124 134 254
10/18,19,20 考前辅导
10/21 考试
满分通过 RHCSA 300 - RHCE 300 恭喜下自己!
call me redhat certified engineer plz.
1.开机破密码
不能在本地做的实验 nfs ldap Kerberos
2.6.18-164.el5
主版本号 次版本号 末版本号 - 修正号 RH
版本号第二位数字 奇数:开发版本 偶数:稳定版本
~ //home
. //hide file
-- //option with more than one char ,it needs two -
* &//通配符
vncviewer rhce &
//中文input
system->input method->enable input method feature->use ibus->input method preferences->input method->add chinese
whatis ls//show what does ls do
which ls//show the path of ls
locate iptables.sh//show all matching files or executables; answers come from the updatedb database, so files created since the last updatedb run are missing
作业 whatis 为何会自动更新数据库
man 1-8 程序,文件等 8类信息 5为文件信息
/Key 向下搜索
?Key 向上搜索
N 向上搜
n 向下搜
G 跳到尾页
g 跳到首页
q 退出
man -k pass 模糊查找
system-config-users 用户,组图形管理工具
硬盘名字
rhel5
scsi sata usb : sdx
PATA(ide) : hdx
虚拟机 : vdx
rhel6 : sdx
分区
sda1 sda2...
sdb1 sdb2...
每个硬盘最多15个分区
文件系统->目录 挂载
把sda1挂载到根目录
建议将boot目录单独挂载
/boot //bootConfig etc. 100M is enough
swap 交换分区
var目录 log,mail,www等频繁访问
一切皆文件
$Path //环境变量
/media,/mnt //空目录,用于U盘等挂载
/dev/null //黑洞
/etc //配置文件等
startx //login into graphic
file FileName 查看文件类型
pwd 显示完整目录 -P 如果是链接,显示源路径
ls -a 查看隐藏文件 -l详细信息 -d显示目录本身属性 -R递归
ls a[1-3]?*
ll //ls -l --color=auto
cp /etc/passwd . 拷贝 -p 保留权限 -R|-r递归 -d保留链接属性 -a所有
rm 删除 -rf .* 删除隐藏文件 //注意: .* 同时匹配 . 和 .. (GNU rm 拒绝删除它们但会报错),要删除隐藏文件更安全的写法是 rm -rf .[!.]*
cat|less|tail|head|more //text toools
grep --color=auto '^xx$' //begin with xx, end after xx (the end anchor is $, not &; quote the pattern so the shell does not interpret it)
tail -n 20 -f messages //-f show dynamically
cut -d[:|' '] -c2-5 -f1 /etc/passwd //-d separate symbol -c number of chars -f column
wc -l line -w word -c byte -m
sort -r reverse -n numeric sort -u unique
sed '1,3|/beginWord/,/endWord/s/dog/cat/g'|-f expressionFile FileName //s search g global
//1,3 line1to3 or begin2endWord
tr 'a-z' 'A-Z' //repalce
diff -u foo.conf-broken foo.conf-work > foo.patch
patch -b foo.conf-broken foo.patch
find / -user UserName// find all file belong to UserName
find / -user harry -exec cp -rp {} /opt/dir \;
system-config-packages //control panel
带路径的命令可以执行,如/var/tmp/test.sh or ./test.h
cat /proc/cpuinfo|meminfo
lftp IP// ls get cd can be used
wget http|ftp://192.168.0.254/1.txt
alias vi=vim //let vi has the same function as vim
vim command
50-> //move five chars
h j k l//as arrow key in old version
wb //move by work
),( },{ //move by sentence paragraph
x G gg//jump to line x v jump to end jump to begin
/xx //search xx
1,5s/cat/dog/ //x,y line range
%s/cat/dog/gi //g global i write %s every line
cc p dd yy //replace paste cut copy numbers can add to front
u|U ctrl+r //撤销 全部撤销 撤销恢复
q //quit
q! //force quit
w //write
wq //save and quit
wq! //write read only file use
evince //views PDF
date [MMDDhhmm[[CC]YY][.ss]]
date 010113302007.05
stat fileName 显示文件详细信息
a time 访问时间
m time 仅内容修改
c time 文件源数据更改
touch -a更新"a c time" -m 更新"mc time"
mkdir -p 创建多级目录,如1/2/3/4/
vim /etc/sysconfig/i18n charset
system-config-date
watch -n 1 ifconfig eth0 //refresh ifconfig every one second
ifdown ifup ifconfig //down up show
/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=ethX
HWADDR=0:02:8A:A6:30:45
{
BOOTPROTO=dhcp
or
BOOTPROTO=none|static|\null
IPADDR=192.168.0.123
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
}
ONBOOT=yes
TYPE=Ethernet
NM_CONTROLLED="yes"
/etc/sysconfig/network //hostname
HOSTNAME=server1
/etc/resolv.conf //hostname nameserver
NETWORKING_IPV6=no
HOSTNAME=server1
NETWORKING=yes
search example.com
nameserver 192.168.0.254//dns
/etc/init.d/network restart
/etc/init.d/NetworkManager restart
/etc/hosts
172.24.0.X stationX.example.com stationX
//Services
/etc/rc.d/init.d/ServiceName start|stop|restart|reload//reload config only
/etc/init.d/aServiceName start//linux
service ServiceName start//redhat
/etc/sysconfig/networking/profiles/default/ //network configs backup(auto)
route -n
route add default gw 192.168.0.88
route del default
system-config-printer
lpr /etc/fstab
lpq
read -p "enter a filename:" FILE
echo $FILE
/etc/shells //7 shells
set with VARIABLE=VALUE
referenced with $VARIABLE
uid 0 则为超级用户,等于root
普通用户从500 开始
su - root //change user; the "-" gives a login shell, so the caller's environment (PATH, aliases) is replaced — always use it when becoming root
su - -- /etc/profile
登陆shell -- ~/.bash_profile
su -- /etc/bashrc
非登陆shell -- ~/.bashrc
. /etc/profile //load this file immediatlly
~/.bash_logout //logout script
/etc/passwd
用户名:password(x):uid:gid:描述(非必须):home目录:shell
x 映射到了/etc/shadow文件,此文件对其他用户不可读写执行
创建用户时,用户必须创建私有组,私有组号与uid相同
r read
w write
x execute
r作用在文件上,用户可读取该文件内容;作用在目录上,用户可短列出该目录下文件
w作用在文件上,用户可修改该文件内容;仅有w作用在目录上,什么都没有
x作用在文件上,用户可执行该文件;仅有x作用在目录上,用户可进入该目录
wx作用在目录上,代表可执行长列出,新建,删除等
rx作用在目录上,可进入,短列出子目录
-rwxr----- l //10 个字符: 第1位文件类型,后 9 位权限
1
-普通文件
d目录
c字符设备文件
b块设备文件
l链接文件
2-10
所属人,所属组,其他人
11
硬链接数|子目录数
12
uid
13
gid
14
Size bytes
15
修改时间
16
path
localVariable=value
export EnvironmentVariable=value
$PS1 //command prompt
id //show user
useradd -u 500 -g 500 -d /openlab/redhat student
chown UserName FileName //only root can do this -R递归
chgrp GroupName FileName //only root and owner can do this ;owner must be in this group to change
chmod ugo-w FileName //remove write permission from user, group and others (use + to add)
chmod o=--- FileName
chmod g+s DirName //inherit from parent dir
r:4 w:2 x:1 rwx:7
root's umask is 022// /etc/bashrc
cd // 返回上一次目录
ln a.txt //hard link
ln -s b.txt //soft link
special permissions for executables
suid|sgid on file //command runs with the permissions of the file's owner|group, not the caller's — audit them regularly (find / -perm -4000 -type f; find / -perm -2000 -type f)
special permissions for directories
sticky //files can only removed by the owner and root
sgid //files have group affiliations of the group of the directory
usermod -g GroupName UserName //-g set primary group -G set supplementary groups -aG append to them (without -a, -G replaces the existing list)
w //connected user
last lastb lastlog //recent logins; lastb = failed login attempts (/var/log/btmp)
if an outer directory lacks the x (search) permission, nothing below it is reachable, whatever the inner directory's permissions say
write does not cascade the same way: writing inside an inner directory needs w+x on that directory only, not on its parents
whether a file can be removed or moved is decided by the permissions of its directory, not by the file's own bits
output redirect
find /etc/ -name passwd 2>|&>|>|>> find.output
>//into file update
>>//into file append
2>//stderr
2>&1 //redirect STDERR to STDOUT
tee [-ai][--help][--version][文件...]//标准输入设备读取数据,将其内容输出到标准输出设备,同时保存成文件。
intput redirect
tr 'A-Z' 'a-z' < .bash_profile
mail -s "pleas xx" << ABC
>
>!
>ABC
Piping
ls -l /etc | less|mail -s "test"
ls -lR /etc/ | tee output1.txt | sort | tee output2.txt | uniq -c | tee output3.txt
tar is pack,no compress
bz2 gz is compress
file FileName //show file type
gzip File//compress
gzip -d //decompress
gunzip File//decompress
bzip2 (-d) File//(de)compress
bunzip2 File//decompress
tar j|zvf[x] FileName //x decompress f file v view z gzip j bzip2
tar j|zcvf destinationFileName dir 打包
scp .
scp scripts.sh
ssh
ssh -l root 192.168.0.1 | ssh
A -------------------------------------------- B
1 A ssh B
2 B has a host key pair (/etc/ssh/ssh_host_*_key) and sends the public half to A
(the "768 / 256 byte" figures in the course notes describe the obsolete SSH-1 server-key/session-key scheme; SSH-2 agrees a per-connection session key with Diffie-Hellman and B signs the exchange with its host key)
3 A compares the host key with ~/.ssh/known_hosts; on first contact it is unknown and the user is asked to accept it (trust on first use)
4 B proves it holds the private host key; if the key differs from the stored one, ssh warns about a possible man-in-the-middle
the session key changes every connection
/root/.ssh/known_hosts //where accepted host keys are stored
rm /etc/ssh/*key* -f//remove all host keys; sshd regenerates them on restart, and every client that already knows this host then gets the "host key changed" warning (the same warning a real MITM produces)
when B proves possession of the private key matching the known public key, A treats B as the genuine server
ssh-keygen -t rsa //manually build a key pair; protect it with a passphrase
passphrase //the password that encrypts the private key on disk (an unencrypted id_rsa is a usable credential for anyone who copies it)
than two file: /root/.ssh/id_rsa id_rsa.pub is built
ssh-copy-id -i ~/.ssh/id_rsa.pub user@host //append the public key to the remote authorized_keys so no password is needed; the private key (id_rsa) never leaves this machine
ssh-agent bash//enter the the password of key automatically
ssh-add //enter the password of key
ssh-add -l
vim /etc/ssh/sshd_config
PasswordAuthentication no //disable password logins; confirm key-based login works in a second session before restarting, or you lock yourself out
/etc/init.d/sshd restart //restart the service
ls /etc/inittab
bc 计算器 scale=10//保留10位小数
palimpsest //grafice disk manager
mkswap /dev/vda3
swapon /dev/vda3
vim /etc/fstab
/dev/vda3 swap swap
swapoff -a
swapon -a
dd if=/dev/zero of=/swap.img bs=1M count=512 //build an empty file with 512m
vim /etc/fstab
/swap.img swap swap
priority also can be changed in /etc/fstab ,write like defaults,pri=10
0磁道1扇区 mbr 512字节
446bytes bootloader //one of bootloader:grub
//1 boot solutions 2 read kernel 3pass to other bootLoader in other partions
16bytes*4 Partition table
2bytes Magic Number
主分区,扩展分区 记录起始,结束柱面数 逻辑分区
inode ext 128B 指针4字节
512-bootSector 1024-superblock inode-block//other partitions
删除硬链接,则文件硬链接数减1
如果硬链接数为0,则删除了inode
du DirName //file size and total size
df //show mount
mount /source /destination
磁道从内向外,以0开始,依次增大
lvdisplay //display logical info
tune2fs -l /dev/vda1 //detail -o ^method //remove the method
fdisk -l /dev/sda|vda -u以扇区方式显示 -c 关闭DOS兼容模式
//include dm info //vda is virturl machine hd
+1G
command n new p partition t filetype w write d delete m help
partx -a /dev/vda //tell the partion info to kernel
partx -d --nr 4-5 /dev/sda //kill partion from 4 - 5
ls /dev/sda* //look at the partition of /dev/sda
4 Partition is the limit of partition number
Primary Extended can be use as PPPP PPPE
if there are 3 Primary partitions ,
the rest space of the harddisk must be all assing to Extended
device mapper //linear driver
sector 扇区
track 磁道
heads 磁头
mkfs.ext4|vfat /dev/vda3 //format
blkid //show file systems
mount /dev/vda3 /mnt/ //mount one file system; mount -a mounts everything listed in /etc/fstab
df -h//show mount
http ks=http://serverip/dir/file
ftp ks=ftp://serverip/dir/file
nfs ks=nfs:serverip:/dir/file
hard ks=hd:device:/dir/file
cdrom ks=cdrom:/dir/file
free -m //show mem swap
mkswap /dev/vda5
swapon|swapoff /dev/vda5
vim /etc/fstab
/dev/vda5 swap swap defaults,pri=10 0 0 //pri more big more priority
//new a file swap.img sa 512M, it can also be write in /etc/fstab and be a swap
swapon -a //turn on all swap in /etc/fstab -s//show all swap
Logical volumn manager //lvm
system-config-lvm
pvcreate /dev/vda6 //turn a physical partition into a pv
vgcreate -s PeSize VgName /dev/vda6
vgdisplay VgName
lvcreate -L lvSize -n LvName VgName //lv是vg的倍数
ll /dev/VgName/LvName|/dev/mapper/VgName-LvName //they are same dev
lvs //show lv info
vgs//show vloume group
mkfs.ext4 /dev/VgName/LvName
/etc/fstab /dev/mapper/VgName-LvName /mnt/lvm1 ......
lvcreate -l ExtentCount -n rhcsa openlab //-l counts physical extents, -L takes a size
lvcreate -l 100%FREE -n rhca openlab
vgextend vgName /dev/vda7
lvextend -L lvSize /dev/openlab/rhce //lv add online
resize2fs -p /dev/openlab/rhce
umount /mnt/rhce
e2fsck -f /dev/openlab/rhce
resize2fs /dev/openlab/rhce 100M //reduce filesystem
lvreduce -L 100M /dev/openlab/rhce //reduce lv offline
mount /mnt/rhce
pvmove /dev/sda7 //move data in sda7 to other pv in the same vg
vgreduce VgName /dev/sda7 //remove pv from vg
pvremove /dev/sda7 //than /dev/sda7 is not a pv
lvcreate -L 20 -s -n rhca-snap /dev/openlab/rhca //snapshot of an lv
//encrypt disk
cryptsetup luksFormat /dev/sda3
YES
cryptsetup luksOpen /dev/sda3 openlab
cryptsetup luksClose openlab
mkfs.ext4 /dev/mapper/openlab
/etc/fstab
dd if=/dev/urandom of=/etc/openlab.key bs=1 count=4096; chmod 600 /etc/openlab.key //an empty file from touch is accepted as a key but is trivially guessable; the key must be random and root-only
cryptsetup luksAddKey /dev/vda3 /etc/openlab.key //same device as luksFormat above (the notes mix sda3 and vda3)
/etc/crypttab
openlab /dev/vda3 /etc/openlab.key //a key file on the root filesystem unlocks the volume without a passphrase at boot, so it only protects the data when the disk is read outside this system (e.g. a stolen drive); keep the file 0600
showmount -e 192.168.0.254//show nfs(linux share folders protocol)status
mount -t nfs 192.168.0.254:/var/ftp/pub /mnt
192.168.0.254:/var/ftp/pub /mnt nfs defaults 0 0// /etc/fstab
mount -t cifs //192.168.1.3/game /media -o username=Joen%password //user%password on the command line is visible in ps and shell history; prefer credentials= (below)
//windows share folders protocol cifs
// /etc/fstab
{
//192.168.0.18/game /windowsdir cifs credentials=/etc/passwordfile 0 0
/etc/passwordfile //chmod 600, owned by root: it holds the share password in clear text
username=joen
password=redhat
}
autofs //mount before the dir using
/etc/auto.master //mount source ,but last path is no written
//autofs services last path will be overwritten ,so path must be more than 2
/1/2/3/ /etc/auto.rhce(next file name) --timeout=10(s)
vim /etc/auto.rhce //write last path,may copy from /etc/auto.mis
4 -fstype=ext4 :/dev/vda5
/etc/init.d/autofs start
ps aux
ps axo %cpu,%mem,pid,comm --sort -%cpu | head -n 11
top //show cpu etc. dynamica
pstree
pgrep -U root
pidof bash
init //the first process ,pid is 1
Signals //man 7 signal
19 Stop //Ctrl-z
15 Termiante cleanly
9 Kill
1 Re-read configuration files
kill -9 3810
pkill httpd
nice -n 5 /etc/init.d/httpd restart//set the process priority ,the less value,the higher priority
renice -n -20 $(pidof httpd)//set all httpd processes to -20 ($() not quotes; negative nice values need root)
firefox &
jobs
bg %1
fg %1
usermod -s /sbin/nologin visitor //set the user no login
usermod -aG GroupName UserName //Public group
$PS1//提示符var,in . /etc/bashrc
useradd -u uid -g GroupName -G 额外组 UserName -d home
//copy /etc/skel to /home/user when useradd automatically
userdel -r UserName //-r del with home directory
id user1//show user info
1970-1-1 birth of unix and c
/etc/shadow
UserName:password:LastModifyTime:MinLiveTime:MaxLiveTime:NotifyUserDays:
AccountOutAfterPasswordOut:AccountOutTimeFrom1970:reserved
passwd UserName
chage -m 2 -M 2 UserName //update Min|MaxLiveTime
/etc/group /etc/gshadow
gpasswd admin
newgrp admin
ldap server
system-config-authentication
dc=example,dc=com
Use TLS
LDAP password
vim /etc/sssd/sssd.conf
enumerate = true//get all info
mount -t nfs 192.168.0.254:/rhome/ldapuser1 /home/ldapuser1
/rhome /etc/auto.rhce
* -fstype=nfs 192.168.0.254:/rhome/& //autofs
getent passwd ldapuser1
ldapadd -x //add ldap user
showmount -e instructor.example.com //query share folders
acl
tune2fs -l /dev/mapper/vgsrv-root |grep option //user_xattr acl
tune2fs -o (^)acl /dev/vda3 //add or remove acl permanently
mount -o acl /dev/vda3 /commmon/ //add acl when mount
setfacl [-R recursion] [-x delete one] [-b delete all] [-m add one] u|g|m:harry:rwx /common/
drwxrwxr-x+ //"+" is acl's signal
getfacl /common/
owner//acl first
mask//group,group_acl bigger one first
setfacl -m d:u:sarah:rwx /common/ //set default property of subdir other than /common
ntfs-3g_ntfsprogs-2011.4.12.tar.gz //config built install follow readme,compile need gcc
mount -t ntfs-3g .......
rpm -ivh vsftpd-2.2.2-6.el6.x86_64.rpm//v show procedure h show progress
//-U update or install//-F update only//-i install only//--force replaces packages/files and allows downgrade (it does not skip signature checks; that is --nosignature)
//-q query whether installed //-qa list all installed //-ql list the files in the package
rpm -e vsftpd //uinstall
rpm -qf /etc/inittab //show which rpm owns the file; db is /var/lib/rpm
rpm2cpio xxxx.rpm | cpio -id //decompress the rpm to files
rpm --import /etc/pki/rpm-gpg/xxxxx //import public key
/etc/pki/rpm-gpg/ //where public key in
rpm -K xxx.rpm //verify signature and digests; only meaningful once the vendor key is imported — a package signed with an unknown key or not signed at all shows "NOT OK" or no gpg entry
yum -y install vsftpd
/etc/yum.repos.d/server1.repo
[base]
name=openlab rhce
baseurl=ftp://instructor.example.com/pub/rhel6/dvd
//baseurl=file:///media
enabled=1
gpgcheck=1 //keep it on: gpgcheck=0 installs anything the mirror serves without signature verification
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
yum clean all
yum makecache
yum list
yum grouplist
mount -t nfs 192.168.0.254:/etc/download/pub /mnt
mount -o loop rhelxxxx.iso /media
/rhel.iso /mnt iso9660 loop,ro defaults 0 0 //fstab
yum groupinstall Virtualization
yum remove vsftpd
yum provides fileName //search which rpm does file in de
/etc/yum.conf
add default option mandatory in it
gpk-application
pidof vsftpd
kill -1 2649
runlevel
chkconfig --level 5 vsftpd on
chkconfig --list vsftpd
ntsysv | system-config-services //service list show in graphic
/var/log/messages
/etc/rsyslog.conf
*.info;mail.none;authpriv.none;cron.none//log into files other than mail,auth,cron where level >=info
日志类型.日志级别
log level (lowest to highest severity; the syslog numeric codes run the other way: emerg=0 ... debug=7)
1.debug
2.info
3.notice
4.warning
5.error
6.crit
7.alert
8.emerg
tailf /var/log/messsages
/etc/init.d/crond restart
crontab -l //look at crontab
crontab -r //delete all
crontab -e //edit
min hour day month week
00 08 * * * /bin/echo "GoodMorming"
00 16-21 * * sat,sun|6-7|6,0 /bin/echo ""
*/10 09 * * * /usr/sbin/wall ""//show 2 all people
vim /etc/cron.deny //one username per line; if /etc/cron.allow exists, only the users listed there may use cron and cron.deny is ignored
/var/spool/cron //crond config in it
vim /etc/anacrontab
at 12:00|now +2 min //do it once,use absolut path
at -l //show list and id
at -d id //delete
$ping -c1 -W2 station1 &> /dev/null \
> && echo "station1 is up" \
> || (echo 'station1 is unreachable';exit 1) //exit inside ( ) only leaves the subshell; use { echo ...; exit 1; } to exit the script
man test
0 for true
1 for false
test "$A" = "$B" && echo "strings are equal"
test "$A" -eq "$B" && echo "integers are equal"
[ "$A" -eq "$B" ] && echo "integers are equal"
-eq =
-ge >=
-gt >
-le <=
-lt <
-ne <>
-d //is a directory
-f //is a regular file
-e //exists (any type)
-a //and
-o //or
#!/bin/bash //#! names the interpreter that runs the rest of the file
//bash $variableName when use,variableName when set
PATH=$PATH:/var/tmp
export PATH
A=hel
echo "$A"lo//print hello
echo $(hostname) //use the command hostname's result
"" //clear the special meanings of symbols except $ ` \ and ! (tilde is not expanded inside double quotes either)
'' //clear all special meanings
{1..20} //1 to 20 separate with space
!! //last command
$? //exit status of the last command: 0 success, non-zero failure (the value depends on the command; 126/127 mean not executable/not found)
&& //if success , do
|| //if error , do
mkdir newdir && echo "xx"
mkdir /var/backup &> /dev/null || ( rm -rf /var/backup && mkdir /var/backup
&& /bin/cp /etc/*.conf /var/backup ) && /bin/cp /etc/*.conf /var/backup //CAUTION: when /var/backup already exists this wipes its contents before copying; mkdir -p /var/backup && /bin/cp /etc/*.conf /var/backup is the non-destructive form
./posit.sh Red Hat Enterprise Linux
echo "The program name is $0"
printf "The first argument is %s and the second is %s\n" "$1" "$2"
echo -e "\nAll command line paraments are $*\n"
read -p "what's your name?: " name//talk model
echo $name
A=$(/bin/ls -l) //let the result to variable A
for n in harry natasha sarah;do useradd "$n";echo redhat|passwd --stdin "$n";done //the literal password lands in shell history — acceptable only for throwaway lab accounts; force a change at first login with chage -d 0 "$n"
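# Ensure /rhome exists and is a directory. If something that is not a
# directory already occupies the path (e.g. a regular file), remove it first.
# Fixes from the original note: `[! -d` needs a space after `[`, and the inner
# block was closed with `if;` instead of `fi`.
if [ ! -d /rhome ]; then
  if [ -f /rhome ]; then
    rm -f /rhome
  fi
  mkdir /rhome
fi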
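# Create nisuser1..nisuser20 with fixed UIDs 2001..2020: the first ten get a
# home under /rhome, the rest get no login shell. Existing accounts are skipped.
#
# Fixes from the original note:
#  - `id &user` ran id in the background on a literal; the existence test must
#    use the account name, and `$?` was read after `let`, not after `id`, so
#    every account was reported as existing.
#  - UID is a read-only bash variable; `let UID=...` fails. A lower-case name is used.
#  - `useradd ... user` / `passwd --stdin user` acted on a literal account "user".
# NOTE(review): the account name nisuser$n is taken from the -d path on the
# original useradd line; confirm that is the intended naming.
for n in $(seq 1 20); do
  name="nisuser$n"
  uid=$((2000 + n))
  if id "$name" &> /dev/null; then
    echo "exist $name"
  else
    if [ "$n" -le 10 ]; then
      useradd -u "$uid" -d "/rhome/$name" "$name"
    else
      useradd -u "$uid" -s /sbin/nologin "$name"
    fi
    # The initial password is hard-coded in this script: keep the file 0600
    # and force a change at first login (chage -d 0) outside a lab.
    echo openlabrhce | passwd --stdin "$name"
  fi
done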
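# Create three lab accounts with the same initial password.
# SECURITY: the password is hard-coded; restrict this file (chmod 600) and
# force a change at first login (chage -d 0 "$USER") for anything beyond a lab.
for USER in user1 user2 user3
do
  useradd "$USER"
  echo "password" | passwd --stdin "$USER"
done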
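# Ping 192.168.0.1-10 twice each and report which hosts answer.
# The original note listed two alternatives (`$(seq 1 10)|{1..10}`) on the for
# line; as written the `|` would start a pipeline, so one form is chosen here.
for n in {1..10}; do
  host="192.168.0.$n"
  # ping's own exit status is the test; no separate $? check needed.
  if ping -c2 "$host" &> /dev/null; then
    echo "$host is up"
  else
    echo "$host is down"
  fi
done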
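# Dispatch on a single argument, "kernel" or "user"; anything else prints the
# usage text and exits 1.
# Fixes from the original note: the "user" arm was spelled "uesr" (never matched)
# and the default arm ended with ";" instead of ";;".
# NOTE(review): the kernel arm echoes "user" and the user arm echoes "kernel";
# this looks swapped but is kept as written — confirm the intended output.
Errmsg='usage:/root/program kernel|user'
if [ $# -ne 1 ]
then
  echo "$Errmsg"
  exit 1
fi
case "$1" in
  (kernel) echo "user"
  ;;
  (user) echo "kernel"
  ;;
  (*) echo "msg"
  exit 1
  ;;
esac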
for file in *.txt
$SHELL //default shell
kernal
vmlinuz-2.6.32-71.el6.i686 //kernel
initrd-anaconda.img //drives etc. image
zcat initramfs-2.6......img | cpio -id //unpack the initramfs into the current directory
cat /etc/redhat-release //version
uname -r //kernal version
uname -a //all version
lsmod | grep ext4
/etc/modprobe.d //modual confige
cat /proc/cmdline
/etc/inittab
id:5:initdefault:
runlevel
0 halt
1 Single user mode
2 Multiuser,with out networking
3 Full multiuser mode
4 unused
5 X11
6 reboot
/boot/grub/grub.conf //add boot parameter
default=0//title no which login
timeout=5//choose title time out
splashimage=(hd0,4)/grub/xxxx //login image
hiddenmenu//show choose title or not
password --md5 xxxxxxxxyyyyyyy // hash from grub-md5-crypt; without it anyone at the console can edit a boot entry (append single or init=/bin/bash) and get a root shell
{
title //os boot name
root (hd0,0)//it is /boot/
kernel /vmlinuz-2.6..... ro root=/dev/mapper/vgsrv-root|root=UUID=xx-xx-xx-xx
initrd /initramfs
}
/etc/fstab
mount_source destination fileSystemType mount_options dump fsck_order
/var/lock/subsys/*
when services is on ,one file is in this dir ,the file is stored in memory
/etc/rc.local /etc/rc.d/rc5.d/S99local //vim /etc/rc.d/rc.local ,start at boot
boot process
cmos -> //basis config
bios -> //hardware detection
Bootloader //mbr where grub is
grub -> //read kernel by (hd0,0)/grub/grub.conf
kernel -> //hardware detection second ,vmlinuz-2.6.32-71.el6.i686
boot -> //Initial RAM DISK initrd ,initrd-anaconda.img 解开此驱动等文件镜像
UpStart/Sysvinit rhel6/5 ->
/sbin/init ->
[5.4 /etc/inittab //init runlevel etc.]
6.0 /etc/init/ //more config files
/etc/init/rcS.conf //runlevel if exists /etc/inittab or default
/etc/rc.d/rc.sysinit //network
/etc/fstab
/etc/init/rc.conf //to /etc/rc.d/rc
/etc/rc.d/rc // /etc/rc.d/rcRunLevel.d
/etc/rcRunLevel.d //K kill S start the service,one file one services,K|S Number
//Number the less ,the higher priority ,
//when change runlevel then do K|S use /etc/rc.d/init.d
/etc/rc.d/init.d = /etc/init.d //where service script in
chkconfig [--level 35] vsftpd on|off //default effect on 2345 level
chkconfig --list vsftpd
grub.conf is missing
grub>root (hd0,0)
kernel /vmlinuz.... ro root=LABEL=/
initrd /initramfs...
boot
setenforce 1//if passwd fails in single-user mode under Enforcing, setenforce 0, change the password, then setenforce 1 again (or touch /.autorelabel) — do not leave the system permissive
getenforce
press a when grub choosing to change kernel parameter,and single to enter runlevel 1 //this is exactly the console attack a grub password (above) and SINGLE=/sbin/sulogin (below) defend against
vim /etc/sysconfig/init
SINGLE=/sbin/sulogin //sulogin asks for the root password in single-user mode; the default sushell hands an unauthenticated root shell to anyone at the console
sudo COMMAND
visudo //edit /etc/sudoers through visudo, never vim directly: it locks the file and rejects syntax errors (a broken sudoers locks everyone out of sudo)
UserName ALL=(RunAsUsers) /usr/sbin/command1,/usr/sbin/command2
,NOPASSWD: /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root //"!" exclusions are easy to bypass with other argument forms (sudoers(5) warns about this); prefer granting only what is needed
Kerberos
Key Distribution Center(KDC)
Application Servers(network services)
Client users
1
Client KRB_AS_REQ KDC //client has cm
Client KRB_AS_REP KDC
SKDC-client
copy1 + cm
copy2 + Client.Info + Timeout +K.M
Client got SKDC-client and TGT
2
Client KRB_TGS_REQ TGS
TimeStamp +SKDC-client + c.r + s.r + TGT
Client KRB_TGS_REP TGS
SServer-Client
copy1 enc by SKDC.Client
copy2 S_S_C +C.R(客户端信息) + Timeout enc by A.M
3
Client KRB_AP_REQ SSH //SSH server has a.s a.m
TimeStamp enc by s.sc + Ticket enc by A.M
Client KRB_AP_REP SSH
Accept
ntpdate -u instructor
server ntp1.leonard.com//ntp
system-config-authentication
choose kerberos
Netfilter
iptables -A INPUT '!' -s 192.168.0.0/24 -p tcp --dport 22 -j REJECT//v6.0 (the target is REJECT; '!' is quoted so the shell does not treat it as history expansion)
iptables -A INPUT -s '!' 192.168.0.0/24 -p tcp --dport 22 -j REJECT//v5.4
//REJECT ssh from everywhere except 192.168.0.0/24
dport|sport //destination source port
Chain policy
iptables -P INPUT DROP|ACCEPT
iptables -nL
iptables -N RHCE
iptables -A INPUT -s 192.168.0.100 -j RHCE
iptables -A RHCE -j REJECT
iptables -D RHCE 1
iptables -X RHCE
vim /etc/init.d/cus_firewall
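#!/bin/bash
# cus_firewall: default-deny inbound, FTP (21/tcp) allowed from the LAN only.
# Order matters: rules are loaded BEFORE the INPUT policy is switched to DROP,
# so an existing management session is not cut while the script runs.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
# Without these two rules a DROP policy also kills loopback traffic and the
# replies to this host's own outbound connections (DNS, yum, NTP, ...).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#ftp
iptables -A INPUT -s 192.168.0.0/24 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j REJECT
# NOTE(review): nothing admits ssh (22/tcp); add a rule before enabling this
# on a remotely administered host, or run it from the console.
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P INPUT DROP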
/etc/rc.d/rc5.d
ln -s /etc/init.d/cus_firewall S99cus_firewall
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE//伪装; routing also needs net.ipv4.ip_forward=1 in /etc/sysctl.conf
/etc/init.d/iptables stop//flushes every rule and sets all policies to ACCEPT — the host is then completely open
/etc/init.d/iptables start//use /etc/sysconfig/iptables
/etc/init.d/iptables save//save the policy now to /etc/sysconfig/iptables
system-config-firewall//there is a default policy by redhat
//click disable and apply ,set the default policy to disable
DNS
bind //dns software
. (root)->
.com .net (TopLevelDomain) Replay NS record,no A record->
.com -> ns.hostname.com //NS record
ns.hostname.com //A record
sina.com ->
t.sina.com
/etc/resolv.conf
nameserver 192.168.0.254 //glibc uses at most 3 nameserver lines
//ask the second dns server when the first has don't find --linux
//ask the second dns server when the first is unavailable --windows
nslookup
>desktop1.example.com
dig -t soa baidu.com
vim /etc/nsswitch.conf //change the dns not to look at host first
yum -y install bind
/etc/named.conf
yum -y install bind-chroot//security: named runs with / changed to /var/named/chroot, limiting what a compromised named can reach
cp -p /var/named/chroot/etc/named.rfc1912.zones
chroot named stop //move config chroot/etc to /etc
chroot named start //move config /etc to chroot/etc
master
/etc/named.conf
listen-on port 53 {any;};
forward only//just look at forward
forward first//look at forward first and then internet
allow-query {any; }; //combined with recursion this makes an open resolver usable for amplification attacks; restrict it, e.g. allow-query { localhost; 192.168.0.0/24; };
allow-transfer {192.168.0.189;};//for slave
include "/etc/named.rhce.zones"
/etc/named.rhce/zones
include zone files
zone "rhce.cn" IN {
type master;
file "rhce.zone";
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "0.168.192.zone";
};
/var/named/rhce.zone
$TTL 1D //1D ,when others use this dns,it will knows the ttl and save at local
serial //update serial number
refresh|retry|expire //assist dns refresh interval
rhce.zone
{
NS rhce.cn. //trailing dot: without it the name is relative to the zone and becomes rhce.cn.rhce.cn
A 192.168.0.1
CNAME rhce.cn.//alias resolved to the ip every time (fully qualified, with the trailing dot)
$GENERATE 1-200 desktop$ A 192.168.0.$
}
0.168.192.zone
{
NS rhce.cn.
231 PTR rhce.cn.
}
slave
zone "rhce.cn" IN {
type slave;
masters { 192.168.0.188;};
file "slaves/xx.rhce.zone";
};
zone "0.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.0.188;};
file "slaves/192.168.0.zone-slave"
};
rndc flush//clean cache
yum install -y iscsi-initiator-utils
iscsiadm -m discovery -t sendtargets -p 192.168.0.254:3260//find iscsi targets
iscsiadm -m node -T iqn.2011-09.com.example:common -p 192.168.0.254 -l//log in to the target
SELinux
/etc/selinux/config //selinux mode
system-config-selinux
setenforce 1|0 //Enforcing | Permissive
getenforce //get mode
sestatus //get mode now and config
ls -Z[d] File//view context
chcon -t tmp_content_t File //change context (temporary: lost on relabel; for a persistent rule use semanage fcontext -a -t ... then restorecon)
restorecon pub/ //restore the context by parent
setsebool -P
getsebool -a |grep ftp
/etc/sysconfig/nfs //change the nfs port to static
yum install -y vsftpd
/etc/init.d/vsftpd restart
/etc/vsftpd/vsftpd.conf
setsebool -P ftp_home_dir=1
chkconfig vsftpd on
iptables -A INPUT '!' -s 192.168.0.0/24 -p tcp --dport 21 -j REJECT
samba
/etc/samba/smb.conf
config file = /etc/samba/%U.conf
[public]
comment = Public Share
path = /home/sharehome
public = yes
writable = no
write list = visitor,student,@smbgroup
browseable = no
create mask = 0660
directory mask = 0770
group = uesrGroup
smbpasswd -a UserName//add a Samba password for an existing system user the first time
setsebool -P samba_enable_home_dirs=1
smbclient //192.168.0.188/rhce -U visitor
net use * /del //windows net del
/dev/mapper/vgsmb-lvsmb /common ext4 defaults,acl 0 0//fstab
man samba_selinux
chcon -R -t samba_share_t /common/
chkconfig smb on
//192.168.0.188/rhce /mnt cifs credentials=/etc/samba/rhce.txt 0 0 //a CIFS source is //host/share (host:/path is NFS syntax); keep rhce.txt 0600 root-owned
//rhce.txt
username=user1
password=redhat
/dev/sda1 /common ext4 defaults,usrquota 0 0 //disk quota
quotacheck -cum /common/
quotaon /common/
quota -l
edquota -u user1
edquota -p user1 user2
for n in $(awk -F: '($3>500){print $1}' /etc/passwd
|grep -v ^user);do edquota -p user1 $n; done
repquota -av
Apache HTTP
httpd
/var/www/html //default web path,default page is index.html
vim /etc/sysconfig/network-scripts/ifcfg-eth0:0
/etc/httpd/conf/httpd.conf
Listen 80
//when there is a virtual host,than the first virtual host is the default host
<VirtualHost 192.168.0.88:80>
ServerAdmin
DocumentRoot /var/www/desktop88
</VirtualHost>
postfix
sendmail//mail in 5.4
alternatives --config mta
mail -s "hi,tiger"
/etc/postfix/main.cf
/etc/init.d/postfix status
postconf -n(effective) -d(default)//show postfix config
postconf -e inet_interfaces=all //listen on every interface; make sure mynetworks is limited to trusted networks so the host does not become an open relay
netstat -tulnpa | grep :25