LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General > Linux - Certification
User Name
Password
Linux - Certification This forum is for the discussion of all topics relating to Linux certification.

Notices


Reply
  Search this Thread
Old 03-23-2009, 06:37 PM   #31
descarte
LQ Newbie
 
Registered: Mar 2009
Location: melbourne
Distribution: rhel, centos, debian, ubuntu
Posts: 18

Rep: Reputation: 1

Quote:
Originally Posted by juscelino View Post
Does any of you guys who take it the exam remember if RHEL had some fix pack version. 5.1, 5.2 or 5.3?

Tks
now sure about now, but it was 5.1 in jan 2009.


Quote:
In the RHCE it's results that matter; so any method that gets the results will be ok.
This is what I like about redhat hands-on exam. Like the lengthy iptables discussion, we know there are a few ways to achieve the same result. As long as you can get it to work, you are fine.
 
Old 03-24-2009, 04:19 PM   #32
instrumentpilot
Member
 
Registered: May 2006
Posts: 34

Rep: Reputation: 2
In regards to the iptables configuration I wonder if you had it configured correctly. If I remember right the default config of iptables (during install) is to allow all localhost packets. Then, the last line will deny all packets if not specifically allowed. This is from the config file /etc/sysconfig/iptables. If the exam does not specifically ask to deny all packets then I'd remove that last line for sanity sake.

Also, I would not use tcp_wrappers at all. Just stick with iptables. It makes it so you only have one thing to learn and it is more secure since it is at the kernel level. You would need to know the ports (from /etc/services), but that shouldn't be too tough.

Michael
 
Old 03-24-2009, 04:38 PM   #33
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,978
Blog Entries: 1

Rep: Reputation: 209Reputation: 209Reputation: 209
Quote:
Originally Posted by instrumentpilot View Post
In regards to the iptables configuration I wonder if you had it configured correctly. If I remember right the default config of iptables (during install) is to allow all localhost packets. Then, the last line will deny all packets if not specifically allowed. This is from the config file /etc/sysconfig/iptables. If the exam does not specifically ask to deny all packets then I'd remove that last line for sanity sake.

Also, I would not use tcp_wrappers at all. Just stick with iptables. It makes it so you only have one thing to learn and it is more secure since it is at the kernel level. You would need to know the ports (from /etc/services), but that shouldn't be too tough.

Michael
Interesting thought...I'm not sure if I would just ignore tcp_wrappers all together, although you can most certainly accomplish a lot with iptables without the use of tcp_wrappers.

Since I'm no guru in iptables, forgive the ignorance in my question. But can iptables do user based ACLs?

What would the syntax be if I wanted to restrict ssh to 192.168.13.0/24 AND also restrict it to user mary using iptables?

Last edited by custangro; 03-24-2009 at 04:41 PM.
 
Old 03-24-2009, 04:53 PM   #34
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by custangro
Since I'm no guru in iptables, forgive the ignorance in my question. But can iptables do user based ACLs?

What would the syntax be if I wanted to restrict ssh to 192.168.13.0/24 AND also restrict it to user mary using iptables?
Yes, but...
Quote:
owner
This module attempts to match various characteristics of the packet
creator, for locally-generated packets. It is only valid in the OUTPUT
chain, and even this some packets (such as ICMP ping responses) may
have no owner, and hence never match.

--uid-owner userid
Matches if the packet was created by a process with the given
effective user id.

--gid-owner groupid
Matches if the packet was created by a process with the given
effective group id.
AFAIK, this doesn't work for incoming (unrelated) tcp/udp packets, since they're not associated with any UID or GID on the local system. I'm sure someone has written an application-layer inspection module for iptables, but even in that case openssh encrypts the traffic anyway.

I think you will be stuck using e.g. AllowUsers in sshd_config.
 
Old 03-24-2009, 07:54 PM   #35
latinmusic74
Member
 
Registered: Jun 2007
Posts: 118

Rep: Reputation: 16
Maybe Michael Jang book is not good for the RHCE part of the test.
 
Old 03-24-2009, 09:41 PM   #36
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,978
Blog Entries: 1

Rep: Reputation: 209Reputation: 209Reputation: 209
Quote:
Originally Posted by latinmusic74 View Post
Maybe Michael Jang book is not good for the RHCE part of the test.
I think it is good...

But I've learned in the past that you should never study from only one source...

-C
 
Old 03-24-2009, 11:45 PM   #37
instrumentpilot
Member
 
Registered: May 2006
Posts: 34

Rep: Reputation: 2
custangro, I see Anomie gave some insight, but you bring up an interresting question for me. From what you are asking it makes me wonder if tcp_wrappers can do what you ask. Is it true tcp_wrappers can do ACL down to user level? It would be nice.

Now, I'm feeling ignorant, but that's ok. It creates a learning opportunity.

Michael
 
Old 03-25-2009, 01:18 AM   #38
rhel5
Member
 
Registered: Mar 2009
Location: Bay Area, CA
Distribution: Redhat Enterprise Linux
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by custangro View Post
What would the syntax be if I wanted to restrict ssh to 192.168.13.0/24 AND also restrict it to user mary using iptables?
I don't think you can use iptables for user level restriction. I would also use the SSH Configuration file in addition to the iptables firewall if it specified to allow ONLY mary.

vi sshd_config
AllowUsers mary

This will only allow mary to access the ssh

Would it screw up the system if I also used tcp-wrappers? My guess is not.

vi /etc/hosts.deny
sshd:ALL EXCEPT .whatever.com
 
Old 03-25-2009, 09:58 AM   #39
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,978
Blog Entries: 1

Rep: Reputation: 209Reputation: 209Reputation: 209
Quote:
Originally Posted by instrumentpilot View Post
custangro, I see Anomie gave some insight, but you bring up an interresting question for me. From what you are asking it makes me wonder if tcp_wrappers can do what you ask. Is it true tcp_wrappers can do ACL down to user level? It would be nice.

Now, I'm feeling ignorant, but that's ok. It creates a learning opportunity.

Michael
You can use the user@host syntax...

/etc/hosts.allow
Code:
sshd : mary@192.168.1.0/255.255.255.0
-C
 
Old 03-25-2009, 02:40 PM   #40
instrumentpilot
Member
 
Registered: May 2006
Posts: 34

Rep: Reputation: 2
Thanks custango, I didn't know that - or I forgot it. I guess I'll go back to using tcp_wrappers now that I have a good reason.

Good point rhel5. Either way we tighten things down.

Michael

Last edited by instrumentpilot; 03-25-2009 at 02:41 PM.
 
Old 03-25-2009, 04:18 PM   #41
latinmusic74
Member
 
Registered: Jun 2007
Posts: 118

Rep: Reputation: 16
Interested this thread have became a tcp_wrapper and iptables tutorial.

nice
 
Old 03-25-2009, 04:31 PM   #42
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
You can be more granular in sshd_config, so

DenyUsers hacker@192.168.1.*
AllowUsers *@127.0.0.* *@192.168.1.* brad@192.168.2*

etc.
 
Old 03-25-2009, 05:00 PM   #43
rhel5
Member
 
Registered: Mar 2009
Location: Bay Area, CA
Distribution: Redhat Enterprise Linux
Posts: 59

Original Poster
Rep: Reputation: 15
thanks billymayday

Didn't know that we can do so much with sshd_config file.

Also thanks Custangro

I didn't know that we can filter by user with tcp_wrappers. I always thought that tcp_wrappers were host-based security.
 
Old 03-25-2009, 05:08 PM   #44
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Have a scan through man sshd_config - you'll find all sorts of interesting stuff.
 
Old 03-26-2009, 04:39 AM   #45
descarte
LQ Newbie
 
Registered: Mar 2009
Location: melbourne
Distribution: rhel, centos, debian, ubuntu
Posts: 18

Rep: Reputation: 1
Quote:
Originally Posted by instrumentpilot View Post
Thanks custango, I didn't know that - or I forgot it. I guess I'll go back to using tcp_wrappers now that I have a good reason.

Good point rhel5. Either way we tighten things down.

Michael
I don't deny tcp_wrappers can be handy. but as pointed out earlier, got to becareful though. apps that do not implement libwrap.so cannot be controlled by tcpwrappers. So you have to be familiar with it and not spend time troubleshooting problems that you create for yourself in the exams. say for eg,

Quote:
[root@web home]# whereis libwrap
libwrap: /usr/lib/libwrap.so /usr/lib/libwrap.a
[root@web home]# lsof /usr/lib/libwrap.so
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
sshd 1409 root mem REG 202,2 32824 392720 /usr/lib/libwrap.so.0.7.6
sendmail 1558 root mem REG 202,2 32824 392720 /usr/lib/libwrap.so.0.7.6
sendmail 1566 smmsp mem REG 202,2 32824 392720 /usr/lib/libwrap.so.0.7.6
sshd 10118 root mem REG 202,2 32824 392720 /usr/lib/libwrap.so.0.7.6
[root@web home]# /etc/init.d/httpd status
httpd (pid 28770 28769 28768 28767 28766 28765 28764 28763 1614) is running.
oops httpd is running ant not in the list.

I got my rhce without using tcp_wrappers. I believe custango got his with tcp_wrappers. everyone works differently and it is the result that matters in the exam. But as a good sys admin and looking beyond the certificate, we have to know all possible methods of achieving certain result, or at least know how things work in the backend. I know sysadm who just keep using yum or apt-get. When dealing with extreme scenario like rescue environment, the rpm command line mastery becomes important.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Bind9: NDC command failed : rndc: connect failed: connection refused Boudewijn Linux - Networking 19 01-02-2014 07:19 AM
i need tools to practice for RHCE exams like rhce-config was for RHEL4 ashu.wifi Linux - Certification 16 12-10-2008 04:48 PM
No internet (no ethernet plug) - ppp0 failed and Audio CD - host failed new2 Linux - Laptop and Netbook 9 09-19-2008 12:18 PM
online_update failed - ERROR(Media:connection failed)[Connect failed] rover SUSE / openSUSE 8 02-22-2005 07:57 AM
unpacking of archive failed: cpio: read failed-input/output error rafc Linux - Newbie 0 04-21-2004 09:03 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - General > Linux - Certification

All times are GMT -5. The time now is 08:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration