First add the acl mount option in fstab:
LABEL=/home /home ext3 defaults,acl 0 0
(or on whichever other mount point you need it).
Then remount:
mount -o remount -o acl LABEL=/home
To see the current ACL on /home/<folder>:
getfacl /home/djordje
Now set the ACL, first on the folder that holds the file:
setfacl -m user:djordje:r-x /home/djordje
setfacl -m mask:r-x /home/djordje
The mask matters because it is the upper bound on what every entry in the ACL list (named users, named groups and the owning group) actually gets, as we set it here.
To explain this a little:
We have a folder test where the owner (root) has rwx and group and other have had all rights removed.
drwx------ 3 root root 4096 Aug 24 08:22 test
List the ACL:
getfacl test
# file: test
# owner: root
# group: root
user::rwx
group::---
other::---
Now allow user djordje to access the folder:
setfacl -m u:djordje:rx test/
and set the mask to read only:
setfacl -m m:r test/
We get the following ACL on test:
getfacl test
# file: test
# owner: root
# group: root
user::rwx
user:djordje:r-x #effective:r--
group::---
mask::r--
other::---
In this situation, despite the rx permission for user djordje, he cannot enter the folder, because the mask limits his effective permission to r--!
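The mask rule above, worked through in code. This is an added example, not part of the original notes: it parses getfacl-style output (SAMPLE_ACL is constructed to match the test directory) and applies the POSIX ACL access check, so you can see why djordje ends up with r-- and what changes when the mask is raised.

```python
"""Effective POSIX ACL permissions, as getfacl reports them.

Added example (not from the original notes). The mask caps named users,
named groups and the owning group; the owner (user::) and other:: are
never capped. SAMPLE_ACL is constructed to match the 'test' directory.
"""

# Constructed: ACL of 'test' after "setfacl -m u:djordje:rx test/" and
# "setfacl -m m:r test/".
SAMPLE_ACL = """\
# file: test
# owner: root
# group: root
user::rwx
user:djordje:r-x
group::---
mask::r--
other::---
"""


def perm_bits(s):
    """'r-x' -> 5, 'rx' -> 5, 'rwx' -> 7."""
    return (4 if 'r' in s else 0) | (2 if 'w' in s else 0) | (1 if 'x' in s else 0)


def bits_perm(b):
    return ('r' if b & 4 else '-') + ('w' if b & 2 else '-') + ('x' if b & 1 else '-')


def parse_acl(text):
    """Return (header, entries): header from the '# owner:' style lines,
    entries as (tag, qualifier, perms) with any '#effective:' hint dropped."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('#'):
            key, _, val = line[1:].partition(':')
            header[key.strip()] = val.strip()
            continue
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        tag, qual, perms = line.split(':')
        entries.append((tag, qual, perms))
    return header, entries


def effective_acl(text):
    """[(entry, perms, effective)] for every non-mask entry, e.g.
    ('user:djordje', 'r-x', 'r--') when the mask is r--."""
    _, entries = parse_acl(text)
    mask = next((perm_bits(p) for t, _, p in entries if t == 'mask'), None)
    rows = []
    for tag, qual, perms in entries:
        if tag == 'mask':
            continue
        bits = perm_bits(perms)
        # The mask applies to named users, the owning group and named groups only.
        capped = mask is not None and ((tag == 'user' and qual != '') or tag == 'group')
        eff = bits & mask if capped else bits
        rows.append((tag + ':' + qual, perms, bits_perm(eff)))
    return rows


def check_access(text, user, groups, want):
    """True if 'user' (member of 'groups') holds every permission in 'want'
    (e.g. 'rx') under the POSIX ACL algorithm: owner entry first, then a
    named user entry, then any matching group entry that grants all the
    requested bits, otherwise the other entry."""
    header, _ = parse_acl(text)
    rows = {entry: perm_bits(eff) for entry, _, eff in effective_acl(text)}
    need = perm_bits(want)
    if user == header.get('owner'):
        return rows['user:'] & need == need
    if 'user:' + user in rows:
        return rows['user:' + user] & need == need
    matching = [rows['group:' + g] for g in groups if 'group:' + g in rows]
    if header.get('group') in groups:
        matching.append(rows['group:'])
    if matching:
        return any(m & need == need for m in matching)
    return rows['other:'] & need == need


if __name__ == '__main__':
    for entry, perms, eff in effective_acl(SAMPLE_ACL):
        hint = '   #effective:' + eff if eff != perms else ''
        print(entry + ':' + perms + hint)
    print('djordje can enter test/:', check_access(SAMPLE_ACL, 'djordje', (), 'rx'))
```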
__________________________________________
For example, to give read and write permissions to user andrius:
For example, to remove all permissions from the user with UID 500:
setfacl -x u:500 /project/somefile
_______________________________________________
To set a default ACL, add d: before the rule and specify a directory instead of a file name.
For example, to set the default ACL for the /share/ directory to read and execute for users not in the user group (an access ACL for an individual file can override it):
setfacl -m d:o:rx /share
____________________________________
setfacl -m u::rx,g::rw,m:---,u:djordje:rw dir
"::" between the tag and the permissions (no name) means the entry is a base entry rather than a named one: u:: is the file owner, g:: the owning group.
To delete the default ACL:
setfacl -k dir
_______________________________________________________
##########################################################
Quotas
Quotas only work per partition, so they are set up in fstab:
/dev/VolGroup00/LogVol00 / ext3 defaults,grpquota,usrquota 1 1
After the change a remount is needed (mount -o remount /home); if the partition is / then a reboot is needed.
Then run the following command:
quotacheck -avcm
Then assign how much space each user may use:
edquota user_name
edquota -t (grace period)
edquota -up bora aleksa vesna (copy bora's quota as the prototype to aleksa and vesna)
_______________________________________________________________________________
SUDOERS
visudo
is used to edit this file:
/etc/sudoers
Automount/fstab
automount
cd -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom
nfs -fstype=nfs 192.168.1.10:/nfs_homes/home
project -fstype=ext3 :/dev/sdb1 (to mount a local filesystem)
samba -fstype=cifs,username=djordje,password=djordje ://192.168.1.10/samba_shares
fstab
//192.168.1.10/samba_shares /root/samba cifs username=djordje,password=djordje 0 0
192.168.1.10:/nfs_homes/home /root/nfs nfs soft,timeo=300 0 0
It is very important to remember the exact format for automount and fstab: this "://" is not "//" or ":/"; if we get it wrong the share simply will not mount.
Note that a password written into fstab or an automount map is readable by anyone who can read those files; mount.cifs also accepts credentials=/path/to/file (mode 600) instead of password= on the line.
Grub
/boot/grub/grub.conf
____________________________________________
If we want to set a password:
grub-md5-crypt
then in grub.conf it
will look like:
password --md5 copy-of-the-output
To enter the password in the Grub menu, press "p".
____________________________________________
Commands at the grub> prompt:
grub> find (hd0,0)/grub/grub.conf
commands in order:
kernel vmlinuz (tab to complete)
initrd (tab to complete)
boot
_________________________________________
LVs, VGs, PVs
Step by step. We have the disks/partitions sdb1 and sdc1.
First create the Physical Volumes:
pvcreate /dev/sdc1
pvcreate /dev/sdb1
__________________________________________________________________________________
Once we have created 2 or more physical volumes we create the
Volume Group:
vgcreate imekojehocemozagrupu /dev/sdc1 /dev/sdb1 (imekojehocemozagrupu = whatever name we want for the group)
We can add new partitions to the VG:
vgextend imegrupe /dev/sdf1 (for example; imegrupe = the group name)
Then we create logical volumes in the group, which we can later format like ordinary disks (size, type...):
lvcreate -l number_of_pes imegrupe -n logvol (logvol = the name of the LV, i.e. the "partition")
or with a given size:
lvcreate -L 200m imegrupe -n flex
To see what we have and where the LVs and VGs are:
vgdisplay
lvdisplay
lvscan
Then create the filesystem on the logical volume:
mkfs -t ext3 /dev/prvagrupa/logvol
To drop PVs that have gone missing from a group:
vgreduce --removemissing VolGroup00
_______________________________________
To add new space:
lvextend -L+2M /putanja_koju_vidimo_sa_lvscan (the LV path as shown by lvscan)
resize2fs /putanja_koju_vidimo_sa_lvscan
(if this refuses, umount first and then e2fsck -f /putanja_koju_vidimo_sa_lvscan)
_________________________________________________
Then in fstab we can write
LABEL=/home/mj /home/mj ext3 defaults 1 2
but to use this we must create the label first:
e2label /dev/prvagrupa/logvol /home/mj
or in fstab, instead of
LABEL=/home/mj
write
/dev/prvagrupa/logvol
##########################################################
9. Apache
rpm -q httpd
rpm -q mod_ssl
to install:
httpd
httpd-manual
http://localhost/
directory
/etc/httpd/
main config file
/etc/httpd/conf/httpd.conf
______________________
The document root for the website is
/var/www/
Usually directories are created for particular domains,
for example
mkdir /var/www/virtuallab.internal
_________________________________________________________________________________
Alias for any folder; the folder should contain index.html, index.htm ...
Alias /www.virtuallab.middle /var/www/virtuallab.middle (the alias name does not have to match the folder name)
<VirtualHost www.virtuallab.middle>
ServerName www.virtuallab.middle
DocumentRoot "/var/www/virtuallab.middle"
ServerAdmin [email protected]
ErrorLog logs/virtuallab.external-error_log (create these files)
CustomLog logs/virtuallab.external-access_log common (create these files)
</VirtualHost>
<Directory "/var/www/virtuallab.middle">
# Order deny,allow (if we set Order allow,deny, access is denied by default)
# Allow from all
AuthType Basic
AuthName "Unesite svoju Sifru."
AuthUserFile /etc/httpd/webpass
require valid-user
</Directory>
htpasswd -c /etc/httpd/webpass djordje (-c creates the user/password file; leave -c out when adding further users, otherwise the file is overwritten)
_____________________________________________________________________________
To allow only user djordje access:
Require user djordje (this also goes in the Directory container)
To regulate access for a group, add these:
AuthGroupFile /etc/httpd/webgroups (create this file; format: group_name: user1 user2 ...)
Require group Design
_____________________________________________________________________________
LOG
/etc/httpd/logs
access_log error_log
__________________________________________________________________
SELINUX (man httpd_selinux)
chcon -R -u system_u /var/virtuallab
chcon -R -t httpd_sys_content_t /var/virtuallab
__________________________________________________________________
When we add this:
ServerAlias vituallab.external www2.virtuallab.external
SSL
NameVirtualHost *:443
________________________________
If we use an .htaccess file we must put the option AllowOverride Options in the Directory container (AllowOverride AuthConfig if the .htaccess carries auth directives); the .htaccess file itself lives in the web directory.
____________________________________________
Everything HAS TO BE accessible by user apache!
_____________________________________________
########################################################
10. Named
install:
yum install bind
yum install system-config-bind
__________________________________
Then go into system-config-bind,
save the defaults, and that is an up-and-running caching-only server (recursion yes).
It generates named.conf at /etc/named.conf
___________________________________
chkconfig named on
_______________________________________
When we create a new zone all its files will be in /var/named;
if we want another location it must be specified exactly.
_____________________________________
port is UDP 53 (TCP 53 as well, for zone transfers and responses too large for UDP)
#######################################################
11. Network mix
This means that when we want to talk to 12.14.543.32 it always goes via 192.168.1.101:
route add -host 12.14.543.32 gw 192.168.1.101 (for example)
route del 12.14.543.32 (just the address being deleted is enough)
_________________________________________________________
When we want to talk to a whole subnet:
route add -net 12.14.543.0 netmask 255.0.0.0 gw 192.168.1.101
_________________________________________________________________
dig: information about servers (example: dig www.yahoo.com MX)
___________________________________________________________________
netstat -antu -c (refresh every second) | less (connections, including tcp and udp)
there are 65535 ports
-s | less (statistical information about the tcp stack)
-l (listening)
-r (routing table, same as "route")
Computers do not send requests from a source port below 1024; the source port is always higher, and it talks to a port on the remote machine that is usually below 1024.
___________________________________________________________________
nmap -v -O -sS -p 22 192.168.1.10
________________________
w: who is logged in right now
who -a (more precise, login time to the minute)
last (shows user logins/logouts and how many times the system restarted)
_____________________________________________
/etc/issue kernel and OS information
/etc/motd (message printed when someone logs in)
_________________________________________
rdesktop -g 550x450 for remote desktop
_______________________________________________
########################################################
12. Nfs
/etc/exports
example
/temp_dir *(rw,sync,no_root_squash)
/temp_dir 192.168.1.11(rw,sync) 192.168.1.12(ro) 192.168.1.0/24(ro,sync)
/temp_dir *.virtuallab.internal(ro,sync)
no_root_squash (remote root users keep root privileges on the export once they connect to the server; the default, root_squash, maps remote root to the anonymous user instead)
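A small audit of the exports format above, as an added example that is not part of the original notes: it parses lines of the form "path client(options) client(options)" (EXPORTS_SAMPLE is constructed from the three example lines) and flags the combinations a reviewer would question, such as no_root_squash or rw handed to a wildcard client.

```python
"""Audit /etc/exports lines for risky host/option combinations.

Added example, not part of the original notes. The parser assumes the
documented form 'path client(opts) client(opts) ...' with no space
between a client and its parentheses.
"""
import re

# Constructed sample mirroring the /temp_dir examples in the notes.
EXPORTS_SAMPLE = """\
/temp_dir *(rw,sync,no_root_squash)
/temp_dir 192.168.1.11(rw,sync) 192.168.1.12(ro) 192.168.1.0/24(ro,sync)
/temp_dir *.virtuallab.internal(ro,sync)
"""


def parse_exports(text):
    """-> [(path, [(client, [option, ...]), ...]), ...].
    A bare '(opts)' with no client name applies to everyone, like '*'."""
    result = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else '')
        clients = []
        for tok in rest.split():
            m = re.match(r'([^(]*)(?:\((.*)\))?$', tok)
            if not m:
                raise ValueError('malformed exports entry: ' + tok)
            client, opts = m.group(1) or '*', m.group(2)
            clients.append((client, opts.split(',') if opts else []))
        result.append((path, clients))
    return result


def is_wildcard(client):
    """'*', '*.domain', '?' patterns, or a network shorter than /24 reach many hosts."""
    if '*' in client or '?' in client:
        return True
    m = re.fullmatch(r'[\d.]+/(\d+)', client)
    return bool(m) and int(m.group(1)) < 24


def audit_exports(text):
    """Return [(path, client, finding)] for the entries worth a second look."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            if 'no_root_squash' in opts:
                findings.append((path, client,
                                 'remote root keeps root privileges (no_root_squash)'))
            if 'rw' in opts and is_wildcard(client):
                findings.append((path, client, 'writable by a wildcard client'))
            if 'insecure' in opts:
                findings.append((path, client,
                                 'accepts requests from source ports above 1024 (insecure)'))
    return findings


if __name__ == '__main__':
    for path, client, finding in audit_exports(EXPORTS_SAMPLE):
        print(path, client, '->', finding)
```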
_____________________________________________
then mount
from the remote ip
mount -t nfs 192.168.1.10:/remote_dir /local_dir/
_____________________________________________
showmount -e (to see what is shared)
_____________________________________________
################################
AUTOMOUNT
To make an nfs share permanent, in
/etc/fstab
192.168.1.10:/nfs_homes/home /home nfs rw,soft,timeo=100 0 0
______________________________________________________________________________
Example for auto.misc
nfs_centos1 -rw,soft,intr centos1:/nfs_homes/home
/etc/auto.net ime_servera (ime_servera = server name)
______________________________________________________________________________
########################################
after changes in /etc/exports
exportfs -a (export everything)
exportfs -r (re-export; read up on what "r" does): when we add a dir run this command so it is added to the shares
_____________________
iptables
111 TCP/UDP
2049 TCP/UDP
rpcinfo -p
then we look at 4 daemons:
lockd (TCP)
lockd (UDP)
mountd (TCP)
statd (TCP)
To configure the ports statically:
/etc/sysconfig/nfs (uncomment all the ports it uses; they can also be changed as desired)
Otherwise the ports change randomly on restart!
__________________________________
support for write access (SELinux boolean)
setsebool -P nfs_export_all_rw 1
_____________________________________
fstab line
192.168.1.10:/nfs_homes/home /home/vesna/nfs_home nfs rw,soft,intr 0 0
______________________________________________________________________
Host access is regulated in /etc/exports
User access via ACLs!
_____________________________________
########################################################
13. NIS/LDAP
NIS
edit /etc/yp.conf
domain domain_name server server_name
chkconfig ypbind on
edit /etc/nsswitch.conf
passwd: files nis
shadow: files nis
group: files nis
man ypbind_selinux
setsebool -P allow_ypbind 1
#########################################################
LDAP
we need
openldap-clients, openldap, nss_ldap
To configure the client, ldap.conf must be modified in two places:
/etc/ldap.conf
/etc/openldap/ldap.conf
____________________________________________________
/etc/openldap/ldap.conf
base dc=example,dc=com
URI ldap://127.0.0.1 (replace 127.0.0.1 with the IP of the ldap server and example with the domain name)
########################################################
14. NTP
/etc/ntp.conf
_____________
These are commented out:
#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
#restrict 127.0.0.1
#restrict -6 ::1
also
#server 127.127.1.0
that is, all restrict lines are commented out;
alternatively
delete
nopeer noquery
(Be aware that dropping every restrict line lets any host query and reconfigure the daemon; keeping "restrict default ... nomodify noquery" and opening only your own subnet, as below, is the safer choice.)
__________________________________
Add the servers:
server ip/server_name
When you want this machine to be a server, activate this restrict for the given subnet:
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
To switch SELinux off for ntp:
setsebool -P ntpd_disable_trans 1
___________________________________
chkconfig ntpd on
________________________________
ntpq -np (to query the status of time sync); without "n" we see the server names
ntptrace
ntpq -n (interactive mode)
ntpdate -u 192.168.1.10 (to update)
PORT 123
########################################################
15. PAM
book p. 305
documentation
cd /usr/share/doc/pam-0.99.6.2/txts/
/etc/pam.d/login
the module config files are in
/etc/security/
Applications are PAM-aware, so we just activate PAM and it works.
PAM can disable access for users according to the time of day, password expiration, or a list of restricted users.
If a user cannot log in, check
/var/log/secure to see whether PAM is denying him.
the .so files are in
/lib/security/
_________________________________________________________________________________________________
The files in /etc/pam.d/ are the daemons (services) that can be controlled through the conf files in /etc/security; into the service files we put the .so modules:
for example
account required /lib/security/pam_access.so
whose config file is /etc/security/access.conf
_________________________________________________________________________________________________
examples
/usr/share/doc/pam-0.99.6.2/txts
Say we want to forbid bora from logging in via sshd at night (this rule denies him between 22:00 and 04:00 on all days, Al; at other times he is allowed):
/etc/security/time.conf
sshd;*;bora;!Al2200-0400
and then in
/etc/pam.d/sshd
add
account required pam_time.so
______________________________________________
15.4 Custom PAM Example
This example limits who can use SSH based on a list of users.
1. In /etc/pam.d/sshd, add the following line:
auth required /lib/security/pam_listfile.so onerr=fail item=user sense=allow file=/etc/sshd_users
The above will allow a user to login via sshd if they are listed in the /etc/sshd_users file. The options specified have the following meanings:
* onerr=fail - If an error occurs (file specified isn't found, or an improperly formatted entry is found in the file), fail this test. This will deny the user access via sshd. The other possible option for "onerr" is "succeed".
* item=user - This states that we are testing or verifying the user's login name.
* sense=allow - This means that if the user is found in the file specified, this test succeeds. This will allow the user access if all other PAM tests succeed as well. The other possible option for "sense" is "deny".
* file=/etc/sshd_users - This specifies the file that will contain the list of users (one per line) that are allowed to access sshd.
15.5 Time Based Restrictions
These examples will limit the login times of certain users. See /etc/security/time.conf for more information/examples. In order to place time restrictions on user logins, the following must be placed in /etc/pam.d/login:
account required /lib/security/pam_time.so
The remaining lines should be placed in /etc/security/time.conf.
1. Only allow user steve to log in on weekdays between 7 am and 5 pm.
login;*;steve;Wd0700-1700
2. Allow users Bilbo & Frodo to login on all days between 8 am and 5 pm except for Sunday.
login;*;bilbo|frodo;AlSu0800-1700
If a day is specified more than once, it is unset. So in the above example, Sunday is specified twice (Al = All days, Su = Sunday). This causes it to be unset, so this rule applies to all days except Sunday.
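The time.conf rules from the sshd/bora example above and from 15.5, evaluated in code. This is an added example, not from the original notes or from the PAM project: a re-implementation of pam_time's rule semantics (TIME_CONF is constructed from the rules quoted above) so a rule can be checked against a given date and time. One caveat worth knowing: in pam_time's own day table Wk means Monday to Friday and Wd means Saturday and Sunday, so a rule written with Wd applies on the weekend.

```python
"""Evaluate pam_time rules from /etc/security/time.conf.

Added example (not from the original notes or the PAM project). Day codes
follow pam_time's table (Wk = Mon-Fri, Wd = Sat-Sun, Al = all days) and a
repeated day toggles that day off (AlSu = all days but Sunday). Logic
lists ('|', '&', '!', '*') are evaluated left to right without
precedence. A range crossing midnight (2200-0400) is matched by clock
time only, a simplification of pam_time's own handling.
"""
import re
import datetime as dt

# One bit per day, Sunday = bit 0 ... Saturday = bit 6 (pam_time's layout).
DAY_BITS = {'su': 1, 'mo': 2, 'tu': 4, 'we': 8, 'th': 16, 'fr': 32, 'sa': 64,
            'wk': 2 | 4 | 8 | 16 | 32, 'wd': 1 | 64, 'al': 127}

# Constructed time.conf mirroring the rules quoted in the notes.
TIME_CONF = """\
# services;ttys;users;times
sshd;*;bora;!Al2200-0400
login;*;steve;Wd0700-1700
login;*;bilbo|frodo;AlSu0800-1700
"""


def parse_days(spec):
    """Two-letter day codes XORed together, so a repeated day is unset."""
    bits = 0
    for i in range(0, len(spec), 2):
        bits ^= DAY_BITS[spec[i:i + 2].lower()]
    return bits


def match_time_term(term, when):
    """One 'DaysHHMM-HHMM' term (e.g. 'AlSu0800-1700') against a datetime."""
    days, span = term[:-9], term[-9:]          # HHMM-HHMM is the last 9 characters
    start, end = int(span[:4]), int(span[5:])
    today = 1 << ((when.weekday() + 1) % 7)    # Python Mon=0 -> bit 1, Sun=6 -> bit 0
    now = when.hour * 100 + when.minute
    if start <= end:
        in_range = start <= now < end
    else:                                      # e.g. 2200-0400 crosses midnight
        in_range = now >= start or now < end
    return bool(parse_days(days) & today) and in_range


def match_logic(field, pred):
    """Evaluate a pam_time logic list such as 'bilbo|frodo', '!root' or '*'."""
    result, op = False, '|'
    for tok in re.findall(r'[|&]|!?[^|&!]+', field):
        if tok in ('|', '&'):
            op = tok
            continue
        negate = tok.startswith('!')
        value = tok.lstrip('!')
        hit = value == '*' or pred(value)
        if negate:
            hit = not hit
        result = (result and hit) if op == '&' else (result or hit)
    return result


def parse_rules(text):
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            rules.append(tuple(f.strip() for f in line.split(';')))
    return rules


def login_allowed(conf, service, tty, user, when):
    """pam_time semantics: every rule whose service, tty and user lists match
    must also have a true time field, otherwise access is denied.
    'when' is a datetime or a 'YYYY-MM-DD HH:MM' string."""
    if isinstance(when, str):
        when = dt.datetime.strptime(when, '%Y-%m-%d %H:%M')
    for svc, ttys, users, times in parse_rules(conf):
        applies = (match_logic(svc, lambda s: s == service)
                   and match_logic(ttys, lambda t: t == tty)
                   and match_logic(users, lambda u: u == user))
        if applies and not match_logic(times, lambda term: match_time_term(term, when)):
            return False
    return True


if __name__ == '__main__':
    # 2009-06-01 was a Monday.
    print('bora via sshd Mon 23:00:', login_allowed(TIME_CONF, 'sshd', 'pts/0', 'bora', '2009-06-01 23:00'))
    print('frodo via login Sun 10:00:', login_allowed(TIME_CONF, 'login', 'tty1', 'frodo', '2009-06-07 10:00'))
```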
15.6 Access Based Restrictions
/etc/security/access.conf can be used to restrict access by terminal or host. The following must be placed in /etc/pam.d/login in order for these examples to work:
account required /lib/security/pam_access.so
1. Deny steve login access on all terminals except for tty1:
-:steve:ALL EXCEPT tty1
2. Users in the group jedi are only allowed to login from a local terminal:
-:jedi:ALL EXCEPT LOCAL
3. Allow user gandalf to only login from a trusted server:
-:gandalf:ALL EXCEPT trusted.somedomain.com
_______________________________________________________
/lib/security/pam_access.so account required
/lib/security/pam_listfile.so auth required
/lib/security/pam_time.so account required
/lib/security/pam_wheel.so auth required use_uid (limiting the use of su to the wheel group)
##############################################################
16. Postfix basics
/etc/postfix/main.cf
#myhostname = host.domain.tld
#mydomain=domain.tld
#myorigin =$mydomain
inet_interfaces = all
mynetworks =192.168.1.0/24, 127.0.0.0/8
__________________________________________________________
/etc/aliases (entries are added here for redirects)
username: username01, username02
groupname: username01, username02, othergroupname
____________________________________________________
alternatives --config mta (to choose the default mail agent)
#########################################################
17. Quotas
First add to fstab
usrquota,grpquota
____________________
Then remount that partition
mount -o remount,rw /home
mount -o remount / (examples)
*******************
1 MB = roughly 1000 in edquota soft and hard (the values are in 1 KB blocks)
************************
______________________
Then run
quotacheck -cugm /home (this command creates the two files aquota.user and aquota.group; they should sit in the root of the partition for which we activated quotas)
edquota -t (for the grace period; it is set per filesystem, not per user)
_______________________
then
edquota -u djordje
################################################################
To take the quota of user djordje as a template and set it for the others:
edquota -up djordje bora vesna aleksa adriana
########################################################
quota for groups
edquota -g djordje
###########################################################
soft: a limit that can be exceeded for a certain number of days (the grace period)
hard: the hard limit can never be exceeded
_____________________________________________
repquota -a (lists all users and their quotas - beautiful :-)
______________________________________
##########################################################
18. RAID
RAID 0 stripes writes across both disks; it provides no data redundancy (if one disk dies, everything is gone)
RAID 1 mirroring between 2 or more disks
RAID 4 (requires 3 or more disks): one disk serves as the parity disk and the other two hold data; data redundancy provided
RAID 5 (requires 3 or more disks): like RAID 4 but the parity information is spread over all the disks; data redundancy provided
RAID 6 (requires 4 or more disks): two levels of parity, 2 disks can die and the data is still safe
################################################
To see the existing RAID:
cat /proc/mdstat
to find out more about an array:
mdadm --detail /dev/md0 (or md1, or whichever)
#################################################
To create a RAID:
mdadm --create --verbose /dev/md0 --level=1 --raid-devices=2 /dev/sdd1 /dev/sde1 (out of these 2 disks)
#################################################
remove a disk from the raid
mdadm --verbose /dev/md0 -f /dev/sdd1 -r /dev/sdd1
add a partition to the RAID array
mdadm --verbose /dev/md0 -a /dev/sdd1
##################################################
then it is necessary to create the /etc/raidtab file (that is the raidtools format; with mdadm the equivalent is /etc/mdadm.conf, e.g. from the output of mdadm --detail --scan)
###################################################
then format the RAID device
mkfs.ext3 /dev/md0
##################################################
19. Samba
install:
samba
samba-client
samba-common
samba-swat (management tool)
system-config-samba
_____________________________________________
Adding a user
smbpasswd -a user_name
then add the users to /etc/samba/smbusers
_____________________________________________
then in /etc/xinetd.d/swat set disable=no
then go to http://localhost:901
configure it there,
create a share ....
then
service smb start (automatically starts nmb as well)
_______________________________________________
/etc/samba/smb.conf
_______________________________________________
SELINUX!!!!!!
SELinux for samba is explained in: man samba_selinux - MANDATORY!!!!!!!!!!!!!
When a new folder is shared, run this command so that samba is allowed to access it:
chcon -t samba_share_t putanja_foldera (putanja_foldera = path of the folder)
semanage fcontext -a -t samba_share_t "putanja_foldera(/.*)?" (to make the change permanent)
restorecon -R -v putanja_foldera (to apply the change)
_____________________________________________________________________________
So that users can use it:
chmod +s /sbin/mount.cifs
then
mount.cifs //192.168.1.10/samba4 /root/test2 -o username=djordje
(a setuid-root mount helper widens the attack surface; an fstab entry with the user option is the safer way to let ordinary users mount a share)
_____________________________________________________________________________
chmod 1777 putanja_foldera
(everyone can write into the folder, but you can only delete what you created yourself, not other people's files)
_____________________________________________________________________________
testparm (to test samba for syntax errors)
_____________________________________________________________________________
Samba client
smbclient -L centos1 -U aleksa (to see the shares on centos1 as user aleksa)
to make these two commands usable by users (setuid):
chmod +s /sbin/mount.cifs
chmod +s /sbin/umount.cifs
then try
automount for a directory from linux and 2003
from which to mount the local folder
mount.cifs //server2003/Test_Share /proba_mount -o username=djordje%sifra (sifra = the password; given on the command line it is visible in ps and in the shell history)
umount.cifs proba_mount
then
we can
put the lines into .bashrc (of the given user)
and .bash_logout (of the same user)
___________________________________________________________________
To mount a Samba share automatically when a Linux system comes up after reboot, edit the
/etc/fstab file and put an entry as follows for your Windows/Samba share:
//ntserver/share /mnt/samba cifs username=username,password=password 0 0
___________________________________________________________________
GUI: system/preferences/more preferences/sessions and add /sbin/mount.cifs .... in the same way
________________________________________________________________________________
General:
In the /etc/services file you will find a few lines that refer to Samba services
netbios-ns 137/udp # NetBIOS Name Service
netbios-dgm 138/udp # NetBIOS Datagram Service
netbios-ssn 139/tcp # NetBIOS Session Service
microsoft-ds 445/tcp # Microsoft Directory Service
-A RH-Firewall-1-INPUT -p udp -m udp --dport 137 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
______________________________________
host access is in /etc/smb.conf
user access is also in smb.conf
_________________________________________
########################################################
20. Selinux
Temporary SELinux change
To set it into permissive mode:
echo 0 >/selinux/enforce
You'll need to be logged in as root, and in the sysadm_r role:
newrole -r sysadm_r
To enforcing mode:
echo 1 >/selinux/enforce
____________________________________________________
setenforce 1 | 0: same as the echo above
getenforce: to see which mode it is in!
____________________________________________________
to see the configured mode
cat /etc/selinux/config
____________________________________________________
Permanent change
/etc/selinux/config
SELINUX=enforcing or SELINUX=permissive
_____________________________________________________
quick switch
echo 0 >/selinux/enforce (permissive)
echo 1 >/selinux/enforce (enforcing)
____________________________________________________
You may never need to relabel an entire file system. This usually occurs only when labeling a file system for SELinux for the first time, or when switching between different kinds of policy, such as going from the targeted to the strict policy.
There is one good method for relabeling the file system. You may also hear about two other methods, both of which are not recommended. Here they are in order:
The best and cleanest method to relabel is to let init do it for you on boot.
touch /.autorelabel
reboot
By allowing the relabeling to occur early in the reboot process, you ensure that applications have the right labels when they are started and that they are started in the right order. If you relabel a live file system without rebooting, you may have processes running under the incorrect context. Making sure all the daemons are restarted and running in the right context can be difficult.
It is possible to relabel a live file system using fixfiles, or to relabel based on the RPM database:
fixfiles relabel
fixfiles -R packagename restore
________________________
###########################################################
21. Sendmail
Sendmail
_________________
these need to be installed
sendmail
sendmail-cf
_____________________________
mail is stored in
/var/spool/mail/
_____________________________
aliases are in
/etc/aliases and /etc/aliases.db
________________________________
/etc/mail
sendmail.cf (never edit this one directly)
sendmail.mc (this is the one to modify: it is a macro file from which sendmail.cf is generated)
If we want to change this .mc we just drop the 'dnl' at the start of the line and change whatever we need.
then
cp sendmail.cf sendmail.cf.bak
This needs to be changed:
dnl # DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl (comment it out, or change it to the appropriate IP)
then run the macro processor:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
then in the access file /etc/mail/access
add CONNECT:192.168.1 RELAY
then
makemap hash /etc/mail/access.db < /etc/mail/access
__________________________________________________________
then local-host-names
the domain goes in there
virtuallab.internal (for example)
_______________________________________________________________________________
/etc/mail/virtusertable (contains the mapping between smtp and local user names)
[email protected] djordje
[email protected] aleksa
after changing it we must run
makemap hash /etc/mail/virtusertable.db < /etc/mail/virtusertable
_______________________________________________________________________________
For example, if you want all email addressed to any domain.com account to be delivered to <[email protected]>, you need to add a line to the virtusertable file:
@domain.com [email protected]
Then, to add this new information to the virtusertable.db file, execute makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable as root. This will create a new virtusertable.db that contains the new configuration.
_________________________________________________________________________
Command line usage
sendmail -v username
type the text
then ctrl+d
_____________________________
/etc/mail/local-host-names (contains the domains sendmail handles)
________________________________
in /etc/aliases
pera-zdera: root, djordje
after every change run
newaliases (updates /etc/aliases.db)
_______________________________
IPtables port 25 TCP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
________________________________
alternatives --config mta (to choose the default mail agent)
_________________________________
###############################
domaintable is for redirecting a domain
jedno.com drugo.com
##############################
virtusertable (redirects the mail of a local user to some other mailbox)
vesna@CeClean [email protected]
##############################################
POP3 - port 110
IMAP - port 143
SMTP - port 25
HTTP - port 80
Secure SMTP (SSMTP) - port 465
Secure IMAP (IMAP4-SSL) - port 585
IMAP4 over SSL (IMAPS) - port 993
Secure POP3 (SSL-POP) - port 995
__________________________________________________
#############################################################
22. Squid
/etc/squid/squid.conf
Add to the conf file:
visible_hostname 192.168.1.10
acl local_net src 192.168.1.0/24
http_access allow local_net
_______________________________________
the executable is at
/usr/sbin/squid
_______________________________________
the default port is 3128 TCP
the port can be opened in the firewall,
or web traffic can be redirected to it transparently:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
________________________________________
selinux
setsebool -P squid_connect_any 1
________________________________________
then
squid -z (to create the squid cache dirs)
_______________________________________
chkconfig squid on
_______________________________________
To block a given word in the URL:
acl porn_block url_regex -i porn
http_access deny porn_block
TIME
acl work_days time M T W H F 14:20-14:37
http_access deny work_days
_____________________________________
########################################################
22. SSH
scp file_name user@ip: (default target: the user's home directory)
_____________________________________
ssh-keygen -t dsa
ssh-keygen -t rsa
(DSA keys are deprecated in current OpenSSH releases; prefer rsa or ed25519)
create the authorized_keys file:
copy the .pub keys and append them to /root/.ssh/authorized_keys (or whichever user's ~/.ssh)
_________________________
/etc/ssh/ssh_config
____________________________
known_hosts can be copied to /etc/ssh/ssh_known_hosts so that it applies to everyone (globally accessible)
_____________________________________________________
man sshd_config (config file)
___________________________________________________
Port forwarding
ssh -L 8080:www.linuxcbt.net:80 www.linuxcbt.net
then everything that connects locally to 8080 goes to linuxcbt
http://localhost:8080 port bound to 127.0.0.1
this listens only for local requests
for the whole subnet, i.e. from outside as well:
ssh -g -L 8080:www.linuxcbt.net:80 www.linuxcbt.net
in this case the port is bound to 0.0.0.0 - all IPs (anyone who can reach the machine can use the tunnel)
___________________________________________________________
files
port 22
openssh-server
openssh-clients
openssh-askpass
openssh
____________________
########################################################
23. TCP Wrappers
example
/etc/hosts.deny
sshd: 192.168.1.1
vsftpd: 192.168.1.13
In the following example from a hosts.allow file, all example.com hosts are allowed to connect to all services except cracker.example.com:
ALL: .example.com EXCEPT cracker.example.com
In another example from a hosts.allow file, clients from the 192.168.0.x network can use all services except for FTP:
ALL EXCEPT vsftpd: 192.168.0.
It is also possible to specify a facility using the severity option. The following example logs any SSH connection attempts by hosts from the example.com domain to the local0 facility with a priority of alert:
sshd : .example.com : severity local0.alert
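The hosts.allow/hosts.deny rules above, evaluated the way tcpd does it. This is an added example and not code from the original notes or from tcp_wrappers: HOSTS_ALLOW and HOSTS_DENY are constructed from the lines above (plus a catch-all ALL: ALL in hosts.deny), and the decision follows the documented order: first matching hosts.allow rule grants, first matching hosts.deny rule refuses, otherwise access is granted.

```python
"""Simulate tcpd's hosts.allow / hosts.deny decision.

Added example, not from the original notes or the tcp_wrappers code.
Daemon and client lists understand the EXCEPT operator, which nests to
the right ('a EXCEPT b EXCEPT c' = a EXCEPT (b EXCEPT c)). Client
patterns: ALL, LOCAL (no dot in the hostname), '.domain' suffix,
'a.b.c.' address prefix, or an exact host/address. Options such as
'severity' are parsed but do not affect the decision.
"""
import re

# Constructed from the examples in the notes.
HOSTS_ALLOW = """\
ALL: .example.com EXCEPT cracker.example.com
ALL EXCEPT vsftpd: 192.168.0.
"""

HOSTS_DENY = """\
sshd: 192.168.1.1
vsftpd: 192.168.1.13
# constructed catch-all so that anything not explicitly allowed is refused
ALL: ALL
"""


def client_matches(pattern, host, addr):
    p = pattern.strip()
    if p == 'ALL':
        return True
    if p == 'LOCAL':
        return '.' not in host
    if p.startswith('.'):
        return host.endswith(p)
    if p.endswith('.'):
        return addr.startswith(p)
    return p in (host, addr)


def list_matches(spec, match):
    """Evaluate a daemon or client list, honouring nested EXCEPT."""
    left, sep, rest = spec.partition(' EXCEPT ')
    hit = any(match(item) for item in re.split(r'[,\s]+', left.strip()) if item)
    if sep:
        return hit and not list_matches(rest, match)
    return hit


def parse_access(text):
    """-> [(daemon_list, client_list, [option, ...])]"""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(':')]
        rules.append((fields[0], fields[1], fields[2:]))
    return rules


def access_decision(allow_text, deny_text, daemon, host, addr):
    """True if the connection is granted."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients, _options in parse_access(text):
            if (list_matches(daemons, lambda d: d in ('ALL', daemon))
                    and list_matches(clients, lambda c: client_matches(c, host, addr))):
                return verdict
    return True          # no rule matched in either file: tcpd grants access


if __name__ == '__main__':
    for daemon, host, addr in (('sshd', 'web1.example.com', '10.0.0.5'),
                               ('sshd', 'cracker.example.com', '10.0.0.6'),
                               ('vsftpd', 'pc7', '192.168.0.7')):
        print(daemon, host, addr, '->', access_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, host, addr))
```

Note that a hosts.allow line added only for its severity option, like the sshd logging example above, still grants access to every client it matches, so it must be written at least as narrowly as the access rules around it.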
##############################################################
24. A bit of user administration
useradd -c "Proba" username
usermod -option username (usermod -G PrvaGrupa,DrugaGrupa username)
userdel -option username
usermod -e 2009-16-06 username (the date must be YYYY-MM-DD, so this example should read e.g. 2009-06-16)
chage username -M 2 (maximum number of days a password is valid)
chpasswd < file (lines of username:password)
passwd username
groupadd groupname
groupdel groupname
groups username (lists all the groups the user belongs to)
chmod u,g,o,-+rwx
Permissions for directories
the execute bit on a directory means: allowed to enter the dir
chown username.groupname file/directory
newgrp groupname (when you switch to the group everything is automatically set up for that group)
chage
gpasswd -A user groupname (then that user can control who is in the group and who is not)
gpasswd -a username groupname (that user adds users to the group)
gpasswd -d username groupname (to remove a user from the group)
usermod -e 07/06/2009 vesna (same note: usermod expects YYYY-MM-DD)
_______________________________________
##############################################################
25. Change Desktop from Gnome to Kde
Open /etc/sysconfig/desktop file:
# vi /etc/sysconfig/desktop
Set DESKTOP variable to kde:
DESKTOP="KDE"
DISPLAYMANAGER="KDE"
############################################################
26. Cron
/etc/crontab (main config file)
to edit the crontab
crontab -e
to edit the crontab of a specific user
crontab -u username -e
___________________________________________________________________________
to make a file/script executable
chmod +x scriptname.sh
___________________________________________________________________________
every user that creates a cron entry gets a file in
/var/spool/cron
___________________________________________________________________________
if we create in /etc/
cron.allow (only the users listed here are allowed to create cron entries)
cron.deny (the users listed here are not allowed to)
___________________________________________________________________________
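Added example (not from the original notes): the allow/deny decision above as a shell function, plus an audit that compares it against the files in the spool directory, because cron.allow and cron.deny only control the crontab command while crond keeps running spool files that already exist. Paths are arguments so the code runs against a constructed temporary directory; treating "neither file exists" as permitted is an assumption about site policy.

```shell
#!/bin/sh
# cron_permitted USER ALLOWFILE DENYFILE: may USER run crontab(1) today?
cron_permitted() {
  if [ -f "$2" ]; then
    grep -qx "$1" "$2"             # allow file exists: only listed users
  elif [ -f "$3" ]; then
    ! grep -qx "$1" "$3"           # deny file exists: everyone not listed
  else
    return 0                       # assumption: no files means no restriction
  fi
}

# cron_spool_audit SPOOLDIR ALLOWFILE DENYFILE: print spool entries whose
# owner would be refused by crontab(1) now; crond still executes them.
cron_spool_audit() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    u=${f##*/}                     # spool files are named after the user
    cron_permitted "$u" "$2" "$3" || printf '%s\n' "$u"
  done
}

# make_sample_cron_env: build a constructed spool dir and allow/deny files
# in a temp directory and print its path (sample data, not a real system).
make_sample_cron_env() {
  d=$(mktemp -d)
  mkdir "$d/spool"
  : > "$d/spool/root"; : > "$d/spool/djordje"; : > "$d/spool/vesna"
  printf 'root\ndjordje\n' > "$d/cron.allow"
  printf 'vesna\n' > "$d/cron.deny"
  printf '%s\n' "$d"
}
```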
crontab -l to see which jobs are scheduled
___________________________________________________________________________
anacron is practically a backup for cron (if the system was off, anacron checks afterwards and starts the missed jobs with a set delay)
/etc/anacrontab
___________________________________________________
at now
then at prompts for the commands to run
at> path/to/script
at now, at 21:21, at midnight, atq (to see the queue)
ctrl+d to leave at
___________________________________________
batch (same as at, but the job starts when the system is not busy)
_____________________
minute, hour, day of the month, month, day of the week
* * * * *
_____________________________________________________
########################################################
27. vsftpd
/etc/vsftpd/vsftpd.conf (config file)
important:
default directory
/var/ftp (anonymous users land here; other users go to their own home directory when they log in)
___________________________________
to test ftp
ftp localhost (or ip)
user anonymous
pass [email protected] (just has to be in e-mail format)
_____________________________________
lcd (change the local directory)
!ls (list the local directory; ! runs a command in the local shell)
___________________________________
log file
/var/log/vsftpd.log
______________________________________
xinetd and vsftpd
/usr/share/doc/vsftpd-(version)/vsftpd.xinetd
copy this file to /etc/xinetd.d/vsftpd
set the vsftpd service to disabled so it does not start on its own, because xinetd will start it
then stop vsftpd so it does not collide with xinetd
in vsftpd.conf we must comment out the listen= line (#listen)
we must point xinetd at vsftpd.conf: in /etc/ run ln -s /etc/vsftpd/vsftpd.conf .
then restart xinetd
______________________________________________
set the download speed, put it after listen=
anon_max_rate=10000 (for anonymous: 10000 bytes/s, about 10 KB/s)
local_max_rate=15000 (local users)
______________________________________________
restrict IP addresses that can access - this can also be done via TCP wrappers
vsftpd.conf
deny_email_enable=yes (refuses anonymous logins whose password is a listed e-mail address)
then go to /etc/ and touch vsftpd.banned_emails (this is the default file that vsftpd.conf looks for)
just list the e-mails one per line
________________________________________________
useful options
listen_port=
max_clients=
max_per_ip= max number of connections from one IP
_______________________________________________________
SELinux issue
/usr/sbin/setsebool -P ftp_home_dir=1 (allow ordinary users to use their home directories)
_________________________________________________________
Users are controlled via the ftpusers and user_list files in /etc/vsftpd/
host access via TCP wrappers
_________________________
############################################################
Miscellaneous
Important - check often (that is what my file is called)
when a disk is added in VMware, rescan the SCSI host for hardware changes
echo "- - -" > /sys/class/scsi_host/host#/scan (the host number is found in that directory)
and then check with
fdisk -l
____________________________________________________________________________________
chmod g+s folder/file (sets the setgid bit)
chmod ugo-s folder/file (removes the setuid/setgid bits)
_____________________________________________________________________________________
cat /etc/services (list of services and their ports)
___________________________________
Just an example, but a great one: to see the difference between two or more files, in this case which ports the samba service uses:
# service smb stop
# netstat -ln > netstat-ln-smb.before
# service smb start
# netstat -ln > netstat-ln-smb.after
# diff netstat-ln-smb.*
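Added example, not part of the original notes: the before/after comparison above reduced to proto/port pairs, so the diff reports only the listening sockets a service opened. The two netstat -ln captures embedded below are constructed for the example.

```shell
#!/bin/sh
# Constructed "netstat -ln" captures: before and after starting a service.
NETSTAT_BEFORE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
udp        0      0 0.0.0.0:111                 0.0.0.0:*'
NETSTAT_AFTER='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:139                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:445                 0.0.0.0:*                   LISTEN
udp        0      0 0.0.0.0:111                 0.0.0.0:*
udp        0      0 0.0.0.0:137                 0.0.0.0:*
udp        0      0 0.0.0.0:138                 0.0.0.0:*'

# listeners: stdin = netstat -ln output; stdout = sorted unique "proto/port".
# The port is the last colon-separated field of the local address, so
# IPv6 entries such as ":::22" are handled too.
listeners() {
  awk '$1 ~ /^(tcp|udp)6?$/ { n = split($4, a, ":"); print $1 "/" a[n] }' |
    LC_ALL=C sort -u
}

# new_listeners BEFORE_TEXT AFTER_TEXT: sockets present only in AFTER
new_listeners() {
  b=$(mktemp); a=$(mktemp)
  printf '%s\n' "$1" | listeners > "$b"
  printf '%s\n' "$2" | listeners > "$a"
  LC_ALL=C comm -13 "$b" "$a"
  rm -f "$b" "$a"
}
```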
_____________________________________________________
manually adding name resolution without BIND
/etc/hosts
ip [tab] hostname
192.168.1.10 centos1
_____________________________________________________
to see whether a service is running
ps aux | grep service_name
______________________________________________________
copy the home dir with all its subdirectories into the current dir
cp -r /home/ .
______________________
date -s "05/15/2009 18:35" setting the time and date
_________________________
find /dirtolook -name '*.txt' for example
find -amin -10 (all files accessed within the last 10 minutes); +10 means more than 10 minutes ago, 10 means exactly 10 minutes
___________________________________________________________________
SED
sed 's/djordje/abrahim/g' sed_test > sed_output (replace djordje with abrahim in sed_test and write the output to the file sed_output)
__________
tail -n20 messages (shows the last 20 lines of messages)
tail -f filename (watch a log in real time)
_________________________________
/etc/sysconfig (important folder for system settings): keyboard, clock, iptables, network, static-routes, /etc/sysconfig/network-scripts/ifcfg-eth0; system-config-securitylevel (lists all the ports opened in the firewall; otherwise it is a GUI)
_____________
kill -9 pid kills the process :)
____________
Secure copy
scp user@host:remote-path local-path
scp -r [email protected]:~/tutorial ~/ (for a whole dir use "-r")
_____________
cat /root/install.log (what was installed)
/var/log/dmesg (memory, cpu, a lot of information from boot time)
_____________________________
PATH=$PATH:/directory_to_add
export PATH
_______________________
when a user is created, a line is added to
/etc/passwd
/etc/group
and
/etc/shadow
/etc/gshadow
to move the password hashes out of /etc/passwd into /etc/shadow (and group passwords into /etc/gshadow)
pwconv
opposite
pwunconv
grpconv
grpunconv
_______________
free (command) shows how much free memory there is
__________________________________________
to create a new swap file
dd if=/dev/zero of=/swapfile bs=1024 count=1024
mkswap /swapfile
swapon /swapfile
it will not be there after a restart - it has to be added to fstab
_________________________________________
reread fstab
mount -a
______________________________
env lists all variables
variables are set with
export TERM=vt100
export PATH=$PATH:/dir_za_path
________________________________
XORG, XFS
xfs (package xorg-x11-xfs-1.0.2-4.i386.rpm, for a possible --force install)
is needed for X11 (GUI) to start. The config file is /etc/X11/fs/config. Check whether it exists ...
whether the service is started: chkconfig --list xfs
system-config-display settings are in /etc/X11/xorg.conf
fonts /usr/share/X11/fonts/misc
log file /var/log/Xorg.0.log
to set the DISPLAY env variable
export DISPLAY=localhost:0.0
or
export DISPLAY=:0.0
______________________________________
to add a virtual IP address on an adapter
ifconfig eth0 add 192.168.1.101
_________________________________________
***********************************************
***********************************************
Example to create a 1GB file (block size times count gives the size; 1 GB = 1048576 blocks of 1024 bytes):
dd if=/dev/zero of=file_1GB bs=1024 count=1048576
/or/
dd if=/dev/zero of=file_1GB bs=4096 count=262144
/or/
dd if=/dev/zero of=file_1GB bs=2048 count=524288
Example to create a 2GB file:
dd if=/dev/zero of=file_2GB bs=2048 count=1048576
/or/
dd if=/dev/zero of=file_2GB bs=1024 count=2097152
Example to create a 512MB file:
dd if=/dev/zero of=file_512MB bs=1024 count=524288
/or/
dd if=/dev/zero of=file_512MB bs=512 count=1048576
************************************************
AWK for all users with a uid of 500 or more (here limited to 500..1000)
awk -F: '{if ($3>=500 && $3<=1000) print}' /etc/passwd | cut -d: -f1
_____________________________________________________________________________
#########################################################
Some administration
mkfs (create a filesystem on a partition)
fdisk (create, edit, move, rename partitions)
fsck (do not run on mounted filesystems)
df (filesystems, space, mounted)
du (disk usage)
du --max-depth=1 -h
cp -ar /home/* /root/test (all files and directories)
To preserve the ownership of the files while copying them to some other location you can use the -pR switch as below:
cp -pR /path/of/the/source /path/of/the/destination
____________________________________________________________________________________________
scp existing_folder [email protected]:/root/ (-r is used if it is a folder)
___________________________________________
symbolic link
ln -s existing_file_or_folder newfile (a soft link can span different disks, a hard link cannot)
___________________________________________
grep '\<50.\>' /etc/group (lists everything with 50 followed by one more character - 500, 501; . is used instead of an asterisk)
______________________________________________
watch command (runs the command again every two seconds)
_________________________
rpm -ivh to install
rpm -Uvh installs if not present, otherwise upgrades
rpm -Fvh only freshens (upgrades packages that are already installed)
_______________________________________________
ntsysv (services can be switched on/off, but only for the current runlevel)
_______________________________________
BACKUP
tar -cvzf name.tar.gz /directory_to_tar /more_directory (without "z" it is plain tar, no gzip)
tar -cvpf name.tar --newer 16jun09 /directory_to_tar /another_directory
to look inside a tar
tar -tvpf name.tar | less
_______________________________________________________________
################################################
Dovecot
/etc/dovecot.conf
#protocols - imap imaps pop3 pop3s (leave only the ones we need)
#listen = 192.168.1.100:10110
#ssl_disable = no (the double negation means YES, SSL is enabled)
For SSL
#ssl_cert_file =
#ssl_key_file =
We may need to use
mail_location
otherwise dovecot will have problems with users that have no home dir
_______________________________________________________________________
Creating the certificates
first delete the generated certificates
/etc/pki/dovecot/certs/dovecot.pem
and
/etc/pki/dovecot/private/dovecot.pem
then create the certificates
/usr/share/doc/dovecot-1.0.7/examples/mkcert.sh
__________________________________________________________
ports
POP3
110
995 ssl
IMAP
143
993 ssl
___________
#############################################################
There is more, but it is painfully disorganized... This part is more or less organized. It can serve as a reminder when preparing for the RHCE.
Cheers
[This message was edited by Machiavelli... on 26.08.2010 at 17:32 GMT+1]