basic operation.
    • set hostname to host.example.com
    • /etc/postfix/main.cf and define (this assumes hostname is host.example.com):
      • myhostname = host.example.com
      • mydomain = example.com
      • myorigin = $mydomain
      • inet_interfaces = all
      • mydestination = add $mydomain to the default one
      • home_mailbox = Maildir/
      • Update firewall to allow port 25 tcp
      • Test with: nc localhost 25
  • Configure host-based and user-based security for the service
    • iptables or $mynetworks in main.cf
    • user: postmap

In CLI (important to use ‘ and not “):

#hostname - record the output of this
postconf -e 'myhostname = output from hostname in here'
#hostname -d
postconf -e 'mydomain = output from hostname -d in here'
postconf -e 'myorigin = $mydomain'
postconf -e 'inet_interfaces = all'
postconf -e 'mydestination = $myhostname, localhost, $mydomain'
postconf -e 'mynetworks = 127.0.0.0/8 [::1]/128, /32'
postconf -e 'relay_domains = $mydestination'
postconf -e 'home_mailbox = Maildir/'

To use it:

useradd -s /sbin/nologin labber
passwd labber

Edit /etc/aliases and add:

labber: labber

Then run:

newaliases
service postfix start
service postfix status
netstat -nlp|grep master

Send e-mail:

mail -s "Test e-mail here" labber@mydomain
test123
.

The . at the end is quite nice, that stops the input.

Check e-mail:

cat /home/labber/Maildir/new/*

Real E-mail Client

But, perhaps you want to check this out with a real e-mail client like thunderbird 10.

For this there needs to be a e-mail server that stores the e-mails on the server.

For this we can use ‘dovecot’

yum install dovecot
service dovecot start
  1. Update iptables to allow ports 25 and 143 (TCP)
  2. Update main.cf to allow from your IP
  3. Restart services
  4. Add a new account in Thunderbird:
    1. do use the IP address of your server, not the DNS
    2. do not use SMTP security (or username), but use password authentication
    3. do use IMAP STARTTLS security, username: labber, password auth

Thunderbird is quite nice, it will often tell you which setting is wrong.

You can use /var/log/maillog for details on the server-side (to see if you get connections at all for example).


Deny a User

To illustrate this feature we first need to add a second user/e-mail account:

useradd -s /sbin/nologin labrat
passwd labrat
echo "labrat: labrat" >> /etc/aliases
newaliases
service postfix restart
service dovecot restart
mail -s "test" labrat@mydomain

You need to send an e-mail to the e-mail address before you can add it in Thunderbird (because the user does not have a $HOME/Maildir until you do).

After the new user has been created and added to your e-mail client do the following:

cd /etc/postfix
echo "labber@mydomain REJECT" >> sender_access
postmap hash:sender_access
echo "smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/sender_access" >> /etc/postfix/main.cf
service postfix restart

Try:

  • to send an e-mail from and to both accounts
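An added example (not the post’s or Postfix’s own code) of what check_sender_access does with that sender_access map: the table is parsed the way postmap reads its source (keys folded to lower case) and a sender address is looked up in the order access(5) documents. Treating a domain key as also matching its subdomains assumes Postfix’s default parent_domain_matches_subdomains, which includes smtpd_access_maps.

```python
# Constructed map in the format the post builds with echo >> sender_access,
# plus one domain entry to show the parent-domain lookup.
SENDER_ACCESS = """# constructed example map
labber@mydomain   REJECT
spammers.example  REJECT Sender domain not welcome
"""


def parse_access_map(text):
    """Read a postmap-style source file: 'key  action [text]' per line,
    '#' comments and blank lines ignored, keys folded to lower case as
    postmap does by default."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("no action for key: %r" % raw)
        table[parts[0].lower()] = parts[1].strip()
    return table


def lookup_keys(sender):
    """The keys Postfix tries, in order, for an e-mail address in an access
    map: the full address, the domain, its parent domains, then 'user@'."""
    sender = sender.lower()
    if "@" not in sender:
        return []
    user, domain = sender.rsplit("@", 1)
    keys = [sender, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):          # parent domains, longest first
        keys.append(".".join(labels[i:]))
    keys.append(user + "@")
    return keys


def check_sender_access(table, sender):
    """Outcome of 'check_sender_access' for one MAIL FROM address: the action
    of the first matching key, else DUNNO (no opinion; Postfix moves on to the
    next restriction, and running out of restrictions means permit)."""
    for key in lookup_keys(sender):
        if key in table:
            action = table[key].split(None, 1)[0].upper()
            return (action, key)
    return ("DUNNO", None)
```

This is why labber can no longer send after the change while labrat still can: only labber’s address has an entry, and every other sender falls through to DUNNO.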

Extra

  • Configure a mail transfer agent (MTA) to accept inbound email from other systems.
    • inet_interfaces = all
  • Configure an MTA to forward (relay) email through a smart host.
    • relayhost=hostname.domain.com

If I understand this correctly to setup the above two we would need to have two servers.

Red Hat Certification – RHCE – Network Services – SMB

1st post – System Management and Configuration

SMB:

Testing an SMB server may be quite easy from Windows, but from Linux I suppose it’s a bit trickier.

The CLI client is called ‘smbclient’

The tool to set passwords: ‘smbpasswd’

You can also get some information with commands starting with ‘net’, for example ‘net -U username session’

testparm is another tool you can use to test that the config file – smb.conf – is not missing anything structural or in syntax.

The server is called ‘samba’.

There are more packages, for example ‘samba-doc’, samba4. You can find them by typing: ‘yum install samba*’

samba-doc installs lots of files in /usr/share/doc/samba*

  • Install the packages needed to provide the service.
    • yum install samba
  • Configure SELinux to support the service
    • getsebool -a |grep smb; getsebool -a|grep samba
    • /etc/samba/smb.conf # has some information about selinux
  • Configure the service to start when the system is booted.
    • chkconfig smb on
  • Configure the service for basic operation.
    • server#: open firewall (check man smb.conf, port 445 and 139 are mentioned)
    • server#: mkdir /samba; chcon -t type_in_smb_conf /samba
    • server#: edit /etc/samba/smb.conf:
      • copy an existing share – make it browseable and allow guest to access
    • server#: service smb start
    • server#: touch /samba/fileonshare
    • client#: smbclient \\\\ip.to.smb.server\\share
      • hit enter and it will attempt to log in as anonymous (guest)
    • client#: get fileonshare
  • Configure host-based and user-based security for the service
    • server#: check that ‘security = user’ in smb.conf.
    • server#: add “writable = yes” or “read only = no” to the share in smb.conf
    • server#: smbpasswd -a username
    • server#: mkdir /samba/upload
    • server#: chown username /samba/upload
    • server#: chmod 777 /samba/upload
    • client#: smbclient -U username \\\\ip.to.smb.server\\share
    • client#: cd upload; mkdir newfolder; cd newfolder
    • client#: put file

Extra

  • Provide network shares to specific clients.
    • things you can set on the share:
      • write list = +staff
      • invalid users =
      • valid users =
      • hosts allow = 192.168.0.0/255.255.255.0
      • hosts deny =
  • Provide network shares suitable for group collaboration.
    • groupadd staff
    • usermod -a -G staff bosse
    • chown root.staff /samba/upload
    • chmod 775 /samba/upload
    • connect with bosse – do things,
    • connect with another user – can you do things?

Red Hat Certification – RHCE – Network Services – NFS

1st post – System Management and Configuration

NFS:

Testing an NFS server is generally easier from another linux-server.

  • Install the packages needed to provide the service.
    • yum install nfs ?? (already installed on mine)
  • Configure SELinux to support the service
    • getsebool -a |grep nfs
  • Configure the service to start when the system is booted.
    • chkconfig nfs on
    • edit /etc/fstab on the client to mount on boot
  • Configure the service for basic operation.
    • server#: mkdir /foo
    • server#: vi /etc/exports
      • /foo          192.168.0.0/24(rw)
    • server#: iptables – allow port 2049 TCP and UDP
    • server#: service nfs start
    • client#: mount -t nfs IP:/foo /mnt
    • server#: mkdir /foo/upload
    • server#: chown username.username /foo/upload
    • server#: chmod 777 /foo/upload
    • client#: touch /mnt/upload/file2
    • server#: cd /net/ip.to.server/foo
  • Configure host-based and user-based security for the service
    • iptables to deny hosts
    • add permissions appropriately in /etc/exports
      • man exports

Extra

  • Provide network shares to specific clients.
    • Add a new folder / line in /etc/exports and only allow certain clients to connect to it
  • Provide network shares suitable for group collaboration.
    • With the help of permissions. Use unix group ID number or names.
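As an added example (not from the original post) for the exports side of “host-based security”: a parser for /etc/exports that flags entries exported to every host, writable by every host, or carrying no_root_squash. The exports content is constructed for the demo and deliberately includes the classic mistake of a space between the client and its option list (“host (rw)”), which exports read-only to that host and read-write to everyone else.

```shell
# Added example (not from the original post): parse an /etc/exports file and flag
# entries exported to the world, writable by the world, or with no_root_squash.
# The exports content is constructed for the demo.

sample_exports() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed /etc/exports
/foo          192.168.0.0/24(rw)
/data         *(ro,sync)
/backup       192.168.0.0/24 (rw,no_root_squash)
EOF
    printf '%s\n' "$f"
}

# audit_exports FILE: one line per (path, client) pair:
#   <path> <client> <options|-> <flags|ok>
audit_exports() {
    awk '
        { sub(/#.*/, "") }            # drop comments
        NF < 2 { next }               # empty line, or a path with no clients
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; sub(/\(.*/, "", client)
                opts = ""
                if ($i ~ /\(/) { opts = $i; sub(/^[^(]*\(/, "", opts); sub(/\)$/, "", opts) }
                if (client == "") client = "*"          # "(opts)" on its own applies to every host
                flags = ""
                if (client == "*") flags = flags "world "
                if (client == "*" && opts ~ /(^|,)rw(,|$)/) flags = flags "world-rw "
                if (opts ~ /(^|,)no_root_squash(,|$)/)  flags = flags "no_root_squash "
                sub(/ $/, "", flags)
                printf "%s %s %s %s\n", path, client, (opts == "" ? "-" : opts), (flags == "" ? "ok" : flags)
            }
        }
    ' "$1"
}

# risky_exports FILE: only the (path, client) lines that got a flag
risky_exports() {
    audit_exports "$1" | awk '$4 != "ok"'
}

# usage: audit_exports "$(sample_exports)"; risky_exports /etc/exports
```

Running it on the constructed file shows /backup twice: once for 192.168.0.0/24 with no options (so the default, read-only) and once for “*” with rw,no_root_squash, which is what the stray space actually exports. Compare against the server’s own view with `exportfs -v` after `exportfs -ra`.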

Red Hat Certification – RHCE – Network Services – FTP

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

FTP:

An ftp-server is also quite easy to test. You can test it from many web-browsers, telnet, ftp, lftp or a myriad of other clients.

  • Install the packages needed to provide the service.
    • yum install vsftpd
  • Configure SELinux to support the service
    • this might be more interesting, you may need to do some magic here for sharing files
    • getsebool -a|grep ftp
  • Configure the service to start when the system is booted.
    • chkconfig vsftpd on
  • Configure the service for basic operation.
    • for basic – only open firewall then start the service
    • that is enough for anonymous read to /var/ftp/pub/
      • cp /root/anaconda-ks.cfg /var/ftp/pub/
      • chmod 755 /var/ftp/pub/anaconda-ks.cfg
  • Configure host-based and user-based security for the service
    • iptables to deny hosts
    • you can deny users by putting them in /etc/vsftpd/ftp_users and/or user_list
    • in vsftpd.conf there is a tcp_wrappers variable

Extra

  • Configure anonymous-only download
    • Deny all other users :)
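As an added example (not from the original post) for “anonymous-only download”: a check that reads a vsftpd.conf and reports every option that still lets local users in or allows writes. Options missing from the file fall back to vsftpd’s documented defaults, which the script encodes for the five options it cares about. Both config files below are constructed for the demo.

```shell
# Added example (not from the original post): check a vsftpd.conf for an
# anonymous-only, read-only setup. Absent options are treated as vsftpd's
# compiled-in defaults (anonymous_enable=YES, the others NO).

# check_anon_only FILE: print each option that breaks "anonymous, read-only";
# exit status 0 when the file passes, 1 otherwise
check_anon_only() {
    awk -F= '
        BEGIN {
            # expected value, and the vsftpd default used when the option is absent
            want["anonymous_enable"] = "YES";        have["anonymous_enable"] = "YES"
            want["local_enable"] = "NO";             have["local_enable"] = "NO"
            want["write_enable"] = "NO";             have["write_enable"] = "NO"
            want["anon_upload_enable"] = "NO";       have["anon_upload_enable"] = "NO"
            want["anon_mkdir_write_enable"] = "NO";  have["anon_mkdir_write_enable"] = "NO"
        }
        /^[ \t]*#/ || NF < 2 { next }
        {
            k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k in want) have[k] = toupper(v)
        }
        END {
            bad = 0
            for (k in want)
                if (have[k] != want[k]) { printf "%s=%s (expected %s)\n", k, have[k], want[k]; bad = 1 }
            exit bad
        }
    ' "$1"
}

# constructed: the minimal anonymous-only file
sample_vsftpd_anon_only() {
    f=$(mktemp)
    printf 'anonymous_enable=YES\nlocal_enable=NO\nwrite_enable=NO\n' > "$f"
    printf '%s\n' "$f"
}

# constructed: a permissive file, local logins and writes enabled
sample_vsftpd_permissive() {
    f=$(mktemp)
    printf '# local users may log in and write\nanonymous_enable=YES\nlocal_enable=YES\nwrite_enable=YES\n' > "$f"
    printf '%s\n' "$f"
}

# usage: if check_anon_only /etc/vsftpd/vsftpd.conf; then echo "anonymous-only: OK"; fi
```

Restart vsftpd after editing, then confirm from a client that an anonymous login can `get` from /var/ftp/pub but cannot `put`, and that a local user login is refused.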


Red Hat Certification – RHCE – Network Services – DNS

1st post – System Management and Configuration

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

DNS:

A DNS-server is quite easy to test as well, just point a client to the IP of your local DNS server and check /var/log/messages on the DNS-server.

  • Install the packages needed to provide the service.
    • yum install bind
  • Configure SELinux to support the service
    • working from scratch, after adding new zones and things you may need to add correct context to the files
  • Configure the service to start when the system is booted.
    • chkconfig named on
  • Configure the service for basic operation.
    • /etc/named.conf
      • after editing you need to restart named
    • edit ‘allow-query’ and ‘listen-on port 53’ – update firewall, start named
    • configure a client to use it with /etc/resolv.conf
    • see examples in: /usr/share/doc/bind*/
  • Configure host-based and user-based security for the service
    • host-based can be done via firewall (port 53 UDP and TCP)
    • host-based: allow-query { localhost; };
    • but user-based??

Extra

  • Configure a caching-only name server.
    • This is what the default /etc/named.conf does (a copy is also stored in /usr/share/doc/bind*/), but a good exercise would be to configure this from an empty named.conf.
  • Configure a caching-only name server to forward DNS queries.
    • Almost same config as caching-only, except for the addition of two lines:
      • forward only;
      • forwarders { dns.ip; dns.ip2; };
  • Note: Candidates are not expected to configure master or slave name servers.


Red Hat Certification – RHCE – Network Services – httpd

1st post – System Management and Configuration

This post is about Network Services.

During all these exercises I try my hardest not to use google, as that’s not available during the exam anyway.

Objectives

Network services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service.
  • Configure SELinux to support the service.
  • Configure the service to start when the system is booted.
  • Configure the service for basic operation.
  • Configure host-based and user-based security for the service.

User should be able to do the following for all these services:

  • http/https
  • dns
  • ftp
  • nfs
  • smb
  • smtp
  • ssh
  • ntp

httpd:

  • Install the packages needed to provide the service.
    • yum install httpd
  • Configure SELinux to support the service.
    • supports by default, if changing documentroot/defaultroot use:
    • chcon -R --reference=/var/www/html /var/newhtmldir
  • Configure the service to start when the system is booted.
    • chkconfig httpd on
  • Configure the service for basic operation.
    • rpm -qc httpd (find config file)
  • Configure host-based and user-based security for the service
    • host-based -> iptables
    • user-based -> htpasswd for httpd

htpasswd

An htpasswd file contains users/passwords.

A .htaccess file points to the htpasswd

The .htaccess file is not the recommended way to set up authentication, instead you should do it in the Directory section of httpd.conf.

To get more information about httpd in general do:

yum install httpd-manual

Then surf to http://hostname/manual.

To generate a htpasswd:

[root@rhce webpages]# htpasswd -c /etc/httpd/conf/.htpasswd user
New password:
Re-type new password:
Adding password for user user

Then add this .htaccess file:

AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /dev/null
AuthName "Private Area"
AuthType Basic
AuthBasicProvider file
Require user user

https

The s means httpd listens on another port (443) and uses certificates.

yum install mod_ssl

This adds /etc/httpd/conf.d/ssl.conf

That config file actually has a ‘listen’ directive for port 443.

So add that port in the firewall and restart httpd.

After that you can surf to https://ip and it will complain about the certificate (which is a default generated one).

But wait, there’s more!

Configure a virtual host.

This can be used when you want to have several hostnames or domains on the same machine.

There’s some info in httpd.conf but there’s quite a lot in the manual via httpd-manual package.

To test this you could either put several IP addresses on the server or point several domains towards it (might be easiest, /etc/hosts). But in VMWare it’s very easy to just add another network interface.

  1. Add another ethernet interface on the same network as the existing one (mine is bridged behind a NAT).
  2. Edit /etc/hosts on a client and on the server so that ww1.example.com and ww2.example.com point to the IP addresses on the server.
  3. Make sure /etc/nsswitch.conf has ‘files’ in the hosts row.
  4. If you have a very narrow firewall, add the new IP address.
  5. mkdir /var/www/ww1.example.com; mkdir /var/www/ww2.example.com; chcon -R --reference=/var/www/html /var/www/ww*
  6. Edit /etc/httpd/conf/httpd.conf

and add this at the end:

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/ww1.example.com
    ServerName ww1.example.com
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    DocumentRoot /var/www/ww2.example.com
    ServerName ww2.example.com
</VirtualHost>

7. service httpd restart

Then on the client point your browser to ww1.example.com and ww2.example.com (add a different index.html in each to make it easy to see).

Configure private directories.

I’d say this falls under the htpasswd section.

Deploy a basic CGI application.

Foswiki for example uses CGI. Perhaps it should be a custom CGI application, like a small hello-world script.

/var/www/cgi-bin is where CGI scripts are stored by default.

A simple .cgi script is just a perl script with another extension that outputs HTML.

Configure group-managed content.

Group-managed. So this would be somehow using the AuthGroupFile in .htaccess?

Or could be done by creating a new directory under www-root and give specific access to this directory. That means it can be managed by a unix group, (access is a different story however).

Red Hat Certification – RHCE – System Configuration and Management

RHCE Preparation – System Configuration and Management

This is post 1 in a series of posts where I will be going through the objectives for the RHCE certifications. It builds on the initial post that has the objectives:

Red Hat Certification – RHCE – Preparation

It appears that the objectives have been updated, at least if you compare between my post above and https://www.redhat.com/training/courses/ex300/examobjective

for example “build a simple RPM that installs one package” is not in the list.

I bet there are many blogs about this topic. I’m doing this quite a lot for myself, but maybe somebody else finds these useful.

This post will be about the section ‘System Configuration and Management’.

My setup: Core i7, 8GB RAM, Windows 7 x64, VMWare Workstation with CentOS installed.

Installing a fresh VM with 4 cores, 5GB RAM, virtualization and CentOS.

CentOS is a free clone of Red Hat, it’s missing some stuff (satellite for example) but it does the job for learning. You can find it in many places, for example here: http://www.nic.funet.fi/pub/Linux/INSTALL/Centos/6/isos/x86_64/

IP Routing and NAT

The part “Routing / NAT” will be tricky, as I do not have a second computer that I could use for this. Maybe I can get something working inside the virtual machines though, but for now I think I will skip these two and get straight into the other ones.


Use /proc/sys and sysctl to modify and set kernel runtime parameters.


Edit /etc/sysctl.conf

Or use sysctl -w to set it temporary

For example one is: vm.overcommit_ratio

You can then do either of these to view the current setting:

cat /proc/sys/vm/overcommit_ratio
sysctl vm.overcommit_ratio

To set it temporarily:

echo "60" > /proc/sys/vm/overcommit_ratio
sysctl -w vm.overcommit_ratio="50"

To set each time on boot:

echo "vm.overcommit_ratio = 50" >> /etc/sysctl.conf
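As an added example (not from the original post): after appending to /etc/sysctl.conf nothing applies it until `sysctl -p` or a reboot, so the useful check is whether the file and the running kernel agree. This function reads a sysctl.conf-style file and compares each key with the corresponding /proc/sys file. The config file and the /proc/sys stand-in are constructed for the demo; in real use the second argument is left off and the real /proc/sys is read.

```shell
# Added example (not from the original post): report drift between a sysctl.conf
# file and the running kernel values under /proc/sys.

# constructed stand-in for /etc/sysctl.conf plus a fake /proc/sys tree
sample_sysctl_setup() {
    top=$(mktemp -d)
    mkdir -p "$top/proc/vm" "$top/proc/net/ipv4"
    printf '50\n' > "$top/proc/vm/overcommit_ratio"
    printf '0\n'  > "$top/proc/net/ipv4/ip_forward"      # file says 1, kernel still at 0
    printf '# constructed sysctl.conf\nvm.overcommit_ratio = 50\nnet.ipv4.ip_forward = 1\n' > "$top/sysctl.conf"
    printf '%s\n' "$top"
}

# sysctl_drift CONF [PROCSYS]: print "key file=X running=Y" per mismatch;
# exit status 0 when everything matches, 1 otherwise
sysctl_drift() {
    conf=$1
    root=${2:-/proc/sys}
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac      # blank or comment
        key=${line%%=*}; key=$(printf '%s' "$key" | tr -d ' \t')
        val=${line#*=};  val=$(printf '%s' "$val" | tr -d ' \t')
        path="$root/$(printf '%s' "$key" | tr . /)"       # a.b.c -> /proc/sys/a/b/c
        if [ ! -r "$path" ]; then
            printf '%s file=%s running=<missing>\n' "$key" "$val"; rc=1; continue
        fi
        running=$(tr -s ' \t' ' ' < "$path")              # normalise multi-value entries
        if [ "$running" != "$val" ]; then
            printf '%s file=%s running=%s\n' "$key" "$val" "$running"; rc=1
        fi
    done < "$conf"
    return $rc
}

# usage: sysctl_drift /etc/sysctl.conf && echo "running kernel matches the file"
```

Keys that contain a slash in their dotted form (some per-interface entries) are not handled by the simple dot-to-slash mapping; `sysctl -a` output is the reference for those.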

Configure a system to authenticate using Kerberos.

Waiting with this. Need to set up a KDC – kerberos service first.


Build a simple RPM that packages a single file.

This appears to be a bit complicated – the details below are about as simple as this can be made. There are a lot more nifty things that you can do with an rpm.

Would be nice to have a guide of this in for example /usr/share/doc

yum install rpm-build
cd $HOME/rpmbuild
mkdir {BUILD,RPMS,SOURCES,SPECS,SRPMS}
mkdir GetIP
cd GetIP

The “program”:

cat getip.sh
#!/bin/bash

wget -q http://guldmyr.com/ip.php -O/tmp/ip
cat /tmp/ip
chmod +x getip.sh

Make an archive and put it in the SOURCES DIR:

cd $HOME/rpmbuild
tar -czf GetIP.tar.gz GetIP
mv GetIP.tar.gz SOURCES/

Edit a spec-file (do this as a normal user instead of root, it will show the default entries):

cd SPECS
vi sample.spec

Make it look like this:

Name:GetIP
Version:1.0
Release:        1%{?dist}
Summary: Get an IP wooop

Group:  Development/Tools
License:        GPL
URL:            http://guldmyr.com/blog
Source0:        %{name}.tar.gz
BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)

BuildRequires:bash
Requires:bash

%description
Get an IP woop!

%prep
%setup -n GetIP

%build

%install
mkdir -p "$RPM_BUILD_ROOT/opt/GetIP"
cp -R * "$RPM_BUILD_ROOT/opt/GetIP"

%clean
rm -rf "$RPM_BUILD_ROOT"

%files
%defattr(-,root,root,-)
/opt/GetIP

%changelog

Then make an rpm:

rpmbuild -v -bb $HOME/rpmbuild/SPECS/sample.spec

Then as root:

cd /home/user/rpmbuild/RPMS/x86_64/
rpm -ivh GetIP-1.0-1.el6.x86_64.rpm

Then as normal user you can now execute the installed file:

/opt/GetIP/getip.sh

If you wonder about things – check this fairly unreadable blog post out.

Basically you want to use $RPM_BUILD_ROOT in front of where you want to install the software. By default there are ‘make’ and ‘configure’ entries and nothing in the ‘require’ entries. I removed make and configure and just put ‘bash’ in the require entries; it seemed to do the trick though.

More info is also available on rpm.org – which recommends using /usr/src/redhat for building packages.
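As an added example (not from the original post): the part of this procedure that most often fails is the tarball. “%setup -n GetIP” tells rpmbuild that Source0 unpacks into a top-level directory called GetIP (the default would be %{name}-%{version}, i.e. GetIP-1.0), so every entry in the archive has to live under GetIP/. The functions below build that tarball gzip-compressed, as the .tar.gz name promises, and check the layout before rpmbuild is ever run. The rpmbuild tree is created in a temp dir for the demo.

```shell
# Added example (not from the original post): create the source tarball the way
# "%setup -n GetIP" expects it, and verify the layout before calling rpmbuild.

# make_demo_tree: constructed stand-in for $HOME/rpmbuild with GetIP/getip.sh
make_demo_tree() {
    top=$(mktemp -d)
    mkdir -p "$top/SOURCES" "$top/SPECS" "$top/GetIP"
    printf '#!/bin/bash\ncat /tmp/ip\n' > "$top/GetIP/getip.sh"
    chmod +x "$top/GetIP/getip.sh"
    printf '%s\n' "$top"
}

# make_source_tarball TOP NAME: TOP/SOURCES/NAME.tar.gz containing NAME/ (gzip-compressed)
make_source_tarball() {
    tar -C "$1" -czf "$1/SOURCES/$2.tar.gz" "$2"
    printf '%s\n' "$1/SOURCES/$2.tar.gz"
}

# check_source_layout TARBALL NAME: 0 if every entry is NAME, NAME/ or NAME/..., else 1
check_source_layout() {
    tar -tzf "$1" | awk -v top="$2" '
        $0 != top && $0 != top "/" && index($0, top "/") != 1 { bad = 1 }
        END { exit bad }
    '
}

# usage:
#   top=$(make_demo_tree); tb=$(make_source_tarball "$top" GetIP)
#   check_source_layout "$tb" GetIP && echo "layout matches %setup -n GetIP"
```

A tarball made from inside the directory (`tar -czf ... .`) fails the check: its entries start with “./”, and %setup would then report that GetIP does not exist.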

Configure a system as an iSCSI initiator that persistently mounts an iSCSI target.

Waiting with this. Need to set up an iSCSI target first.

Produce and deliver reports on system utilization (processor, memory, disk, and network).

sar -A

/etc/cron.d/sysstat

Use shell scripting to automate system maintenance tasks.

Well, this can be a lot of things and is quite hard to prepare for.

But I think a ‘for loop’ is a good thing to know about and can help with a lot of system maintenance tasks.

an input file with usernames:

[martbhell@rhce ~]$ cat /tmp/userlist
bengt
goran

a scriptfile:

[root@rhce ~]# cat usersndirs.sh
#!/bin/sh

userlist=/tmp/userlist

# one username per line in $userlist
while read -r i; do
    echo useradd "$i"
    echo mkdir "$i"
done < "$userlist"

Remove the “echo” to create the users.

Of course, you could also use the ‘newusers’ command (interactive or send a file).

This happens a lot I think: You get an idea that “hey, I can do this with a script”. But then a random amount of time later you find out that there is already a command that does this for you. That doesn’t mean the time spent is a total waste, hopefully you learned something while doing it. Maybe your script even does a better job than the new one you found.
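As an added example (not the post’s own script): the same loop written as a dry-run-by-default function that validates each name before it reaches useradd, skips accounts that already exist, and ignores blank and comment lines. Feeding a file straight into useradd is exactly where a stray line turns into an unexpected argument, so the validation is the point. The user list and the /srv/data base path are constructed for the demo.

```shell
# Added example (not from the original post): create users and their directories
# from a list file, dry run unless the second argument is "yes".

# sample_userlist: constructed input, one username per line, including junk lines
sample_userlist() {
    f=$(mktemp)
    printf '# team accounts\nbengt\ngoran\nbad name\nroot\n' > "$f"
    printf '%s\n' "$f"
}

# plan_users LISTFILE [yes]: print (or, with "yes", run) useradd + mkdir per user
plan_users() {
    list=$1
    apply=${2:-no}
    while IFS= read -r user || [ -n "$user" ]; do
        case $user in
            ''|'#'*) continue ;;                          # blank or comment line
        esac
        # only names useradd accepts by default: a-z, 0-9, _ and -, not starting with -
        if ! printf '%s\n' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*$'; then
            printf 'skip: invalid username %s\n' "$user" >&2
            continue
        fi
        if id "$user" >/dev/null 2>&1; then
            printf 'skip: %s already exists\n' "$user"
            continue
        fi
        if [ "$apply" = yes ]; then
            useradd "$user" && mkdir -p "/srv/data/$user"   # /srv/data is a placeholder base
        else
            printf 'useradd %s\nmkdir -p /srv/data/%s\n' "$user" "$user"
        fi
    done < "$list"
}

# usage: plan_users "$(sample_userlist)"       # dry run, prints what would happen
#        plan_users /tmp/userlist yes           # as root, really creates the accounts
```

Run it once without “yes”, read the plan, then run it with “yes”; the existence check makes a second run harmless.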

Configure a system to log to a remote system.

syslog / rsyslog

man rsyslog.conf has an example for how to log to a remote machine

edit /etc/rsyslog.conf

add

       To  forward  messages  to another host via UDP, prepend the hostname with the at sign ("@").  To forward it via plain tcp, prepend two at
       signs ("@@"). To forward via RELP, prepend the string ":omrelp:" in front of the hostname.

       Example:
              *.* @@192.168.0.8

Set the IP to the machine that will be receiving the logs.

Configure a system to accept logging from a remote system.

So this step you may want to do before the previous step (unless you already have a working syslogd server).

You edit /etc/rsyslog.conf

and uncomment the “reception” parts (don’t forget firewall and restart service).

To test try to “su -” with the wrong password and then check in /var/log/secure on the loghost.
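As an added example (not from the original post) covering both the sending and the receiving side: two small parsers that read an rsyslog.conf and list what it forwards where (“@” is UDP, “@@” is TCP, “:omrelp:” is RELP) and which reception directives are actually uncommented on the loghost. Both config files below are constructed; checking the client’s target transport against the server’s listener is the step to do before the “su -” test. Neither UDP nor plain TCP encrypts the log stream; only TCP lets the client notice a dead loghost.

```shell
# Added example (not from the original post): list forwarding rules and enabled
# listeners in rsyslog.conf files. Config contents are constructed for the demo.

sample_client_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed client rsyslog.conf
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                  /var/log/secure
*.*          @@192.168.0.8
authpriv.*   @192.168.0.9:514
EOF
    printf '%s\n' "$f"
}

sample_server_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed loghost rsyslog.conf: TCP reception uncommented, UDP left off
$ModLoad imtcp
$InputTCPServerRun 514
#$ModLoad imudp
#$UDPServerRun 514
EOF
    printf '%s\n' "$f"
}

# rsyslog_forwarders FILE: "<selector> <udp|tcp|relp> <host[:port]>" per forwarding rule
rsyslog_forwarders() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        $2 ~ /^:omrelp:/ { t = $2; sub(/^:omrelp:/, "", t); print $1, "relp", t; next }
        $2 ~ /^@@/       { t = $2; sub(/^@@/, "", t);       print $1, "tcp",  t; next }
        $2 ~ /^@/        { t = $2; sub(/^@/, "", t);        print $1, "udp",  t; next }
    ' "$1"
}

# rsyslog_listeners FILE: "<udp|tcp> <port>" for each enabled (uncommented) reception directive
rsyslog_listeners() {
    awk '
        /^[ \t]*\$UDPServerRun[ \t]+[0-9]+/      { print "udp", $2 }
        /^[ \t]*\$InputTCPServerRun[ \t]+[0-9]+/ { print "tcp", $2 }
    ' "$1"
}

# usage: rsyslog_forwarders /etc/rsyslog.conf; rsyslog_listeners /etc/rsyslog.conf
```

On the constructed pair, the client sends everything over TCP to 192.168.0.8 and authpriv over UDP to 192.168.0.9, while the loghost only listens on TCP 514; the UDP rule would be silently dropped at the far end, and the firewall on the loghost has to allow whichever ports the listeners report.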

Create a private repository

“To create a private repository you should proceed as follows: – Install the createrepo software package – Create a <directory> where files can be shared (via FTP or HTTP) – Create a subdirectory called Packages and copy all packages to be published in Packages – run createrepo -v <directory>”


Red Hat Certification – RHCE – Preparation

Wow, there’s lots of it in there.
Some of it is about networking and a lot about individual services.
I haven’t actually planned to go get the exam soon, but I think just going through these objectives will make me better at Linux. Anyway, if I pass the RHCE, that extends the RHCSA expiration automagically.

This is going to take a while to do. I will update this post as I progress through the sections.

This is a copy of the objectives from https://www.redhat.com/certification/rhce/objectives/

System Configuration and Management

Routing / NAT

  • Route IP traffic and create static routes
  • Use iptables to implement packet filtering and configure network address translation (NAT)

For the two above I think I need to use another machine. Maybe the IBM T40 could be of some use again. Install SLC via USB maybe! /2011 12 18: update: Nope, T40 didn’t like booting like that. So, booting via DVD instead. But, maybe I can boot via the small CD and then load the files off of an NFS-server instead. Turns out the CPU in my laptop does not have PAE and thus cannot install anything after RHEL5(possibly) with the default isos. There is a guide on scientificlinux.com that tells you how to do it via a fedora netinstall iso.

Other

  • Use /proc/sys and sysctl to modify and set kernel run-time parameters
  • Configure system to authenticate using Kerberos
  • Configure a system as an iSCSI initiator that persistently mounts an iSCSI target
  • Produce and deliver reports on system utilization (processor, memory, disk, and network)
  • Use shell scripting to automate system maintenance tasks

rsyslog

  • Configure a system to log to a remote system
  • Configure a system to accept logging from a remote system


Network Services

Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:

  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service

RHCE candidates should also be capable of meeting the following objectives associated with specific services:

HTTP/HTTPS

  • Configure a virtual host
  • Configure private directories
  • Deploy a basic CGI application
  • Configure group-managed content

DNS

  • Configure a caching-only name server
  • Configure a caching-only name server to forward DNS queries
  • Note: Candidates are not expected to configure master or slave name servers

FTP

  • Configure anonymous-only download

NFS

  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration

SMB

  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration

SMTP

  • Configure a mail transfer agent (MTA) to accept inbound email from other systems
  • Configure an MTA to forward (relay) email through a smart host

SSH

  • Configure key-based authentication
  • Configure additional options described in documentation

RHCSA – Rapid Track – Day 5 – Exam

Just did the exam.
Not bad at all, I really enjoyed this hands-on exam.

Great way to test someone’s skills, although I thought it would be harder. But maybe I got lucky with the tasks.

I believe this RHCSA Rapid Track (along with My Own Preparation ™) and learning how to work inside a terminal/console is enough.

Can’t wait until next week to find out how it went!

RHCSA – Rapid Track – Day 4

Last day!

A little more kickstarting, LVM – logical volume management and File ACL.
Then a rehearse of the previous chapters.

Feeling a bit excited about tomorrow!

These ACL were a bit more complex than I thought, but they could be made very complicated if you want to. But there’s the default ACL and then there’s the normal ones. Chmod +s for sticky bits.

Also got a 4GB USB pen that does about 4.4MB/s :p

Some important ones:

mount -o remount,rw /
/usr/share/doc/initscripts*/sysconfig.txt
kernel-doc package and /usr/share/doc/kernel-*
rpm -qd; rpm -qc

Some important but not importantest:

getsebool -a
setsebool -P
usermod -a
sssd - service that caches authentication stuff

Automounter
/etc/auto.master ->

/home/guests    /etc/auto.guests

/etc/auto.guests ->

* -rw nfsserver:/path/to/mount/on/home/guests/&

If on nfsserver there is an nfsshare that is: /path/to/mount/on/home/guests/
and in there you have home directories for users. Then this will automount these directories when anybody tries to access them. Same concept as doing:

ls /net/nameofnfsserver/

RHCSA – Rapid Track – Day 3

Wow, what a day!

Some great stuff today:

It ended with configuring a kickstart file, starting an unattended installation via PXE by referring to said kickstart file on an http-server.

Before that we were playing with partitioning, making swap, encrypting with cryptsetup and LUKS. Also very interesting.

After we learned about partitioning we did changing booting kernel parameters, resetting root password, editing grub, loading modules, setting module specific parameters etc.

And we started the day with SELinux. Very interesting, a lot of opinion about that in the room but honestly I can see that SELinux is extremely useful and doesn’t cause much harm on a desktop. Especially one where you don’t run any services. Also, there’s so often 0-day exploits for various net-services that running SELinux can’t be bad, right? There’s probably lots of other stuff you can do to do hardening in a Linux system.

Teacher did not mention chcon at all, only restorecon.

More thoughts

This RHCSA course does assume that you know a bit. For example it assumes that you know scripting; we’re not going through that at all. Using vi and less is also assumed, as are parsing, grepping etc. There are people struggling to keep up in class.

Going through all the objectives before attending is a great idea. It gives you some breathing room while doing the exercises in class, and if you have stumbled upon any questions while experimenting yourself, you have a great opportunity to ask them in class. Another good thing with this is probably that it makes you faster at doing the task. If you can reset the root password on a VM in 60 seconds instead of 300s – because you’re not wondering about what commands to run, what parameters to send and how to send them, etc. – that’ll save you a lot of time.

Mini Book Review

But even that is not enough, you really need to be experienced with Linux before. How to use the CLI and things like that. There are some good books around, such as the book UNIX and Linux System Administration Handbook. I haven’t read all of it yet, actually just the part until Perl scripting, which is only the 2nd chapter! The stuff before chapter 3 is just basic Linux administration / using the system. After that it goes into booting, filesystems, basically everything, and this is with some serious depth. Which is not for me.

RHCSA Video

Found http://www.youtube.com/watch?v=CjVYnK57YLA on youtube. Pretty cool, snapshotting in LVM!