
Unix Linux Administration II

Unix Linux Administration II. Class 1: Dev server install, user and group management, Linux file systems, basic client firewall admin, certificates and authentication. Class details. We will be working primarily with CentOS this quarter.



  1. Unix Linux Administration II Class 1: Dev server install, user and group management, Linux file systems, basic client firewall admin, certificates and authentication.

  2. Class details We will be working primarily with CentOS this quarter. We will allocate some time in class for lab work, but you should expect some remote work each week to be completed on your “production” build. *Start copying the CentOS DVD iso to your desktop now: http://www.ulcert.uw.edu/ISO/CentOS-6.2-i386-bin-DVD1.iso Note: if you are trying this over the guest wireless it will take a long time. Consider copying it to your class workstation and then using a USB stick to transfer it to your own laptop.

  3. Agenda • Introductions: who am I, who are you. • Review CentOS. • Review RedHat • Review Linux file system • Install development instance of CentOS on your desktop using VMWare player. • Review firewall management with CentOS • Review the role of sudo • Configure a local account with full rights via sudo. • Certificates and authentication

  4. Who am I • Who are you • What do you do • Linux/Unix background • Goals for this class/course

  5. Class 1, Unit 1. What we are going to cover: • Introduction to Redhat/CentOS, file system structure, and user management. What you should leave with from this session: • Overview of the CentOS and Redhat history. • Knowledge of the standard files and directories structure. • How to manage users, groups and elevate your rights on demand.

  6. Community ENTerprise Operating System - CentOS • Freely available operating system, rebuilt from the Red Hat Enterprise Linux sources. • Red Hat publishes the source code for the product because the GPL and the other open source licences it ships under require it. A core group of CentOS developers compiles that code, removing any Red Hat logos or trademarks, and releases it as CentOS. www.centos.org • Support provided for at least 7 years. • CentOS-5 updates until Mar 31, 2017 • CentOS-6 updates until November 30, 2020

  7. CentOS support • Commercial support is available from third parties. • CentOS versions match Red Hat versions. • Patches released by Red Hat are usually rebuilt and available within 72 hours or less. • Each major version of CentOS is signed with its own GPG key (/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 for CentOS 6), so you will need to import the new public key each time you upgrade major versions; yum refuses packages whose signature it cannot verify against an imported key. Question: where does the CentOS documentation come from?

  8. Additional CentOS features. • Extended lifecycle support (minimum 7 years). • Low risk security updates – targeted patches rather than version jumps. • Application Binary Interface (ABI) and Application Programming Interface (API) stability. • Regular updates and fixes published. • Red Hat is often selected by vendors as a supported platform for a given piece of hardware or software. Because CentOS is built from the same sources and is binary compatible, such support statements can usually be assumed to cover CentOS too, although the vendor may not honour a support contract on it.

  9. Single install base Unlike Red Hat, CentOS has one install base: you may enable any features required from this single instance. Red Hat maintains different product variants and sells add-ons for various features and functions. https://www.redhat.com/wapps/store/allProducts.html

  10. Redhat RHEL categories: • RHEL Server • Standard 32/64 bit systems based on AMD or Intel systems. • IBM POWER Systems • IBM System z. • RHEL desktop • RHEL add-ons: • High Availability, Load Balancing, Resilient Storage.

  11. Redhat overview cont. Another primary difference is the subscription model. The least expensive server option is $349 annually. A desktop license is available for $49. There are student discounts available, between $40 and $80. Red Hat only supports KVM on systems capable of 64-bit installations.

  12. What is new to RHEL 6 There is a long list of new features and functions, but some highlights are: • Default support for KVM based virtual machines (Xen is no longer shipped as a host) • ext4 file system, with files up to 16 TB • More, as in more supported sockets, cores, threads and memory.

  13. FHS, File System Hierarchy Standard Redhat adheres to the FHS file system structure (for the most part). This standard is maintained by the Linux Foundation; previously known as the “Free Standards Group”. Supported by organizations including IBM, Dell, RedHat, and HP.

  14. Linux file system review • /boot = static files required to boot the system, such as the kernel and the bootloader configuration • /dev = device nodes representing devices attached to the system or virtual devices provided by the OS • /etc = local host configuration files • /lib = shared libraries needed by the binaries in /bin and /sbin • /media = mount points for removable media (DVD, USB...) • /mnt = temporarily mounted file systems, e.g. NFS mounts • /opt = add-on application packages, mostly from third-party vendors

  15. Linux file system review cont. • /proc = virtual file system; its files expose information from the kernel and running processes, and some can be written to change kernel settings, e.g. “cat /proc/meminfo” • /sbin = system binaries, mostly run by root • /sys = sysfs, new with the 2.6 kernel; exposes device, driver and bus information, often used with hot-pluggable hardware, and overlaps with /proc • /usr = directory for files that CAN be shared across multiple machines, often mounted read-only • /usr/local = software that is local to the host; FHS intends this directory for software that is safe from system upgrades • /var = variable data: spool files, logs, caches and temporary files

  16. CentOS install requirements • Minimum • i386 or x86-64 processor • 512 MB RAM • 1 GHz processor (recommended) • 1.2 GB disk space (can be smaller) ISO available as a DVD or CD set. Due to the amount of software included, the CD set is pretty large. There is also a netinstall iso. *Verify your images against the published SHA1 checksum (sha1sum file.iso) before installing. ?How much memory can you address on a 32-bit install? (A 32-bit address space is 4 GB; the CentOS 6 i386 kernel is built with PAE to reach beyond that.)

  17. CentOS install notes The default install will create two partitions. • /boot, 100 MB • an LVM physical volume for the remaining disk. Logical Volume Manager abstracts the disks from the install, allowing you to manipulate one or more disks as if they were one disk and to resize or add volumes later. • Firewall (iptables) enabled by default, with inbound SSH (tcp/22) allowed. • SELinux enabled by default, in enforcing mode with the targeted policy.

  18. User and Group management • What file maintains all user accounts? • What file maintains all groups? • User management tools: /usr/sbin/{useradd|groupadd|usermod} • What is the option to add a secondary group? Where is the primary group defined?
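The slide's questions, worked through in code. This is an added example, not part of the course material: it parses files in /etc/passwd and /etc/group format to answer where the primary group is defined (the GID field of passwd) and where secondary groups live (the member list in group), and adds one check a practitioner wants on any account database. The two files and the users alice, bob and backup are constructed here so it runs without root; point PASSWD and GROUP at the real files on a CentOS host.

```bash
#!/bin/bash
# Added example, not from the course slides: resolve a user's primary and
# secondary groups by parsing files in /etc/passwd and /etc/group format, and
# run one sanity check on the account database. The two files below are
# constructed here so the script runs without root; point PASSWD and GROUP
# at /etc/passwd and /etc/group to use it on a real CentOS host.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD="$WORK/passwd"   # constructed stand-in for /etc/passwd
GROUP="$WORK/group"     # constructed stand-in for /etc/group

cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup:x:0:0:legacy backup job:/root:/bin/bash
EOF

cat > "$GROUP" <<'EOF'
root:x:0:
wheel:x:10:alice
alice:x:1000:
bob:x:1001:
devs:x:2000:alice,bob
EOF

# Primary group: the GID field (4th) of the user's passwd entry, resolved to
# the group name whose GID field (3rd) matches. Fails if the user is unknown.
primary_group() {   # primary_group <user>
  local gid
  gid=$(awk -F: -v u="$1" '$1 == u { print $4 }' "$PASSWD")
  [ -n "$gid" ] || return 1
  awk -F: -v g="$gid" '$3 == g { print $1 }' "$GROUP"
}

# Secondary groups: every group whose member list (4th field of group) names
# the user, joined with commas in file order; empty when there are none.
secondary_groups() {   # secondary_groups <user>
  awk -F: -v u="$1" '
    { n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) out = (out == "" ? $1 : out "," $1) }
    END { print out }' "$GROUP"
}

# Sanity check: only "root" should have UID 0. Any other UID-0 entry is a
# second root login (here the constructed "backup" account) and needs a look.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$PASSWD"
}

# The administrative commands behind these files (need root; for reference):
#   useradd -m -G wheel alice    # create alice; -G sets secondary groups
#   groupadd -g 2000 devs
#   usermod -aG devs bob         # -a is essential: without it, -G REPLACES
#                                # every secondary group bob already has
#   usermod -g bob bob           # -g changes the primary group
#   id alice                     # uid, primary gid and all groups at once

echo "alice: primary=$(primary_group alice) secondary=$(secondary_groups alice)"
echo "extra UID-0 accounts: $(extra_uid0_accounts)"
```

The usermod caveat in the comments is the one that bites most often: usermod -G without -a silently removes the user from every other secondary group, including wheel.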

  19. Switch User SU Once you get into the habit of logging in as a regular user there will be times when you need “root” rights. One option is to use su, or switch user. It can be used for any user account, not just root: user@localhost $) su root Or user@localhost $) su - root Note the addition of the “-”: it spawns a login shell, so you get the target user's environment (PATH, HOME, working directory) instead of carrying your own along. su asks for the target user's password, so giving people root this way means sharing the root password.

  20. Switch User cont. It is also possible to run a specified command as a given user without starting another shell, using -c: user@localhost $) su root -c “cmd” e.g. user@localhost $) su root -c “cat /etc/shadow”

  21. sudo – “su” do grants rights to run commands as root or another user without sharing passwords. sudo creates an audit trail including the commands run and by whom. It is best to edit the sudoers file using visudo. Why? visudo locks the file against concurrent edits and checks the syntax before saving, so a typo cannot leave the file unparseable and lock every administrator out of sudo. /usr/sbin/visudo *image source http://xkcd.com/149/

  22. Sudo history • The concept, design and initial implementation were the result of Bob Coggeshall and Cliff Spencer circa 1980 at the Department of Computer Science, SUNY Buffalo • In 1991 a new version was released under contract from “The Root Group” and released under the GNU license. Todd C. Miller unofficially supported sudo while at CU-Boulder. • Continued support for sudo is provided by Dell. Dell has acquired Quest Software, the last company to hire Todd. Todd is now the active developer for the latest open source versions of sudo. Sudo support is part of his job description.

  23. sudo configuration The sudo configuration file is found here: /etc/sudoers The best utility for editing this file is visudo: /usr/sbin/visudo The sudo binary installed by the CentOS package is /usr/bin/sudo (/usr/local/bin/sudo is where a build from source lands by default).

  24. Sudo configuration cont. The following line is the one that grants the local group “wheel” full access to all privileged commands. In the stock CentOS 6 file it is commented out; remove the leading # to enable it: ## Allows people in group wheel to run all commands %wheel ALL=(ALL) ALL Sudo actions are logged to /var/log/secure (via syslog's authpriv facility), including the invoking user, the target user and the full command line.
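An added example, not from the course slides, that puts the wheel grant into a drop-in file and checks it the way a hardening script would. The sample sudoers text, the accounts bob and carol and the logfile path are constructed for the demonstration; the lint flags the two ways a grant can switch off the password prompt and so lose the audit value the slide describes.

```bash
#!/bin/bash
# Added example, not from the course slides: write a sudoers drop-in that
# grants the wheel group full rights (with a password prompt, so the audit
# trail in /var/log/secure names a real person), syntax-check it the way
# visudo does, and lint it for grants that bypass the password. The file is
# constructed here under a temp dir; on a real host it lives in
# /etc/sudoers.d/ and is edited with "visudo -f /etc/sudoers.d/<name>".
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUDOERS="$WORK/sudoers"   # constructed stand-in for /etc/sudoers

cat > "$SUDOERS" <<'EOF'
## Constructed sample. Note the wheel line is NOT commented out: a leading
## '#' leaves the grant disabled, which is the usual reason a user who was
## just added to wheel still gets "user is not in the sudoers file".
Defaults    requiretty
Defaults    logfile=/var/log/sudo.log
%wheel      ALL=(ALL)       ALL
## The two entries below are the kind the lint should flag.
bob         ALL=(ALL)       NOPASSWD: ALL
Defaults:carol !authenticate
EOF

# Lines (comments stripped) that switch off the password check. Either form
# turns sudo into an unprompted root shell for that account. The sed also
# strips "#include" directives, so run the lint on each included file too.
risky_sudoers_entries() {   # risky_sudoers_entries <file>
  sed 's/[[:space:]]*#.*$//' "$1" | grep -E 'NOPASSWD|!authenticate' || true
}

# Number of such lines, for a pass/fail check in a hardening script.
risky_sudoers_count() {   # risky_sudoers_count <file>
  risky_sudoers_entries "$1" | grep -c . || true
}

# Syntax check with visudo when it is installed (always on CentOS): -c checks
# without editing, -f names the file. visudo may also complain about owner or
# mode, which a temp file will not satisfy; both must be root:root 0440 in
# /etc/sudoers.d/ for sudo to read the file at all.
sudoers_syntax_ok() {   # sudoers_syntax_ok <file>
  command -v visudo >/dev/null || { echo "visudo not installed, skipping syntax check"; return 0; }
  visudo -cf "$1"
}

sudoers_syntax_ok "$SUDOERS" || echo "visudo rejected the sample (see message above)"
echo "risky entries: $(risky_sudoers_count "$SUDOERS")"
risky_sudoers_entries "$SUDOERS"
```

The grep is deliberately blunt: NOPASSWD has legitimate uses for single, non-interactive commands, but every hit should be justified in writing, because the sudo log line for such a command is the only record that it ran.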

  25. Review: Class1, Unit 1. CentOS vs Redhat: support available for both, patches, documentation, 3rd party support, other points? File System Hierarchy Standard: Defines purpose for directories such as /usr/local, /opt, /proc, /boot, others of interest? User management, su and sudo.

  26. Lab 1a • Lab notes for this session can be found here: http://www.ulcert.uw.edu/class/ -> Home -> Labs ->

  27. Class 1, Unit 2. What we are going to cover: • IPTables What you should leave with from this session: • IPTables configuration. • How to manage rules using the iptables binary dynamically and manually.

  28. CentOS firewall intro - iptables • iptables is a very complex topic and one that many organizations assign to a dedicated contact or group, often the firewall administrator/s. • Red Hat provides a simple base configuration that we can augment to start our rule sets.

  29. CentOS firewall intro – iptables • Rules added using the iptables utility and not saved (service iptables save) will be in effect only until the system is rebooted or the table is flushed. • You can manually edit the config file and restart iptables, but the restart flushes and reloads every rule, so there is a brief window without your rules and connection-tracking state can be lost.

  30. Firewall - iptables • Linux network packet filtering tool includes these basic concepts: • Rules • Tables (filter; nat for NAT/masquerade; mangle; raw) • Chains (INPUT, OUTPUT, FORWARD in the filter table; the nat table has PREROUTING, POSTROUTING and OUTPUT) • Target (what to do with the packet) A collection of RULES makes up the iptables configuration. Each RULE belongs to a specific TABLE, and each TABLE has its own set of CHAINS. A CHAIN is an ordered list of RULES. A packet is compared against each RULE in the CHAIN in turn; the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides, and if none matches the chain's default policy applies.

  31. iptables cont… • Start and stop iptables • /sbin/service iptables stop|start|restart|save|condrestart|status|panic stop = flush rules, delete chains, unload kernel modules, set policy to accept all packets again; save = write the running rules to /etc/sysconfig/iptables; condrestart = stop and restart only if it was running before; status = if the firewall is active, display the rules; panic = stop, disable the firewall, and set the policy to drop all packets.

  32. Options to manage iptables • Edit /etc/sysconfig/iptables • sudo /usr/bin/system-config-securitylevel-tui If you have manually edited the iptables file, running the system-config tool may wipe out those changes, because it regenerates the whole file. • *sudo /sbin/iptables <cmd> *best if you want the rules to take effect immediately.

  33. iptables switches and arguments. • -A = append a rule to the end of a chain • -I = insert a rule at a given position (default 1, the top) • -p = protocol (tcp, udp, icmp), not port • --dport = destination port (two dashes; requires -p tcp or -p udp) • --sport = source port • -j = target for the rule: ACCEPT, DROP, REJECT, LOG, etc.

  34. iptables commands To check your current iptables status: • sudo /sbin/service iptables status Adding rules using /sbin/iptables is a dynamic function, meaning as soon as you enter the rule it takes effect. • sudo /sbin/iptables -A INPUT -p tcp --dport 99 -j ACCEPT What did we just do? Append a rule to the INPUT chain matching inbound TCP to destination port 99, with target ACCEPT. Nothing is logged by this rule; logging needs a separate rule with -j LOG.

  35. iptables commands cont. Typically the last rule in a set will be “drop” or “reject”. If we append a rule to a ruleset it will by default land after the drop rule. What is the problem with this? The drop rule matches first, so the appended rule is never reached. This example uses the insert option rather than append, placing the rule at position 4 (use iptables -L INPUT -n --line-numbers to find the right position): sudo /sbin/iptables -I INPUT 4 -p tcp --dport 99 -j ACCEPT
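The append-after-reject problem from the slide, as an added example that is not part of the course material. It works on a ruleset in iptables-save format (the same format as /etc/sysconfig/iptables), so it runs without root and without a kernel to talk to: the dump is constructed here from the CentOS 6 default INPUT chain plus the port-99 rule appended after the REJECT, the functions find the unreachable rule and show the position to pass to -I, and the rewrite shows what the corrected file should look like.

```bash
#!/bin/bash
# Added example, not from the course slides: find rules that were appended
# after a chain's final REJECT/DROP (so they can never match) and rewrite the
# dump with them moved in front of it, which is what "iptables -I INPUT <n>"
# achieves on the live ruleset. The dump below is constructed here in
# iptables-save format, the same format as /etc/sysconfig/iptables: the
# CentOS 6 default rules plus a port-99 ACCEPT appended after the REJECT.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
RULES="$WORK/iptables"   # constructed stand-in for iptables-save output

cat > "$RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 99 -j ACCEPT
COMMIT
EOF

# 1-based position of the chain's last REJECT/DROP rule (0 if none). This is
# the position to pass to "iptables -I <chain> <pos>" for a new ACCEPT.
last_reject_pos() {   # last_reject_pos <file> <chain>
  awk -v c="$2" '
    $1 == "-A" && $2 == c { n++; if ($0 ~ /-j (REJECT|DROP)( |$)/) last = n }
    END { print last + 0 }' "$1"
}

# Rules of the chain that sit after that REJECT/DROP: unreachable.
rules_after_last_reject() {   # rules_after_last_reject <file> <chain>
  awk -v c="$2" '
    $1 == "-A" && $2 == c { n++; rule[n] = $0; if ($0 ~ /-j (REJECT|DROP)( |$)/) last = n }
    END { for (i = last + 1; i <= n; i++) print i ": " rule[i] }' "$1"
}

# Rewrite the dump with the chain's trailing rules moved before its final
# REJECT/DROP. Other chains are untouched; iptables-restore only cares about
# the order of rules within each chain.
move_trailing_rules() {   # move_trailing_rules <file> <chain>
  awk -v c="$2" '
    $1 == "-A" && $2 == c { n++; rule[n] = $0; if ($0 ~ /-j (REJECT|DROP)( |$)/) last = n; next }
    /^COMMIT/ && n {
      for (i = 1; i < last; i++) print rule[i]
      for (i = last + 1; i <= n; i++) print rule[i]
      if (last) print rule[last]
      n = 0; last = 0 }
    { print }' "$1"
}

echo "INPUT: last REJECT/DROP at rule $(last_reject_pos "$RULES" INPUT)"
echo "unreachable:"; rules_after_last_reject "$RULES" INPUT
move_trailing_rules "$RULES" INPUT > "$WORK/iptables.fixed"
# On a live host the same fix is: iptables -I INPUT 5 -p tcp --dport 99 -j ACCEPT
# followed by "service iptables save" to write /etc/sysconfig/iptables.
```

Run rules_after_last_reject over iptables-save output from a host you are about to hand over: a non-empty result means someone used -A on a chain that already had its catch-all REJECT, and the service they thought they opened is still blocked.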

  36. Additional iptables related cmds • iptstate – monitor current connections • /usr/sbin/iptstate • iptables --list -v • list verbose output on the current config (add -n to skip DNS lookups and --line-numbers to see rule positions) • iptables-save • defaults to stdout • iptables-restore • restore config from a local file (reads stdin) • /sbin/service iptables status • print the current running config to the screen

  37. Iptables commands • Appending a rule or inserting a rule what is the difference? • What is the default behavior?

  38. Review Class 1, Unit 2. Default configuration under /etc/sysconfig Back up the file manually, i.e. cp iptables iptables.bk Back up the running config: /sbin/iptables-save > <file-name> Restore from file using /sbin/iptables-restore < <file-name> Check status: /sbin/service iptables status Check real-time traffic: /usr/sbin/iptstate Flush all rules with /sbin/iptables -F (this leaves only the chain policies, which default to ACCEPT, so the host is open until rules are restored)

  39. In class lab 1b • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

  40. Class 1, Unit 3. What we are going to cover: • SSH certificate authentication. What you should leave with from this session: • Public/Private key authentication. • SSH process flow • Agent based certificate authentication.

  41. ssh certificate authentication It is possible to use key pairs (commonly, if loosely, called certificates; OpenSSH also has a separate CA-signed certificate mechanism, which is not what we use here) for authentication in place of passwords. SSH public key authentication is based on the concept of a private key and a public key. • Anyone can see, read or have the public key. • Nobody except the authorized user should be granted access to the private key.

  42. To Authenticate or Authorize What is the difference between Authentication and Authorization? What are we doing with ssh keys, authenticating or authorizing? (The signature proves who holds the private key: authentication. The authorized_keys entry says that key may log in as this account: authorization.)

  43. Use cases for ssh authentication • Improving security. • Avoiding simple password based authentication. • Automating login via shell scripts. • automating commands on remote systems. • More?

  44. ssh certificate authentication cont. You can create your keys with ssh-keygen. This utility is standard with the OpenSSH builds. This should produce a private key and a public key (e.g. id_rsa and id_rsa.pub). In many cases it will also create the ssh directory based on your $HOME variable, typically a hidden directory, .ssh. The private key should be restricted to the owner and protected with a passphrase.

  45. ssh certificate authentication cont. Next you need to copy the public key to any host on which you want to authenticate with your key. Place the public key into a file called authorized_keys under .ssh for your user account. You can use ssh-copy-id to copy your public key; it will try to ensure the file and folder permissions are correct. • $HOME dir permission should be 755 • $HOME/.ssh dir permission should be 700 • private key permission should be 600 • authorized_keys permission should be 644 (600 also works) sshd, with its default StrictModes yes, silently ignores the key if $HOME, .ssh or authorized_keys is writable by group or others, and the ssh client refuses to use a private key that other users can read.

  46. ssh auth process flow • Generate a key pair. • Connect to the server; the client offers the public key (key type and key blob) for the account it wants. • The server checks whether that key appears in the account's authorized_keys; if not, the client tries its next key or falls back to password authentication. • If the key is acceptable, the client signs a message that includes the session identifier with its private key and sends the signature. • The server verifies the signature with the public key from authorized_keys. If it verifies, the user is authenticated and gets a session. The private key never leaves the client, and nothing is encrypted with the private key; it is only used to sign, and the public key only to verify.

  47. ssh agents Both Windows and Linux have ssh agents available that will hold your decrypted private keys for you. On your Windows machines we will use the PuTTY agent, Pageant. On Linux we will use ssh-agent: /usr/bin/ssh-agent, started as /usr/bin/ssh-agent bash (a new shell with the agent's SSH_AUTH_SOCK and SSH_AGENT_PID variables set) or as eval $(ssh-agent). Next you will need to add your private key to the new agent keyring: /usr/bin/ssh-add (it asks for the key's passphrase once; from then on ssh in that shell signs with the agent instead of prompting).
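The setup from slides 44 to 47 as an added example, not part of the course material. It creates the .ssh layout, key pair and authorized_keys entry in a constructed home directory under a temp dir (never the real $HOME), with the modes slide 45 lists, then checks those modes the way sshd's StrictModes and the ssh client do. The user name alice is made up; ssh-keygen is used when installed, otherwise placeholder key files stand in so the permission check still runs.

```bash
#!/bin/bash
# Added example, not from the course slides: the key-based login setup from
# slides 44 to 47, run against a constructed home directory under a temp dir
# rather than the real $HOME, plus a check of the file modes the slide lists.
# ssh-keygen is used when installed; otherwise placeholder key files stand in
# so the permission check still runs. The user name alice is made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOME_DIR="$WORK/home/alice"   # constructed stand-in for $HOME

# Create what ssh-keygen and ssh-copy-id produce: ~/.ssh, a key pair, and an
# authorized_keys holding the public key, with the modes from the slide.
setup_ssh_dir() {   # setup_ssh_dir <home>
  local home="$1"
  mkdir -p "$home/.ssh"
  chmod 755 "$home"
  chmod 700 "$home/.ssh"
  if command -v ssh-keygen >/dev/null; then
    # -N '' gives an unprotected key for this demo only; for a real key set a
    # passphrase and let ssh-agent hold the decrypted key instead.
    ssh-keygen -q -t rsa -b 2048 -N '' -C 'alice@example' -f "$home/.ssh/id_rsa"
  else
    echo 'placeholder private key (ssh-keygen not installed)' > "$home/.ssh/id_rsa"
    echo 'ssh-rsa AAAAplaceholder alice@example' > "$home/.ssh/id_rsa.pub"
  fi
  chmod 600 "$home/.ssh/id_rsa"
  chmod 644 "$home/.ssh/id_rsa.pub"
  # What ssh-copy-id does on the target host: append the public key, then
  # make sure the file is not writable by anyone but the owner.
  cat "$home/.ssh/id_rsa.pub" >> "$home/.ssh/authorized_keys"
  chmod 644 "$home/.ssh/authorized_keys"
}

# Check every path against the modes it may have. sshd (StrictModes, the
# default) rejects the key if $HOME, .ssh or authorized_keys is group- or
# world-writable, and the client refuses a private key readable by others.
# Uses GNU stat as found on CentOS. Prints one line per problem; exit 1 if any.
check_ssh_perms() {   # check_ssh_perms <home>
  local home="$1" problems=0 path want mode
  while read -r path want; do
    if [ ! -e "$path" ]; then
      echo "missing: $path"; problems=$((problems + 1)); continue
    fi
    mode=$(stat -c %a "$path")
    case ",$want," in
      *",$mode,"*) ;;
      *) echo "wrong mode $mode on $path (want $want)"; problems=$((problems + 1)) ;;
    esac
  done <<EOF
$home 755,750,700
$home/.ssh 700
$home/.ssh/id_rsa 600
$home/.ssh/id_rsa.pub 644
$home/.ssh/authorized_keys 644,600
EOF
  [ "$problems" -eq 0 ]
}

setup_ssh_dir "$HOME_DIR"
check_ssh_perms "$HOME_DIR" && echo "ssh file modes OK under $HOME_DIR"

# Interactive steps on a real host (need a terminal for the passphrase):
#   eval "$(ssh-agent -s)"                          # start the agent in this shell
#   ssh-add ~/.ssh/id_rsa                           # load the key once per session
#   ssh-copy-id -i ~/.ssh/id_rsa.pub alice@server   # install the key on the target
```

When key login fails with no obvious reason, run check_ssh_perms on the target account's home before anything else; a group-writable home directory is the classic cause, and sshd logs it only at debug level.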

  48. Review Class 1, Unit 3. We can use key pairs in place of traditional passwords to provide authentication. Use ssh-keygen to generate the public/private key pair. Use ssh-add to load the private key into your agent process. Copy the public key to the authorized_keys file for the target user.

  49. In class lab 1c • Lab notes for this session can be found here: http://www.ulcert.uw.edu -> Class Content -> InClass labs ->

  50. Homework • To be posted on the class web site.
