Monday, October 8, 2012

Monitor System with AIDE and SAR

AIDE (Advanced Intrusion Detection Environment) is a tool for checking the integrity of files on the system


Steps to deploy AIDE
1. Install the aide package
2. Customize /etc/aide.conf to your preference
3. Run /usr/sbin/aide --init to build the initial database
4. Store /etc/aide.conf, /usr/sbin/aide and /var/lib/aide/aide.db.new.gz in a secure location
5. Copy /var/lib/aide/aide.db.new.gz to /var/lib/aide/aide.db.gz
6. Run the check with # aide --check

The result is displayed on screen and saved to /var/log/aide/aide.log by default
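As an added illustration (not AIDE's own code, which records many more attributes and applies a configurable rule set per path), this small Python model of the init/check workflow shows what the baseline database holds and why step 4 matters: if an intruder can regenerate the baseline, the check proves nothing. The demo() function builds a constructed sample tree, baselines it, alters it in four ways and returns the report.

```python
import hashlib
import os
import tempfile

def file_record(path):
    """Attributes the check compares: SHA-256 digest, permission bits, owner, size."""
    st = os.lstat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mode": st.st_mode & 0o7777,
            "uid": st.st_uid, "gid": st.st_gid, "size": st.st_size}

def build_db(root):
    """Like 'aide --init': record every regular file under root, keyed by relative path."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                db[os.path.relpath(path, root)] = file_record(path)
    return db

def check(root, baseline):
    """Like 'aide --check': report files added, removed or changed since the baseline."""
    current = build_db(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)), "changed": {}}
    for rel in sorted(set(current) & set(baseline)):
        diffs = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if diffs:
            report["changed"][rel] = diffs
    return report

def demo():
    """Constructed sample tree (not a real system): baseline it, then alter it four ways."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "bin"))
    for rel, text in {"passwd": "root:x:0:0::/root:/bin/bash\n", "shadow": "root:*::\n",
                      "bin/ls": "original binary\n"}.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
        os.chmod(os.path.join(root, rel), 0o644)
    baseline = build_db(root)  # the copy that step 4 says to keep in a secure location
    with open(os.path.join(root, "bin", "ls"), "w") as f:
        f.write("replaced binary!\n")                   # content changed
    os.chmod(os.path.join(root, "passwd"), 0o600)      # permission bits changed
    os.remove(os.path.join(root, "shadow"))            # file removed
    open(os.path.join(root, "extra.ko"), "w").close()  # file added
    return check(root, baseline)
```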


System Activity Report (SAR)

Install the sysstat package
run # sar -A to display all collected information
run # sar -u 2 5 to display five samples of system CPU usage at an interval of 2 seconds

Static route

The system's routing table is displayed with the ip route show command.

Routing must be enabled with a tunable kernel parameter named net.ipv4.ip_forward

- 0 = discard foreign packets
- 1 = forward foreign packets to the network interface determined by the routing table

Edit /etc/sysctl.conf for a permanent change and run sysctl -p to reload it



To add a route dynamically

# ip route add  IP/netmask  via  router_IP

To add a route persistently, edit /etc/sysconfig/network-scripts/route-<iface> (iface being the interface name) with

ADDRESS0=network
NETMASK0=netmask
GATEWAY0=router_ip

Tuning kernel network parameters

Install the kernel-doc RPM for the documentation

# sysctl -a
will show the full list of parameters

The kernel network parameters are located under
/proc/sys/net/ipv4/

Tuesday, October 2, 2012

Network monitoring

Detect Local Services
# netstat -tulnp

Detect Remote Services
# nmap -A -sT  <server>

Capturing and analyzing network traffic
# tcpdump -D
to show all available capture interfaces

Example to capture port 22 traffic on interface eth0 and write it to a file named packets
# tcpdump -nn -l -s 2000 -w packets -i eth0 'port 22'

Analyzing network packets with Wireshark
install the wireshark-gnome package
copy out the file written by tcpdump
# wireshark <tcpdump file>


Sample yum repo

create a file (the directory is /etc/yum.repos.d and the filename must end in .repo, otherwise yum ignores it)
# touch /etc/yum.repos.d/redhat.repo

then edit it with this sample

[redhat]
name = Redhat
baseurl = http://server.example.com/repo
enabled = 1
gpgcheck = 0

Encrypting files with GnuPG

Generate a key pair
# gpg --gen-key

List public keys
# gpg --list-keys

Export a public key
# gpg -o  mykey.key  --export  --armor key-id

Import a public key
# gpg --import file.key

Encrypt a file
# gpg --encrypt  --armor -r  key-id  <file>

Decrypt a file
# gpg --decrypt  <file>

Monday, October 1, 2012

Text Processing Tools

# diff
example:
# diff <file1> <file2>

# diff -Naur <original> <updated> > patchfile
this command will create a relatively small patch

# patch
example:
# patch <file-need-to-patch> <patchfile>

# cut
example:
# cut -f3 -d: /etc/passwd

# /sbin/ip addr | grep 'inet' | cut -d ' ' -f6 | cut -d / -f1
this pipeline cuts a single piece of information, the IP address, out of the /sbin/ip addr output

# head
example
# head /etc/passwd
by default will display the first 10 lines
# head -n 3 /etc/passwd
will display the first 3 lines

# tail
example
# tail /etc/passwd
# tail -n 3 /etc/passwd
# tail -f /var/log/messages
this command keeps printing new lines as the message log grows until Ctrl+C is pressed

# wc
example
# wc <file>
to count the number of lines, words, bytes or characters in a file

# sort
sort lines

# uniq
remove adjacent duplicate lines from a file

# tr
# tr 'A-Z' 'a-z'
change upper case to lower case (swap the arguments for the reverse)

Auto mount

/etc/auto.master provides the master configuration for autofs

Example:

/home/guests /etc/auto.guests



The /etc/auto.guests file is the map specified in /etc/auto.master

Example using LDAP user home directories

ldapuser1     -rw     ldap.example.com:/home/guests/ldapuser1


there is a wildcard form if you intend to auto mount all of them

*        ldap.example.com:/home/guests/&


After all done, just do

# service autofs reload



* note: if we mount /home/guests using automount, the whole guests folder is taken over by it and we are unable to edit things in it

Centos 6 Virtual machine tools

Virtual Machine Manager is the graphical tool used to manage virtual machines.
It is only available in 64-bit installations.
You can run the tool from Applications > System Tools > Virtual Machine Manager

The virsh command allows you to manage your virtual machines.
Here are some commands to use with virsh

# virsh list
# virsh destroy <server name>
# virsh list --all
# virsh start <server name>
# virsh shutdown <server name>