@mbodo
Last active October 15, 2018 21:26
LPI notices

LPI Essentials Notices

## 9 Managing File Ownership and Permissions

  • Permissions:

    | Permission  | File                     | Directory                          | Value |
    |-------------|--------------------------|------------------------------------|-------|
    | Read (r)    | Open, view               | List directory contents            | 4     |
    | Write (w)   | Open, view, modify, save | Add or delete content in directory | 2     |
    | Execute (x) | Run executable file      | Enter the directory                | 1     |

    • Permissions are not additive:
      ```
      -r---w---x 1 user1 group1  43 28. Jun 06:49 runme.sh
      ```
      What is true:
      • user1 can only read the file, not write to it; if permissions were additive,
        user1 would be able to read, write and execute
      • group1 can only write to the file, so user2, a member of group1,
        can do `echo "Changed" > runme.sh`
      • others can execute, but without read permission they can't really
        execute the script

    Links:

    Directory traversal needs the execute (x) bit on every directory in the path.

    As user1, with /dir1/dir2/dir3:
    ```
    --x--x--x dir1
    --x--x--x dir2
    ```
    `cd /dir1/dir2/dir3` works.

    If any directory on the path lacks the execute bit, you can't change into any directory below it.

    As user1:
    ```
    --x--x--x dir1
    -----x--x dir2
    ```
    `cd /dir1/dir2/dir3` won't let you enter dir3.
    
    • Ways to get:
      ```
      -rwxrw-r-- 1 user1 group1 41 Jun 28 07:02 runme.sh
      ```
      • chmod -v u=rwx,g=rw,o=r runme.sh
      • chmod -v u+rwx,g+rw,o+r runme.sh (`+` only adds bits, so this yields exactly rwxrw-r-- only if no other bits were already set)
      • chmod -v 764 runme.sh
  • Working with Default Permissions

    • Linux creates files and directories with these default (maximum) permissions:

      • files 666 rw-rw-rw-
      • directories 777 rwxrwxrwx
    • umask

      • default is 022
      • represents the permission bits to be removed from the default
      ```
      with umask 000:

      touch myfile.txt
      rw-rw-rw- myfile.txt

      with umask 022:

      default: rw-rw-rw- myfile.txt
      umask    ----w--w-

      finally: rw-r--r-- myfile.txt
      ```
      • change umask
      ```
      umask 026   - g-w, o-rw
      ```
    • umask for directories
      ```
      umask 027   - g-w, o-rwx
      mkdir mydir1

      default:    rwxrwxrwx mydir1
      umask 027:  rwxr-x--- mydir1
      ```
    • `umask xxxx` is not persistent

      • must be added to /etc/profile or /etc/login.defs
  • Working with Special Permissions

    • SUID (4): only effective on binary executables (not shell scripts); while the binary runs, the user temporarily acts as the file owner
      ```
      chmod -v u+s dir1

      (rwsrwxr-x)
      ```
    • SGID (2): on binaries only (not shell scripts),

      • file: while the binary runs, the user temporarily acts as a member of the file's group
      • directory: files created inside inherit the directory's group instead of the user's primary group
      ```
      chmod -v g+s dir1

      (rwxrwsr-x)
      ```
    • Sticky bit (1):

      • directory (only): when set, a file in the directory can be deleted or renamed only by its owner (or the directory's owner, or root), even though other users have write permission on the directory
      ```
      chmod -v o+t dir1

      (rwxrwsr-t)
      ```

      Links:

## 11 Managing Linux Processes and Log Files

  • Understanding Linux Processes

    • Binary executables
    • Internal shell commands
    • Shell scripts
  • How Linux Processes Are Loaded

    • Parent/Child process
    • PID - Process ID Number
    • PPID - Parent Process ID Number
    • init process: PID 1, PPID 0 (PID 0 is the kernel process)
    • forking, e.g. executing `$ vi`:
      ```
      bash (PPID=111, PID=211) --> start --> subshell (PPID=211, PID=311) --> vi (PPID=311, PID=411)
      ```
      so:
      • a, vi (PPID=311, PID=411) runs within the subshell (PPID=211, PID=311)
      • b, when vi ends, the subshell (PPID=211, PID=311) ends as well
      • c, control returns to the bash (PPID=111, PID=211) process

      TODO: not sure if this is still true
  • Viewing Running Processes

    • top - press h for help on manipulating top's output format
    • ps
      ```
      ps          - display only the processes belonging to the current shell
      ps -e (-A)  - display all processes: PID, TTY, TIME, CMD
      ps -ef      - like the previous plus UID, PPID, C, STIME
      ps -efl     - like the previous plus F, S, PRI, ADDR, NI, SZ, WCHAN (shows - when the process is running)
      ```
    • free
      ```
      free -mt
      -m megabytes
      -t total
      ```
  • Prioritizing Processes

    • priority (PR) - higher number -> lower process priority, default is 80
    • nice (-20 .. +19) - lower number -> higher process priority, default is 0
    • only root can set nice values lower than 0; a normal user can only make a process nicer (raise the value)
      ```
      as root

      nice -n -15 vi

      PRI will be 65
      NI  will be -15

      as normal user

      nice -n +5 vi

      PRI will be 85
      NI  will be 5

      nice -n -5 vi
      fails with a permission error
      ```
  • Setting Priorities of Running Processes with renice

    • renice - the vi process runs under a normal user
      ```
      as root user

      current process
      0 S 54321  3809  3790  0  91  11 - 31561 poll_s pts/0    00:00:00 vi

      PID is 3809
      PRI is 91
      NI  is 11

      renice 5 3809

      PRI will be 85
      NI  will be 5

      0 S 54321  3809  3790  0  85  5 - 31561 poll_s pts/0    00:00:00 vi

      as normal user, only higher nice values are allowed, so:

      renice 6 3809 - works
      0 S 54321  3809  3790  0  86  6 - 31561 poll_s pts/0    00:00:00 vi

      renice back to 5

      renice 5 3809 - not allowed for a normal user (lowering the nice value needs root)
      ```
  • Managing Foreground and Background Processes

    • Running Processes in the Background (& | Ctrl + z):
      e.g.
      ```
      touch myscript.sh && chmod -v 0775 myscript.sh
      vi myscript.sh
      ```
      myscript.sh:
      ```
      #!/bin/bash

      sleep 1000

      exit 0
      ```
      :wq
      ```
      $ ./myscript.sh
      ...

      press Ctrl + Z

      [1]+  3908 Stopped             ./myscript.sh

      jobs -l

      [1]+  3908                    ./myscript.sh

      then

      fg 1

      $ ./myscript.sh
      ...
      ```
      fg 1 brings the stopped job back to the foreground; bg 1 would instead let it continue in the background, the same as starting it with `./myscript.sh &`.
  • Ending a Running Process

    • kill (64 signals)
      ```
      Syntax: kill -signal PID

      signal:

      SIGHUP  (1)  - hang up; daemons conventionally restart/reload on it, keeping the same PID
      SIGINT  (2)  - what Ctrl + c sends
      SIGKILL (9)  - brute force; the process gets no chance to clean up allocated resources
      SIGTERM (15) - (default when kill is given no signal) asks the process to terminate,
                     allowing it to clean up first

      e.g. for a vi process with PID 8662
      kill -15 8662

      or

      kill -SIGTERM 8662
      ```

    • killall - like kill, but takes a process name instead of a PID, e.g.
      ```
      killall -15 vi
      ```
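The difference between SIGTERM and SIGKILL described above, made visible: a worker that removes its scratch file when asked to terminate, stopped both ways, plus how the shell reports a signalled child (exit status 128 + signal number) and the PRI = 80 + NI relation from the nice/renice notes. This is an added example, not part of the original notes; the worker, the fifo handshake, the scratch file and the function names are its own.

```shell
#!/bin/sh
# Added example (not from the gist): SIGTERM vs SIGKILL as seen by a process
# that wants to clean up, and how the shell reports a signalled child.
# The worker, the scratch file and the fifo are this example's own.

# start_worker FILE: creates FILE, then starts a background worker that removes
# it only if asked politely with SIGTERM. Sets WORKER_PID. A fifo handshake
# makes sure the trap is installed before the caller sends any signal.
start_worker() {
    scratch=$1
    fifo="$scratch.ready"
    : > "$scratch"
    mkfifo "$fifo"
    (
        trap 'rm -f "$scratch"; exit 0' TERM   # SIGTERM can be caught; SIGKILL cannot
        echo ready > "$fifo"
        while :; do sleep 1; done
    ) &
    WORKER_PID=$!
    read -r ready_msg < "$fifo"
    rm -f "$fifo"
}

# stop_with SIGNAL PID: sends SIGNAL, waits for the child and stores the status
# the shell reports in STOP_STATUS: 0 after the TERM handler's clean exit,
# 128+N when signal N killed the process outright (SIGKILL -> 137).
stop_with() {
    kill -s "$1" "$2"
    STOP_STATUS=0
    wait "$2" || STOP_STATUS=$?
}

# signal_number NAME -> number, for the signals listed in the notes.
signal_number() {
    case $1 in
        HUP) echo 1 ;; INT) echo 2 ;; KILL) echo 9 ;; TERM) echo 15 ;;
        *) echo 0 ;;
    esac
}

# signal_from_status STATUS -> N when STATUS is 128+N, else 0 (normal exit).
signal_from_status() {
    if [ "$1" -gt 128 ]; then echo $(($1 - 128)); else echo 0; fi
}

# pri_for_nice NI -> the PRI value ps -l shows for that nice value
# (80 + NI in the examples above).
pri_for_nice() {
    echo $((80 + $1))
}

# Demonstration: the same worker, stopped two ways.
demo() {
    f=$(mktemp)
    start_worker "$f"
    stop_with TERM "$WORKER_PID"
    echo "SIGTERM: status $STOP_STATUS, scratch file removed: $([ -e "$f" ] && echo no || echo yes)"
    start_worker "$f"
    stop_with KILL "$WORKER_PID"
    echo "SIGKILL: status $STOP_STATUS (signal $(signal_from_status "$STOP_STATUS")), scratch file removed: $([ -e "$f" ] && echo no || echo yes)"
    rm -f "$f"
}
demo
```

After `kill -15` the worker's trap runs and the file is gone; after `kill -9` the file stays behind, which is exactly the "will not clean up allocated resources" point, and `wait` reports 137 for it.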


## 13 Connecting Linux to a Network

* What is a protocol

* OSI Model
 - Physical
 - Data link - Datagrams
 - Network - IP (Internet Protocol), ICMP (Internet Control Message Protocol)
 - Transport - Packets, TCP (Transmission Control Protocol), UDP (User Datagram Protocol)
 - Session
 - Presentation
 - Application

* Ports
  ICANN (Internet Corporation for Assigned Names and Numbers)
  Port range: 0 - 65535
 - Well-known ports (0 - 1023):
   ```
   Ports 20 and 21: FTP
   Port 23: Telnet
   Port 25: SMTP
   Port 80: HTTP
   Port 110: POP3
   Port 119: NNTP (news)
   Ports 137, 138, 139: NetBIOS
   Port 443: HTTPS
   ```
 - Registered ports (1024 - 49151)
 - Dynamic ports/Private ports (49152 - 65535)
 
* IP Addresses (Network layer) - logically assigned to a network host
 - MAC address (Data link layer) - permanent hardware address
 - ARP maps logical IP addresses to hard-coded MAC addresses
 - An IPv4 address consists of four octets, each an 8-bit binary number.
   Example:
   192.168.1.1 - 11000000.10101000.00000001.00000001
 - Conversion:
   ```
   Bit 1 = 128
   Bit 2 = 64
   Bit 3 = 32
   Bit 4 = 16
   Bit 5 = 8
   Bit 6 = 4
   Bit 7 = 2
   Bit 8 = 1

   11000000 = 128 + 64 = 192
   ```
 - IP addresses must be unique
 - Public network addresses must be globally unique (IANA - Internet Assigned Numbers Authority)
 - IPv4 - 32-bit addressing scheme
 - IPv6 - 128-bit addressing scheme, eight groups of four hex digits, e.g.:
   ```
   35BC:FA77:4898:DAFC:200C:FBBC:A007:8973
   ```
 - NAT (Network Address Translation) - connects private subnets to a single public IP
 - The private IP address ranges (https://en.wikipedia.org/wiki/Private_network):
   ```
   10.0.0.0–10.255.255.255     (Class A)
   172.16.0.0–172.31.255.255   (Class B)
   192.168.0.0–192.168.255.255 (Class C)
   ```
* Subnet Mask
 - Splits an address into a network address and a node (host) address:
   ```
   192.168.1.1  ->  Network 192.168.1 | Node 1
   ```
 - Identifies the network the host resides on: hosts with the same network part (192.168.1) are on the same network; the node part ranges 0 - 255.
 - Default subnet masks:
   ```
   255.0.0.0  255.255.0.0  255.255.255.0
   ```
 - Calculating subnets

   > Links:
   - [how-do-you-calculate-the-prefix-network-subnet-and-host-numbers](https://networkengineering.stackexchange.com/questions/7106/how-do-you-calculate-the-prefix-network-subnet-and-host-numbers)

 - Address classes (5, but the important ones are these 3):
   ```
   Class A - first octet 1 - 126,   subnet mask 255.0.0.0,     126 networks,       16.7 million nodes
   Class B - first octet 128 - 191, subnet mask 255.255.0.0,   16,384 networks,    65,534 nodes
   Class C - first octet 192 - 223, subnet mask 255.255.255.0, 2,097,152 networks, 254 nodes
   ```
 - Shorthand subnet masks:
   ```
   192.168.1.1/24   - 24 bits, longhand 255.255.255.0
   ```
 - Partial subnetting, e.g. 255.255.252.0
 - The condition for two nodes to communicate with each other:

   > Two nodes must have the same network address, which means they must have the same subnet mask

   e.g. wrong host configuration:
   ```
   Host 1, 192.168.1.1, 255.255.255.0
   Host 2, 192.168.1.2, 255.255.255.0
   Host 3, 192.168.1.3, 255.255.252.0 - wrong, won't be able to communicate with Host 1 and Host 2 without a network router
   ```
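The subnetting arithmetic above (octet to binary, shorthand /24 to longhand mask and back, network address = IP AND mask, class from the first octet, node counts per class) as shell integer math, applied to the three hosts of the example. This is an added example, not part of the original notes; the function names are its own and the addresses are the constructed ones from the notes, nothing is touched on a real interface.

```shell
#!/bin/sh
# Added example (not from the gist): IPv4 address arithmetic behind the
# subnetting notes above. Everything is plain shell integer math on constructed
# addresses; nothing is configured on a real interface. Function names are
# this example's own.

# ip_to_int 192.168.1.1 -> 3232235777 (the four octets packed into 32 bits)
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235777 -> 192.168.1.1
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# octet_to_binary 192 -> 11000000, using the bit weights from the table above
# (bit 1 = 128 down to bit 8 = 1)
octet_to_binary() {
    n=$1 out="" weight=128
    while [ "$weight" -ge 1 ]; do
        if [ $((n & weight)) -ne 0 ]; then out="${out}1"; else out="${out}0"; fi
        weight=$((weight / 2))
    done
    echo "$out"
}

# ip_to_binary 192.168.1.1 -> 11000000.10101000.00000001.00000001
ip_to_binary() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo "$(octet_to_binary "$1").$(octet_to_binary "$2").$(octet_to_binary "$3").$(octet_to_binary "$4")"
}

# prefix_to_mask 24 -> 255.255.255.0 (shorthand /24 to longhand mask)
prefix_to_mask() {
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# mask_to_prefix 255.255.252.0 -> 22 (count the one bits of the mask)
mask_to_prefix() {
    m=$(ip_to_int "$1") count=0
    while [ "$m" -ne 0 ]; do
        count=$((count + (m & 1)))
        m=$((m >> 1))
    done
    echo "$count"
}

# usable_hosts PREFIX -> node addresses minus network and broadcast
# (/24 -> 254, /16 -> 65534, /8 -> 16777214: the class C/B/A node counts)
usable_hosts() {
    echo $(( (1 << (32 - $1)) - 2 ))
}

# network_of IP MASK -> the network address (IP AND mask)
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# same_network IP1 MASK1 IP2 MASK2 -> yes/no, the notes' condition for two
# nodes to talk without a router: same mask and same network address
same_network() {
    if [ "$2" = "$4" ] && [ "$(network_of "$1" "$2")" = "$(network_of "$3" "$4")" ]; then
        echo yes
    else
        echo no
    fi
}

# address_class IP -> A, B or C from the first octet, per the class table
address_class() {
    first=${1%%.*}
    if [ "$first" -ge 1 ] && [ "$first" -le 126 ]; then echo A
    elif [ "$first" -ge 128 ] && [ "$first" -le 191 ]; then echo B
    elif [ "$first" -ge 192 ] && [ "$first" -le 223 ]; then echo C
    else echo other
    fi
}

# The three hosts from the example above (constructed addresses).
for host in "192.168.1.1 255.255.255.0" "192.168.1.2 255.255.255.0" "192.168.1.3 255.255.252.0"; do
    set -- $host
    printf '%-12s %-15s /%-2s network %-12s class %s\n' "$1" "$2" "$(mask_to_prefix "$2")" "$(network_of "$1" "$2")" "$(address_class "$1")"
done
echo "Host 1 and Host 3 on the same network by the rule above: $(same_network 192.168.1.1 255.255.255.0 192.168.1.3 255.255.252.0)"
```

Host 3's mask puts it in 192.168.0.0/22 while Hosts 1 and 2 are in 192.168.1.0/24, which is how the mismatch in the example shows up numerically.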

* DNS Server and Default Gateway Router Address

dig www.google.com

* Configuring IP Parameters
- ifconfig (not permanent config):
  ```
  ifconfig eth0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
  ```
- ip (not permanent config):
  ```
  ip a add 192.168.1.1/255.255.255.0 dev eth0
  ```
  or
  ```
  ip a add 192.168.1.1/24 dev eth0
  ```
  with broadcast (broadcast is an option of the address, so it is given in the same command; `brd +` derives it from the prefix):
  ```
  ip addr add 192.168.1.1/24 broadcast 192.168.1.255 dev eth0
  ```

  > Links:
  - [ifconfig vs ip: What’s Difference and Comparing Network Configuration](https://www.tecmint.com/ifconfig-vs-ip-command-comparing-network-configuration/)
  - [Linux ip Command Examples](https://www.cyberciti.biz/faq/linux-ip-command-examples-usage-syntax/)

- permanent (RHEL) through /etc/sysconfig/network-scripts/ifcfg-eth0

 > Changes take effect after:
 ```
 ifdown interface
 e.g.  ifdown eth0

 ifup interface
 e.g.  ifup eth0
 ```
- dhclient
 ```
 dhclient -v eth0
 ```

 > Links:
   - [howto-linux-renew-dhcp-client-ip-address](https://www.cyberciti.biz/faq/howto-linux-renew-dhcp-client-ip-address/)
* Configuring Routing Parameters (Network layer)
- routing table config (SUSE):
  ```
  cat /etc/sysconfig/network/routes

  default 192.168.1.1 - -
  ```
  which is
  ```
  DESTINATION GATEWAY NETMASK INTERFACE [TYPE]
  ```
  TYPE:
  - unicast
  - local
  - broadcast
  - multicast
  - unreachable

- static routing table config (RHEL): /etc/sysconfig/network-scripts/route-interface, if it exists, e.g.
  ```
  cat /etc/sysconfig/network-scripts/route-eth0
  ```

  > Links:
  - [RHEL 7 - Static-Routes_and_the_Default_Gateway](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Networking_Guide/index.html#sec-Static-Routes_and_the_Default_Gateway)

- route command (obsolete, use *ip route* instead):

  add:
  ```
  route add -net network_address netmask netmask gw router_address
  e.g. route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.254
  ```
  del:
  ```
  route del -net network_address netmask netmask gw router_address
  e.g. route del -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.254
  ```
  default route:
  ```
  route add default gw router_address
  e.g. route add default gw 192.168.1.254
  ```

  > Links:
  - [howto-linux-configuring-default-route-with-ipcommand](https://www.cyberciti.biz/faq/howto-linux-configuring-default-route-with-ipcommand/)
  
* Configuring Name Resolver Settings
- /etc/hosts is the first name resolver
- if no record exists there, the operating system tries to resolve the hostname using DNS
- How it works, e.g. for google.com:
  1. Request to the DNS server on port 53; if the server is authoritative for the zone, it responds with the IP address.
     If not, then
  2. The DNS server sends a request to a root-level DNS server (the "." zone).
     There are 13 root-level DNS servers on the Internet.
     The root-level DNS servers are configured with records for the authoritative DNS servers of each TLD (.com, .gov, .de, etc.)
  3. The root-level DNS server responds to your DNS server with the address of the DNS server authoritative for the TLD (top-level domain)
  4. Your DNS server sends a request to the DNS server that's authoritative for the TLD (in this case .com)
  5. The TLD DNS server responds to your server with the IP address of the DNS server authoritative for the domain (in this case google)
  6. Your DNS server sends a name resolution request to the DNS server that's authoritative for the zone
  7. The authoritative DNS server responds to your DNS server with the IP address.
  8. Your DNS server responds to your system with the IP address mapped to the hostname

  ```
  (not cached)
  DNS Request -> Your DNS Server -> Root DNS sends TLD IP Address -> Your DNS Server ->
  TLD DNS Server sends IP address of DNS server authoritative to zone -> Your DNS Server ->
  DNS server authoritative to zone sends IP address -> Your DNS Server
  -> Finally IP address for hostname
  ```
- configuration file /etc/resolv.conf
  ```
  search somedome.com
  nameserver 192.168.1.1
  nameserver 192.168.1.2
  ```
  > search: used to complete incomplete hostnames (hostname some1 becomes some1.somedome.com)

- /etc/nsswitch.conf defines the order of the services used to resolve a name
  ```
  hosts:     files dns
  networks:  files dns
  ```
  > Links:
    - [Name_Service_Switch](https://en.wikipedia.org/wiki/Name_Service_Switch)
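How the two resolver files above are actually read: which nameservers get asked, in which order, how the `search` line completes `some1` to `some1.somedome.com`, and which sources the `hosts:` line of nsswitch.conf consults first. This is an added example, not part of the original notes; the two files are constructed sample text mirroring the notes rather than the system's own, and the "fewer than ndots=1 dots means search list first" rule is glibc's default behaviour, assumed here.

```shell
#!/bin/sh
# Added example (not from the gist): how the search list in /etc/resolv.conf
# and the hosts: line in /etc/nsswitch.conf shape a lookup. Both files below
# are constructed sample text mirroring the notes, not read from the system;
# the ndots=1 rule is glibc's default behaviour and is assumed here.

RESOLV_CONF='# constructed sample
search somedome.com
nameserver 192.168.1.1
nameserver 192.168.1.2
'

NSSWITCH_CONF='# constructed sample
passwd:    files
hosts:     files dns
networks:  files dns
'

# nameservers -> the nameserver addresses, one per line, in the order tried
nameservers() {
    printf '%s\n' "$RESOLV_CONF" | while read -r key value rest; do
        if [ "$key" = nameserver ]; then printf '%s\n' "$value"; fi
    done
}

# search_domains -> the search list from the "search" line
search_domains() {
    printf '%s\n' "$RESOLV_CONF" | while read -r key rest; do
        if [ "$key" = search ]; then printf '%s\n' "$rest"; fi
    done
}

# candidate_names NAME -> the names the resolver tries, in order. A name with
# fewer than ndots (1) dots gets each search domain appended first and is tried
# as given last; a name with a dot is tried as given first. A trailing dot
# marks the name as absolute: no search domain is appended.
candidate_names() {
    name=$1
    case $name in
        *.)  printf '%s\n' "$name" ;;
        *.*) printf '%s\n' "$name"
             for d in $(search_domains); do printf '%s.%s\n' "$name" "$d"; done ;;
        *)   for d in $(search_domains); do printf '%s.%s\n' "$name" "$d"; done
             printf '%s\n' "$name" ;;
    esac
}

# first_candidate NAME -> what the note above says some1 becomes: some1.somedome.com
first_candidate() {
    candidate_names "$1" | head -n 1
}

# lookup_order DATABASE -> the source order for that database, e.g. "files dns"
# for hosts: /etc/hosts is consulted first, DNS only if it has no record.
lookup_order() {
    printf '%s\n' "$NSSWITCH_CONF" | while read -r key rest; do
        if [ "$key" = "$1:" ]; then printf '%s\n' "$rest"; fi
    done
}

echo "hosts lookup order: $(lookup_order hosts)"
echo "nameservers tried:  $(nameservers | tr '\n' ' ')"
echo "some1 is tried as:  $(candidate_names some1 | tr '\n' ' ')"
echo "www.example.test:   $(candidate_names www.example.test | tr '\n' ' ')"
```

The order matters for troubleshooting: a stale /etc/hosts entry wins over DNS when `hosts: files dns` is in effect, and a short name that "works" only because of the search list will break as soon as resolv.conf changes.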

* Using ping
  - ICMP protocol
  - If the sending system receives the ICMP echo response packet, then the following are confirmed:
    > 1. your network interface works correctly
    > 2. the destination system is up and works correctly
    > 3. the network hardware between the requesting system and the destination system works correctly

* Using netstat
- TODO
* Using traceroute
- TODO
* Using dig, host
- TODO

* Encrypting Remote Access with OpenSSH
- How Encryption Works:
  - Symmetric encryption:
    - the sender and the receiver must have exactly the same key to both encrypt and decrypt messages
    - 3DES - 112-bit - 168-bit
    - AES - 128 - 192 - 256 bit
    - Blowfish - up to 448 bit

      > Links:
      - [Symmetric-key_algorithm](https://en.wikipedia.org/wiki/Symmetric-key_algorithm)

  - Asymmetric encryption:
    - uses two keys, a private key and a public key
    - data encrypted with the public key can be decrypted only with the private key, and vice versa
    - DSA (Digital Signature Algorithm)
    - RSA (Rivest Shamir Adleman)
    - public/private keys are much longer, 1024 bits and up
    - main disadvantage: slower than symmetric encryption
    - to verify that a public key is legitimate we use a CA (Certificate Authority)
    - the private key is held only by the requesting entity (the one who requests a certificate from the CA)
    - a public-key certificate is a digital message signed with the CA's private key
    - A certificate contains:
      - The name of the organization
      - The public key of the organization
      - The expiration date of the certificate
      - The certificate’s serial number
      - The name of the CA that signed the certificate
      - A digital signature from the CA
    - 2 types of CAs:
      - internal CA (self-signed, only for internal purposes)
      - external CA
    - browsers come with a lot of preinstalled certificates from external CAs,
      see Firefox - Edit - Preferences - Advanced - Certificates

      > Links:
      - [Public-key_cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography)
      - [RSA_(cryptosystem)](https://en.wikipedia.org/wiki/RSA_\(cryptosystem\))
      - [Public_key_infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure)
      - [how-to-get-public-key-of-a-secure-webpage](https://security.stackexchange.com/questions/16085/how-to-get-public-key-of-a-secure-webpage)
      - [how-should-i-distribute-my-public-key](https://security.stackexchange.com/questions/406/how-should-i-distribute-my-public-key)

* How OpenSSH Works
- OpenSSH provides:
  - sshd
  - ssh
  - scp
  - sftp
  - slogin
- Host keys are stored in:
  - Private key: /etc/ssh/ssh_host_key
  - Public key:  /etc/ssh/ssh_host_key.pub
- The SSH client stores the host keys it has accepted in:
  - /etc/ssh/ssh_known_hosts
  - ~/.ssh/known_hosts
- It works like this:
  - the server sends its public key to the client -> the client accepts it and encrypts a new session key with it
    -> sends it to the sshd server -> the server decrypts it with its private key (asymmetric)
    -> now both have the same key and switch to symmetric encryption
- SSH version 2 differences:
  - host key files in:
    - /etc/ssh/ssh_host_dsa_key
    - /etc/ssh/ssh_host_rsa_key
  - the secret key is not transmitted from client to server
  - Diffie-Hellman key agreement

    > Links:
    - [Diffie-Hellman_key_exchange](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange)
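What the client does with the known_hosts files listed above, reduced to its essentials: on first contact the host key is unknown and, once accepted, stored; on later contacts the stored key must match, and a stored-but-different key is the case the client refuses with its man-in-the-middle warning. This is an added example, not part of the original notes; the known_hosts lines and the key strings are constructed placeholders (not real keys), and hashed `|1|...` entries and `@cert-authority`/marker lines that real clients also accept are not handled.

```shell
#!/bin/sh
# Added example (not from the gist): the host-key check an SSH client performs
# against known_hosts, reduced to its essentials. The entries and key strings
# below are constructed placeholders, not real keys; hashed entries (|1|...)
# and the @cert-authority/marker syntax real clients also accept are not handled.

KNOWN_HOSTS='# constructed sample known_hosts
server1.example.test,192.168.1.10 ssh-ed25519 AAAA-CONSTRUCTED-KEY-ONE
192.168.1.20 ssh-rsa AAAA-CONSTRUCTED-KEY-TWO
'

# host_key_status HOST KEYTYPE KEY -> one of:
#   match    : a stored entry for HOST and KEYTYPE carries this exact key
#   mismatch : a stored entry exists but the key differs; the client refuses to
#              connect and warns about a possible man-in-the-middle attack or a
#              reinstalled server
#   unknown  : no entry for HOST and KEYTYPE yet; the client shows the
#              fingerprint for the user to confirm, then stores the key
#              (trust on first use)
host_key_status() {
    host=$1 type=$2 key=$3 result=unknown
    while read -r hosts ktype kkey comment; do
        case $hosts in
            ''|'#'*) continue ;;
        esac
        old_ifs=$IFS; IFS=,          # the first field is a comma separated host list
        for h in $hosts; do
            if [ "$h" = "$host" ] && [ "$ktype" = "$type" ]; then
                if [ "$kkey" = "$key" ]; then result=match; else result=mismatch; fi
            fi
        done
        IFS=$old_ifs
    done <<EOF
$KNOWN_HOSTS
EOF
    echo "$result"
}

# remember_host HOST KEYTYPE KEY: what the client does after the user accepts
# an unknown key: append a line to known_hosts (here: to the variable).
remember_host() {
    KNOWN_HOSTS="$KNOWN_HOSTS$1 $2 $3
"
}

# Demonstration: first contact, repeat contact, and a changed key.
demo() {
    echo "server1 known key:     $(host_key_status server1.example.test ssh-ed25519 AAAA-CONSTRUCTED-KEY-ONE)"
    echo "server1 by IP:         $(host_key_status 192.168.1.10 ssh-ed25519 AAAA-CONSTRUCTED-KEY-ONE)"
    echo "server1 changed key:   $(host_key_status server1.example.test ssh-ed25519 AAAA-CONSTRUCTED-KEY-OTHER)"
    echo "new host:              $(host_key_status 192.168.1.30 ssh-ed25519 AAAA-CONSTRUCTED-KEY-THREE)"
    remember_host 192.168.1.30 ssh-ed25519 AAAA-CONSTRUCTED-KEY-THREE
    echo "new host after accept: $(host_key_status 192.168.1.30 ssh-ed25519 AAAA-CONSTRUCTED-KEY-THREE)"
}
demo
```

The "mismatch" outcome is the one worth understanding before it happens in production: the safe response is to confirm the new fingerprint through a channel other than the connection itself, not to delete the known_hosts line and retry.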

* Configuring OpenSSH
- sshd daemon: /etc/ssh/sshd_config
- ssh client: /etc/ssh/ssh_config (system-wide) or ~/.ssh/config (per user)