This should have been the third-last topic I wanted to share from my RHCE course, but my brain just hung there without any progress, so I went ahead with SELinux and firewall first.
I am still trying to understand the networking terms; teaming and bridge are two new words I learned from the RH Admin III course. Actually, I still don't quite understand what they are used for. When I set up VirtualBox for this series of posts, I started to understand bridging a bit more... Anyway, let me stay focused on the topic (the how-to).
The NetworkManager commands (nmcli) are rather easy to use, once you know what you are trying to do.
Network teaming
I did some hacking to get two available interfaces, enp0s8 and enp0s10.
Next, create a team master. This team master is configured with the activebackup runner, i.e. one port/link is used while the other is reserved as a backup.
Now create the team slaves (team ports).
Use teamdctl to see the status of the team. It is provided by the teamd package.
Currently, enp0s8 is the active port. Let's bring this port down and check the status again. It automatically switches to the other port.
If we bring enp0s8 up again, enp0s12 remains the active port, and the "new" port becomes the backup port in this setting.
Network bridging
Let me bring down enp0s8 for this demo. Then create a bridge and a bridge-slave.
You can use brctl to view the bridge details. It is provided by the bridge-utils package.
Note that the connections we created earlier have their configuration saved in files under /etc/sysconfig/network-scripts/.
Link aggregation
NetworkManager does not support link aggregation. If you need to combine the bridge and the team, you must stop NetworkManager, modify the connection config files manually, and restart the network service.
Say we want team0 linked to bridge0. Make the necessary modification in /etc/sysconfig/network-scripts/ifcfg-team0; in this case it is just adding the line highlighted in the red box in the image below.
I stopped and disabled NetworkManager, then restarted the network service. But I was facing a failure. However, after I rebooted my VM and checked the network service again, all bridge and team connections were running fine. I tried to restart it again, and it also ran fine. I wonder why...
With this, I conclude my notes on this topic. Frankly, I still don't understand the network setup well, but what I care more about is that it works. :D
The hack I applied to get these two interfaces in my VM: I created two additional network adapters (bridged adapters) and deleted the associated connections via the nmcli command.
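As an added example (not code from the original post), the script below writes the ifcfg files that nmcli saves under /etc/sysconfig/network-scripts for an activebackup team placed under a bridge, including the manual BRIDGE= line that links team0 to bridge0, and then checks that the files reference each other consistently before the network service is restarted. The target directory, interface names and the bridge IP address are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: write the ifcfg files that
# nmcli saves under /etc/sysconfig/network-scripts for an activebackup team
# placed under a bridge, then sanity-check the cross references between the
# files before restarting the network service. The target directory, the
# interface names and the bridge IP address are assumptions for the demo.
set -eu

# The nmcli commands this mirrors (assumed; not run here):
#   nmcli con add type team con-name team0 ifname team0 \
#       config '{"runner": {"name": "activebackup"}}'
#   nmcli con add type team-slave con-name team0-port1 ifname enp0s8 master team0
#   nmcli con add type team-slave con-name team0-port2 ifname enp0s10 master team0
#   nmcli con add type bridge con-name bridge0 ifname bridge0
# Putting team0 under bridge0 is the manual step: BRIDGE=bridge0 in ifcfg-team0.

write_team_bridge_ifcfg() {   # write_team_bridge_ifcfg DIR
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ifcfg-team0" <<'EOF'
DEVICE=team0
NAME=team0
DEVICETYPE=Team
TEAM_CONFIG='{"runner": {"name": "activebackup"}}'
BOOTPROTO=none
ONBOOT=yes
BRIDGE=bridge0
EOF
    for spec in "port1 enp0s8" "port2 enp0s10"; do
        set -- $spec    # $1 = port name, $2 = physical interface
        cat > "$dir/ifcfg-team0-$1" <<EOF
DEVICE=$2
NAME=team0-$1
DEVICETYPE=TeamPort
TEAM_MASTER=team0
ONBOOT=yes
EOF
    done
    cat > "$dir/ifcfg-bridge0" <<'EOF'
DEVICE=bridge0
NAME=bridge0
TYPE=Bridge
BOOTPROTO=none
IPADDR=192.168.56.110
PREFIX=24
ONBOOT=yes
STP=no
EOF
}

# Print the value of KEY in an ifcfg FILE (surrounding quotes stripped).
ifcfg_get() {   # ifcfg_get FILE KEY
    sed -n "s/^$2=//p" "$1" 2>/dev/null | tr -d "'\"" | head -n 1
}

# Check that every TeamPort names a master that has its own ifcfg file and
# that a team carrying BRIDGE= points at a file of TYPE=Bridge. File names
# are assumed to follow the ifcfg-<NAME> convention nmcli uses.
check_aggregation() {   # check_aggregation DIR
    dir=$1; rc=0
    for f in "$dir"/ifcfg-*; do
        case $(ifcfg_get "$f" DEVICETYPE) in
        TeamPort)
            m=$(ifcfg_get "$f" TEAM_MASTER)
            [ -f "$dir/ifcfg-$m" ] ||
                { echo "$(basename "$f"): TEAM_MASTER=$m has no ifcfg-$m"; rc=1; }
            ;;
        Team)
            b=$(ifcfg_get "$f" BRIDGE)
            [ -z "$b" ] || [ "$(ifcfg_get "$dir/ifcfg-$b" TYPE)" = Bridge ] ||
                { echo "$(basename "$f"): BRIDGE=$b is not a TYPE=Bridge connection"; rc=1; }
            ;;
        esac
    done
    [ $rc -eq 0 ] && echo "ok: team and bridge files are consistent"
    return $rc
}

# Demo run: sh this_file.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_team_bridge_ifcfg "$d"
    check_aggregation "$d"
    rm -rf "$d"
fi
```

Running the check before systemctl restart network catches the usual cause of the "failure" the post saw: a port or team that names a master or bridge whose ifcfg file does not exist under that name.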
Monday, October 23, 2017
Tuesday, October 17, 2017
SELinux
SELinux stands for NSA Security-Enhanced Linux.
By default, the SELinux setting is kept in /etc/selinux/config. The default setup is permissive, meaning that when the SELinux policy is violated, a warning is logged rather than the service being prevented from running properly.
SELinux config file content.
In permissive mode, the log is captured in the /var/log/audit/audit.log file.
Port related
Let's do a test.
I set the httpd service to also listen on port 1234, which is not a conventional port number for httpd. In permissive mode, the httpd service restarts successfully. However, there is an entry in the audit.log file.
When I set SELinux to enforcing, the service failed to start. These are snippets of the log shown when I query the status of the httpd service.
From the log in the audit.log file and also the status log, port 1234 is the culprit. It should be added to the related SELinux policy, so I am adding the port to http_port_t as well.
Now it can be successfully restarted!
File related
SELinux policy is not limited to port context, but also file context.
For example, files in /var/www/html already have the httpd_sys_content_t context, so no additional steps are required to set the SELinux policy.
There is another conventional path to host html files, /srv/*/www. However, for a new directory this fcontext is not applied automatically; you need to run restorecon on /srv once to set it correctly.
If the file is put in a different path, you need to map that path to the correct fcontext, then run the restorecon command.
Boolean related
There is another main topic in semanage, the SELinux booleans.
You can use the semanage boolean -l command to list all booleans.
For example, let's check the network- and db-related booleans, and modify them.
These boolean policies add an additional security layer to the service in case the service's configuration is compromised.
That's all for the three main domains of SELinux policy management.
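The port and file sections above both follow the same loop: run in permissive mode, read the denial out of audit.log, then add the missing port or file context. As an added example (not code from the original post), the script below automates the reading step: it parses AVC lines from audit.log and prints the semanage/restorecon command that matches each denial. The audit lines are constructed samples, and the mapping from the httpd_t domain to http_port_t / httpd_sys_content_t is an assumption chosen to match the post's httpd scenario.

```shell
#!/bin/sh
# Added example, not code from the original post: read AVC denials out of
# audit.log (the file the post points at) and turn each one into the
# semanage/restorecon command that resolves it, which is the workflow the
# post walks through by hand for port 1234. The audit lines below are
# constructed; the domain-to-type mapping covers only httpd and is an
# assumption chosen to match the post's scenario.
set -eu

# Constructed sample in audit.log format. permissive=1 marks a denial that
# was logged but allowed, as in the post's permissive-mode test.
SAMPLE_AUDIT='type=AVC msg=audit(1508234567.123:456): avc:  denied  { name_bind } for  pid=2140 comm="httpd" src=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1508234567.123:456): arch=c000003e syscall=49 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1508234570.987:460): avc:  denied  { getattr } for  pid=2140 comm="httpd" path="/srv/test.com/www/index.html" dev="dm-0" ino=1310 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1'

# Pull one KEY=value field out of an audit line (quotes stripped).
avc_field() {   # avc_field LINE KEY
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Which labelled type the confined domain expects for ports and for content
# files. Assumption: only httpd_t is mapped; extend for other daemons.
port_type_for() { case $1 in httpd_t) echo http_port_t ;; *) echo "UNKNOWN_port_t" ;; esac; }
file_type_for() { case $1 in httpd_t) echo httpd_sys_content_t ;; *) echo "UNKNOWN_t" ;; esac; }

# Read audit lines on stdin and print one remediation command per denial:
#   tcp/udp socket denials  -> semanage port -a ...
#   file/dir denials        -> semanage fcontext -a ... ; restorecon -Rv ...
avc_to_fix() {
    while IFS= read -r line; do
        case $line in *"type=AVC"*"denied"*) ;; *) continue ;; esac
        domain=$(avc_field "$line" scontext | cut -d: -f3)
        tclass=$(avc_field "$line" tclass)
        case $tclass in
        tcp_socket|udp_socket)
            echo "semanage port -a -t $(port_type_for "$domain") -p ${tclass%_socket} $(avc_field "$line" src)"
            ;;
        file|dir)
            p=$(avc_field "$line" path)
            [ "$tclass" = dir ] && d=$p || d=${p%/*}
            echo "semanage fcontext -a -t $(file_type_for "$domain") '$d(/.*)?'; restorecon -Rv $d"
            ;;
        *)
            echo "# unhandled tclass=$tclass: $line"
            ;;
        esac
    done
}

# On a real host: avc_to_fix < /var/log/audit/audit.log
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_AUDIT" | avc_to_fix
fi
```

The output is meant to be read, not piped straight into a root shell: for a path that already has a matching default rule (such as /srv/*/www) the restorecon half alone is enough, and a denial against a port or path you did not intend to expose is a finding, not something to allow.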
Firewall
By default, firewalld is already installed when you set up your machine, so nothing extra needs to be installed in order to use it.
Basically, there are a few predefined default zones, and by default the public zone is set as the default zone.
I got this from man firewalld.
List of predefined zones, and the default zone.
The basic firewall commands allow external hosts to access services or ports on the local machine.
To list current firewall rules.
To allow a service or port.
To remove the service or port from the firewall rules, simply replace add with remove. Note that this only allows the service or port temporarily: after the firewalld service is restarted, these rules are gone. To make them permanent, run the commands again with the additional --permanent option. Another way is to run the command with the --permanent option first, then run firewall-cmd --reload.
For more complicated firewall rules, use the rich language. You may set certain packets to be dropped, rejected or accepted. In addition, you may also log/audit the connections.
The structure of the rule.
Example 1.
Drop all https requests from 192.56.168.0/24.
Before I proceed with the second example, I am doing a reload. All the non-permanent rules are gone after the reload.
Example 2.
Log at a rate of 3 per minute and accept http requests.
Example 3.
Port forwarding from port 999 to port 22.
To see the man page for rich language, use man firewalld.richlanguage.
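As an added example (not code from the original post), the script below builds the three rich rules from the examples above, applies a rule the second of the two permanent ways described (--permanent, then --reload), and compares a runtime rule listing against the permanent one to find rules that will vanish at the next reload, which is exactly what happened before Example 2. FIREWALL_CMD is an assumed variable that lets the apply step be dry-run; the rule listings fed to the comparison are constructed here.

```shell
#!/bin/sh
# Added example, not code from the original post: build the three rich rules
# the post shows, apply one permanently with a reload (the second of the two
# permanent approaches in the post), and find rules that exist only in the
# runtime set, i.e. the ones the post warns will vanish on the next reload.
# FIREWALL_CMD lets the apply step be dry-run; the rule listings fed to the
# runtime-vs-permanent check are constructed.
set -eu
: "${FIREWALL_CMD:=firewall-cmd}"

# Example 1: drop traffic for a service from one source network.
rich_drop_from() {   # rich_drop_from CIDR SERVICE
    printf 'rule family="ipv4" source address="%s" service name="%s" drop\n' "$1" "$2"
}
# Example 2: log at a limited rate (e.g. 3/m) and accept a service.
rich_log_accept() {  # rich_log_accept SERVICE RATE
    printf 'rule family="ipv4" service name="%s" log prefix="%s" level="info" limit value="%s" accept\n' "$1" "$1" "$2"
}
# Example 3: forward a TCP port to another local port.
rich_forward_port() {   # rich_forward_port FROM_PORT TO_PORT
    printf 'rule family="ipv4" forward-port port="%s" protocol="tcp" to-port="%s"\n' "$1" "$2"
}

# Write the rule to the permanent configuration, then reload so it is live too.
apply_permanent() {   # apply_permanent RULE
    "$FIREWALL_CMD" --permanent --add-rich-rule="$1"
    "$FIREWALL_CMD" --reload
}

# Arg 1: output of `firewall-cmd --list-rich-rules`; arg 2: output of
# `firewall-cmd --permanent --list-rich-rules`. Prints rules present at
# runtime only, which a reload or restart will drop.
runtime_only_rules() {
    rt=$(mktemp); perm=$(mktemp)
    printf '%s\n' "$1" | LC_ALL=C sort > "$rt"
    printf '%s\n' "$2" | LC_ALL=C sort > "$perm"
    LC_ALL=C comm -23 "$rt" "$perm"
    rm -f "$rt" "$perm"
}

# Demo: sh this_file.sh demo   (prints the firewall-cmd calls instead of running them)
if [ "${1:-}" = demo ]; then
    fake_fw() { printf 'firewall-cmd %s\n' "$*"; }
    FIREWALL_CMD=fake_fw
    apply_permanent "$(rich_drop_from 192.56.168.0/24 https)"
    rt="$(rich_forward_port 999 22)
$(rich_drop_from 192.56.168.0/24 https)"
    runtime_only_rules "$rt" "$(rich_drop_from 192.56.168.0/24 https)"
fi
```

On a live host the comparison is runtime_only_rules "$(firewall-cmd --list-rich-rules)" "$(firewall-cmd --permanent --list-rich-rules)"; anything it prints is a rule somebody added without --permanent and will be gone after the next reload.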
Friday, October 6, 2017
Server Message Block (SMB)
This post is about setting up an SMB server, and how to set up client access. The samba daemon mainly provides file/print services for Workgroups or LanManager, which is out of scope for this post. I have no idea how to link it to a Windows AD. :D
Install samba and samba-client package in server.
yum install -y samba samba-client
Let's look at the configuration file (/etc/samba/smb.conf).
These are highlighted in the RH Administration III manual:
workgroup = <WORKGROUP NAME> : acts as "the workgroup".
security = user
passdb backend = tdbsam
At this point, or at least in this post, let's just leave them at their defaults.
Let's share /data on the server as a user share with the name data.
[data] denotes the new section for the user share, and the share name is data.
path specifies the path to share.
writable sets whether this path can be modified; you can also use the read only parameter to control this.
browseable controls whether this share is visible when a user lists the shares.
Now enable and start the related services, and update the firewall rules.
systemctl enable smb nmb
systemctl start smb nmb
firewall-cmd --permanent --add-service=samba
firewall-cmd --reload
Before I forget, I also set up a samba user account on the server (for the user from the client to log in with) using the following command. It prompts you to set the password.
smbpasswd -a jlim
On the client side, install cifs-utils and samba-client.
yum install -y cifs-utils samba-client
To list the shares from the server on the client machine (highlighted in the yellow box).
To access it, create a mount point and mount it.
Remember that /data was used for NFS in the previous post? It seems this does not conflict with an additional Samba share of the same path.
Now, let's go to Windows. We can connect to this share via the net use command.
We can use the same share in Windows!
I just realized I have set SELinux on this server box to permissive. No wonder I didn't see any issue in yesterday's NFS setup and today's Samba setup... :D This is another difficult topic; I did a quick test and set it to enforcing, updated the fcontext to samba_share_t for the share path, but it still complains of access denied on the client side. Giving up for now. Maybe I'll revisit this when I write about SELinux in the near future.
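The post mounts the share by hand and does not show the mount command. As an added example (not code from the original post), the script below does the client side the way it should be kept in production: the Samba password for the jlim account goes into a root-only credentials file instead of on the mount command line or in /etc/fstab, the file is checked before use, and the matching /etc/fstab line is generated. Server name, share, mount point, credentials path and the MOUNT_CMD variable used for dry runs are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: prepare the client side of
# the CIFS mount the post performs by hand, keeping the Samba password in a
# root-only credentials file rather than on the mount command line or in
# /etc/fstab. Server name, share, mount point and credentials path are
# assumptions; the user name matches the smbpasswd example in the post.
set -eu

# Write a mount.cifs credentials file readable only by its owner (mode 600).
write_cifs_credentials() {   # write_cifs_credentials FILE USER PASSWORD [DOMAIN]
    ( umask 077
      printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
      [ $# -ge 4 ] && printf 'domain=%s\n' "$4" >> "$1"
      chmod 600 "$1" )
}

# Print the value of a key in the credentials file (used by the check).
cred_get() {   # cred_get FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Refuse a credentials file that other users could read or that lacks the
# two keys mount.cifs needs. Returns 1 on any problem.
check_cifs_credentials() {   # check_cifs_credentials FILE
    f=$1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    if [ "$mode" != 600 ] && [ "$mode" != 400 ]; then
        echo "$f: mode $mode, expected 600 (or 400)"; return 1
    fi
    if [ -z "$(cred_get "$f" username)" ] || [ -z "$(cred_get "$f" password)" ]; then
        echo "$f: username= or password= missing"; return 1
    fi
    echo "ok: $f"
}

# The /etc/fstab line for a persistent mount; _netdev defers the mount
# until the network is up.
cifs_fstab_line() {   # cifs_fstab_line SERVER SHARE MOUNTPOINT CREDFILE
    printf '//%s/%s %s cifs credentials=%s,_netdev 0 0\n' "$1" "$2" "$3" "$4"
}

# Mount once by hand (set MOUNT_CMD to a function or echo for a dry run).
# Equivalent to the post's mount step, with the password taken from the file.
mount_cifs_share() {   # mount_cifs_share SERVER SHARE MOUNTPOINT CREDFILE
    check_cifs_credentials "$4" >/dev/null || return 1
    mkdir -p "$3"
    "${MOUNT_CMD:-mount}" -t cifs "//$1/$2" "$3" -o "credentials=$4"
}

# Demo: sh this_file.sh demo   (prints the mount call instead of running it)
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    fake_mount() { printf 'mount %s\n' "$*"; }
    MOUNT_CMD=fake_mount
    write_cifs_credentials "$d/.smbcred" jlim 'constructed-demo-password'
    check_cifs_credentials "$d/.smbcred"
    cifs_fstab_line server1 data /mnt/data /root/.smbcred
    mount_cifs_share server1 data "$d/mnt" "$d/.smbcred"
    rm -rf "$d"
fi
```

With the fstab line in place the mount survives reboots, and because only the credentials path appears in /etc/fstab, a world-readable fstab no longer leaks the Samba password.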
Thursday, October 5, 2017
Network File System (NFS)
This post is about how to set up an NFS share, and how to access the NFS share from another machine.
Both server and client must have nfs-utils installed.
yum install -y nfs-utils
Enable and start nfs-server on the server machine.
systemctl enable nfs-server
systemctl start nfs-server
Say /data is to be shared as NFS.
The sharing information needs to be added to /etc/exports, then the configuration reloaded. The syntax of /etc/exports is
<path to share> <allowed network>(<options>)
This means any machine in the network 192.168.56.1/24 can access it.
You must allow this service in the firewall as well.
firewall-cmd --permanent --add-service=nfs
firewall-cmd --reload
Let me create a file in the directory.
On the client machine, you can set up a permanent mount by specifying it in /etc/fstab.
If you create a file from this client machine, you'll get something like this.
There are a few options that can be used to control the access level in /etc/exports.
rw : read write access.
ro : read only access.
root_squash : map the client's root to the anonymous user, which you can see in the test above (nfsnobody). This is turned on by default.
no_root_squash : turn off root squashing.
all_squash : all client users are mapped to the anonymous user.
You can also set up secured access... but I am not familiar with it... yet. :P
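As an added example (not code from the original post), the script below builds an /etc/exports line from the syntax and options above, and audits an exports file for the two entries a reviewer flags first: no_root_squash, which undoes the default squashing described above, and entries that export to every host, including the classic mistake of a space between the client and the parenthesis, which makes the options apply to the world. The sample exports content is constructed; the network and paths follow the post's example.

```shell
#!/bin/sh
# Added example, not code from the original post: build an /etc/exports
# entry from the options the post lists, and audit an exports file for the
# two things a reviewer would flag first: no_root_squash, and entries that
# (often by accident) export to every host. The sample exports content is
# constructed; the network and paths follow the post's example.
set -eu

# Emit one exports line: PATH NETWORK(OPTIONS). There must be no space
# between the client and the parenthesis, see audit below.
exports_line() {   # exports_line PATH NETWORK OPTIONS
    printf '%s %s(%s)\n' "$1" "$2" "$3"
}

# Read exports content on stdin; print one finding per risky export.
# Returns 1 if anything was flagged, 0 if clean.
audit_exports() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        case $line in *' '*) ;; *) continue ;; esac   # path with no clients
        path=${line%% *}
        for client in ${line#* }; do
            host=${client%%\(*}
            case $client in *\(*) opts=${client#*\(}; opts=${opts%\)} ;; *) opts='' ;; esac
            case $host in
            '*'|'') echo "$path: exported to every host (client '$host')"; rc=1 ;;
            esac
            case ",$opts," in
            *,no_root_squash,*) echo "$path ($host): no_root_squash keeps remote root as root"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# On a real host: audit_exports < /etc/exports
if [ "${1:-}" = demo ]; then
    { exports_line /data 192.168.56.0/24 rw
      exports_line /backup 192.168.56.0/24 rw,no_root_squash
      printf '/oops 192.168.56.0/24 (rw)\n'; } | audit_exports || echo "see findings above"
fi
```

A client '' finding is the space-before-parenthesis case: "/oops 192.168.56.0/24 (rw)" exports /oops read-only to the network and read-write to everyone, which is rarely what was meant.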
Secured web server
This post is mainly about configuring a secured web server. Certificate generation will be discussed in the future.
One package is required to be installed: mod_ssl.
yum install -y mod_ssl
After installation, httpd needs to be restarted, and the firewall rules should be updated if it is meant to be accessible from other machines.
systemctl restart httpd
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
When you try to access it, you'll get this.
You can proceed by clicking Add Exception to view the page.
If I try to access https://test.com (based on the existing setup continued from yesterday's virtual web server post), I get this.
Why? Because test.com points to the same IP, and this virtual host is only set to listen on port 80, not port 443. When no match is found, httpd always falls back to the DocumentRoot in /etc/httpd/conf/httpd.conf.
If the additional setting below is configured, it will point to the "actual" test.com content again.
You'll get this.
A potential issue you might face is that the secured virtual host does not work.
1. Because Listen 443 is found only in /etc/httpd/conf.d/ssl.conf, the virtual host listening on port 443 must be defined after it. The conf files are loaded in alphabetical order of file name. I defined it in test.conf, so I did not face any issue. To make it effective for all conf files in this directory, you can move that line to /etc/httpd/conf/httpd.conf, before the IncludeOptional conf.d/*.conf line.
2. Following on from rule #1, in case you missed the bold words... Listen 443 can be defined only once, or httpd will fail to start.
You can always set it to listen on another port number. Just remember to open the port in the firewall rules, and also set the correct port SELinux policy if you have SELinux set to enforcing.
Wednesday, October 4, 2017
Virtual web server
I am not sure what it is actually called, virtual web server or virtual host, whatever. This configuration allows multiple web applications to be hosted on a single machine.
The default configuration file of the httpd service is /etc/httpd/conf/httpd.conf. Notable default settings are:
ServerRoot "/etc/httpd"
Listen 80
DocumentRoot "/var/www/html"
ServerRoot : where the server configuration/log files are kept.
Listen : which port to listen on.
DocumentRoot : the directory that incoming requests refer to.
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
The above section sets the default file that Apache serves if a directory is requested.
Another "default" DocumentRoot location for your hosted files is /srv/<folder>/www. We will use this location to host our virtual host.
Now, let's proceed to create the configuration file in /etc/httpd/conf.d/.
Now, let's create the index.html file. Take note of the file properties.
We can proceed to restart the httpd service.
systemctl restart httpd
However, when you try to access it, you'll get this page instead.
Notice the error message in the error log.
This is because I set SELinux (Security-Enhanced Linux) to enforcing. Since this is a new path, it doesn't have the correct file context set up. What I need to do is run the restorecon command on the directory.
Now the web page is displayed.
Creating a new file in the same directory will automatically give it the proper file context after the restorecon command has been run.
You can create as many virtual hosts as your machine supports by repeating the above steps.
Additional note : You may put the DocumentRoot anywhere besides the "default" locations. However, you'll need to set the fcontext of the folder and files to httpd_sys_content_t using semanage. I'll talk about SELinux in another post.
One important thing that I didn't show here: I updated my hosts file so that the URL points to my web server. :D
Just adding this line to your hosts file will do.
<ip> <host name>
On Windows, it's located at C:\Windows\System32\drivers\etc.
On Linux, it's located at /etc/.
Also, I did not mention earlier that to allow external access to the web server, the firewall needs to be configured to allow http access.
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
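The virtual host post above and the secured web server post before it describe the same vhost twice, once on port 80 and once on port 443, and the posts' own configuration files are only shown as images. As an added example (not code from the original posts), the script below writes such a vhost file for a name under /srv/<name>/www into a conf.d directory, then checks the two things the secured web server post warns about: how many files carry Listen 443 (more than one and httpd fails to start) and which files define port-443 vhosts, listed in the alphabetical order httpd reads conf.d. The conf.d directory, host name and certificate paths are assumptions; the certificate paths are the ones mod_ssl's default ssl.conf uses.

```shell
#!/bin/sh
# Added example, not code from the original posts: write the vhost file the
# two posts describe (the same ServerName on port 80 and on port 443, with
# its DocumentRoot under /srv/<name>/www) into a conf.d directory, then
# check the two things the "secured web server" post warns about: how many
# files carry Listen 443, and which files define port-443 vhosts in the
# order httpd reads conf.d (IncludeOptional conf.d/*.conf, alphabetical).
# The directory, host name and certificate paths are assumptions; the
# certificate paths are the ones mod_ssl's default ssl.conf uses.
set -eu

# Write NAME.conf with an http and an https virtual host for NAME.
write_vhosts() {   # write_vhosts CONFDIR NAME
    cat > "$1/$2.conf" <<EOF
<VirtualHost *:80>
    ServerName $2
    DocumentRoot /srv/$2/www
</VirtualHost>

<VirtualHost *:443>
    ServerName $2
    DocumentRoot /srv/$2/www
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

<Directory /srv/$2/www>
    Require all granted
</Directory>
EOF
}

# Conf files containing "Listen 443", in httpd's read order.
listen_443_files() {   # listen_443_files CONFDIR
    for f in "$1"/*.conf; do
        grep -Eq '^[[:space:]]*Listen[[:space:]]+443([[:space:]]|$)' "$f" 2>/dev/null && basename "$f" || true
    done | LC_ALL=C sort
}

# Conf files defining a <VirtualHost ...:443> block, in httpd's read order.
vhost_443_files() {   # vhost_443_files CONFDIR
    for f in "$1"/*.conf; do
        grep -Eq '^[[:space:]]*<VirtualHost[^>]*:443>' "$f" 2>/dev/null && basename "$f" || true
    done | LC_ALL=C sort
}

# 0: Listen 443 appears exactly once. 1: not at all (mod_ssl missing?).
# 2: more than once, which makes httpd fail to start, the post's note #2.
check_listen_443() {   # check_listen_443 CONFDIR
    files=$(listen_443_files "$1")
    n=$(printf '%s' "$files" | grep -c . || true)
    case $n in
    0) echo "Listen 443 not found in $1: is mod_ssl (ssl.conf) installed?"; return 1 ;;
    1) echo "Listen 443 defined once, in $files; port-443 vhosts in: $(vhost_443_files "$1" | tr '\n' ' ')"; return 0 ;;
    *) echo "Listen 443 defined $n times, httpd will fail to bind:"; printf '  %s\n' $files; return 2 ;;
    esac
}

# Remaining steps on the real box (not run here):
#   restorecon -Rv /srv          # /srv/*/www already maps to httpd_sys_content_t
#   firewall-cmd --permanent --add-service=https && firewall-cmd --reload
#   systemctl restart httpd

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    printf 'Listen 443 https\n<VirtualHost _default_:443>\nSSLEngine on\n</VirtualHost>\n' > "$d/ssl.conf"
    write_vhosts "$d" test.com
    check_listen_443 "$d"
    rm -rf "$d"
fi
```

Without SSLEngine on inside the port-443 block, httpd would answer on 443 in plain text, so the https vhost carries it explicitly rather than relying on the _default_ vhost in ssl.conf.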