
LPIC-1 Junior Level Linux Certification Exam 102 Study Notes

My study notes for the LPIC-1 102 Exam.

1.Customize and use the shell environment

/etc/profile - is a global profile for all users on the system. It calls all files in /etc/profile.d globally (*.sh files), and then points to one of 3 hidden files in ~ for the user, .bash_profile, .bash_login, .profile. /etc/profile will execute the first one it finds in the above order. So if you had all three files in ~, /etc/profile would only execute .bash_profile. Next /etc/profile calls ~/.bashrc (aliases and functions are executed here for the user only).
/etc/profile calls /etc/bash.bashrc or /etc/bashrc depending on the naming convention - these files globally set functions and aliases.
.profile (or whichever local profile file was found) loads environment variables and ~/.bashrc.
/etc/skel - specifies what files new users will have in their ~ dir. Allows you to modify the local profile and bashrc file that new users will have. .bash_logout clears the console when the user logs out.

alias ll='ls -la' - An alias lets you set a short command for something longer. Set either globally in /etc/bash.bashrc (or /etc/bashrc) or for the individual user in ~/.bashrc

Functions - set in same files as above, example function below:
function seatemp ()
{
echo "here's temp";
ls -l /tmp;
}

Variables store information in the current shell process. TEST="Hi there" - sets variable TEST to the value of Hi there. To reference the variable type $TEST eg echo $TEST. Will only work in current shell process.

Environment variables store data for all child processes of the current shell process. export TEST makes the variable accessible to all child processes, but not to new login processes (a child of login). Put the variable in ~/.profile to make it accessible to all your processes.

env - lists all environment variables. The PATH variable is here; it sets the order of directories searched for executable files. You can edit ~/.profile to set your PATH. You can also type PATH=$PATH:/home/nick/bin to add to your path variable. If you want the path change to be permanent you need to add the previous line to ~/.profile.

unset - deletes variables.

set - shows all variables and functions that the shell is currently aware of.

test - command line program that tests for conditions.
-x = is the file executable
-e = does the file exist
-eq = are the values equal
-ne = are the values not equal
-z = is there a value to the expression
The output of the above commands is not displayed to standard output. It is set as an exit code, 0 = true, 1 = false. To view the exit code type echo $? this will return a 0 or a 1.


2.Customize or write simple scripts

#!/bin/bash - specifies the command interpreter. You need this as the top line of any shell script. Scripts need to be readable and executable.

Know suids (refer to lpic101 notes).

Command substitution - var=$(ls -l) sets a variable to the output of a command. You can also type var=`ls -l`

Conditional statements
if [ condition ]
then
command1
command2
else
command3
command4
fi

for loops
for x in 1 2 3
do
echo "number $x"
done

In this loop x is set to 1 in the first loop, 2 in the 2nd loop and 3 in the third. The number is echoed each cycle.

for x in `seq 5 50`
do
echo $x
done

This script echos the numbers 5 to 50.

files=`ls ~`
for x in $files
do
echo $x
done

This loop echos each entry from the ls ~ command.

while Loops
x=1
while [ $x -ne 5 ]
do
echo "Number $x"
x=$(($x+1))
done

In this loop x is set to 1 and while it is not 5, echo the number and then add 1.

echo "type anything or STOP to stop."
x="Go"
while [ "$x" != "STOP" ]
do
read x
echo $x
done

In this loop while x does not equal STOP, keep echoing x.

read is used to get input from a user. read ISNAME assigns the user's input to a variable named ISNAME.

seq outputs numbers in sequence.
seq 5 = count from 1 to 5
seq 5 10 = count from 5 to 10
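The building blocks from sections 1 and 2 (test exit codes, if/for/while, seq, read and command substitution) put together in one script. This is an added example, not part of the original notes; it creates its own temporary files and sample input, so it touches nothing real.

```shell
#!/bin/bash
# Added example (not from the original notes): the section 1 and 2 building blocks
# as small functions run over constructed input, so each result can be checked.

# test/[ ] prints nothing: the answer is its exit code (0 = true, 1 = false).
# file_kind classifies a path and passes that exit code back to the caller.
file_kind() {
    if [ -x "$1" ]; then
        echo executable
    elif [ -e "$1" ]; then
        echo exists
    else
        echo missing
        return 1
    fi
}

# sum_range adds every integer from $1 to $2, using seq inside a for loop.
sum_range() {
    total=0
    for x in $(seq "$1" "$2"); do
        total=$((total + x))
    done
    echo "$total"
}

# count_until_stop reads lines from standard input until the word STOP
# (or end of input) and prints how many lines came before it.
count_until_stop() {
    count=0
    x="Go"
    while [ "$x" != "STOP" ]; do
        read -r x || break            # end of input also ends the loop
        [ "$x" = "STOP" ] || count=$((count + 1))
    done
    echo "$count"
}

# count_entries shows command substitution: the output of a pipeline is
# stored in a variable and then used.
count_entries() {
    n=$(ls "$1" | wc -l)
    echo $((n))                       # arithmetic strips any padding from wc
}

# Demonstration on a constructed temporary directory (no real files are touched).
demo() {
    dir=$(mktemp -d)
    : > "$dir/plain"                                  # exists, not executable
    printf '#!/bin/sh\necho hi\n' > "$dir/script"
    chmod +x "$dir/script"
    for f in script plain nothere; do
        kind=$(file_kind "$dir/$f")
        echo "$f: $kind (exit code $?)"
    done
    echo "entries in $dir: $(count_entries "$dir")"
    echo "sum 5..50 = $(sum_range 5 50)"
    printf 'one\ntwo\nSTOP\nthree\n' | count_until_stop
    rm -rf "$dir"
}

demo
```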


3.SQL data management

Creating a database
Login as the mysql root user to create the database - mysql -u root -p
Add a database called sampleDB - CREATE DATABASE sampleDB;
Now the database is created. Use a database with the use command - USE sampleDB;
Now create a table called sampleTABLE with the fields name, email and id - CREATE TABLE sampleTABLE (id INT, name VARCHAR(20), email VARCHAR(20)); Note, VARCHAR(20) represents strings and INT represents numbers.
Display the table you just created - SHOW TABLES;
Now add a data row to the table sampleTABLE using the INSERT statement - INSERT INTO sampleTABLE (id,name,email) VALUES(1,"nick","nick@mail.com");
Add few more rows - INSERT INTO sampleTABLE (id,name,email) VALUES(2,"arya","arya@gmail.com");

Interacting with a database
MySQL is the most commonly used database program on Linux systems. To open a database using MySQL type mysql -u username database_name
SHOW TABLES; - shows all the tables in the database. Note, you need to include either a ; or \g at the end of commands. It is also good practice to write all SQL commands in uppercase.

SELECT * FROM table1; - selects all rows from a table named table1.
SELECT field1 FROM table1; - only shows data under field1 from table1.
SELECT field1 FROM table1 WHERE field1 = "value1"; - selects data from table1 / field1 in which the value was value1.
SELECT * FROM table1 WHERE field1 = "value1"; - selects all rows from table1 where field1 is value1.
SELECT * FROM table1 WHERE field1 = "value1" AND field2 = "value2"; - only shows rows from table1 where field1 equals value1, and field2 equals value2.
SELECT * FROM table1 ORDER BY field1; - selects everything from table1 and orders it by field1.
SELECT * FROM table1 GROUP BY field1; - selects everything from table1 and groups it together by field1.
INSERT INTO table1 (field1, field2, field3) VALUES ('value1', 'value2', 'value3'); - inserts a data entry (row) into the table. You don't have to have a value for every field in the row and these can be added in any order.
DELETE FROM table1 WHERE field1 = 'value1'; - removes data entry (row) from the table.
UPDATE table1 SET field1 = 'valueX' WHERE field2 = 'valueY'; - sets the value of field1 to valueX when field2 is valueY.
SELECT * FROM table1 JOIN table2 ON table1.field1 = table2.field2; - selects everything from both tables and shows rows in which field1 and field2 match.


4.Install and configure X11

The X configuration file
Type X -configure to autodetect hardware and create a file called xorg.conf.new. This file is a generic configuration file based on the detected hardware. Modern Linux systems like Ubuntu don't create this file, instead they make several configuration files in /usr/lib/X11/xorg.conf.d

How to determine if your video card and monitor are supported by the X server
Go to the hardware vendor's website and check the Linux driver's compatibility. For unsupported cards the VESA driver will normally work. There will be no acceleration though.

The X font server
Not really used anymore with modern computers. In the past, fonts for the X server were rendered by a font server. In xorg.conf you can specify a server ip address under fontpath to indicate a font server. Nowadays the paths are just local and rendered by the X server.

The xorg.conf file
The generic place that xorg.conf lives in is /etc/X11.
The files section tells the X server where it can look for things it needs (fonts, modules).
The module section loads modules to add abilities to the X server.
The Input device section mentions things like keyboards and mice and specifies which driver to use.
The monitor section specifies information about the monitor.
The device section is where the video card is configured.
The screen section mentions things like screen resolution and colour depth.

xwininfo
Can only be used in a GUI. Presents a crosshair that lists information such as window width, height, colour depth etc when clicked on a program window.

xdpyinfo
Lists info about the X server (version, extensions, screen dimensions).

echo $DISPLAY
The result :0.0 with nothing before : indicates the local computer, 0 indicates that the GUI is running on display 0 (you could specify a server name before :).

It is possible to run up to 7 X server console processes. Press Ctrl+Alt+F1-F7 to switch between the 7 consoles (tty). To return to your original GUI console use F7.

To start X windows from a CLI, type startx. startx -- :1 will launch a GUI in a different X window environment. If you type echo $DISPLAY it should return :1 You could specify a number other than 1 as long as it isn't in use already.

xhost
Type xhost +ip_address to add an address to the access control list. This allows the machine at that ip address to start programs on the display of the X server (it sets its display variable to the same as that of the X server). Sometimes thin clients connect using xhost, but this has really been phased out as you can do this over SSH.


5.Setup a display manager

GDM - Gnome Display Manager
KDM - KDE display manager
XDM - old school display manager

How to disable the graphical display manager
Redhat - edit /etc/inittab. Find id:5:initdefault: and change the runlevel from 5 to 3 to disable the GDM.
Ubuntu - doesn't use the inittab file, it uses upstart. You can also change the default runlevel by editing the grub file - /etc/default/grub. Add text to the GRUB_CMDLINE_LINUX line: GRUB_CMDLINE_LINUX="text"

How to change which display manager to use in Ubuntu
Edit /etc/X11/default-display-manager - /usr/sbin/xxx eg /usr/sbin/gdm

How to change which display manager to use in Redhat
Edit /etc/sysconfig/desktop and add the line DISPLAYMANAGER="xxx" KDE, GNOME or XDM

Configure GDM
Redhat - edit /etc/gdm/custom.conf. To change the login screen, under [daemon] type Greeter=/usr/libexec/gdmlogin. Under [greeter] type DefaultWelcome=false - this prevents the default login theme from being applied. On the next line type the welcome message you want - Welcome=Welcome to Beare's computer! To allow remote X stations (thin clients) to use GDM, under [daemon] add RemoteGreeter=/usr/libexec/gdmlogin and under [xdmcp] type Enable=true; XDMCP is the protocol that remote computers connect over.
The colour depth for GDM matches that of X Windows.

Configure KDM
First find the KDM configuration file, located in different places depending on the version of KDM. Use locate kdmrc, usually in /usr/share/config/kdm. Edit kdmrc to customise KDM. To set the greeting find the section called GreetString= and change it to what you want the greeting to be. To allow remote access find [Xdmcp] and type Enable=true below. Find Willing and make sure it is set to Willing=/usr/share/config/kdm/Xwilling. Search for Xaccess and make sure it is set to Xaccess=/usr/share/config/kdm/Xaccess You will also need to set UseTheme=false if you are customising the login screen. Edit the Xaccess file and make sure that * is on a line by itself (uncomment it). This means that any host can get a login window. Also uncomment * CHOOSER BROADCAST.
To specify the colour depth find the Xserver file and add -depth 24 to the line :0 local /usr/bin/X

Configure XDM
XDM config files live in /etc/X11/xdm. Edit the Xresources file. ! indicate comments. Find xlogin*greeting: and add your greeting here.
To enable thin clients edit the xdm-config file, look for DisplayManager.requestPort: and add an ! at the beginning of the line to comment it out, as it is specifying a request port of 0. Next go into the Xaccess file and uncomment the * line (any host can get a login window) and the * CHOOSER BROADCAST line.


6.Accessibility

On the GDM login screen you can set accessibility options such as an on-screen keyboard, magnifier, on-screen text reader, contrast settings, text size, sticky keys (you don't have to press multiple keys simultaneously), bounce keys (ignores fast duplicate key presses) and slow keys (only accepts long key presses).
Under the Assistive Technologies section the beep toggle key setting will sound a beep if you tap a toggle key like caps lock. Mousekeys allow you to control the mouse pointer using your keypad. You can set the system to trigger a secondary mouse click by holding down the primary mouse button and initiate a click when stopping the mouse.
Orca is a screen reader, brail and magnifier program.
gok is a gnome onscreen keyboard.
Universal Access Preferences allows you to enhance contrast and increase text size etc.
There are high contrast and large text themes available in GDM and KDM.
Emacs Speak is a screen reader application like Orca (text to speech).
Access X is the system you actually configure when changing Assistive Technologies Preferences.

7.Manage user and group accounts and related system files

/etc/passwd - username:password (nowadays stored in /etc/shadow and represented here by an x; * = account disabled):uid (starts at 1000):gid (starts at 1000):info:home dir:login shell (/bin/bash; /bin/false is used for system accounts, which get no shell). This file is readable by everyone.

/etc/shadow - only readable by root. Contains encrypted passwords. username:password:date of last passwd change (in days since 1 Jan 1970):min passwd lifetime (days you have to wait before you can change your passwd again, normally 0):max passwd lifetime (how long the passwd lasts, in days, by default 99999):warning days (warns you when the passwd is about to expire, default 7 days):inactive days (how long after the passwd expires the account is disabled):account expiry (the day the account is disabled, in days since 1 Jan 1970)

/etc/group - readable by everyone. group name:password (usually blank):gid:members (a comma separates multiple users)

/etc/gshadow - readable by root only. group name:password (usually blank, ! means no passwd):gid (can be listed in the group file instead):members (comma separated list)

useradd
-d = specify home dir
-m = create home dir. Ubuntu does not normally do this by default, redhat does.
-s = specify shell (default normally /bin/bash)
-g = initial group number
-G = additional groups by name
-u = uid
-c = put comments with space in quotes

useradd -d /home/newuser -m -G smbshare,cdrom newuser = creates a new user called newuser with a home dir of /home/newuser, and additional group membership of smbshare and cdrom

usermod- change settings for existing users
Most of the same options as useradd, plus:
-L = lock/disable account. usermod -L username = lock account for user named username.
-U = unlock account. usermod -U username = unlock account for user named username.
-aG = add user to group. If you did just G you have to specify all groups needed (starts afresh)

usermod -s /bin/bash -c "This is a comment" newuser = modify user newuser so that they now have the bash shell by default and have a comment that appears in /etc/passwd.

userdel deletes user. Use the -r flag to delete their home dir too eg userdel -r newuser.

passwd username = asks you to enter passwd for a user named username. To change your own password just type passwd, root changes their own passwd this way too.

Groups
groupadd -g 10000 pumpkingroup = add a group called pumpkingroup with a gid of 10000.
usermod -aG pumpkingroup newuser = add user named newuser to pumpkingroup.
groupmod -g 20000 pumpkingroup = change the gid of group pumpkingroup to 20000 (usermod changes users, groupmod changes groups)
groupdel pumpkingroup = delete pumpkingroup group.

chage
-l username = gives password age info on user, see when it will expire or if it has expired.
-E YYYY-MM-DD = set expiration date for user. chage -E 2001-07-19 username = account username will now expire on 19 July 2001.

System accounts like apache should have a shell of /bin/nologin or /bin/false. You don't want people logging in with system accounts.
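The /etc/shadow field layout and the chage -l password-age view above, as an added example that is not part of the original notes: a reader of shadow-format lines that reports each account's state. The input is constructed sample data and "today" is passed in as a day count so the output is stable.

```shell
#!/bin/bash
# Added example (not from the original notes): reads lines in /etc/shadow format and
# reports each account's password state, which is what chage -l summarises per user.
# SAMPLE_SHADOW is constructed; for the live file (as root) you would run
#   shadow_report "$(( $(date +%s) / 86400 ))" < /etc/shadow

SAMPLE_SHADOW='root:$6$saltsalt$hashhashhash:19000:0:99999:7:::
nick:$6$abc123$def456:19700:0:90:7:::
arya:$6$ghi789$jkl012:19500:0:90:7:::
svc:!:19000:0:99999:7:::
guest::19000:0:99999:7:::
olduser:$6$mno345$pqr678:19000:0:99999:7::19650:'

# shadow_report TODAY  (reads shadow lines on stdin, prints "user: state" per line)
shadow_report() {
    today=$1
    while IFS=: read -r user pass lastchg min max warn inactive expire rest; do
        [ -n "$user" ] || continue
        if [ -z "$pass" ]; then
            # empty second field: login with no password at all
            state="EMPTY PASSWORD (login needs no password)"
        elif [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
            # field 8: absolute account expiry day
            state="account expired on day $expire"
        else
            case "$pass" in
                '!'*|'*'*) state="locked (no password login)" ;;
                *)
                    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
                        state="password never expires"
                    else
                        # fields 3 + 5: last change + max lifetime = expiry day
                        left=$((lastchg + max - today))
                        if [ "$left" -lt 0 ]; then
                            state="password expired $((-left)) days ago"
                        elif [ "$left" -le "${warn:-7}" ]; then
                            state="password expires in $left days (inside warning period)"
                        else
                            state="password expires in $left days"
                        fi
                    fi ;;
            esac
        fi
        printf '%s: %s\n' "$user" "$state"
    done
}

# state_of USER TODAY -> just that user's state from the sample data
state_of() {
    printf '%s\n' "$SAMPLE_SHADOW" | shadow_report "$2" | sed -n "s/^$1: //p"
}

printf '%s\n' "$SAMPLE_SHADOW" | shadow_report 19720
```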


8.Automate system administration tasks by scheduling jobs

crontab
Background process used to schedule recurring events. /etc/crontab is the system cron file. Environment variables such as PATH are set here. Job format:
* * * * * user command
min; hour; day of month; month; day of week (1-7, 0 = Sunday); username; the command you want to run
Example Cron entries:

*/5 * * 6 1 root cat /home/beare/love.txt | mail -s "hi there" loser84@mail.com
= Processed every 5 minutes in June on a Monday.
01,15,45 3 * 7 1-5 root free -m > /home/beare/stats.txt ; df -h >> /home/beare/stats.txt ; cat /home/beare/stats.txt | mail -s "mem and storage stats" loser84@mail.com
= Processed Monday to Friday at 3:01, 3:15 and 3:45 in July.

cron.d
/etc/cron.d - a directory which contains cron files in the same format as /etc/crontab, it is only in these two places that you will find system wide cron files where you are able to specify a user. We don't really want all applications using /etc/crontab. Installed programs can put cron files in /etc/cron.d instead, cleaner/safer.

In /etc/ there are a number of cron folders - cron.daily, cron.hourly, cron.weekly, cron.monthly. The contents of these folders are not cron files. These are just executable scripts that are run according to the timeframe named in the folder (eg hourly, daily, weekly or monthly.) The specific details for these folders are specified in /etc/crontab.

crontab
crontab -e - Allows a user to schedule their own jobs in a privately owned cron file. Stored in /var/spool/cron/username (redhat) or /var/spool/cron/crontabs/username (ubuntu).

anacron
Looks for cron jobs that were not run on time and runs them. Eg if /etc/cron.daily/script which runs at 6am each day doesn't run due to a power outage, anacron will detect this and run the job. anacron lives in /etc/cron.daily (and /etc/cron.weekly etc) and updates the timestamp for each script in the folder when they run. If it detects an out of date timestamp on a script it will manually run the script.

at scheduler
Used to schedule one off events. Type at 17:00 14/06/1978
Specify a script or command that you want to run.
ctrl d
The job is now created. Type atq to view scheduled jobs by job number.
atrm jobnumber to delete scheduled job.
You can also specify time such as at now +5 minutes
at now + 1 week
at teatime = 4pm.

access control
Used to control access to cron or at. If neither file exists, cron or at are fully accessible. If a user is listed in the .deny file they will not be able to use the corresponding service. .allow often does not exist. If .allow exists on its own with no names, only the super user can use the service. If .allow exists, users need to be specifically named in it to use the service. Usually only one of these files (.allow or .deny) will exist. If both exist .allow takes precedence over .deny.
/etc/cron.allow
/etc/cron.deny
/etc/at.allow
/etc/at.deny
To create one of these files type vi /etc/cron.deny and just enter each username on its own line.
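The .allow/.deny rule above as a function, added here as an example rather than taken from the notes. The allow and deny paths are parameters so the check runs against files created in a temporary directory, not the real /etc/cron.allow and /etc/cron.deny; the same rule applies to at.allow and at.deny.

```shell
#!/bin/bash
# Added example (not from the original notes): the cron.allow / cron.deny decision
# rule as a function, checked against constructed files in a temporary directory.

# cron_access USER ALLOWFILE DENYFILE -> prints allowed or denied
cron_access() {
    user=$1; allow=$2; deny=$3
    if [ -f "$allow" ]; then
        # .allow exists: it takes precedence over .deny, and only the users named
        # in it may use cron. An empty .allow therefore leaves just the superuser.
        if [ "$user" = root ] || grep -qx "$user" "$allow"; then
            echo allowed
        else
            echo denied
        fi
    elif [ -f "$deny" ]; then
        # only .deny exists: everyone not listed in it may use cron
        if grep -qx "$user" "$deny"; then echo denied; else echo allowed; fi
    else
        # neither file exists: cron is open to all users
        echo allowed
    fi
}

# access_table ALLOWFILE DENYFILE USER... -> one "user: decision" line per user
access_table() {
    allow=$1; deny=$2; shift 2
    for u in "$@"; do
        echo "$u: $(cron_access "$u" "$allow" "$deny")"
    done
}

# Walk through the situations the notes describe, with constructed files.
demo() {
    d=$(mktemp -d)
    users="root nick arya svc"
    echo "-- no allow or deny file"
    access_table "$d/cron.allow" "$d/cron.deny" $users
    echo "-- only cron.deny, listing svc"
    echo svc > "$d/cron.deny"
    access_table "$d/cron.allow" "$d/cron.deny" $users
    echo "-- empty cron.allow added (allow wins, so only root remains)"
    : > "$d/cron.allow"
    access_table "$d/cron.allow" "$d/cron.deny" $users
    echo "-- nick named in cron.allow"
    echo nick > "$d/cron.allow"
    access_table "$d/cron.allow" "$d/cron.deny" $users
    rm -rf "$d"
}

demo
```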


9.Localisation and internationalisation

Locale variables
Localisation refers to what language we see in our terminal by default. In env there is a LANG variable. en_US specifies the US version of English.

locale will show the LANG variable as well as other locale variables like date, measurement and time. You can set your system to use the British (en_GB) date format by typing LC_TIME=en_GB.utf8; export LC_TIME

Use LC_ALL to override any changed locale variables. Eg LC_ALL=en_US.utf8; export LC_ALL sets all locale variables to US. If you unset LC_ALL the system will revert back to the customised locale variables.

Character encoding
ASCII - 128 chars, mostly text, only English characters. Not widely used anymore, doesn't support other languages.
ISO-8859 - supports different languages
UTF-8 - Unicode Translation Format, supports most languages. Most commonly used, the best.

iconv
You can convert between different character encoding formats using iconv.
iconv --list = shows all supported encoding formats.
iconv -f UTF-8 -t ASCII /etc/fstab - converts /etc/fstab from UTF-8 to ASCII and prints it to the screen.

Timezones
tzconfig has been replaced with tzselect, it was used to set the system timezone.

tzselect
A program that prompts you to set your timezone by selecting options that correspond with your location. The result modifies the TZ variable in .profile

/etc/timezone - one line describing a location in the /usr/share/zoneinfo folder. You can manually enter your timezone here.

/usr/share/zoneinfo - country timezone options exist here.

/etc/localtime - this file is a copy of the binary file referenced by /etc/timezone (/usr/share/zoneinfo).

You can also type cp /usr/share/zoneinfo/America/Detroit /etc/localtime to change the timezone.

The date command
date - shows the date and time.
date MMDDHHMMYYYY - sets the date/time, where the fields are:
MM = month, DD = day, HH = hour, MM = minute, YYYY = year


10.Maintain system time

Hardware clock
The system has two clocks; the system clock (date - runs while the PC is turned on) and the hardware clock (runs while the computer is shut off - powered by the motherboard battery). When the computer boots up it reads the hardware clock and sets the system clock accordingly. Type hwclock to see the hardware clock time.

The hardware clock always gives the date/time for your local timezone. The last line in /etc/adjtime tells you whether the hardware clock uses LOCAL time or UTC time (Greenwich mean time). To set the hardware clock to UTC time type hwclock -u -w
The -u flag indicates UTC time. --localtime can be used to set the hardware clock to local time.

To set the hardware clock manually type hwclock --set --date="MM/DD/YYYY HH:MM"
Type hwclock -w to write the system time to the hardware clock.

NTP
www.pool.ntp.org lists servers that you can synchronise your system's clock with. Servers are listed by geographical location. ntpdate servername - gets the current time from the specified timeserver. offset specifies the time difference between your clock and the timeserver prior to synchronisation.

service ntp start - starts the NTP service. This keeps your system's clock synchronised constantly with the timeserver (no need to manually type ntpdate). If you run ntpdate and get the "NTP socket is in use" message, it means that you already have the NTP service running on your computer.

/etc/ntp.conf - NTP configuration file. You can specify multiple NTP servers in this file (specify a pool or individual server). Eg server ntp.ubuntu.com OR server 0.us.pool.ntp.org


11.System logging

syslog
Many Linux systems now use rsyslog.

What gets logged where - facility, priority, action

Facilities are preset groups used by the syslog daemon, they are areas of logging - auth, cron, daemon, ftp, kern, mail, user. This list cannot be added to or modified. Services log to the facility that is most relevant to them.

Priorities
emerg, panic - a priority 1 issue, all users are advised.
alert - immediate action required.
crit - serious problem (HD failure)
err, error - something went wrong, but not too serious eg somebody tried to access a file and it wasn't there.
warning, warn - something seems to be wrong, not causing any problems yet, but could potentially cause problems.
notice - notifies you about something because you should do something about it.
info - default priority, used for issuing information eg a webserver serving a file.
debug - used when debugging a program, displays a large amount of information.

You can combine facility and priority eg auth.info records logins (authentications) each time someone logs into an SSH server.

Actions
file - write event to a file.
user - send it to a user.
pipe - pipe data to another command.
remote host - send log to a remote host.

The syslog configuration file
/etc/syslog.conf
Uncomment or add lines to enable logging. kern.* logs all priorities of the kern facility to /dev/console (output shown directly on the screen).

*.info;mail.none;authpriv.none;cron.none /var/log/messages - logs the info priority (and above) for every single facility except mail, authpriv and cron, and writes it to /var/log/messages.

/var/log/secure is generally only readable by root.

A dash in front of a filename under the action section indicates that the cache should not be flushed (provides better performance, but if the server crashed some of the information could be lost).

A * for action means that every logged in user is notified of the event.

kern,news.crit - indicates that anything critical and above for kern and news is logged.
To specify logging for just one type of priority type facility.=priority

An action of @192.168.1.240 logs the file to a remote server.

service syslog restart - restarts the syslog service. Necessary to recognise new configuration changes. The syslog.conf configuration file controls both the system and kernel logger.

How to set up a server to accept remote logging commands
Add the -r flag to the syslog daemon options in its startup configuration (redhat - /etc/sysconfig/syslog):
SYSLOGD_OPTIONS="-r"

logger
Used to manually add an entry into a system log.
logger -p facility.priority customised_message

The kernel logger is a separate process that uses the /etc/syslog.conf configuration file to determine where it writes its logs.
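A matcher for the selector syntax described in this section (*.info;mail.none;authpriv.none;cron.none, kern,news.crit, facility.=priority), added here as an example and not part of the original notes. SAMPLE_CONF is a constructed syslog.conf, and the functions let you check which actions an event of a given facility and priority would reach before editing the real file.

```shell
#!/bin/bash
# Added example (not from the original notes): evaluates syslog.conf selectors for a
# facility/priority pair and lists the matching actions of a constructed config.

# Numeric rank of a priority name (higher = more severe); aliases as listed above.
prio_level() {
    case "$1" in
        debug) echo 0 ;;  info) echo 1 ;;  notice) echo 2 ;;
        warning|warn) echo 3 ;;  err|error) echo 4 ;;  crit) echo 5 ;;
        alert) echo 6 ;;  emerg|panic) echo 7 ;;
        *) echo -1 ;;
    esac
}

# selector_matches SELECTOR FACILITY PRIORITY -> exit 0 if the event is selected.
# Rules: "prio" means that priority and above, "=prio" exactly that priority,
# "none" excludes the facility, "*" matches everything; when several parts of a
# ;-separated list name the same facility, the last one wins.
selector_matches() {
    fac=$2; lvl=$(prio_level "$3"); result=1
    rest="$1;"
    while [ -n "$rest" ]; do
        part=${rest%%;*}; rest=${rest#*;}
        case "$part" in *.*) ;; *) continue ;; esac        # skip malformed parts
        facs=${part%%.*}; p=${part#*.}
        # does this part name our facility (or every facility)?
        case ",$facs," in *",*,"*|*",$fac,"*) ;; *) continue ;; esac
        case "$p" in
            none) result=1 ;;
            '*')  result=0 ;;
            =*)   if [ "$(prio_level "${p#=}")" -eq "$lvl" ]; then result=0; else result=1; fi ;;
            *)    if [ "$lvl" -ge "$(prio_level "$p")" ]; then result=0; else result=1; fi ;;
        esac
    done
    return $result
}

# Constructed configuration in /etc/syslog.conf format (selector, whitespace, action).
SAMPLE_CONF='*.info;mail.none;authpriv.none;cron.none   /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 *
kern,news.crit                                          /var/adm/critical
local0.=info                                            /var/log/local0-info'

# route_event FACILITY PRIORITY -> prints the action of every SAMPLE_CONF line that
# would receive the event (a leading - means the file is not synced per write).
route_event() {
    printf '%s\n' "$SAMPLE_CONF" | while read -r selector action; do
        [ -n "$selector" ] || continue
        if selector_matches "$selector" "$1" "$2"; then printf '%s\n' "$action"; fi
    done
}

for ev in "auth info" "mail info" "cron crit" "kern emerg" "local0 notice"; do
    echo "== $ev -> $(route_event $ev | tr '\n' ' ')"
done
```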


12.Mail Transfer Agent (MTA) basics

Common MTAs
sendmail - most popular, difficult to configure, one of the oldest.
qmail - Not GPL (public domain). Designed to replace sendmail, made with security in mind.
exim - feature rich, supporting authentication, ACLs.
postfix - default for many distributions, supports encryption, virtual domains, configuration files are clear and easy to understand.

Config files are different for each MTA, but the commands often have an emulation mode so they are understood by different MTAs (sendmail emulation layer).

mailq - shows current mail in the queue (waiting to go out), regardless of MTA being used.

Email aliases
/etc/aliases - you could add pat.burn: spowers to the file using vi. This would result in mail sent to pat.burn being forwarded to spowers. Type newaliases after you have modified this file. This tells the MTA to check the changes.

Email forwarding
Users can forward their email to other accounts by creating /home/user/.forward In this file you just type the email address or local user name you want email forwarded to. Just remove the name from the file to disable forwarding.

Command mail program
mail - check email. N = new mail, type the corresponding number to read the email. After reading it type d to delete it.
mail user - starts interactive mail program. CC:, Subject, Body, ctrl-d to send email.
mail -s "subject" user < message.txt OR echo "message" | mail -s "subject" user either method will send email from the command line.


13.Manage printers and printing

CUPS runs on port 631. A web based printer administrative tool is accessible via http://localhost:631. You can add printers here.

/etc/cups - the CUPS directory
/etc/cups/ppd - printer drivers are stored here.

cupsd.conf - CUPS configuration file - you can set printing policies and access here.
SystemGroup - You can specify groups in here that have administrative access to CUPS.
Listen - specifies the address and port that CUPS listens on eg Listen localhost:631. If you want the server to accept CUPS requests on all network interfaces enter Listen 631.
Browsing - set this to on to allow other devices to browse to the shared printer and print to it.

/etc/printers.conf - lists installed printers.
DeviceURI specifies how the printer is connected to the system; via network or USB. The printer name is specified here (Printer name).

Managing print queues
Print jobs are held in a queue. These are stored in /var/spool/cups. Jobs are completed one by one. If there is any issue with a particular job, other jobs may not run.

lpq
lpq shows information about currently queued print jobs. lpq -a shows all current print jobs on the system. lpq -Pprinter will show all print jobs for the printer named printer. lpq lists the job number of print jobs.

lprm
lprm deletes specific prints job. lprm 1 deletes print job 1 (refer to lpq for print job numbers). lprm -Pprinter - will delete all print jobs on a printer named printer.

lpr
lpr allows you to print a document. Type lpr -Pprinter document_name to print a file named document_name on a printer named printer. lpr filename prints a file named filename to the default printer.

Printer troubleshooting
lpc status all shows the status of all printers. /etc/cups/printers.conf shows more info.

cupsenable printer_name enables a printer.

cupsdisable printer_name disables a printer, but still allows print jobs to continue to queue. cupsdisable -r "comment" printer_name adds a comment to the printer status.

cupsreject printer_name - leaves printing enabled, but disables queueing. This prevents new jobs from coming in. Takes the printer offline.

lpmove job# printer_name # stands for job number (use lpq to check job number). This command moves a job to another printer.
lpmove printer_name printer_name2 moves all the print jobs from printer_name to printer_name2.


14.Fundamentals of internet protocols

IPv4 addresses
An IPv4 address has 4 octets of 8 bits each; the address is 32 bits in total and is written in dotted quad format, shown in decimal notation (base 10). Each octet has 256 possible values (0-255). Within an octet the bits are worth 128, 64, 32, 16, 8, 4, 2 and 1. The network mask separates the network and host portions of the address: 1s indicate the network section, whilst 0s indicate the host portion. For example, in a network with an address range of 192.168.1.x and a subnet mask of 255.255.255.128 (/25) there will be two separate networks - 192.168.1.(0-127) and 192.168.1.(128-255).

A computer needs an ip address, network-mask, and default gateway. If the computer cannot connect to an ip address based on its known routes (local subnet) it forwards the request to its default gateway. The default gateway is a device that is connected to more than one network. It's a router. route add default gw address_of_gateway - adds a default route.

There are 3 sets of private addresses (about 4 billion public). They are not routeable on the Internet and can only be used locally. 10.*.*.*, 172.(16-31).*.*, 192.168.*.*
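The mask arithmetic behind the /25 split and the private-range check above, worked in plain shell. This is an added example, not from the original notes; it assumes a valid dotted quad and a prefix length of 0-32, and ip2int/int2ip are helpers written here, not standard commands.

```shell
#!/bin/bash
# Added example (not from the original notes): converts a dotted quad to a 32-bit
# number so a prefix-length mask can be applied with AND, then derives network,
# broadcast, host count, same-subnet and private-range answers from it.

ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs     # split on the dots
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

int2ip() {
    echo "$(( $1 / 16777216 % 256 )).$(( $1 / 65536 % 256 )).$(( $1 / 256 % 256 )).$(( $1 % 256 ))"
}

# prefix2mask PREFIX -> the mask as a 32-bit number (top PREFIX bits set to 1)
prefix2mask() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( (4294967295 >> (32 - $1)) << (32 - $1) )); fi
}

network_of()   { int2ip $(( $(ip2int "$1") & $(prefix2mask "$2") )); }      # host bits cleared
broadcast_of() { int2ip $(( $(ip2int "$1") | (4294967295 ^ $(prefix2mask "$2")) )); }  # host bits set
usable_hosts() { echo $(( (1 << (32 - $1)) - 2 )); }   # minus network and broadcast
mask_dotted()  { int2ip "$(prefix2mask "$1")"; }

# same_subnet IP1 IP2 PREFIX -> exit 0 when both addresses fall in the same network
same_subnet() { [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]; }

# is_private IP -> exit 0 for the three private ranges listed above
is_private() {
    same_subnet "$1" 10.0.0.0 8 || same_subnet "$1" 172.16.0.0 12 || same_subnet "$1" 192.168.0.0 16
}

describe() {
    echo "$1/$2: mask $(mask_dotted "$2"), network $(network_of "$1" "$2"), broadcast $(broadcast_of "$1" "$2"), $(usable_hosts "$2") usable hosts"
}

describe 192.168.1.5 25
describe 192.168.1.200 25
same_subnet 192.168.1.5 192.168.1.200 25 && echo "same subnet" || echo "different subnets"
for ip in 10.1.2.3 172.20.1.1 172.32.0.1 8.8.8.8; do
    is_private "$ip" && echo "$ip private" || echo "$ip public"
done
```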

IPv6 addresses
Uses 8 sets of 16 bits, 128 bit address length. Uses hexadecimal notation (base 16). 8 sets of 4 hexadecimal digits separated by colons. 3.4 x 10^38 = total number of IPv6 addresses.

Network Protocols - the way in which traffic is delivered.
TCP - Transmission Control Protocol. Transmits data with verified delivery. Error checking. Most reliable method.
UDP - User Datagram Protocol. Data is sent without error checking. Faster than TCP but prone to errors. Video streaming is done via UDP.
ICMP - Internet Control Message Protocol. Simple messaging regarding the connection itself: this link is down/up, this is so many hops away etc. Used by ping, traceroute etc.

Common Ports
20 (TCP) = ftp-data
21 (TCP) = ftp (login access)
22 (TCP/UDP) = SSH
23 (TCP) = Telnet
25 (TCP) = SMTP (mail)
53 (TCP/UDP) = DNS
80 (TCP/UDP) = HTTP (web)
110 (TCP/UDP) = POP3 (fetch email from an email server)
119 (TCP) = NNTP (usenet news - has kind of faded out of use, old internet news)
139 (TCP/UDP) = NetBios (Microsoft)
143 (TCP/UDP) = IMAP (allows you to access email remotely)
161 (TCP/UDP) = SNMP (network monitoring)
443 (TCP/UDP) = HTTPS (secure encrypted HTTP stream using SSL or TLS)
465 (TCP) = SMTPS (secure mail over SSL)
993 (TCP/UDP) = IMAPS (secure IMAP over SSL)
995 (TCP/UDP) = POP3S (secure POP3 over SSL encryption)

/etc/services - entire list of reserved ports that the computer knows about.

host google.com and dig google.com - looks up DNS info.

tracepath google.com - shows every hop between your machine and google.com. Uses ICMP. traceroute google.com gives similar info.

ftp, telnet = protocols and programs for file transfer and remote terminal sessions, respectively.

ping 192.168.1.1 - tests connectivity using ICMP.


15.Basic network configuration

/etc/hostname - set the hostname of your computer here. You can also type hostname to view the name. Each time the computer boots it sets the name according to the value in /etc/hostname.

/etc/hosts - format = ip_address domain1 domain2. Provides local DNS name resolution.

/etc/resolv.conf - tells computer what DNS servers to use for name resolution. Format = nameserver ip_address. You can list several name servers here.

/etc/nsswitch.conf - tells the computer what order to search for things. The hosts line tells the computer which order of files to look in when resolving DNS names. files = /etc/hosts, dns = /etc/resolv.conf

Redhat network files
/etc/sysconfig/network-scripts/ - interfaces are configured here. Each interface has a separate config file within this dir (ifcfg-eth0 etc). You can specify the ip address, netmask, gateway, DNS, static/dhcp and other interface details here. DEVICE = the network device eg eth0, BOOTPROTO = dhcp or static, ONBOOT = yes/no start the interface on boot.
/etc/sysconfig/network - you can set the hostname here on older Red Hat systems. Most systems, including newer Red Hat releases, use /etc/hostname instead. Format - HOSTNAME=beare.zapto.org.

Debian/Ubuntu network files - one main network file /etc/network/interfaces. All network interfaces on the computer are stored in this one file. You can specify the ip address, netmask, gateway etc here. auto = start interface automatically.

Configuring network interfaces manually
ifdown eth0 - brings interface down.
ifup eth0 - brings interface up according to the network config files.
ifconfig eth0 - shows a bunch of info about the interface (address, netmask, MAC, packet counters).
ifconfig eth0 192.168.1.1 netmask 255.255.0.0 - set ip address to 192.168.1.1 and netmask to 255.255.0.0 for eth0 (takes effect immediately but is not saved to the config files).
Using ifconfig you can even change the MAC address that your interface reports, eg ifconfig eth0 hw ether 00:11:22:33:44:55 (the interface usually has to be down first).
route - shows the current routing table.
route add default gw 192.168.1.10 - sets a default gateway of 192.168.1.10.


16.Basic network troubleshooting

How to restart a network interface manually
/etc/init.d/networking restart
Type ifdown eth0 and then ifup eth0
Type ifconfig eth0 down and then ifconfig eth0 up

How to remove a network card
Look at all interfaces with ifconfig -a
Take the interface down with ifconfig eth1 down
Type lsmod and look for the module that drives the network card, then type rmmod module_name to unload it.

How to manually fix an incorrect default gateway and perform troubleshooting
Use ping to see what you can reach inside the network (default gateway) and outside the network.
Use the host command to see if DNS is working.
Use ifconfig to check the settings for network adapters.
To see which ports are open and which connections exist type netstat -tuna (this lists sockets, not routes)
-n shows numbers instead of resolving host and service names
-t shows tcp sockets
-u shows udp sockets
-a shows all sockets, listening as well as established
netstat -r shows the routing table, same as route. netstat -rn shows the routing table in numeric form (ip route is the modern equivalent).
route del default - remove the default route.
route add default gw 192.168.1.1 - add a default route.


17.Configure client side DNS

How to modify the order that DNS name resolution is done. Open /etc/nsswitch.conf and locate the hosts line. This tells the computer in what order to look up host names. files = /etc/hosts, dns = query the DNS servers in /etc/resolv.conf. Because files normally comes first, a line added to /etc/hosts silently overrides DNS for that name, which is why /etc/hosts should be root-owned and checked when troubleshooting odd redirects.

/etc/hosts - you can set up the local host for IPv6 here. It is ::1 localhost6. For IPv4 it is 127.0.0.1 localhost. You can add addresses and names for local servers here too, it is a flat text file for DNS entries, useful on a LAN.

/etc/resolv.conf - list nameservers here. They must be in the form of an ip address, not DNS name.

host google.com - lists ip addresses that the domain is configured to use (forward lookup).
host 8.8.8.8 - reverse lookup on an ip address to see reverse DNS entries.

dig google.com - gives more info than host, includes nameservers. You can also do dig @8.8.8.8 google.com to give different info to primary DNS server.


18.Perform security administration tasks

How to find files with the SUID bit set
Type find / -perm -u+s to return every file in / with the SUID bit set.

How to find files with the SGID bit set
Type find / -perm -g+s to return every file in / with the SGID bit set.

How to find files with the SUID and SGID bits set
Type find / -perm -u+s,g+s to return every file in / with SUID AND SGID (-perm -mode means all the listed bits must be set).

How to find files with the SUID or SGID bit set
Type find / -perm /u+s,g+s to return every file in / with SUID OR SGID (-perm /mode means any of the listed bits). Add -type f to skip directories (SGID on a directory only affects group inheritance) and compare the result with what the distribution ships; an unexpected setuid binary is a classic way of keeping root access.
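As an added example, not part of the original notes: a shell script that turns the find commands above into a small SUID/SGID audit. It records the current set of setuid/setgid files as a baseline and later reports anything that has appeared since, which is how a new setuid binary planted by an attacker or pulled in by a careless package shows up. The demo builds its own throwaway tree under mktemp, so the file names in it (ping, wall, backdoor) are constructed, not taken from a real system.

```sh
#!/bin/sh
# list_suid_sgid DIR: print every regular file under DIR with the SUID or SGID bit set.
# "-perm -4000 -o -perm -2000" is the POSIX spelling of GNU find's "-perm /u+s,g+s".
# -xdev keeps the scan on one filesystem (skips /proc, network mounts etc. when run on /).
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# save_baseline DIR FILE: record the current SUID/SGID set (run once on a known-good system).
save_baseline() {
    list_suid_sgid "$1" > "$2"
}

# audit_against_baseline DIR FILE: print paths that are SUID/SGID now but were not in the baseline.
# comm needs sorted input, which list_suid_sgid guarantees; -13 keeps lines only in the new list.
audit_against_baseline() {
    list_suid_sgid "$1" | comm -13 "$2" -
}

# demo_suid_audit: constructed tree, baseline, then a planted setuid file; prints its name.
demo_suid_audit() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\n' > "$tmp/bin/ping"; chmod 4755 "$tmp/bin/ping"   # setuid, like the real ping
    printf '#!/bin/sh\n' > "$tmp/bin/wall"; chmod 2755 "$tmp/bin/wall"   # setgid, like wall (tty group)
    printf '#!/bin/sh\n' > "$tmp/bin/ls";   chmod 0755 "$tmp/bin/ls"     # ordinary binary, ignored
    save_baseline "$tmp" "$tmp/baseline.txt"
    # later: someone drops a new setuid copy of a shell
    printf '#!/bin/sh\n' > "$tmp/bin/backdoor"; chmod 4755 "$tmp/bin/backdoor"
    new=$(audit_against_baseline "$tmp" "$tmp/baseline.txt")
    rm -rf "$tmp"
    printf '%s\n' "$new" | sed 's#.*/##'   # strip the temp prefix: leaves "backdoor"
}
```

For real use run save_baseline / and audit_against_baseline / from cron as root, and read the baseline itself with ls -l once: the goal is a short list you recognise, so anything that does not belong gets chmod u-s.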

Password and account management (passwd, usermod, chage)
passwd user - change a user's password
usermod -L user - lock a user account (prepends ! to the password hash in /etc/shadow so no password matches)
usermod -U user - unlock a user account
chage -l user - view password aging information about a user
chage user - brings up an interactive setup for a user. Includes fields such as:
Minimum password age - how long people must wait until they can change their password.
Maximum password age - how often do they need to change their password
Last password change
Password expiration warning - how long before their password expires will they receive warning messages.
Password Inactive - How many days after the password expires will the account be disabled. -1 means the account will never deactivate when the password expires.
Account expiration date - set an expiry date for a account.
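Added example, not from the original notes: the aging fields that chage edits live in /etc/shadow (last change, min, max, warn, inactive, expire, all counted in days since 1970-01-01). This script reads shadow-format lines and reports, per account, whether the password is locked, expired, has no maximum age, or must be changed at next login. The shadow lines in demo_shadow_report are constructed with placeholder hashes; the real file is root-only, so run the report as root.

```sh
#!/bin/sh
# days_since_epoch: today's date as a day count, the unit /etc/shadow uses.
days_since_epoch() {
    echo $(( $(date +%s) / 86400 ))
}

# shadow_report TODAY: read /etc/shadow-format lines on stdin and print "user state".
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# States: locked (hash starts with ! or *), must-change (lastchg is 0, as after chage -d 0),
#         no-aging (max empty or 99999, the default), expired (lastchg + max < today), ok.
shadow_report() {
    awk -F: -v today="$1" '
        NF < 8 { next }                                   # skip lines that are not shadow entries
        {
            user = $1; hash = $2; last = $3; max = $5
            if (hash ~ /^[!*]/)                     state = "locked"
            else if (last == "0")                   state = "must-change"
            else if (max == "" || max + 0 >= 99999) state = "no-aging"
            else if (last + max < today)            state = "expired"
            else                                    state = "ok"
            printf "%s %s\n", user, state
        }'
}

# demo_shadow_report: constructed entries evaluated as if today were day 19200 (July 2022).
demo_shadow_report() {
    shadow_report 19200 <<'EOF'
root:$6$salt$placeholderhash:19000:0:99999:7:::
alice:$6$salt$placeholderhash:18900:7:60:14:30::
bob:!$6$salt$placeholderhash:18000:0:99999:7:::
svc:*:18000:0:99999:7:::
carol:$6$salt$placeholderhash:0:0:90:7:::
dave:$6$salt$placeholderhash:19180:0:60:7:::
EOF
}
```

On a live system: shadow_report "$(days_since_epoch)" < /etc/shadow. Accounts reported as no-aging are the ones chage -M (or passwd -x) should be run against; alice's entry is what a 60-day maximum looks like once it has lapsed.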

Set up limits on user logins, processes, and memory usage
ulimit - used to configure limits for the current environment.
ulimit -a shows all current limits together with the flag for each. Type ulimit -<flag> value to set a limit, where <flag> is the letter shown next to that attribute in ulimit -a (eg ulimit -n 4096 for open files, ulimit -u 100 for user processes). ulimit -S and ulimit -H select the soft or hard limit.

/etc/security/limits.conf - you can set system-wide limits here (applied by pam_limits when a user logs in).
You can specify hard and soft limits here. The soft limit is the value the kernel actually enforces; a user may raise their own soft limit, but only up to the hard limit. The hard limit is the ceiling and only root can raise it (anyone can lower either). Nothing here is a "grace period" or a warning.
Each line has four fields: domain, type of limit (hard or soft), item (eg maxlogins, nice (max process priority), nproc (max number of processes), nofile (max open files)), value.
domain - * equals everyone, you can specify individual users, or groups by placing an @ symbol at the front of the group name.

Use nmap and netstat to find open ports on a system
netstat -tuna shows all open TCP and UDP sockets on the system: listening ports and established connections, in numeric form. Add -p (netstat -tunap, as root) to see which process owns each socket; ss -tunap is the modern replacement. /etc/services maps the port numbers to names eg HTTP, SSH, FTP etc.
lsof -i is similar to netstat but lists the owning process by default and maps port numbers to names from /etc/services (lsof -i -n -P for raw numbers).
nmap ip_address - scans the computer for open ports from the outside (sees what other people see). ip_address could be 127.0.0.1 (localhost, which also shows services bound only to loopback) or the ip address of the network-facing interface (what the network can actually reach); the difference between the two lists is often the interesting part.

sudo
/etc/sudoers is the sudo configuration file. Type visudo to edit it (visudo locks the file and checks the syntax before saving, so a typo cannot lock everyone out of sudo). You can give users special privileges here. Add lines like the following to give a user different permissions.

username ALL=(ALL) ALL
The username comes first, ALL indicates all hosts this sudoers file applies to, =(ALL) means the user can run commands as any user, and the final ALL means they can run any command.

username ALL= ALL
Similar to the above line except that the user can only run commands as root (the default target user), not as anyone else.

username ALL=(ALL) NOPASSWD: ALL
NOPASSWD: ALL means the user will never be prompted for a password when running sudo. Any of these three lines is effectively a second root account; where possible list the specific commands the user needs (full paths, comma separated) in place of the final ALL.

Red Hat systems don't give ordinary users sudo rights by default (and sudo may be missing on minimal installs). You can type su -c 'command' instead; it asks for the root password.

Ubuntu doesn't set a password for the root user when you install it (direct root login is disabled). In /etc/sudoers on an Ubuntu system, the first user created during installation is added to the admin group (older releases) or the sudo group (12.04 and later), and a member of that group can run any command through sudo.
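Added example, not part of the original notes: instead of the blanket username ALL=(ALL) ALL rule, a least-privilege sudoers fragment for a constructed role (webadmin, allowed only to restart or reload apache2 as root), written to a temporary file and checked with visudo -c -f, which validates syntax without touching /etc/sudoers. The user name, alias name and command paths are assumptions for the demo. If visudo is not installed the check function reports "skipped".

```sh
#!/bin/sh
# sudoers_fragment: print a least-privilege rule set for the constructed "webadmin" role.
sudoers_fragment() {
    cat <<'EOF'
# Grant exactly what the role needs, nothing more.
# Compare: webadmin ALL=(ALL) ALL  (any command, as any user, on any host)
Cmnd_Alias WEBCTL = /usr/sbin/service apache2 restart, /usr/sbin/service apache2 reload
webadmin ALL=(root) NOPASSWD: WEBCTL
# Keep the escape hatches closed: no editors, shells or pagers in the alias, and
# no wildcards in arguments, since "service apache2 *" would match anything.
EOF
}

# check_sudoers_fragment: validate the fragment with visudo -c -f on a temp file.
# Prints "ok" (accepted), "bad" (syntax error) or "skipped" (visudo not available).
check_sudoers_fragment() {
    if ! command -v visudo >/dev/null 2>&1; then
        echo skipped; return 0
    fi
    f=$(mktemp) || return 1
    sudoers_fragment > "$f"
    chmod 0440 "$f"                                   # the mode sudoers files are expected to have
    if visudo -c -f "$f" >/dev/null 2>&1; then
        echo ok
    else
        echo bad
    fi
    rm -f "$f"
}

# Once validated, install it as a drop-in rather than editing /etc/sudoers itself:
#   install -m 0440 fragment /etc/sudoers.d/webadmin   (needs "#includedir /etc/sudoers.d" in sudoers)
check_sudoers_fragment
```

The same visudo -c -f check belongs in any configuration-management pipeline that ships sudoers drop-ins: a syntax error in /etc/sudoers.d/ breaks sudo for everyone on the host.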


19.Setup host security

Understand how shadow passwords work
In /etc/passwd an x in the password field indicates that the password hash is stored in /etc/shadow. In /etc/shadow a ! or * at the start of the second field means password login is disabled (! normally marks a locked account, * one that never had a password, eg system accounts). The hashed password is stored here ($6$ means SHA-512, $5$ SHA-256, $1$ the obsolete MD5). /etc/shadow is only readable by root (and the shadow group on Debian-style systems).

Disable all logins on the system
touch /etc/nologin
The file doesn't need any content, /etc/nologin just needs to exist. Only root will be able to log in while the file exists (pam_nologin turns everyone else away and shows them the file's contents, so put the reason in it). Remove the file to re-enable logins.

Turn off network services that are not in use
Redhat based systems
/etc/init.d/httpd stop stops the httpd service (temporary).
To turn a service off by default, first confirm your current run level (runlevel, or the initdefault line in /etc/inittab). Now run chkconfig --level 3 httpd off; this stops httpd from starting in run level 3 (permanent). chkconfig --list httpd shows its state for every run level.

Ubuntu based systems
/etc/init.d/apache2 stop stops the apache service (temporary).
To turn a service off by default, first confirm your current run level (runlevel, who -r). Now run update-rc.d -f apache2 remove; this removes the start/stop links for all runlevels (permanent, although a package upgrade may recreate them). update-rc.d apache2 disable is the newer form and survives upgrades.

Super servers
A super server has one process that manages a bunch of other server processes.
inetd
/etc/inetd.conf holds the Internet super server configuration database. Each line describes one service that the super server controls: service name (looked up in /etc/services), socket type (stream/dgram), protocol (tcp/udp), wait/nowait flag, user to run as, server path (often /usr/sbin/tcpd so the service is wrapped), arguments. Comment a line out with # to disable that service.

xinetd
/etc/xinetd.conf includes all the files in /etc/xinetd.d
Services will sit in /etc/xinetd.d
To enable these services set disable to no in the relevant service file.

It's a bad idea to run both super servers at once, as they will fight over the same ports; use one or the other. inetd has largely been replaced by xinetd (and both by systemd socket activation on current distributions).

Understand the role of TCP wrappers
/etc/hosts.allow and /etc/hosts.deny - consulted by tcpd (inetd), xinetd and any daemon linked against libwrap. They are not a firewall (the TCP connection is accepted and then closed), but they can be used to prevent outsiders from accessing services.
tftpd: 192.168.1.
When added to /etc/hosts.allow, the above line allows anyone on the 192.168.1.0/24 network to access tftpd (a trailing dot means a prefix match).
/etc/hosts.allow is checked before /etc/hosts.deny, and the first match wins. Therefore a client listed in hosts.allow is permitted even if an identical entry exists in hosts.deny. If a client matches neither file it is allowed by default, so to get default-deny put ALL: ALL in hosts.deny and list the permitted exceptions in hosts.allow.


20.Securing data with encryption

Private & Public Keys and Signing & Encryption
Private (id_rsa) - no one sees this key except its owner; it never leaves your machine (the server only ever receives the public half). Anything signed with the private key can be verified with the matching public key.
Public (id_rsa.pub) - everyone can see this. Data encrypted with the public key can only be decrypted with the matching private key.

Encryption - encrypting data with the recipient's public key so that only the holder of the private key can decrypt it (confidentiality).
Signing - a hash of the data is signed with the private key; anyone with the public key can verify that the data came from the holder of the private key and has not been altered (authenticity and integrity).

SSH Client/Server Model
The client stores a copy of the server's public host key to verify that the server is the device it claims to be. This requires you to have a trusted copy of the host key in the first place; SSH trusts it on first use, so compare the fingerprint out of band when you see the prompt.

Clients prove their identity to the SSH server either with a username and password, or with public-key authentication: the server holds a copy of the client's public key (in ~/.ssh/authorized_keys) and the client proves possession of the matching private key by signing a challenge.

~/.ssh/known_hosts contains the public keys of known hosts. This relates to the "The authenticity of host 'beare.zapto.org' can't be established" prompt: if you type "yes" the server's public key is stored in the client's known_hosts file. Each line holds the host name or address, the key type (eg ssh-rsa, ecdsa-sha2-nistp256, ssh-ed25519) and the key itself. If the server's key later changes, ssh refuses to connect and warns about a possible man-in-the-middle attack. You can add a server's public key to /etc/ssh/ssh_known_hosts so that it is trusted for all users.

Generating Key Pairs - no more passwords!
ssh-keygen -t rsa - creates a public and private key in ~/.ssh. You can use -t dsa instead, but DSA keys are weak and disabled in current OpenSSH; on a modern system prefer -t ed25519 (or rsa with -b 4096). When prompted you should enter a passphrase for your private key (a stolen key file is then useless on its own); you will be asked for it each time the key is used unless you load the key into ssh-agent (see below). If you specified rsa, ~/.ssh will contain id_rsa (private key, mode 600) and id_rsa.pub (public key). Other key types use their own names (id_dsa, id_ed25519).

ssh-copy-id -i /home/beare/.ssh/id_rsa.pub some_user@beare.zapto.org - copies your workstation's public key to the server.

On the server make sure that ~/.ssh and the home directory are NOT group or world writable, and that authorized_keys is not writable by others; sshd refuses the key otherwise (StrictModes). Best practice is 700 on ~/.ssh and 600 on ~/.ssh/authorized_keys.

On the server you can check the client public keys by viewing ~/.ssh/authorized_keys. These should match the client's public key in ~/.ssh/id_rsa.pub

Gnome and other desktop environments will hold passphrases for you by default. You can do this the old school way with ssh-agent (keeps the decrypted private key in memory so you only have to enter the passphrase once per session):
ssh-agent bash
ssh-add ~/.ssh/id_rsa
Enter passphrase

X11 - X forwarding
GUI apps started on the remote server appear on your workstation so you can use them; the server itself can be in command line mode. Type ssh -X user@fancyserver.com to log in with your usual command line interface, then run a GUI command such as gnome-terminal or google-chrome and its window opens on your PC. All processing is performed on the server; only the display traffic is tunnelled through SSH (X11Forwarding yes must be set in the server's sshd_config). Only forward X to servers you trust, since a forwarded X connection lets the remote side interact with your local display.

SSH Tunnels/Port forwarding
ssh -N -L 7777:localhost:80 user@me.org - the -N flag means no remote command is executed, just the tunnel. The -L argument is local_port:destination_host:destination_port: pick a port number on your workstation, then the host and port that connections to it should be forwarded to. The destination is resolved from the SSH server's side, so localhost here means me.org itself; it could be any host the server can reach, it doesn't have to be the one you are sshing into (eg -L 7777:intranet.me.org:80).

After you enter the command you won't get any standard output back, but the tunnel is up. Test it by browsing to http://localhost:7777 (or whatever port you chose); the request travels encrypted to me.org and on to the selected server and port. Useful for reaching ports that are blocked by the network you are on. By default the local port is bound to 127.0.0.1 only; with -g anyone who can reach your machine can use the tunnel, so leave -g off unless that is the intent.

scp - secure copy
scp source user@server:/remote_destination eg scp -r /home/user user@backup.org:/home (-r is needed to copy a directory; scp authenticates and encrypts exactly like ssh, so the same keys and known_hosts apply).

GPG Encryption
Like SSH, you need to make a keypair for GPG. Type gpg --gen-key for an interactive setup. You will be prompted for a name and email address to identify the new key, and for a passphrase that protects the private key. Towards the end of the setup the system may ask you to use the computer (type, move the mouse, cause disk activity) to gather entropy so the key is generated from good randomness. The keypair is stored in ~/.gnupg/. In this directory there is a configuration file (gpg.conf), the public keyring (pubring.gpg on older versions, pubring.kbx on GnuPG 2.1 and later) and other GPG files; keep the directory mode 700.

To view the keys currently on the system type gpg --list-keys. Type gpg --export name/email > key_filename to export the public key to a binary file named key_filename (add --armor for an ASCII file you can paste into email). name/email refers to the identifier you set when you created the key. You can copy this file to a remote computer and import it there with gpg --import key_filename. To encrypt a file to someone's public key type gpg --output output_encrypted_file --recipient name/email --encrypt input_raw_filename (name/email as listed in gpg --list-keys); only the holder of the matching private key can read it. To decrypt type gpg --output output_filename --decrypt source_filename. You will be prompted for the passphrase if one was set. Never export the private key (--export-secret-keys) except for a deliberate backup.


Other LPI-102 related info

Use dig to perform a reverse DNS lookup
dig +noall +answer -x 144.140.84.16
You could also use host ip_address

Block an IP address from accessing services like ssh and ftp
Initially, only services spawned per connection by a super-server (such as inetd) were wrapped, via the tcpd program. Most common network daemons can instead be linked against libwrap directly, which covers daemons that run without a super-server or handle many connections in one process (check with ldd $(which sshd) | grep libwrap). Note that OpenSSH itself removed tcp_wrappers support in version 6.7, so on current systems sshd usually ignores these files and a firewall rule or sshd's own AllowUsers/Match directives are the tools to use.
In /etc/hosts.deny add the line below. You can list several services and several addresses, and whole networks as a trailing-dot prefix, eg 192.168.1. The twist option runs the given command in place of the service, here returning a message to the blocked client.
sshd, vsftpd: 192.168.1.240, 10.2.2.3 : twist echo "private property!"
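Added example, not part of the original notes, covering both the hosts.allow/hosts.deny lookup order from section 19 and the deny line above: a shell re-implementation of how tcpd/libwrap decides on a connection (first match in hosts.allow wins, then first match in hosts.deny, otherwise allow). It understands the ALL wildcard, trailing-dot network prefixes like 192.168.1. and exact addresses; host names, the EXCEPT operator and the option field (twist, spawn) are not implemented, only stripped. The rule sets and client addresses in the demo are constructed.

```sh
#!/bin/sh
# wrap_match PATTERN VALUE: tcp_wrappers matching for the common cases:
# ALL matches anything, "192.168.1." (trailing dot) matches that prefix, else exact match.
wrap_match() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# rule_matches LINE DAEMON CLIENT: does "daemon_list : client_list [: options]" match?
rule_matches() {
    daemons=${1%%:*}                 # text before the first colon
    rest=${1#*:}
    clients=${rest%%:*}              # text between the first and second colon (options dropped)
    hit=1
    for p in $(printf '%s' "$daemons" | tr ',' ' '); do
        if wrap_match "$p" "$2"; then hit=0; break; fi
    done
    [ $hit -eq 0 ] || return 1
    for p in $(printf '%s' "$clients" | tr ',' ' '); do
        if wrap_match "$p" "$3"; then return 0; fi
    done
    return 1
}

# rules_match DAEMON CLIENT: read rule lines on stdin; 0 if any non-comment line matches.
rules_match() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if rule_matches "$line" "$1" "$2"; then return 0; fi
    done
    return 1
}

# wrap_decide DAEMON CLIENT ALLOW_RULES DENY_RULES: print "allow" or "deny" in tcpd order.
wrap_decide() {
    if printf '%s\n' "$3" | rules_match "$1" "$2"; then
        echo allow                   # a hosts.allow match wins, even if hosts.deny also matches
    elif printf '%s\n' "$4" | rules_match "$1" "$2"; then
        echo deny
    else
        echo allow                   # no match in either file: allowed by default
    fi
}

# demo_tcp_wrappers: constructed hosts.allow / hosts.deny contents; prints "daemon/client verdict".
demo_tcp_wrappers() {
    allow='sshd: 192.168.1.
tftpd: 10.0.0.5'
    deny='sshd, vsftpd: 192.168.1.240, 10.2.2.3 : twist /bin/echo "private property!"
ALL: ALL'
    for pair in sshd/192.168.1.240 sshd/192.168.1.7 vsftpd/10.2.2.3 tftpd/10.0.0.5 vsftpd/10.0.0.5 sshd/203.0.113.9; do
        printf '%s %s\n' "$pair" "$(wrap_decide "${pair%/*}" "${pair#*/}" "$allow" "$deny")"
    done
    # without the catch-all "ALL: ALL" line an unlisted client is allowed by default:
    printf 'sshd/203.0.113.9(no-catch-all) %s\n' "$(wrap_decide sshd 203.0.113.9 "$allow" "sshd: 10.2.2.3")"
}

demo_tcp_wrappers
```

Note the first line of the output: 192.168.1.240 is named explicitly in the deny rule, yet it is allowed because the 192.168.1. prefix in hosts.allow is consulted first. On a real system tcpdmatch daemon client (from the tcp_wrappers package) performs this same dry run against the real files.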

Login banners
To set a a message to appear before a user logs into the system edit /etc/issue for local logins; and /etc/issue.net for remote logins. To enable the banner for SSH add the line Banner /etc/issue.net to /etc/ssh/sshd_config. /etc/motd handles banners after the user logs in.

echo $? shows the exit status of the previous command.
echo $$ shows the process ID of the script/process itself.
echo $! shows the process ID of the last job run in the background.

pwck - verifies the integrity of password files
pwck checks the integrity of /etc/passwd (and /etc/shadow on current versions) and offers to fix problems.
pwck /etc/passwd /etc/shadow names both files explicitly (the arguments are the passwd file followed by the shadow file). pwck -r only reports and changes nothing.

CUPS
lpr -r filename prints and then deletes a file.
lpr -#12 filename prints 12 copies of a file.

Set a user's password so that it forces them to change it every 60 days
passwd -x 60 username
chage -M 60 username

SSH config files
/etc/ssh/ssh_config is the config file for outgoing ssh connections (the client; ~/.ssh/config overrides it per user).
/etc/ssh/sshd_config is the config file for incoming ssh connections (the daemon). Here you can stop root logging in directly over ssh: set PermitRootLogin no (older OpenSSH defaulted to yes; since 7.0 the default is prohibit-password, which still lets root in with a key). Once keys are in place also set PasswordAuthentication no. Check the file with sshd -t before restarting sshd, so a typo does not lock you out.

declare -f lists the functions defined in the current shell environment.
setup, when run as root on Red Hat based systems (including Fedora), presents a simple text-mode menu for changing network and other system settings.

pwconv
pwconv creates and updates /etc/shadow with information from /etc/passwd. pwconv relies on a special value of 'x' in the password field of /etc/passwd. This value of 'x' indicates that the password for the user is already in /etc/shadow and should not be modified. If the /etc/shadow file does not exist, this command will create /etc/shadow with information from /etc/passwd.

How to enable IP forwarding on a Linux system (needed when the box acts as a router or NAT gateway; leave it off otherwise, so a compromised host cannot be used to pivot between networks)
/proc/sys/net/ipv4/ip_forward holds a '1' when IP forwarding is enabled and a '0' when it is disabled.
Check the current value with
cat /proc/sys/net/ipv4/ip_forward
and you will normally see a '0'.
To enable it until the next reboot:
echo 1 > /proc/sys/net/ipv4/ip_forward
(sysctl -w net.ipv4.ip_forward=1 does the same)
To make it permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf (or a file in /etc/sysctl.d/) and apply it with sysctl -p. Older notes put the echo line at the end of /etc/rc.d/rc.local instead.

Use the find command to search for files with specific permissions and owners
find /home -uid 0 lists all files in /home owned by root (root is UID 0; UID 1 is usually bin or daemon). find /home -user root does the same by name. Replace 0 with another user's UID from /etc/passwd.
find /home -perm u=rw,g=r,o=r lists all files in /home with a permission of exactly 644 (same as find /home -perm 644).

groups username lists what groups a user is a member of.
id username lists what groups a user is a member of and includes the UID and GIDs.