skimpydog.com Forum Index - Redhat Base - RHEL5
RHEL5 (#1)
Webmaster
Joined: 2007/6/10
From Dallas, TX
Posts: 79
There are errors in this DOC, please know this: -- This is not a final copy.
There are a few people giving notes as this is being written. I hope they are willing to add their names to this contribution. As of yet: Chris Forsyth, Kevin Landreth, James Jhurani, Brandon Broyles, Brian Kontrath
___
During the install I will recommend to "cd /mnt/sysimage". From here "ls" and see what all has actually been installed. If you are familiar enough with editing the files directly you will be able to go into /etc and edit services such as samba (smb), apache (httpd), sendmail, ftpd (vsFTP), squid, named (bind), before you have to reboot the server initially.
-- This is good to do to not waste time during the installation.
--* You may also chroot /mnt/sysimage during the installation; this is after the right rpm's are installed.
-----*** Don't forget you need to reboot the machine after the installation. Don't stay in the chroot'ed environment while making changes to partitions and such. It's probably not a wise idea, but hypothetically this would not harm anything...
--- I will simply recommend to see the files as they are created using ls, and have fun: USE TAB COMPLETION!!! USE "*" as wildcards!!!
###################################
Permissions & FileSystems:
At a bash prompt, as root:
This will show the overall set of permissions for the files you are reviewing. The layout is like this: User|Group|World - rwx | rwx | rwx looked at as for the example being 755:
This is to say the "file" has read, write, and executable permissions by the User, read and execute permissions by the Group, and read and execute for the World. It may also read as:
This is to say the "directory" has read, write, and executable permissions by the User, read and execute permissions by the Group, and read and execute for the World. Note the "d" at the beginning.
--------
For example, use "vim" to open a directory. View the output. It's a container.
--------
4 2 1
R W X
- 4=Read 2=Write 1=eXecute
--------
There is actually a mathematical value to each of these: The following command would allow httpd access to outside users, so this directory may serve web pages:
755
4 + 2 + 1 = 7 == User bit (first column)
4 + 1 = 5 == Group bit (second column)
4 + 1 = 5 == World bit (third column)
Easy to remember: 4 2 1 / R W X
The first bit that is referenced to 'some of the time' is the SUID bit. To do a chmod properly every time, it would include: chmod 0755 /var/www/html -- assuming it does not need the bit, but it may for group sharing. Whereas:
What you are looking at is the Group User having the "share", because in this regard it is being enabled to have use for Group Shares. This is also represented by:
This is controlled by what you have setup in your: /etc/group
--------
chmod 755 == rwxr-xr-x
chmod 110 == --x--x---
__________________________________
chown:
-R == recursive === All subfolders and files (depending on what you are doing) - it's a hierarchy
chown user:group /file/to/be/owned
chown -R user:group /directory/recursive
__________________________________
chattr & lsattr:
lsattr filename --- shows file attributes
chattr --- changes the file/folder attributes
"+" -- add attribute
"-" -- remove attribute
"=" -- be the ONLY attribute
Ex: Works recursively
Immutable. Can be set or cleared only by a privileged user. Makes the file unable to be deleted or modified.
Clears the immutable flag.
Makes this the only attribute - Immutable - cannot be deleted, Nor may the file be modified - therefore the file will always exist.
Undeletable. This causes a file to be saved even after it has been deleted, so that a user can undelete it later.
---- For example:
From there you can remove the touched~
________________________________
umask:
umask is the default permissions set to a file or folder.
-- This is hard to explain, but I will try:
The inverse of 0755 of a directory is 0022
The inverse of 0600 on a file is 0066
Files: 0666 - Inverse: 0000
Folders: 0777 - Inverse: 0000
The reason why the Inverse is mentioned is because this is what you will have to set the default umask to for the initial permissions of a file or directory. This is to say, this is what you DO NOT want setup when a new file is created. For example: using the "mkdir" command to create a new directory, or "touch" to create an empty file. So if I want the default permissions on a directory to be "755" when it is created, I will have to change this manually if the default permissions are set to "0022". If you run:
644
The Default permissions to a Directory will be: 755
This is because of the umask being set to: 0022.
To change the umask value do the following:
0777
This will give Files the Permissions of: 0666
I will then need to manually change the permissions with the chmod command:
There is an offset between Files and Directories in the filesystem - this is the differential between them in regard to umask. The offset is by "1". Directories naturally will be one digit higher than files.
________________________________
acl:
This depends on how the filesystem is mounted. Just add:
Display the acl info on the Directory/File:
Set acl permissions on a Directory/File:
Ex: Set the permissions on the specified Directory to have read and eXecute rights for the user, and mask:
Block other users from being able to access individual files:
Set the acl for the file, file1, and give it read permissions to the user:
####################################
Networking & Securing:
Network:
Using the current network configuration files, things are rather easy to manipulate. This is the basics of the file:
Other commands that are relevant are:
Configure network interface:
Bring up the network interface:
Take down the network interface:
Restart the network using the inet.d script:
Add Route (gateway):
Remove Route (gateway):
netstat:
netstat:: show current sshd port:
Get a new dhcp'd IP Address:
________________________________
tcp_wrapper aka "hosts_access":
These 2 lines both do the same thing of blocking a service:
This blocks everything from gaining any sort of remote access:
-- The /etc/hosts.allow takes precedence. Good thing these two files use the same syntax!
Block users from the iprange 192.168.1.*
Only deny the iprange of 192.168.2.*
If you have in your /etc/hosts.deny
________________________________
iptables & NAT
man iptables
-t == Table - and too much to explain, view the man page
-A == Append to the end of the Chain
-D == Delete
-L == List the current iptables rules
-F == Flush the current iptables rules
If you are using -A or -D, you will want to use one of the following: INPUT OUTPUT FORWARD
Then the rule will need to be followed by the Packet Pattern:
-s == specific source IP Address
-d == specific destination IP Address
-p == specified Port (by service name {such as tcp, icmp, ftp, http, })
--dport == specified port number
-j == what to do?!?!? Tell the rule what to do in the situation: DROP REJECT ACCEPT
Ex: List the current iptables rules:
Reject data from the IP 192.168.0.12:
Drop ping requests from the IP 192.168.0.12:
Stop TCP SYN from within your network of 192.168.0.0:
Delete the block icmp(ping) from 192.168.0.12 in the iptables rules:
Stop packet forwarding:
Allow other users to use squid on your server:
Save iptables rules:
Make it Live!
Use the GUI to edit your iptables rules:
IP Masquerading - aka NAT:
First off, in order to control/use NAT on a server, you must have more than one Network Interface Card.
You may need to enable a few Kernel Modules in order to use some of the functionalities of IP Masquerading, and these may be found if you have the source code for the Kernel on your system:
You will need to enable IP Forwarding:
-- You will need to reboot to make these settings take effect... Now you may run:
________________________________
SELinux:
SELinux is broken up into 3 components: System User, System Object, Type of sharing with others
SELinux man page:
ftpd_selinux named_selinux httpd_selinux samba_selinux nis_selinux kerberos_selinux ypbind_selinux
From here you may run ls -Z to display the SELinux settings for the directories you are viewing.
For Apache
If the permissions are set to:
To fix this run:
For example - content_t:
For the cgi-bin - script_exec_t:
For Samba - share_t: Make the share accessible /mnt/DVR: -- This is however only relevant if the stanza for the location /mnt/DVR is setup.
The first line will set the directory & files to have the permissions of ftpd_anon_rw_t and allow FTP users access to work with a SELinux enabled system.
The second line will allow the /home/UserName/html/ directory and files to have http_sys_content_t which will allow httpd the ability to serve pages with SELinux.
The third line will allow /var/named/ Directory and files to work with named_zone_t and allow named to work properly with SELinux.
Like I said, you can use the /etc/selinux/targeted/contexts/files/file_contexts as a quick reference for syntax, and values.
________________________________
/etc/nologin:
/etc/nologin This will prevent regular users from being able to login! -- Just rename the file, call it /etc/nologin.old if you need. --- generally speaking it's OK to delete this, but sometimes it's better to move.
####################################
rpm:
rpm == Redhat Package Management
Install a rpm:
Upgrade a rpm:
It is possible to Install/Upgrade more than one rpm at a time:
Query for a rpm that's installed:
OR
####################################
gpm: Mouse Support at console - no gui!!
Make it Live!
###################################
man:
See what man pages there are:
Reference to the specific manpage:
Reference to the general manpage:
#################################### Sendmail: edit:
page down till you see where it says:
change the 0.0.0.0 to the loopback address 127.0.0.1
at the top of this file there is a command, reopen sendmail.mc if you need to look, Then run:
Make it Live!
________________________________ Test the mail server: Test SMTP:
################################### Dovecot: There is nothing to configure - now you will have POP3, and IMAP Make it Live!
________________________________ Test retrieval protocols: Test POP3:
Test IMAP:
################################### Cups: I will recommend to actually use the gui for printer configuration.
Make it Live!
################################### Samba aka smb:
Create the stanzas as you see fit.
printable == PRINTER!!!
Workgroup == Workgroup Name for Directory Browsing
_______________________________
Will yield:
To connect to the smb server:
Make it Live!
################################### squid:
drop in: MEMORIZE THIS!: </snip>
Create the initial swap directories:
Make it Live!
################################### named: Copy the files from location:
-- If you have copied the files from: /usr/share/doc/bind-9*/sample/var/named/ to /var/named, you should be OK.
adding the /etc/named.conf at the top: <snip>
This can also be found in the /usr/share/doc/bind-9*/sample/etc/named.conf -- it's under the first "options" stanza - just remember you need the "options", and "directory" Be sure to make the matching: /var/named/example.com.zone file, and be sure to remove the "root" option from the sample if you use the "localdomain.zone" and add any "A" records that may be required....
/etc/resolv.conf - DNS resolver (be sure to have 127.0.0.1 listed if you are setting up DNS as well as your real DNS server that it will read as the master DNS server) test the configuration
set specific user to run as after the service is daemonized
Make it Live!
###################################
httpd:
/etc/httpd/conf/httpd.conf --- Main httpd configuration file - This will have the basic layout of the server, and stanza qualifications
--- At the bottom of this file is the basic stanza you will want to setup for Virtual Servers
---- Just use (for example:) "7 yy" - while in "vim" to copy the lines, then you can "vim ../conf.d/example.com"
/etc/httpd/conf.d/ --- where the config files for Virtual domains may be located
Be sure to have "DocumentRoot "/var/www/html"" defined the same as <Directory "/var/www/html">
If you need SSL support, use /etc/httpd/conf.d/ssl.conf as an overall reference. -- Keep in mind you may only have 1 SSL per IP.
Make it Live!
________________________________ Test the http server:
################################### vsFTPd: Main Directory: /etc/vsftpd Make it Live!
################################### xinetd: Location of the configuration file:
There will be several variables & parameters that may be used:
socket_type == Specifies the Communication Stream
wait == yes for a single threaded application, no for a multi threaded application
user == Account User which the server should run as
group == Account Group which the server should be run as
server == The server Program
only_from == Hostname or IP which is allowed to use this server
no_access == Hostname or IP NOT allowed to access the server
log_on_failure == If there is a failed login attempt, this specifies where this is logged
disable == By default Yes, which disables the server
There is also the xinetd.d folder, whose location is defined in the /etc/xinetd.conf, and this is specified at the bottom of the file with the:
Make it Live!
###################################
ntpd:
/etc/ntp.conf
hwclock
date
ntpdate -u pool.ntp.org
It may be easier to setup the ntp client in the gui: system-config-time
Make it Live!
################################### Auto Mount: MUST BE DONE!!!
setup automount points in: /etc/auto.misc -- these will be listed, and accessible in /misc/mountpoint
using "ls" will activate this (so to speak)...
___________________________
setting up automount for /mnt/movies using nfs.
add your new directory, and config location to /etc/auto.master eg: /mnt /etc/auto.movies
then create /etc/auto.movies
chmod 755 /etc/auto.movies
in auto.movies add: movies -fstype=nfs,intr,tcp ip:/dir
you will not see it if you ls in /mnt. You have to literally cd /mnt/movies for it to actually mount.
###################################
fdisk:
m == help menu!!!
n == Creates new partition as you define it to be
t == changes the "type" of partition --- this includes swap, LVM, RAID, FAT16, Solaris etc... ----- Press "L" for the type list
d == deletes a partition
w == saves changes
q == quits
###################################
e2label:
e2label == Partition Labeling
shows the current label
sets the label for /dev/sda1 to /boot
You can change the label for almost all devices such as: Disk Partitions, LVM, RAID etc... You may use the LABEL in the /etc/fstab, using the LABEL=/ directive
###################################
Software RAID:
First off BE SURE TO SET THE PROPER FLAG IN FDISK FOR THE PARTITION TYPE TO "linux raid auto"
You may have to reboot the server to make the partition changes take effect. Depending on the scenario, you may be able to run: "partprobe" instead of rebooting.
mdadm
-v == verbose
-c == create
-l == RAID Level
-n == number of devices
-f == Force
-r == Remove
-a == add
Build a Software RAID Level 6 out of 4 partitions
to view the status of the array
Format /dev/md0 with the ext3 filing system
make sure this is mounted!!! so it will mount after the machine reboots
________________________________ Fail an array:
Add a replace partition that is the same or larger size:
To view the status of the array
###################################
LVM:
1) Please keep in mind, if you resize a "LV" - "LogicalVolume" this can be OK if you are growing the partition using resize2fs.
2) If you are shrinking the partition, be sure to save the data first, then shrink the lv, then format the partition.
pv<tab><tab>
vg<tab><tab>
lv<tab><tab>
pv == Physical Volume: -- this is what the "vg" - "VolumeGroup" Needs to be created
vg == Volume Group: -- 2 or more "pv" - "PhysicalVolumes" acting as 1 physical Device - what "lv" - "LogicalVolumes" are made from
lv == Logical Volume: -- This would be the actual mountable device - so to speak
First off BE SURE TO SET THE PROPER FLAG IN FDISK FOR THE PARTITION TYPE TO Linux LVM
Set all available partitions you wish to be "pv"'s in fdisk - this is very important!
This creates the PV's for the partitions listed above:
This creates a VolumeGroup named "VolumeGroupName" using /dev/sdb1 and /dev/sdb2:
Use this to add /dev/sdb3 to the Volume Group "VolumeGroupName":
Split Volume Group:
Creates a "LV" "LogicalVolume" that is 500MB named lvm1:
Assuming there is 2gb of space available in the VG, this will resize the LV "lvm1" to 2GB
Make sure the Format is correct:
If there is not enough space in the VG, use:
New LV:
edit fstab so it is available after a reboot:
Other ways to manage LVMs are as follows:
Scan the system for lvm's
Make the lvm active
################################### NFS: vim /etc/exports Insert the mountable locations you want:
You may also give the mount options of sync, and nosync. There are several other options as well... then run:
_____________________________ Mount NFS: vim /etc/fstab Insert:
This will make your /home directory located on the server 192.168.1.12, but mounted at your /home. -- keep in mind if the nfs server fails, or other errors persist, then the /home directory will not mount.
Make it Live!
####################################
crontab:
* * * * *
Minute == 0-59
Hour == 0-23
Day Of Month == 1-31
Month == 1-12
Day of Week == 0-7 (0 or 7 is Sun, or use names)
Edits the current user's crontab:
Lists the output of the current users crontab:
Edits the users crontab specified:
Lists the output of the users crontab specified:
Removes the crontab for the specified user:
crontab works as follows:
every Monday at 12pm, the script will run
Other options may go as follows:
Every day his daughter gets out of school at 3:15pm; this will echo on the console:
################################### quota: Edit the /etc/fstab with the mounted partitions. Make sure the quotated partition will include the correct options: usrquota,grpquota Ex:
Turns quotas on on the / partition
checks the initial value of the quotas per the specified mount point
edit a users quota
Grace Period
###################################
LDAP & NIS:
ypbind - nis client for resolving nis domains
easy way: system-config-authentication -- Fill in the blanks....
###################################
mkinitrd:
This is a lil tricky if you are not used to doing this:
First, boot to a live CD, another environment in essence...
Second, mount the partitions for the filesystem into a folder such as /mnt/sysimage
Third, chroot into the new environment:
Then you may run:
This should regenerate the initrd image needed for the initial RAM Disk.
###################################
Xorg:
Let's say the /etc/X11 directory is gone; to restore, do all of the following:
You will need to restore the xfs for fonts: This will reinstall the /etc/X11/fs directory
This will reinstall the /etc/X11/prefdm executable
------------------- create the xorg.conf:
Ultimately speaking you will want to make sure the xorg.conf is located at /etc/X11/xorg.conf when things are said and done. start the font server:
Launch gnome:
launch X - xdm (most likely):
--- dm == Display Manager
ex: gdm == Gnome Display Manager
kdm == KDE Display Manager
xdm == "X" Display Manager
###################################
Grub:
e - edits existing kernel arguments - not saving - Be sure to make changes final by editing /boot/grub/grub.conf or /boot/menu.lst (same file)
c - Grub command line
-- easy way to remember this: normally this will work, and it will find root(hd0,0) automatically
let it fill in the blanks, and give options -- but the line complete should read as for run level 3 with selinux:
On the line below: "root=LABEL=/1" - this is in reference to the e2label --- normally this would be "/", but it is actually "/1" due to selinux
Remember we are going to use the compressed kernel - that's the "vmlinuz":
Should read in full as:
Make sure the initrd matches the kernel image defined in the kernel argument:
--------------------------------
Be sure to make changes final by editing /boot/grub/grub.conf or /boot/menu.lst (same file)
Keep grub simple. It is easier!!! & it won't break!!
The entire stanza should read as:
################################### /etc/init.d: This is the basics of the services that may be launched via the "service" command. Starting and stopping services:
etc...
###################################
vim:
Once in vim, the environment once understood is not soo bad: (although the Unix vi is a lil different...)
if all else fails, hit the <esc> key a few times. -- it will bring you back to the "top" so to speak
i == insert
r == replace
x == delete
dd == delete the line
:q! == quits without saving
:w! == saves changes
:x! == saves and quits
7yy == yanks 7 lines - starting where the cursor is at
p == pastes the yanked lines
:e /path/to/file == opens/creates a file to edit
:we! /path/to/file == saves the current file and opens/creates a file to edit
no line wrapping
###################################
Misc:
/etc/sysconfig == main RHEL configuration directory
/etc/sysconfig/network-scripts/ifcfg-eth0 == location for eth0
/etc/sysctl.conf == sysctl configuration for the machine
--- This is where you may add: kernel.panic = 5
----- so the machine will reboot 5 seconds after a kernel panic
mount -t nfs 192.168.1.12:/mnt/lvm /mnt/nfs
mount -o remount,ro /
useradd <username> ; passwd <username> --- add a user, and the user's password
/etc/hosts --- hosts file - can control connectivity, and define the hostnames
mkdir -p /home/username/{folder1,folder2,folder3} && touch /home/username/folder1/touched
ps axl | grep service
ls -lah
cp -R /home/. /backup/ == This will copy the files and folders recursively
mv /root/file1 /root/file2 == This is the same as renaming a file or folder
mkdir /home/username = creates the one folder
mkdir -p /home/username/html/{folder1,folder2,folder3} --- this will create the folders in the path as needed, as well as
------ /home/username/html/folder1
------ /home/username/html/folder2
------ /home/username/html/folder3
Posted on: 2007/10/19 16:26
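The hosts.allow / hosts.deny precedence described in the tcp_wrapper section of the post above, as an added example that is not part of the original post. It models only the pattern forms the post uses (ALL, an exact address, a trailing-dot range such as 192.168.1.); the sample files are constructed in a temp directory, not the real /etc files, and sshd/vsftpd are just the service names assumed for the demo.

```shell
#!/bin/sh
# Added example, not from the post: a small model of how tcp_wrappers
# (hosts_access) decides, so the precedence described above can be seen.
# libwrap order: /etc/hosts.allow is consulted first, then /etc/hosts.deny,
# and a client matched by neither file is allowed.  Only the pattern forms
# the post uses are modelled: ALL, an exact address, and a trailing-dot
# network prefix such as 192.168.1.  Other libwrap forms are not handled.
# Sample files are constructed in a temp dir, never the real /etc files.
WRAP_DIR=$(mktemp -d)
trap 'rm -rf "$WRAP_DIR"' EXIT

# allow file: sshd from 192.168.2.* is always let in
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# comments and blank lines are ignored
sshd: 192.168.2.
EOF
# deny file in the post's "only deny the iprange" style
cat > "$WRAP_DIR/hosts.deny.subnet" <<'EOF'
ALL: 192.168.1.
EOF
# deny file in the post's "block everything" style
cat > "$WRAP_DIR/hosts.deny.all" <<'EOF'
ALL: ALL
EOF

# list_matches LIST VALUE: does any comma/space separated pattern match?
list_matches() {
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            ALL) return 0 ;;
            *.)  case "$2" in "$item"*) return 0 ;; esac ;;
            *)   [ "$item" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: the first "daemons : clients" line that
# matches both wins, just as libwrap stops at the first matching rule
file_matches() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if list_matches "${line%%:*}" "$2" && list_matches "${line#*:}" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

# hosts_access ALLOWFILE DENYFILE DAEMON CLIENT -> prints allow or deny
hosts_access() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow    # no rule matched anywhere: libwrap's default
    fi
}

for client in 192.168.2.7 192.168.1.7 10.0.0.9; do
    printf 'sshd from %-12s with ALL: ALL in hosts.deny -> %s\n' "$client" \
        "$(hosts_access "$WRAP_DIR/hosts.allow" "$WRAP_DIR/hosts.deny.all" sshd "$client")"
done
```

Note that with ALL: ALL in hosts.deny, the hosts.allow line is the only thing letting sshd clients in, which is the "allow takes precedence" behaviour the post relies on.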
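The umask arithmetic from the umask and permissions sections of the post above, as an added example that is not part of the original post. It assumes only POSIX sh with ls, cut and mktemp, and checks the computed modes against a file and directory it really creates under a temp directory.

```shell
#!/bin/sh
# Added example, not from the post: the umask arithmetic described above,
# plus a check that creates a real file and directory under a given umask.
# The kernel starts from 0666 for a new file and 0777 for a new directory
# and clears every bit that is set in the umask; that is why a directory
# comes out "one higher" (its x bits survive) than a file made under the
# same umask, the offset the post talks about.

# mode_after_umask BASE UMASK -> mode a new object gets, e.g. 666 022 -> 644
mode_after_umask() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# umask_for WANTED BASE -> the umask that yields WANTED from BASE,
# e.g. umask_for 755 777 -> 022 (the post's "inverse of 0755 is 0022")
umask_for() {
    printf '%03o\n' $(( 0$2 & ~0$1 ))
}

# perms_of PATH -> permission bits as octal, read from ls -ld so the same
# code works on GNU and BSD userlands (their stat flags differ)
perms_of() {
    bits=$(ls -ld "$1" | cut -c2-10)
    n=0; i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$bits" | cut -c"$i")
        n=$(( n * 2 ))
        case "$c" in r|w|x|s|t) n=$(( n + 1 )) ;; esac
        i=$(( i + 1 ))
    done
    printf '%o\n' "$n"
}

# created_modes UMASK -> "FILE DIR": the modes the kernel really assigned
# to a touch'ed file and a mkdir'ed directory under that umask
created_modes() {
    d=$(mktemp -d)
    ( umask "$1" && touch "$d/f" && mkdir "$d/sub" )
    f_mode=$(perms_of "$d/f"); d_mode=$(perms_of "$d/sub")
    rm -rf "$d"
    printf '%s %s\n' "$f_mode" "$d_mode"
}

for m in 022 077; do
    printf 'umask %s: file %s, dir %s (computed %s/%s)\n' "$m" \
        $(created_modes "$m") "$(mode_after_umask 666 "$m")" "$(mode_after_umask 777 "$m")"
done
```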
Re: RHEL5 (#2)
Webmaster
Good thing there's the option to print this!
You can also just copy and paste it into Notepad, and it all works out well...! Be sure to look at the post time and date if you need to, to see if there have been modifications....
Posted on: 2007/10/19 19:16