sys-blog.net

User creation bash script

Dolev — Thu, 02 May 2013 07:56:34 +0000

So a friend asked me to write a little script for him that looks up for a specific username on a system, and if it doesn’t exist, it will create it for him. pretty easy right ?

since adding a user with useradd with a password ( -p ) requires the password to be encrypted, I also included that option in the script.

#!/bin/bash
USER="Enter your username"

if [ `whoami` != root ]
    then
              echo "Script must be executed with the root privileges"
              exit
fi

echo "Attempting to find user $USER" ; sleep 1
cat /etc/passwd | cut -d':' -f 1 | grep $USER > /dev/null

if [ "$?" -eq 0 ]
     then
       echo "User $USER already exists on the system"
       exit
     else
        echo -n "User $USER was not found, do you want to create the user $USER? "; sleep 1
        read ans
        case $ans in
                     Y|y|YES|yes)
                                 echo "Creating user $USER..."
                                 pass=$(perl -e 'print crypt($ARGV[0], "password")' $password)
                                 useradd $USER -p $pass
                                 sleep 1 && echo "...OK"
                                 ;;
                     N|n|NO|no|q)
                                 exit
                                  ;;
        esac
fi

yum checksum error -3

Dolev — Thu, 18 Apr 2013 14:05:37 +0000

While trying to update my repository on a RHEL 5.5 system, (note: I use a local repository on a RHEL6.0 distro), I faced this error:

[Errno -3] Error performing checksum
Trying other mirror.
Error: failure: repodata/primary.xml.gz from Updates: [Errno 256] No more mirrors to try.

This error relates to the SHA module support in 5.x version

this error is fixed once you re-create the repo with the -a sha1 command

$createrepo -a sha1 .

$yum clean all

$yum repolist

and the error was gone.

RHCE: Sample Exam

Dolev — Tue, 09 Apr 2013 06:16:16 +0000

First, I would like to thank all people who find my site valuable and sent me an email about their experience with it, that was very warming to see.

After receiving many emails asking for some more exam samples, I have created a new exam for RHCE.

The exam tends to cover all RHCE objectives in different ways and approaches, feel free to ask me regarding anything that is in there.

You may download the RHCE exam in pdf format from the following Link

Edit: I’m in the process of creating a video with solutions to the exam together with sound, this may take time, please be patient.

Edit 2: you can find the complete video ( 1:22 hours!) of each objective + some tips regarding the RHCE exam. in the Link below

I would like to get feed backs regarding this tutorial, if things were clear enough, I may include a similar video with the objectives I had not managed to cover in video 1.

Download (152MB RAR -> AVI)

Central package repository with createrepo for RHEL

Dolev — Fri, 29 Mar 2013 10:45:26 +0000

Where I work, we have an isolated network with no internet access, and many (many) Linux servers, mostly Red Hat Enterprise, from versions 4.0 to 6.4. and Fedora.

Wouldn’t it be awesome if you could use yum inside a network without internet access?

basically what I wanted to achieve is a central server that will serve the others with packages according to their architecture and version.

I came across the CreateRepo package that creates the metadata for your ISOs and that way the servers in your network can retrieve desired packages via httpd, with a small .repo file in their /etc/yum.repos.d.

all it takes is installing httpd, mounting ISOs to a directory (neat order preferred, each ISO gets a directory and “i386″ & “x86_64″ sub directories with rpms) and running the

createrepo .

inside that directory, and that way you get the metadata files that allows others to use the correct RPMs according to the yum command..

I have also spread a script across the linux systems that automatically detects the OS and architecture and that way creates the proper .repo file for the server with the correct path to the repository of the server.

to install createrepo simply rum

yum install createrepo

RHCE: Mission accomplished

Dolev — Thu, 21 Mar 2013 08:51:03 +0000

Well, like everybody else says, it’s a hard nut to break, but it’s doable

when I first started this blog, it was my first goal, and now it’s here.

the exam is tough, covers many objects, all of them are on this blog and very relevant (Hint!)

I will be providing more tips, scripts and possibly videos with sound in the near future.

RHCE: FTP – Configure anonymous download only

Dolev — Sat, 09 Mar 2013 09:33:20 +0000

This objective expects you to configure your FTP server to allow anonymous download only.

Since most if not all RHCE objectives aim for securing the network services, the host based security here can pretty much be expressed by limiting so a single client / single network subnet.

Server side:
Install vsftpd packages
yum -y install vsftpd

Edit vsftpd.conf file and uncomment
vi /etc/vsftpd/vsftpd.conf
#local_enable=YES

by default, anonymous_enable is set to yes, leave it that way.

Start vsftpd
service vsftpd start

Allow port 21 to network 10.0.0.0/255.255.255.0
iptables -I INPUT -p tcp -s 10.0.0.0/24 –dport 21 -j ACCEPT
service iptables save

while labbing I found a “problem” listing files in directories after logging in, after many searches, I found the mod ip_conntrack_ftp responsible for this, it must be loaded on startup for users to be able to login to their home directories and list files.
Fixing this can be in 2 ways.
either add a ip_conntrack_ftp.module shell script to /etc/sysconfig/modules/
with the context

#!/bin/bash
/sbin/modprobe ”ip_conntrack_ftp”

the other option is to edit the file
/etc/sysconfig/iptables-config
and edit the line
IPTABLES_MODULES=”ip_conntrack_ftp”
save and restart iptables to load the module
service iptables save && service iptables restart

Enable the SELinux boolean
setsebool -P ftp_home_dir 1

Client Side

install ftp and connect to the ftp server anonymously
yum install ftp
ftp server.example.com

','hspace':null,'vspace':null,'align':null,'bgcolor':null}" alt="" />

RHCE: NFS – Provide network shares suitable for group collaboration.

Dolev — Fri, 08 Mar 2013 16:11:41 +0000

This task requires you to provide a network share via samba, which will be suitable for sharing in between users of the same group.
You can pretty much find the same idea of objective in the NFS section of the exam.
I checked the settings integrity through a Windows client , make sure you do so with a Linux client. since mapping the directory and editing /etc/fstab is a requirement for this objective and the exam itself.

Install required samba packages
yum -y install samba samba-common

Open relevant ports
iptables -I INPUT -p udp –dport 137 -j ACCEPT
iptables -I INPUT -p tcp –dport 445 -j ACCEPT
service iptables save

Make sure services start on boot
chkconfig smb on
chkconfig nmb on

Create the group and its’ directory
mkdir /IT
groupadd sysadmins
chmod 2770 /IT
chown nobody:sysadmins /IT

Add the SELinux context to the directory
chcon -t samba_share_t /IT

Create a user in the system and a samba user
useradd Paul -s /sbin/nologin -G sysadmins
smbpasswd -a Paul

Add the Samba share directives
vi /etc/samba/smb.conf

[IT]
comment = System Administrator Share Directory
path = /IT
write list = @sysadmins
read only = yes
valid users = @sysadmins
create mask = 2770
directory mask = 2770
public = no

','hspace':null,'vspace':null,'align':null,'bgcolor':null}" alt="" />

RHCE: DNS – Configure a caching-only name server to forward DNS queries

Dolev — Fri, 08 Mar 2013 15:30:30 +0000

This tasks requires you to either configure a caching only server or configure a caching only server that forwards DNS queries.

fairly simple once you get the idea.

Server steps:

Install relevant packages
yum -y install bind bind-chroot

open the right ports
iptables -I INPUT -p tcp -s 10.0.0.0/24 –dport 53 -j ACCEPT
iptables -I INPUT -p udp -s 10.0.0.0/24 –dport 53 -j ACCEPT

Edit /etc/named.conf
For a caching only server
listen-on port 53 { 127.0.0.1; eth-ip-address; };
allow-query { localhost; network-ip-address; };

For a caching only that forwards requests:
listen-on port 53 { 127.0.0.1; eth-ip-address; };
allow-query { localhost; network-ip-address; };
forward only;
forwarders { forward-ip1; forward ip2; };

Enable logging
rndc querylog

View logs
tail -f /var/log/messages

Client Side:
set the DNS server IP statically and query some servers/sites.

','hspace':null,'vspace':null,'align':null,'bgcolor':null}" alt="" />

RHCE: NFS – Provide network shares to specific clients

Dolev — Tue, 26 Feb 2013 17:50:48 +0000

This task requires you to setup an NFS server and to provide a share to other clients, possibly on different networks.

the key here is to supply host based security either by iptables or the exports file to either a network range, single client, or several specific clients.

In the video example I am using 3 different machines. server, client, and an outsider client.

The NFS share will be configured in the server, and the server will export the share to the client, while we will be testing functionality with the outsider to figure out if we properly configured the security.

Server steps:
Install NFS:
yum groupinstall “NFS file server” -y

Open FW rules:
iptables -I INPUT -m tcp -p tcp -s 192.168.0.0/24 –dport 2049 -j ACCEPT
iptables -I INPUT -m tcp -p tcp -s 192.168.0.0/24 –dport 111 -j ACCEPT
iptables -I INPUT -m udp -p udp -s 192.168.0.0/24 –dport 111 -j ACCEPT

Create the share:
mkdir /srv/nfs

Start the services:
service rpcbind start
service nfs start
Make sure they survive a reboot
chkconfig rpcbind on
chkconfig nfs on

Edit /etc/exports
/srv/nfs 192.168.0.0/24(ro)
Export shares
exportfs -va

Client steps:
yum install nfs-utils
mount -t nfs 192.168.0.254:/srv/nfs /mnt/nfs
Edit /etc/fstab

Outsider steps:
yum install nfs-utils
see if you can mount it from a different IP, if things go well, you shouldn’t be able to.

','hspace':null,'vspace':null,'align':null,'bgcolor':null}" alt="" />

RHCE – configure a system to log to a remote system & configure a system to accept logging from a remote system

Dolev — Mon, 25 Feb 2013 20:09:03 +0000

This task is fairly easy. one machine send its’ logs to the other

I set up 2 machines, 1 server and 1 client.
Server IP: 10.10.0.23
Client IP : 10.10.0.20

the client is configured to send its’ logs to the server, which is configured to accept logs over port 514 (UDP or TCP depends on the configuration).

Client:
edit /etc/rsyslog.conf and edit the last line with the server IP (one @ = UDP, two @@ = TCP)

restart rsyslog service
service rsyslog restart

Server:
open port 514 tcp/udp
IPTABLES -I INPUT -m tcp -p tcp –dport 514 -j ACCEPT
IPTABLES -I INPUT -m udp -p udp –dport 514 -j ACCEPT

Edit rsyslog.conf and uncomment to directives
#$ModLoad imtcp
#$InputTCPServerRun 514

Test functionality
logger “Hello from client”

RHCE clearly states host based security in each objectives, you could permit just one machine through the firewall via port 514 with “-s 10.10.0.20″

','hspace':null,'vspace':null,'align':null,'bgcolor':null}" alt="" />