Linux - Certification: This forum is for the discussion of all topics relating to Linux certification.
Do any of you guys who took the exam remember if RHEL had some fix pack version, 5.1, 5.2 or 5.3?
Tks
Not sure about now, but it was 5.1 in Jan 2009.
Quote:
In the RHCE it's results that matter; so any method that gets the results will be ok.
This is what I like about redhat hands-on exam. Like the lengthy iptables discussion, we know there are a few ways to achieve the same result. As long as you can get it to work, you are fine.
In regards to the iptables configuration I wonder if you had it configured correctly. If I remember right the default config of iptables (during install) is to allow all localhost packets. Then, the last line will deny all packets if not specifically allowed. This is from the config file /etc/sysconfig/iptables. If the exam does not specifically ask to deny all packets then I'd remove that last line for sanity's sake.
Also, I would not use tcp_wrappers at all. Just stick with iptables. It makes it so you only have one thing to learn and it is more secure since it is at the kernel level. You would need to know the ports (from /etc/services), but that shouldn't be too tough.
Michael
Interesting thought...I'm not sure if I would just ignore tcp_wrappers all together, although you can most certainly accomplish a lot with iptables without the use of tcp_wrappers.
Since I'm no guru in iptables, forgive the ignorance in my question. But can iptables do user based ACLs?
What would the syntax be if I wanted to restrict ssh to 192.168.13.0/24 AND also restrict it to user mary using iptables?
Yes, but...
Quote:
owner
This module attempts to match various characteristics of the packet
creator, for locally-generated packets. It is only valid in the OUTPUT
chain, and even this some packets (such as ICMP ping responses) may
have no owner, and hence never match.
--uid-owner userid
Matches if the packet was created by a process with the given
effective user id.
--gid-owner groupid
Matches if the packet was created by a process with the given
effective group id.
AFAIK, this doesn't work for incoming (unrelated) tcp/udp packets, since they're not associated with any UID or GID on the local system. I'm sure someone has written an application-layer inspection module for iptables, but even in that case openssh encrypts the traffic anyway.
I think you will be stuck using e.g. AllowUsers in sshd_config.
custangro, I see Anomie gave some insight, but you bring up an interesting question for me. From what you are asking it makes me wonder if tcp_wrappers can do what you ask. Is it true tcp_wrappers can do ACL down to user level? It would be nice.
Now, I'm feeling ignorant, but that's ok. It creates a learning opportunity.
Quote:
What would the syntax be if I wanted to restrict ssh to 192.168.13.0/24 AND also restrict it to user mary using iptables?
I don't think you can use iptables for user level restriction. I would also use the SSH Configuration file in addition to the iptables firewall if it specified to allow ONLY mary.
vi sshd_config
AllowUsers mary
This will only allow mary to access ssh.
Would it screw up the system if I also used tcp-wrappers? My guess is not.
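The three layers the thread settles on, written out for the 192.168.13.0/24 plus user mary case as an added example (not from any post here): iptables for the network, AllowUsers for the user, and tcp_wrappers as an optional extra that only works because sshd links libwrap. The chain policies, the ESTABLISHED rule and the reject target are assumptions for a single-homed RHEL 5 host; the "keep lo open, deny everything last" layout follows the default ruleset described earlier in the thread.

```text
# --- /etc/sysconfig/iptables (iptables-restore format), constructed example ---
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# keep localhost traffic working (the default install rule mentioned above)
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened itself
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new ssh connections only from the 192.168.13.0/24 network
-A INPUT -p tcp -s 192.168.13.0/24 --dport 22 -m state --state NEW -j ACCEPT
# the "last line": anything not matched above is refused
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

# --- /etc/ssh/sshd_config: the user layer iptables cannot provide ---
# iptables sees no UID on an incoming packet, so the user check lives here.
# AllowUsers also accepts user@host patterns if you want the network
# restriction repeated at this layer.
AllowUsers mary

# --- /etc/hosts.allow and /etc/hosts.deny: optional, sshd only ---
# Effective for sshd only because it is linked against libwrap.so; a daemon
# without libwrap (httpd, for instance) ignores these files entirely.
# hosts.allow:
sshd: 192.168.13.0/255.255.255.0
# hosts.deny:
sshd: ALL
```

Apply the firewall file with `service iptables restart` and the sshd change with `service sshd reload`, then test from an address outside the subnet and as a user other than mary before closing the session you configured it from.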
Thanks custango, I didn't know that - or I forgot it. I guess I'll go back to using tcp_wrappers now that I have a good reason.
Good point rhel5. Either way we tighten things down.
Michael
I don't deny tcp_wrappers can be handy. But as pointed out earlier, you have got to be careful though. Apps that do not implement libwrap.so cannot be controlled by tcp_wrappers. So you have to be familiar with it and not spend time troubleshooting problems that you create for yourself in the exams. Say, for example:
Quote:
[root@web home]# whereis libwrap
libwrap: /usr/lib/libwrap.so /usr/lib/libwrap.a
[root@web home]# lsof /usr/lib/libwrap.so
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 1409 root mem REG 202,2 32824 392720 /usr/lib/libwrap.so.0.7.6
sendmail 1558 root mem REG 202,2 32824 392720 /usr/lib/libwrap.so.0.7.6
sendmail 1566 smmsp mem REG 202,2 32824 392720 /usr/lib/libwrap.so.0.7.6
sshd 10118 root mem REG 202,2 32824 392720 /usr/lib/libwrap.so.0.7.6
[root@web home]# /etc/init.d/httpd status
httpd (pid 28770 28769 28768 28767 28766 28765 28764 28763 1614) is running.
Oops, httpd is running and not in the list.
I got my RHCE without using tcp_wrappers. I believe custango got his with tcp_wrappers. Everyone works differently and it is the result that matters in the exam. But as a good sysadmin and looking beyond the certificate, we have to know all possible methods of achieving a certain result, or at least know how things work in the backend. I know sysadmins who just keep using yum or apt-get. When dealing with extreme scenarios like a rescue environment, rpm command line mastery becomes important.
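A check that generalizes the lsof method in the post above, as an added example that is not from the thread: it walks every daemon holding a listening TCP socket and asks ldd whether its binary links libwrap, so the services tcp_wrappers cannot control are listed directly instead of being found by noticing what is missing from the lsof output. It assumes a Linux host with /proc, ss from iproute2 and ldd from glibc; the function names is_wrapped, wrapped_label, listening_pids and audit_listeners are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits which daemons with listening
# TCP sockets are linked against libwrap.so, i.e. which ones /etc/hosts.allow
# and /etc/hosts.deny can actually control. Assumes Linux with /proc, ss from
# iproute2 and ldd from glibc.

# is_wrapped BINARY -> exit status 0 if BINARY links libwrap, 1 otherwise.
# A static binary, a missing ldd or an unreadable file all yield "not wrapped",
# which is the safe assumption: do not rely on tcp_wrappers for a daemon you
# have not verified (httpd in the lsof output above is the classic case).
is_wrapped() {
    ldd "$1" 2>/dev/null | grep -q 'libwrap\.so'
}

# wrapped_label BINARY -> "wrapped" or "not wrapped"
wrapped_label() {
    if is_wrapped "$1"; then echo "wrapped"; else echo "not wrapped"; fi
}

# listening_pids -> unique PIDs that own a listening TCP socket.
# ss prints users:(("sshd",pid=1409,fd=3)); run as root to see every process.
listening_pids() {
    ss -lntp 2>/dev/null | grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -u
}

# audit_listeners -> one line per listening daemon: PID, executable, status.
# Unlike "lsof libwrap.so", which lists only the wrapped processes, this
# reports every listener, so the unwrapped ones stand out without
# cross-checking against a service list.
# Caveat: a service started by xinetd is wrapped by xinetd itself, so for
# those the binary to check is xinetd, not the child it spawns.
audit_listeners() {
    for pid in $(listening_pids); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$pid" "$exe" "$(wrapped_label "$exe")"
    done
}

# Prints nothing on a host without ss or without visible listeners.
audit_listeners
```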