Difference between revisions of "CentOS Linux Distribution Reference"
Latest revision as of 11:23, 5 March 2018
CentOS boot screen- show messages
CentOS 6 comes with a splash screen that displays a progress bar as it boots. You can hit any key during the boot process to make the splash screen disappear and display what the system is doing while it boots.
To make CentOS 6 always display the details of what it is doing while it boots, first make a backup of /etc/grub.conf.
Open /etc/grub.conf in vi and look for the line(s) that begin with 'kernel'. At the end of them you will see 'rhgb' and 'quiet'. Remove both of those words from grub.conf. After saving, reboot the server.
title CentOS Linux (2.6.32-71.29.1.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-71.29.1.el6.x86_64 ro root=UUID=c209fbd2-0738-4672-b225-6a5c09f65ad2 rd_NO_LUKS rd_NO_LVM rd_NO_MD rd_NO_DM LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us crashkernel=auto rhgb quiet
        initrd /initramfs-2.6.32-71.29.1.el6.x86_64.img
source: http://blog.nexcess.net/2011/08/22/making-the-centos-6-boot-splash-screen-more-verbose/
yum versus rpm
RPM is a package manager, while YUM is a front end that can be used with RPM. YUM resolves dependencies, whereas RPM all too frequently does not.
You can use yum to install a package together with its dependencies (the additional packages needed to make your package work).
CentOS How to install lrzsz offering rz and sz commands
# yum install lrzsz
In any unix environment you can extract tgz files
# gtar xzvf foo.tgz
or using gzip and tar
# gzip -d foo.tgz
# tar xvf foo.tar
iptables/netfilter
see if iptables is actually running
# lsmod | grep table
# iptables -L
Save new IP tables entered- writes the current iptables configuration to /etc/sysconfig/iptables
# /sbin/service iptables save
Do not use 'service iptables save'
adding new users to system
set up all the defaults for useradd
# cd /etc/skel
set all the profile defaults, such as in .bash_profile
# vi /etc/login.defs
Every new user is assigned to an initial (or primary) group. Two conventions exist.
Traditionally this primary group is the same for all users and is called users with a group id (GID) of 100. Many Linux distributions adhere to this convention such as Suse and Debian.
The User Private Group scheme (UPG) was introduced by RedHat and changes this convention without changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group. The group has the same name as the login-name (default), and the GID is in the 500 to 60000 range (same as UIDs).
NOTE: When using the traditional scheme for groups the user’s umask (see LPI 101) is set to 022, whereas in the UPG scheme the umask is set to 002.
ref: http://en.wikibooks.org/wiki/Ict-innovation/LPI/107.1
/sbin/nologin vs /bin/false
When /sbin/nologin is set as the shell and a user with that shell logs in, they get a polite message saying 'This account is currently not available.'. This message can be changed with the file /etc/nologin.txt.
/bin/false is just a binary that immediately exits, returning false, when it is called, so when someone who has false as their shell logs in, they are immediately logged out when false exits. Setting the shell to /bin/true has the same effect of not allowing someone to log in, but false is probably used as a convention over true since it is much better at conveying the concept that the person does not have a shell.
Looking at nologin's man page, it says it was created in 4.4 BSD (early 1990s), so it came long after false was created. The use of false as a shell is probably just a convention carried over from the early days of UNIX.
nologin is the more user-friendly option, with a customizable message given to the user trying to log in, so you would theoretically want to use that, but both nologin and false have the same end result: the account has no shell and cannot ssh in.
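Because both nologin and false deny the login, the practical question on a real host is which accounts still have a working shell. The following script is an added example (not part of this wiki page) that audits passwd-format data for accounts whose shell permits an interactive login; the sample passwd lines, the user names and the UID threshold of 1000 (UID_MIN on CentOS 7, 500 on CentOS 6) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit passwd-format data for
# accounts whose shell still permits an interactive login. Service accounts
# should carry /sbin/nologin or /bin/false; anything else deserves a look.
# Both functions read passwd lines (user:pw:uid:gid:gecos:home:shell) on stdin.

# Print "user:uid:shell" for every account whose shell is not a no-login shell.
list_login_shells() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        case "$shell" in
            /sbin/nologin|/usr/sbin/nologin|/bin/false|/bin/true) ;;
            *) printf '%s:%s:%s\n' "$user" "$uid" "$shell" ;;
        esac
    done
}

# Count system accounts (uid below the threshold, root excluded) that still
# have a real shell. The threshold defaults to 1000 (UID_MIN on CentOS 7);
# pass 500 for CentOS 6.
count_service_accounts_with_shell() {
    threshold="${1:-1000}"
    n=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$user" = root ] && continue
        if [ "$uid" -lt "$threshold" ]; then
            case "$shell" in
                /sbin/nologin|/usr/sbin/nologin|/bin/false|/bin/true) ;;
                *) n=$((n + 1)) ;;
            esac
        fi
    done
    echo "$n"
}

# Constructed sample standing in for /etc/passwd (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
backup:x:950:950:backup job:/var/backup:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/false'

echo "Accounts with an interactive shell:"
printf '%s\n' "$SAMPLE_PASSWD" | list_login_shells
echo "System accounts (excluding root) that still have a shell: $(printf '%s\n' "$SAMPLE_PASSWD" | count_service_accounts_with_shell)"
# On a live system: list_login_shells < /etc/passwd
```

On the sample data the audit flags the constructed 'backup' account: a system UID with /bin/bash is exactly the case where /sbin/nologin should be set (usermod -s /sbin/nologin backup).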
Want to install telnet?
The telnet server is not recommended for security reasons: it sends everything, passwords included, in plain text over TCP/IP.
# yum install telnet telnet-server -y
How about the telnet client? It is not installed by default.
# yum install telnet -y
The package is telnet.i686
Enable TELNET as ROOT on GUEST CentOS system
Simply edit the file /etc/securetty and add the following to the end of the file, one entry per line:
pts/0
pts/1
pts/2
pts/3
pts/4
pts/5
pts/6
pts/7
pts/8
pts/9
This will allow up to 10 telnet sessions to the server as root. Note: just one is probably fine.
ref: http://www.idevelopment.info/data/Unix/Linux/LINUX_TelnetFTPAsRoot.shtml
SELinux
SELinux users and roles are not related to the actual system users and roles.
All processes and files have an SELinux security context. The -Z switch works with most utilities to show SELinux security contexts (e.g. 'ls -Z', 'ps axZ', etc.)
Suffix   Meaning   Example
_u       user      system_u
_r       role      object_r
_t       type      httpd_sys_content_t
User: system_u Role: object_r Type: httpd_sys_content_t Level: s0
To manage directory and file SELinux contexts ensure that the semanage software is installed.
# setenforce 0     turn off SELinux enforcement (permissive mode)
# setenforce 1     enable enforcement
With setenforce 0 SELinux is permissive: it does not actively block anything, but it still monitors and logs file system violations. Use this mode for diagnostics.
OPENSSL Certificate
SSL certificates are valid for a certain period of time, usually 365 days. They must be renewed once expired.
Validate certificate by issuing the following command:
# openssl verify my-cert.pem
my-cert.pem: OK
Expired:
# openssl verify my-cert.pem
error 10 at 0 depth lookup:certificate has expired OK
Renewal of an expired certificate consists of two steps: revoke the old one, then sign a new certificate request.
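openssl verify only tells you that a certificate has expired after the fact. The script below is an added example (not from this wiki page) that checks the remaining lifetime ahead of time with openssl x509 -checkend; it generates its own throw-away self-signed certificate (the subject name test.example.invalid and the 30-day warning window are constructed values) so that it runs offline, and on a real host you would point it at the deployed PEM file instead.

```shell
#!/bin/sh
# Added example, not from the wiki page: catch certificate expiry before it
# happens instead of learning about it from "certificate has expired".
# cert_expires_within FILE SECONDS returns 0 when the certificate in FILE
# expires within SECONDS (or has already expired), 1 when it stays valid;
# it wraps "openssl x509 -checkend", whose own exit code is the reverse.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1    # still valid after the window
    else
        return 0    # expires within the window
    fi
}

# Print the notAfter date of the certificate, as openssl reports it.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Generate a throw-away self-signed certificate valid for $2 days so the
# check can be exercised offline. The subject name is a constructed test value.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=test.example.invalid' \
        -keyout "$1.key" -out "$1" -days "$2" >/dev/null 2>&1
}

WORK="$(mktemp -d)"
CERT="$WORK/my-cert.pem"
make_test_cert "$CERT" 1        # one day of validity
echo "Certificate expires: $(cert_not_after "$CERT")"
# The page's verify step; a self-signed certificate verifies against itself.
openssl verify -CAfile "$CERT" "$CERT"
if cert_expires_within "$CERT" $((30 * 86400)); then
    echo "WARNING: certificate expires within 30 days; renew it now"
fi
```

Run from cron against the live certificate, the warning branch is the place to send a notification; a one-day test certificate trips the 30-day window immediately, which is what the demonstration is meant to show.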
Limiting Access to TCP-wrapped Services
To determine if a client machine is allowed to connect to a service, TCP wrappers reference the following two files, which are commonly referred to as hosts access files:
/etc/hosts.allow
/etc/hosts.deny
Changes to hosts.allow or hosts.deny take effect immediately without restarting network services.
Both /etc/hosts.allow and /etc/hosts.deny use the following format:
daemon_list : client_list [ : shell_command ]
<daemon list> is a comma-separated list of process names (not service names) or the ALL wildcard.
vi editor vim syntax highlighting
On CentOS the commands 'vi' and 'vim' both open the vim editor (vim-enhanced) by default, but with some differences. The vi command uses what is known as the 'Small version without GUI', while the vim command uses the 'Huge version without GUI'. You can check this with the :version command inside the editor, or by running the following from the shell:
vi --version | fgrep syntax
vim --version | fgrep syntax
If -syntax appears on the line, syntax highlighting is not compiled in; if +syntax appears, it is. Note that on CentOS you will see different options for vi than for vim. Unlike on some Fedora versions and variants like Trustix, this is not a case of only the minimal vim being installed: the version output on CentOS shows that both are using vim-enhanced.
The vi command points to /bin/vi while the vim command points to /usr/bin/vim, yet both use vim-enhanced. The fastest solution is to do the following:
mv /bin/vi /bin/vi.small
ln -s /usr/bin/vim /bin/vi
If your system doesn't have the vim enhanced package installed, simply install with yum; 'yum install vim-enhanced'
Startup Troubleshooting
failed to start crash recovery kernel arming
Problems after a power loss or crash can show up as this crash kernel error message. You can fix it by making a simple change to grub and rebooting.
vi /etc/default/grub
Change "crashkernel=auto" to "crashkernel=512M", then run the following command:
grub2-mkconfig -o /boot/grub2/grub.cfg
sshd or other service won't start because the system clock is wrong
Some useful commands to correct the system clock so services run correctly.
hwclock -r                    show the CMOS (hardware) clock
date +%Y%m%d -s "20170618"    set the Linux date
date +%T -s "19:25:00"        set the Linux time
hwclock -w                    force the CMOS clock to match the Linux clock
hwclock --hctosys             force the Linux clock to match the CMOS clock
sshd or other service won't start because of SELinux
You can switch SELinux to permissive mode and then try to start the service. This lets you test whether SELinux is the culprit so that you can make adjustments to the SELinux policy rather than leaving it off.
setenforce 0
sestatus
If you need selinux to remain permissive after reboot for testing purposes,
vi /etc/selinux/config
Change
#SELINUX=enforcing
SELINUX=permissive
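Editing /etc/selinux/config by hand works, but a script that makes the change idempotently is easier to reverse once testing is done. The following is an added example (not from this wiki page): it rewrites the SELINUX= setting in a file, handling the three states a config can be in (an active line, only a commented-out line as in the step above, or no line at all), and refuses values SELinux does not know. It works on a constructed scratch copy laid out like /etc/selinux/config and needs GNU sed; on a real host you would pass /etc/selinux/config as root and reboot.

```shell
#!/bin/sh
# Added example, not from the wiki page: switch the SELINUX= setting in a
# copy of /etc/selinux/config from a script rather than by hand in vi.
# set_selinux_mode FILE MODE rewrites the active SELINUX= line, uncomments a
# commented-out one (the "#SELINUX=enforcing" case from the page) when there
# is no active line, or appends one when there is neither, and rejects any
# value other than enforcing, permissive or disabled. Requires GNU sed.
set_selinux_mode() {
    file="$1"; mode="$2"
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "set_selinux_mode: unknown mode '$mode'" >&2; return 2 ;;
    esac
    if grep -q '^SELINUX=' "$file"; then
        sed -i "s/^SELINUX=.*/SELINUX=$mode/" "$file"
    elif grep -q '^#SELINUX=' "$file"; then
        sed -i "0,/^#SELINUX=.*/s//SELINUX=$mode/" "$file"   # first commented line only
    else
        printf 'SELINUX=%s\n' "$mode" >> "$file"
    fi
}

# get_selinux_mode FILE prints the active setting, or "unset" if there is none.
get_selinux_mode() {
    m="$(sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$1" | head -n 1)"
    echo "${m:-unset}"
}

# Constructed scratch copy laid out like /etc/selinux/config.
CONF="$(mktemp)"
cat > "$CONF" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
SELINUXTYPE=targeted
EOF

echo "before: $(get_selinux_mode "$CONF")"
set_selinux_mode "$CONF" permissive
echo "after:  $(get_selinux_mode "$CONF")"
grep -n 'SELINUX' "$CONF"
# On a real host (as root): set_selinux_mode /etc/selinux/config permissive, then reboot;
# set it back to enforcing once the service problem is understood.
```

The patterns are anchored at the start of the line on purpose: the stock config contains the comment "# SELINUX= can take one of these three values:", and a looser match would rewrite that line instead of the setting.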
system uses postfix to receive email
You can manually start postfix
systemctl start postfix
systemctl status postfix
system uses dovecot for POP and IMAP over SSL
You can manually start dovecot
systemctl start dovecot
systemctl status dovecot