Some files to work with on LL-103
# Lab: build an authoritative BIND master for the student's domainN.example.com zone on server0.
# This is a terminal transcript (prompts and command output inline); "N" is the student-number placeholder.
[root@server0 ~]# yum install bind bind-utils -y | |
[root@server0 ~]# vim /etc/named.conf | |
:set number | |
# named.conf lines 11-12: commenting out listen-on / listen-on-v6 makes named bind every
# interface instead of loopback only (see the 172.25.0.11 sockets in the netstat output below).
11 #listen-on port 53 { ; }; | |
12 #listen-on-v6 port 53 { ::1; }; | |
# named.conf line 17: with allow-query commented out, named answers queries from any source.
# NOTE(review): the stock RHEL named.conf also carries `recursion yes;` - left as-is together
# with an unrestricted allow-query this is an open resolver usable for DNS amplification.
# For an authoritative-only server set `recursion no;` (or limit allow-recursion to the lab
# network). Confirm against the actual file, it is not shown here.
17 #allow-query { localhost; }; | |
# The zone name declared here must match the SOA owner in the zone file and the name passed
# to named-checkzone. The zone file is rewritten from domain0 to domainN below, so this line
# must name domainN.example.com for the same N (domain0 is only right for student 0).
55 zone "domain0.example.com" IN { | |
56 type master; | |
57 file "domain.example.com.zone"; | |
58 }; | |
:wq | |
# Syntax check of named.conf only; it does not load zone data.
[root@server0 ~]# named-checkconf | |
# Zone data is pulled from a public gist as root and will be served verbatim - read it before
# loading. The file ends up root-owned with mode per umask (normally 0644), which the named
# user can read; a master zone needs nothing more.
[root@server0 ~]# wget https://gist.githubusercontent.com/dmi3mis/3bbcd4f64f6d2edb488df7a3e88bf268/raw/97229fe20f118954e51f1cef85972cb9bf71def4/domainN.example.com.zone.txt -O /var/named/domain.example.com.zone | |
[root@server0 ~]# vim /var/named/domain.example.com.zone | |
:%s/domain0/domainN/g | |
:wq | |
# named-checkzone validates the file against the origin given on the command line; a
# mismatch with the SOA owner is reported here, a mismatch with named.conf is not.
[root@server0 ~]# named-checkzone domainN.example.com /var/named/domain.example.com.zone | |
zone domainN.example.com/IN: loaded serial 2016092000 | |
OK | |
[root@server0 ~]# systemctl enable named | |
[root@server0 ~]# systemctl start named | |
# Opens 53/tcp and 53/udp in firewalld's default zone to every source.
[root@server0 ~]# firewall-cmd --permanent --add-service=dns | |
success | |
[root@server0 ~]# firewall-cmd --reload | |
success | |
# Both the loopback and the 172.25.0.11 sockets show up because listen-on was removed above.
[root@server0 ~]# netstat -taupen |grep ":53 " | |
tcp 0 0 172.25.0.11:53 0.0.0.0:* LISTEN 25 68951 4477/named | |
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25 68949 4477/named | |
udp 0 0 172.25.0.11:53 0.0.0.0:* 25 68950 4477/named | |
udp 0 0 127.0.0.1:53 0.0.0.0:* 25 68948 4477/named | |
# Without @server, dig asks whatever resolver the client is configured with, so this does not
# prove the new server answers. Use `dig @172.25.0.11 domain0.example.com` from the client
# (add +norecurse and look for the aa flag to confirm the answer is authoritative).
[user@host ~]# dig domain0.example.com | |
; Lab zone file for domainN.example.com (downloaded template; "domain0" is rewritten to
; domainN with the vim substitution shown in the DNS transcript). Every name resolves to
; 172.25.0.11, the single lab host.
; The trailing ";" after the TTL value starts a comment; it is harmless.
$TTL 86400; | |
; SOA: primary name server and hostmaster mailbox (postmaster@domain0.example.com).
; Serial is YYYYMMDDnn - bump it on every edit, otherwise secondaries keep serving the old
; data until refresh/expire say otherwise.
domain0.example.com. IN SOA ns.domain0.example.com. postmaster.domain0.example.com. ( | |
2016092000 ; serial number | |
1H ; refresh slave | |
5M ; retry query | |
1W ; expire | |
1M ; negative TTL | |
) | |
; A single NS, on the same host as everything else: no redundancy.
@ IN NS ns.domain0.example.com. | |
; Two MX records with equal preference 10 - senders pick either; both are the same IP here.
@ IN MX 10 server0.domain0.example.com. | |
@ IN MX 10 mail.domain0.example.com. | |
; Empty owner field inherits the previous owner (@): this is the apex A record.
IN A 172.25.0.11 | |
ns IN A 172.25.0.11 | |
server0 IN A 172.25.0.11 | |
desktop0 IN A 172.25.0.11 | |
mail IN A 172.25.0.11 | |
desktop IN A 172.25.0.11 | |
; NOTE(review): nothing in the named.conf edits restricts allow-transfer, and the BIND 9
; versions of this era allowed AXFR to anyone by default, so the whole map is retrievable
; with `dig @172.25.0.11 domain0.example.com AXFR`. Add `allow-transfer { none; };` (or the
; secondary's address) to the zone stanza if that matters outside the lab - confirm the
; default for the installed BIND version.
# Lab: firewalld zones on serverX - interface eth0 lands in the default zone (dmz), the lab
# subnet is mapped to the "work" zone by source address, and only work gets https/http.
# Transcript: prompts and output inline; X is the student-number placeholder.
[root@serverX ~]# systemctl status firewalld.service | |
..... | |
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) | |
Active: active (running) since Thu 2016-10-06 10:21:22 SAKT; 3h 2min ago | |
..... | |
[root@serverX ~]# yum install httpd mod_ssl -y | |
[root@serverX ~]# systemctl enable httpd.service | |
[root@serverX ~]# systemctl start httpd.service | |
[root@serverX ~]# echo "Test Server" >> /var/www/html/index.html | |
# --set-default-zone changes runtime and permanent configuration at once; every interface not
# explicitly bound to a zone (eth0 here) moves to dmz, whose stock dmz.xml admits only ssh.
[root@serverX ~]# firewall-cmd --set-default-zone=dmz | |
# firewalld matches a packet by source binding before interface binding, so traffic from
# 172.25.X.0/24 is handled by "work" (https allowed) and everything else by dmz.
[root@serverX ~]# firewall-cmd --permanent --zone=work --add-source=172.25.X.0/24 | |
[root@serverX ~]# firewall-cmd --permanent --zone=work --add-service=https | |
[root@serverX ~]# firewall-cmd --reload | |
[root@serverX ~]# firewall-cmd --get-default-zone | |
dmz | |
interface: eth0 | |
work | |
sources: 172.25.X.0/24 | |
..... | |
# work already ships with dhcpv6-client, ipp-client and ssh; https is the addition.
[root@serverN ~]# firewall-cmd --zone=work --list-all | |
work | |
interfaces: | |
sources: 172.25.X.0/24 | |
services: dhcpv6-client https ipp-client ssh | |
..... | |
# From the lab subnet: port 80 is refused (only https is in work), 443 is reachable.
[student@desktopX ~]# curl http://serverX.example.com | |
curl: (7) Failed to connect to serverX.example.com:80; No route to host | |
# -k turns certificate verification off completely (no MITM protection). Acceptable for a
# throw-away self-signed lab cert; for anything real pass the issuing CA with --cacert instead.
[student@desktopX ~]# curl -k https://serverX.example.com # Certificate is self-signed so we need to use curl with -k | |
Test server | |
# --permanent only: this takes effect at the --reload further down.
[root@serverX ~]# firewall-cmd --permanent --zone=work --add-service=http | |
# Lets test packet logging with firewalld | |
# Rich rule: accept HTTP from one host and log each new connection through the kernel log
# (hence /var/log/messages) at level notice with the "NEW HTTP " prefix. The 3/s limit belongs
# to the log element, so it bounds log volume, not the accept.
# NOTE(review): no --zone is given, so this lands in the default zone (dmz). 172.25.X.10 falls
# inside the 172.25.X.0/24 source bound to work above, and source bindings win, so this rule
# is most likely never consulted for desktopX - the curl below is admitted by work's http
# service, and nothing should appear in the log. Add --zone=work and re-test to confirm.
[root@serverX ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.X.10/32 service name="http" log level=notice prefix="NEW HTTP " limit value="3/s" accept' | |
[root@serverX ~]# firewall-cmd --reload | |
[root@serverX ~]# tail -f /var/log/messages # Lets see http packets logs | |
[student@desktopX ~]# curl http://serverX.example.com | |
#Lets test packet forwarding with firewalld | |
# Port forward 44 -> 22 on this host (no to-addr, i.e. a local redirect, no masquerading
# needed), again restricted to one source address; sshd itself keeps listening on 22.
# NOTE(review): same zone concern as the logging rule above - without --zone=work the
# desktopX source is handled by work, not dmz; verify the ssh -p 44 below actually succeeds.
[root@serverX ~]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.25.X.10/32 forward port port=44 protocol=tcp to-port=22' | |
[root@serverX ~]# firewall-cmd --reload | |
[student@desktopX ~]# ssh -p 44 serverX.example.com | |
# First-use host-key prompt (trust on first use). Before answering yes compare the fingerprint
# with the server's own (`ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub`) over another
# channel; a forged key accepted here is pinned in known_hosts from then on.
The authenticity of host 'server0 (172.25.X.11)' can't be established. | |
ECDSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX. | |
Are you sure you want to continue connecting (yes/no)? yes | |
Warning: Permanently added 'server0,172.25.X.11' (ECDSA) to the list of known hosts. | |
# The password appears here only as the lab placeholder; ssh never echoes it, and a real
# transcript must never carry one.
student@server0's password: student | |
Last login: XXXXX | |
[student@serverX ~]# hostname | |
serverx.example.com | |
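#Lets test selinux port labels
# Lab: httpd (httpd_t) may only bind ports labelled http_port_t. Moving it to an unlabelled
# port makes the service fail to start until the port is added to the type.
# Transcript: prompts and output inline.
[root@server0 ~]# semanage port -l |grep http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
[root@server0 ~]# vim /etc/httpd/conf/httpd.conf
# The directive is "Listen 85" (no colon). "Listen: 85" is an httpd configuration syntax
# error and would make the restart fail for a reason that has nothing to do with SELinux.
42 Listen 85 #change string 80 to 85
[root@server0 ~]# systemctl restart httpd
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
# -p err shows only systemd's generic failure line. The real cause is an AVC denial in the
# audit log: `ausearch -m avc -ts recent` (or `sealert -a /var/log/audit/audit.log`).
# httpd's own message (typically a "Permission denied ... could not bind to address" line)
# is visible with `journalctl -u httpd` without the -p filter.
[root@server0 ~]# journalctl -u httpd -p err
-- Logs begin at Thu 2016-10-06 10:21:16 SAKT, end at Thu 2016-10-06 13:36:49 SAKT. --
Oct 06 13:36:38 server0.example.com systemd[1]: Failed to start The Apache HTTP Server.
# Add 85/tcp to http_port_t; persistent and survives a relabel. semanage refuses -a for a
# port that is already assigned to another type - use -m in that case.
[root@server0 ~]# semanage port -a -t http_port_t -p tcp 85
[root@server0 ~]# systemctl restart httpd
[root@server0 ~]# systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Thu 2016-10-06 13:39:27 SAKT; 9s ago
Process: 2248 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Main PID: 2340 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─2340 /usr/sbin/httpd -DFOREGROUND
├─2341 /usr/sbin/httpd -DFOREGROUND
├─2342 /usr/sbin/httpd -DFOREGROUND
├─2343 /usr/sbin/httpd -DFOREGROUND
├─2344 /usr/sbin/httpd -DFOREGROUND
└─2345 /usr/sbin/httpd -DFOREGROUND
Oct 06 13:39:27 server0.example.com systemd[1]: Starting The Apache HTTP Server...
Oct 06 13:39:27 server0.example.com systemd[1]: Started The Apache HTTP Server.
# The grep matches only the IPv6 wildcard socket; on a dual-stack host it accepts IPv4 as well.
[root@server0 ~]# netstat -taupne |grep :::85
tcp6 0 0 :::85 :::* LISTEN 0 197542 2340/httpd
# Opens 85/tcp in firewalld's default zone to every source.
[root@server0 ~]# firewall-cmd --permanent --add-port=85/tcp
success
[root@server0 ~]# firewall-cmd --reload
success
[root@server0 ~]# echo "test server" >> /var/www/html/index.html
[root@server0 ~]# curl http://server0.example.com:85
test server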
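# Lab: SELinux file labels. Content that is *moved* into the DocumentRoot keeps the label it
# had in the home directory, so httpd (httpd_t) is denied until it is relabelled; a copy would
# have inherited httpd_sys_content_t from /var/www/html instead.
mkdir web_content
# -r is required: without it cp skips the pam-* directories ("omitting directory") and copies nothing.
cp -r /usr/share/doc/pam*/ ~/web_content
# mv preserves the SELinux context (user_home_t, or admin_home_t when done from /root).
mv ~/web_content /var/www/html
# Expect web_content to carry the home-directory type while its siblings are httpd_sys_content_t.
ls -alZ /var/www/html
# The request should be refused (403 expected) while the label is wrong.
curl -I http://localhost/web_content/
# The Apache log on RHEL is error_log (underscore); the denial itself is an AVC in the audit log.
tail /var/log/httpd/error_log
ausearch -m avc -ts recent
# sealert -b opens the graphical browser; on a headless host use: sealert -a /var/log/audit/audit.log
sealert -b
# Reapply the policy default label (httpd_sys_content_t) to the moved tree.
restorecon -R /var/www/html/web_content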
# Lab: key-based root login from demo to remote1. Transcript: prompts and output inline.
# The two passphrase prompts show no input (ssh-keygen never echoes it). If the passphrase was
# left empty, anyone who can read /root/.ssh/id_rsa gets root on remote1 - use a passphrase
# plus ssh-agent for a root key, and prefer `-t ed25519` (or `-b 4096`) over the 2048-bit
# RSA default shown in the randomart header.
[root@demo ~]# ssh-keygen -t rsa | |
Generating public/private rsa key pair. | |
Enter file in which to save the key (/root/.ssh/id_rsa): | |
Enter passphrase (empty for no passphrase): | |
Enter same passphrase again: | |
Your identification has been saved in /root/.ssh/id_rsa. | |
Your public key has been saved in /root/.ssh/id_rsa.pub. | |
The key fingerprint is: | |
1e:d8:cf:e4:fb:e1:76:a9:a9:54:c1:a8:2b:e4:03:d1 root@demo.example.com | |
The key's randomart image is: | |
+--[ RSA 2048]----+ | |
| | | |
| . o | | |
| . E . o | | |
| . o . . | | |
| . o S . . | | |
| + . B . | | |
| + o = . . | | |
| o . o.oo | | |
| o+=o | | |
+-----------------+ | |
[root@demo ~]# man ssh-copy-id | |
# Installs the public key into root's authorized_keys on remote1 (password auth for this one
# step). Afterwards remote1 should be set to `PermitRootLogin prohibit-password` so the
# password path is closed again.
[root@demo ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@remote1.remote.test | |
# Trust-on-first-use prompt: compare this fingerprint with remote1's own
# (`ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` on remote1) before typing yes - the key
# being copied is a root credential, and a spoofed host here receives it.
The authenticity of host 'remote1.remote.test (192.168.1.1)' can't be established. | |
RSA key fingerprint is a8:0d:2c:6a:b5:fa:d0:07:a1:0f:41:72:ad:0d:dc:9e. | |
Are you sure you want to continue connecting (yes/no)? yes | |
Warning: Permanently added 'remote1.remote.test,192.168.1.1' (RSA) to the list of known hosts. | |
root@remote1.remote.test's password: | |
# Do what it says: a stray line in authorized_keys is a persistent backdoor.
Now try logging into the machine, with "ssh 'root@remote1.remote.test'", and check in: | |
.ssh/authorized_keys | |
to make sure we haven't added extra keys that you weren't expecting. | |
# No password prompt this time: the key is in use. The user defaults to the local one (root).
[root@demo ~]# ssh remote1.remote.test | |
Last login: Thu Nov 7 11:45:53 2013 from instructor.remote.test | |
# Lab: generate a GnuPG key pair on demo, hand the public key to remote1, encrypt there,
# decrypt back on demo. Transcript (GnuPG 2.0.x): prompts and output inline.
[student@demo ~]$ gpg --gen-key | |
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc. | |
This is free software: you are free to change and redistribute it. | |
There is NO WARRANTY, to the extent permitted by law. | |
Please select what kind of key you want: | |
(1) RSA and RSA (default) | |
(2) DSA and Elgamal | |
(3) DSA (sign only) | |
(4) RSA (sign only) | |
Your selection? | |
RSA keys may be between 1024 and 4096 bits long. | |
What keysize do you want? (2048) | |
Requested keysize is 2048 bits | |
Please specify how long the key should be valid. | |
0 = key does not expire | |
<n> = key expires in n days | |
<n>w = key expires in n weeks | |
<n>m = key expires in n months | |
<n>y = key expires in n years | |
# The expiry prompt was answered with the default 0 (three times): a key that never expires
# stays usable forever if the secret key leaks. Set an expiry (e.g. 2y) - it can be extended
# later with --edit-key, and a revocation certificate should be generated right after this.
Key is valid for? (0) | |
Key does not expire at all | |
Is this correct? (y/N) | |
Key is valid for? (0) | |
Key does not expire at all | |
Is this correct? (y/N) | |
Key is valid for? (0) | |
Key does not expire at all | |
Is this correct? (y/N) y | |
GnuPG needs to construct a user ID to identify your key. | |
Real name: Trainer | |
Email address: trainer@company.com | |
Comment: key for tests | |
You selected this USER-ID: | |
"Trainer (key for tests) <trainer@company.com>" | |
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o | |
# No passphrase was given (gpg says so below): the secret key in ~/.gnupg is protected by
# file permissions only. Fine for a throw-away lab key, not for anything that outlives it.
You need a Passphrase to protect your secret key. | |
can't connect to `/home/student/.gnupg/S.gpg-agent': No such file or directory | |
You don't want a passphrase - this is probably a *bad* idea! | |
I will do it anyway. You can change your passphrase at any time, | |
using this program with the option "--edit-key". | |
We need to generate a lot of random bytes. It is a good idea to perform | |
some other action (type on the keyboard, move the mouse, utilize the | |
disks) during the prime generation; this gives the random number | |
generator a better chance to gain enough entropy. | |
We need to generate a lot of random bytes. It is a good idea to perform | |
some other action (type on the keyboard, move the mouse, utilize the | |
disks) during the prime generation; this gives the random number | |
generator a better chance to gain enough entropy. | |
gpg: key B718FC2B marked as ultimately trusted | |
public and secret key created and signed. | |
gpg: checking the trustdb | |
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model | |
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u | |
pub 2048R/B718FC2B 2013-10-26 | |
# This fingerprint is what the recipient side must compare against (see the encrypt step).
Key fingerprint = 8E2E C64C 2E6C B137 CA3F C32D 5048 E16B B718 FC2B | |
uid Trainer (key for tests) <trainer@company.com> | |
sub 2048R/2101D3E8 2013-10-26 | |
[student@demo ~]$ gpg --list-keys | |
/home/student/.gnupg/pubring.gpg | |
-------------------------------- | |
pub 2048R/B718FC2B 2013-10-26 | |
uid Trainer (key for tests) <trainer@company.com> | |
sub 2048R/2101D3E8 2013-10-26 | |
# --export writes the public key only (--export-secret-keys would be the private half); the
# .key file is safe to hand out.
[student@demo ~]$ gpg --export --armor B718FC2B > GPG-KEY.key | |
[student@demo ~]$ less GPG-KEY.key | |
[student@demo ~]$ less GPG-KEY.key | |
# Transported over SSH: integrity of the copy rests on remote1's host key having been verified.
[student@demo ~]$ scp GPG-KEY.key remote1.remote.test:~ | |
GPG-KEY.key 100% 1739 1.7KB/s 00:00 | |
[student@demo ~]$ ssh remote1.remote.test | |
Last login: Sat Oct 26 03:31:10 2013 from demo.example.com | |
[student@remote1 ~]$ less GPG-KEY.key | |
[student@remote1 ~]$ vim secret.txt | |
[student@remote1 ~]$ gpg --import GPG-KEY.key | |
gpg: key B718FC2B: public key "Trainer (key for tests) <trainer@company.com>" imported | |
gpg: Total number processed: 1 | |
gpg: imported: 1 (RSA: 1) | |
[student@remote1 ~]$ gpg --list-keyz | |
gpg: invalid option "--list-keyz" | |
[student@remote1 ~]$ gpg --list-keys | |
/home/student/.gnupg/pubring.gpg | |
-------------------------------- | |
pub 2048R/B718FC2B 2013-10-26 | |
uid Trainer (key for tests) <trainer@company.com> | |
sub 2048R/2101D3E8 2013-10-26 | |
# -r with an 8-hex-digit short key ID: 32-bit IDs are cheap to collide, so a second key with
# the same short ID could be picked silently. Prefer the full fingerprint:
# -r 8E2EC64C2E6CB137CA3FC32D5048E16BB718FC2B
[student@remote1 ~]$ gpg --encrypt --armor -r B718FC2B secret.txt | |
# The warning is GnuPG's trust check, not an error. Answering y is justified only because the
# primary fingerprint printed here matches the one shown at generation time on demo; that
# comparison (over a channel the other side cannot tamper with) is the verification step.
# The persistent way to record it is `gpg --edit-key B718FC2B` -> sign/lsign or trust.
gpg: 2101D3E8: There is no assurance this key belongs to the named user | |
pub 2048R/2101D3E8 2013-10-26 Trainer (key for tests) <trainer@company.com> | |
Primary key fingerprint: 8E2E C64C 2E6C B137 CA3F C32D 5048 E16B B718 FC2B | |
Subkey fingerprint: F8F5 9F32 B6CF C7A4 A43A DC20 D7D3 B59B 2101 D3E8 | |
It is NOT certain that the key belongs to the person named | |
in the user ID. If you *really* know what you are doing, | |
you may answer the next question with yes. | |
Use this key anyway? (y/N) y | |
# Output is secret.txt.asc; the plaintext secret.txt is still on remote1 - remove it if the
# point was to keep the content off that host.
[student@remote1 ~]$ less secret.txt | |
secret.txt secret.txt.asc | |
[student@remote1 ~]$ less secret.txt.asc | |
[student@remote1 ~]$ logout | |
Connection to remote1.remote.test closed. | |
[student@demo ~]$ scp remote1.remote.test:~/secret.txt.asc ~ | |
secret.txt.asc 100% 584 0.6KB/s 00:00 | |
# Decryption needs the secret key held on demo. The message was encrypted only, not signed,
# so this proves confidentiality but says nothing about who wrote it; use --sign --encrypt
# on the sender side when authenticity matters.
[student@demo ~]$ gpg --decrypt secret.txt.asc | |
gpg: encrypted with 2048-bit RSA key, ID 2101D3E8, created 2013-10-26 | |
"Trainer (key for tests) <trainer@company.com>" | |
this is a BIG secret! | |
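# Lab: anonymous FTP download plus a write-only ("blind drop") anonymous upload directory on
# serverX, with the matching SELinux file type and boolean. Transcript: prompts and output inline.
[user@host ~]$ ssh root@serverX
[root@serverX ~]# yum install vsftpd -y
[root@serverX ~]# systemctl enable vsftpd
[root@serverX ~]# systemctl start vsftpd
# Opens 21/tcp in the default zone to every source. Plain FTP is cleartext (no TLS configured
# here): everything uploaded or downloaded, and any non-anonymous credentials, is readable on the wire.
[root@serverX ~]# firewall-cmd --add-service=ftp --permanent
[root@serverX ~]# firewall-cmd --reload
[root@serverX ~]# echo "test file" >> /var/ftp/pub/file.txt
[user@host ~]$ ssh root@desktopX
[root@desktopX] yum install ftp lftp -y
[student@desktopX] lftp server0.example.com
cd pub
get file.txt
#Lets make anonymous upload
# The *_selinux man pages ship with selinux-policy-devel; ftpd_selinux(8) documents the
# public_content_rw_t type and the ftpd_anon_write boolean used below.
[root@serverX ~]# yum install selinux-policy-devel -y
[root@serverX ~]# mandb
[root@serverX ~]# man -k _selinux |grep ftp
[root@serverX ~]# man ftpd_selinux
# Drop directory: root-owned, group ftp (the local account anonymous sessions run as - vsftpd's
# default ftp_username), mode 0730 -> the ftp group can create files but cannot list or read
# the directory. Together with anon_umask=077 and chown_uploads below, nothing an anonymous
# client uploads can be read back or overwritten by another anonymous client.
[root@serverX ~]# mkdir /var/ftp/upload
[root@serverX ~]# chgrp ftp /var/ftp/upload
[root@serverX ~]# chmod 0730 /var/ftp/upload
# semanage is in policycoreutils-python on RHEL 7.
[root@serverX ~]# yum install policycoreutils-python -y
# public_content_rw_t is the file type vsftpd may write to on behalf of anonymous users.
# The fcontext rule is persistent (survives a relabel); restorecon applies it now.
[root@serverX ~]# semanage fcontext -a -t public_content_rw_t "/var/ftp/upload(/.*)?"
[root@serverX ~]# restorecon -R -vv /var/ftp
# The file type alone is not enough: the ftpd_anon_write boolean must be on (-P = persistent).
[root@serverX ~]# getsebool -a |grep ftp
[root@serverX ~]# setsebool -P ftpd_anon_write on
# vsftpd.conf is strict: option=value with no whitespace around "=" (vsftpd.conf(5) calls any
# space an error, and vsftpd then typically refuses to start with "500 OOPS: unrecognised
# variable in config file"); booleans are written YES/NO.
[root@serverX ~]# vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_umask=077
chown_uploads=YES
chown_username=root
# NOTE(review): root is vsftpd's default for chown_username, but a dedicated unprivileged
# account created only to own the drop box keeps anonymous clients from creating root-owned
# files at all; confirm the choice against vsftpd.conf(5).
[root@serverX ~]# systemctl restart vsftpd
# If the upload is still refused, check the AVC first: ausearch -m avc -ts recent
[student@desktopX ~] echo "test data" > file.txt
[student@desktopX ~] lftp serverX
cd upload
put file.txt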