Difference between revisions of "OPS335 Resources"

(New Features in Fedora 15/16)
(Removing some very outdated resources)
Line 1: Line 1:
 
[[Category:OPS335]]
 
[[Category:OPS335]]
= Installation Video =
 
[http://www.youtube.com/watch?v=AhXt8PnmAxQ Fedora 12 Installation]
 
  
= New Features in Fedora 15/16 =
+
= New Features =
 
* [[systemd_fedora | systemd resource]]
 
* [[systemd_fedora | systemd resource]]
* Netfilter/iptables
+
* [http://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sec-Comparison_of_Firewalld_to_system-config-firewall.html iptables and firewalld ]
** Added new built-in chain for the NAT table: INPUT chain
 
  
= F12 Live CD update Tracker =
+
= Monitoring System Main Log File =
The following table shows the number of packages available for update on a given date on a Live Fedora 12 system.
 
{|border="1"
 
|- style="width: 100%;color: white; background-color: #7430c2; font-weight: bold"
 
| Date || No. of Packages || Size || Time(min.)
 
|-
 
|November 25, 2009
 
|100
 
|94MB
 
|5
 
|-
 
|November 24, 2009
 
|89
 
|87MB
 
|5
 
|-
 
|December 6, 2009
 
|180
 
|152MB
 
|8
 
|-style="width: 100%;color: white; background-color: #7430c2; font-weight: bold"
 
|Date||No of Package||Size||Time(min.)
 
|}
 
 
 
= F13 Installation DVD update Tracker =
 
The following table shows the number of packages available for update on a given date on a Live Fedora 13 system.
 
{|border="1"
 
|- style="width: 100%;color: white; background-color: #7430c2; font-weight: bold"
 
| Date || No. of Packages || Size || Time(min.)
 
|-
 
|September 10, 2010
 
|485
 
|579MB
 
|5
 
|-style="width: 100%;color: white; background-color: #7430c2; font-weight: bold"
 
|Date||No of Package||Size||Time(min.)
 
|}
 
 
 
= Some facts about Fedora 12 Live DVD =
 
 
 
== Version information==
 
[root@localhost ~]# uname -a
 
Linux localhost.localdomain 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 athlon i386 GNU/Linux
 
 
 
== Number of packages ==
 
[root@localhost ~]# rpm -qa | wc -l
 
1017
 
 
 
== Super User Account ==
 
There is no password for the super user account "root". You can simply type "su -" to switch to super user account in order to perform the following task:
 
* yum update
 
* yum install package-name
 
* switch SELinux mode
 
* list, flush, add, delete firewall rule using the iptables command
 
* start/stop network service
 
* add/remove/modify user accounts
 
* add/remove software package
 
* other administrative tasks
 
* reading system log files
 
 
 
=== Monitoring System Main Log File ===
 
 
Most system daemons write log messages to the main system log file at /var/log/messages. As a system administrator, you can view any new log messages written to the file in real time using the following command line in a terminal window:
 
Most system daemons write log messages to the main system log file at /var/log/messages. As a system administrator, you can view any new log messages written to the file in real time using the following command line in a terminal window:
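Review bot: The new "iptables and firewalld" link at the top of this hunk points at the Fedora 19 Security Guide's comparison of the two firewall front ends, while every command that survives on the page is an iptables-service command ("iptables -L --line-number", "systemctl restart iptables"); add a sentence under "= New Features =" saying which of the two the course machines are expected to run, so a reader does not follow the firewalld document and then try the iptables commands below. The "Added new built-in chain for the NAT table: INPUT chain" bullet under Netfilter/iptables loses its release now that the "New Features in Fedora 15/16" heading is gone; either restore the version it refers to or drop the bullet.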
 
   
 
   
Line 96: Line 33:
 
The above messages were generated when a user plugged in an USB Flash drive to the system. In this example, the system assgined the device name [sdc] to identify the Flash drive.
 
The above messages were generated when a user plugged in an USB Flash drive to the system. In this example, the system assgined the device name [sdc] to identify the Flash drive.
  
== Mail Package ==
+
= Firewall Configuration =
Fedora 12 Live DVD does not install the malix package by default.
+
== Default Firewall Setting ==
To install the mailx package (so that user can use the mail command to read their local mails), follow the follwing steps:
 
[root@localhost mail]# yum install mailx
 
Loaded plugins: presto, refresh-packagekit
 
Setting up Install Process
 
Resolving Dependencies
 
--> Running transaction check
 
---> Package mailx.i686 0:12.4-3.fc12 set to be updated
 
--> Finished Dependency Resolution
 
 
Dependencies Resolved
 
 
=========================================================================================
 
Package          Arch            Version            Repository                Size
 
=========================================================================================
 
Installing:
 
  mailx            i686            12.4-3.fc12        fedora                      214 k
 
 
 
Transaction Summary
 
=========================================================================================
 
Install      1 Package(s)
 
Upgrade      0 Package(s)
 
 
Total download size: 214 k
 
Is this ok [y/N]: y
 
Downloading Packages:
 
Setting up and reading Presto delta metadata
 
Processing delta metadata
 
Package(s) data still to download: 214 k
 
mailx-12.4-3.fc12.i686.rpm                                    | 214 kB    00:01   
 
Running rpm_check_debug
 
Running Transaction Test
 
Finished Transaction Test
 
Transaction Test Succeeded
 
Running Transaction
 
  Installing    : mailx-12.4-3.fc12.i686                      1/1
 
 
  Installed:
 
    mailx.i686 0:12.4-3.fc12                                                               
 
 
Complete!
 
 
 
== TCP/IP Network Services running on the Live DVD by default ==
 
* cups on port 631 (Common Unix Print Service)
 
* smtp on port 25 (Simple Message Transfer protocol, for handling emails exchange between local users)
 
* avahi-daemon on port 5353 and 49032
 
* bootpc on port 68 (DHCP Client)
 
 
 
[root@localhost ~]# netstat -atup
 
Active Internet connections (servers and established)
 
Proto Recv-Q Send-Q Local Address              Foreign Address  State      PID/Program name 
 
tcp        0      0 localhost.localdomain:ipp  *:*              LISTEN      1500/cupsd         
 
tcp        0      0 localhost.localdomain:smtp  *:*              LISTEN      1800/sendmail: acce
 
tcp        0      0 localhost6.localdomain6:ipp *:*              LISTEN      1500/cupsd         
 
udp        0      0 *:mdns                      *:*                          1489/avahi-daemon: 
 
udp        0      0 *:ipp                      *:*                          1500/cupsd         
 
udp        0      0 *:49032                    *:*                          1489/avahi-daemon: 
 
udp        0      0 *:bootpc                    *:*                          1698/dhclient
 
 
 
== SELinux Configuration ==
 
Security Enhence Linux is enabled by default.
 
[root@localhost ~]# sestatus
 
SELinux status:                enabled
 
SELinuxfs mount:                /selinux
 
Current mode:                  enforcing
 
Mode from config file:          enforcing
 
Policy version:                24
 
Policy from config file:        targeted
 
[root@localhost ~]#
 
 
 
To Keep SELinux running but ask it not to enforce the Security Policy, do the following:
 
[root@localhost ~]# setenforce 0
 
[root@localhost ~]# sestatus
 
SELinux status:                enabled
 
SELinuxfs mount:                /selinux
 
Current mode:                  permissive
 
Mode from config file:          enforcing
 
Policy version:                24
 
Policy from config file:        targeted
 
 
 
It is not recommended to turn off SELinux. If you encounter some SELinux policy issues and can not get it resolve, then you should set it to permissive mode.
 
 
 
To switch SELinux from "permissive" mode to "enforcing" mode, do the following:
 
[root@localhost ~]# setenforce 1
 
[root@localhost ~]# sestatus
 
SELinux status:                enabled
 
SELinuxfs mount:                /selinux
 
Current mode:                  enforcing
 
Mode from config file:          enforcing
 
Policy version:                24
 
Policy from config file:        targeted
 
 
 
== Firewall Configuration ==
 
Fedora distribution use "netfilter" kernel module for building a Stateful Packet Filtering firewall. Firewall is enable on Fedora Live DVD by default.
 
=== Default Firewall Setting ===
 
 
The default firewall configuration:
 
The default firewall configuration:
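Review bot: This deletion removes the "== SELinux Configuration ==" section and the "== TCP/IP Network Services running on the Live DVD by default ==" netstat listing together, and nothing in the new revision replaces them; the sestatus/setenforce commands are not tied to Fedora 12 the way the yum transcripts and update trackers are, and the netstat output is the only place the page shows which services (cupsd, sendmail, avahi-daemon, dhclient) the firewall rules that follow are actually protecting. Suggest keeping those two subsections under the new "= Firewall Configuration =" heading, refreshed on a current system (ss -tulpn gives the same view as netstat -atup), and deleting only the mailx transcript and the Fedora 12 release facts. The "=== Monitoring System Main Log File ===" subsection is promoted to a top-level section with its text unchanged, which is fine, but the "assgined" typo in its last paragraph survives the move.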
 
      
 
      
Line 205: Line 48:
 
  Chain FORWARD (policy ACCEPT)
 
  Chain FORWARD (policy ACCEPT)
 
  num  target    prot opt source              destination         
 
  num  target    prot opt source              destination         
1    REJECT    all  --  anywhere            anywhere            reject-with icmp-host-prohibited
 
 
   
 
   
 
  Chain OUTPUT (policy ACCEPT)
 
  Chain OUTPUT (policy ACCEPT)
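Review bot: The removed line "1 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited" was the only rule in the FORWARD chain, and the hunk leaves FORWARD empty with policy ACCEPT without saying where the new listing was taken from; the page text around it still names Fedora 12, whose default (the removed line) rejected all forwarding. State the release the new listing comes from, because the "better configuration" in the next hunk justifies its FORWARD DROP policy by this chain being wide open.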
Line 213: Line 55:
 
** Rule number 1 allows any packets which are related to any packets went out before
 
** Rule number 1 allows any packets which are related to any packets went out before
 
** Rule number 2 allows any icmp packets, including echo-request and echo-reply packet (used by the ping command)
 
** Rule number 2 allows any icmp packets, including echo-request and echo-reply packet (used by the ping command)
** Rule number 3 allows packets coming from the loop back network interface (lo), need to "-v" to show the interface name.
+
** Rule number 3 allows packets coming from the loop back network interface (lo).  Use the "-v" option to show the interface name.
 
** Rule number 4 allows packets go to IP address 224.0.0.251 port 5353
 
** Rule number 4 allows packets go to IP address 224.0.0.251 port 5353
 
** Rule number 5 blocks all other incoming packets
 
** Rule number 5 blocks all other incoming packets
  
* No packet will be forwarded.
+
* All packets will be forwarded.
  
 
* All outgoing packets are allowed.
 
* All outgoing packets are allowed.
  
=== Flush out firewall rules in the Filter table ===
+
== Improving system security with some better rules ==
To turn off the blocking of Incoming packet, do the following:
+
A better configuration
  [root@localhost ~]# iptables -F
+
  [root@localhost ~]# iptables -L --line-number
[root@localhost ~]# iptables -L
+
  Chain INPUT (policy DROP)
  Chain INPUT (policy ACCEPT)
+
num target    prot opt source              destination         
  target    prot opt source              destination         
+
1    ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
 +
2    ACCEPT    icmp --  anywhere            anywhere           
 +
3    ACCEPT    all  --  anywhere            anywhere           
 
   
 
   
  Chain FORWARD (policy ACCEPT)
+
  Chain FORWARD (policy DROP)
  target    prot opt source              destination        
+
num target    prot opt source              destination        
 
   
 
   
 
  Chain OUTPUT (policy ACCEPT)
 
  Chain OUTPUT (policy ACCEPT)
  target    prot opt source              destination  
+
num target    prot opt source              destination        
 +
 +
* Incoming packets will be filtered based on firewall rules for the INPUT chain (Chain num 1 to 3)
 +
** Rule number 1 allows any packets which are related to any packets went out before
 +
** Rule number 2 allows any icmp packets, including echo-request and echo-reply packet (used by the ping command)
 +
** Rule number 3 allows packets coming from the loop back network interface (lo).  Use the "-v" option to show the interface name.
 +
** As we aren't using MDNS, we can delete that rule.
 +
** Instead of rejecting unwanted traffic (which sends a response back), simply drop it (note the changed default policy).
  
The "iptables -F" command "flushes" out all the firewall rules in the filter table. The "iptables -L" displays the updated firewall rules in the filter table (none left after the iptables -F command).
+
* No packets will be forwarded.
 +
** Unless you expect to be forwarding traffic, why allow it?
  
=== Restore default firewall rules to the Filter table ===
+
=== Logging unexpected traffic ===
To restore the default firewall, do the following:
+
It can also be useful to keep a log of the traffic that your machine drops.  This could be traffic that you want, but haven't added a rule to accept, or it could provide early warning that someone is trying to compromise your machine.  This is particularly useful on machines/interfaces that face the outside world.
  [root@localhost ~]# service iptables restart
+
 
 +
[root@localhost ~]# iptables -A INPUT -j LOG
 +
 
 +
== Restore default firewall rules to the Filter table ==
 +
To restore the firewall to saved settings, do the following:
 +
  [root@localhost ~]# systemctl restart iptables
 
  iptables: Flushing firewall rules:                        [  OK  ]
 
  iptables: Flushing firewall rules:                        [  OK  ]
 
  iptables: Setting chains to policy ACCEPT: raw mangle nat f[  OK  ]
 
  iptables: Setting chains to policy ACCEPT: raw mangle nat f[  OK  ]
 
  iptables: Unloading modules:                              [  OK  ]
 
  iptables: Unloading modules:                              [  OK  ]
 
  iptables: Applying firewall rules:
 
  iptables: Applying firewall rules:
 
= Additional Software Package Installation =
 
 
== Apache Manual ==
 
 
=== Installation using yum ===
 
[root@localhost ~]# yum install httpd-manual
 
Loaded plugins: presto, refresh-packagekit
 
Setting up Install Process
 
Resolving Dependencies
 
--> Running transaction check
 
---> Package httpd-manual.noarch 0:2.2.13-4.fc12 set to be updated
 
--> Finished Dependency Resolution
 
 
Dependencies Resolved
 
 
================================================================================
 
  Package              Arch          Version              Repository      Size
 
================================================================================
 
Installing:
 
  httpd-manual        noarch        2.2.13-4.fc12        fedora        767 k
 
 
Transaction Summary
 
================================================================================
 
Install      1 Package(s)
 
Upgrade      0 Package(s)
 
 
Total download size: 767 k
 
Is this ok [y/N]: y
 
Downloading Packages:
 
Setting up and reading Presto delta metadata
 
fedora/prestodelta                                      | 1.3 kB    00:00   
 
Processing delta metadata
 
Package(s) data still to download: 767 k
 
httpd-manual-2.2.13-4.fc12.noarch.rpm                    | 767 kB    00:02   
 
Running rpm_check_debug
 
Running Transaction Test
 
Finished Transaction Test
 
Transaction Test Succeeded
 
Running Transaction
 
  Installing    : httpd-manual-2.2.13-4.fc12.noarch                        1/1
 
 
Installed:
 
  httpd-manual.noarch 0:2.2.13-4.fc12                                         
 
 
Complete!
 
 
=== Starting Apache Server ===
 
[root@localhost ~]# service httpd start
 
Starting httpd:                                            [  OK  ]
 
[root@localhost ~]#
 
 
=== To access your Apache Web Server running on the Live DVD ===
 
* Open the Firefox Web Browser
 
* Type the url "http://localhost" into the address box and press ENTER
 
* Type the url "http://localhost/manual" to access the Apache manual
 
 
  
 
= Reporting Problems about your Fedora Installation =
 
= Reporting Problems about your Fedora Installation =
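Review bot: The new "[root@localhost ~]# iptables -A INPUT -j LOG" line under "=== Logging unexpected traffic ===" appends a LOG rule with no "-m limit" and no "--log-prefix"; with the INPUT policy now DROP it logs every packet that reaches the end of the chain, so any host on the network can fill /var/log/messages, and the entries carry nothing to grep for. Suggest "-m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "" and a sentence saying the rule is a runtime change that the "systemctl restart iptables" in the next section throws away unless it is saved first. That restore section swaps "service iptables restart" for "systemctl restart iptables" but keeps the "iptables: Flushing firewall rules: [ OK ]" lines, which systemctl does not print; drop them or note that they are the init script's messages. In the "better configuration" listing, rule 3 is shown as "3 ACCEPT all -- anywhere anywhere", which is also what an unconditional accept-everything rule looks like; list with "-v" or "iptables-save" so the "-i lo" match is visible, and spell the option "--line-numbers" (the abbreviation works but is not the documented name). Finally, rewriting "* No packet will be forwarded." as "* All packets will be forwarded." describes the chain's policy, not what the host does; "the firewall permits forwarding" is the accurate wording.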

Revision as of 10:18, 7 January 2015


New Features

Monitoring System Main Log File

Most system daemons write log messages to the main system log file at /var/log/messages. As a system administrator, you can view any new log messages written to the file in real time using the following command line in a terminal window:

[root@localhost ~]# tail -f /var/log/messages
Jan 13 11:59:01 localhost kernel: usb 1-2: new high speed USB device using ehci_hcd and address 5
Jan 13 11:59:01 localhost kernel: usb 1-2: New USB device found, idVendor=058f, idProduct=6387
Jan 13 11:59:01 localhost kernel: usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jan 13 11:59:01 localhost kernel: usb 1-2: Product: Mass Storage
Jan 13 11:59:01 localhost kernel: usb 1-2: Manufacturer: USB2.0
Jan 13 11:59:01 localhost kernel: usb 1-2: SerialNumber: 1C7FED06
Jan 13 11:59:01 localhost kernel: usb 1-2: configuration #1 chosen from 1 choice
Jan 13 11:59:01 localhost kernel: scsi9 : SCSI emulation for USB Mass Storage devices
Jan 13 11:59:06 localhost kernel: scsi 9:0:0:0: Direct-Access     USB2.0   Flash Disk       8.07 PQ: 0 ANSI: 2
Jan 13 11:59:06 localhost kernel: sd 9:0:0:0: Attached scsi generic sg3 type 0
Jan 13 11:59:06 localhost kernel: sd 9:0:0:0: [sdc] 1998848 512-byte logical blocks: (1.02 GB/976 MiB)
Jan 13 11:59:06 localhost kernel: sd 9:0:0:0: [sdc] Write Protect is off
Jan 13 11:59:06 localhost kernel: sd 9:0:0:0: [sdc] Assuming drive cache: write through
Jan 13 11:59:06 localhost kernel: sd 9:0:0:0: [sdc] Assuming drive cache: write through
Jan 13 11:59:07 localhost kernel: sdc: unknown partition table
Jan 13 11:59:07 localhost kernel: sd 9:0:0:0: [sdc] Assuming drive cache: write through
Jan 13 11:59:07 localhost kernel: sd 9:0:0:0: [sdc] Attached SCSI removable disk
Jan 13 11:59:07 localhost kernel: kjournald starting.  Commit interval 5 seconds
Jan 13 11:59:07 localhost kernel: EXT3 FS on sdc, internal journal
Jan 13 11:59:07 localhost kernel: EXT3-fs: recovery complete.
Jan 13 11:59:07 localhost kernel: EXT3-fs: mounted filesystem with ordered data mode.

The above messages were generated when a user plugged a USB flash drive into the system. In this example the kernel assigned the device name [sdc] to the drive. For a system administrator these lines are also an audit trail of removable-media use: they record when the device appeared, its vendor and product IDs and serial number, which block device it became, and that an ext3 filesystem on it was mounted.
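Those lines are exactly what you would search for when auditing removable-media use. As an added example (not part of the original page), the shell script below turns such kernel messages into one summary line per attached device, joining the "usb", "scsi", "sd" and "EXT3 FS" lines through the SCSI host number. The first device in the embedded sample is the page's own listing; the second is a constructed device that was attached but never mounted. Everything is embedded so it runs offline; on a real system feed it /var/log/messages instead.

```shell
#!/bin/sh
# Added example (not from the original page): summarise USB mass-storage
# attach events from /var/log/messages-style kernel lines.
# Reads log lines on stdin, prints one line per device:
#   <time> usb=<port> id=<idVendor>:<idProduct> serial=<sn> dev=<block> mounted=<yes|no>
# Use on a real system:  usb_attach_report < /var/log/messages

usb_attach_report() {
    awk '
    # "usb 1-2: New USB device found, idVendor=058f, idProduct=6387"
    /kernel: usb [0-9.-]+: New USB device found,/ {
        port = $7; sub(/:$/, "", port)
        cur = port; order[++n] = port
        when[port] = $1 " " $2 " " $3
        vid = $0; sub(/.*idVendor=/, "", vid); sub(/,.*/, "", vid)
        pid = $0; sub(/.*idProduct=/, "", pid)
        ids[port] = vid ":" pid
        next
    }
    # "usb 1-2: SerialNumber: 1C7FED06"
    /kernel: usb [0-9.-]+: SerialNumber:/ {
        port = $7; sub(/:$/, "", port); serial[port] = $NF; next
    }
    # "scsi9 : SCSI emulation for USB Mass Storage devices"
    # The SCSI host number is the only link between the usb port and the
    # later "sd 9:0:0:0" lines. Assumption: it belongs to the device
    # announced most recently, which is how the kernel orders these lines.
    /kernel: scsi[0-9]+ : SCSI emulation for USB Mass Storage/ {
        host = $6; sub(/^scsi/, "", host); host_port[host] = cur; next
    }
    # "sd 9:0:0:0: [sdc] 1998848 512-byte logical blocks: ..."
    /kernel: sd [0-9:]+ \[sd[a-z]+\] [0-9]+ [0-9]+-byte logical blocks/ {
        host = $7; sub(/:.*/, "", host)
        dev = $8; gsub(/\[|\]/, "", dev)
        port = host_port[host]
        if (port != "") { blockdev[port] = dev; dev_port[dev] = port }
        next
    }
    # "EXT3 FS on sdc, internal journal": the filesystem was really mounted
    /kernel: EXT[234] FS on sd[a-z]+[0-9]*,/ {
        dev = $9; sub(/,$/, "", dev)
        if (dev in dev_port) mounted[dev_port[dev]] = "yes"
        next
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            printf("%s usb=%s id=%s serial=%s dev=%s mounted=%s\n", when[p], p, ids[p],
                   (p in serial) ? serial[p] : "-", (p in blockdev) ? blockdev[p] : "-",
                   (p in mounted) ? "yes" : "no")
        }
    }'
}

# Sample input: the first device is the listing from the page, the second
# (usb 1-3, sdd) is constructed and never gets mounted.
SAMPLE_LOG=$(cat <<'EOF'
Jan 13 11:59:01 localhost kernel: usb 1-2: new high speed USB device using ehci_hcd and address 5
Jan 13 11:59:01 localhost kernel: usb 1-2: New USB device found, idVendor=058f, idProduct=6387
Jan 13 11:59:01 localhost kernel: usb 1-2: Product: Mass Storage
Jan 13 11:59:01 localhost kernel: usb 1-2: SerialNumber: 1C7FED06
Jan 13 11:59:01 localhost kernel: scsi9 : SCSI emulation for USB Mass Storage devices
Jan 13 11:59:06 localhost kernel: sd 9:0:0:0: Attached scsi generic sg3 type 0
Jan 13 11:59:06 localhost kernel: sd 9:0:0:0: [sdc] 1998848 512-byte logical blocks: (1.02 GB/976 MiB)
Jan 13 11:59:07 localhost kernel: sd 9:0:0:0: [sdc] Attached SCSI removable disk
Jan 13 11:59:07 localhost kernel: EXT3 FS on sdc, internal journal
Jan 13 12:04:10 localhost kernel: usb 1-3: New USB device found, idVendor=0781, idProduct=5567
Jan 13 12:04:10 localhost kernel: usb 1-3: SerialNumber: 4C530001
Jan 13 12:04:10 localhost kernel: scsi10 : SCSI emulation for USB Mass Storage devices
Jan 13 12:04:15 localhost kernel: sd 10:0:0:0: [sdd] 15633408 512-byte logical blocks: (8.00 GB/7.45 GiB)
Jan 13 12:04:15 localhost kernel: sd 10:0:0:0: [sdd] Attached SCSI removable disk
EOF
)

usb_demo() { printf '%s\n' "$SAMPLE_LOG" | usb_attach_report; }
usb_demo
```

The report prints one line per device once the input ends, so run it over a saved copy of the log rather than a live tail -f. A device that shows dev=- was enumerated but never got a block device; mounted=no with a dev means it was attached but nothing mounted it, which on a server is the case worth asking about.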

Firewall Configuration

Default Firewall Setting

The default firewall configuration:

[root@localhost ~]# iptables -L --line-number
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    ACCEPT     udp  --  anywhere             224.0.0.251         state NEW udp dpt:mdns 
5    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination          

  • Incoming packets are filtered by the rules of the INPUT chain (rules 1 to 5); the chain's policy ACCEPT only applies to a packet that no rule matches, and rule 5 makes sure none gets that far
    • Rule 1 accepts packets that belong to, or are related to, a connection this host already has open (the RELATED,ESTABLISHED state match), which is what lets replies to outgoing traffic back in
    • Rule 2 accepts all ICMP packets, including the echo-request and echo-reply used by the ping command
    • Rule 3 accepts packets arriving on the loopback interface (lo). The listing shows it as "all -- anywhere anywhere" because it does not print interface matches; run the command with "-v" to confirm the rule carries "in lo", since without that match it would accept every packet
    • Rule 4 accepts new UDP packets sent to the multicast address 224.0.0.251, port 5353 (mDNS, used by avahi-daemon)
    • Rule 5 rejects every other incoming packet and answers the sender with an ICMP host-prohibited message
  • The FORWARD chain is empty and its policy is ACCEPT, so the firewall does not stop the host from forwarding packets between its interfaces (whether it actually forwards depends on the kernel's IP forwarding setting, which iptables does not show).
  • All outgoing packets are allowed.

Improving system security with some better rules

A better configuration

[root@localhost ~]# iptables -L --line-number
Chain INPUT (policy DROP)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
2    ACCEPT     icmp --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination          

  • Incoming packets are filtered by the rules of the INPUT chain (rules 1 to 3); anything no rule accepts falls through to the chain's policy, which is now DROP
    • Rule 1 accepts packets that belong to, or are related to, a connection this host already has open (the RELATED,ESTABLISHED state match)
    • Rule 2 accepts all ICMP packets, including the echo-request and echo-reply used by the ping command
    • Rule 3 accepts packets arriving on the loopback interface (lo). Use the "-v" option to check that the rule really carries the "in lo" match; a rule that shows as "all -- anywhere anywhere" without it accepts everything
    • The mDNS rule is gone: this host does not use mDNS, so there is no reason to accept that traffic
    • The REJECT rule is gone too. Unwanted traffic now hits the DROP policy and is silently discarded, instead of being answered with an ICMP error that confirms to a scanner that the host is there
  • No packets are forwarded: the FORWARD chain's policy is now DROP.
    • Unless this host is meant to route traffic between interfaces, there is no reason to allow it.

Logging unexpected traffic

It can also be useful to keep a log of the traffic that your machine drops. This could be traffic that you want but have not yet written a rule to accept, or it could be an early warning that someone is probing or trying to compromise your machine. It is particularly useful on machines and interfaces that face the outside world. The LOG target writes a kernel log message and then lets the packet continue down the chain, so a LOG rule appended to the end of INPUT records exactly the packets that are about to be dropped by the DROP policy; the messages land in the kernel log (/var/log/messages on this system, as in the tail -f example above). Because anyone on the network can make this rule fire, add a "-m limit" match to rate-limit it and a "--log-prefix" so the entries are easy to find; the command below logs every dropped packet without either.

[root@localhost ~]# iptables -A INPUT -j LOG

Restore default firewall rules to the Filter table

To throw away runtime changes and reload the firewall from its saved rules (on Fedora the iptables service reads them from /etc/sysconfig/iptables), restart the service:

[root@localhost ~]# systemctl restart iptables

The messages below are what the older "service iptables restart" printed; systemctl itself prints nothing on success. Note what they describe: for a moment during the restart every chain is flushed and set to policy ACCEPT, so the host is unprotected until the saved rules are applied. Any rule added at the command line, including the LOG rule above and the "better configuration", is lost on restart unless it was saved first with "iptables-save > /etc/sysconfig/iptables".

iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: raw mangle nat f[  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:
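The rules, the logging and the saved-rules file above come together in the added example below; it is not code from the original page. It writes the page's default ruleset and the "better configuration" in iptables-restore format, which is also the format of /etc/sysconfig/iptables, adds the rate-limited, prefixed LOG rule, and includes a small audit that reads any ruleset in that format and flags the weaknesses discussed on this page: ACCEPT policies, a REJECT that answers probes, a loopback rule without an interface match, the mDNS rule, and a missing or unlimited LOG rule. The SSH port it opens, the "-i lo" on rule 3 (which iptables -L hides) and the log prefix are assumptions. It never touches the running firewall.

```shell
#!/bin/sh
# Added example (not from the original page): the "better configuration"
# as an iptables-restore file, next to the Fedora default it replaces, and
# an audit that flags the weaknesses discussed above in any ruleset given
# in iptables-save format. Nothing here touches the running firewall.
# To apply the hardened set on this kind of system:
#   build_hardened_ruleset > /etc/sysconfig/iptables
#   iptables-restore < /etc/sysconfig/iptables
# SSH_PORT is an assumption; the page never opens a service port.
SSH_PORT=${SSH_PORT:-22}

# The default listing from the page, rebuilt in iptables-save syntax.
# Assumption: rule 3 carries "-i lo", which "iptables -L" does not show.
build_default_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 224.0.0.251/32 -p udp -m state --state NEW -m udp --dport 5353 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# The hardened set: DROP policies, loopback matched by interface, one
# service port, and a rate-limited LOG rule as the last thing a packet
# sees before the DROP policy discards it.
build_hardened_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport $SSH_PORT -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# Reads a ruleset in iptables-save format on stdin, prints one finding per
# line and exits non-zero when there is anything to report.
audit_ruleset() {
    awk '
    /^:INPUT ACCEPT/   { print "INPUT policy ACCEPT: a packet no rule matches is let in"; n++ }
    /^:FORWARD ACCEPT/ { print "FORWARD policy ACCEPT: the host may route between interfaces"; n++ }
    /^-A INPUT .*-j REJECT/ { print "REJECT in INPUT: every unsolicited probe gets an answer, DROP stays silent"; n++ }
    /^-A INPUT -j ACCEPT$/  { print "unconditional ACCEPT in INPUT: not a loopback rule, it admits everything"; n++ }
    /^-A INPUT .*--dport 5353( |$)/ { print "mDNS (udp/5353) is still accepted"; n++ }
    /-j LOG/ {
        seen_log = 1
        if ($0 !~ /-m limit/) { print "LOG rule has no -m limit: anyone can flood the log"; n++ }
    }
    END {
        if (!seen_log) { print "nothing logs the traffic that gets dropped"; n++ }
        exit (n > 0)
    }'
}

audit_demo() {
    echo "== Fedora default =="
    build_default_ruleset | audit_ruleset || echo "(findings above)"
    echo "== hardened =="
    build_hardened_ruleset | audit_ruleset && echo "no findings"
}
audit_demo
```

To audit the firewall that is actually loaded, pipe the live ruleset through the same check: "iptables-save | audit_ruleset". Its exit status makes it usable as a pre-commit or deployment gate for the saved rules file.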

Reporting Problems about your Fedora Installation

Please read the bug report guidelines to collect as much information as possible when reporting a Fedora problem to your professor.

Miscellaneous Topics