├── dynamic_route.txt
├── scheduling_crontab.txt
├── img
│   └── rsyslog-tcp.png
├── udev.txt
├── test.txt
├── ntp.txt
├── apparmor.txt
├── minimum_makefile_for_pack_mang.txt
├── static_ip_seperate_interface.txt
├── automount_file_system.txt
├── nfs.txt
├── downgrade.txt
├── port_numbers.txt
├── memorize_commands.txt
├── kernel.txt
├── rsync.txt
├── pam.txt
├── lxd.txt
├── tmux.txt
├── pxe_server.txt
├── squid.txt
├── create_systemd_service.txt
├── dhcp.txt
├── selinux.txt
├── docker.txt
├── pam_openldap.txt
├── static_routing.txt
├── mariadb.md
├── samba.txt
├── partition.txt
├── troubleshoot_networking_commands.txt
├── adv_networking_vagrant_clients.txt
├── rsyslog.md
├── ssh.txt
├── lvm.txt
├── package_management.txt
├── filesystem.txt
├── iscsi.txt
├── ftp.txt
├── misc_commands.txt
├── lf_linux_networking_administration_course_contents.txt
├── dns.txt
├── email.txt
├── apache-ssl.md
├── firewall.txt
├── lxc.md
├── README.md
└── apache.txt

--------------------------------------------------------------------------------
/dynamic_route.txt:
--------------------------------------------------------------------------------
Go to document "adv_networking_vagrant_clients.txt".

--------------------------------------------------------------------------------
/scheduling_crontab.txt:
--------------------------------------------------------------------------------
crontab -e
*/1 * * * 1-5 logger its a weekday

--------------------------------------------------------------------------------
/img/rsyslog-tcp.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ghumman/lfce/HEAD/img/rsyslog-tcp.png

--------------------------------------------------------------------------------
/udev.txt:
--------------------------------------------------------------------------------
#system-installed rules
/usr/lib/udev/rules.d/

#custom-made rules
/etc/udev/rules.d/

#reloading the rules
udevadm control --reload

--------------------------------------------------------------------------------
/test.txt:
--------------------------------------------------------------------------------
This file is created because .git repos were deleted by mistake. I want to fetch .git from online repositories and see if I can fetch and commit new local files and push the changes again.

--------------------------------------------------------------------------------
/ntp.txt:
--------------------------------------------------------------------------------
Install
sudo apt-get install ntp

To Test
ntpq -p

To Peer (/etc/ntp.conf)
peer 192.168.33.XX
(On both nodes)

To connect to an ntp server
server 192.168.33.xx iburst

--------------------------------------------------------------------------------
/apparmor.txt:
--------------------------------------------------------------------------------
#AppArmor is installed by default, but only with a very basic set of profiles.
sudo apt install apparmor-profiles
sudo apt install apparmor-utils

#status
aa-status

#profile location
/etc/apparmor.d/

#Create a profile
aa-genprof

--------------------------------------------------------------------------------
/minimum_makefile_for_pack_mang.txt:
--------------------------------------------------------------------------------
all:
	g++ CppHelloWorld.cpp -o CppHelloWorld
install:
	install -d $(DESTDIR)/usr/bin
	install CppHelloWorld $(DESTDIR)/usr/bin
clean:
	rm -f CppHelloWorld

--------------------------------------------------------------------------------
/static_ip_seperate_interface.txt:
--------------------------------------------------------------------------------
Install vlan
sudo apt-get install vlan

(May need it) Load the 8021q kernel module
sudo modprobe 8021q

Add following to /etc/network/interfaces
auto eth1.7
iface eth1.7 inet static
    address 10.10.0.0
    netmask 255.255.255.0
    vlan-raw-device eth1

Apply
sudo ifup eth1.7

--------------------------------------------------------------------------------
/automount_file_system.txt:
--------------------------------------------------------------------------------
Install
sudo apt-get install autofs

Assuming the server is all set for nfs (/etc/exports) and samba (/etc/samba/smb.conf), inside the client:
sudo vim /etc/auto.master
"
/auto /etc/auto.auto --timeout=10    # unmount after 10 seconds idle
"

sudo vim /etc/auto.auto
"
data -rw 192.168.33.10:/srv/data
lab -fstype=cifs,rw,username=linda,password=linda ://192.168.33.10/labshare
"

--------------------------------------------------------------------------------
/nfs.txt:
--------------------------------------------------------------------------------
Install NFS
sudo apt-get install nfs-kernel-server nfs-common

Inside server (vim /etc/exports)
/home/vagrant/nfs_server 127.0.0.1/32(rw) 192.168.33.0/24(ro)

Make changes effective
exportfs -a

Inside client
sudo mount 192.168.33.10:/home/vagrant/nfs_server /home/vagrant/remote_share

In order to see what shares are available on a host/client
showmount -e 192.168.33.10

--------------------------------------------------------------------------------
/downgrade.txt:
--------------------------------------------------------------------------------
apt-get install «pkg»=«version»
sudo apt-get -t=«release» install «pkg»

apt-cache showpkg «pkg»    # lists all available versions
apt-mark hold «pkg»        # "holds" the package at the current version, preventing automatic upgrades.

#Check current version and candidate version of a package
apt-cache policy «pkg»

#Run simulation of upgrading a software package
apt-get -s install vim

#Run simulation of upgrading all packages
apt-get -V -s upgrade

--------------------------------------------------------------------------------
/port_numbers.txt:
--------------------------------------------------------------------------------
The best place to find port numbers and their names is the following file
/etc/services

21 ftp
22 ssh
23 telnet
25 smtp
53 dns
53 domain
63 tftp
80 http
110 pop3
111 rpcbind
139 netbios-ssn
143 imap
443 https
445 microsoft-ds
631 ipp
873 rsync
993 imaps
995 pop3s
2049 nfs
2200 ici
2222 EtherNetIP-1
3000 ntop
3000 ppp
3128 squid-http
3306 mysql
7200 fodms
8080 http-proxy

--------------------------------------------------------------------------------
/memorize_commands.txt:
--------------------------------------------------------------------------------
AuthType Basic
AuthName "Restricted Area"
AuthUserFile secure.users
Require valid-user

htpasswd -c secure.users vagrant

#When setting SASL for postfix using dovecot
postconf -e "smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination"
echo -en "\0vagrant\0vagrant" | base64
(When SASL is up and TLS-only auth is up, use the following)
gnutls-cli --crlf --starttls --insecure --port 25 «host»

--------------------------------------------------------------------------------
/kernel.txt:
--------------------------------------------------------------------------------
#check which modules (drivers) are loaded
lsmod

#manually load a module
modprobe xxxxx

#remove/unload a module
modprobe -r xxxxx

#info about a module
modinfo xxxxxx

#EXAMPLE: disable ipv6 using kernel proc
cd /proc/sys/net/ipv6/conf/all
echo 1 > disable_ipv6    (need to be root; vim won't work on proc files)
# If you want to keep it this way even after reboot
cd /etc/sysctl.d/
echo "net.ipv6.conf.all.disable_ipv6 = 1" > ipv6.conf

#See all tunables
sysctl -a
sysctl -a | wc

--------------------------------------------------------------------------------
/rsync.txt:
--------------------------------------------------------------------------------
# rsync over ssh
rsync -av /tmp/transfer-lab/*.bin root@localhost:/tmp/receive/.    (similar to scp; a=archive, v=verbose)

#sharing a folder over rsync protocol
#inside server
mkdir /srv/rsync/
for i in /srv/rsync/{a,b,c}-{1,2,3}.{txt,log,bin}
do
    echo $i > $i
done
#create /etc/rsyncd.conf
vim /etc/rsyncd.conf
[default]
path = /srv/rsync
comment = default rsync files
# modify /etc/default/rsync
RSYNC_ENABLE=true
# see rsync shared modules
rsync localhost::
#from client
rsync -av 192.168.33.20::default from_client2/.
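The [default] module above has neither `hosts allow` nor `auth users`, so any host that can reach tcp/873 on the server can read /srv/rsync. As an added example (not part of these notes), the following function parses an rsyncd.conf and reports modules that lack such controls; the function names and the sample config in the test are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the lfce notes: audit rsyncd.conf modules for
# missing access controls.  Usage: rsyncd_audit /etc/rsyncd.conf
# Prints one finding per line and nothing when every module is restricted.
# Simplification: settings in the global section are not inherited here.

# rsyncd_audit FILE
# For each [module] section flag:
#   - no "hosts allow" line            (any client that reaches tcp/873 can use it)
#   - "read only = no" without "auth users"  (anonymous write access)
#   - a writable module with chroot disabled or running as root
rsyncd_audit() {
    awk '
        function flush(    k) {
            if (module == "") return
            if (!("hosts allow" in opt))
                print module ": no \"hosts allow\" (reachable from any client)"
            if (opt["read only"] == "no" || opt["read only"] == "false") {
                if (!("auth users" in opt))
                    print module ": writable without \"auth users\""
                if (opt["use chroot"] == "no" || opt["use chroot"] == "false")
                    print module ": writable with chroot disabled"
                if (opt["uid"] == "root" || opt["uid"] == "0")
                    print module ": writable and running as root"
            }
            for (k in opt) delete opt[k]
        }
        /^[[:space:]]*[#;]/ { next }                 # comment line
        /^[[:space:]]*\[/ {                          # [module] header
            flush()
            module = $0
            sub(/^[[:space:]]*\[/, "", module); sub(/\].*$/, "", module)
            next
        }
        /=/ && module != "" {                        # key = value inside a module
            key = $0; val = $0
            sub(/[[:space:]]*=.*$/, "", key); sub(/^[[:space:]]+/, "", key)
            sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            opt[tolower(key)] = tolower(val)
        }
        END { flush() }
    ' "$1"
}

# rsyncd_finding_count FILE: number of findings, handy for alerting from cron.
rsyncd_finding_count() {
    rsyncd_audit "$1" | wc -l | tr -d ' '
}

# Run directly as: sh rsyncd_audit.sh /etc/rsyncd.conf
if [ -n "$1" ] && [ -f "$1" ]; then
    rsyncd_audit "$1"
fi
```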
--------------------------------------------------------------------------------
/pam.txt:
--------------------------------------------------------------------------------
#Check if application/program is pam aware
ldd $(which sshd) | grep pam

#Format of lines inside /etc/pam.d/****
type (account, auth, password, session)
control-flag (requisite, required, sufficient, optional, ...)
module (pam_mail.so, pam_env.so, pam_selinux.so, ...)
module-arguments (open, force, revoke, ...)

#Restrict root access to ssh service via pam
1) Add following line to /etc/pam.d/sshd and /etc/pam.d/login
auth required pam_listfile.so onerr=succeed item=user sense=deny file=/etc/ssh/deniedusers
2) sudo vim /etc/ssh/deniedusers
root

--------------------------------------------------------------------------------
/lxd.txt:
--------------------------------------------------------------------------------
#Install
sudo apt-get install lxd

#Add User to the lxd group
sudo adduser vagrant lxd
newgrp lxd

#Setting lxd using ZFS storage backend
sudo apt-get install zfsutils-linux

#Initialize
sudo lxd init

#List all VM
lxc list

#List available images
sudo lxc image list images: | grep ubuntu

# Launch a VM
lxc launch ubuntu:16.04
(or) lxc launch images:ubuntu/16.04 myweb

#Execute commands inside container
lxc exec ace-wren /bin/bash    (ace-wren is the name of the instance)

#Stop vm container
lxc stop ace-wren

#Delete vm container
lxc delete ace-wren

--------------------------------------------------------------------------------
/tmux.txt:
--------------------------------------------------------------------------------
sudo apt-get install tmux

Ctrl+b -> ?        Help
Ctrl+b -> "        Breaks horizontally
Ctrl+b -> %        Breaks vertically
Ctrl+b -> o        Go to next pane (same bash)
Ctrl+b -> Ctrl+o   Bring next pane to current location (Used to switch panes)
Ctrl+b -> space    Switch between horizontal and vertical panes
Ctrl+b -> [        Start cursor mode, can be used to go up and down or to copy. Do the following to copy
Ctrl+b -> Space    Start copying
Ctrl+b -> Ctrl+w   End copying
Ctrl+b -> ]        Paste
Ctrl+b -> !        This will take the pane out of the layout and make it a new window (new bash)
Ctrl+b -> :        To give a command
:join-pane -t #    (0 or 1 or else) to combine a window back into a pane. -t=to (also -s=source)

--------------------------------------------------------------------------------
/pxe_server.txt:
--------------------------------------------------------------------------------
(preboot execution environment)

#Install dhcp server
sudo apt-get install isc-dhcp-server
sudo vim /etc/default/isc-dhcp-server
INTERFACES="enp0s8"
sudo vim /etc/dhcp/dhcpd.conf
"
option domain-name "client1.org";
option domain-name-servers ns1.client1.org;
authoritative;
subnet 192.168.33.0 netmask 255.255.255.0 {
    range 192.168.33.48 192.168.33.50;
}
host ubuntu-client2 {
    hardware ethernet 08:00:27:8e:42:67;
    fixed-address 192.168.33.49;
}
"
sudo systemctl restart isc-dhcp-server

#Install PXE along with tftp
sudo apt-get install apache2 tftpd-hpa inetutils-inetd

The rest of the guide can be followed from the following link; it needs real hardware and can't be tried out on VMs.

https://www.ostechnix.com/how-to-install-pxe-server-on-ubuntu-16-04/

--------------------------------------------------------------------------------
/squid.txt:
--------------------------------------------------------------------------------
Install squid and squidguard
sudo apt-get install squid3 squidguard

sudo vim /etc/squid/squid.conf
# Search for INSERT (/INSERT in vim) and add the following
acl client1 src 192.168.33.10
acl client2 src 192.168.33.20
acl allclients src 192.168.33.0/24

http_access allow allclients !client1

NOTE: All of these need to be before the following line to work.
http_access deny all

To test it in Firefox, use 192.168.33.1 as the proxy for this example.
For testing it inside vagrant, assuming client1 is 192.168.33.10 and client2 is 192.168.33.20, do the following.
sudo apt-get update
sudo apt-get install w3m
sudo vim /etc/environment    (add the following line)
http_proxy="http://192.168.33.1:3128/"

NOTE: clients need to be on the same subnet. A vagrant machine can ping the host's other IP addresses, but if those other addresses are used the vagrant machine will actually appear as localhost.
NOTE: Make sure there's no iptables rule set.

--------------------------------------------------------------------------------
/create_systemd_service.txt:
--------------------------------------------------------------------------------
Packages we install normally reside at
/usr/bin (system related binaries in /usr/sbin)

Two locations where we can put systemd unit files
/usr/lib/systemd/ (Create a directory "system" and put foo.service in it)
/etc/systemd/system (Put foo.service in it. A directory foo.service.d with 00-foo.conf can also be made to add features or make changes)
(/etc/systemd/system has precedence over /usr/lib/systemd/system)
00-foo.conf
[Service]
ExecStart=
ExecStart=/usr/bin/stress --cpu 3 --io 3 --vm 3 --vm-bytes 32M --timeout 9s

systemd-delta will tell which systemd configuration is used (it will only tell whether /usr/lib/systemd or /etc/systemd is used).

Slices are used for additional features. Add a file foo.slice inside /etc/systemd/system/ and declare this slice inside /etc/systemd/system/foo.service.d/00-foo.conf
foo.slice
[Unit]
Description=slice of stress from /etc/systemd/system/
[Slice]
CPUQuota=2%
(Then at the bottom of the file 00-foo.conf add the following line)
Slice=foo.slice

Command 'systemctl daemon-reload' will reload the configuration files of systemd units

--------------------------------------------------------------------------------
/dhcp.txt:
--------------------------------------------------------------------------------
Install
sudo apt-get install isc-dhcp-server

Assign static ip address (/etc/network/interfaces)
auto enp0s31f6
iface enp0s31f6 inet static
    address 10.5.5.1
    netmask 255.255.255.0

Declare which interface to use for dhcp server
sudo vim /etc/default/isc-dhcp-server
INTERFACES="enp0s31f6"

Add following to /etc/dhcp/dhcpd.conf
ddns-update-style none;
option domain-name "example.org";
option domain-name-servers ns1.example.org, ns2.example.org;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
# A slightly different configuration for an internal subnet.
subnet 10.5.5.0 netmask 255.255.255.224 {
    range 10.5.5.26 10.5.5.30;
    option domain-name-servers ns1.internal.example.org;
    option domain-name "internal.example.org";
    option subnet-mask 255.255.255.224;
    option routers 10.5.5.1;
    option broadcast-address 10.5.5.31;
    default-lease-time 600;
    max-lease-time 7200;
}
host desktop-node {
    hardware ethernet a0:8c:fd:d6:bd:0f;
    fixed-address 10.5.5.30;
}

dhcp leases can be found in the following file
/var/lib/dhcp/dhcpd.leases

--------------------------------------------------------------------------------
/selinux.txt:
--------------------------------------------------------------------------------
#Install
sudo systemctl stop apparmor
sudo systemctl disable apparmor
sudo apt-get purge apparmor
(Even after doing all this, selinux wasn't enforcing/working on xenial, but it worked on precise)
sudo apt-get install selinux

#Enable
sudo vim /etc/selinux/config
SELINUX=permissive
reboot

#Get Status
getenforce

#Toggle between Permissive and Enforcing
setenforce

#See context labels
ls -Zl    (-Z option; the context type is the third field of the label)

#EXAMPLE: if a webserver page is giving an error.
Check getenforce
Set setenforce 0 and test that the webpage is working.
Confirm that the context type is mismatching by using the following commands
ls -lZ /var/www/html (or /var/www/)
ls -lZ /var/www/html/index.html
To fix, use the following command, and then setenforce 1
sudo restorecon -R /var/www/html/web-api/

EXAMPLE: change context type of directory /srv/lab and everything under it
semanage fcontext -a -t samba_share_t "/srv/lab(/.*)?"
restorecon -Rv /srv/lab

EXAMPLE: change context type of directory /srv/ftp/upload and everything under it
semanage fcontext -a -t public_content_rw_t "/srv/ftp/upload(/.*)?"
restorecon -Rv /srv/ftp/upload

#Check whether the anonymous ftp user is allowed to write or not
getsebool -a | grep ftp

--------------------------------------------------------------------------------
/docker.txt:
--------------------------------------------------------------------------------
(In order to install the right way, follow the guidelines on the website, but the following does the job)
Install
sudo apt-get install docker docker.io

Help
docker -h / docker --help

Search for package/docker image 'linux' (to keep only results with 5 or more stars add -s 5)
docker search linux

Create a docker image 'test', using oraclelinux version 7
docker create --name test oraclelinux:7

Create a docker image 'test', using oraclelinux version 7 with a specific software
docker create --name test oraclelinux:7 /bin/bash

Information about the entire docker system, containers and statuses
docker info

In order to pull/download an image
docker pull ubuntu

In order to see what images are downloaded
docker images

In order to see all containers
docker ps -a

Run a command (the following will automatically pull the image if not available)
docker run fedora echo "hello"

Run a container with a terminal
docker run -it ubuntu /bin/bash

Recent activity from a particular container
docker logs b336de20e2ff
(for detailed inspection)
docker inspect b336de20e2ff

Create your own container
docker create -it --name mycontainer centos:6.8 /bin/bash

Remove a container
docker rm 3f1e1e65703a

--------------------------------------------------------------------------------
/pam_openldap.txt:
--------------------------------------------------------------------------------
#Centos guide
#Install
yum install openldap compat-openldap openldap-clients openldap-servers nss-pam-ldapd

systemctl start slapd

slappasswd -h {SSHA} -s password

cd LDAP/LDAP/
vim initial.ldif

(paste password as olcRootPW: {SSHA}...)

# import
ldapmodify -Y external -H ldapi:/// -f initial.ldif

# import
for i in cosine nis inetorgperson; do ldapadd -Y external -H ldapi:/// -f /etc/openldap/schema/$i.ldif; done

#add ous and users
ldapadd -x -W -D "cn=ldapadm,dc=la,dc=local" -f ous.ldif
(write password)
ldapadd -x -W -D "cn=ldapadm,dc=la,dc=local" -f users.ldif

#setup pam to authenticate locally
authconfig --enableldap --enableldapauth --ldapserver=localhost --ldapbasedn="dc=la,dc=localhost" --enablemkhomedir --update
# restart caching daemon
systemctl restart nslcd
# id tcox
# id pinehead

#setup pam on client
yum install openldap-clients nss-pam-ldapd -y
authconfig --enableldap --enableldapauth --ldapserver=10.0.1.100 --ldapbasedn="dc=la,dc=localhost" --enablemkhomedir --update
# restart caching daemon
systemctl restart nslcd
# id tcox
# id pinehead

#Run and test on either client or server
ldappasswd -s password -W -D "cn=ldapadm,dc=la,dc=local" -x "uid=pinehead,ou=People,dc=la,dc=local"
ssh pinehead@localhost

--------------------------------------------------------------------------------
/static_routing.txt:
--------------------------------------------------------------------------------
Client1:
auto eth1.7
iface eth1.7 inet static
    address 10.10.0.10
    netmask 255.255.255.0
    vlan-raw-device eth1
    up route add -net 10.10.0.0 netmask 255.255.255.0 gw 192.168.33.40

auto eth1.8
iface eth1.8 inet static
    address 192.168.4.100
    netmask 255.255.255.0
    vlan-raw-device eth1
    up route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.33.40
    up route add -net 10.20.0.0 netmask 255.255.255.0 gw 192.168.33.40

Client2:
auto eth1.9
iface eth1.9 inet static
    address 192.168.4.110
    netmask 255.255.255.0
    vlan-raw-device eth1
    up route add -net 192.168.4.0 netmask 255.255.255.0 gw 192.168.33.30

auto eth1.8
iface eth1.8 inet static
    address 10.20.0.10
    netmask 255.255.255.0
    vlan-raw-device eth1
    up route add -net 10.20.0.0 netmask 255.255.255.0 gw 192.168.33.30

Client3:
auto enp0s8.7
iface enp0s8.7 inet static
    address 10.20.0.20
    netmask 255.255.255.0
    vlan-raw-device enp0s8
    up route add -net 10.20.0.0 netmask 255.255.255.0 gw 192.168.33.20
    up route add -net 10.10.0.0 netmask 255.255.255.0 gw 192.168.33.20

#In the manual it is done as follows
up route add -net 192.168.4.0/24 gw 192.168.33.10 dev enp0s31f6

--------------------------------------------------------------------------------
/mariadb.md:
--------------------------------------------------------------------------------

```sh
lxc launch images:ubuntu/21.10 mariadb -c limits.cpu=1 -c limits.memory=200MiB
lxc exec mariadb -- bash

## ----- From the container
apt install mycli mariadb-server mariadb-client vim

systemctl enable --now mariadb

mysql_secure_installation

mysqladmin -u root -p version
create database if not exists test;

create user 'student'@'%' identified by 'student';

grant all privileges on test.* to 'student'@'%';

select user, host from mysql.user;

exit

mysql -u student -p --database=test
create table courses (
    -> courseno int not null,
    -> title varchar(100),
    -> description varchar(200),
    -> primary key (courseno)
    -> );
insert into courses values (1, 'Computer Science', 'Start meditating before it is too late.');

cat <<EOF >>/etc/mysql/my.cnf
[mysqld]
skip-networking=0
skip-bind-address
EOF


## ----- From the host
lxc exec mariadb -- systemctl restart mariadb
lxc exec mariadb -- mysqld --print-defaults

export MARIADB_IP=`lxc info mariadb |grep -m1 inet |cut -f3`
apt install mariadb-client
mysql -u student -h ${MARIADB_IP} -p --database=test
```

### Useful links
- https://mariadb.com/kb/en/a-mariadb-primer/
- https://mariadb.com/kb/en/sql-statements/
- https://www.mariadbtutorial.com/mariadb-basics/

--------------------------------------------------------------------------------
/samba.txt:
--------------------------------------------------------------------------------
Install samba and samba client on both server and client
sudo apt-get install samba smbclient

On vagrant client1:
mkdir smb_share
sudo vim /etc/samba/smb.conf
[mainexports]
comment = client1 sharing with client2
path = /home/vagrant/smb_share
read only = no
guest ok = yes
valid users = vagrant

smbpasswd -a vagrant
service smbd restart

On vagrant client2:
smbclient -U vagrant //192.168.33.10/mainexports
Doing the above, you'll enter the 'smb' command line.
In order to mount, do the following.
sudo apt-get install cifs-utils
mount -o username=vagrant //192.168.33.10/mainexports /home/vagrant/remote_smb_share
(or)
mount -o username=vagrant,password=vagrant //192.168.33.10/mainexports /home/vagrant/remote_smb_share
(or)
sudo vim /etc/fstab    (add the following line)
//192.168.33.10/mainexports /home/vagrant/remote_smb_share cifs creds=/root/creds,_netdev 0 0
sudo vim /root/creds
username=vagrant
password=vagrant
Then in order to mount, use the following command
mount -a

If you want to see available samba shares on a client, use the following command
smbclient -L 192.168.33.10    (ignore the password prompt and hit enter)

For adding a user linda in group users
useradd -G users linda
For modifying the group of user linda to users
usermod -aG users linda

Check syntax errors in the /etc/samba/smb.conf file
testparm

--------------------------------------------------------------------------------
/partition.txt:
--------------------------------------------------------------------------------
#Create a hard drive/image
a) Using loop devices

dd if=/dev/zero of=500MB_HDD.img bs=1M count=512    (total size will be 1M*512)
# Now there are two options: i) create the /dev/loopx and then use fdisk (to create partitions) and mkfs.ext4 (to create a file system). ii) Create partitions using fdisk and the filesystem using mkfs.xxxxx, and then make /dev/loopxx. Use the following command to make /dev/loopxx
sudo losetup -Pf --show 500MB_HDD.img    (losetup: loopback setup; -P tell the OS the new device is there; -f find the first loop device available; --show display which loop device was created)

#To see partitions
cat /proc/partitions
(or)
sudo fdisk -l

#Partition (MBR)
sudo fdisk /dev/loop3p1
(p to print current table)
m -> manual/help
n -> create new partition
p/e -> primary (up to 4) / extended
number -> partition number
first sector
last sector -> +500M/+1G
p -> print current tables
w -> write it
q -> quit
# When creating an extended partition, create another logical partition on top of it, as an extended partition is like an empty container and a logical partition needs to go in it.

#Use partprobe /dev/xxxxx to synchronize

partprobe /dev/sdc    # inform the OS about the new partition

#Partition (GPT)
sudo gdisk /dev/loop2

#Write filesystem to partition
Go to filesystem.txt


# Swap partition.
fdisk /dev/loopxx    (fdisk can also be used to change the partition type)
>t (change partition type)
>l (list all codes for all partition types)
>82 (for swap)
>p (show partitions)
>w

#encrypted partition.
check out filesystem.txt

--------------------------------------------------------------------------------
/troubleshoot_networking_commands.txt:
--------------------------------------------------------------------------------
ping:
Use: look at the icmp_seq numbers to see whether any packet is being lost.
ttl is the maximum distance, can be 128 hops
sudo ping -f localhost    (flood: can be used for a stress test)
sudo ping -f -s 4096 localhost    (-s: packet size)

traceroute:
Not useful anymore. In the early internet days,
it was used to see which routers are used.
Now you'll see ***.
11 | 12 | nmap: 13 | It's port scanner 14 | Example: 15 | nmap localhost 16 | nmap -sn 192.168.0.0/24 17 | arp: 18 | Address Resolution Protocol 19 | 20 | telnet: 21 | telnet protocol 22 | telnet www.google.com 80 (Followed by GET) 23 | 24 | openssl: 25 | crytography toolkit implementing SSL and TLS 26 | openssl s_client -connect google.com:443 27 | 28 | tcpdump/wireshark: 29 | dump traffic on a network 30 | tcpdump -i wlp1s0 -w capture.pcap (write results to capcure.pcap) 31 | tcpdump -i wlp1s0 port 21 (for ftp) 32 | tcpdump -i wlp1s0 proto ICMP (for ping) 33 | 34 | ss: 35 | socket statistics (netstat: deprecated) 36 | ss -tua (t:tcp u:udp a:all) 37 | (Normally used) 38 | ss -tuna (will not show names) 39 | ss -tua (will show names of services) 40 | ss -ltn (will tell you listening ports) 41 | netstat -tulpen 42 | netstat -taupe 43 | 44 | ip -s link: 45 | This will show information about packets which are shown by ifconfig. Will also show mac address 46 | 47 | ethtool -S wlp1s0: 48 | Statistics for device wlp1s0 49 | 50 | iptraf: 51 | real time traffic on the computer 52 | 53 | ntop: 54 | start the service and use it from browser(it runs as a server), http://localhost:3000 55 | 56 | sysctl -a: 57 | shows all the network parameters which can be modified 58 | 59 | 60 | 61 | 62 | -------------------------------------------------------------------------------- /adv_networking_vagrant_clients.txt: -------------------------------------------------------------------------------- 1 | sudo apt-get install vlan 2 | sudo vim /etc/network/interfaces 3 | " 4 | auto eth1.7 5 | iface eth1.7 inet static 6 | address 10.20.0.1 7 | netmask 255.255.255.0 8 | vlan-raw-device eth1 9 | up route add -net 10.10.0.0/24 gw 192.168.33.10 dev eth1 10 | up route add -net 10.20.0.0/24 gw 192.168.33.10 dev eth1 11 | " 12 | Note: 13 | In order to remove vlan-raw-device, once it is up. 
Use 14 | ip link del eth1.7 (or) 15 | vconfig rem eth1.7 16 | 17 | From internet you can also do: 18 | " 19 | auto eth0 20 | iface eth0 inet static 21 | address 192.168.50.2 22 | netmask 255.255.255.0 23 | gateway 192.168.50.100 24 | #########{Static Route}########### 25 | up ip route add 10.10.20.0/24 via 192.168.50.100 dev eth0 26 | " 27 | 28 | For Dynamic routing. 29 | Setting it up on vagrant 30 | Set static ip address on vlan like following. 31 | " 32 | auto eth1.7 33 | iface eth1.7 inet static 34 | address 10.20.0.1 35 | netmask 255.255.255.0 36 | vlan-raw-device eth1 37 | " 38 | Install quagga 39 | apt-get install quagga 40 | 41 | Modify following files 42 | /etc/quagga/daemons 43 | 44 | zebra=yes 45 | ospfd=yes 46 | Copy following sample files from /usr/share/doc/quagga/ to /etc/quagga 47 | 48 | Create /etc/quagga/zebra.conf 49 | 50 | interface eth0 51 | ip address 10.0.2.15/24 52 | ipv6 nd suppress-ra 53 | interface eth1 54 | ip address 192.168.33.20/24 55 | ipv6 nd suppress-ra 56 | interface eth1.7 57 | ip address 10.20.0.10/24 58 | ipv6 nd suppress-ra 59 | interface lo 60 | ip forwarding 61 | line vty 62 | 63 | Create /etc/quagga/ospfd.conf 64 | 65 | interface eth0 66 | interface eth1 67 | interface eth1.7 68 | interface lo 69 | router ospf 70 | network 10.0.2.0/24 area 0.0.0.0 71 | network 192.168.33.0/24 area 0.0.0.0 72 | network 10.20.0.0/24 area 0.0.0.0 73 | line vty 74 | 75 | Restart quagga. 
service quagga restart
(or) systemctl restart quagga
--------------------------------------------------------------------------------
/rsyslog.md:
--------------------------------------------------------------------------------
# Rsyslog to lxc container over tcp

### Create compatible table
createDB.SQL

```sh
## ----- mariadb container
apt install -y rsyslog-mysql rsyslog-relp

vim /etc/rsyslog.conf
```

```
#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="immark")   # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

module(load="imrelp")
input(type="imrelp" port="5000" maxDataSize="10k")
```

```sh
systemctl restart rsyslog
tail -f /var/log/syslog
```

```sh
## ----- kvm host
echo "10.0.3.77 mariadb-server" >> /etc/hosts

vim "/etc/rsyslog.d/50-default.conf"
local7.* -/var/log/local7.log
#local7.* :omrelp:mariadb-server:5000
local7.* @@mariadb-server:514

systemctl restart rsyslog
logger -p local7.error -s -t hello 'HOLAAAA'
```

To monitor traffic on lxc network
`tcpdump -v -XX -i lxcbr0 dst port (514 or 5000) and host mariadb-server`

![tcpdump](img/rsyslog-tcp.png)


### Redirect apache2 logs to mariadb server through rsyslog

```
vim /etc/apache2/sites-enabled/000-default.conf
ErrorLog "|/usr/bin/tee -a ${APACHE_LOG_DIR}/error.log |/usr/bin/logger -thttpd -plocal7.err"
# CustomLog "|/usr/bin/tee -a ${APACHE_LOG_DIR}/access.log |/usr/bin/logger -thttpd -plocal7.notice" combined
```

- https://httpd.apache.org/docs/2.4/logs.html#piped

--------------------------------------------------------------------------------
/ssh.txt:
--------------------------------------------------------------------------------
Client 1:
a)
ssh-keygen -t rsa
ssh-copy-id 192.168.33.20
ssh 192.168.33.20
This will require the passphrase every time you log in
b)
ssh-keygen -t rsa
ssh-agent /bin/bash
ssh-add
ssh 192.168.33.20
Won't require the passphrase every time

Port Forwarding
ssh -fNL 4444:rhatcert.com:80 root@192.168.33.20
(Testing) w3m http://localhost:4444

Install apache server on 192.168.33.20
ssh -fNL 5555:localhost:80 root@192.168.33.20
(or) ssh -fNL 5555:192.168.33.20:80 root@192.168.33.20
(another way to do it is the following)
ssh -f root@192.168.33.20 -L 5555:192.168.33.20:80 -N
(Testing) w3m http://localhost:5555

ssh to client2 using a different port
ssh -fNL 6666:localhost:22 root@192.168.33.20
(Testing) ssh -p 6666 localhost

VNC Server
Install
sudo apt-get install tightvncserver xtightvncviewer

Start
vncserver

View
vncviewer localhost:1

View over/via ssh
vncviewer -via vagrant@client3 client3:1

Kill
vncserver -kill :1

To create vnc service at boot-up with systemd
sudo vim /etc/systemd/system/vncserver@.service
[Unit]
Description=Remote desktop service (VNC) on port :%I
After=syslog.target network.target
[Service]
Type=forking
User=student
ExecStartPre=-/usr/bin/vncserver -kill :%i
ExecStart=/usr/bin/vncserver :%i -localhost
PIDFile=/home/lee/.vnc/%H:%i.pid
ExecStop=-/usr/bin/vncserver -kill :%i
[Install]
WantedBy=multi-user.target

(PIDFile needs to be created manually)
SSH using alias
sudo vim ~/.ssh/config
host friend
    hostname client1
    user vagrant

#Stop a client from connecting using TCP Wrappers
sudo vim /etc/hosts.deny
sshd: 192.168.33.40
#Also if you want to log this information, use the following
sshd: 192.168.33.40 \
    : spawn /bin/echo $(/bin/date) %a access denied >> /var/log/sshd \
    : deny
--------------------------------------------------------------------------------
/lvm.txt:
--------------------------------------------------------------------------------
#To see partitions
sudo fdisk -l (cat /proc/partitions) (lsblk)
(Let's say you see three devices)
/dev/xvdf, /dev/xvdj, /dev/xvdg
# To reread partitions
partprobe /dev/sdX (or just partprobe)

#If not already installed
sudo apt-get install lvm2

# Create an lvm partition.
gdisk -l /dev/loop0
n
(select size)
L (to look up the codes)
8e00 (lvm type)
w

#sync
partprobe /dev/xxxx


#Create lvm
pvcreate /dev/xvdf /dev/xvdj /dev/xvdg (physical volume created)
vgcreate ghumVol /dev/xvdf /dev/xvdj /dev/xvdg (volume group created)
lvcreate -l 100%FREE -n devdisks ghumVol (logical volume created)

#Display logical volume
lvdisplay
(or) lvs

#Put filesystem
(Use ext4 if shrinking and growing is needed at a later stage)
(xfs doesn't allow shrinking of the filesystem, it can only grow)
mkfs.ext4 /dev/ghumVol/devdisks

#Mount
mkdir /mnt/newvol
sudo mount /dev/ghumVol/devdisks /mnt/newvol

#Note
Just like encrypting partitions creates /dev/mapper/xxxx, lvm also creates devices with a symlink inside /dev/mapper and also /dev/vgdata/lvdata.
# to change properties of filesystems which are already created, use tune2fs
tune2fs -L lvdata /dev/vgdata/lvdata

#mounting using Labels in /etc/fstab
LABEL=lvdata /lvmount/point ext4 defaults 0 0

#mounting using UUID in /etc/fstab
#to find out the uuid of a filesystem, use "blkid" (can be used with double quotes or without)
UUID="xxxxxxxxxxxxxx" /lvmount/point ext4 defaults 0 0

# Resize LVM
pvs, vgs, lvs show size and free space
i) create new partition using gdisk/fdisk (using LVM partition type)
ii) vgextend vgdata /dev/newlycreated
(above command detects that the newly created partition is not a physical volume, so it converts it to a physical volume and then adds it to the vgdata volume group)
iii) lvextend -l +100%FREE -r /dev/vgdata/lvdata (-r resizes the filesystem too)

# Shrink
lvreduce -L 800M -r /dev/vgnew/lvnew
(it will ask permission to unmount, then will resize and will mount it again)
--------------------------------------------------------------------------------
/package_management.txt:
--------------------------------------------------------------------------------
Example: stress-ng --cpu 8 --io 4 --vm 2 --vm-bytes 128M --fork 4 --timeout 10s
-c N, --cpu N       start N workers spinning on sqrt(rand())
-i N, --io N        start N workers spinning on sync()
-m N, --vm N        start N workers spinning on anonymous mmap
--vm-bytes N        allocate N bytes per vm worker (default 256MB)
-f N, --fork N      start N workers spinning on fork() and exit()
-t T, --timeout T   timeout after T seconds

Generally stress-ng is used to perform different tests.

Packages required for building packages.
sudo apt-get install dh-make fakeroot build-essential

Commands used in building packages.
1) tar

Examples:
tar -cf archive.tar foo bar   # Create archive.tar from files foo and bar.
tar -tvf archive.tar          # List all files in archive.tar verbosely.
tar -xf archive.tar           # Extract all files from archive.tar.
Use tar -xzvf and -czvf and -tvf (z for gzip).

2) dh_make

-> WORK
   -> cpphelloworld-1.0/
      -> dh_make -f ../cpphelloworld-1.0.tar.gz
   -> cpphelloworld-1.0.tar.gz


3) dpkg-buildpackage

-> WORK
   -> cpphelloworld-1.0
      -> dpkg-buildpackage -uc -us
   -> cpphelloworld-1.0.tar.gz
-us unsigned source package.
-uc unsigned .changes file.


4) dpkg (--contents, --install or -i, --remove or -r)
Summary:
tar -czvf cpphelloworld-1.0.tar.gz cpphelloworld-1.0/
mkdir WORK
mv cpphelloworld-1.0.tar.gz WORK/
cd WORK
tar -xzvf cpphelloworld-1.0.tar.gz
cd cpphelloworld-1.0/
dh_make -f ../cpphelloworld-1.0.tar.gz
dpkg-buildpackage -uc -us
dpkg --contents ../cpphelloworld_1.0-1_amd64.deb
sudo dpkg --install ../*.deb
dpkg --remove cpphelloworld


My Example Makefile

all:
	g++ CppHelloWorld.cpp -o CppHelloWorld
install:
	install -d $(DESTDIR)/usr/bin
	install CppHelloWorld $(DESTDIR)/usr/bin
clean:
	rm -f CppHelloWorld
--------------------------------------------------------------------------------
/filesystem.txt:
--------------------------------------------------------------------------------
#Ext4
mkfs.ext4 --help
mkfs.ext4 -b 1024 -L myfs /dev/loop1p1 (-b block size in bytes, -L label)
mkdir /mnt/myfs_dir
mount /dev/loop1p1 /mnt/myfs_dir
(an ext4 fs always has lost+found, and it is used by fsck)

#xfs
mkfs.xfs --help
mkfs.xfs -L XFSFS /dev/loop1p5
mkdir /mnt/fsloop1part5xfs
#mount
mount /dev/loop1p5 /mnt/fsloop1part5xfs/
(or) mount LABEL=XFSFS /mnt/fsloop1part5xfs/

#btrfs
mkdir /mnt/fsloop2part1brf
mkfs.btrfs --help
(Got error: Minimum size for each btrfs device is 41943040)

# permanent changes after reboot using /etc/fstab
# add following lines
/dev/loop1p1 /mnt/fsloop1part1ext4/ ext4 defaults 0 0
/dev/loop1p5 /mnt/fsloop1part5xfs/ xfs defaults 0 0

#mount everything in /etc/fstab
mount -a

# show all mounts
mount

# mounting using systemctl
cp /lib/systemd/system/dev-mqueue.mount /etc/systemd/system/ext4.mount
vim /etc/systemd/system/ext4.mount
#change following
What=/dev/loop1p1
Where=/ext4 #(This has to match the unit name)
Type=ext4
Options=defaults

systemctl daemon-reload
systemctl restart ext4.mount

# Swap partition.
fdisk /dev/loopxx (fdisk can also be used to change partition type)
>t (change partition type)
>l (list all codes for all partition types)
>82 (for swap)
>p (show partitions)
>w

#Swap filesystem
mkswap /dev/loopxxxx
free -h
swapon /dev/loopxxxx (manual)
free -h
(mounting using /etc/fstab)
/dev/loopxxx swap swap defaults 0 0 (2nd column, no need for slash)
(to mount)
swapon -a

#Encrypted device
(sudo apt-get install cryptsetup)
cryptsetup luksFormat /dev/loop2p1
YES
passphrase:
#see the contents of the encrypted device
xxd /dev/loop2p1 (hexadecimal viewer)
#open the encrypted device
cryptsetup luksOpen /dev/loop2p1 secret

#resulting device will be the following
/dev/mapper/secret

mkfs.ext4 /dev/mapper/secret
mkdir /mnt/secret
mount /dev/mapper/secret /mnt/secret/
cd /mnt/secret
touch this_file_resides_on_secret_partition.txt
umount /mnt/secret/
#automate
sudo vim /etc/crypttab
secret /dev/loop2p1 #(password will be required at bootup)
sudo vim /etc/fstab
/dev/mapper/secret /mnt/secret ext4 noauto 0 0


--------------------------------------------------------------------------------
/iscsi.txt:
--------------------------------------------------------------------------------
(internet small computer system interface)
(shared volumes in containerized clusters)
(Server -> Target, Client -> Initiator)

#Target
#install
apt-get -y install targetcli
#Create directory
mkdir /var/iscsi_disks
#Admin console
targetcli
>cd backstores/fileio
>create disk01 /var/iscsi_disks/disk01.img 5M (create disk image)
>cd ../../iscsi
>create iqn.2018-12.com.ghumman:storage.target00
>cd iqn.2018-12.com.ghumman:storage.target00/tpg1/portals
>create 192.168.33.20
>cd ../luns
>create /backstores/fileio/disk01 (set luns)
>cd ../acls
>create iqn.2018-12.com.ghumman:www.ghumman.com (set acls)
>cd iqn.2018-12.com.ghumman:www.ghumman.com
>set auth userid=username
>set auth password=password
>exit
>y
#Confirm server is listening
ss -napt | grep 3260
(also a file will be created) cat /etc/target/scsi_target.lio
#Restart target

#######################################################################
# Following is old and shouldn't be used
#######################################################################
#install
sudo apt-get -y install tgt lvm2
#to create /dev/loopxx
dd if=/dev/zero of=6MB_HDD.img bs=1M count=6
sudo losetup -Pf --show 6MB_HDD.img
pvcreate /dev/loop0
vgcreate ghumman_iscsi /dev/loop0 (you can use vgs to confirm)
lvcreate -l 100%FREE -n ghumman_lun1 ghumman_iscsi (lvs to confirm)
(above will create the logical volume, following will create the actual lun (logical unit number))
sudo vim /etc/tgt/conf.d/ghumman_iscsi.conf
"

# Provided device as an iSCSI target
backing-store /dev/mapper/ghumman_iscsi-ghumman_lun1
initiator-address 192.168.33.20
incominguser user password
outgoinguser user password

"
sudo systemctl restart tgt
#Check the status of iscsi target lun partition
tgtadm --mode target --op show
#Had to add the following line to make it work (was getting "no portal found" error {acl issue})
#############################################################
# Above is old and shouldn't be used
#############################################################


#Initiator
sudo apt install open-iscsi
#Discover
iscsiadm -m discovery -t st -p 192.168.33.20
(or) iscsiadm --mode discovery --type sendtargets --portal 192.168.33.20
#Check status
iscsiadm -m node -o show
#Connect
#vim /etc/iscsi/iscsid.conf
node.session.auth.authmethod = CHAP
node.session.auth.username = user
node.session.auth.password = password
#sudo vim /etc/iscsi/initiatorname.iscsi
InitiatorName=iqn.2018-10.ghumman.com:lun1
#Login
iscsiadm -m node --login
(or) iscsiadm --mode node --targetname iqn.2018-10.ghumman.com:lun1 --portal 192.168.33.20 --login
--------------------------------------------------------------------------------
/ftp.txt:
--------------------------------------------------------------------------------
sudo apt-get install vsftpd (server)
sudo apt-get install lftp (client, in the manual it's ftp)

ftp default folder in ubuntu:
/srv/ftp

Create /srv/ftp/uploads as a dropbox
sudo mkdir -m 730 /srv/ftp/uploads (as root user, but any user will be able to upload as the group will be changed to ftp)
chown root.ftp /srv/ftp/uploads

Make following changes to file '/etc/vsftpd.conf'
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES

After restarting the service

Use the following to confirm that the user is part of group ftp
id user (if not, use the following to add to ftp)
usermod -aG ftp user

In order to upload or drop the file:
1) cd dir/where/file/exists (localhost or remote)
2) enter username/password (Or inside ftp enter user 'username')
3) cd /srv/ftp/uploads (cd to the dir where you need to upload)
4) put file1.txt (file1.txt was present in the directory where we started doing ftp, other files cannot be uploaded)



TFTP

sudo apt-get install tftpd tftp (tftp is the tftp client)
(Because this doesn't need to be started all the time, there is no systemd unit directly)
sudo apt-get install xinetd
services which can be started using xinetd are under the /etc/xinetd.d directory
Other services which the 'manual' uses with xinetd are:
i) rsync (for centos/opensuse only, not for ubuntu, use update-rc.d instead)
ii) telnet (for ubuntu only)

All default files inside /etc/xinetd.d/ are missing the following arguments which we need.
server = /usr/sbin/in.tftpd
server_args = /tftpboot
No need for the following if copied like cp /etc/xinetd.d/time /etc/xinetd.d/tftp
type = INTERNAL
id = time-dgram
Complete /etc/xinetd.d/tftp
service tftp
{
    disable     = no
    socket_type = dgram
    protocol    = udp
    user        = root
    wait        = yes
    server      = /usr/sbin/in.tftpd
    server_args = /tftpboot
}
//
If you don't give a port, it will take the default port for tftp which is 69 (protocol is udp)
Create the directory with the right chmod and chown mentioned at server_args
sudo mkdir /tftpboot
sudo chmod -R 777 /tftpboot
Restart xinetd, you'll see at the bottom: Started working: 1 available service
Another way to confirm that tftp is running, use the following
ss -tuna (or netstat -tulpen) | grep 69

Now a remote client will be able to download/get what is in /tftpboot using the following
tftp client1
get file1.txt

######################################################
# Blocking Connection using TCP Wrappers
######################################################
Add the following to /etc/vsftpd.conf
tcp_wrappers=yes
Restart vsftpd
Add the following to /etc/hosts.deny
vsftpd: ALL
telnet localhost ftp
--------------------------------------------------------------------------------
/misc_commands.txt:
--------------------------------------------------------------------------------
List all users
cat /etc/passwd

List host aliases for ip addresses
cat /etc/hosts

List aliases, normally used when setting up email users
cat /etc/aliases
After setting new aliases or modifying the above file, run 'newaliases'

List variable values (http_proxy is also provided here)
cat /etc/environment

List nameservers (DNS nameserver can be provided here or inside /etc/network/interfaces)
cat /etc/resolv.conf

List file sharing directories (It's activated using command 'mount -a') (Used for nfs, cifs and automount)
(I think, normally used on client side)
cat /etc/fstab

List NFS sharing directories (for cifs/samba it's /etc/samba/smb.conf) (normally used on server side)
cat /etc/exports

List hostname
cat /etc/hostname

This file assigns persistent names to network interfaces
/etc/iftab

Info about distribution
cat /etc/lsb-release
cat /etc/os-release

Following file is the time based job scheduler
/etc/crontab

List port numbers and service names
cat /etc/services

If you don't have systemd, use the following to disable a service like 'ufw'
update-rc.d -f ufw remove (in vagrant vm it didn't work with ufw but worked with nfs-kernel-server)
After the above command, I had issues enabling the service nfs-kernel-server for startup. I used the following to fix it.
update-rc.d nfs-kernel-server defaults
It turns out that inside /etc/init.d/ some files are the services and some are pointing to /lib/init/upstart-job
Following is another way mentioned on the internet but it didn't work for my vagrant vms.
echo 'manual' | sudo tee /etc/init/mysql.override
Here's a summary:
If service is SysV (Also called init.d): Use 1) 'sudo service nfs-kernel-server stop', 2) 'sudo update-rc.d -f nfs-kernel-server remove' to disable and 'sudo update-rc.d nfs-kernel-server defaults' to enable (ntp didn't work)
If service is Upstart: Use 'mv /etc/init/smbd.conf /etc/init/smbd.conf.disabled' and move it back to enable it.
If service is Systemd: Use systemctl enable/disable command.

When creating Self Signed keys for SSL using openssl, the option -nodes (not decrypted -> maybe) is used to encrypt the private key. If this option is provided it will ask for a passphrase. In case openssl is used to create key and crt to be used in dovecot ssl, this argument should be used, otherwise you won't be able to connect to the mail server.

For creating problems in network packets
tc qdisc add dev lo root netem loss random 40
tc qdisc del dev lo root

To see what packages are available
sudo apt search ntop

#Check which version of software is on the system
dpkg -l open-vm-tools
#To update
sudo apt-get install --only-upgrade open-vm-tools
(or) apt install --only-upgrade open-vm-tools

#Change home directory
usermod -d /dir/ user

# if you want an ftp user to log into a specific directory, modify the following file.
/etc/passwd

--------------------------------------------------------------------------------
/lf_linux_networking_administration_course_contents.txt:
--------------------------------------------------------------------------------
1) Course Introduction
2) Linux Networking Concepts and Reviews
   OSI Layers
   TCP vs UDP
   IP V4 and V6
   IP routing and management tools
   DNS Database, Query and tools
   System V Init, BSD V init
   Starting Stopping System Services
   Enabling/Disabling System Services
3) Networking Configuration
   Boot time network configuration
   Network Manager
   DNS Client, VPN and DHCP
4) Network Troubleshooting and Monitoring
   Simple, Intermediate, Advanced Client Troub.
   Basic, Intermediate, Advanced Server Troub.
5) Remote Access
   Telnet
   RSH
   Cryptography
   Symmetric and Asymmetric Encryption
   Key Exchange and Secure Shell SSH
   OpenSSH server and client
   OpenSSH configuration, authentication and Tunnel
   Parallel SSH
   VNC server and client
   X Window system, authentication and tunneling.
6) Domain Name Service
   /etc/hosts
   DNS basics and database
   DNS Recursive Query
   Forward/Reverse DNS Queries
   DNS Server Daemons
   BIND server, configuration
   BIND as caching name server and zone config
   Zone files and SOA records
7) HTTP servers
   Configuration
   IP/Port and Name based virtual host
   Name Vhost and SSL
   Access Control and .htaccess
   File Permissions
   SELinux
   Safe CGI scripting, SSL and install SSL keys
8) Advanced HTTP Servers
   Rewrite URLs, maps, examples
   ModAlias, AliasMatch, ScriptAlias
   Mod_Status, Mod_Include, Mod_Perl
   MultiProcessing Modules MPM
   Config Prefork and worker
   Load testing and caching and proxies
   Speciality HTTP Servers
9) Email Servers
   SMTP, POP3, IMAP
   MTA, MUA, IMAP/POP
   Postfix Config, Auth, SASL, Security
   qshape, mailgraph, reducing SPAM
   Email aliasing and forwarding
   Dovecot config, setup, security
10) File Sharing
   FTP Server, Anonymous FTP
   rsync daemon config, security, usage
   scp, sftp, rsync over ssh
   WebDAV, BitTorrent
11) Advanced Networking
   Routing, VLAN, DHCP
   NTP, ntpd client and server
12) HTTP Caching
   Proxy SSL, Cache hierarchy
   Access Control
13) Network File System
   NFS server, client, security, performance
   Samba/CIFS config, user accounts, smb.conf
   Persistent mounting for NFS
14) Intro to Network Security
   Concepts, Principles, Practices
   DMZ, Firewalls, App access control
   chroot
15) Firewalls
   TCP wrappers
   netfilter, filter, nat and mangle table
   Iptables, System-Config-Firewalls, gufw
   YAST firewall, firewalld
   Forced Transparent Proxy, Network Address Translation
16) High Availability
   Stack, App., Network., Storage
   Remote Disk Mirroring (DRBD)
17) Databases
   Hierarchical Databases
   Relational Databases
   Database Management System (DBMS)
   Structured Query Language (SQL)
18) System Log
   rsyslog modules, remote logging client/server
19) Package Management
   Build Debian packages

--------------------------------------------------------------------------------
/dns.txt:
--------------------------------------------------------------------------------
For dns-clients/hosts which need to point to dns-servers: use either /etc/resolv.conf, but that would be overwritten on bootup, or add the following line in /etc/network/interfaces
dns-nameservers 8.8.8.8
In order to see the changes, do ifdown and ifup
(
Above will do it; if not, try the following too
systemctl restart networking
systemctl restart network-manager
resolvconf -u (this updates its own database)
resolvconf -d enp0s8 (updates - automatically happens when you do ifdown/ifup)
)

To install a dns server.
sudo apt-get install bind9

To set up a caching server (whatever that means)
(I think by default it's working as a caching server and nothing needs to be done, as the response for the command 'dig @localhost google.com' remains the same, but the following is what the manual says)
sudo vim /etc/bind/named.conf.options
(add the following lines)
listen-on port 53 { any; };
allow-query { any; };
recursion yes;
(It didn't work on vagrant vm (precise) but worked on xenial)

Authoritative Forward Zone (Worked at vagrant vm)
"
• 30 second TTL
• www.example.com has the address 192.168.111.45 and the IPv6 address fe80::22c9:d0ff:1ecd:c0ef
• foo.example.com has the address 192.168.121.11
• bar.example.com has a CNAME pointing to www.example.com
• host1.example.com through host100.example.com have the addresses 10.20.45.1 through 10.20.45.100
"

Add the following to /etc/bind/named.conf.local
zone "example.com." {
    type master;
    file "/etc/bind/example.com.zone";
};

Create the following file /etc/bind/example.com.zone
$TTL 30
@   IN  SOA localhost. root.example.com. (
            1        ; Serial
            604800   ; Refresh
            86400    ; Retry
            2419200  ; Expire
            604800 ) ; Negative Cache TTL
@                   IN  NS     localhost.
www.example.com.    IN  A      192.168.111.45
www.example.com.    IN  AAAA   fe80::22c9:d0ff:1ecd:c0ef
foo.example.com.    IN  A      192.168.121.11
bar.example.com.    IN  CNAME  www.example.com.
$GENERATE 1-100 host$.example.com. IN A 10.20.45.$

Check the syntax using the following command
sudo named-checkconf -z

In order to test it, use the following commands.
dig @localhost -t A www.example.com
dig @localhost -t AAAA www.example.com
dig @localhost -t A foo.example.com
dig @localhost -t CNAME bar.example.com
dig @localhost -t A host7.example.com
dig @localhost -t A host27.example.com

Reverse DNS zone for 10.20.45.0/255.255.255.0 as host$.example.com

Add the following to /etc/bind/named.conf.local
zone "45.20.10.in-addr.arpa." {
    type master;
    file "/etc/bind/45.20.10.in-addr.arpa.zone";
};


Create the following file /etc/bind/45.20.10.in-addr.arpa.zone
$TTL 604800
@   IN  SOA localhost. root.example.com. (
            1        ; Serial
            604800   ; Refresh
            86400    ; Retry
            2419200  ; Expire
            604800 ) ; Negative Cache TTL
;
@   IN  NS  localhost.
$GENERATE 1-254 $ IN PTR host$.example.com.
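The two $GENERATE lines above produce 100 A records but 254 PTR records, so the reverse zone answers for addresses the forward zone never assigns. The following is an added example (not part of these notes) that expands both directives the way named does for this simple form and reports every A/PTR pair that does not agree; it also catches a PTR that names a different host than the A record does. The zone origins come from the named.conf.local entries above; everything else is constructed here.

```python
"""Expand BIND $GENERATE directives and cross-check A records against PTRs.

Constructed example: the two $GENERATE lines are copied from the zone files
above, the origins from named.conf.local; nothing here is read from disk.
"""
import ipaddress
import re

# $GENERATE range lhs [ttl] [class] type rhs -- only the A/PTR form used above
GENERATE_RE = re.compile(r"^\$GENERATE\s+(\d+)-(\d+)\s+(\S+)\s+IN\s+(A|PTR)\s+(\S+)\s*$")


def absolute(name: str, origin: str) -> str:
    """Qualify a relative owner/target with the zone origin, as named does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def expand_generate(line: str, origin: str) -> list[tuple[str, str, str]]:
    """Expand one $GENERATE line into (owner, type, rdata) triples.

    Every "$" in the owner and the rdata is replaced by the iterator value.
    """
    m = GENERATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported $GENERATE line: {line!r}")
    start, stop, owner, rtype, rdata = m.groups()
    records = []
    for i in range(int(start), int(stop) + 1):
        value = rdata.replace("$", str(i))
        if rtype == "PTR":          # PTR targets are names, A targets are addresses
            value = absolute(value, origin)
        records.append((absolute(owner.replace("$", str(i)), origin), rtype, value))
    return records


def reverse_owner(ip: str) -> str:
    """10.20.45.7 -> 7.45.20.10.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ip_from_reverse(owner: str) -> str:
    """7.45.20.10.in-addr.arpa. -> 10.20.45.7"""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {owner!r}")
    return ".".join(reversed(labels[:-2]))


def check_forward_reverse(a_records, ptr_records) -> list[tuple[str, str, str]]:
    """Return (problem, name, ip) for every A/PTR pair that does not agree.

    missing-ptr : an A record whose address has no PTR at all
    ptr-mismatch: the PTR exists but names a different host
    orphan-ptr  : a PTR for an address that has no A record at all
    """
    a_by_ip = {rdata: owner.lower() for owner, rtype, rdata in a_records if rtype == "A"}
    ptr_by_ip = {ip_from_reverse(owner): rdata.lower()
                 for owner, rtype, rdata in ptr_records if rtype == "PTR"}
    problems = []
    for ip, name in a_by_ip.items():
        target = ptr_by_ip.get(ip)
        if target is None:
            problems.append(("missing-ptr", name, ip))
        elif target != name:
            problems.append(("ptr-mismatch", name, ip))
    for ip, target in ptr_by_ip.items():
        if ip not in a_by_ip:
            problems.append(("orphan-ptr", target, ip))
    return problems


def check_page_zones() -> list[tuple[str, str, str]]:
    """Run the check over the $GENERATE lines of the two zone files above."""
    forward = expand_generate("$GENERATE 1-100 host$.example.com. IN A 10.20.45.$",
                              "example.com.")
    reverse = expand_generate("$GENERATE 1-254 $ IN PTR host$.example.com.",
                              "45.20.10.in-addr.arpa.")
    return check_forward_reverse(forward, reverse)


if __name__ == "__main__":
    # With the zones as written: 154 orphan PTRs (10.20.45.101 .. 10.20.45.254)
    for problem, name, ip in check_page_zones():
        print(f"{problem:13} {ip:<14} {name}")
```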
Check the syntax using the following command
sudo named-checkconf -z

Reload the server using the following (though tests worked without doing it)
rndc reload

Test using the following
host 10.20.45.7 localhost
host 10.20.45.37 localhost
host 10.20.45.73 localhost
--------------------------------------------------------------------------------
/email.txt:
--------------------------------------------------------------------------------
Install Postfix (MTA) and Dovecot (Email Server (IMAP/POP3))
sudo apt-get install postfix dovecot-imapd dovecot-pop3d

#########################################################
#Postfix smtp, make sure all clients are able to send emails to the server
#########################################################

On server:
sudo apt-get install postfix
(Select Internet site and hostname as mail name)
#listen on all interfaces
sudo postconf -e "inet_interfaces=all"
#enable trusted subnets
sudo postconf -e "mynetworks_style=subnet"

# In order to send mail to a remote server use the ip address, not the hostname, otherwise you will get a DNS MX records error inside /var/log/mail.log
# rcpt to: root@[192.168.33.10]

On client (192.168.33.10):
telnet 192.168.33.1 25
helo localhost
mail from:client1@localhost
rcpt to:root@localhost
data
Subject: Test sent from client1 to server
Testing 1, 2, 4
.

Test if we get the mail on the server.
#mailutils installs mail
#mutt shows emails and sends emails, and it installs postfix, if
# it's not already installed

# mail can be used to send mail like the following from the terminal
# mail -s "How are you?" client1@localhost (This gives a DNS MX record error if we use the hostname for a remote computer)
# mail -s "How are you?" client1@[192.168.33.20] (Using this I was able to send email from one server to another server)
Cc
(Keep writing; once you're done, press )
sudo apt-get install mailutils
mail

############################################################
#Enable dovecot as IMAP server
############################################################

At this point without having mutt and dovecot (but having mail and postfix), we can send messages and view messages from the same machine.

But from a remote machine we can still use telnet to log in to the server machine and send emails from one user to another, but won't be able to see email using this kind of command: "mutt -f client1@192.168.0.106"
# above assumption is wrong, later I figured out you can send emails by putting the ip address inside [].


sudo apt-get install mutt dovecot-imapd dovecot-pop3d dovecot-core dovecot-lmtpd
sudo vim /etc/dovecot/dovecot.conf
(uncomment this line: listen = *, ::)
sudo systemctl restart dovecot
(Doing this, a vagrant client with a different IP address works for the following command, but a client on the same network but on a different machine doesn't work)
mutt -f imap://client1@192.168.0.106/
# It doesn't work on a different machine because the other machine is looking for TLS (transport layer security) / SSL (secure socket layer). After enabling it in the next step, the above command works on the remote host

###########################################################
#Enforce TLS/SSL for IMAP server i.e. inside Dovecot
###########################################################
sudo vim /etc/dovecot/conf.d/10-ssl.conf
#Edit
ssl = required
ssl_cert = [...]
AHN0dWRlbnQAc3R1ZGVudA==
telnet localhost 25
helo localhost
auth plain AHN0dWRlbnQAc3R1ZGVudA==
mail from ...
###########################################################
# Using both SASL and TLS in Postfix (SASL type = dovecot)
###########################################################

postconf -e "smtpd_tls_auth_only = yes"
postconf -e "smtpd_tls_security_level = may"
postconf -e "smtpd_tls_cert_file = /etc/postfix/postfix.pem"
postconf -e "smtpd_tls_key_file = /etc/postfix/postfix.pem"

#creating postfix.pem
/usr/bin/openssl req -utf8 -newkey rsa:2048 -keyout /tmp/postfix.key -nodes \
    -x509 -days 365 -out /tmp/postfix.crt -set_serial 0
cat /tmp/postfix.key > /etc/postfix/postfix.pem
echo "" >> /etc/postfix/postfix.pem
cat /tmp/postfix.crt >> /etc/postfix/postfix.pem
rm -f /tmp/postfix.crt /tmp/postfix.key

#restart postfix
systemctl restart postfix

#test using gnutls-cli (plain telnet can't do STARTTLS)
(sudo apt-get install gnutls-bin)
gnutls-cli --crlf --starttls --insecure --port 25 localhost
starttls
Ctrl+d
auth plain AHN0dWRlbnQAc3R1ZGVudA==
mail ...
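The `auth plain AHN0dWRlbnQAc3R1ZGVudA==` token used in both tests above is nothing more than base64 of NUL, user, NUL, password, which is the whole reason for `smtpd_tls_auth_only = yes`. The following is an added example (not part of these notes) that builds and decodes that token per RFC 4616 and models the Postfix gate: with `smtpd_tls_auth_only = yes`, AUTH is advertised only after STARTTLS has succeeded. The student/student credential is the test account the token above encodes.

```python
"""SASL PLAIN token handling and the smtpd_tls_auth_only gate.

Constructed example: the token below is the one from the notes, the
credential it encodes is the test account used there.
"""
import base64
import binascii


def sasl_plain_encode(authcid: str, password: str, authzid: str = "") -> str:
    """AUTH PLAIN token (RFC 4616): base64(authzid NUL authcid NUL password)."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("PLAIN fields may not contain NUL")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(token: str) -> tuple[str, str, str]:
    """Recover (authzid, authcid, password) from a PLAIN token.

    No key is involved: anyone who can read the port-25 session can do
    this, so the token must only ever travel inside TLS.
    """
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a base64 token: {exc}") from exc
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN token must contain exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def auth_offered(tls_active: bool, smtpd_tls_auth_only: bool = True) -> bool:
    """Mirror Postfix: with smtpd_tls_auth_only = yes, AUTH is advertised only
    once STARTTLS has completed; with it set to no, AUTH is offered on the
    plaintext connection as well (the state the first telnet test relied on).
    """
    return tls_active or not smtpd_tls_auth_only


def ehlo_capabilities(tls_active: bool, smtpd_tls_auth_only: bool = True) -> list[str]:
    """EHLO capability lines a client sees under each setting (constructed list,
    limited to the two keywords that matter here)."""
    caps = []
    if not tls_active:
        caps.append("STARTTLS")            # smtpd_tls_security_level = may
    if auth_offered(tls_active, smtpd_tls_auth_only):
        caps.append("AUTH PLAIN LOGIN")
    return caps


if __name__ == "__main__":
    token = sasl_plain_encode("student", "student")
    print(token, sasl_plain_decode(token))
    print("before STARTTLS:", ehlo_capabilities(tls_active=False))
    print("after STARTTLS: ", ehlo_capabilities(tls_active=True))
```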
--------------------------------------------------------------------------------
/apache-ssl.md:
--------------------------------------------------------------------------------
# Enable SSL on alex.com virtualHost

## Current machine
Virtualization: kvm
Operating System: Ubuntu 21.10
Kernel: Linux 5.13.0-20-generic
Architecture: x86-64
Hardware Vendor: QEMU


## Generate RSA key and x509 certificate
`openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/ssl/apache/ssl-rsa-apache.key -out /etc/ssl/apache/certs/ssl-cert-apache.crt`

Or if you prefer to create your private key separately:
`openssl genpkey -algorithm RSA -out /etc/ssl/apache/ssl-rsa-apache.key`


## Config Apache Server
Enable the Apache ssl module:
`a2enmod ssl`

`grep "^[[:space:]]*<*/*\w" /etc/apache2/ports.conf`

```apache
Listen 80

Listen 443

Listen 443
```


`grep "^[[:space:]]*<*/*\w" /etc/apache2/apache2.conf`

```apache
ServerName alex.com
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf

Options FollowSymLinks
AllowOverride None
Require all denied

AllowOverride None
Require all granted

Options Indexes FollowSymLinks
AllowOverride None
Require all granted

AccessFileName .htaccess

Require all denied

LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf
```

`grep "^[[:space:]]*<*/*\w" /etc/apache2/sites-enabled/default-ssl.conf`
```apache
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/apache/certs/ssl-cert-apache.crt
SSLCertificateKeyFile /etc/ssl/apache/ssl-rsa-apache.key
SSLVerifyClient none

SSLOptions +StdEnvVars

SSLOptions +StdEnvVars
```

`grep "^[[:space:]]*<*/*\w" /etc/apache2/sites-enabled/000-default.conf`
```apache
ServerName alex.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
LogLevel info ssl:info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/secure.passwords
Require valid-user

RewriteEngine on
RewriteRule ^/foo/(.*) /scripts/foo.cgi?$1 [L,PT]
```


`# echo 127.0.0.1 alex.com >> /etc/hosts`

`apachectl -S`

```
VirtualHost configuration:
*:80                   alex.com (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  alex.com (/etc/apache2/sites-enabled/default-ssl.conf:3)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
```


`systemctl restart apache2`

`ss -plnt | grep 443`

```
LISTEN 0 511 *:443 *:* users:(("apache2",pid=10759,fd=6),("apache2",pid=10758,fd=6),("apache2",pid=10757,fd=6))
```


`openssl s_client alex.com:443`

```
CONNECTED(00000003)
depth=0 C = IT, ST = Italy, L = Rome, O = Alex, OU = alex, CN = alex.com, emailAddress = MY_MAIL
verify error:num=18:self signed certificate
verify return:1
depth=0 C = IT, ST = Italy, L = Rome, O = Alex, OU = alex, CN = alex.com, emailAddress = MY_MAIL
verify return:1
---
Certificate chain
 0 s:C = IT, ST = Italy, L = Rome, O = Alex, OU = alex, CN = alex.com, emailAddress = MY_MAIL
   i:C = IT, ST = Italy, L = Rome, O = Alex, OU = alex, CN = alex.com, emailAddress = MY_MAIL
---
Server certificate
....
```
HTTP/1.1 400 Bad Request
Date: Thu, 28 Oct 2021 09:49:20 GMT
Server: Apache/2.4.48 (Ubuntu)
Content-Length: 301
Connection: close
Content-Type: text/html; charset=iso-8859-1

--------------------------------------------------------------------------------
/firewall.txt:
--------------------------------------------------------------------------------
Stop/Disable Firewall
systemctl stop firewalld
systemctl disable firewalld
Do not install firewalld (these notes drive iptables directly; two managers rewriting the same tables is worse than one)
sudo apt-get purge firewalld (if installed mistakenly)

Before doing anything with NAT tables, make sure the following prints 1
cat /proc/sys/net/ipv4/ip_forward
If the output is 0, uncomment the following line in /etc/sysctl.conf (then run sysctl -p; otherwise it only takes effect after a reboot)
net.ipv4.ip_forward=1


List all rules (S for Specifications: the rules printed in the form you would type them)
sudo iptables -S

List all rules for one chain
sudo iptables -S INPUT

List rules in a table
sudo iptables -L
-> First line has the name of the chain with its default policy
-> Columns are:
-> ->target (ACCEPT, DROP, REJECT, or the name of a user-defined chain to jump to)
-> ->prot (protocol: tcp, udp, icmp, all)
-> ->opt (packet options, normally --)
-> ->source (anywhere = 0.0.0.0/0)
-> ->destination (anywhere)
-> ->the rest of the line is match/target detail: state or ctstate RELATED,ESTABLISHED / INVALID / NEW, dpt:ssh, reject-with icmp-port-unreachable / tcp-reset / icmp-proto-unreachable
Add -n to print addresses and ports numerically (no reverse DNS, 22 instead of ssh).

List packet counts and verbosity
sudo iptables -L INPUT -v

Delete a particular rule
First find the rule with
sudo iptables -S
(If the output is: -A INPUT -i lo -j ACCEPT, use the following command)
sudo iptables -D INPUT -i lo -j ACCEPT

Delete by line number
Find line numbers using
sudo iptables -L --line-numbers
To delete line 3 of chain INPUT
sudo iptables -D INPUT 3

Flush a single chain
sudo iptables -F INPUT


Flush All Rules, Delete All Chains and Accept All
(it will disable your firewall)
If you're 'ssh'ing into your server, first set the default policies for the built-in chains (INPUT, FORWARD, OUTPUT) to ACCEPT; flushing the rules while a policy is still DROP locks you out.
1) sudo iptables -P INPUT ACCEPT
2) sudo iptables -P FORWARD ACCEPT
3) sudo iptables -P OUTPUT ACCEPT
Flush the nat and mangle tables, then all chains of the filter table
4) sudo iptables -t nat -F
5) sudo iptables -t mangle -F
6) sudo iptables -F
Delete all non-default chains
7) sudo iptables -X


Look for iptables modules and load them
lsmod | grep ip_tables
modprobe -a ip_tables (-a: treat every argument as a module name to load)

Check System and Service Manager
ps --pid 1

An example iptables ruleset that still gives you internet access (and lets SSH in).
Order matters: add the ACCEPT rules first and set the DROP policies last; the other way round an SSH session used to type the rules stalls until the ESTABLISHED rule is in place.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
(The earlier version of this list ended each chain with "iptables -A INPUT -j ACCEPT" and "iptables -A OUTPUT -j ACCEPT". A catch-all ACCEPT as the last rule matches everything the rules above it did not, so the DROP policies were never reached and the filter was effectively open. Those two lines are dropped here; the two loopback rules are added so local services such as the resolver keep working under a DROP policy.)

If the server has a local network on NIC 'enp0s31f6', gets internet on NIC 'wlp1s0' and the vagrant VMs use the virtual NIC 'vboxnet1', the following needs to be done for local devices to reach the internet or the vagrant VMs.

Server:
(enp0s31f6)-> 10.10.0.10/24
(wlp1s0)-> 192.168.0.106/24
(vboxnet1)-> 192.168.33.1/24
iptables -t nat -A POSTROUTING -o wlp1s0 -j MASQUERADE
iptables -A FORWARD -i wlp1s0 -o enp0s31f6 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s31f6 -o wlp1s0 -j ACCEPT
(These rules only cover the internet path. If the FORWARD policy is DROP, as in the example above, traffic between enp0s31f6 and vboxnet1 needs its own pair of FORWARD rules in the same pattern.)
Local Device:
(eno1)-> 10.10.0.20/24
(/etc/network/interfaces)
auto eno1
iface eno1 inet static
address 10.10.0.20
netmask 255.255.255.0
gateway 10.10.0.10
(/etc/resolv.conf)
nameserver 8.8.8.8
Vagrant VM:
(eth1)-> 192.168.33.10/24


In order to connect from an AWS machine over VPN to the local network through the server, use the following.
Server:
(enp0s31f6)-> 10.10.0.10/24
(vpn0)-> 146.209.231.104/22
iptables -t nat -A POSTROUTING -o vpn0 -j MASQUERADE
iptables -A FORWARD -i vpn0 -o enp0s31f6 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i enp0s31f6 -o vpn0 -j ACCEPT
iptables -A PREROUTING -t nat -i vpn0 -p tcp --dport 2222 -j DNAT --to 10.10.0.20:22
iptables -A FORWARD -i vpn0 -o enp0s31f6 -p tcp -d 10.10.0.20 --dport 22 -j ACCEPT
(The last rule is needed whenever the FORWARD policy is DROP: the RELATED,ESTABL]ISHED rule does not match the first packet of the DNATed connection, so without it the port forward silently fails.)

Client:
(eno1)-> 10.10.0.20/24
(/etc/ssh/sshd_config)
PermitRootLogin yes
-> systemctl restart sshd
(Also need to set a root password)
passwd
This exposes a password-authenticated root login to everything that can reach 146.209.231.104:2222. Outside a lab, use PermitRootLogin prohibit-password with an SSH key, or log in as an ordinary user and sudo.
AWS client:
(eth0)-> 10.225.116.123/24
ssh -p 2222 146.209.231.104   (add root@ when logging in as root)

Drop ping packets (DROP discards the packet silently; REJECT discards it and sends an ICMP error back, so the sender learns it was refused)
iptables -A INPUT --protocol icmp --in-interface eth0 -j DROP
(With REJECT, ping reports 'Destination Port Unreachable', because the default reject-with is icmp-port-unreachable)

Allow/prevent NFS clients from mounting NFSv4 shares
iptables -F   (this flushes every existing rule in the filter table first)
iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 2049 -j REJECT
iptables -A INPUT -i eth0 -s 0/0 -p tcp --dport 111 -j REJECT
(Replace REJECT with ACCEPT to allow. -s 0/0 matches every source; to apply the rule only to the 192.168.0.0/24 clients, use -s 192.168.0.0/24 instead. NFSv4 needs only 2049; 111 is rpcbind, used by NFSv3.)

Display rules with line numbers and
verbosity 141 | iptables -nL -v --line-numbers 142 | 143 | Replace a rule with another rule. Following will replace rule 2 from INPUT 144 | iptables -R INPUT 2 -i eth0 -s 0/0 -p tcp --dport 2049 -j REJECT 145 | 146 | Save the rules and restoring them manually(though at bootup they automatically restore from saved file). 147 | sudo apt-get install iptables-persistent 148 | iptables-save > /etc/iptables/rules.v4 149 | iptables-restore < /etc/iptables/rules.v4 150 | (Other method for ubuntu) 151 | sudo apt-get install iptables-persistent 152 | sudo /etc/init.d/iptables-persistent save 153 | sudo /etc/init.d/iptables-persistent reload 154 | sudo netfilter-persistent save 155 | sudo netfilter-persistent reload 156 | 157 | #EXAMPLE: let icmp(ping), http work from client to server, just block ssh from a particular client 158 | sudo iptables -A INPUT -s client4 -p tcp --dport ssh -j REJECT (ssh can be replaced with 22) 159 | sudo iptables -A INPUT -s client4 -p tcp --dport 80 -j ACCEPT 160 | sudo iptables -A INPUT -s client4 --protocol icmp -j ACCEPT 161 | -------------------------------------------------------------------------------- /lxc.md: -------------------------------------------------------------------------------- 1 | ` apt install lxc-utils lxctl lxc-templates lxd` 2 | 3 | If there is some issue in starting the lxc-net service, be sure you don't have a dns service running 4 | ``` 5 | systemctl stop named.service 6 | systemctl restart lxc-net.service 7 | ``` 8 | 9 | `lxd init` 10 | 11 | lxc profile list 12 | 13 | 14 | `lxc-checkconfig` 15 | 16 | --- Control groups --- 17 | Cgroups: enabled 18 | Cgroup namespace: enabled 19 | Cgroup v1 mount points: 20 | Cgroup v2 mount points: 21 | /sys/fs/cgroup 22 | 23 | Cgroup v1 systemd controller: missing 24 | Cgroup v1 freezer controller: missing 25 | Cgroup ns_cgroup: required 26 | 27 | Cgroup device: enabled 28 | Cgroup sched: enabled 29 | Cgroup cpu account: enabled 30 | Cgroup memory controller: enabled 31 | Cgroup 
cpuset: enabled 32 | 33 | ```sh 34 | lxc-create -n debby -t download -- -d debian -r bullseye -a amd64 35 | lxc-start -n debby -o /var/log/lxc-debby.log --logpriority=INFO -F /bin/bash 36 | ``` 37 | 38 | lxc image list images:ubuntu/21 a=amd64 39 | lxc launch images:ubuntu/21.10 ubby-01 40 | lxc launch images:ubuntu/21.10 ubby-02 41 | 42 | ```bash 43 | lxc list 44 | +---------+---------+-----------------------+--------------------------------------------+-----------+-----------+ 45 | | NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS | 46 | +---------+---------+-----------------------+--------------------------------------------+-----------+-----------+ 47 | | ubby-01 | RUNNING | 10.172.37.1 (eth0) | 2602:fc62:a:2000:216:3eff:fe68:7f14 (eth0) | CONTAINER | 0 | 48 | +---------+---------+-----------------------+--------------------------------------------+-----------+-----------+ 49 | | ubby-02 | RUNNING | 10.108.213.109 (eth0) | 2602:fc62:a:2000:216:3eff:fef8:57f3 (eth0) | CONTAINER | 0 | 50 | +---------+---------+-----------------------+--------------------------------------------+-----------+-----------+ 51 | ``` 52 | 53 | ```bash 54 | lxc launch images:ubuntu/21.10 ubby-limited -c limits.cpu=1 -c limits.memory=200MiB 55 | 56 | lxc exec ubby-limited -- free -m 57 | total used free shared buff/cache available 58 | Mem: 200 18 152 0 28 181 59 | Swap: 0 0 0 60 | ``` 61 | 62 | lxc file push my-file ubby-limited/home 63 | 64 | 65 | ### Create a HTTP server 66 | 67 | #### APACHE 68 | ```sh 69 | lxc exec apache-01 -- sh -c "apk -U upgrade && apk add apache2 && rc-service apache2 start && rc-update add apache2" 70 | lxc copy apache-01 apache-02 71 | lxc start apache-02 72 | lxc list 73 | 74 | lxc exec apache-01 -- sh -c "echo 'Hello from APACHE-01' > /var/www/localhost/htdocs/index.html" 75 | lxc exec apache-02 -- sh -c "echo 'Hello from APACHE-02' > /var/www/localhost/htdocs/index.html" 76 | 77 | lxc exec apache-01 -- cat /var/www/localhost/htdocs/index.html 78 | Hello from 
APACHE-01 79 | 80 | wget -SqO- http://${APACHE_01_IP} 81 | 82 | HTTP/1.1 200 OK 83 | Date: Sat, 30 Oct 2021 14:35:22 GMT 84 | Server: Apache/2.4.51 (Unix) 85 | Last-Modified: Sat, 30 Oct 2021 14:35:10 GMT 86 | ETag: "15-5cf92d9d9f963" 87 | Accept-Ranges: bytes 88 | Content-Length: 21 89 | Keep-Alive: timeout=5, max=100 90 | Connection: Keep-Alive 91 | Content-Type: text/html 92 | Hello from APACHE-01 93 | 94 | wget -SqO- http://${APACHE_02_IP} 95 | 96 | HTTP/1.1 200 OK 97 | Date: Sat, 30 Oct 2021 14:35:27 GMT 98 | Server: Apache/2.4.51 (Unix) 99 | Last-Modified: Sat, 30 Oct 2021 14:35:18 GMT 100 | ETag: "15-5cf92da4cf773" 101 | Accept-Ranges: bytes 102 | Content-Length: 21 103 | Keep-Alive: timeout=5, max=100 104 | Connection: Keep-Alive 105 | Content-Type: text/html 106 | Hello from APACHE-02 107 | 108 | ``` 109 | #### NGINX 110 | ```sh 111 | lxc exec centos-nginx -- bash -c "yum -y update && yum -y install nginx && systemctl enable --now nginx" 112 | 113 | lxc info centos-nginx-master |grep -m1 inet |cut -f3 114 | 10.0.3.59 115 | export NGINX_01_IP=`lxc info centos-nginx-master |grep -m1 inet |cut -f3` 116 | 117 | wget -SqO- http://${NGINX_01_IP} 118 | 119 | HTTP/1.1 200 OK 120 | Server: nginx/1.14.1 121 | Date: Sat, 30 Oct 2021 14:53:14 GMT 122 | Content-Type: text/html 123 | Content-Length: 20 124 | Last-Modified: Sat, 30 Oct 2021 14:50:54 GMT 125 | Connection: keep-alive 126 | ETag: "617d5bce-14" 127 | Accept-Ranges: bytes 128 | WELCOME IN NGINX 01 129 | 130 | lxc copy centos-nginx-master centos-nginx-wrk-01 131 | lxc start centos-nginx-wrk-01 132 | 133 | # WAIT FOR STARTING BEFORE TAKING THE IP 134 | export NGINX_02_IP=`lxc info centos-nginx-wrk-01 |grep -m1 inet |cut -f3` 135 | ``` 136 | 137 | ##### Create a cluster 138 | 139 | ```sh 140 | lxc exec centos-nginx-master -- sh -c "echo $NGINX_02_IP bucket >> /etc/hosts" 141 | 142 | lxc exec centos-nginx-master bash 143 | #---- In the container 144 | vi /etc/hosts 145 | 127.0.0.1 bucket 146 | 147 | vi 
/etc/nginx/nginx.conf

http {
    ...

    upstream bucket {
        server 10.0.3.59 weight=2;
        server 10.0.3.231 weight=1;
    }
    # the load balancer: listens on 8080 and proxies to the two backends above
    server {
        listen 8080;
        server_name bucket;
        location / {
            proxy_pass http://bucket;
        }
    }

    # the backend itself: the static page on port 80
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        root /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

    ...
}


nginx -t && systemctl restart nginx

# port 8080 goes through the upstream; port 80 is the local backend only,
# so the weight=2 / weight=1 spread is only visible on 8080
for i in $(seq 1 8); do curl http://bucket:8080; done
#----

#---- On the host
echo 10.0.3.59 bucket >> /etc/hosts
for i in $(seq 1 8); do curl http://bucket:8080; done
```



### Useful links
- https://blog.simos.info/a-network-isolated-container-in-lxd/
- https://linuxcontainers.org/lxd/try-it/?id=2aca4d17-96c8-4244-876c-825a8ac5f468#introduction
- https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/
- https://upcloud.com/community/tutorials/configure-load-balancing-nginx/
- https://www.nginx.com/resources/wiki/start/topics/examples/full/
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
## This repo helps in preparing for LFCE.
2 | 3 | LFCE 4 | - https://www.safaribooksonline.com/videos/linux-foundation-certified/9780134774015/9780134774015-LFCE_01_01_06 5 | - https://learning.oreilly.com/videos/linux-foundation-certified/9780134774015/9780134774015-LFCE_01_01_00 6 | - https://github.com/rilindo/LFCE_Practice_Exams 7 | - https://linuxacademy.com/linux/training/course/name/linux-foundation-certified-systems-engineer 8 | - https://trainingportal.linuxfoundation.org/learn/course/linux-networking-and-administration-lfs211/ 9 | - [Youtube - Linux Foundation Ceritifed Engineer (LFCE)](https://www.youtube.com/watch?v=D0Xob4DGbFQ) 10 | 11 | NETWORK 12 | - http://www.tecmint.com/installing-network-services-and-configuring-services-at-system-boot/ 13 | - https://wiki.squid-cache.org/KnowledgeBase/TransparentProxySelectiveBypass 14 | 15 | SECURITY 16 | - https://www.coursera.org/learn/real-time-cyber-threat-detection/home/welcome 17 | - http://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-it-4/s1-firewall-ipt-fwd.html 18 | - https://medium.com/information-and-technology/so-what-is-apparmor-64d7ae211ed 19 | - [ Basic SELinux Troubleshooting in CLI ](https://access.redhat.com/articles/2191331) 20 | 21 | STORAGE 22 | - https://mariadb.com/kb/en/connecting-to-mariadb/ 23 | 24 | 25 | ## Requirements 26 | https://training.linuxfoundation.org/certification/linux-foundation-certified-engineer-lfce/ 27 | 28 | Essential Commands 5% 29 | Use version control tools 30 | Manipulate file content programmatically 31 | Run commands on many systems simultaneously 32 | Install Linux Distribution 33 | 34 | Operation of Running Systems 18 % 35 | Monitor, tune and troubleshoot system performance 36 | Update operating systems to provide required functionality and security 37 | Update the kernel and ensure the system is bootable 38 | Script automation tools to make work faster and more accurate 39 | Train team members on new technology or changes to existing systems 40 | Maintain systems via configuration management tools 41 | 
Maintain the integrity and availability of hardware 42 | Develop and test disaster recovery plans 43 | Support incident management for outages/trouble 44 | Produce and deliver reports on system use (processor, memory, disk, and network), outages, and user requests 45 | Monitor security and conduct audits 46 | Manipulate Linux system during the recovery process 47 | Use udev for device detection and management 48 | Configure and modify SELinux/AppArmor policies 49 | 50 | User and Group Management 10% 51 | Connect to an external authentication source 52 | Configure advanced PAM 53 | 54 | Networking 15% 55 | Monitor, tune and troubleshoot network performance 56 | Configure network traffic tunneling 57 | Configure a system to perform Network Address Translation 58 | Dynamically route IP traffic 59 | Implement advanced packet filtering 60 | 61 | Service Configuration 17% 62 | Implement and configure an HTTP server 63 | Implement and configure time synchronization server 64 | Implement and configure network logging server 65 | Configure a DHCP server 66 | Implement and configure an SMTP service 67 | Implement and configure the HTTP proxy server 68 | Configure host-based and user-based security for a service 69 | Implement and configure a centralized authentication server 70 | Implement and configure a PXE Boot server 71 | Implement and configure an authoritative DNS server 72 | 73 | Storage Management 10% 74 | Manage advanced LVM configuration 75 | Identify storage devices using block device attributes 76 | Manage Linux file system features and flags 77 | Implement and configure remote block storage devices 78 | Implement and configure network shares 79 | 80 | System Design and Deployment 25% 81 | Define a capacity planning strategy 82 | Conduct post deployment verifications 83 | Create and maintain software packages 84 | Create, configure and maintain containers 85 | Deploy, configure, and maintain high availability/clustering/replication 86 | 87 | 88 | ## Notes 89 | 
1st: 90 | 91 | Starting docker image. 92 | Pam 93 | Put firewall for TCP port and specific user 94 | DNS zone example.com. 95 | Apache server 96 | Squid 97 | Degrade a package 98 | Ctrl + w , ctrl +alt + w wasn't working 99 | 100 | 2nd: 101 | 102 | >Docker 103 | create a docker with nginx:xxx 104 | docker was not installed 105 | 106 | >udev 107 | maybe: do somthing with /srv/xxxx 108 | or maybe: create some drives 109 | 110 | >systemd 111 | fix issues with mysql without modifying configuration files 112 | 113 | >Packaging 114 | create deb package, tar was provided 115 | 116 | >samba 117 | create filesystem 118 | create user xxxxx 119 | allow that user 120 | 121 | >git 122 | clone a git repo from gitserver(didn't mention username) at /srv/xxx, ssh has been configured correctly, to /anther/location 123 | then do bunch of stuff using git 124 | 125 | >squid 126 | install squid and configure it to take configuration from squid-upstream and then maybe clone to squid-downstream 127 | 128 | >kernel/random question 129 | there's a kernel in /srv/xxxx, make it bootable or installable at bootup. I did it using systemd. I used command to install dpkg --install .... 130 | >rsyslog 131 | install and enable and someother stuff 132 | 133 | >partition 134 | create volume group vgx using /dev/xxx /dev/xxx /dev/xxx with 500 MB. 135 | create ...... with slicing 5MB. 136 | total of two questions 137 | 138 | >pam 139 | configure pam ssh so that if user tries to login 5 time, it gets refused 140 | 141 | >Database 142 | 143 | >Openldap 144 | looks like ldap server was already installed. kind of exercise provided by linuxacademy.com 145 | 146 | >Firewall 147 | i)this one may not have to be done using firewall -> disallow user charlie to get or maybe send at tcp/portxxx on computer xxxxx. 148 | ii) route traffic from port xxx at internet interface to ip address xx.x.x.x at port xx 149 | 150 | >LXC 151 | it was mentioned they were using lxc for all the machines in the beginning. 
Create lxc Fxxxx and clone Gxxxx and with or something related to /srv/xxx 152 | maybe also boot + not boot with these lxc images 153 | 154 | >Permission 155 | many questions: give permission to directory /xxx/xxx 740 and all the files inside this directory 6xx 156 | 157 | >Email 158 | configure postfix 159 | use /xxx/xxx.key to create certificate signing request and put it at /xxx/xxxx 160 | use same key and create self signed certificate and put it /xxx/xxx 161 | use that ssl key and certificate 162 | 163 | >Apache 164 | install apache 165 | configure http to listen on port 123 and https to listen on port 567. 166 | 167 | >Random question 168 | i) failsafe to server xxxxxxx 169 | ii do it using only nginx or haproxy 170 | 171 | >Downgrade 172 | downgrade package cesxxxx to last version 173 | 174 | >NFS 175 | create nfs share 176 | give ro insecure access to network xx.xx.xx.xx 177 | give rw secure access to example.com 178 | 179 | >DNS 180 | install bind 181 | configure it so that at-least it's listening at lo 182 | create a policy at /etc/bind/zones for example.com 183 | 184 | >JAVE=xxxx 185 | setup environment variable and confirm using ssh 186 | 187 | >sed 188 | Question to do a lot of things with file manipulation, like delete all redundant lines, delete second column, and many more. 189 | -------------------------------------------------------------------------------- /apache.txt: -------------------------------------------------------------------------------- 1 | Install apache 2 | sudo apt-get install apache2 3 | 4 | If apache is not working. 
5 | sudo apt-get purge apache2 libapache2-mod-php* php* 6 | sudo apt-get remove apache2 7 | sudo apt-get install apache2 8 | sudo apt-get install php7.0 libapache2-mod-php7.0 9 | 10 | sudo /etc/init.d/apache2 restart 11 | 12 | Inside vagrant 13 | [vagrant up] 14 | [vagrant ssh] 15 | 16 | sudo apt-get install apache2 17 | 18 | Verify apache is installed and running 19 | ps -ef | grep apache | grep -v grep 20 | 21 | Server directory 22 | DocumentRoot /var/www 23 | 24 | Access log is at following location, normally. 25 | /var/log/apache2/ 26 | access.log 27 | error.log 28 | 29 | Log Format 30 | LogFormat "%h %l %u %t \"%r\" %>s %b" [nickname] 31 | %h Remote hostname or IP address 32 | %l Remote log name 33 | %u Remote user if the request is authenticated 34 | %t Date and time when the request was received 35 | %r First line of request to the server 36 | %>s Final status of the request 37 | %b Size of the response [bytes] 38 | 39 | If there's following error: 40 | Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName 41 | It's just a warning. In order to remove it add following line to /etc/apache2/apache2.conf 42 | ServerName localhost 43 | 44 | Adding Virtualhost 45 | If we want to make a website www.ghummantech.com [inside vagrant] 46 | 1) Create a directory at /var/www/ghummantech (no html dir exists) and add following content to ghummantech/index.html 47 | 48 | 49 |

ghummantech created.




2) sudo vim /etc/apache2/sites-available/ghummantech.conf
(minimum)

DocumentRoot /var/www/ghummantech
ServerName www.ghummantech.com

(full version)

ServerAdmin admin@ghummantech.com
DocumentRoot /var/www/ghummantech
ServerName www.ghummantech.com
ServerAlias www.ghummantech.org ghummantech.com
ErrorLog /var/www/ghummantech/error.log
LogFormat "%v %l %u %t \"%r\" %>s %b" myvhost
CustomLog /var/www/ghummantech/access.log myvhost
(Logs written inside the DocumentRoot are served like any other file, so anyone can fetch error.log and access.log from this site. Keep them under /var/log/apache2/ unless that is intended.)

3)
cd /etc/apache2/sites-available/
sudo a2ensite ghummantech.conf   (a2ensite takes the site name and creates the symlink in sites-enabled/)

4) sudo vim /etc/hosts. Add the following
127.0.0.1 www.ghummantech.com
127.0.0.1 ghummantech.com

5) sudo service apache2 restart (or sudo systemctl restart apache2)

NOTES:
a) On my linux laptop, I saw that if you put the 'VirtualHost' paragraph inside a separate file like /etc/apache/sites-available/ghummantech.conf, it doesn't work. I need to add the VirtualHost paragraph inside the 000-default.conf file. I put the new paragraph in the beginning.

b) Without putting the names of the websites with the server address inside /etc/hosts, none of the redirection methods worked.
Redirection can be done using one of the following techniques, maybe even more.
i) Inside VirtualHost use ServerAlias www.ghummantech.org ghummantech.com (also in /etc/hosts add: 192.168.33.88 www.ghummantech.org ghummantech.com)
ii) It didn't work using curl, but worked on firefox

Servername 54borden.com
RedirectMatch permanent ^/(.*) http://www.54borden.com/$1

iii) sudo a2enmod rewrite (equivalent to sudo ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/)
Inside 000-default.conf add the following inside VirtualHost
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

#####################################################################
# Self Signed/Certificate Signing Request
# SSL (Secure Sockets Layer; what is actually negotiated today is TLS, mod_ssl just keeps the old name)
#####################################################################

1) Enable SSL module
a2enmod ssl

2) Create key and certificate (self-signed; add -nodes for a key without passphrase, and chmod 600 the key file)
mkdir -p /etc/apache2/ssl-certs
openssl req -x509 -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl-certs/apache.key -out /etc/apache2/ssl-certs/apache.out

3) Configure 000-default-site

ServerName www.mynewsite.com
DocumentRoot /var/www/mynewsite.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl-certs/apache.out
SSLCertificateKeyFile /etc/apache2/ssl-certs/apache.key


#######################################################################
# My understanding about Apache in ubuntu
#######################################################################

A virtual host is needed when you want to host more than one site.
It can be name-based or ip-based or both.

Name-Based:

One website 'business.example.com' hosted at say '/vhost/business.example.com' and another website 'sales.example.com' hosted at say '/vhost/sales.example.com'. Inside /etc/hosts, www.business.example.com, business.example.com, www.sales.example.com and sales.example.com all refer to one ip address which is also the localhost/eth0/eth1 ip address, meaning the original website /var/www/html will also be hosted using the same ip address. Apache chooses the VirtualHost from the Host header of the request (for https, from the SNI name sent in the TLS handshake).
Go to /etc/apache2/sites-enabled/000-default.conf and at the end of the file add the following lines

ServerName www.business.example.com
ServerAlias www.business.example.com business.example.com
DocumentRoot /vhost/business.example.com/


ServerName www.sales.example.com
ServerAlias www.sales.example.com sales.example.com
DocumentRoot /vhost/sales.example.com/

To access with SSL like https://www.business.example.com, after doing the above step, do the following
1)
cd /etc/apache2/mods-available
sudo a2enmod ssl
2)
sudo a2ensite default-ssl (or sudo ln -s /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-enabled/, or just copy it)
sudo vim /etc/apache2/sites-enabled/default-ssl.conf
3)
a) After the first line
NameVirtualHost 192.168.33.10:443
(NameVirtualHost is ignored by Apache 2.4, which always matches virtual hosts by name; it is only needed on 2.2.)
b) Replace with (Trying to implement name based virtual host)
c) At the end of the file but before the last line, add the following

ServerName www.business.example.com
ServerAlias www.business.example.com business.example.com
DocumentRoot /vhost/business.example.com/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key


ServerName www.sales.example.com
ServerAlias www.sales.example.com sales.example.com
DocumentRoot /vhost/sales.example.com/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

(The snakeoil certificate carries the machine's hostname, not these site names, so browsers will warn for both sites until each VirtualHost gets a certificate issued for its own name.)


IP-Based And/Or Both

IP-based means assigning a separate ip address to every domain. Older guides call it the recommended way to do SSL because, before SNI, the server had to choose a certificate before it knew which site the client wanted, so several https sites on one address could not each have their own certificate. With SNI (Apache 2.4, every current browser, curl and openssl s_client all send it) name-based https virtual hosts work, as the example above already shows; IP-based hosting is only needed for clients that cannot send SNI. Assign ip addresses using the following commands.
sudo ip addr add 192.168.33.88/24 dev eth1
sudo ip addr add 192.168.33.89/24 dev eth1
(ip addr add is not persistent; put the addresses in the interface configuration to survive a reboot)
Update /etc/hosts for the different websites
Edit 000-default as follows

ServerName www.business.example.com
ServerAlias www.business.example.com business.example.com
DocumentRoot /vhost/business.example.com/


ServerName www.sales.example.com
ServerAlias www.sales.example.com sales.example.com
DocumentRoot /vhost/sales.example.com/

In default-ssl there's no need for the line 'NameVirtualHost 192.168.33.10:443' as every VirtualHost is going to have a separate ip address. Original one can stay as . And add the following.

ServerName www.business.example.com
ServerAlias www.business.example.com business.example.com
DocumentRoot /vhost/business.example.com/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key


ServerName www.sales.example.com
ServerAlias www.sales.example.com sales.example.com
DocumentRoot /vhost/sales.example.com/
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key


#################################################################
# Password Protected Sub Directory
#################################################################


Inside 000-default or default-ssl (for https) or create a new file '/etc/apache2/sites-enabled/secure-dir.conf' (the manual recommends it), and add the following inside the VirtualHost's Directory for the desired website.
If I create a new file and add it independently, I think I will look for the secure directory inside /var/www/html (the default website).

AuthType Basic
AuthName "Restricted Area"
AuthUserFile secure.users
Require valid-user

Then to create the username/password file, go to /etc/apache2 and use the following
htpasswd -c secure.users ghumman
(-c creates the file and overwrites an existing one, so use it only for the first user. A relative AuthUserFile is resolved against ServerRoot, /etc/apache2 here.)

#################################################################
# Advanced Settings
#################################################################

1) cgi
(common gateway interface)
When a user requests www.54borden.com/scripts/foo.cgi?, run the script /new-cgi/foo.cgi.
It involves two steps: route /scripts/ to /new-cgi/, then run the script.
Add the following to 000-default.conf
ScriptAlias /scripts/ /new-cgi/
<Directory /new-cgi>
Require all granted
</Directory>

Content of /new-cgi/foo.cgi, it should be executable (chmod +x /new-cgi/foo.cgi)
#!/bin/bash
# CGI output starts with the headers, then one blank line, then the body
echo "Content-type: text/plain"
echo ""
echo "File is $1"
# Enable cgi module
a2enmod cgi
# To test
w3m http://54borden.com/scripts/foo.cgi?bar

2) rewrite
Redirect http://54borden.com/foo/.* to http://54borden.com/scripts/foo.cgi?.*
Add the following to 000-default.conf
RewriteEngine on
RewriteOptions inherit
RewriteRule ^/foo/(.*) /scripts/foo.cgi?$1 [L,PT]
# Enable rewrite
a2enmod rewrite
# Test
w3m www.54borden.com/foo/bar

3) status
Show status at www.54borden.com/server-status
Add the following to 000-default.conf
<Location /server-status>
SetHandler server-status
Require ip 192.168.33.0/24 ::1 127.
</Location>
# Enable status
a2enmod status (enabled by default)
# Test
w3m www.54borden.com/server-status/
(server-status lists current requests and client addresses, so keep the Require ip line; do not open it with Require all granted.)

4) include
Include/read other html files inside an html file (server-side includes)
# Add the following to 000-default.conf
<Directory /ipvhost/www.54borden.com/magic>
Options +Includes
XBitHack on
</Directory>
# Enable include
a2enmod include
# Create the following files (with XBitHack on, index.html is only parsed if it has the execute bit: chmod +x /ipvhost/www.54borden.com/magic/index.html)
/ipvhost/www.54borden.com/magic/index.html
"
<html>
<head>
<title>This file is a magic include file</title>
</head>
<body>
<h1>This file is a magic include file</h1>
<p>Foo include below</p>
<!--#include virtual="includes/foo.html" -->
<p>Bar include below</p>
<!--#include virtual="includes/bar.html" -->
</body>
</html>
"
/ipvhost/www.54borden.com/magic/includes/foo.html
this is foo file
/ipvhost/www.54borden.com/magic/includes/bar.html
this is bar file
# Test
w3m www.54borden.com/magic/index.html
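The settings these notes touch (Basic auth that belongs in default-ssl, the Require ip on server-status, and the snakeoil placeholder certificate) can be checked mechanically before a reload. The script below is an added example, not part of these notes; it parses a constructed config fragment modelled on the vhosts above and reports the weak settings. The three rules are my own checks, not anything Apache enforces.

```python
import re
# Added example, not from these notes: a linter for the vhost settings shown above.
OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
def sections(text):
    root = {"id": "main", "vhost": "", "directives": []}
    stack, out = [root], [root]  # out: flat list of sections, each tagged with its vhost
    for line in map(str.strip, text.splitlines()):
        if m := OPEN_RE.match(line):
            vhost = m[2].strip() if m[1] == "VirtualHost" else stack[-1]["vhost"]
            node = {"id": line.strip("<>"), "vhost": vhost, "directives": []}
            stack.append(node)
            out.append(node)
        elif line.startswith("</"):
            stack.pop()
        elif line and not line.startswith("#"):  # skip blank and comment lines
            key, _, val = line.partition(" ")
            stack[-1]["directives"].append((key, val.strip()))
    return out

def lint(text):
    """Flag Basic auth without TLS, unrestricted server-status and the snakeoil cert."""
    findings = []
    for sec in sections(text):
        d = dict(sec["directives"])
        if d.get("AuthType") == "Basic" and not sec["vhost"].endswith(":443"):
            findings.append(f'{sec["id"]}: Basic auth outside a :443 vhost, password sent in clear')
        if d.get("SetHandler") == "server-status" and not any(
                k == "Require" and v.startswith("ip ") for k, v in sec["directives"]):
            findings.append(f'{sec["id"]}: server-status not limited with "Require ip"')
        if "snakeoil" in d.get("SSLCertificateFile", ""):
            findings.append(f'{sec["id"]}: self-signed snakeoil certificate, replace before going live')
    return findings

# Constructed sample mirroring the notes: one http vhost, one https vhost.
SAMPLE = """<VirtualHost *:80>
    <Directory /vhost/business.example.com/secure>
        AuthType Basic
    </Directory>
    <Location /server-status>
        SetHandler server-status
        Require all granted
    </Location>
</VirtualHost>
<VirtualHost 192.168.33.10:443>
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    <Location /server-status>
        SetHandler server-status
        Require ip 192.168.33.0/24 ::1 127.
    </Location>
</VirtualHost>"""
```

Run lint(SAMPLE) to see three findings; the Location under the :443 vhost passes because its Require line starts with "ip".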