Linux Lab

ssh

vi /etc/apt/sources.list

su

ssh username@ipaddress

eg : ssh root@172.16.247.143

实验一

fdisk /dev/sdb (create partitions)

mdadm --create /dev/md0 --level=raid0 --raid-devices=2 /dev/sdb1 /dev/sdc1 (create raid 0)

mkfs.ext3 /dev/md0 (create an ext3 filesystem on your RAID device)

mount /dev/md0 /mnt/ (mount it on /mnt)

find / -exec cp -R {} /mnt/ \; (copy files from the root filesystem to fill your new raid array with data.)

mdadm --detail /dev/md0 (show the current status of your RAID array)

umount /dev/md0 (umount your RAID array)

mdadm --stop /dev/md0 (stop /dev/md0)

cat /proc/mdstat (show running raid arrays)

/etc/init.d/mdadm-raid restart (restart the RAID service to automatically rebuild the array)

mdadm --stop /dev/md0 (stop your raid array)

rm /dev/sdc1 (delete the /dev/sdc1 special file)

/etc/init.d/mdadm-raid restart (restart the raid arrays)

mount /dev/md0 /mnt/ (mount /dev/md0)

mdadm --create /dev/md0 --level=raid1 --raid-device=2 /dev/sdb1 /dev/sdc1 (create a RAID1 array using your first two disks)

mdadm -f /dev/md0 /dev/sdc1 (simulate a hard disk fail on /dev/sdc1)

mdadm /dev/md0 --add /dev/sdd1 (add another disk to rebuild the array, add /dev/sdd1 to the array)

umount /mnt/ (umount the array)

mdadm --stop /dev/md0 (stop the array)

mdadm --zero-superblock /dev/sdb1) (erase used devices superblock.)

mdadm --create /dev/md0 --level=raid5 --raid-devices=3 /dev/sdb1 /dev/sdc1 /dev/sdd1 (create a RAID5 array using your first three disks)

df -h (show the size of your new filsystem)

hexdump /mnt/usr/sbin/groupadd (to read your files)

mdadm --remove /dev/md0 /dev/sdc1 (to remove /dev/sdc1 from /dev/md0)

mdadm --create /dev/md0 --level=raid --raid-devices=2 /dev/sdb1 /dev/sdc1 create a first RAID0 array out of your two first available disks)

mdadm --create /dev/md1 --level=raid0 --raid-devices=2 /dev/sdd1 /dev/sde1 (create a second (md1) RAID0 array from the remaining disks)

mdadm --create /dev/md2 --level=raid1 --raid-devices=2 /dev/md0 /dev/md1 (create a RAID1 out of the two RAID devices you've just created)

实验二

2.1

fdisk /dev/sdb (create a physical volume out of the first hard drive you've just added to the virtual machine)

pvcreate /dev/sdb1 (create a physica volume out of the partition you've just created)

pvdisplay (confirm the creation by listing the currently available physical volumes)

vgcreate storage /dev/sdb1 (put your new physical volume into a volume group named "storage")

vgdisplay (list all currently available volume groups to confirm your creation)

lvcreate -L 3GB -n movies storage (create a new logical volumes in the storage volume group , movies, size 3GB)

lvcreate -L 0.9GB -n music storage (create a new logical volumes in the storage volume group, music, size 0.9 GB)

apt-get install xfsprogs (install filesystem tools as needed)

mkfs.xfs /dev/storage/movies (create an XFS filesystem on the movies logical volume)

mkfs.ext3 /dev/storage/music (add an ext3 filesystem for the music lv)

mkdir /mnt/{movies, music}

mount /dev/storage/movies /mnt/movies/ (mount this filesystem to /mnt/movies)

mount /dev/storage/music /mnt/music/ (mount this filesystem to /mnt/music)

df -h (show available disk space on your filesystems)

2.2

umount /mnt/{movies,music}

e2fsck -f /dev/storage/music

resize2fs /dev/storage/music 100M

lvreduce -L 100M /dev/storage/music (shrink your lv music to 100M)

lvextend /dev/storage/movies /dev/sdf1 (extend your lv movies)

mount /dev/storage/movies /mnt/movies/(to mount your lv movies)

sfx_growfs /dev/dtorage/movies

lvextend -L +1GB /dev/storage/movies (extend lv movies to 4.9 GB(before it is 3.9GB))

lvextend -L +1GB /dev/storage/music (extend lv music to 1.1GB (before it is 0.1GB))

xfs_growfs /dev/storage/movies

e2fsck -f /dev/storage/music

resize2fs /dev/storage/music

lvcreate -L1GB -s -n movies-snapshot /dev/storage/movies (create a 1GB snapshot named movies-snapshot of the movies lv)

mkdir /mnt/snapshot

mount /dev/storage/movies /mnt/snapshot/ (mount your snapshot to /mnt/snapshot/)

tar -czf /dev/null /mnt/snapshot/ (do a full tar backup using the fastest tape writer ever: /dev/null)

umount /mnt/snapshot (unmount the now useless snapshot)

lvremove /dev/storage/movies-snapshot (delete the now useless snapshot)

Lab

3.1

cp /boot/initrd.img-2.6.32-5-686 . (copy the original initrd into your home directory)

file initrd.img-2.6.32-5-686 (see the filetype)

zcat initrd.img-2.6.32-5-686 > initrd.raw (unpack it in a dedicated working directory)

cpio -i < ../initrd.raw (copy file to ../initrd.raw file)

mkdir initrd (make directory)

sed -i 's/Loading, please wait/Loading Custom System, please wait/' init (open the init script with a text editor and modify the "Loading, please wait..." message. Replace it by "Loading Custom System, please wait>".)

find | cpio -o --format=newc > ../initrd-new.cpio (rebuild a compressed cpio initrd in your home directory)

cp initrd-new.cpio.gz /boot/initrd.img-2.6.32-5-686 (replace the original initrd by your custom one)

3.2

runlevel (show the current runlevel)

ls /etc/rc2.d/S* (list services started in the current runlevel)

update-rc.d exim4 disable 2 (disable the exim4 service)

init 3 (change your runlevel to 3)

runlevel (show the current runlevel)

pgrep -l exim4 (check if exim4 is running)

init 2 (switch back to runlevel 2)

runlevel (show the current runlevel)

update-rc.d exim4 enable 2 (re-enable exim4 in runlevel 2)

3.3

grep initdefault /etc/inittab (show the default runlevel)

sed -i 's/id:2:initdefault:id:6:initdefault:/' /etc/inittab (change the default runlevel to 6)

reboot (reboot your system,your system keeps on rebooting endlessly)

Lab

4.1

groupadd -r wheel (add group)

edit /etc/pam.d/su and add the following line :

auth required pam_wheel.so group=wheel

gpasswd -a supinfo wheel (add supinfo to the wheel group)

add the following line to /etc/pam.d/su before the previous one :

auth sufficient pam_wheel.so group=root trust

gpasswd -a supinfo root

4.2

edit /tec/pam.d/common-password and add the following line before all others :

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3

4.3

grep -niH nologin /etc/pam.d/* (find the name of a PAM module which is responsible of preventing users to open sessions if the /etc/nologin exists.)

Disallow non-root login when /etc/nologin exists.

grep -niH moth /etc/pam.d/* (to see which PAM module displays the content of /et/motd)

recommened book :

Network Security with OpenSSL

Apache2 pocket reference

Running Linux

DNS and BIND

Essential System Administration pocket reference

Managing NFS and NIS

Using Samba

Pro Linux System Administration

Expert Network Time Protocol

MySQL Cookbook

LDAP/OpenLDAP

Kerberos The Definitive Guide

post :for creation

pup :for update

init lab SOE

root password

init 0123456

init=0 --> init=/bin/ssh

pam.d pam.conf

apache create virtual host website

raid 0

raid 1

raid 5

lvresize = lvextend = lvreduce

lvreduce can have an argument as your Physical Volume but not lvextend

lvresize => growing

info any_command

Lab

5.1

mkdir -p certificate-authority/{private,certs,newcerts,crl} (create a certificate-authority directory in your home, create 4 subdirectories : private, certs, newcerts, crl.)

touch index.txt (create a blank index.txt)

echo "01" > serial (create serial file with "01" as content(without double quotes))

cp /etc/ssl/openssl.cnf ca-config (copy the default OpenSSL configuration file to ~/certificate-authority/ca-config)

5.2

openssl req -new -x509 -extensions v3_ca -nodes -keyout private/ca.key -out certs/ca.crt -config ca-config (create a new x509 certificate authority using the openssl command)

5.3

openssl req -new -nodes -keyout private/webserver.key -out webserver.csr -config ca-config (use openssl to create a csr for a webserver. the key will be stored in ~/certificate-authority/private/webserver.key and the request in ~/certificate-authority/webserver.csr)

openssl req -new -keyout private/john-smith.key -out john-smith.csr -config ca-config (use openssl to create a certificate to be used to authenticate a VPN user. the key will be written to ~/certificate-authority/private/john-smith.key and the request in ~/certificate-authority/john-smith.csr)

openssl ca -config ca-config -policy policy_anything -out certs/webserver.crt -infiles websever.csr (use the openssl ca command to sign off the webserver request. the final certificate should be stored in ~/certificate-authority/certs/webserver.crt)

openssl ca -config ca-config -policy policy_anything -out certs/john-smith.crt -infiles john-smith.csr (use the openssl ca command to sign off the second request. the final certificate should be stored in ~/certificate-authority/certs/john-smith.crt)

rm *.csr (remove the now useless certificate signining requests.)

5.4

openssl x509 -in certs/webserver.crt -noout -text (do a text dump the webserver.crt certificate.)

openssl x509 -in certs/john-smith.crt -subject -issuer -startdate -endate -noout (show the following informations from the john-smith.crt certificate : subject, issuer, startdate, enddate)

openssl verify -CAfile certs/ca.crt certs/john-smith.crt  (verify the validity of the john-smith.crt certificate against your certification authority.)

5.5

openssl ca -revoke certs/john-smith.crt -config ca-config (revoke John Smith's certificate.)

openssl ca -gencrl -out crl/revoked.crl -config ca-config (to generate the certificate revokation list in ~/certificate-authority/crl/revoked.crl.)

Lab

6.1

mkdir /var/www/{www.site1.com,www.site2.com}

echo "<html><body>Welcome on site1.com</body></html>" > /var/www/www.site1.com/index.html

echo "<html><body>Welcome on site2.com</body></html>" > /var/www/www.site2.com/index.html

mkdit /var/log/apache2/{www.site1.com,ww.site2.com}

create the /etc/apache2/sites-available/www.site1.com file

create the /etc/apache2/sites-available/www.site2.com file

a2ensite www.site1.com (enable website)

a2ensite www.site2.com (enable website)

/etc/init.d/apache2 restart (restart the service)

curl www.site1.com (query your server)

curl www.site2.com (query your server)

6.2

mkdir /var/www/www.site1.com/restricted

touch /var/www/www.site1.com/restricted/{movie1.avi,movie2.avi}

mkdir /etc/apache2/users

htpasswd -bc /etc/apache2/users/site1.passwd john qwerty

htpasswd -b /etc/apache2/users/site1.passwd sarah secret

htpasswd -b /etc/apache2/users/site1.passwd bob password

/etc/init.d/apache2 restart (restart the service)

curl www.site2.com/restricted

cd /var/lib/apt

ls

cd lists/

ls

rm -rf *

cd ~

info coreutils 'ls invocation'

cp -avr certificate-authority /home/supinfo/certificate/authority

This is one of the problem faced by many person’s“what if i lost the root password”First thing that comes in mind is “use single user mode” but the answer is NO.

coz debian takes the system security to one more level up and by default ask’s for the root password.

so the BIG QUESTION IS HOW TO proceed further

follow these steps

1) on grub-boot prompt.

press “e” to enter edit mode

2) then press downarrow to reach the line that starts with “kernel “

press “e” again

3) at the end of this line type in “init=/bin/sh” or “/bin/bash”

4) then press enter to make that change and press “b” to boot

in a few seconds you will be on your “#” prompt

5) only one step left

“mount -o remount rw /”

this step is necessary coz in this case root file system is mounted as read only.

6) finally type “passwd” and you get the screen to change the password

and then type in “init 6? or “reboot”

NOTE FOR TECHNICAL USERS

those who are looking for the technical details, the main work is the init command that we passed as an argument to kernel, it told kernel to specifically run the command specified in parameter instead of working on normal routine.

TRICK = if you have any program you wish to run instead of this then you can do that too using init command only.

init 0

init 6 (restart)

cd /etc/rc

cd /etc/rc0.d/

ls

cd /etc/rc1.d/

ls

cd /etc/rc6.d/

ls

/etc/inittab (to set level)

BIOS :

Bootloader :

Kernel :

init :

rc :

file (to see the filetype)

zcat file.gz > test.txt (to see the file.gz and put the content to test.txt)

cpio ()

sed (to replace the content )

pgrep (to see if a progress is ongoing)

auth required pam_wheel.so group=wheel