@dmi3mis
Last active June 13, 2020 10:52
Some files to work with on LL-103
[root@server0 ~]# yum install bind bind-utils -y
[root@server0 ~]# vim /etc/named.conf
:set number
11 #listen-on port 53 { ; };
12 #listen-on-v6 port 53 { ::1; };
17 #allow-query { localhost; };
(the leading # turns these into comments, so named falls back to its defaults: it listens on every interface, as the netstat output below confirms, and answers queries from any source rather than only localhost; fine for the lab network, but on a host reachable from outside, keep allow-query restricted to the networks that need it)
55 zone "domain0.example.com" IN {
56 type master;
57 file "domain.example.com.zone";
58 };
:wq
[root@server0 ~]# named-checkconf
[root@server0 ~]# wget https://gist.githubusercontent.com/dmi3mis/3bbcd4f64f6d2edb488df7a3e88bf268/raw/97229fe20f118954e51f1cef85972cb9bf71def4/domainN.example.com.zone.txt -O /var/named/domain.example.com.zone
[root@server0 ~]# vim /var/named/domain.example.com.zone
:%s/domain0/domainN/g
:wq
[root@server0 ~]# named-checkzone domainN.example.com /var/named/domain.example.com.zone
zone domainN.example.com/IN: loaded serial 2016092000
OK
[root@server0 ~]# systemctl enable named
[root@server0 ~]# systemctl start named
[root@server0 ~]# firewall-cmd --permanent --add-service=dns
success
[root@server0 ~]# firewall-cmd --reload
success
[root@server0 ~]# netstat -taupen |grep ":53 "
tcp 0 0 172.25.0.11:53 0.0.0.0:* LISTEN 25 68951 4477/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25 68949 4477/named
udp 0 0 172.25.0.11:53 0.0.0.0:* 25 68950 4477/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 25 68948 4477/named
[user@host ~]# dig domain0.example.com
; what follows is the zone file itself (domainN.example.com.zone.txt, fetched above into /var/named/domain.example.com.zone), not dig output
$TTL 86400;
domain0.example.com. IN SOA ns.domain0.example.com. postmaster.domain0.example.com. (
2016092000 ; serial number
1H ; refresh slave
5M ; retry query
1W ; expire
1M ; negative TTL
)
@ IN NS ns.domain0.example.com.
@ IN MX 10 server0.domain0.example.com.
@ IN MX 10 mail.domain0.example.com.
IN A 172.25.0.11
ns IN A 172.25.0.11
server0 IN A 172.25.0.11
desktop0 IN A 172.25.0.11
mail IN A 172.25.0.11
desktop IN A 172.25.0.11
[root@serverX ~]# systemctl status firewalld.service
.....
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Thu 2016-10-06 10:21:22 SAKT; 3h 2min ago
.....
[root@serverX ~]# yum install httpd mod_ssl -y
[root@serverX ~]# systemctl enable httpd.service
[root@serverX ~]# systemctl start httpd.service
[root@serverX ~]# echo "Test Server" >> /var/www/html/index.html
[root@serverX ~]# firewall-cmd --set-default-zone=dmz
[root@serverX ~]# firewall-cmd --permanent --zone=work --add-source=172.25.X.0/24
[root@serverX ~]# firewall-cmd --permanent --zone=work --add-service=https
[root@serverX ~]# firewall-cmd --reload
[root@serverX ~]# firewall-cmd --get-default-zone
dmz
interface: eth0
work
sources: 172.25.X.0/24
.....
[root@serverN ~]# firewall-cmd --zone=work --list-all
work
interfaces:
sources: 172.25.X.0/24
services: dhcpv6-client https ipp-client ssh
.....
[student@desktopX ~]# curl http://serverX.example.com
curl: (7) Failed to connect to serverX.example.com:80; No route to host
[student@desktopX ~]# curl -k https://serverX.example.com # The certificate is self-signed, so -k is used here to skip verification; outside the lab, trust the server's certificate with --cacert instead of disabling the check
Test Server
[root@serverX ~]# firewall-cmd --permanent --zone=work --add-service=http
# Let's test packet logging with firewalld
[root@serverX ~]# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=172.25.X.10/32 service name="http" log level=notice prefix="NEW HTTP " limit value="3/s" accept'
[root@serverX ~]# firewall-cmd --reload
[root@serverX ~]# tail -f /var/log/messages # Let's watch the logged HTTP packets (lines carrying the "NEW HTTP " prefix)
[student@desktopX ~]# curl http://serverX.example.com
# Let's test packet forwarding with firewalld
[root@serverX ~]# firewall-cmd --permanent --add-rich-rule 'rule family=ipv4 source address=172.25.X.10/32 forward port port=44 protocol=tcp to-port=22'
[root@serverX ~]# firewall-cmd --reload
[student@desktopX ~]# ssh -p 44 serverX.example.com
The authenticity of host 'server0 (172.25.X.11)' can't be established.
ECDSA key fingerprint is XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'server0,172.25.X.11' (ECDSA) to the list of known hosts.
student@server0's password: student
Last login: XXXXX
[student@serverX ~]# hostname
serverx.example.com
# Let's test SELinux port labels
[root@server0 ~]# semanage port -l |grep http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
[root@server0 ~]# vim /etc/httpd/conf/httpd.conf
42 Listen 85 # changed from 80 to 85 (the directive takes no colon)
[root@server0 ~]# systemctl restart httpd
Job for httpd.service failed. See 'systemctl status httpd.service' and 'journalctl -xn' for details.
[root@server0 ~]# journalctl -u httpd -p err # only the systemd failure shows up here; the SELinux denial behind it is recorded in the audit log (sealert -b or ausearch -m avc), which is what points to the port-label fix below
-- Logs begin at Thu 2016-10-06 10:21:16 SAKT, end at Thu 2016-10-06 13:36:49 SAKT. --
Oct 06 13:36:38 server0.example.com systemd[1]: Failed to start The Apache HTTP Server.
[root@server0 ~]# semanage port -a -t http_port_t -p tcp 85
[root@server0 ~]# systemctl restart httpd
[root@server0 ~]# systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
Active: active (running) since Thu 2016-10-06 13:39:27 SAKT; 9s ago
Process: 2248 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Main PID: 2340 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─2340 /usr/sbin/httpd -DFOREGROUND
├─2341 /usr/sbin/httpd -DFOREGROUND
├─2342 /usr/sbin/httpd -DFOREGROUND
├─2343 /usr/sbin/httpd -DFOREGROUND
├─2344 /usr/sbin/httpd -DFOREGROUND
└─2345 /usr/sbin/httpd -DFOREGROUND
Oct 06 13:39:27 server0.example.com systemd[1]: Starting The Apache HTTP Server...
Oct 06 13:39:27 server0.example.com systemd[1]: Started The Apache HTTP Server.
[root@server0 ~]# netstat -taupne |grep :::85
tcp6 0 0 :::85 :::* LISTEN 0 197542 2340/httpd
[root@server0 ~]# firewall-cmd --permanent --add-port=85/tcp
success
[root@server0 ~]# firewall-cmd --reload
success
[root@server0 ~]# echo "test server" >> /var/www/html/index.html
[root@server0 ~]# netstat -taupne |grep :::85^C
[root@server0 ~]# curl http://server0.example.com:85
test server
mkdir web_content
cp -r /usr/share/doc/pam*/ ~/web_content # -r is needed because pam* are directories; the copies take the home-directory SELinux label, which mv preserves — that is the point of this exercise
mv ~/web_content /var/www/html
ls -alZ /var/www/html
http://localhost/web_content # open in a browser (or with curl): access should fail until the label is fixed below
/var/log/httpd/error_log # check the httpd error log (the file is named error_log)
sealert -b
restorecon -R /var/www/html/web_content
[root@demo ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
1e:d8:cf:e4:fb:e1:76:a9:a9:54:c1:a8:2b:e4:03:d1 root@demo.example.com
The key's randomart image is:
+--[ RSA 2048]----+
| |
| . o |
| . E . o |
| . o . . |
| . o S . . |
| + . B . |
| + o = . . |
| o . o.oo |
| o+=o |
+-----------------+
[root@demo ~]# man ssh-copy-id
[root@demo ~]# ssh-copy-id -i /root/.ssh/id_rsa.pub root@remote1.remote.test
The authenticity of host 'remote1.remote.test (192.168.1.1)' can't be established.
RSA key fingerprint is a8:0d:2c:6a:b5:fa:d0:07:a1:0f:41:72:ad:0d:dc:9e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remote1.remote.test,192.168.1.1' (RSA) to the list of known hosts.
root@remote1.remote.test's password:
Now try logging into the machine, with "ssh 'root@remote1.remote.test'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
[root@demo ~]# ssh remote1.remote.test
Last login: Thu Nov 7 11:45:53 2013 from instructor.remote.test
[student@demo ~]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N)
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N)
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Trainer
Email address: trainer@company.com
Comment: key for tests
You selected this USER-ID:
"Trainer (key for tests) <trainer@company.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
can't connect to `/home/student/.gnupg/S.gpg-agent': No such file or directory
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key B718FC2B marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/B718FC2B 2013-10-26
Key fingerprint = 8E2E C64C 2E6C B137 CA3F C32D 5048 E16B B718 FC2B
uid Trainer (key for tests) <trainer@company.com>
sub 2048R/2101D3E8 2013-10-26
[student@demo ~]$ gpg --list-keys
/home/student/.gnupg/pubring.gpg
--------------------------------
pub 2048R/B718FC2B 2013-10-26
uid Trainer (key for tests) <trainer@company.com>
sub 2048R/2101D3E8 2013-10-26
[student@demo ~]$ gpg --export --armor B718FC2B > GPG-KEY.key
[student@demo ~]$ less GPG-KEY.key
[student@demo ~]$ less GPG-KEY.key
[student@demo ~]$ scp GPG-KEY.key remote1.remote.test:~
GPG-KEY.key 100% 1739 1.7KB/s 00:00
[student@demo ~]$ ssh remote1.remote.test
Last login: Sat Oct 26 03:31:10 2013 from demo.example.com
[student@remote1 ~]$ less GPG-KEY.key
[student@remote1 ~]$ vim secret.txt
[student@remote1 ~]$ gpg --import GPG-KEY.key
gpg: key B718FC2B: public key "Trainer (key for tests) <trainer@company.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[student@remote1 ~]$ gpg --list-keyz
gpg: invalid option "--list-keyz"
[student@remote1 ~]$ gpg --list-keys
/home/student/.gnupg/pubring.gpg
--------------------------------
pub 2048R/B718FC2B 2013-10-26
uid Trainer (key for tests) <trainer@company.com>
sub 2048R/2101D3E8 2013-10-26
[student@remote1 ~]$ gpg --encrypt --armor -r B718FC2B secret.txt
gpg: 2101D3E8: There is no assurance this key belongs to the named user
pub 2048R/2101D3E8 2013-10-26 Trainer (key for tests) <trainer@company.com>
Primary key fingerprint: 8E2E C64C 2E6C B137 CA3F C32D 5048 E16B B718 FC2B
Subkey fingerprint: F8F5 9F32 B6CF C7A4 A43A DC20 D7D3 B59B 2101 D3E8
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[student@remote1 ~]$ ls
secret.txt secret.txt.asc
[student@remote1 ~]$ less secret.txt.asc
[student@remote1 ~]$ logout
Connection to remote1.remote.test closed.
[student@demo ~]$ scp remote1.remote.test:~/secret.txt.asc ~
secret.txt.asc 100% 584 0.6KB/s 00:00
[student@demo ~]$ gpg --decrypt secret.txt.asc
gpg: encrypted with 2048-bit RSA key, ID 2101D3E8, created 2013-10-26
"Trainer (key for tests) <trainer@company.com>"
this is a BIG secret!
[user@host ~]$ ssh root@serverX
[root@serverX ~]# yum install vsftpd -y
[root@serverX ~]# systemctl enable vsftpd
[root@serverX ~]# systemctl start vsftpd
[root@serverX ~]# firewall-cmd --add-service=ftp --permanent
[root@serverX ~]# firewall-cmd --reload
[root@serverX ~]# echo "test file" >> /var/ftp/pub/file.txt
[user@host ~]$ ssh root@desktopX
[root@desktopX] yum install ftp lftp -y
[student@desktopX] lftp server0.example.com
cd pub
get file.txt
# Let's enable anonymous upload
[root@serverX ~]# yum install selinux-policy-devel -y
[root@serverX ~]# mandb
[root@serverX ~]# man -k _selinux |grep ftp
[root@serverX ~]# man ftpd_selinux
[root@serverX ~]# mkdir /var/ftp/upload
[root@serverX ~]# chgrp ftp /var/ftp/upload
[root@serverX ~]# chmod 0730 /var/ftp/upload
[root@serverX ~]# yum install policycoreutils-python -y
[root@serverX ~]# semanage fcontext -a -t public_content_rw_t "/var/ftp/upload(/.*)?"
[root@serverX ~]# restorecon -R -vv /var/ftp
[root@serverX ~]# getsebool -a |grep ftp
[root@serverX ~]# setsebool -P ftpd_anon_write on
[root@serverX ~]# vim /etc/vsftpd/vsftpd.conf
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_umask=077
chown_uploads=YES
chown_username=root
# vsftpd rejects whitespace around "="; with anon_umask=077 and ownership handed to root, uploaded files are not readable back by the anonymous user (a write-only drop box)
[root@serverX ~]# systemctl restart vsftpd
[student@desktopX ~] echo "test data" > file.txt
[student@desktopX ~] lftp serverX
cd upload
put file.txt