Tag: sysadmin

How to increment MySQL replication counters

Sometimes, MySQL replication may break, displaying an error in ‘show slave status’ such as:

mysql> show slave status\G
********************* 1. row *********************
                 Last_Errno: 1062
                 Last_Error: Error 'Duplicate entry '123456' for key 1' on query. Default database: 'XXX'. Query: 'YYY'
               Skip_Counter: 0

When you see this, you can try to increment the counter by:

mysql> stop slave;
mysql> set global sql_slave_skip_counter=1; start slave;

Then rerun the ‘show slave status’ again to see if replication is now working again. If you start seeing many of these, it could possibly indicate that your replication is not consistent between the Master and Slave MySQL servers, and you may need to consider rebuilding replication.

Investigating Compromised Servers

This guide is not a step by step tutorial on how to clean a compromised server, rather it is a reference to illustrate what tools are available for performing an analysis of the compromise. The goal of this guide is to show you what information is available to help you determine:

– Point of entry
– The origin of the attack
– What files were compromised
– What level access did the attacker obtain
– Audit trail of the attackers footprints

There are many different types of compromises available to exploit a UNIX server. Under many circumstances, a server is exploited using common techniques such as using a brute force attack, to guess a weak password, or attempting to use known vulnerabilities in software in hopes the server is not on a regular patch schedule. Whatever the method, it is important to understand how the machine got compromised so you can determine the extent of damage to your server and other hosts accessible to this machine.

During many root level compromises, the most straight forward approach to recovery is to perform a clean install of the server and restore any critical data from known good backups. However until the entry point of the compromise is known, this may not be enough as the compromise needs to be understood so that security hole can be properly closed.

Documentation

When you are notified that a system under your control may be compromised. You want to obtain as much information as possible from the complainant. This includes:

– How was the initial problem found?
– Can the time of the compromise be estimated?
– Has the server been modified since the compromise was detected?
– Anything else the complainant says that is important.

IMPORTANT NOTE: If you are planning on getting law enforcement involved, it is imperative that no additional actions are taken on the server. The server must remain in its current state for forensic and evidence collection purposes.

If you choose to proceed with the investigation, document anything you find on the server. It can be as simple as a copy/paste of the command and its results.

Tools used for investigation

In the attacker’s ideal scenario, all important log files would have been wiped so their tracks are clean. Oftentimes however, this doesn’t happen. This leaves some valuable clues in finding what was done. It may also help determine if this was a basic web hack, or a root level compromise. Below are some of the basic commands that I’ll look through when trying to find that one thread so I can unravel the rest of the compromise.

last

This will list the sessions of users that recently logged into the system and include the timestamps, hostnames and whether or not the user is still logged in. An odd IP address may be cross referenced against a brute force ssh attack in /var/log/messages or /var/log/secure which may indicate how the attacker gained entry, what user they got in as, and if they were able to escalate their privilege to root.

ls -lart /

This will provide a time ordered list of files and directories that can be correlated against the time of the compromise. This listing will help determine what has been added or removed from the system.

netstat -na

This will list the current listening sockets on the machine. Running this may reveal any back doors that are listening, or any errant services that are running.

ps -wauxef

This will be helpful in tracking down any errant processes that are listening, as well as help show other odd processes such as the user www running a bash process for example. lsof |grep can also be used to further find what open files this process is using. Concurrently, cat /proc//cmdline may also let you know where the file that controls this process exists.

bash_history

The history file often becomes the Rosetta stone of tracking down what took place during a compromise. Looking through the users .bash_history file will often show exactly what commands were executed, what malicious programs were downloaded, and possibly what directories they were focusing on.

top

Oftentimes, a malicious process will be causing CPU contention issues within the environment, and will usually show up near the top of the list. Any processes that are causing the CPU contention issues should be considered suspicious when tracking down a compromise.

strace

When running strace -p pid on a suspicious process, this may yield important insight into what the process is performing.

In some cases, the commands above may not provide many clues to what happened during the attack. This is where more fine grained tools must be used.

Before moving forward, it should be confirmed that the binaries you are using to investigate are not trojanned versions. These trojanned versions can perform whatever tasks the attacker wishes, which include not showing information that could trace what the compromise was trying to accomplish.

So to verify we have a good working set of tools:

rpm -Va

Verifying a package compares information about the installed files in the package with information about the files taken from the package meta data stored in the rpm database. Among other things, verifying compares the size, MD5 sum, permissions, type, owner and group of each file. Any discrepancies are displayed.

When running this command, it is important to note any packages that are flagged in the following directories may mean you are using a trojanned version of the binary, and therefore you cannot trust its output:

– /bin
– /sbin
– /usr/bin
– /usr/sbin

An example of what a trojanned file:

S.5….T /bin/login
rpm -qa

This can be used to show what rpm’s have been recently installed in chronological order. However, in the case of a root compromise, the rpm database could be altered and therefore not trusted.

lsattr

In cases where the attacker was able to get root access and trojan certain binaries, sometimes they will set that binary to be immutable so you cannot reinstall a clean version of that binary. Common directories to look in are:

– /bin
– /sbin
– /usr/bin
– /usr/sbin

An example of a file that had its attributes set to immutable:

-------i----- /bin/ps

Under normal circumstances in these directories, the rules should all look similar to:

------------- /bin/ps
find

Find is a UNIX tool that can be critical in finding files that have been recently modified. For instance, to find files that have been modified in the last file days, run:

find / -mtime 5

Common Directories Where Web Exploits Are Found
Check world writable directories that Apache would commonly write its temp files to. Locations such as:

– ls -al /tmp
– ls -al /var/tmp
– ls -al /dev/shm

If you have directories on your website that are chmod’ed 777, those are suspect as well.

When checking these directories, you are looking for any files that you don’t recognize, or look suspicious. Be on the lookout for hidden files or files that have execute permissions.

mailq
postcat -q [message_id] | grep X-PHP-Originating-Script
...
X-PHP-Originating-Script: 48:dirs60.php(243) : eval()'d code
...

As shown above, sometimes the compromise could reveal itself through Postfix. If you see your server sending out a lot of spam, or if you are having resource contention issues with CPU or Load, checking out mail queue could help locate the source of the malicious script on the server.

As dirs60.php doesn’t show you exactly where the file resides, you can usually track it down by:

updatedb
locate dirs60.php
# or
find /path/to/website/docroot -name dirs60.php
maldet --scan-all /var/www

Maldet can be very useful for scanning your site for potential malware. Instructions on how to install and run it can be found here.

clamscan -r -i /

ClamAV can also be extremely useful for scanning your entire server for malware. Instructions on how to install and run it can be found here.

Finding point of entry

If you found anything using the information above, that means that you most likely have a timestamp of when the malicious file(s) were installed on the server.

You can now use that timestamp to start combing through your website’s access logs, looking for any suspicious entries in the log during that time period. If you find something, you can cross reference it to where you found the malicious files, then you likely just narrowed down the point of entry.

While the large majority of compromises do come from exploitable code within your website, you cannot rule out other entry points. So be sure to dig through /var/log/* to see if there is anything suspicious during the reported time frame.

Example of investigation

Below is a real example of one of my investigations, documenting my thought process.

When I am investigating a suspected root level compromise, the first thing that needs to be verified was whether or not this was just a basic web hack, or if root privileges were really gained. 80% of the time, its just a simple web hack that can be safely cleaned.

Step 1: Quick and dirty check to see it root privileges were gained:

lsattr /usr/sbin | less
lsattr /usr/bin | less
lsattr /bin | less
lsattr /sbin | less

What to look for:

Your checking for modified attributes such as binaries being set immutable, etc.

Results:

s---ia------- /sbin/shs

^ When you strings that file, you see its a backdoor shell.

Step 2: See if the attacker cleaned his tracks.

Many times, these are script kiddies or dummies who just forgot to clean up after themselves.

What to look for:

All user accounts in /etc/passwd that a valid shell:

cat /home/$USER/.bash_history
Root's history:
history
cat /root/.bash_history

Results:

The /root/.bash_history revealed what the attacker did on the server, which includes:

– They downloaded some malicious tools to serve up via apache in /var/www/html/*.
– They also installed some IRC stuff in /var/tmp/.ICE-unix (as well as other tools).
– Modified root’s crontab to re-download the malicious tools if someone removes them from the server:
* * * * * /var/tmp/.ICE-unix/update >/dev/null 2>&1

Step 3: Check for basic web hacks

Normally if steps 1 and 2 do not show anything, most likely its just a simple web hack that CAN be cleaned easily without formatting the server or otherwise causing panic.

In this specific investigation, that logic is null and void since we know that root privileges were gained. However, just for reference, and since its relevant to this anyways cause I believe that the attacker exploited phpmyadmin. Once they had their backdoor phpshell loaded, they were able to perform a local root exploit to escalate their privileges.

What to look for:

Hidden files and directories, in world readable directories, that apache would normally write tmp files to:

ls -al /var/tmp |less
ls -al /tmp
ls -al /dev/shm

Results:

drwx------ 3 70 70 4096 Nov 19 02:00 /var/tmp/.ICE-unix

^ There is a whole bunch of fun stuff in there.

If items are found in here, you must attempt to track down the entry point so you can have the client take down the site, upgrade their site code, or otherwise fix the exploitable code. One quick and dirty way is by looking at step 5. However, if you see irc bots and stuff running in the output of ps -waux, then you can try to catch where the process is running from by using lsof, or ps -wauxxef |grep .

Step 4: Look for PID’s listening for incoming connections

What to look for:

netstat -natp : Looks for any suspicious connections running on odd ports
ps -wauxxef : look for suspicious files like bash running under www context
lsof : helps to determine where the pid above is running from

Results:

tcp 0 0 0.0.0.0:1144 0.0.0.0:* LISTEN 1008/bash
tcp 0 1 172.16.23.13:60968 22.22.22.22:7000 SYN_SENT 6860/sshd

There are also a fair amount of other ssh ESTABLISHED connections running from high level ports. This means the attackers are still connected to this machine. I can’t see them cause they probably modified the binaries to hide themselves.

[root@www tmp]# netstat -natp |grep sshd |awk '{print $4,$5,$6,$7}'
0.0.0.0:22 0.0.0.0:* LISTEN 1046/sshd
172.16.23.13:60986 22.22.22.22:6667 SYN_SENT 6860/sshd
123.123.123.123:22 22.22.22.22:59361 ESTABLISHED 22795/sshd
123.123.123.123:22 22.22.22.22:57434 ESTABLISHED 22796/sshd
123.123.123.123:57139 143.143.143.143:6667 ESTABLISHED 6860/sshd
123.123.123.123:57402 22.22.22.22:6667 ESTABLISHED 6860/sshd
123.123.123.123:22 143.143.143.143:49238 ESTABLISHED 8860/sshd
123.123.123.123:57134 22.22.22.22:6667 ESTABLISHED 6860/sshd
123.123.123.123:56845 22.22.22.22:6667 ESTABLISHED 6860/sshd
123.123.123.123:57127 143.143.143.143:6667 ESTABLISHED 6860/sshd

Step 5: Determine point of entry for original compromise

What to look for:

/var/log/[messages|secure] : check for brute forced ssh attempts.
apache access logs and error logs : May help determine which site is exploitable. Most attacks are linked against this.

When checking this, also cross reference IP’s against the logs if you think there is a chance it may have originated from there. Its a quick and easy way to trace down the origin point.

Simple ways of checking servers with a ton of web logs like the one used in this example:

cd /var/log/httpd
for i in `ls * |grep access`; do echo $i && grep wget $i; done
for i in `ls * |grep access`; do echo $i && grep curl $i; done

NOTE: wget was searched cause that was in root’s history file under what I believe may have been part of the entry point

Results:
Evidence found that the phpmyadmin installation in /var/www/html was exploited. The version of phpmyadmin was severely outdated. Keeping phpmyadmin patched on a regular schedule would have prevented this from happening.

Final thoughts

Investigating web or root level exploits is more of an art then a science. After you have investigating a few dozen, you will just ‘feel’ something is not right on the server. I cannot stress enough, when you are investigating a compromised system, you must do everything you can to determine exactly how the server got compromised in the first place. Once you have that information, you will then be able to successfully remediate the exploit.

Encrypting Block Storage In The Cloud

For sensitive information being stored in the cloud outside your direct control, it is critical to encrypt your data at rest. Full disk encryption helps to protect you against unauthorized indivuduals mounting your volume without a key.

It should be noted that LUKS encryption will not protect your data when it is mounted and viewable by your server. A malicious user could in theory break into your server and traverse to that mount point.

My requirements

When writing this guide, I am using the following thought process when implementing LUKS on my Cloud Block Storage volume:

– No keys are to be stored on the server. This is for security purposes since your keys shouldn’t be stored on the server. Would you tape the keys to your Porche on the hood? No. The same logic applies here.
– The volume will not be mounted at boot. This is to prevent the server from stopping the boot process for you to enter in the key. Please note that if the server reboots, you will have to manually log in, mount the volume, and type the passphase for the volume before the system can use it again!

Procedure

This example is going to be specific for CentOS 6.

1. Create your Cloud Block Storage Volumes
In this instance, I am going to be using 2x 100G volumes which are already mounted on my server, and will be setting them up in a RAID 1 configuration.

yum install mdadm cryptsetup-luks cryptsetup-luks-devel
mdadm --create /dev/md0 --level=1 --raid-devices=2 /dev/xvdb /dev/xvdd

Now confirm the RAID is rebuilding itself by typing:

mdadm --detail /dev/md0

2. Now its time to setup LUKS. This will format your volume, so use caution.

cryptsetup luksFormat /dev/md0

Confirm the contents of the message, then type ‘YES’ in uppercase letters. Then enter a very secure passphrase, and store it somewhere safe. Never store the key on your server!

3. You can verify the results of the encryption process by typing the following:

cryptsetup luksDump /dev/md0

4. Time to mount the encrypted volume and give it a name:

cryptsetup luksOpen /dev/md0 mysecurevolume

5. Finally, lets put a filesystem on it and mount:

mkfs.ext4 /dev/mapper/mysecurevolume
mkdir /opt/mysecurevolume
mount /dev/mapper/mysecurevolume /opt/mysecurevolume

6. You can check the status to ensure its encrypted by typing:

cryptsetup status mysecurevolume

7. Now disable automount so your server won’t hang on boot waiting for the passphrase:

vi /etc/grub.conf
# Append the following at the end of all the kernel lines
rd_NO_LUKS

And your done!

To manually mount the volume after a reboot:

cryptsetup luksOpen /dev/md0 mysecurevolume
mount /dev/mapper/mysecurevolume /opt/mysecurevolume

To manually umount the volume, type:

umount /dev/mapper/mysecurevolume
cryptsetup luksClose mysecurevolume

Final thoughts

Remember, full disk encryption utilizing LUKS is only one part of a defense in depth strategy. No security management system is perfect, but each layer you add will help increase your solutions security footprint.

Scrutiny

Being asked at 9AM to determine what caused a system to have problems at 2:30AM can be a weary task. If the normal system logs do not give us any real hints about what may have caused the issue, we oftentimes get trapped having to give the really poor answer of “We cannot replicate the issue that you experienced during the overnight, and the logs are not giving us enough information to go on. So we’ll have to watch for it tonight to see if it re-occurs.” Times like that makes a sysadmin feel completely helpless.

What if you could see what processes were running on the system at prescribed intervals? And not just processes, but what about what queries were running, how many people were hitting Apache, perhaps what types of network connections you were getting, on top of a bunch of other information that can be gathered from tools like vmstat, iostat, etc? Now you can draw better conclusions cause you will know what was happening at that single point in time.

Welcome Scrutiny! Located over on github. A tool based off of recap, rewriten to suit my own needs for portability between Red Hat, Debian, and FreeBSD based systems, as well as allowing for simple modifications of the metrics needed to best suit your own environment.

Features

– Simple code base for quick customizations
– Ability to enable/disable groups of checks
– Easy to add/modify/remove individual metric gathering
– Uses tools such as ps, top, df, vmstat, iostat, netstat, mysqladmin, and apache’s server-status module to help create a point in time snapshot of the systems events.

Configuration

The currently configurable options and thresholds are listed below:

# Enable / Disable Statistics
process_log=on
resource_log=on
network_log=on
mysql_log=on
apache_log=on

# Retention Days
retension=2

# Logs
basedir=/var/log/scrutiny

Implementation

Download script to desired directory and set it to be executable:

# Linux based systems
cd /root
git clone https://github.com/stephenlang/scrutiny/linux/scrutiny.sh

# FreeBSD based systems
git clone https://github.com/stephenlang/scrutiny/freebsd/scrutiny.sh
chmod 755 scrutiny.sh

After configuring the tunables in the script (see above), create a cron job to execute the script every 10 minutes:

crontab -e
*/10 * * * * /root/scrutiny.sh

Now days later, if a problem was reported during the overnight and you were able to narrow it down to a specific timeframe, you will be able to look at the point in time snapshots of system events that occurred:

ls /var/log/scrutiny

RHCSA Study Guide – Practice Exam

############################
Everything below are my raw notes that I took while attending an unofficial RHCSA training session.  I am posting them here in hopes they will assist others who may be preparing to take this exam.  

My notes are my own interpretation of the lectures, and are certainly not a replacement to classroom training either through your company, or by taking the official RHCSA classes offered through Red Hat.  If you are new to the Red Hat world, I strongly suggest looking into their training courses over at Red Hat.
############################
For all of the following problems:
- SELinux must be activated in enforcing mode.
- The 'X' sign represents your station number.
- The RHEL 6.1 repository url is:
http://server1.example.com/isos/RHEL-6.1-x86_64/Server

0)  Set up access to the yum repository provided above.  Install setroubleshoot.

NOTES:
[root@web01 ~]# vi /etc/yum.repos.d/myrepo.repo
...
[myrepo]
name = my repo
gpgcheck = 0
baseurl=http://server1.example.com/isos/RHEL-6.1-x86_64/Server
...

[root@web01 ~]# yum install setroubleshoot
[root@web01 ~]# service auditd restart
	
STATUS:  COMPLETE
--


1)  Fix your machine so that it will present a graphical login prompt upon bootup.

NOTES:
[root@web01 ~]# vi /etc/inittab
# change
id:4:initdefault:
# to	
id:5:initdefault:

STATUS:  COMPLETE
--


2)  Replace your DHCP-assigned IP configuration with a static network setup.  Your machine should stay in the same subnet, using the same default gateway and DNS server, as well as the same IP address and netmask, but it will be set up statically instead of dynamically.

NOTES:
[root@web01 ~]# service NetworkManager stop
[root@web01 ~]# chkconfig NetworkManager off
[root@web01 ~]# setup
Put in static configuration

STATUS:  COMPLETE
--


3)  Add 1GiB of swap space to your machine using a raw device.
	
NOTES:
[root@web01 ~]# fdisk /dev/sda
n
e
default
default
n
default
+1G
t
5
82
w
[root@web01 ~]# reboot
[root@web01 ~]# mkswap /dev/sda5
[root@web01 ~]# swapon /dev/sda5
[root@web01 ~]# vi /etc/fstab
...
/dev/sda5 swap swap defaults 0 0 
...

STATUS:  COMPLETE
--


4)  Create user accounts named "student", "mike", and "linus" each with passwords of "redhat" and belonging to a secondary group called "rhce".

NOTES:
[root@web01 ~]# groupadd rhce
[root@web01 ~]# for i in student mike linus; do echo "useradd $i -G rhce"; done
[root@web01 ~]# for i in student mike linus; do passwd $i; done

STATUS:  COMPLETE
--


5)  Restrict the "rhce" group to own no more than 1GiB of data and up to 1000 files in the /home filesystem.
	
NOTES:
[root@web01 ~]# vi /etc/fstab
# change
/dev/mapper/VolGroup00-LogVol01 /home ext4 defaults 1 2
# to
/dev/mapper/VolGroup00-LogVol01 /home ext4 defaults,usrquota,grpquota 1 2

[root@web01 ~]# umount /home
[root@web01 ~]# mount -a
[root@web01 ~]# quotacheck -mavug
[root@web01 ~]# quotaon -a
[root@web01 ~]# edquota -g rhce
...
/dev/mapper/VolGroup00-LogVol01 40 0 104857600 5 0 1000
...
	
# Quota dervived from:  echo $((1024*1024*100))
[root@web01 ~]# repquota -g /home

STATUS:  COMPLETE
--	


6)  Setup a /home/rhce directory to facilitate collaboration among the rhce group.  Each member should be able to create files and modify each others' files, but should not be able to delete any one else's files in this directory.

NOTES:
[root@web01 ~]# mkdir /home/rhce
[root@web01 ~]# chown root:rhce /home/rhce
[root@web01 ~]# chmod 770 /home/rhce
[root@web01 ~]# chmod +t /home/rhce
[root@web01 ~]# chmod g+s /home/rhce

STATUS:  COMPLETE
--


7)  Configure your machine to be an NIS client of server1 for authenticating users in the example.com domain.  You should then be able to login with a username of "stationX" using "stationX" for the password.

NOTES:
[root@web01 ~]# setup --> Authentication configuration
Select:  NIS and Kerboros
Domain:  example.com
Server:  server1
Check both boxes at bottom

# Now lets just do the automount stuff for completion
[root@web01 ~]# showmount -e server1
[root@web01 ~]# vi /etc/auto.master
...
/home/nis	/etc/auto.nis
...

[root@web01 ~]# vi /etc/auto.nis
...
* server1.example.com:/home/nis/&
...

[root@web01 ~]# service autofs restart
[root@web01 ~]# ssh station3@localhost # And verify you have your home dir

STATUS:  COMPLETE
--


8)  Expand the filesystem on /home to 3GiB in size.
	
NOTES:
[root@web01 ~]# lvresize -r -L 3G /dev/mapper/VolGroup00-LogVol01
	
STATUS:  COMPLETE
--


9)  Set up a default configuration FTP server.  Verify anonymous access to the pub folder.  Block ftp connections from 192.168.0.32.

NOTES:
[root@web01 ~]# yum install vsftpd
[root@web01 ~]# chkconfig vsftpd on
[root@web01 ~]# service vsftpd start
[root@web01 ~]# iptables --flush
[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT -s 192.168.0.32 -m tcp -p tcp --dport 21 -j REJECT
...
        
[root@web01 ~]# service iptables restart
[root@web01 ~]# rpm -qlv vsftpd | fgrep /var/ftp # Figure out what perms it should have by default
[root@web01 ~]# chmod 755 /var/ftp	

STATUS:  COMPLETE	
--


10)  Set up a default configuration webserver.  In the index file, place the word "stationX" where X is your station number.  Make this web server only accessible to your machine and server1.example.com.

NOTES:
[root@web01 ~]# yum install httpd
[root@web01 ~]# chkconfig httpd on
[root@web01 ~]# service httpd start
[root@web01 ~]# echo "station3" > /var/www/html/index.html
[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT -p tcp -s 192.168.1.44 --dport http -j ACCEPT
-A INPUT -p tcp -s 127.0.0.1 --dport http -j ACCEPT
-A INPUT -p tcp -s server1.example.com --dport http -j ACCEPT
-A INPUT -m tcp -p tcp --dport 80 -j REJECT
...
        
# Now, setup the Apache acl cause that was ambigious about access:
[root@web01 ~]# vi /etc/httpd/conf/htpd.conf
...
< Directory />
Order allow,deny
Allow from 192.168.1.44 127.0.0.1 server1.example.com
...
	
[root@web01 ~]# service httpd restart
# Tried to browse to the url, no dice
[root@web01 ~]# ls -alZ /var/www/html/
[root@web01 ~]# setenforce 0
# confirmed selinux is the issue
[root@web01 ~]# setenforce 1
[root@web01 ~]# tail /var/log/messages |grep SELinux
[root@web01 ~]# chcon -R --reference /var/www /var/www/html
# -or-
[root@web01 ~]# restorecon -R /var/www/html
[root@web01 ~]# service httpd restart

STATUS:  COMPLETE
--



11)  Set up a new 1G logical volume.  Encrypt the volume with LUKS and set it up to automatically decrypt and mount to /crypt at boot.  Use the ext4 filesystem and place an empty file in the root of the encrypted filesystem with a name of "stationX".

NOTES:  
[root@web01 ~]# lvcreate -n crypt -L 1G VolGroup00
[root@web01 ~]# mkdir /crypt
[root@web01 ~]# cryptsetup luksFormat /dev/VolGroup00/crypt
[root@web01 ~]# cryptsetup luksOpen /dev/mapper/VolGroup00-crypt crypt
[root@web01 ~]# mkfs -t ext4 /dev/mapper/crypt
[root@web01 ~]# vi /etc/fstab
...
/dev/mapper/crypt /crypt ext4 defaults 1 2
...

[root@web01 ~]# mount -a
[root@web01 ~]# dd if=/dev/urandom of=/etc/keyfile bs=1k count=4
[root@web01 ~]# cryptsetup luksAddKey /dev/VolGroup00/crypt /etc/keyfile
[root@web01 ~]# chmod 400 /etc/keyfile
[root@web01 ~]# vi /etc/crypttab
...
crypt /dev/VolGroup00/crypt /etc/keyfile
...
 
[root@web01 ~]# touch /crypt/station3

# How to test this to ensure it'll mount on boot
[root@web01 ~]# umount /crypt
[root@web01 ~]# cryptsetup luksClose /dev/mapper/crypto
[root@web01 ~]# bash
[root@web01 ~]# . /etc/init.d/functions
[root@web01 ~]# init_crypto 1 # If your key works, it won't prompt for a passphrase.
[root@web01 ~]# mount -a

STATUS:  COMPLETE
--


12)  Create a new user "alice".  Give alice, not in the rhce group, read and write access to /home/rhce.

NOTES:
[root@web01 ~]# useradd alice
[root@web01 ~]# passwd alice
[root@web01 ~]# setfacl -R -m u:alice:rwx /home/rhce
[root@web01 ~]# setfacl -R -m default:u:alice:rwx /home/rhce
[root@web01 ~]# chmod +t /home/rhce # Had to set this again... thinking acl blew it out

STATUS:  COMPLETE

RHCSA Study Guide – Objective 10 : Virtualization

############################
Everything below are my raw notes that I took while attending an unofficial RHCSA training session.  I am posting them here in hopes they will assist others who may be preparing to take this exam.  

My notes are my own interpretation of the lectures, and are certainly not a replacement to classroom training either through your company, or by taking the official RHCSA classes offered through Red Hat.  If you are new to the Red Hat world, I strongly suggest looking into their training courses over at Red Hat.
############################

Virtualization

EXAM NOTE: This will not be on the test since the test is on a vm… so they can’t test for it at the time of this writing as far as I can tell.

RHEL6 virtualization is done by:

- KVM
- QEMU

To run it, you must be on a 64-bit system and the kernel virtualization extensions much be enabled on the cpu’s. (ie. VT (VMX) and AMD-V (svm))

To get this working, 4 package groups are needed to get this setup:

- Virtualization
- Virtualization Client
- Virtualization Platform
- Virtualization Tools

Libvirt is the management framework used in RHEL6 virtualization.

Interface to libvirt available is:

- virsh : cli
- virt-manager : GUI client (Not exactly feature rich...)

RHCSA Study Guide – Objective 9 : Network Security

############################
Everything below are my raw notes that I took while attending an unofficial RHCSA training session.  I am posting them here in hopes they will assist others who may be preparing to take this exam.  

My notes are my own interpretation of the lectures, and are certainly not a replacement to classroom training either through your company, or by taking the official RHCSA classes offered through Red Hat.  If you are new to the Red Hat world, I strongly suggest looking into their training courses over at Red Hat.
############################

TCP Wrappers

TCP wrappers were originally written to provide host based access controls, pretty much back 30 years ago. It can be thought of as the first firewall of sorts. So assuming the service your looking to protect supports tcpwrappers, and tcpwrappers are turned on, then you can enable wrappers.

To see if the application has tcpwrappers built in, you can do the following:

[root@web01 ~]# which sshd
[root@web01 ~]# /usr/sbin/sshd
[root@web01 ~]# ldd /usr/sbin/sshd |grep wrap # If you see libwrap.so.0, it has support.

The 2 configuration files are below:

/etc/hosts.allow
/etc/hosts.deny

They are parsed in the following order:

1.  /etc/hosts.allow is consulted first.  If the configuration permits the requested connections, its allowed.
2.  /etc/hosts.deny is consulted.  If the configuration doesn't permit the connection, its denied.

If the connection is not specifically accepted or rejected in either file, its denied.

The syntax in both of these files are as follows: (Using sshd as the example)

[root@web01 ~]# vi /etc/hosts.deny
# Deny ssh connections from 192.168.2.223
sshd: 192.168.2.223

iptables

Iptables operates at the kernel level, which allows for:

- Flexible layer 2 filtering engine
- NAT support
- Port forwarding
- And a ton more

The configuration is parsed top to bottom. First match wins. If there is no specific match, the chain policy will apply.

Tools:

[root@web01 ~]# iptables # view/modify current firewall rules
[root@web01 ~]# iptables-save # Script to save current firewall rules for use with iptables-restore
[root@web01 ~]# iptables-restore # Restores iptables-save format firewall rules - useful to setup firewalls at boot.

Personally, I like doing this stuff myself by directly editing: 

[root@web01 ~]# /etc/sysconfig/iptables.

When creating rules, considerations include:

1.  What chain should the rule apply to?  Note:  A chain is just a collection of rules
  a.  INPUT - Any traffic coming inbound 
  b.  OUTPUT - Egress filtering (outbound filtering)
  c.  FORARD - Responsible for filtering traffic between different interfaces

2.  What traffic pattern to look for
The most common flags for the exam are posted below:
  a.  -i incoming interface
  b.  -p protocol (udp/tcp)
  c.  -s source ip address
  d.  -d destination ip address
  e.  --dport destination port

3.  What should happen with the traffic.
  a.  DROP : Do not deliver, do not respond
  b.  REJECT : Do not deliver, send reject notice
  c.  ACCEPT : Deliver
  d.  Log : Just log the packet.

EXAM NOTE: Will probably only see INPUT chain rules only.

Summary of iptables:
- iptables

What chain should the rule apply to?
 -A INPUT

What is the traffic pattern to look for?
 -s 192.168.222.2

What should happen with the traffic?
 -j REJECT

Lab

1.  Use iptables, configure your web server to NOT accept connections from the 192.168.1.0/24 network, EXCEPT for the ip address of whomever is sitting next to you.  Work together to test firewall settings, and remember, WEB server.

[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT -s 192.168.1.4 -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j REJECT
...

2.  Browse through the man page for iptables.
[root@web01 ~]# man iptables

3.  Use iptables to allow ssh from the classroom network only.
[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT ! -s 192.168.1.0/24 -m tcp -p tcp --dport 22 -j REJECT
...

RHCSA Study Guide – Objective 8 : Web Services

############################
Everything below are my raw notes that I took while attending an unofficial RHCSA training session.  I am posting them here in hopes they will assist others who may be preparing to take this exam.  

My notes are my own interpretation of the lectures, and are certainly not a replacement to classroom training either through your company, or by taking the official RHCSA classes offered through Red Hat.  If you are new to the Red Hat world, I strongly suggest looking into their training courses over at Red Hat.
############################

Apache

Apache is the default web server on RHEL6. The default configuration file exists at:

/etc/httpd/conf/httpd.conf

In Apache2, the /etc/httpd/conf.d directory stores configuration that are specific to a particular Apache module. All files in this directory ending in .conf will be parsed as a configuration file.

Basic apache vhost default:

< VirtualHost blah.com>
        ServerName blah.com
        ServerAlias www.blah.com
        DocumentRoot /var/www/vhosts/www.blah.com
        CustomLog /var/log/httpd/blah.com.access
        ErrorLog /var/log/httpd/blah.com.error
< VirtualHost>

Apache supports 3 types of virtual hosting:

- IP based hosting : (All sites have different IP's)
- Port based virtual hosting : (Can use the port to tell the server were to go to.  ie. google.com:33333
- Name based virtual hosting : (most popular, as apache looks at the host header and directs the name to the vhost container and match)

Additional docs:

[root@web01 ~]# yum install httpd-manual
[root@web01 ~]# service httpd restart
[root@web01 ~]# firefox localhost:/manual

Lab

1.  Configure two websites on your server.  "X" represents your station #. 

2.  wwwX.example.com should be served from the /var/www/html and should also respond to requests for the short hostname wwwX.

3.  vhostX.example.com should be served from /home/linus/html and should also respond to requests for the short hostname vhostX.

4.  Both should be listening on your primary ip address, but wwwX.exmaple.com should be the default site.

** Too much to post answers here... but its really straight forward.  Just watch selinux, and perms on /home/linus

Securing Apache

2 directives for setting up access controls

-  allow from (host|network|ALL)
-  deny from (host|network|ALL)

These are applied in the given order:

1.  order allow,deny : Allows explicitly allowed clients and denies everyone else.  Anyone matching both deny and allow are denied.

2.  order deny,allow : Denies explicitly denied clients and allows everyone else.  Anyone matching both deny and allow are allowed.

These directives are placed inside one of the following tags:

< Directory>
< File>

In theory, its best to keep these as global variables in the httpd.conf. You have to remember that you are protecting your data, your files and directories, so its best to keep these secured against all vhosts… so you set them globally. In other words, set it OUTSIDE the vhost tag.

RHCSA Study Guide – Objective 7 : File Sharing

############################
Everything below are my raw notes that I took while attending an unofficial RHCSA training session.  I am posting them here in hopes they will assist others who may be preparing to take this exam.  

My notes are my own interpretation of the lectures, and are certainly not a replacement to classroom training either through your company, or by taking the official RHCSA classes offered through Red Hat.  If you are new to the Red Hat world, I strongly suggest looking into their training courses over at Red Hat.
############################

NFS

The network file service (NFS) is used to share data with other servers.

To see if the NFS server has the ports listening:

[root@web01 ~]# rpcinfo -p server1

To see what shares are setup on the NFS server:

[root@web01 ~]# showmount -e server1

To mount the NFS share:

[root@web01 ~]# mount x.x.x.x:/share1 /mnt

To make it persistent across reboots:

[root@web01 ~]# vi /etc/fstab
...
x.x.x.x:/share /mnt nfs defaults 0 0
...

EXAM NOTE: You just need to know how to mount a share for the rhcsa. No real nfs configuration needed

Lab

Mount the /share NFS share from server1, and add it to your fstab for persistence across reboots
[root@web01 ~]# mount -t nfs server1:/share /mnt
[root@web01 ~]# vim /etc/fstab
...
server1:/share  /mnt nfs defaults 0 0
...

VSFTPD

The default FTP server is vsftpd. The primary configuration file is:

/etc/vsftpd/vsftpd.conf

Two types of access are allowed:

1.  Anonymous : By default, these users are chrooted to /var/ftp for security.  (NOTE for SElinux), could use that --reference flag if changing dir
2.  User :  By default, users do not get chrooted.

Indivudual users can be denied by placing their names in:

[root@web01 ~]# vim /etc/vsftpd/ftpusers

Lab

1.  Configure VSFTPd to only allow the user 'richard' to ftp to your server
[root@web01 ~]# yum install vsftpd
[root@web01 ~]# chkconfig vsftpd on

# Now, need to set selinux to allow users to write to their homedir
[root@web01 ~]# getsebool -a |grep ftp
[root@web01 ~]# setsebool -P ftp_home_dir on
[root@web01 ~]# setsebool -P sftpd_enable_homedirs on

# EXAM NOTE: DO NOT FORGET TO SPECIFY THE -P SO THE CHANGE IS PERSISTENT ACROSS REBOOTS!

# Now, set vsftpd to only allow richard in:
[root@web01 ~]# vi /etc/vsftpd/vsftpd.conf
...
userlist_enable=NO
...

[root@web01 ~]# vi /etc/vsftpd/user_list
# Remove everything and add
richard

# Test by:
[root@web01 ~]# ftp localhost

2.  Browse through the man page on vsftpd.conf
[root@web01 ~]# man vsftpd.conf

3.  Make sure vsftpd is started at boot time
[root@web01 ~]# chkconfig vsftpd on

RHCSA Study Guide – Objective 6 : Kernel Features

############################
Everything below are my raw notes that I took while attending an unofficial RHCSA training session.  I am posting them here in hopes they will assist others who may be preparing to take this exam.  

My notes are my own interpretation of the lectures, and are certainly not a replacement to classroom training either through your company, or by taking the official RHCSA classes offered through Red Hat.  If you are new to the Red Hat world, I strongly suggest looking into their training courses over at Red Hat.
############################

LVM

Quick note: There is a gui tool for all this if that is what you like:

[root@web01 ~]# yum install system-config-lvm
[root@web01 ~]# system-config-lvm

LVM abstracts the physical hardware into logical drive spaces which can be dynamically grown/shrunk and span disparate physical devices. Its good for hard drive management as it abstracts away the details of the underlying storage devices.

There is a low amount of overhead to the VFS layer, so you are going to take a slight performance hit.

LVM Terminology:

- Physical Volume (pv) - A physical volume is the partition/raid device for the lvm space.
- Physical Extent (pe) - EXAM NOTE:  You may need to change this on text.  Its a chuck of disk space.  Defaults to 4M
- Volume Group (vg) - Collection of physical volumes
- Logical Volume (lv) - A logical volume is a grouping of physical extents from your physical volume.  This is where you format your fs.

Gist of how this works:
pvcreate : Create a physical volume

[root@web01 ~]# pvcreate /dev/sda4

vgcreate : Create a volume group on PV

vgcreate VolGroup00 /dev/sda4  # This is where the extents are created.

lvcreate : Create a logical volume on VG 

[root@web01 ~]# lvcreate -n myvol -L 10G VolGroup00 # This is where the extents are allocated.

Other commands:

vgextend
lvextend
lvresize
resize2fs
lvresize # Use this one when doing your resize:  
ex:  lvresize -r {-l (+extents) | -L (+size)} (lv)

When mounting your new fs, use: /dev/vg/lv.

Lab

EXAM NOTE: Most of this stuff will be on the test

1.  Add logical volume management on top of a new partition.  Use a physical extent size of 16MB.  Use fdisk or whatever to create new volume.  
[root@web01 ~]# pvcreate /dev/sda7
[root@web01 ~]# vgcreate -s 16 vg0 /dev/sda7
[root@web01 ~]# vgdisplay vg0

2.  Use half the available space for a logical volume formatted with ext4 and mounted persistently across reboots.
[root@web01 ~]# lvcreate -n myvol -L 5G vg0
[root@web01 ~]# ls -al /dev/vg0/myvol
[root@web01 ~]# ls -al /dev/mapper/vg0-myvol
[root@web01 ~]# ls -al /dev/dm-3
[root@web01 ~]# mkfs -t ext4 /dev/vg0/myvol
[root@web01 ~]# vi /etc/fstab
...
/dev/vg0/myvol /u03 ext4 defaults 1 2
...
[root@web01 ~]# mkdir /u03
[root@web01 ~]# mount /u03

3.  Take a snapshot of this logical volume and check the file system for errors
[root@web01 ~]# ls -al /u03
[root@web01 ~]# cp /var/log/* /u03/
[root@web01 ~]# lvcreate -s /dev/vg0/myvol -n snap-of-myvol -L 500M
[root@web01 ~]# ls -al /dev/vg0
[root@web01 ~]# lvdisplay vg0 # You will see your 2 logical volumes (and snapshot in 'source of')
[root@web01 ~]# mount /dev/vg0/snap-of-myvol /mnt  # This is how you mount that snapshot.

4.  Assuming none are found, reset the counter for days and mounts until a check is forced on the original file system.
[root@web01 ~]# umount /mnt
[root@web01 ~]# fsck /dev/vg0/snap-of-myvol  # If you see clean, then you should be okay
[root@web01 ~]# tune2fs /dev/vg0/snap-of-myvol # Shows more verifications
[root@web01 ~]# tune2fs -C 25 /dev/vg0/snap-of-myvol # Fake out the system to make it believe it has been mounted 25 times so it will actually fsck
[root@web01 ~]# fsck /dev/vg0/snap-of-myvol
[root@web01 ~]# umount /u03
[root@web01 ~]# lvresize -r -L +100M /dev/vg0/myvol
[root@web01 ~]# lvchange -an /dev/vg0/myvol
[root@web01 ~]# lvchange -ay /dev/vg0/myvol
[root@web01 ~]# lvresize -r -L +100M /dev/vg0/myvol
[root@web01 ~]# lvremove /dev/vg0/snap-of-myvol # If this fails, just try a few more times.  Its a known issue

5.  Copy some data onto the LV, then expand it and the filesystem by 50MB.  fsck, then re-mount the filesystem and verify it's contents.  Also try reducing by 50MB 
[root@web01 ~]# umount /u03
[root@web01 ~]# lvresize -r -L +100M /dev/vg0/myvol
[root@web01 ~]# lvchange -an /dev/vg0/myvol
[root@web01 ~]# lvchange -ay /dev/vg0/myvol
[root@web01 ~]# lvresize -r -L +100M /dev/vg0/myvol
[root@web01 ~]# lvremove /dev/vg0/snap-of-myvol # If this fails, just try a few more times.  Its a known issue.  You can resize till snap is gone.
[root@web01 ~]# lvresize -r -L +100M /dev/vg0/myvol # Grow it
[root@web01 ~]# lvresize -r -L -300M /dev/vg0/myvol # Shrink it
# Or you can set it to 2G by
[root@web01 ~]# lvresize -r -L 2G /dev/vg0/myvol
# NOTE:  The -r flag does everything with the resize2fs... so you won't have to resize your system manually.

Swap space

Swap space allows the kernel to better manage limited system memory by copying segments of memory onto disk.

To create 2G of additional swap space using a file:

[root@web01 ~]# dd if=/dev/zero of=/swap01 bs=1024 count=2097152
[root@web01 ~]# mkswap /swap01
[root@web01 ~]# swapon /swap01

If you no longer need the /swap01, just:

[root@web01 ~]# swapoff /swap01

Now list your active swap areas by:

[root@web01 ~]# cat /proc/swaps

Performance note:
Creating a swap device via lvm or like its own partition (even better) is better for performance. Setting it up on a file within an existing fs is going to be really horrendous for performance.

Lab

1.  Add 500MB of swap space to your system using a device
[root@web01 ~]# lvcreate -n swap02 -L 500M vg0
[root@web01 ~]# mkdir /swap02
[root@web01 ~]# mount /dev/vg0/swap02 /swap02
[root@web01 ~]# mkswap /swap02
[root@web01 ~]# swapon /swap02
[root@web01 ~]# vi /etc/fstab
...
/dev/vg0/swap02 swap swap defaults 0 0
...

2.  Add 500MB of swap space to your system using a swap file
# Calculate how much 500M is:
[root@web01 ~]# echo $((1024*500))
512000
[root@web01 ~]# dd if=/dev/zero of=/swap01 bs=1024 count=512000
[root@web01 ~]# mkswap /swap01
[root@web01 ~]# swapon /swap01
[root@web01 ~]# vi /etc/fstab
...
/swap01 swap swap defaults 0 0
...