Tag Archives: Linux

configure apache

Apache Active Directory Authentication

Overview

This tutorial provides an example of Apache Active Directory Authentication using the Authz LDAP module.
Apache and SSL settings are not in the scope of this tutorial.
Continue reading

Linux_Logo_Photos

Basic SELinux Security Concepts

Overview

“SELinux is a security enhancement to Linux which allows users and administrators more control over access control.” (selinuxproject.org”
Continue reading

VMWare Workstation start on boot CentOS

EPEL CentOS 7 – Add Fedora EPEL repository

EPEL CentOS 7

EPEL CentOS 7 – In the next tutorial I will show you how to add the fedora EPEL repository to your CentOS 7 installation

.

Applicable to

  • Centos 7.x, but also to CentOS 6.x (and probably earlier)

 

Requirements

In order to install CentOS EPEL Repository you need:

  • root access
  • wget:
yum install wget -y

 

Installation

check here for latest version of epel-release-x-x.noarch.rpm

wget http://mirror.nonstop.co.il/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
rpm -Uvh epel-release-7-5.noarch.rpm
rm epel-release-7-5.noarch.rpm -f

or in short:

rpm -Uvh http://mirror.nonstop.co.il/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

Verify

use:

yum repolist

to check that the repo installed correctly.

centos-epel-repolist

That’s it! You’ve added CentOS EPEL repository to your centos installation.

 

How to use?

yum --enablerepo=epel install [package]

for example:

yum --enablerepo=epel install zabbix

Note: The epel configuration file is located under /etc/yum.repos.d/epel.repo.

 

That’s it

Development Specialist, Artist and Activist
Personal Website
Linux_Logo_Photos

Linux ACL Permissions

Overview

“Access Control List (ACL) provides an additional, more flexible permission mechanism for file systems.
It is designed to assist with UNIX file permissions.
ACL allows you to give permissions for any user or group to any disc resource.” (Wikipedia)

Enable ACL on file system

Most likely is that the ACL option is already enabled on your file system but to be sure you can verify using the next command:

#make sure to replace sda2 with the name of your device
tune2fs -l /dev/sda2 | grep options

The output should be:

Default mount options:    user_xattr acl

In order to enable ACL on a file system use tune2fs command:

#make sure to replace sda2 with the name of your device
tune2fs -o acl /dev/sda2

View Linux ACL Permissions

ls command

With ls command you can see if there are any ACL permissions on a file, you will see a ‘+’ sign:

ls -l /folder-file

#Output:
-rw-rwxr--+ 1 root root 0 Mar 15 05:27 folder-file

Now we use getfacl command to see the ACL permissions.

getfacl command

You can use getfacl to view the current ACL permissions of a file or folder.

getfacl /folder-file

#Output
# file: folder-file
# owner: root
# group: root
user::rw-
user:nfsnobody:rwx
group::r--
mask::rwx
other::r--

setfacl command

#setfacl -m u:username:permissions /folder-file
setfacl -m u:bob:rwx /folder-file

#setfacl -m u:uid:permissions /folder-file
setfacl -m u:12345:rwx /folder-file

#setfacl -m g:groupname:permissions /folder-file
setfacl -m g:company:rx /folder-file

#setfacl -m g:gid:permissions /folder-file
setfacl -m g:12345:rx /folder-file

Remove all ACL permissions:

setfacl -b

Remove a specific ACL entry by username, uid, group or gid:

setfacl -x "bob"

Enjoy!

Linux_Logo_Photos

Test firewall with netcat

Overview

“The nc (or netcat) utility is used for just about anything under the sun involving TCP, UDP, or UNIX-domain sockets.
It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet does with some.” (NetCat Manual)

You can use netcat to listen on any available port and connect to it from a remote client, this way you can test that the firewall actually allows you to pass.

netcat installation

On CentOS you just need to use:

yum install nc -y

Test firewall with netcat

netcat server

Run netcat server on port 12345:

nc -v -l 12345

You should receive a blank line.
During connection you will see “Connection from 10.0.0.2 port 6666 [tcp/ircu-2] accepted” and whatever you write on the server will appear on the client.

netcat client

Connect to port 12345 on a remote server 10.0.0.1:

nc 10.0.0.1 12345

You should receive a blank line and whatever you write on the client will appear on the server.

netcat man page

Enjoy!

Linux_Logo_Photos

chmod suid sgid sticky bit

Overview

Linux chmod has a few options that can make your life a lot easier when managing a shared storage.
The most needed are chmod suid sgid sticky bit.
Also the impact of each one is different between files and folders.

chmod suid sgid sticky bit

SetUID and SetGID

SUID (SetUID) and SGID (SetGID) has different affects when used on files or on folders.

suid and sgid on files

When suid is set on an executable that means the file will run with the owner user permissions when run by a different user.
When used you will have the letter ‘S’ specified in the files permissions.
When you will have a lower-case ‘s’ that means it hides the permission ‘x’ of user so it means ‘t+x”

Apply SUID on ‘run.sh’:

chmod u+s run.sh

Apply SUID with 777:

chmod 4777 run.sh

Output SUID with 777:

-rwsrwxrwx.

Output SUID with 677:

drwSrwxrwx.

When sgid is set on an executable that means the file will run with the owner groups permissions when run by a different user.
When used you will have the letter ‘S’ specified in the files permissions.
When you will have a lower-case ‘s’ that means it hides the permission ‘x’ of group so it means ‘t+x”

Apply SGID on ‘run.sh’:

chmod g+s run.sh

Apply SGID with 777:

chmod 2777 run.sh

Output SGID with 777:

-rwxrwsrwx.

Output SGID with 767:

drwxrwSrwx.

suid and sgid on folders

suid and sgid on folders means inherit permissions for newly created files.
sgid will set the owner group permission of all new files the same as folders owner group.

Linux ignores the suid permission on folders.

Sticky-Bit

“When the sticky bit is set, only the item’s owner, the directory’s owner, or the superuser can rename or delete files.” (Wikipedia)

Sticky_bit is mostly applied to folders, it has a few uses on files but that not in the scope of this tutorial.

When used you will have the letter ‘T’ specified in the folders permissions.
When you will have a lower-case ‘t’ that means it hides the permission ‘x’ of others so it means ‘t+x”

Output sticky bit with 777:

drwxrwxrwt.

Output sticky bit with 776:

drwxrwxrwT.

Apply sticky bit to ‘/folder’:

chmod +t /folder

Apply sticky bit with 777:

chmod 1777 /folder

Enjoy!

xrdp-logo

CentOS xrdp HowTo

Overview

xrdp is a free open-source remote desktop server for Linux.
Installing xrdp on CentOS might be a little tricky since CentOS repositories does not contain the xrdp package.
Even the EPEL repository (Extra Packages Enterprise Linux) only contains an old version of xrdp.

CentOS xrdp HowTo

Add EPEL repo

First you need to add the EPEL repository that has an older version of xrdp.

rpm -Uvh http://ftp.uni-bayreuth.de/linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

Install xrdp from EPEL repo

yum install xrdp -y

Install dependencies

yum install tiger-vncserver autoconf automake libtool openssl-devel pam-devel libX11-devel libXfixes-devel -y

Download and install xrdp from source

Now that you have the older version of xrdp installed you can easily compile the latest version on top of the old one.

Download xrdp from sourceforge http://sourceforge.net/projects/xrdp/files/ to /opt folder.

extract the content of the file

tar -xvzf xrdp-v0.6.1.tar.gz

compile and install xrdp:

cd xrdp-v0.6.1
./bootstarp
./configure
make
make install

start xrdp and make sure it is set to run at startup:

service xrdp start
chkconfig xrdp on

Customize xrdp settings

The xrdp service config files are located at ‘/etc/xrdp/’:
We will edit these three:

/etc/xrdp/xrdp.ini
/etc/xrdp/sesman.ini
/etc/xrdp/startwm.sh

Remove login options

Edit ‘/etc/xrdp/xrdp/ini’ and delete from xrdp2 block to the end of the file leaving only the xrdp1 option.

Limit access to certain group

Edit ‘/etc/xrdp/sesman.ini’ and change ‘TerminalServerUsers=tsusers’ to the group name you wan to allow access.
If unset or set to an invalid or non-existent group, login for all users is enabled.

Add environment variables

xrdp has a different set of environment variables than regular bash session.
Edit ‘/etc/xrdp/startwm.sh’ and add at the beginning of the file the environment variables you want.
for example add ‘/bin’ and ‘/sbin’ to the PATH variable:

export PATH=$PATH:/bin:/sbin

Set session limits to avoid login failed error

Edit ‘/etc/xrdp/sesman.ini’ and change ‘MaxSessions=10’ to ‘MaxSessions=100’
 
 
 
xCentOS xrdp HowTo

Enjoy.

Linux_Logo_Photos

iptables examples on CentOS

Overview

“iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.
Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.”

In this tutorial I will give a few essential examples of how to use iptables on CentOS

iptables

There are several ways to configure iptables on CentOS.
The simplest way is to use the command system-config-firewall/system-config-firewall-tui, it will help you set up standard rules like Web Server, FTP Server and a few more.
The second way is to use iptables command to edit the configuration – this method is best for testing since it will NOT save the settings until you run the command:

/etc/init.d/iptables save

The third way is to edit the file /etc/sysconfig/iptables and that is what I will show you today.

iptables chains

First we clear the content of /etc/sysconfig/iptables using:

echo > /etc/sysconfig/iptables

Set all the default chains to DROP and save the file:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

Now we are ready to insert the necessary rules to our chains.

Stateful configuration

Using a stateful rule to allow all established connections:

#Allow all Established connections
-A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p all -m state --state ESTABLISHED -j ACCEPT

Some services requires you to allow related connections (ftp,tftp…):

#Allow all Related connections
-A INPUT -p all -m state --state RELATED -j ACCEPT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT

iptables examples

Allow LocalHost

First we need to insert a rule to allow localhost to communicate:

#All localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

Allow Web Browsing

#Out Internet Access
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#Out Internet Access SSL
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow Outgoing SSH

#Out SSH
-A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH

Allow Incoming SSH from a specified subnet/ip address

#In SSH
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH from all

#In SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming Web Server

#In Internet Access Port 80
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#In Internet Access SSL Port 443
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow DHCP Client

#In/Out DHCP Client
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

Allow DHCP Server

#In/Out DHCP Server
-A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

Allow DNS requests

#Out DNS
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

Allow Incoming ping

#In ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Outgoing ping

#Out ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Zabbix Agent

#In Zabbix Agent
-A INPUT -p tcp --dport 10050 -m state --state NEW -j ACCEPT

Allow Outgoing RDP

#Out RDP
-A OUTPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Allow Incoming RDP Server

#In RDP
-A INPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT

Allow SMTP Server

#In SMTP
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTP Client

#Out SMTP
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTPs Server

#In SMTPs
-A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT

Allow SMTPs Client

#Out SMTPs
-A OUTPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT

Allow SMTP TLS Server

#In SMTP TLS
-A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

Allow SMTP TLS Client

#Out SMTP TLS
-A OUTPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT

Allow POP Server

#In POP
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Allow POP Client

#Out POP
-A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

Allow POPs Server

#In POPs
-A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

Allow POPs Client

#Out POPs
-A OUTPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT

Allow IMAP Server

#In IMAP
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAP Client

#Out IMAP
-A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAPs Server

#In IMAPs
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

Allow IMAPs Client

#Out IMAPs
-A OUTPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT

Allow mySQL Server

#In mySQL
-A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow mySQL Client

#Out mySQL
-A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow NTP Server

#In NTP
-A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow NTP Client

#Out NTP
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow rsync

#In rsync
-A INPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

#Out rsync
-A OUTPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

Allow rsyslogd

#In rsyslogd
-A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

#Out rsyslogd
-A OUTPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

Allow SAMBA Server

#In Samba
-A INPUT -p udp --dport 137:139 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dport 139,445 -m state --state NEW -j ACCEPT

Allow NFS Server

NFS uses random ports on startup so we need to fix the port numbers, add the following lines to ‘/etc/sysconfig/nfs’:

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
RDMA_PORT=20049

#In NFS
-A INPUT -p tcp -m multiport --dport 111,662,875,892,2020,2049,20049,32803 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dport 111,662,875,892,2020,2049,20049,32769 -m state --state NEW -j ACCEPT

Allow TFTP Server

TFTP needs an iptables module called “nf_conntrack_tftp”, edit ‘/etc/sysconfig/iptables-config’ and make sure you have:

IPTABLES_MODULES="nf_conntrack_tftp"

#In TFTP
-A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 69 -m state --state NEW -j ACCEPT

#You also need to allow related OUTPUT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT

Allow Routing

Allow routing between Network-1 to Network-2 using 2 different NICs:

#Allow routing from eth0 to eth1
-A FORWARD -i eth0 -o eth1 -j ACCEPT

Specify port range

For example allow all communication from ports 100-200 to ports 200-300:

-A OUTPUT --sport 100:200 --dport 200:300 -j ACCEPT

Speciy IP Address range

IP Address range requires the ‘iprange’ module,
For example allow all communication to and from 10.0.0.1-10.0.0.100:

-A OUTPUT -m iprange --dst-range 10.0.0.1-10.0.0.100 -j ACCEPT
-A INPUT -m iprange --src-range 10.0.0.1-10.0.0.100 -j ACCEPT

Enjoy!

bash

tr vs sed – String manipulation commands in Linux/Unix

Overview

tr and sed are very powerful stream and character manipulation commands, Each has its own advantage with string manipulation.
tr vs sed - String manipulation commands in Linux/Unix
 

tr vs sed usage and examples

Replace “hi” with “bye”

echo "hi hi" | sed 's/hi/bye/g'
output: bye bye

echo "hi hi" | tr 'hi' 'bye'
output: by by

While sed can replace strings tr can only replace characters,
so with complete string replacement sed is the way to go.
 
Replace “good” with “bad”
echo "good good" | sed 's/good/bad/g'
output: bad bad

echo "good good" | tr 'good' 'bad'
output: bddd bddd

tr is more like a mapping command, it’s like a set of rules:
The char “g=b”, the char “o=a”,”o=d” the last one will be the active one “o=d”.
 
Change ‘ ‘ to a new line:
echo "line1 line2" | tr ' ' '\n'
output:
line1
line1

echo "line1 line2" |sed -e 's/\s\s*/\n/g'
output:
line1
line1

 
As you can see tr is a lot easier for this job.
 
 
Enjoy.
bash

Linux fg bg commands usage and examples

Overview

Linux fg bg commands usage and examples using CTRL-Z and jobs command.
Move a process between background and foreground modes with paused and running states.

Usage and examples

Pause a process

When running a process you can use CTRL-Z to pause the process and free the current shell instance:
Linux fg bg commands ctrl-z-stop

Linux jobs command

To view the stopped jobs use the jobs command:

jobs

You should receive something like this (Job number, Status, Command):
[1]+  Stopped                 ls --color=auto -l --color=auto -lla -R /

Run a process in the background

You can start a process in the background from the start using an ‘&’ mark at the end of the command:

cp /source /destination &

linux fg bg commands

To move a job to the foreground execution (for example job 1):

fg 1

To move a job to the background execution (for example job 1):
bg 1

Kill paused jobs

To kill a paused job you can use the kill command followed by the job number (for example job 1):

kill %1

Enjoy

bash

Copy SSH public key to another server instructions

copy ssh public key

Prerequisities

You need to have a public key. If you haven’t generated keys before use:

ssh-keygen -t rsa

copy ssh public key is very simple. there are some ways to achieve this:

Using ssh-copy-id (recommended)

ssh-copy-id user@host

with this very simple command you can copy your public key to any user@host combination

Using scp

scp .ssh/id_rsa.pub user@host2:.ssh/authorized_keys

cd ~/ before.

The different is that scp will create a new file called authorized_keys while ssh-copy-id will add to id.

Development Specialist, Artist and Activist
Personal Website