RHCE notes

Forward port 8080

firewall-cmd --permanent --zone=dmz --add-forward-port='port=8080:proto=tcp:toport=80:toaddr=10.8.8.71'
firewall-cmd --permanent --zone=dmz --add-masquerade
firewall-cmd --reload

Allow ssh from a specific client

The simplest way to do this is to create a zone for the client host and bind its address to that zone as a source. Traffic from that source is then matched by the new zone and allowed only on the ports added to it.

firewall-cmd --permanent --new-zone=special
firewall-cmd --permanent --zone=special --add-source=10.8.8.72/32
firewall-cmd --permanent --zone=special --add-port=2222/tcp
firewall-cmd --reload

Log ssh packets

firewall-cmd --permanent --zone=dmz --add-rich-rule='rule service name="ssh" log prefix="_SSH" limit value="2/m" audit accept'
firewall-cmd --reload

Configure LDAP and Kerberos Client Authentication on RHEL 7.3

Install packages needed.

yum -y install nss-pam-ldapd pam_krb5 krb5-workstation

Set up CA cert.

mkdir /etc/openldap/cacerts
cd /etc/openldap/cacerts
curl -O ftp://ipa.rhce.local/pub/cacert.p12

Zero out the kerberos config file.

> /etc/krb5.conf

Run authconfig-tui; select LDAP for user information and Kerberos for authentication.

Test.

kinit admin
klist

Update the nslcd config (/etc/nslcd.conf) and restart the service. tls_reqcert never turns off checking of the LDAP server certificate; with the CA certificate fetched above in place, tls_reqcert demand is the stricter setting.

tls_reqcert never
systemctl restart nslcd

Configure NFS v4.2 with Kerberos

yum install -y nfs-utils policycoreutils-python
systemctl enable nfs-server && systemctl start nfs-server

Obtain the NFS service keytab and verify it:

If you have the IPA admin credentials (kinit admin first), you can use the ipa-getkeytab command to create the keytab file.

yum install -y ipa-client
ipa-getkeytab -s ipa.rhce.local -p nfs/srv1.rhce.local -k /etc/krb5.keytab
Keytab successfully retrieved and stored in: /etc/krb5.keytab

Verify using klist.

klist -k

If you do not have IPA credentials, the keytab can be downloaded using FTP. The file is named after the host (srv1.keytab or srv2.keytab); the bracket in the URL below is shorthand for that choice, so substitute the right name rather than letting curl expand it as a range.

curl -o /etc/krb5.keytab ftp://ipa.rhce.local/pub/srv[12].keytab
chmod 600 /etc/krb5.keytab

Update firewall rules

firewall-cmd --permanent --zone=dmz --add-service=nfs
firewall-cmd --reload

Create shares:

mkdir -m 0755 /srv/nfssec
chown alice /srv/nfssec
semanage fcontext -a -t nfs_t "/srv/nfssec(/.*)?"
restorecon -FRv /srv/nfssec

Update /etc/exports

/srv/nfssec  srv2.rhce.local(sec=krb5p,rw,sync)

Export dirs

exportfs -rav

Enable NFS v4.2 by adding the following line to /etc/sysconfig/nfs. This may not be needed: check /proc/fs/nfsd/versions to see which versions are already enabled.

RPCNFSDARGS="-V 4.2"

Restart nfs-server

systemctl restart nfs-server

NFS 4.2 client with kerberos

Update fstab.

srv1.rhce.local:/srv/nfssec /mnt/protected nfs nfsvers=4.2,sec=krb5p,_netdev 0 0

Mount

mkdir /mnt/protected
mount -a

One other thing to check: the nfs_export_all_ro and nfs_export_all_rw SELinux booleans should both be on (they are by default).

# getsebool -a | grep nfs_ex
nfs_export_all_ro --> on
nfs_export_all_rw --> on
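An added check, not part of these notes: a small POSIX shell audit that parses an exports file and an fstab and reports every NFS export or mount that is not using sec=krb5p. The sample files are constructed inline to mirror the lab layout above; on the real hosts run the functions against /etc/exports and /etc/fstab. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): audit NFS exports and mounts
# for entries that do not use Kerberos privacy (sec=krb5p).
# The sample files below are constructed to mirror the lab layout.

# Print one line per export client: "<path> <client> <sec>", where <sec>
# is the sec= value or "sys" (the NFS default when sec= is absent).
parse_exports() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                client = $i; opts = ""
                if (match(client, /\(.*\)/)) {
                    opts = substr(client, RSTART + 1, RLENGTH - 2)
                    client = substr(client, 1, RSTART - 1)
                }
                sec = "sys"
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
                print path, client, sec
            }
        }' "$1"
}

# Print exports whose security flavour is anything other than krb5p
# (this includes the implicit sys default and the weaker krb5/krb5i).
exports_not_krb5p() {
    parse_exports "$1" | awk '$3 != "krb5p"'
}

# Print "<source> <mountpoint>" for NFS entries in an fstab-format file
# whose mount options do not include sec=krb5p.
fstab_nfs_not_krb5p() {
    awk '
        /^[[:space:]]*#/ || NF < 4 { next }
        $3 ~ /^nfs4?$/ && ("," $4 ",") !~ /,sec=krb5p,/ { print $1, $2 }' "$1"
}

# Constructed sample input (not copied from a real host).
EXPORTS_SAMPLE=$(mktemp)
FSTAB_SAMPLE=$(mktemp)
trap 'rm -f "$EXPORTS_SAMPLE" "$FSTAB_SAMPLE"' EXIT
cat > "$EXPORTS_SAMPLE" <<'EOF'
# sample /etc/exports
/srv/nfssec   srv2.rhce.local(sec=krb5p,rw,sync)
/srv/nfsopen  srv2.rhce.local(rw,sync) 10.8.8.0/24(ro)
/srv/nfsint   *(sec=krb5i,ro)
EOF
cat > "$FSTAB_SAMPLE" <<'EOF'
# sample /etc/fstab
/dev/mapper/rhel-root        /               xfs  defaults                        0 0
srv1.rhce.local:/srv/nfssec  /mnt/protected  nfs  nfsvers=4.2,sec=krb5p,_netdev   0 0
srv1.rhce.local:/srv/nfsopen /mnt/open       nfs  nfsvers=4.2,_netdev             0 0
EOF

echo "exports without krb5p:"
exports_not_krb5p "$EXPORTS_SAMPLE"
echo "nfs mounts without krb5p:"
fstab_nfs_not_krb5p "$FSTAB_SAMPLE"
```

On the sample data the audit lists both clients of /srv/nfsopen (no sec= at all, so the sys default applies), the krb5i export of /srv/nfsint, and the /mnt/open mount; the /srv/nfssec export and its /mnt/protected mount pass.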

MariaDB

Install package.

yum -y install mariadb-server

Update the config (the [mysqld] section of /etc/my.cnf).

port=5555
datadir=/srv/mariadb
socket=/srv/mariadb/mysql.sock

Update SELinux rules, then create the data directory owned by mysql and relabel it with restorecon.

semanage port -a -t mysqld_port_t -p tcp 5555
semanage fcontext -a -t mysqld_db_t "/srv/mariadb(/.*)?"

Update firewall rules.

firewall-cmd --permanent --new-zone=special
firewall-cmd --permanent --zone=special --add-source=10.8.8.71
firewall-cmd --permanent --zone=special --add-port=5555/tcp
firewall-cmd --reload

Enable and start service.

systemctl enable mariadb
systemctl start mariadb

Configure iscsi targets

Install packages and enable the service.

yum -y install targetd targetcli
systemctl enable target
firewall-cmd --permanent --zone=public --add-service=iscsi-target
firewall-cmd --reload

Create a volume for the iSCSI data. Use fdisk to create a new partition on /dev/sda and reboot so the kernel sees it, then add the partition to the volume group and carve out a logical volume.

pvcreate /dev/sda3
vgextend rhel /dev/sda3
lvcreate -L 100M -n lv_iscsi rhel

Run targetcli and create the backstores, the target, its LUNs and the ACLs:

backstores/fileio create file1 /srv/iscsifile size=200M sparse=true write_back=false
backstores/block create block1 dev=/dev/rhel/lv_iscsi

iscsi/ create iqn.2003-01.local.rhce.srv1:target
iscsi/iqn.2003-01.local.rhce.srv1:target/tpg1/luns create /backstores/fileio/file1
iscsi/iqn.2003-01.local.rhce.srv1:target/tpg1/luns create /backstores/block/block1
iscsi/iqn.2003-01.local.rhce.srv1:target/tpg1/acls create iqn.2003-01.local.rhce:srv1 add_mapped_luns=false
iscsi/iqn.2003-01.local.rhce.srv1:target/tpg1/acls create iqn.2003-01.local.rhce:srv2
iscsi/iqn.2003-01.local.rhce.srv1:target/tpg1/acls/iqn.2003-01.local.rhce:srv2/ set auth userid=client password=client
saveconfig

Back in the shell, open the iscsi-target service in the dmz zone and restart the target service:

firewall-cmd --permanent --zone=dmz --add-service=iscsi-target
systemctl restart target

Configure iscsi initiator

yum -y install iscsi-initiator-utils
systemctl enable iscsi
systemctl enable iscsid

Update the CHAP credentials in /etc/iscsi/iscsid.conf (node.session.auth.authmethod, node.session.auth.username and node.session.auth.password, matching the userid and password set on the ACL above). Do not configure authentication for sendtargets (discovery).

Update the initiator name in /etc/iscsi/initiatorname.iscsi so that it matches the ACL created on the target.

Start the iscsid and iscsi services.

Log in to the target.

iscsiadm -m discovery -p srv1.rhce.local -t sendtargets
iscsiadm -m node -T iqn.2003-01.local.rhce.srv1:target --login

Run `lsblk --scsi` to see devices.

mkfs and mount as needed.

Apache

yum -y install httpd mod_ssl php php-mysql crypto-utils
systemctl enable httpd
semanage port -a -t mysqld_port_t -p tcp 5555
setsebool -P httpd_can_network_connect_db on 

Remove the welcome file.

rm /etc/httpd/conf.d/welcome.conf

Create ssl cert.

openssl req -new -nodes -x509 -keyout /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt

Or use genkey (easier to remember). With --genreq it produces a key and a certificate signing request rather than a self-signed certificate; leave the option out to get a self-signed certificate directly.

/usr/bin/genkey --days 90 --genreq `hostname`

Update the Apache config to restrict access by adding a Directory block in /etc/httpd/conf.d/ssl.conf with these lines (Apache 2.4 combines sibling Require lines with RequireAny, so any one of the listed addresses is allowed):

Require ip 127.0.0.1
Require ip ::1
Require ip 10.8.8.71

Add default virtual host.

<VirtualHost *>
    ServerName srv1.rhce.local
    DocumentRoot "/var/www/html"
</VirtualHost>

Configure virtual host with password protection

Create a vhost named vhost1.rhce.local with the following configuration. The password file named by AuthUserFile must exist; create it with the first user via htpasswd -c /etc/httpd/conf/htpasswd alice.

<VirtualHost *>
    ServerName vhost1.rhce.local
    DocumentRoot "/srv/www/vhost1"

<Directory "/srv/www/vhost1">
    AuthType Basic
    AuthName "vhost1"
    AuthUserFile "/etc/httpd/conf/htpasswd"
    Require valid-user
</Directory>
</VirtualHost>

Create a security context for the document root.

semanage fcontext -a -t httpd_sys_content_t "/srv/www/vhost1(/.*)?"
restorecon -Rv /srv/www/vhost1

Restart apache.

systemctl restart httpd

Test the changes.

curl http://alice:password@vhost1.rhce.local

Group Based Security

On vhost2, create a group directory to use for group-based authentication:

mkdir /mnt/block1/vhost2/group
echo "group" >/mnt/block1/vhost2/group/index.html

Add another user, sandy, to the Apache password file:

htpasswd /etc/httpd/conf/htpasswd sandy

Create a group file /etc/httpd/conf/htgroup to use with Apache, and add the following:

admins: alice sandy

Open the file /etc/httpd/conf.d/vhosts.conf and add the following under the vhost2 configuration. Only `Require group admins` is needed: Apache 2.4 combines sibling Require directives with RequireAny, so adding `Require valid-user` next to it would let any user in the password file in, not just members of admins.

<Directory "/mnt/block1/vhost2/group">
   AuthType Basic
   AuthName "Group"
   AuthGroupFile "/etc/httpd/conf/htgroup"
   AuthUserFile "/etc/httpd/conf/htpasswd"
   Require group admins
</Directory>
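An added check, not part of these notes: a POSIX shell function that scans an Apache 2.4 config for Directory blocks where `Require valid-user` sits next to a `Require group` or `Require user` line without a `<RequireAll>` wrapper, which is exactly the case where the group rule stops restricting anything. The config fragment it runs on is constructed inline; point it at /etc/httpd/conf.d/vhosts.conf on the real host. The function name is my own.

```shell
#!/bin/sh
# Added example (not from the original notes): find <Directory> blocks in an
# Apache 2.4 config where "Require valid-user" sits beside a narrower
# "Require group" or "Require user" without <RequireAll>. Apache evaluates
# sibling Require lines as RequireAny, so the narrower rule never restricts
# anything in that case. The sample config is constructed inline.

# Print the path of each <Directory> block that shows the pattern.
find_lax_require() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]/ {
            path = $2
            sub(/>[[:space:]]*$/, "", path)
            gsub(/"/, "", path)
            indir = 1; valid_user = 0; narrow = 0; require_all = 0
            next
        }
        indir && /^[[:space:]]*<RequireAll>/                          { require_all = 1 }
        indir && /^[[:space:]]*Require[[:space:]]+valid-user/         { valid_user = 1 }
        indir && /^[[:space:]]*Require[[:space:]]+(group|user)[[:space:]]/ { narrow = 1 }
        indir && /^[[:space:]]*<\/Directory>/ {
            if (valid_user && narrow && !require_all) print path
            indir = 0
        }' "$1"
}

# Constructed vhosts.conf fragment: one lax block, one correct block with
# <RequireAll>, and one block that legitimately wants any valid user.
CONF_SAMPLE=$(mktemp)
trap 'rm -f "$CONF_SAMPLE"' EXIT
cat > "$CONF_SAMPLE" <<'EOF'
<Directory "/mnt/block1/vhost2/group">
   AuthType Basic
   AuthName "Group"
   AuthGroupFile "/etc/httpd/conf/htgroup"
   AuthUserFile "/etc/httpd/conf/htpasswd"
   Require group admins
   Require valid-user
</Directory>

<Directory "/mnt/block1/vhost2/strict">
   AuthType Basic
   AuthName "Group"
   AuthGroupFile "/etc/httpd/conf/htgroup"
   AuthUserFile "/etc/httpd/conf/htpasswd"
   <RequireAll>
      Require valid-user
      Require group admins
   </RequireAll>
</Directory>

<Directory "/srv/www/vhost1">
   AuthType Basic
   AuthName "vhost1"
   AuthUserFile "/etc/httpd/conf/htpasswd"
   Require valid-user
</Directory>
EOF

echo "Directory blocks where Require valid-user defeats a group/user rule:"
find_lax_require "$CONF_SAMPLE"
```

Only /mnt/block1/vhost2/group is reported: the strict block is wrapped in RequireAll and the vhost1 block has no group rule to defeat.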

Vhost with dynamic content

Add to the vhosts.conf file.

Listen 8888

<VirtualHost *:8888>
    ServerName dynamic1.rhce.local
    DocumentRoot /srv/www/scripts
    DirectoryIndex index.php

    <Directory "/srv/www/scripts">
        Require all granted
    </Directory>
</VirtualHost>

Update SELinux configuration to allow the script to work.

semanage port -a -t http_port_t -p tcp 8888
semanage port -a -t mysqld_port_t -p tcp 5555
setsebool -P httpd_can_network_connect_db on
semanage fcontext -a -t httpd_sys_script_exec_t "/srv/www/scripts(/.*)?"
restorecon -Rv /srv/www/scripts

Install script.

cd /srv/www/scripts
curl -O ftp://ipa.rhce.local/pub/index.php

Test.

curl http://dynamic1.rhce.local:8888

DNS caching name server

yum install unbound
systemctl enable unbound
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
unbound-control-setup

Edit /etc/unbound/unbound.conf. Add the following to the server: section, with access-control set to our lab LAN (interface: 0.0.0.0 makes unbound listen on every address, so the access-control line is what limits who may query it). The forward-zone blocks belong after the server: section as top-level clauses; an option placed after a forward-zone: line is read as part of that zone.

server:
    interface: 0.0.0.0
    access-control: 10.8.8.0/24 allow
    domain-insecure: "rhce.local"
    harden-dnssec-stripped: no

forward-zone:
    name: "rhce.local"
    forward-addr: 10.8.8.70

forward-zone:
    name: "."
    forward-addr: 10.8.8.69

Test config.

unbound-checkconf

Restart service.

systemctl restart unbound

Update resolver configuration

nmcli con mod bond0 ipv4.dns 127.0.0.1
systemctl restart NetworkManager

Configure firewall to restrict access.

firewall-cmd --permanent --zone=public --remove-service=dns
firewall-cmd --permanent --new-zone=special
firewall-cmd --permanent --zone=special --add-source=10.8.8.72/32
firewall-cmd --permanent --zone=special --add-service=dns
firewall-cmd --reload

ssh configuration

Configure the ports in /etc/ssh/sshd_config, label the extra port for SELinux and restart sshd.

Port 22
Port 2222
semanage port -a -t ssh_port_t -p tcp 2222
systemctl restart sshd

Update hosts.deny

sshd: ipa.rhce.local 

Allow srv2 access on port 2222. This assumes a firewalld zone named srv2 with srv2's address bound as its source, created the same way as the special zone above.

firewall-cmd --permanent --zone=srv2 --add-port=2222/tcp
firewall-cmd --reload

Scripting

Create a bash script (/root/newusers) that creates the users listed in a file given as its argument.

#!/bin/bash
# Usage: /root/newusers users.txt
# The user list can be fetched beforehand with: curl -O ftp://ipa.rhce.local/pub/users.txt

if [ $# -lt 1 ]; then
    echo "Usage: /root/newusers users.txt"
    exit 1
elif [ -f "$1" ]; then
    # one user name per line; create each with a non-interactive shell
    while read -r user; do
        [ -n "$user" ] && useradd -s /sbin/nologin "$user"
    done < "$1"
else
    echo "Input File Not Found"
    exit 1
fi
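An added example, not the script from these notes: a more defensive version of the same /root/newusers idea. It takes the list file as its argument, strips comments and surrounding whitespace, rejects names that useradd would refuse (the rule here is my own conservative one: lowercase letters, digits, underscore and hyphen, not starting with a digit or hyphen, at most 32 characters), and only calls useradd when run with --apply; otherwise it prints what it would do. The sample users.txt is constructed inline and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): a defensive user-creation
# script. Dry-run by default; pass --apply as the second argument (as root)
# to actually call useradd.

# Return 0 if NAME is a safe login name under a conservative rule:
# lowercase letters, digits, underscore and hyphen, not starting with a
# digit or hyphen, at most 32 characters.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the usable names from FILE, one per line, dropping comments,
# blank lines and surrounding whitespace; report invalid names on stderr.
parse_userlist() {
    while IFS= read -r line || [ -n "$line" ]; do
        name=$(printf '%s' "$line" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$name" ] && continue
        if valid_username "$name"; then
            printf '%s\n' "$name"
        else
            printf 'skipping invalid name: %s\n' "$name" >&2
        fi
    done < "$1"
}

# Create the accounts listed in FILE. Without --apply, only print the plan.
create_users() {
    file=$1; mode=${2:-dry-run}
    [ -f "$file" ] || { echo "Input File Not Found: $file" >&2; return 1; }
    parse_userlist "$file" | while IFS= read -r user; do
        if [ "$mode" = "--apply" ]; then
            id "$user" >/dev/null 2>&1 && { echo "exists: $user"; continue; }
            useradd -s /sbin/nologin "$user"
        else
            echo "would create: $user"
        fi
    done
}

# Constructed sample users.txt (not a real list).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample users.txt
alice
bob   # trailing comment
 carol
Dave        # uppercase is rejected by this checker
9lives      # starts with a digit
bad name    # contains a space
EOF

create_users "$SAMPLE"
```

Run as `./newusers users.txt` to see the plan and `./newusers users.txt --apply` as root to create the accounts; on the sample only alice, bob and carol are accepted.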

Samba

yum -y install samba

firewall-cmd --permanent --add-service=samba
firewall-cmd --reload

mkdir /srv/smb_docs
semanage fcontext -a -t samba_share_t "/srv/smb_docs(/.*)?"
restorecon -RFv /srv/smb_docs

setsebool -P use_samba_home_dirs on
setsebool -P samba_enable_home_dirs on

chown vince /srv/smb_docs
setfacl -d -m u:vince:rwx /srv/smb_docs

Edit /etc/samba/smb.conf

[global]
    workgroup = DEVOPS
    hostname lookups = yes

[docs]
    comment = Docs
    hosts allow = srv2.rhce.local
    browseable = yes
    writeable = no
    printable = no
    path = /srv/smb_docs
    write list = vince

systemctl enable smb
systemctl start smb

Set the Samba password for the user:

smbpasswd -a vince

Samba Client

yum -y install samba-client cifs-utils

Create the creds file and restrict it to root (chmod 600), since it holds the password in clear text; then create the mount point.

vi /etc/samba/creds.txt
username=vince
password=pass

mkdir /mnt/samba

Add share to fstab

//srv1.rhce.local/docs /mnt/samba cifs credentials=/etc/samba/creds.txt,multiuser,_netdev 0 0
mount -a

Test:

su - vince
cifscreds add srv1