February 2020
« Jan    


WordPress Quotes

What we plant in the soil of contemplation, we shall reap in the harvest of action.
Meister Eckhart
February 2020
« Jan    

Short Cuts

2012 SERVER (64)
2016 windows (9)
AIX (13)
Amazon (40)
Ansibile (19)
Apache (135)
Asterisk (2)
cassandra (2)
Centos (211)
Centos RHEL 7 (268)
chef (3)
cloud (2)
cluster (3)
Coherence (1)
DB2 (5)
DISK (25)
DNS (9)
Docker (30)
Eassy (11)
ELKS (1)
Fedora (6)
ftp (5)
GIT (3)
GOD (2)
Grub (1)
Hacking (10)
Hadoop (6)
health (2)
horoscope (23)
Hyper-V (10)
IIS (15)
JAVA (7)
JBOSS (32)
jenkins (1)
Kubernetes (7)
Ldap (5)
Linux (188)
Linux Commands (166)
Load balancer (5)
mariadb (14)
Mongodb (4)
MQ Server (24)
MYSQL (84)
Nagios (5)
NaturalOil (13)
Nginx (35)
Ngix (1)
openldap (1)
Openstack (6)
Oracle (35)
Perl (3)
Postfix (19)
Postgresql (1)
PowerShell (2)
Python (3)
qmail (36)
Redis (12)
RHCE (28)
Security on Centos (29)
SFTP (1)
Shell (64)
Solaris (58)
Sql Server 2012 (4)
squid (3)
SSH (10)
SSL (14)
Storage (1)
swap (3)
TIPS on Linux (28)
tomcat (62)
Ubuntu (1)
Uncategorized (30)
Veritas (2)
vfabric (1)
VMware (28)
Weblogic (38)
Websphere (71)
Windows (19)
Windows Software (2)
wordpress (1)

WP Cumulus Flash tag cloud by Roy Tanck requires Flash Player 9 or better.

Who's Online

21 visitors online now
6 guests, 15 bots, 0 members

Hit Counter provided by dental implants orange county

RHEL 7 – RHCSA Notes – Create and manage Access Control Lists (ACLs)

The file access control lists (FACLs) or simply ACLs are the list of additional user/groups and their permission to the file. Although the default file permissions does their jobs perfectly, it does not allow you to give permissions to more than one user or one group on the same file.

How to know when a file has ACL attached to it

ls -l command would produce a output as show below. Note the + sign at the end of the permissions. This confirms that the file has an ACL attached to it.

# ls -l
-rw-r–r-+ 1 root root 0 Sep 19 14:41 file
Viewing ACLs

To display details ACL information of a file use the getfacl command. If you see carefully, the users sam and john have some extra permissions (shown highlighted). The default user/group permissions are specified using “user::permission” and “group::

# getfacl /tmp/test
# file: test
# owner: root
# group: root
In contrast, if you check the ACLs on a a file with “no ACLs” the additional “user:” lines and “mask” line will not be shown and standard file permissions will be shown. :

# getfacl test
# file: test
# owner: root
# group: root
Creating and Managing FACLs

The setfacl command is used to set ACL on the given file. To give a rw access to user john on the file /tmp/test :

# setfacl -m u:john:rw /tmp/test
The -m option tells setfacl to modify ACLs on the file(s) mentioned in command line. Instead of user john we can have a group to have a specific permission on the file :

# setfacl -m g:accounts:rw /tmp/test
FACLs for multiple user and groups can also be set with single command :

# setfacl -m u:john:rw,g:accounts:rwx /tmp/test
Default ACLs

By setting a default ACL, you’ll determine the permissions that will be set for all new items that are created in the directory. But the permissions of existing files and subdirectories remains same.

To create a default FACL on a directory :

# setfacl -m default:u:john:rw /accounts
Notice the default permissions in the getfacl command :

# getfacl accounts/
# file: accounts/
# owner: root
# group: root
Removing FACLs

To remove ACLs, use the setfacl command with -x option :

# setfacl -x u:john /tmp/test
The above command removes the ACL for the user john on the file /tmp/test. The ACLs for other user/groups if any remains unaffected. To remove all ACLs associated to a file use the -b option with setfacl :

# setfacl -b /tmp/test
You can also create a backup of ACLs using getfacl, and restore ACLs using setfacl command. To create the backup, use getfacl -R /dir > file.acls. To restore the settings from the backup file, use setfacl –restore=file.acl

RHEL 7 – RHCSA Notes : Change passwords and adjust password aging for local user accounts

Password configuration

password aging requires users to change their password periodically. Use the chage to configure password expiration. The syntax is :

# chage [options] user_name
– When you fire the command chage, the currently set options are displayed as well.

# chage oracle
Changing the aging information for oracle
Enter the new value, or press ENTER for the default

Minimum Password Age [14]:
Maximum Password Age [30]:
Last Password Change (YYYY-MM-DD) [2016-08-23]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
Password expiration information is stored in /etc/shadow file.

# grep oracle /etc/shadow
As shown above the oracle user has minimum password age of 14 and maximum password age of 30 – It means that in 14 days the user will have 30 days to change the password. Also the user is warned to change the password 7 days prior to password expiry date.

chage options

Number of options are available in chage command. To list aging information :

# chage -l geek
Last password change : Sep 18, 2016
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
To force a user to set a new password immediately (force immediate expiration), set the last password change value to 0 :

# chage –d 0 geek

The Linux user password hashing algorithm is also configurable. Use the authconfig command to determine the current algorithm being used, or to set it to something different. To determine the current algorithm:

# authconfig –test | grep hashing
password hashing algorithm is sha512
To change the algorithm, use the –passalgo option with one of the following as a parameter: descrypt, bigcrypt, md5, sha256, or sha512, followed by the –update option.

# authconfig –passalgo=md5 –update
/etc/login.defs file

/etc/login.defs file provides default user account settings. Default values include:

Location of user mailboxes
Password aging controls
Values for automatic UID selection
Values for automatic GID selection
User home directory creation options
Encryption method used to encrypt passwords
Sample /etc/login.defs file :

# cat /etc/login.defs
GID_MIN 1000
GID_MAX 60000
UID_MIN 1000
UID_MAX 60000

RHEL 7 – RHCSA Notes – Set enforcing and permissive modes for SELinux

SELinux modes

SELinux gives that extra layer of security to the resources in the system. It provides the MAC (mandatory access control) as contrary to the DAC (Discretionary access control). Before we dive into setting the SELinux modes, let us see what are the different SELinux modes of operation and how do they work. SELinux can operate in any of the 3 modes :

1. Enforced : Actions contrary to the policy are blocked and a corresponding event is logged in the audit log.
2. Permissive : Actions contrary to the policy are only logged in the audit log.
3. Disabled : The SELinux is disabled entirely.

Configuration file

SELinux configuration file /etc/selinux/config :

# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing – SELinux security policy is enforced.
# permissive – SELinux prints warnings instead of enforcing.
# disabled – No SELinux policy is loaded.
# SELINUXTYPE= can take one of three two values:
# targeted – Targeted processes are protected,
# minimum – Modification of targeted policy. Only selected processes are protected.
# mls – Multi Level Security protection.
Toggling SELinux modes (Temporarily)

To switch between the SELinux modes temporarily we can use the setenforce command as shown below :

# setenforce [ Enforcing | Permissive | 1 | 0 ]
0 –> Permissive
1 –> Enforcing

Verify the current mode of SELinux :

# getenforce
or we can also use the sestatus command to get a detailed status :

# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux –> virtual FS similar to /proc
Current mode: enforcing –> current mode of operation
Mode from config file: permissive –> mode set in the /etc/sysconfig/selinux file.
Policy version: 24
Policy from config file: targeted
Toggling SELinux modes (Permanently) [reboot require]

SELinux mode can be set permanently using either of below methods :
1. editing /etc/selinux/config file
2. editing kernel boot options

1. editing /etc/selinux/config file

to set SELinux to permissive, set the below line in the file /etc/selinux/config to :

vi /etc/selinux/config

Similarly the mode can be set to enforcing/disable by setting the mode in the same line.

2. editing kernel boot options

Edit the kernel boot line and append enforcing=0 to the kernel boot options. For example:

title Red Hat Enterprise Linux AS (2.6.9-42.ELsmp)
root (hd0,0)
kernel /vmlinuz-2.6.9-42.ELsmp ro root=LABEL=/ rhgb quiet enforcing=0
initrd /initrd-2.6.9-42.ELsmp.img
Reboot the server.

# shutdown -r now
Forcing reboot on changing mode

We can force a reboot on changing the selinux mode :

# setsebool secure_mode_policyload on

CentOS / RHEL 7 : How to Create and Remove the LVM Mirrors Using lvconvert

When you convert a linear volume to a mirrored volume, you are basically creating an extra mirror copy for an existing volume. This means that your volume group must contain the devices and space for the mirrors and for the mirror log. If losing a copy of a mirror, LVM converts the volume to a linear volume so that you still have access to the volume. And Option ‘[ -m | –mirrors ]’ specifies the degree of the mirror you wish to create.

For example:

“-m 1” would convert the original logical volume to a mirror volume with 2-sides; that is, a linear volume plus one copy.
And ” -m 0 ” will converts the mirrored logical volume to a linear logical volume, removing or breaking the mirror leg including the mirrored devices.
Creating LVM mirrors

The following command converts the linear logical volume ‘datavg/testlv’ to a mirrored logical volume :

# lvconvert -m1 datavg/testlv
The below commands shows the configuration of the volume after the lvconvert command changed the volume to a volume with two mirror copies.

# lvs -a -o name,copy_percent,devices datavg
LV Cpy%Sync Devices
testlv 100.00 testlv_rimage_0(0),testlv_rimage_1(0)
[testlv_rimage_0] /dev/sdb(0)
[testlv_rimage_1] /dev/sdc(1)
[testlv_rmeta_0] /dev/sdb(256)
[testlv_rmeta_1] /dev/sdc(0)
# lvs –all –segments -o +devices
LV VG Attr #Str Type SSize Devices
root centos -wi-ao—- 1 linear 17.47g /dev/sda2(512)
swap centos -wi-ao—- 1 linear 2.00g /dev/sda2(0)
testlv datavg rwi-aor— 2 raid1 1.00g testlv_rimage_0(0),testlv_rimage_1(0)
[testlv_rimage_0] datavg iwi-aor— 1 linear 1.00g /dev/sdb(0)
[testlv_rimage_1] datavg iwi-aor— 1 linear 1.00g /dev/sdc(1)
[testlv_rmeta_0] datavg ewi-aor— 1 linear 4.00m /dev/sdb(256)
[testlv_rmeta_1] datavg ewi-aor— 1 linear 4.00m /dev/sdc(0)
Removing LVM mirrors

The following command converts the mirrored logical volume datavg/testlv to a linear logical volume, removing or breaking the mirror copy including the mirrored devices. Note that, we have to specify the device to detach the mirror copy.

# lvconvert -m0 datavg/testlv /dev/sdc
Check the status of volume and devices again to see the difference :

# lvs -a -o +devices
LV VG Attr LSize Pool Origin Data% Meta% Move Log Cpy%Sync Convert Devices
root centos -wi-ao—- 17.47g /dev/sda2(512)
swap centos -wi-ao—- 2.00g /dev/sda2(0)
testlv datavg -wi-ao—- 1.00g /dev/sdb(0)
# lvs -a -o name,devices datavg
LV Devices
testlv /dev/sdb(0)

CentOS / RHEL 7 : Beginners guide to firewalld


– A packet filtering firewall reads incoming network packets and filters (allows or denies) each data packet based on the header information in the packet. The Linux kernel has built-in packet filtering functionality called Netfilter.
– Two services are available in RHEL 7 to create, maintain, and display the rules stored by Netfilter:
1. firewalld
2. iptables
– In RHEL 7, the default firewall service is firewalld.
– firewalld is a dynamic firewall manager which supports firewall (network) zones.
– The firewalld service has support for IPv4, IPv6, and for Ethernet bridges.
– The firewalld service also provides a D-BUS interface. Services or applications already using D-BUS can add or request changes to firewall rules directly through the D-BUS interface.

Advantages over iptables

firewalld has the following advantages over iptables :
1. Unlike the iptables command, the firewall-cmd command does not restart the firewall and disrupt established TCP connections.
2. firewalld supports dynamic zones.
3. firewalld supports D-Bus for better integration with services that depend on firewall configuration.

Configuration options

The firewalld service has two types of configuration options:
1. Runtime: Changes to firewall settings take effect immediately but are not permanent. Changes made in runtime configuration mode are lost when the firewalld service is restarted.
2. Permanent: Changes to firewall settings are written to configuration files. These changes are applied when the firewalld service restarts.

Configuration files

Configuration files for firewalld exist in two directories:
/usr/lib/firewalld: Contains default configuration files. Do not make changes to these files. An upgrade of the firewalld package overwrites this directory.
/etc/firewalld: Changes to the default configuration files are stored in this directory.Files in this directory overload the default configuration files.

firewalld zones

The firewalld service allows you to separate networks into different zones based on the level of trust you want to place on the devices and traffic within a specific network. For each zone you can define the following features:
Services: Predefined or custom services to trust. Trusted services are a combination of ports and protocols that are accessible from other systems and networks.
Ports: Additional ports or port ranges and associated protocols that are accessible from other systems and networks.
Masquerading: Translate IPv4 addresses to a single external address. With masquerading enabled, addresses of a private network are mapped to and hidden behind a public address.
Port Forwarding: Forward inbound network traffic from a specific port or port range to an alternative port on the local system, or to a port on another IPv4 address.
ICMP Filter: Block selected Internet Control Message Protocol messages.
Rich Rules: Extend existing firewalld rules to include additional source and destination addresses and logging and auditing actions.
Interfaces: Network interfaces bound to the zone. The zone for an interface is specified with the ZONE=option in the /etc/sysconfig/network-scripts/ifcfg file. If the option is missing, the interface is bound to the default zone.

Predefined firewalld Zones

The firewalld software package includes a set of predefined network zones in the following directory:

# ls -lrt /usr/lib/firewalld/zones/
total 36
-rw-r—– 1 root root 342 Sep 15 2015 work.xml
-rw-r—– 1 root root 162 Sep 15 2015 trusted.xml
-rw-r—– 1 root root 315 Sep 15 2015 public.xml
-rw-r—– 1 root root 415 Sep 15 2015 internal.xml
-rw-r—– 1 root root 400 Sep 15 2015 home.xml
-rw-r—– 1 root root 304 Sep 15 2015 external.xml
-rw-r—– 1 root root 291 Sep 15 2015 drop.xml
-rw-r—– 1 root root 293 Sep 15 2015 dmz.xml
-rw-r—– 1 root root 299 Sep 15 2015 block.xml
The zone files contain preset settings, which can be applied to a network interface. For example:

# grep –i service /usr/lib/firewalld/zones/public.xml

In this example, network interfaces bound to the public zone trust only two services, ssh and dhcpv6-client.

A brief explanation of each zone follows:
drop: Any incoming network packets are dropped, there is no reply. Only outgoing
network connections are possible.
block: Any incoming network connections are rejected with an icmp-host- prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
home: For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
public: For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
work: For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz: For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
internal: For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted: All network connections are accepted.

Setting the Default firewalld Zone

After an initial installation, the public zone is the default zone as specified in the configuration file, /etc/firewalld/firewalld.conf.

# grep –i defaultzone /etc/firewalld/firewalld.conf
Network interfaces are bound to the default zone unless specified with ZONE=[zone] in the ifcfg file. The following command shows the interfaces that are bound to the public zone:

# firewall-cmd –get-active-zone
interfaces: eth0 eth1
You can use the firewall-cmd command to change the default zone:

# firewall-cmd –set-default-zone=work
You can also use the firewall-config GUI to change the default zone. From the menu bar, select Options->Change Default Zone, and then select a zone from a pop-up list.

firewalld Services

– A firewalld service is a combination of local ports and protocols and destination addresses.
– A firewalld service can also include Netfilter kernel modules that are automatically loaded when a service is enabled.
– The firewalld software package includes a set of predefined services in the following directory:

# # ls -lrt /usr/lib/firewalld/zones/
total 36
-rw-r—– 1 root root 342 Sep 15 2015 work.xml
-rw-r—– 1 root root 162 Sep 15 2015 trusted.xml
-rw-r—– 1 root root 315 Sep 15 2015 public.xml
-rw-r—– 1 root root 415 Sep 15 2015 internal.xml
-rw-r—– 1 root root 400 Sep 15 2015 home.xml
-rw-r—– 1 root root 304 Sep 15 2015 external.xml
-rw-r—– 1 root root 291 Sep 15 2015 drop.xml
-rw-r—– 1 root root 293 Sep 15 2015 dmz.xml
-rw-r—– 1 root root 299 Sep 15 2015 block.xml
– Services can be enabled for a zone in Runtime mode.
– Service definitions can only be edited in Permanent mode.

Start firewalld

To start firewalld:

# systemctl start firewalld
To ensure firewalld starts at boot time:

# systemctl enable firewalld
To check if firewalld is running:

# systemctl status firewalld
# firewall-cmd –state
Three methods to configure the firewalld service:
– firewall-cmd : Command-line interface
– firewall-config : Graphical user interface
– Edit various XML configuration files.

The firewall-cmd Utility

The command-line tool firewall-cmd is part of the firewalld application, which is installed by default. To get help on the firewall-cmd command:

# firewall-cmd –help
The firewall-cmd command offers categories of options such as General, Status, Permanent, Zone, IcmpType, Service, Adapt and Query Zones, Direct, Lockdown, Lockdown Whitelist, and Panic. To list information for all zones:

# firewall-cmd –list-all-zones public (default, active)
interfaces: eth0 eth1
services: dhcpv6-client ssh

To permit access by HTTP clients for the public zone:

# firewall-cmd –zone=public –add-service=http
To list services that are allowed for the public zone:

# firewall-cmd –zone=work –list-services
dhcpv6-client http ssh
Using this command only changes the Runtime configuration and does not update the configuration files.
The configuration changes made in Runtime configuration mode are lost when the firewalld service is restarted:

# systemctl restart firewalld
# firewall-cmd –zone=work –list-services dhcpv6-client ssh
To make changes permanent, use the –permanent option. Example:

# firewall-cmd –permanent –zone=public –add-service=http
Changes made in Permanent configuration mode are not implemented immediately. However, changes made in Permanent configuration are written to configuration files. Restarting the firewalld service reads the configuration files and implements the changes. Example:

# systemctl restart firewalld
# firewall-cmd –zone=work –list-services
dhcpv6-client http ssh

CentOS / RHEL 7 : Configuring an NFS server and NFS client

NFS allows a linux server to share directories with other UNIX clients over network. NFS server exports a directory and NFS client mounts this directory. RHEL 7 supports two version of NFS – NFSv3 and NFSv4.

NFS server and RPC processes

starting the nfs-server process starts the NFS server and other RPC processes. RPC processes includes:
– rpc.statd : implements monitoring protocol (NSM) between NFS client and NFS server
– rpc.mountd : NFS mount daemon that implements the server side of the mount requests from NFSv3 clients.
– rpc.idmapd : Maps NFSv4 names and local UIDs and GIDs
– rpc.rquotad : provides user quota information for remote users.

Configuring NFS server

1. Install the required nfs packages if not already installed on the server :

# rpm -qa | grep nfs-utils
# yum install nfs-utils rpcbind
2. Enable the services at boot time:

# systemctl enable nfs-server
# systemctl enable rpcbind
# systemctl enable nfs-lock
In RHEL7.1 (nfs-utils-1.3.0-8.el7) enabling nfs-lock does not work (No such file or directory). it does not need to be enabled since rpc-statd.service is static.

# systemctl enable nfs-idmap
In RHEL7.1 (nfs-utils-1.3.0-8.el7) this does not work (No such file or directory). it does not need to be enabled since nfs-idmapd.service is static.

3. Start the NFS services:

# systemctl start rpcbind
# systemctl start nfs-server
# systemctl start nfs-lock
# systemctl start nfs-idmap
4. Check the status of NFS service:

# systemctl status nfs
5. Create a shared directory:

# mkdir /test
6. Export the directory. The format of the /etc/exports file is :

dir client1 (options) [client2(options)…]
Client options include (defaults are listed first) :
ro / rw :
a) ro : allow clients read only access to the share.
b) rw : allow clients read write access to the share.
sync / async :
a) sync : NFS server replies to request only after changes made by previous request are written to disk.
b) async : specifies that the server does not have to wait.
wdelay / no_wdelay
a) wdelay : NFS server delays committing write requests when it suspects another write request is imminent.
b) no_wdelay : use this option to disable to the delay. no_wdelay option can only be enabled if default sync option is enabled.
no_all_squash / all_squash :
a) no_all_squash : does not change the mapping of remote users.
b) all_squash : to squash all remote users including root.
root_squash / no_root_squash :
a) root_squash : prevent root users connected remotely from having root access. Effectively squashing remote root privileges.
b) no_root_squash : disable root squashing.

Example :

# vi /etc/exports
/test *(rw)
7. Exporting the share :

# exportfs -r
-r re-exports entries in /etc/exports and sync /var/lib/nfs/etab with /etc/exports. The /var/lib/nfs/etab is the master export table. Other options that can be used with exportfs command are :

-a : exports entries in /etc/exports but do not synchronize with /var/lib/nfs/etab
-i : ignore entries in /etc/exports and uses command line arguments.
-u : un-export one or more directories
-o : specify client options on command line
8. Restart the NFS service:

# systemctl restart nfs-server
Configuring NFS client

1. Install the required nfs packages if not already installed on the server :

# rpm -qa | grep nfs-utils
# yum install nfs-utils
2. Use the mount command to mount exported file systems. Syntax for the command:

mount -t nfs -o options host:/remote/export /local/directory
Eample :

# mount -t nfs -o ro,nosuid remote_host:/home /remote_home
This example does the following:
– It mounts /home from remote host (remote_host) on local mount point /remote_home.
– File system is mounted read-only and users are prevented from running a setuid program (-o ro,nosuid options).

3. Update /etc/fstab to mount NFS shares at boot time.

# vi /etc/fstab
remote_host:/home /remote_home nfs ro,nosuid 0 0
Firewalld services to be active on NFS server

For the NFS server to work, enable the nfs, mountd, and rpc-bind services in the relevant zone in the firewall-config application or using firewall-cmd :

# firewall-cmd –add-service=nfs –zone=internal –permanent
# firewall-cmd –add-service=mountd –zone=internal –permanent
# firewall-cmd –add-service=rpc-bind –zone=internal –permanent

CentOS / RHEL 7 : How to switch to iptables from firewalld

Question : How to disable firewalld and enable iptables instead?

Answer :
To switch to from firewalld to iptables follow the steps given below.

1. Firstly ensure the iptables-services package is installed.

# yum install -y -q iptables-services
2. Then prepare the iptables rules you wish to use by editing /etc/sysconfig/iptables and /etc/sysconfig/ipt6tables.

3. Next, disable and stop the firewalld service

# systemctl disable firewalld
rm ‘/etc/systemd/system/basic.target.wants/firewalld.service’
rm ‘/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service’
# systemctl stop firewalld
4. Then start iptables services :

# systemctl start iptables
# systemctl start ip6tables
5. Enable iptables service to automatically start at boot :

# systemctl enable iptables
ln -s ‘/usr/lib/systemd/system/iptables.service’ ‘/etc/systemd/system/basic.target.wants/iptables.service’
# systemctl enable ip6tables
ln -s ‘/usr/lib/systemd/system/ip6tables.service’ ‘/etc/systemd/system/basic.target.w

CentOS / RHEL 7 firewalld : Command line reference (Cheat Sheet)

Firewalld is the new way of interacting with the iptables rules in RHEL 7. It allows to set new sucurity rules and activate them in runtime without disconnecting any existing connections.

Managing firewalld

# firewall-cmd –state — Display whether service is running
# systemctl status firewalld — Another command to display status of service
# systemctl restart firewall-cmd — To restart service
# firewall-cmd –reload — To reload the permanent rules without interrupting existing persistent connections
To start/stop/status firewalld service

# systemctl start firewalld.service
# systemctl stop firewalld.service
# systemctl status firewalld.service
To enable/disable firewalld service at boot time

To enable firewalld service from starting at boot time.

# systemctl enable firewalld
To disable firewalld service from starting at boot time.

# systemctl disable firewalld
To list details of default and active zones

# firewall-cmd –get-default-zone
# firewall-cmd –get-active-zones
# firewall-cmd –list-all
To add/remove interfaces to zones

To add interface “eth1” to “public” zone.

# firewall-cmd –zone=public –change-interface=eth1
To list/add/remove services to zones

To list available services :

# firewall-cmd –get-services
To add “samba and samba-client” service to a specific zone. You may include, “permanent” flag to make this permanent change.

# firewall-cmd –zone=public –add-service=samba –add-service=samba-client –permanent
To list services configured in a specific zone.

# firewall-cmd –zone=public –list-service
To list and Add ports to firewall

# firewall-cmd –list-ports
# firewall-cmd –zone=public –add-port=5000/tcp
You may restart the Network service followed by Firewall server.

# systemctl restart network.service
# systemctl restart firewalld.service

CentOS / RHEL 7 : How to password protect GRUB2 menu entries

Why should a Linux boot loader have password protection?

The following are the primary reasons for password protecting a Linux boot loader:
1. Preventing Access to Single User Mode – If an attacker can boot into single user mode, he becomes the root user.
2. Preventing Access to the GRUB Console – If the machine uses GRUB as its boot loader, an attacker can use the GRUB editor interface to change its configuration or to gather information using the cat command.
3. Preventing Access to Non-Secure Operating Systems – If it is a dual-boot system, an attacker can select at boot time an operating system, such as DOS, which ignores access controls and file permissions.

Password protecting GRUB2

Follow the steps below to password protect GRUB2 in RHEL 7.
1. Remove –unrestricted from the main CLASS= declaration in /etc/grub.d/10_linux file.
This can be done by using sed to replace the

# sed -i “/^CLASS=/s/ –unrestricted//” /etc/grub.d/10_linux
2. If a user hasn’t already been configured, use grub2-setpassword to set a password for the root user :

# grub2-setpassword
This creates a file /boot/grub2/user.cfg if not already present, which contains the hashed GRUB bootloader password. This utility only supports configurations where there is a single root user.
Example /boot/grub2/user.cfg file :

# cat /boot/grub2/user.cfg
3. Recreate the grub config with grub2-mkconfig :

# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file …
Found linux image: /boot/vmlinuz-3.10.0-327.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-f9725b0c842348ce9e0bc81968cf7181
Found initrd image: /boot/initramfs-0-rescue-f9725b0c842348ce9e0bc81968cf7181.img
4. Reboot the server and verify.

# shutdown -r now
Note that all defined grub menu entries will now require entering user & password each time at boot; henceforth, the system will not boot any kernel without direct user intervention from the console. When prompted for user, enter “root”. When prompted for password, enter whatever was passed to the grub2-setpassword command :

password protect GRUB2 menu entries
Remove password protection

To remove the password protection we can add the –unrestricted text in the main CLASS= declaration in /etc/grub.d/10_linux file again. Another way is to remove the /boot/grub2/user.cfg file which stores the hashed GRUB bootloader password.

Restricting only GRUB menu entry editing

If you only want to simply prevent users from entering the grub command line and edit menu entries (as opposed to completely locking menu entries), then all that is needed is execution of grub2-setpassword command.

CentOS / RHEL 7 : Chrony V/s NTP (Differences Between ntpd and chronyd) Chosing between Chrony and NTP

CentOS / RHEL 7 : Chrony V/s NTP (Differences Between ntpd and chronyd)
Chosing between Chrony and NTP

– In RHEL 7 ntpd is replaced by chronyd as the default network time protocol daemon.
– Basic configuration for synchronize time and date is stored in the file /etc/chrony.conf.
– ntpd is still included in yum repository for customers who need to run an NTP service.
– Chrony is a different implementation of the network time protocol (NTP) than the network time protocol daemon (ntpd) that is able to synchronize the system clock faster and with better accuracy than ntpd.

Benefits of Chrony include:

1. Faster synchronization requiring only minutes instead of hours to minimize the time and frequency error, which is useful on desktops or systems not running 24 hours a day.
2. Better response to rapid changes in the clock frequency, which is useful for virtual machines that have unstable clocks or for power-saving technologies that don’t keep the clock frequency constant.
3. After the initial synchronization, it never steps the clock so as not to affect applications needing system time to be monotonic.
4. Better stability when dealing with temporary asymmetric delays, for example when the link is saturated by a large download.
5. Periodic polling of servers is not required, so systems with intermittent network connections can still quickly synchronize clocks.

When to use chrony

Chrony would be considered a best match for the systems which are frequently suspended or otherwise intermittently disconnected from a network (mobile and virtual servers etc).

When to use NTP

The NTP daemon (ntpd) should be considered for systems which are normally kept permanently on. Systems which are required to use broadcast or multicast IP, or to perform authentication of packets with the Autokey protocol, should consider using ntpd.

CentOS / RHEL 7 : How to sync chrony to local clock

Question : How to sync chrony to the local clock.

Answer :
When the chrony service starts, there are some settings in the /etc/chrony/chrony.conf file that tells it to actually set the time if specific conditions occur. Below procedure lts you set the local clock as the source for chrony to synchronize the time.

1. Currently the chrony does not sync to local clock and ‘chronyc sources’ command gives the following result :

# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
^? localhost
2. Edit /etc/chrony.conf to add the settings below. The configuration file needs atleast 3 of the below entries to have a local clock synchronization.

# vi /etc/chrony.conf
local stratum 10
3. Restart chronyd service

# systemctl restart chronyd.service
4. Verify the status of chrony synchronization

# chronyc sources
210 Number of sources = 1
MS Name/IP address Stratum Poll Reach LastRx Last sample
^* 15 6 377 42 -4471ns[ -13us] +/- 204us