I recently found another good “sample exam” website here: http://www.sys-blog.net/?p=1930 so I’m going to try and go through each question in the .pdf and how I would do it, more for my own personal understanding than anything!

1. Enable IPv4 forwarding on your system; make sure changes survive a reboot.

Answer: Use sysctl -a to find the key (net.ipv4.ip_forward) and then sysctl -w to set it. Note that sysctl -w only changes the running kernel; for the change to survive the reboot the question asks about, the same key also has to be set in /etc/sysctl.conf.

[root@ip-10-37-161-18 ec2-user]# sysctl -a | grep forward
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
[root@ip-10-37-161-18 ec2-user]# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
[root@ip-10-37-161-18 ec2-user]#

2. Create the local users: Bill, Phil and Stephanie. Add Bill and Phil to Sysadmins group and Stephanie to the Presale group.

Answer: Create the users with “useradd”, the groups with “groupadd”, then “usermod -aG group user” to add the users to their groups:

[root@ip-10-37-161-18 ec2-user]# useradd bill
[root@ip-10-37-161-18 ec2-user]# useradd phil
[root@ip-10-37-161-18 ec2-user]# useradd stephanie
[root@ip-10-37-161-18 ec2-user]# groupadd sysadmins
[root@ip-10-37-161-18 ec2-user]# usermod -aG sysadmins bill
[root@ip-10-37-161-18 ec2-user]# usermod -aG sysadmins phil
[root@ip-10-37-161-18 ec2-user]# groupadd Presale
[root@ip-10-37-161-18 ec2-user]# usermod -aG Presale stephanie
[root@ip-10-37-161-18 ec2-user]# su bill -c groups
bill sysadmins
[root@ip-10-37-161-18 ec2-user]#

3. Set up SSH access to your system, limited to the 192.168.0.0 and 192.168.1.0 networks. Deny access only to Stephanie from the 192.168.1.0 network.

Answer: Here we need iptables to limit SSH access to 192.168.0.0/23, which covers both networks and satisfies the first part. We can be doubly sure and use TCP wrappers as well. Finally, sshd_config restricts user stephanie so that she cannot log in over SSH from the 192.168.1.0 network:

[root@ip-10-37-161-18 ec2-user]# iptables -I INPUT 2 -s 192.168.0.0/23 -p tcp --dport 22 -j ACCEPT
[root@ip-10-37-161-18 ec2-user]# iptables -nL --line-numbers | grep 192.168.0.0
2 ACCEPT tcp -- 192.168.0.0/23 0.0.0.0/0 tcp dpt:22
[root@ip-10-37-161-18 ec2-user]# echo "DenyUsers stephanie@192.168.1.0/24" >> /etc/ssh/sshd_config
[root@ip-10-37-161-18 ec2-user]# echo "AllowUsers stephanie@192.168.0.0/24" >> /etc/ssh/sshd_config
[root@ip-10-37-161-18 ec2-user]# echo "sshd : ALL EXCEPT 192.168.0.0/23" >> /etc/hosts.deny
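sshd evaluates DenyUsers before AllowUsers, and once any AllowUsers line exists only the users it lists may log in at all, so a DenyUsers/AllowUsers pair naming only stephanie would also shut out bill and phil. As an added example (not code from the original post), the script below models that evaluation for USER and USER@HOST patterns against a constructed sshd_config fragment; DenyGroups/AllowGroups and hostname matching are left out.

```bash
#!/bin/bash
# Added example, not from the original post: model how sshd evaluates DenyUsers
# and AllowUsers patterns of the form USER or USER@HOST, with HOST a CIDR block or
# a glob like 192.168.1.*. DenyGroups/AllowGroups and hostnames are not modelled.
set -f   # patterns contain '*', so pathname expansion must stay off

ip_to_int() {        # 192.168.1.7 -> 32-bit integer
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {          # in_cidr IP NET/BITS -> exit 0 when IP lies inside NET/BITS
    net=${2%/*} bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

pattern_matches() {  # pattern_matches PATTERN USER IP
    case $1 in
        *@*) upat=${1%%@*} hpat=${1#*@} ;;
        *)   upat=$1 hpat='*' ;;
    esac
    case $2 in $upat) ;; *) return 1 ;; esac          # user part must match
    case $hpat in
        */*) in_cidr "$3" "$hpat" ;;                   # CIDR host part
        *)   case $3 in $hpat) return 0 ;; *) return 1 ;; esac ;;   # glob host part
    esac
}

# ssh_login_permitted CONFIG USER IP -> exit 0 if sshd would admit USER from IP:
# a DenyUsers match refuses; otherwise an AllowUsers list, if present, must match.
ssh_login_permitted() {
    cfg=$1 user=$2 ip=$3
    for p in $(printf '%s\n' "$cfg" | awk '$1 == "DenyUsers" { for (i = 2; i <= NF; i++) print $i }'); do
        pattern_matches "$p" "$user" "$ip" && return 1
    done
    allow=$(printf '%s\n' "$cfg" | awk '$1 == "AllowUsers" { for (i = 2; i <= NF; i++) print $i }')
    [ -z "$allow" ] && return 0
    for p in $allow; do pattern_matches "$p" "$user" "$ip" && return 0; done
    return 1
}

# Constructed sshd_config fragment holding the two lines this answer appends.
EXAM_CFG='DenyUsers stephanie@192.168.1.0/24
AllowUsers stephanie@192.168.0.0/24'

for who in stephanie@192.168.1.7 stephanie@192.168.0.7 bill@192.168.0.7; do
    ssh_login_permitted "$EXAM_CFG" "${who%@*}" "${who#*@}" && r=permitted || r=refused
    echo "$who: $r"
done
```

Dropping the AllowUsers line (keeping only DenyUsers) is enough for the question as worded and lets the other users back in.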

4. Configure your server as a web server, configure a virtual host for the website www.exam.com, create an index.html and place it at /www/virt-sites/exam.com

Answer: This is pretty straightforward. We need to install httpd, configure it, set the iptables rules, and then set the SELinux context on the document root:

[root@ip-10-37-161-18 ec2-user]# yum grouplist | grep "Web"
Web Server
Web Servlet Engine
Web-Based Enterprise Management
[root@ip-10-37-161-18 ec2-user]# yum groupinstall "Web Server"
<output removed for brevity>
[root@ip-10-37-161-18 ec2-user]# nano $(locate httpd.conf)

Then uncomment “#NameVirtualHost *:80” and add the lines:

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /www/virt-sites/exam.com
ServerName www.exam.com
ServerAlias exam.com
</VirtualHost>

Then the rest of the commands:

[root@ip-10-37-161-18 ec2-user]# mkdir -p /www/virt-sites/exam.com
[root@ip-10-37-161-18 ec2-user]# semanage fcontext -a -t httpd_sys_content_t "/www(/.*)?"
[root@ip-10-37-161-18 ec2-user]# restorecon -R -v /www
restorecon reset /www context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/virt-sites context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
restorecon reset /www/virt-sites/exam.com context unconfined_u:object_r:default_t:s0->unconfined_u:object_r:httpd_sys_content_t:s0
[root@ip-10-37-161-18 ec2-user]# ls -dZ /www
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 /www
[root@ip-10-37-161-18 ec2-user]# iptables -I INPUT 5 -p tcp --dport 80 -j ACCEPT
[root@ip-10-37-161-18 ec2-user]# iptables -nL --line-numbers | grep 80
5 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
[root@ip-10-37-161-18 /]# chown -R apache:apache /www
[root@ip-10-37-161-18 exam.com]# nano index.html
[root@ip-10-37-161-18 exam.com]# echo "Hello website 123" >> index.html
[root@ip-10-37-161-18 exam.com]# chkconfig httpd on
[root@ip-10-37-161-18 exam.com]# service httpd start
Starting httpd: [ OK ]
[root@ip-10-37-161-18 exam.com]#

5. Configure a private folder named private under the document root of that website, specifically for Phil, set his access password to redhateng, make sure the file is hidden under /etc/httpd, and limit access to the directory to the local host only.

Answer: Here we need to create the directory in /www/virt-sites/exam.com, set up an htpasswd file, install httpd-manual for the example directives (saves time), copy and paste the relevant lines, and then use “allow from, deny” permissions on the directory:

[root@ip-10-37-161-18 exam.com]# pwd
/www/virt-sites/exam.com
[root@ip-10-37-161-18 exam.com]# mkdir private
[root@ip-10-37-161-18 exam.com]# chown apache:apache private/
[root@ip-10-37-161-18 exam.com]# ls -dZ private/
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 private/
[root@ip-10-37-161-18 private]# echo "This is secret!!" >> index.html
[root@ip-10-37-161-18 private]# htpasswd -cm /etc/httpd/.htpasswd phil
New password:
Re-type new password:
Adding password for user phil
[root@ip-10-37-161-18 private]# yum -y install httpd-manual
<output removed for brevity>
[root@ip-10-37-161-18 private]# nano $(locate httpd.conf)

Our httpd.conf should now look like:

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /www/virt-sites/exam.com
ServerName www.exam.com
ServerAlias exam.com
<Directory /www/virt-sites/exam.com/private>
Order allow,deny
Allow from 127.0.0.1
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /etc/httpd/.htpasswd
Require user phil
</Directory>
</VirtualHost>

6. Configure your server as a Samba server, create a directory for the Presale department for group collaboration, any other user is NOT allowed to access or browse this folder, limit the access to stations on the 192.168.0.0 network ONLY.

Answer: Here we need to create a directory, set permissions on it appropriately for the Presale group, then set the SELinux context on it for smb/cifs. Then we need to install samba, edit smb.conf, use “valid users” to limit the share to the group, and use iptables to restrict it to the subnet (note that port 137 is the NetBIOS name service, which runs over UDP; the TCP ports SMB uses are 139 and 445):

[root@ip-10-37-161-18 private]# iptables -I INPUT 6 -s 192.168.0.0/24 -p tcp --dport 137 -j ACCEPT
[root@ip-10-37-161-18 private]# iptables -I INPUT 7 -s 192.168.0.0/24 -p tcp --dport 445 -j ACCEPT
[root@ip-10-37-161-18 private]# iptables -nL
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:137
ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:445
[root@ip-10-37-161-18 var]# mkdir smb
[root@ip-10-37-161-18 var]# semanage fcontext -a -t samba_share_t "/var/smb"
[root@ip-10-37-161-18 var]# restorecon -R -v /var/smb
restorecon reset /var/smb context unconfined_u:object_r:var_t:s0->unconfined_u:object_r:samba_share_t:s0
[root@ip-10-37-161-18 var]# yum install samba
<output removed for brevity>

Edit smb.conf and add the following:

[Presales]
comment = Presales Share
path = /var/smb
hosts allow = 192.168.0.*
valid users = @Presale

Then ..

[root@ip-10-37-161-18 var]# cd /var/
[root@ip-10-37-161-18 var]# chown root:Presale smb
[root@ip-10-37-161-18 var]# chmod g+s smb
[root@ip-10-37-161-18 var]# setfacl -m d:g:Presale:rwx smb
[root@ip-10-37-161-18 var]# setfacl -m g:Presale:rwx smb
[root@ip-10-37-161-18 var]# setfacl -m o::- smb
[root@ip-10-37-161-18 var]# getfacl smb
# file: smb
# owner: root
# group: Presale
# flags: -s-
user::rwx
group::r-x
group:Presale:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:Presale:rwx
default:mask::rwx
default:other::r-x
[root@ip-10-37-161-18 var]# chkconfig smb on
[root@ip-10-37-161-18 var]# service smb start
Starting SMB services: [ OK ]
[root@ip-10-37-161-18 var]#

7. Configure your system to reject any kind of ICMP requests, from any network.

Answer: We can do this using sysctl as below:

[root@ip-10-37-161-18 tmp]# sysctl -a | grep icmp
net.netfilter.nf_conntrack_icmpv6_timeout = 30
net.netfilter.nf_conntrack_icmp_timeout = 30
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0
net.ipv4.icmp_ratelimit = 1000
net.ipv4.icmp_ratemask = 6168
net.ipv6.icmp.ratelimit = 1000
[root@ip-10-37-161-18 tmp]# sysctl -w net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_all = 1
[root@ip-10-37-161-18 tmp]#
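Both this answer and the forwarding one in question 1 set the value with sysctl -w, which changes only the running kernel; RHEL 6 reloads /etc/sysctl.conf with sysctl -p at boot, so the key also has to be recorded there. As an added example (not the post's own code), the functions below record a key in a sysctl.conf-style file idempotently and read it back; the file path is a parameter and the demo runs against a constructed scratch copy rather than the real /etc/sysctl.conf.

```bash
#!/bin/bash
# Added example, not from the original post: make a sysctl setting survive a reboot
# by recording it in a sysctl.conf-style file idempotently (RHEL 6 reloads
# /etc/sysctl.conf with "sysctl -p" at boot). The file is a parameter so the
# functions can be exercised on a scratch copy; on a live host point them at
# /etc/sysctl.conf as root and apply the running value with "sysctl -w" as well.

# persist_sysctl FILE KEY VALUE: rewrite any existing KEY line (active or
# commented out) as "KEY = VALUE", or append one if KEY is absent, so repeated
# runs never accumulate duplicate lines.
persist_sysctl() {
    file=$1 key=$2 value=$3
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
    if grep -Eq "^[[:space:]#]*${pat}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]#]*${pat}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# persisted_value FILE KEY: the value the file records for KEY (last active
# line wins, which is also the line "sysctl -p" applies last).
persisted_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${pat}[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//'
}

# active_key_count FILE KEY: how many uncommented lines set KEY (should be 1).
active_key_count() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Ec "^[[:space:]]*${pat}[[:space:]]*=" "$1"
}

# Constructed scratch copy carrying the RHEL 6 default forwarding line.
scratch=$(mktemp)
printf '# Kernel sysctl configuration (constructed sample)\nnet.ipv4.ip_forward = 0\nnet.ipv4.conf.default.rp_filter = 1\n' > "$scratch"
persist_sysctl "$scratch" net.ipv4.ip_forward 1            # question 1
persist_sysctl "$scratch" net.ipv4.icmp_echo_ignore_all 1  # question 7
persist_sysctl "$scratch" net.ipv4.icmp_echo_ignore_all 1  # a second run changes nothing
cat "$scratch"
rm -f "$scratch"
```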

8. Write a script that backs up all content of /root to /backup/root and writes a log to /var/log/rootbackup.log with the date and time in the format of “13:55:01 01/11/2013”, make sure it is running on Sunday through Friday, without Saturday, at 22:45.

Answer: We need to write a script that copies /root to /backup/root, echoes an entry with the date output to /var/log/rootbackup.log, and have cron call it.

#!/bin/bash
# Copy /root into /backup/root (GNU cp creates the root directory under /backup, so /backup must exist first)
mkdir -p /backup
cp -R /root/ /backup/
# Log the run with the time and date in the requested "HH:MM:SS DD/MM/YYYY" form
date1=$(date +"%H:%M:%S %d/%m/%Y")
echo "$date1" >> /var/log/rootbackup.log

Next we need the crontab entry to run Sunday to Friday (not Saturday) at 22:45:

SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
45 22 * * sun,mon,tue,wed,thu,fri root bash /runbackup

9. Configure your system to accept logs from remote machines on the network 192.168.0.0 over TCP, and not from any other network.

Answer: Here we need to configure rsyslog using the rsyslog.conf file, and open up TCP 514 through the firewall. The main editing is in the rsyslog.conf file, so edit it as below:

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Then iptables:

[root@ip-10-224-74-103 /]# iptables -I INPUT 4 -s 192.168.0.0/24 -p tcp --dport 514 -j ACCEPT
[root@ip-10-224-74-103 /]# iptables -nL --line-numbers | grep 514
4 ACCEPT tcp -- 192.168.0.0/24 0.0.0.0/0 tcp dpt:514
[root@ip-10-224-74-103 /]#

This restricts it to the 192.168.0.0 network, and by uncommenting the TCP section and not the UDP one we satisfy both criteria.
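Every answer in this post opens a port with iptables -I INPUT N, which only works while the rule lands above the chain's closing REJECT, and on RHEL 6 the running rules are lost at reboot unless written out with service iptables save. As an added check (example code, not from the original post), the script below reads iptables -S INPUT output, here a constructed sample built from this post's rules, and reports which sources can reach a TCP port before the catch-all.

```bash
#!/bin/bash
# Added example, not from the original post: check what a saved INPUT chain
# actually lets through to a TCP port. It reads "iptables -S INPUT" output
# (a constructed sample below) and stops at the first catch-all REJECT/DROP,
# because anything inserted below that line is never evaluated.

# accepted_sources RULES PORT: one line per ACCEPT rule for tcp/PORT reached
# before the catch-all, printing its -s value or 0.0.0.0/0 when unrestricted.
accepted_sources() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-P" { next }                                   # chain policy line
        /-j (REJECT|DROP)/ && !/ -s / && !/ -p / && !/ --dport / { exit }   # catch-all
        / -p tcp / && $0 ~ (" --dport " port " ") && / -j ACCEPT/ {
            src = "0.0.0.0/0"
            for (i = 1; i <= NF; i++) if ($i == "-s") src = $(i + 1)
            print src
        }'
}

# port_limited_to RULES PORT CIDR: exit 0 only if tcp/PORT is reachable and
# every rule that accepts it is restricted to exactly CIDR.
port_limited_to() {
    srcs=$(accepted_sources "$1" "$2")
    [ -n "$srcs" ] || return 1
    for s in $srcs; do [ "$s" = "$3" ] || return 1; done
}

# Constructed sample modelled on the RHEL 6 default chain plus rules from this
# post; the 2049 rule sits below the REJECT, so it is dead.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.0.0/23 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 514 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 192.168.0.0/23 -p tcp -m tcp --dport 2049 -j ACCEPT'

for port in 22 514 80 2049; do
    srcs=$(accepted_sources "$SAMPLE_RULES" "$port" | tr '\n' ' ')
    echo "tcp/$port accepted from: ${srcs:-nothing (unreachable)}"
done
```

On a live host, feed it `iptables -S INPUT` instead of the sample and check each port the exam asks you to restrict.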

10. Configure your system as an FTP server that allows anonymous downloads only from network 192.168.1.0.

Answer: We need to set up iptables to allow inbound port 21 (FTP) from 192.168.1.0/24, install vsftpd, configure vsftpd.conf, and then look at SELinux as well.

[root@ip-10-224-74-103 /]# yum install vsftpd*
<removed for brevity>
[root@ip-10-224-74-103 /]# iptables -I INPUT 6 -s 192.168.1.0/24 -p tcp --dport 21 -j ACCEPT
[root@ip-10-224-74-103 sam]# setsebool -P ftp_home_dir on
[root@ip-10-224-74-103 ec2-user]# nano $(locate vsftpd.conf)

Ensure that vsftpd.conf has the following lines:

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
#
# Uncomment this to allow local users to log in.
local_enable=YES

Then ..

[root@ip-10-224-74-103 ec2-user]# chkconfig vsftpd on
[root@ip-10-224-74-103 ec2-user]# service vsftpd start
Starting vsftpd for vsftpd: [ OK ]

And that's the configuration done. We can test it quickly from a 192.168.1.0/24 host, as below:

[root@rhelserver media]# ftp ec2-54-216-181-60.eu-west-1.compute.amazonaws.com
Connected to ec2-54-216-181-60.eu-west-1.compute.amazonaws.com (54.216.181.60).
220 (vsFTPd 2.2.2)
Name (ec2-54-216-181-60.eu-west-1.compute.amazonaws.com:sam): sam 
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

11. Create the directory /srv/nfs-share and export it as read only for networks 192.168.1.0 and 192.168.0.0 via NFS, make sure remote root users do not have root privileges on your system.

Answer: Here we need to create the directory, add the iptables rule, set up SELinux for that folder, add the export, and add a TCP Wrappers line as well (deny in iptables, deny in TCP wrappers, export only to the subnet: one of those should stick!). Then chkconfig and start it.

[root@ip-10-224-74-103 sam]# mkdir -p /srv/nfs-share
[root@ip-10-224-74-103 sam]# iptables -I INPUT 3 -s 192.168.0.0/23 -p tcp --dport 2049 -j ACCEPT
[root@ip-10-224-74-103 sam]# cd /srv/
[root@ip-10-224-74-103 srv]# man nfsd_selinux
[root@ip-10-224-74-103 srv]# semanage fcontext -a -t nfsd_rw_t "/srv/nfs-share(/.*)?"
[root@ip-10-224-74-103 srv]# restorecon -R -v /srv/nfs-share
[root@ip-10-224-74-103 srv]# echo "/srv/nfs-share 192.168.0.0/23(ro,root_squash)" >> /etc/exports
[root@ip-10-224-74-103 srv]# echo "mountd : ALL EXCEPT 192.168.0.0/23" >> /etc/hosts.deny
[root@ip-10-224-74-103 srv]# chkconfig nfs on
[root@ip-10-224-74-103 srv]# service nfs start

12. Configure your system as a DNS server that forwards requests to Google’s DNS server, IP 8.8.8.8. Configure your DNS server to accept DNS queries only from the 192.168.0.0 network.

Answer: We need to install bind, allow port 53 through the firewall for 192.168.0.0, then configure named.conf, setting forwarders, listen-on and allow-query, then chkconfig and start it:

[root@ip-10-224-74-103 srv]# yum install bind
<Removed for brevity>
[root@ip-10-224-74-103 srv]# nano /etc/named.conf
...
options {
listen-on port 53 { 192.168.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; 192.168.0.0/24; };
recursion yes;
forwarders { 8.8.8.8; };
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
..

13. Change the connection port of the Secure Shell Host (SSH) to any port other than the default.

Answer: We need to open the iptables port we are using (1022 in this example), then modify sshd_config to use that port. With SELinux enforcing, the new port also has to be labelled for sshd (semanage port -a -t ssh_port_t -p tcp 1022), or sshd will be denied when it tries to bind to it.

[root@ip-10-224-74-103 srv]# iptables -I INPUT 2 -p tcp --dport 1022 -j ACCEPT
[root@ip-10-224-74-103 srv]# nano $(locate sshd_config)
...
Port 1022
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
...
[root@ip-10-224-74-103 srv]# service sshd restart

14. Configure your system to accept emails from all networks. Test your email flow with mail or mutt commands.

Answer: We need to edit main.cf here, change inet_interfaces so Postfix listens on all interfaces, and then open up the firewall.

[root@ip-10-224-74-103 srv]# nano $(locate main.cf)
...
inet_interfaces = all
#inet_interfaces = $myhostname
#inet_interfaces = $myhostname, localhost
#inet_interfaces = localhost
...
[root@ip-10-224-74-103 srv]# /etc/init.d/postfix start
[root@ip-10-224-74-103 srv]# /etc/init.d/postfix status
master (pid 1268) is running...
[root@ip-10-224-74-103 srv]# chkconfig postfix on
[root@ip-10-224-74-103 srv]# iptables -I INPUT 3 -p tcp --dport 25 -j ACCEPT

15. All emails received by Stephanie should be forwarded automatically to the root user for observation.

Answer: We need to edit the aliases file here and alias stephanie to root.

[root@ip-10-224-74-103 srv]# nano /etc/aliases
stephanie: root
[root@ip-10-224-74-103 srv]# newaliases

16. Deny access to Stephanie for the crontab and at services.

Answer: Add the user to /etc/cron.deny; the at service has its own /etc/at.deny, which needs the same entry.

[root@ip-10-224-74-103 srv]# echo "stephanie" >> /etc/cron.deny
