Linux Microsoft VMware

Tuesday, August 28, 2012

Rescue Linux Installation in RHEL / CENTOS / Fedora


Rescuing a Linux system is an easy task, and there are several aspects to it.
Here we are going to see how to rescue an installed Linux system when GRUB has been deleted.
Suppose you have a Linux system and you recently installed Windows into a new partition, leaving the Linux partitions unchanged. After the Windows installation, Linux no longer boots. This is because the Windows installer overwrites the MBR, thereby removing the GRUB boot loader.
In this case the Linux partitions are still there; the system just does not boot. Fixing this problem is very simple: just install GRUB. That is all there is to do.

Step 1: Boot from the install CD / DVD (net-install also)
Step 2: Select “Rescue Installed System” in the GUI

Or type the “linux rescue” command at the “boot:” prompt.


Now the system is booting the rescue image. Choose your language.

Select Keyboard type

The networking setup. We do not need the network interfaces during the rescue process, so choose the “No” option to leave them stopped.

This step will now attempt to find your Linux installation and mount it under the directory /mnt/sysimage. So to continue select “Continue“.


If the rescue environment is unable to find your Linux installation, you will get a message saying so.
If the rescue environment is able to find the Linux installation, it will be mounted under the /mnt/sysimage directory.



Now supply the following commands:
sh-3.2# chroot /mnt/sysimage
sh-3.2# grub-install /dev/sda
Installation finished. No error reported.
This is the contents of the device map /boot/grub/device.map.
Check if this is correct or not. If any of the lines is incorrect,
fix it and re-run the script 'grub-install'.
 
# this device map was generated by anaconda
(hd0)     /dev/sda
/dev/sda is the name of your hard disk. Check it carefully.

Now reboot.

sh-3.2# reboot

Or run init 6 to reboot.
Now you should see your Linux OS in the OS chooser menu.









Monday, August 27, 2012

Authentication / Password Protection in Apache


There are many ways to password protect directories under the Apache web server. This is important for keeping your files private from both unauthorized users and search engines (when you do not want your data indexed). Here you will see the basics of password protecting a directory on your server. You can use either of the following methods:

  1. Putting authentication directives in a <Directory> section in your main server configuration file, httpd.conf, is the preferred way to implement this kind of authentication.
  2. If you do not have access to the Apache httpd.conf file (for example, on shared hosting), you can create password-protected directories with the help of a file called .htaccess. The .htaccess file provides a way to make configuration changes on a per-directory basis.


In order to create Apache password-protected directories you need:

  • a password file
  • the name of the directory you would like to password protect (/var/www/html/private)


Step 1: Make sure Apache is configured to use .htaccess file

You need to have the AllowOverride AuthConfig directive in the httpd.conf file in order for these directives to have any effect. Look for the DocumentRoot Directory entry. In this example, our DocumentRoot directory is set to /var/www/html/private. Therefore, my entry in httpd.conf looks as follows:

<Directory /var/www/html/private>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride AuthConfig
Order allow,deny
Allow from all
</Directory>

Save the file and restart Apache

# service httpd restart

Step 2: Create a password file with htpasswd

The htpasswd command is used to create and update the flat files (text files) that store usernames and passwords for basic authentication of Apache users. General syntax:

# htpasswd -c password-file username
Where,

  • -c: Create the password-file. If password-file already exists, it is rewritten and truncated.
  • username: The username to create or update in password-file. If username does not exist in this file, an entry is added. If it does exist, the password is changed.

Create a directory outside the Apache document root, so that only Apache can access the password file. The password file should be placed somewhere that is not accessible from the web, so that people cannot download it:

# mkdir -p /home/password/

Add a new user called marshal:

# htpasswd -c /home/password/.htpasswd marshal

Make sure the “/home/password/.htpasswd” file is readable by the Apache web server. If Apache cannot read your password file, it will not authenticate you. You need to set up the correct ownership and permissions using the chown and chmod commands.

Now allow the apache user to read our password file:

# chown apache:apache /home/password/.htpasswd
# chmod 0660 /home/password/.htpasswd

Create a directory /var/www/html/private if it does not exist:

# mkdir -p /var/www/html/private

Create the .htaccess file using a text editor:

# cd /var/www/html/private
# vi .htaccess

Add the following text:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/password/.htpasswd
Require user marshal

Save file and exit to shell prompt.

Step 3: Test your configuration

Start your browser and go to http://yourdomain.com/private or http://localhost/private or http://ip-address/private

When prompted for a username and password, supply the username marshal and its password. You can also add the following lines to any <Directory> entry in the httpd.conf file:

AuthType Basic
AuthName "Restricted Access"
AuthUserFile /home/password/.htpasswd
Require user marshal

To change a password or set up a new user, use the htpasswd command again (without -c, which would truncate the existing file).
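A check for the setup above, as an added example that is not part of the original post: it confirms that the password file sits outside the document root, is not accessible to other local users, and reports the hash scheme of each entry. The function names and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an Apache Basic-auth password file.
# Function names and sample data are constructed for illustration.

# Succeeds when FILE lives under DOCROOT, where Apache could serve it.
inside_docroot() {
    file_dir=$(cd "$(dirname "$1")" && pwd -P) || return 2
    root=$(cd "$2" && pwd -P) || return 2
    case "$file_dir/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when "other" has any permission bit set on FILE.
world_accessible() {
    [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]
}

# Names the hash scheme of one "user:hash" htpasswd line.
# The 13-character DES-crypt match is a heuristic.
hash_scheme() {
    hash=${1#*:}
    case "$hash" in
        '$apr1$'*)       echo apr1-md5 ;;
        '$2y$'*|'$2a$'*) echo bcrypt ;;
        '$5$'*|'$6$'*)   echo sha-crypt ;;
        '{SHA}'*)        echo sha1-unsalted ;;
        ?????????????)   echo des-crypt ;;
        *)               echo unknown-or-plaintext ;;
    esac
}

# Prints one finding per line; returns 1 if there was any finding.
audit_htpasswd() {
    file=$1; docroot=$2; rc=0
    if inside_docroot "$file" "$docroot"; then
        echo "FAIL: $file is under $docroot and may be downloadable"; rc=1
    fi
    if world_accessible "$file"; then
        echo "FAIL: $file is accessible to every local user"; rc=1
    fi
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$(hash_scheme "$line")" in
            bcrypt|apr1-md5|sha-crypt) ;;
            *) echo "WARN: ${line%%:*} uses $(hash_scheme "$line")"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Demo on constructed files; the hash is a placeholder, not a real one.
demo=$(mktemp -d)
mkdir -p "$demo/www/private" "$demo/password"
printf '%s\n' 'marshal:$apr1$constructed$placeholderplaceholder1' \
    > "$demo/password/.htpasswd"
chmod 0660 "$demo/password/.htpasswd"
audit_htpasswd "$demo/password/.htpasswd" "$demo/www" && echo "OK: no findings"
rm -rf "$demo"
```

Run it against the real AuthUserFile path and DocumentRoot by calling audit_htpasswd with those two arguments.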

Securing Apache Web Server with Encryption


In this post we are going to discuss encrypting communications to the web server using TLS/SSL.

Step 1:  Install mod_ssl and httpd

# yum -y install mod_ssl httpd

Step 2: Do the general web server setup by editing “/etc/httpd/conf/httpd.conf” and creating the web pages in the directories described in that configuration file.

Step 3: Edit the SSL configuration file

# vim /etc/httpd/conf.d/ssl.conf

Check line number 88 and uncomment it if it is commented out:

SSLEngine on

We are using the default certificate and its key.

Line number 105 points to the certificate file:

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

Line number 112 points to the certificate key file:

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

That is all the editing needed in the SSL configuration file.

Step 4: Restart httpd service

# service httpd restart

Step 5: Check it out

Open a browser and type the URL in the address bar:

http://server.example.com

An error message is now displayed saying that “this page can only be viewed using the URL https://server.example.com”. Type the URL:

https://server.example.com

When the browser presents a warning, click the “I understand the Risks” link > click the “Add Exceptions…” button > click “View…” when it becomes active > click “Close” > click “Confirm security exception”.

Above we used the default certificate / key pair. We can also use a custom self-signed certificate generated with crypto-utils.

Install crypto-utils

# yum -y install crypto-utils

Generate a self-signed certificate / key pair using the “genkey” tool

You should be root to generate a key.

First, use the “cd” command to change to the “/etc/httpd/conf/” directory. Remove the fake key and certificate that were generated during the installation with the following commands:

# rm ssl.key/server.key
# rm ssl.crt/server.crt
# genkey www.example.com

 Click next >>

Click next >>

On generating your key, you will be prompted to send a Certificate Request (CSR) to a Certificate Authority (CA).

Click no >>

Click next >>

If you choose to encrypt the key, you should set a pass phrase to decrypt it. With “encrypt the private key” selected, you will be asked for the pass phrase every time the httpd service is restarted.


Enter the pass phrase and click next >>

Click close.

Now configure the server to use the new certificate and key.

Check whether you have the new certificate and key.

# ls /etc/pki/tls/certs/
ca-bundle.crt  ca-bundle.trust.crt  localhost.crt  make-dummy-cert  
Makefile  server.csr    server.crt    www.example.com.crt
# ls /etc/pki/tls/private/
server.key     www.example.com.key

Edit “/etc/httpd/conf.d/ssl.conf”. Change the SSLCertificateFile and SSLCertificateKeyFile lines to:

SSLCertificateFile /etc/pki/tls/certs/www.example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

Now restart the httpd service

# service httpd restart
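A check to run after the switch to the new pair, as an added example that is not part of the original post: it reads the three directives edited above from an ssl.conf-style file, confirms both files exist, flags the default localhost.crt, and flags a private key that anyone other than its owner can access. The function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an ssl.conf-style file after switching key pairs.
# Function names and the demo files are constructed for illustration.

# Prints the value of the last uncommented DIRECTIVE line in CONF.
# Apache directive names are case-insensitive; quotes are stripped.
ssl_directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 }
        END { gsub(/"/, "", v); print v }' "$1"
}

# Succeeds when group or other has any permission bit on FILE.
key_exposed() {
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# Prints one finding per line; returns 1 if there was any finding.
audit_ssl_conf() {
    conf=$1; rc=0
    engine=$(ssl_directive "$conf" SSLEngine)
    cert=$(ssl_directive "$conf" SSLCertificateFile)
    key=$(ssl_directive "$conf" SSLCertificateKeyFile)
    case "$engine" in
        [Oo][Nn]) ;;
        *) echo "FAIL: SSLEngine is '${engine:-unset}', expected on"; rc=1 ;;
    esac
    case "$cert" in
        */localhost.crt) echo "WARN: still using the default localhost.crt"; rc=1 ;;
    esac
    if [ ! -f "$cert" ]; then
        echo "FAIL: certificate '$cert' not found"; rc=1
    fi
    if [ ! -f "$key" ]; then
        echo "FAIL: key '$key' not found"; rc=1
    elif key_exposed "$key"; then
        echo "FAIL: key '$key' is accessible beyond its owner"; rc=1
    fi
    return $rc
}

# Demo: constructed config and empty stand-in files in a temp directory.
demo=$(mktemp -d)
: > "$demo/www.example.com.crt"
: > "$demo/www.example.com.key"
chmod 0600 "$demo/www.example.com.key"
cat > "$demo/ssl.conf" <<EOF
#SSLEngine off
SSLEngine on
SSLCertificateFile $demo/www.example.com.crt
SSLCertificateKeyFile $demo/www.example.com.key
EOF
audit_ssl_conf "$demo/ssl.conf" && echo "OK: no findings"
rm -rf "$demo"
```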






Configure Apache in RHEL / CENTOS



Packages required: httpd, httpd-devel, httpd-manual
Daemon: /usr/sbin/httpd
Script: /etc/init.d/httpd
Ports: 80/tcp (http), 443/tcp (https)
Configuration: /etc/httpd/*, /var/www/*

These are the things to keep in mind while setting up a web server.

Password protect GRUB / Lock Single User Mode in Linux / RHEL / CENTOS


The primary reasons for password protecting a Linux boot loader are as follows:

1. Preventing Access to Single User Mode: If attackers can boot the system into single user mode, they are logged in automatically as root without being prompted for the root password.
2. Preventing Access to the GRUB Console: If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.
3. Preventing Access to Insecure Operating Systems: If it is a dual-boot system, an attacker can select an operating system at boot time (for example, DOS), which ignores access controls and file permissions.

How to password protect GRUB

Step 1: Open a shell, log in as root, and type the following command.


[root@server ~]# /sbin/grub-md5-crypt
Password:
Retype password:
$1$ZqLKR0$cimxs9UxGPM11IG/U.FW41

Once you have confirmed the password, an MD5 hash of the password entered is returned.

Step 2: Edit the GRUB configuration file /boot/grub/grub.conf. Open the file and add the line below just after the timeout line.

 password --md5 <password-hash>

Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.

Now the GRUB configuration file will look like this:


# grub.conf generated by anaconda
 #
 # Note that you do not have to rerun grub after making changes to this file
 # NOTICE:  You do not have a /boot partition.  This means that
 #          all kernel and initrd paths are relative to /, eg.
 #          root (hd0,0)
 #          kernel /boot/vmlinuz-version ro root=/dev/sda1
 #          initrd /boot/initrd-[generic-]version.img
 #boot=/dev/sda
 default=0
 timeout=5
 password --md5 $1$ZqLKR0$cimxs9UxGPM11IG/U.FW41
 splashimage=(hd0,0)/boot/grub/bootimage1.xpm.gz
 hiddenmenu
 title CentOS (2.6.32-131.21.1.el6.x86_64)
 root (hd0,0)
 kernel /boot/vmlinuz-2.6.32-131.21.1.el6.x86_64 ro root=UUID=7aa8bb3f-2566-4d14-ae10-4d2c24ecbb0a rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
 initrd /boot/initramfs-2.6.32-131.21.1.el6.x86_64.img
 title Other
        rootnoverify (hd0,0)
        chainloader +1

Now reboot the system and see that access to the GRUB menu editor and command interface is locked down. To unlock them, the user must press p followed by the GRUB password.

Unfortunately, this solution does not prevent an attacker from booting into an insecure operating system in a dual-boot environment. For this, a different part of the /boot/grub/grub.conf file must be edited.

Look for the title line of the operating system that you want to secure. Add the lock directive immediately after it.

For a non-Linux system, the stanza will begin like this:

title Other
        lock

Note: A password line must be present in the main section of the /boot/grub/grub.conf file for this method to work properly. Otherwise, an attacker can access the GRUB editor interface and remove the lock line.

You can also set a different password for each kernel or operating system you have. To do this, add a lock line to that particular stanza, followed by a password line.

title Other
        lock
        password --md5 <password-hash>

Replace <password-hash> with the value returned by /sbin/grub-md5-crypt.
Now the password-protected kernel or operating system stanza in the GRUB configuration file will look like this:


title Other
        lock
        password --md5 $1$rjTKR0$GzSI4M.q8EREUsAw674Z5/
        rootnoverify (hd0,0)
        chainloader +1

That’s it….
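A check for the protections described above, as an added example that is not part of the original post: it reads a GRUB legacy grub.conf and reports a missing global password line, any password stored without --md5, and any chainloader stanza that has no lock line. The function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a GRUB legacy grub.conf for the protections above.
# The function name and the sample file are constructed for illustration.

# Prints one finding per line; returns 1 if there was any finding.
audit_grub_conf() {
    awk '
    function close_stanza() {
        if (title != "" && chain && !locked) {
            print "WARN: \"" title "\" chainloads another OS without lock"
            bad = 1
        }
    }
    BEGIN { bad = 0; title = "" }
    $1 ~ /^#/ { next }
    $1 == "title" {
        close_stanza()
        title = $0; sub(/^[ \t]*title[ \t]+/, "", title)
        chain = 0; locked = 0
        next
    }
    $1 == "password" {
        if (title == "") global_pw = 1
        if ($2 != "--md5") {
            print "FAIL: plain-text password on line " NR; bad = 1
        }
    }
    $1 == "lock" { locked = 1; any_lock = 1 }
    $1 == "chainloader" { chain = 1 }
    END {
        close_stanza()
        if (!global_pw) {
            msg = "FAIL: no global password, GRUB editor is open"
            if (any_lock) msg = msg " and lock lines can be removed"
            print msg; bad = 1
        }
        exit bad
    }' "$1"
}

# Demo: constructed grub.conf; the hash is a placeholder.
demo=$(mktemp)
cat > "$demo" <<'EOF'
default=0
timeout=5
password --md5 $1$constructed$placeholder
title CentOS
        root (hd0,0)
        kernel /boot/vmlinuz ro root=/dev/sda1
title Other
        rootnoverify (hd0,0)
        chainloader +1
EOF
audit_grub_conf "$demo" || echo "findings reported above"
rm -f "$demo"
```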

Change / Hack the Root password in Linux / RHEL / CENTOS


Forgot root password

Suppose you want to get into a Linux system. You know nothing about the existing users or their passwords. What will you do?
The only thing you know is that the user root exists. So we must find a way to get the root password.
I think you know about the different run-levels on a UNIX machine. Single user mode, or run-level 1, is used for this kind of rescue purpose. So what you should do is enter rescue mode. Click here to learn how to enter Rescue mode in Linux / UNIX.

Once the Rescue environment is loaded, you will get a shell which is your default bash shell.
Now use the passwd command to set / change the root’s password.

[root@server ~]# passwd

Changing password for user root
New password:
BAD PASSWORD: it is too simplistic/systematic
Retype new password:
passwd: all authentication tokens updated successfully.
Now the password has been changed to the newly set one.
Note:
If you are using Red Hat Enterprise Linux 6, there was a security bug that blocked the passwd command from working in single user mode. It was later fixed by a bug fix update (http://rhn.redhat.com/errata/RHBA-2010-0845.html).

If you have the original selinux-policy package installed, the passwd command might not run. In that case, set SELinux to permissive mode so that the passwd command can run.
Get the SELinux status with:
# getenforce
Enforcing

Now change to permissive with:

# setenforce 0

Check the status again and see the change:

# getenforce
Permissive

Now run the passwd command, and after that change SELinux back to the Enforcing state with:

# setenforce 1
# getenforce
Enforcing

Now reboot the machine and boot normally.
That’s all, you are done.

Swap Space in Linux / RHEL / CENTOS / Fedora


What is a Swap space?

  • Swap space is hard disk space that extends system RAM.
Swap space or virtual memory is hard disk space that acts as an extension of system RAM. Of course, due to the relative differential in data access on RAM versus hard disk, we prefer not to use swap space if it can be avoided. Nonetheless, it is vital to the proper functioning of a typical Linux system that some swap space be made available.

Friday, August 24, 2012

RHCSA & RHCE Exam


RHCSA Exam

The RHCSA (Red Hat Certified System Administrator) exam is a hands-on, practical exam that lasts 2.5 hours. The exam is performance-based, meaning that candidates must perform tasks on a live system, rather than answering multiple choice questions.
Exam Objectives
RHCSA exam candidates should be able to accomplish the tasks below without assistance. These have been grouped into several categories.
Understand and Use Essential Tools
  • Access a shell prompt and issue commands with correct syntax
  • Use input-output redirection (>, >>, |, 2>, etc.)
  • Use grep and regular expressions to analyze text
  • Access remote systems using ssh and VNC
  • Log in and switch users in multi-user runlevels
  • Archive, compress, unpack and uncompress files using tar, star, gzip, and bzip2
  • Create and edit text files
  • Create, delete, copy and move files and directories
  • Create hard and soft links
  • List, set and change standard ugo/rwx permissions
  • Locate, read and use system documentation including man, info, and files in /usr/share/doc .
    [Note: Red Hat may use applications during the exam that are not included in Red Hat Enterprise Linux for the purpose of evaluating candidate's abilities to meet this objective.]
Operate Running Systems
  • Boot, reboot, and shut down a system normally
  • Boot systems into different runlevels manually
  • Use single-user mode to gain access to a system
  • Identify CPU/memory intensive processes, adjust process priority with renice, and kill processes
  • Locate and interpret system log files
  • Access a virtual machine’s console
  • Start and stop virtual machines
  • Start, stop and check the status of network services
Configure Local Storage
  • List, create, delete and set partition type for primary, extended, and logical partitions
  • Create and remove physical volumes, assign physical volumes to volume groups, create and delete logical volumes
  • Create and configure LUKS-encrypted partitions and logical volumes to prompt for password and mount a decrypted file system at boot
  • Configure systems to mount file systems at boot by Universally Unique ID (UUID) or label
  • Add new partitions, logical volumes and swap to a system non-destructively
Create and Configure File Systems
  • Create, mount, unmount and use ext2, ext3 and ext4 file systems
  • Mount, unmount and use LUKS-encrypted file systems
  • Mount and unmount CIFS and NFS network file systems
  • Configure systems to mount ext4, LUKS-encrypted and network file systems automatically
  • Extend existing unencrypted ext4-formatted logical volumes
  • Create and configure set-GID directories for collaboration
  • Create and manage Access Control Lists (ACLs)
  • Diagnose and correct file permission problems
Deploy, Configure and Maintain Systems
  • Configure networking and hostname resolution statically or dynamically
  • Schedule tasks using cron
  • Configure systems to boot into a specific runlevel automatically
  • Install Red Hat Enterprise Linux automatically using Kickstart
  • Configure a physical machine to host virtual guests
  • Install Red Hat Enterprise Linux systems as virtual guests
  • Configure systems to launch virtual machines at boot
  • Configure network services to start automatically at boot
  • Configure a system to run a default configuration HTTP server
  • Configure a system to run a default configuration FTP server
  • Install and update software packages from Red Hat Network, a remote repository, or from the local filesystem
  • Update the kernel package appropriately to ensure a bootable system
  • Modify the system bootloader
  • Configure a system to run a default configuration NTP server and synchronize time using other NTP peers
Manage Users and Groups
  • Create, delete, and modify local user accounts
  • Change passwords and adjust password aging for local user accounts
  • Create, delete and modify local groups and group memberships
  • Configure a system to use an existing LDAP directory service for user and group information
Manage Security
  • Configure firewall settings using system-config-firewall or iptables
  • Set enforcing and permissive modes for SELinux
  • List and identify SELinux file and process context
  • Restore default file contexts
  • Use boolean settings to modify system SELinux settings
  • Diagnose and address routine SELinux policy violations
References:
https://www.redhat.com/courses/ex200_rhcsa_exam/
https://www.redhat.com/certification/rhcsa/objectives/

RHCE Exam

The RHCE (Red Hat Certified Engineer) exam is a hands-on, practical exam that lasts 2.0 hours. Candidates are eligible to take the RHCE exam without first having passed the RHCSA exam, but RHCE will not be issued until both credentials are earned by a candidate.
Objectives:
RHCE exam candidates should consult the RHCSA Exam Objectives document and be capable of RHCSA-level tasks, as some of these skills may be required in order to meet RHCE exam objectives. Red Hat reserves the right to add, modify and remove objectives. Such changes will be made public in advance through revisions to this document.
RHCE exam candidates should be able to accomplish the following without assistance. These have been grouped into several categories.
System Configuration and Management
  • Route IP traffic and create static routes
  • Use iptables to implement packet filtering and configure network address translation (NAT)
  • Use /proc/sys and sysctl to modify and set kernel run-time parameters
  • Configure system to authenticate using Kerberos
  • Configure a system as an iSCSI initiator that persistently mounts an iSCSI target
  • Produce and deliver reports on system utilization (processor, memory, disk, and network)
  • Use shell scripting to automate system maintenance tasks
  • Configure a system to log to a remote system
  • Configure a system to accept logging from a remote system
Network Services
Network services are an important subset of the exam objectives. RHCE candidates should be capable of meeting the following objectives for each of the network services listed below:
  • Install the packages needed to provide the service
  • Configure SELinux to support the service
  • Configure the service to start when the system is booted
  • Configure the service for basic operation
  • Configure host-based and user-based security for the service
RHCE candidates should also be capable of meeting the following objectives associated with specific services:
HTTP/HTTPS
  • Configure a virtual host
  • Configure private directories
  • Deploy a basic CGI application
  • Configure group-managed content
DNS
  • Configure a caching-only name server
  • Configure a caching-only name server to forward DNS queries
  • Note: Candidates are not expected to configure master or slave name servers
FTP
  • Configure anonymous-only download
NFS
  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration
SMB
  • Provide network shares to specific clients
  • Provide network shares suitable for group collaboration
SMTP
  • Configure a mail transfer agent (MTA) to accept inbound email from other systems
  • Configure an MTA to forward (relay) email through a smart host
SSH
  • Configure key-based authentication
  • Configure additional options described in documentation
References:
https://www.redhat.com/courses/ex300_red_hat_certified_engineer_exam/
https://www.redhat.com/certification/rhce/objectives/
