SA3-E7 Advanced Linux System Administration III: Internet Network Services and Security

Synopsis: This is a fast paced, level 3, advanced class for experienced administrators of Linux based hosts on a network who want to clarify security concepts and understand the secure configuration of network file services (NFS, SMB, FTP), Internet services (DHCP, DNS, HTTP, sendmail), IPv4 and IPv6 networking, advanced LVM and encrypted file system usage, with extensive consideration of SELinux as it pertains to secure services. The class builds the security concepts and configuration techniques required to manage large numbers of WAN connected Red Hat Enterprise Linux hosts exposed to the Internet, and assumes significant prerequisite knowledge.

Duration SA3-E7: 4 Days

System Administration III (SA3-E7) Description: This course is a very fast paced, high level review of the standard file sharing services of Linux and Microsoft systems (NFS, FTP, SMB) with a strong emphasis on security configuration: firewall access control and the requirements of Security-Enhanced Linux (SELinux). Students will review configuring file space using the advanced partitioning services of LVM, creating signed RPM packages for network wide secure software deployment, securing common file sharing network services, synchronizing hosts for remote log management, secure Wide Area Network (WAN) service management (FTP, NFS, HTTPS, SSH, sendmail), SELinux managed process control, advanced firewall packet filtering, intrusion detection and system activity reporting, testing services for compliance, sniffing and port scanning, as well as tips for troubleshooting a damaged, misconfigured or compromised system. This class is not the starting point for anyone new to Linux or UNIX.

Students MUST already have a significant level of knowledge of Linux file systems and file manipulation utilities, and excellent experience working with and administering a Linux based operating system on a live network, preferably Internet facing. NO Beginners Are Expected In This SA3-E7 Course!

Prerequisites For SA3-E7: A significant level of Linux and/or UN*X experience is required for this course, including LAN fundamentals or equivalent and Internetworking with TCP/IP or equivalent. 3+ months of solid hands on experience managing any other type of system is also ideal.
  SA1 Linux System Administration 1 - Essential Commands and Utilities
  ASP-123 Advanced Shell Programming
  SA2 Linux System Administration 2 - Installation and LAN Configuration

Copyright 2000-2015 All Rights Reserved www.linuxcourses.net
Follow-on After SA3-E7: Red Hat Architect Courses: RH3xx, RH4xx, ... (RHCA related courses)

Students attending the SA3-E7 course will learn:
  Installation, LVM Partitioning for Files and Swap space
  Secure User Administration for Large Installations
  Secure Configuration of NFS, SMB and FTP Network File Services
  Encrypted File System Concepts and Management
  Configuration of SSL Secured Web Service
  Synchronization Of Host Logging: syslogd, NTP
  Hosting Multiple Web Sites Using Virtual Hosts
  Encryption Utilities Within Administration: PGP, SSH
  Firewall Configuration and Testing: firewalld, firewall-cmd
  Security-Enhanced Linux (SELinux) Management
  Secure Remote Management: SSH
  Utilizing Kerberos Security With Remote Authentication Services
  Building and Publishing Signed RPM Packages
  Establishing Web Site Security Certificates (SSL/TLS)
  Scan and Sniff Network Packets: nmap, wireshark
  Configuring Secure email: postfix
  Install, Configure and Back Up MariaDB (the MySQL replacement)
  Intrusion Detection Option: aide
  System Activity Reporting: sar
  Troubleshooting Tips and Techniques
Detailed Outline For Linux SA3-E7

1 Hardware Requirements and Installing Linux
  Custom Installation For Server Services
  Selecting Packages, Network, Firewall and SELinux options
  Using kickstart to automate installation
  Description of kickstart directives
  LAB
    Install a 'Server' configuration
    Create a kickstart script and test it

2 The Boot Process
  grub.conf configuration, GRUB stages and commands
  Kernel Initialization, init and Run Level Management: chkconfig
  Initialization scripts: /etc/inittab, /etc/init.d/*, Shutdown and Reboot
  Configuring and using the YUM frontend to RPM
  Basic security settings, Access Control Lists (ACLs)
  Security on files and directories
  Creating a directory shared by a group of users
  Pluggable Authentication Modules (PAM), configuration and use
  Centralized user accounts from NIS and LDAP, client setup
  Testing Name Services: getent
  Creating, managing and monitoring file system quotas
  LAB
    Configure the GRUB restricted access option
    Create a public and a group restricted directory
    Configure limited access using PAM
    Configure access to NIS and LDAP services for additional users
    Configure quotas for users and groups

3 File System Management
  Adding and formatting partitions: fdisk, mkfs, ext4, xfs, mkswap
  mount, umount and fsck
  Creating RAID Devices and Volumes
  Info and Recovery Options For mdadm
  Flexible File Systems With LVM
  Creating Physical Volume, Volume Group and Logical Volume
  Logical Volumes: lvcreate, lvextend, resize2fs
  Physical Volumes: pvcreate, vgcreate, vgextend
  Display LVM Information: pvdisplay, vgdisplay, lvdisplay
  Create, Format, Mount/umount an Encrypted File System
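As an added example for the section 3 topics above and the lab that follows (this is not course material), the script below walks the storage sequence the outline names: a physical volume, a volume group, a LUKS-encrypted logical volume formatted with XFS, a swap logical volume, the crypttab/fstab entries that bring both back after a reboot, and finally an online extension of the mounted, encrypted volume. Every name in it is an assumption (disk /dev/sdb, group vg_data, volumes lv_secure and lv_swap, mount point /srv/secure); it has to run as root on a host that really has that disk. Setting DRY_RUN=1 prints each command instead of executing it, which is the way to review the plan before touching a live system.

```shell
#!/bin/sh
# Added example (not course material): LVM data volume under LUKS, swap LV,
# persistence across reboot, and an online grow of the mounted volume.
# Assumed names: disk /dev/sdb, VG vg_data, LV lv_secure, mount /srv/secure, XFS.
# Needs root on a host that really has that disk.  DRY_RUN=1 only prints commands.
set -u

# run CMD...: execute CMD, or print it when DRY_RUN=1 (review the plan first).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# append FILE LINE: append a config line, or show what would be appended.
append() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '>> %s: %s\n' "$1" "$2"
  else printf '%s\n' "$2" >> "$1"; fi
}

# provision DISK VG LV SIZE MOUNT: PV -> VG -> LV -> LUKS2 -> XFS -> mounted
provision() {
  disk=$1 vg=$2 lv=$3 size=$4 mnt=$5
  run pvcreate "$disk"
  run vgcreate "$vg" "$disk"
  run lvcreate -L "$size" -n "$lv" "$vg"
  run cryptsetup luksFormat --type luks2 "/dev/$vg/$lv"  # prompts for the passphrase
  run cryptsetup open "/dev/$vg/$lv" "$lv"                # creates /dev/mapper/LV
  run mkfs.xfs "/dev/mapper/$lv"                          # format the mapping, not the LV
  run mkdir -p "$mnt"
  run mount "/dev/mapper/$lv" "$mnt"
}

# add_swap VG SIZE: swap as a logical volume of the same group.
add_swap() {
  vg=$1 size=$2
  run lvcreate -L "$size" -n lv_swap "$vg"
  run mkswap "/dev/$vg/lv_swap"
  run swapon "/dev/$vg/lv_swap"
  append /etc/fstab "/dev/$vg/lv_swap none swap defaults 0 0"
}

# persist VG LV MOUNT: crypttab unlocks at boot (passphrase prompt), fstab mounts after it.
persist() {
  vg=$1 lv=$2 mnt=$3
  append /etc/crypttab "$lv /dev/$vg/$lv none luks"
  append /etc/fstab "/dev/mapper/$lv $mnt xfs defaults 0 0"
}

# grow VG LV ADD MOUNT: extend the active, mounted volume.  Every layer is resized
# in order: the LV, the dm-crypt mapping on top of it, then the file system.
grow() {
  vg=$1 lv=$2 add=$3 mnt=$4
  run lvextend -L "+$add" "/dev/$vg/$lv"
  run cryptsetup resize "$lv"
  run xfs_growfs "$mnt"   # XFS grows online; an ext4 volume would use resize2fs instead
}

# Only act when asked, so the file can be read or sourced without touching disks.
if [ "${1:-}" = "--apply" ]; then
  provision /dev/sdb vg_data lv_secure 20G /srv/secure
  add_swap vg_data 2G
  persist vg_data lv_secure /srv/secure
  grow vg_data lv_secure 5G /srv/secure
fi
```

Two points worth noticing while reading the dry run: the file system is created on /dev/mapper/lv_secure, never on /dev/vg_data/lv_secure itself (formatting the raw LV would overwrite the LUKS header), and the grow step has three resizes, not one, because the LV, the crypt mapping and the file system are separate layers that each have their own idea of the device size. Swap on a plain LV is shown because the lab asks for a swap partition; on a host handling secrets, swap should be encrypted as well (crypttab supports a random key for swap), since pages of key material can otherwise land on disk in clear.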
  LAB
    Create data and swap partitions
    Configure a new RAID device, format it and make it available after reboot
    Configure a new LVM device, format it and make it available after reboot
    Extend a logical volume while the logical volume is still active

4 Building And Publishing RPMs
  Review Internal Contents Of RPM Packages
  How To Build A Signed RPM For Distribution
  Create Source Code Tree
  Build An RPM SPEC File
  Build YourPackage.rpm
  Sign and Publish YourPackage.rpm
  LAB
    Review An Existing RPM Package SPEC File
    Build An RPM Package
    Troubleshoot Building An RPM Package

5 Advanced User Administration
  User Account Management Tools
  SUDO Administration
  LDAP and NIS Remote User Configuration
  Kerberos Security With LDAP
  Enabling Remote User AutoMount of Home Directory
  Configuring SSH Keys On Multiple Hosts
  LAB
    Configure Remote Users
    Connect Remote User Home Directories With autofs
    Establish Trusted Identities On Remote Hosts With ssh

6 Kernel and SELinux Management
  Tune Specific Kernel Network Parameters
  /proc Virtual File System Access, Usage and Control: sysctl
  Kernel Module Management
  Understanding and Troubleshooting SELinux
  How To Configure New SELinux Settings
  LAB
    Observe modules being loaded by the kernel
    Create and Troubleshoot SELinux errors
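An added example for the section 6 SELinux lab (it also covers the "Apache SELinux Configuration" topic of section 8); it is not taken from the course. The script gives a non-default Apache document root and its CGI directory persistent SELinux file contexts, turns on the one boolean that LDAP-backed .htaccess authentication needs, and shows how to read back the denials when something is still blocked. The path /srv/www/site1 is an assumption; it needs root, the RHEL 7 targeted policy and the semanage tool (policycoreutils-python). DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not course material): label a non-default web tree for httpd,
# open LDAP access for .htaccess auth, and explain whatever is still denied.
# Assumed: RHEL 7 targeted policy, DocumentRoot /srv/www/site1, CGI in .../cgi-bin.
set -u

# run CMD...: execute CMD, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# label_site DOCROOT: record file-context rules in the policy store, then apply them.
# chcon alone would be undone by the next relabel; semanage makes the rule persistent.
label_site() {
  docroot=$1
  run semanage fcontext -a -t httpd_sys_content_t "$docroot(/.*)?"
  run semanage fcontext -a -t httpd_sys_script_exec_t "$docroot/cgi-bin(/.*)?"
  run restorecon -Rv "$docroot"
}

# allow_ldap_auth: httpd may open client connections to the LDAP port (mod_authnz_ldap).
# -P survives a reboot.  Nothing else is widened; content stays read-only to httpd.
allow_ldap_auth() {
  run setsebool -P httpd_can_connect_ldap on
}

# verify PATH: the label the policy expects next to the label actually on disk.
verify() {
  run matchpathcon "$1"
  run ls -dZ "$1"
}

# show_denials: recent AVC denials for httpd, translated by audit2why.  Run this
# before reaching for a custom module or, worse, setenforce 0.
show_denials() {
  ausearch -m AVC -ts recent -c httpd | audit2why
}

if [ "${1:-}" = "--apply" ]; then
  label_site /srv/www/site1
  allow_ldap_auth
  verify /srv/www/site1
fi
```

A second run of label_site on the same host fails, because semanage refuses to add a file spec that is already defined; check with `semanage fcontext -l | grep /srv/www` or use `-m` to modify the existing rule. The pattern `(/.*)?` matters: without it only the directory itself is labelled and every file under it keeps its old context, which shows up as a "Permission denied" from httpd that audit2why attributes to a missing file context rather than a missing boolean.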
7 Advanced Network Admin Tools
  Configuring Multiple IP Values Per NIC: IP Alias
  Configuring A Virtual Bridge Between Virtual Machines
  Aggregating Multiple Network Adapters Into A Bond Set
  Configuring Bond Service
  IPv6 Features and Management Tools
  LAB
    Configure Second IP (Alias)
    Create A Bond
    Create A Bridge
    Create and Troubleshoot SELinux errors

8 MariaDB + Secure Virtual Web Services
  Apache Overview Of Support
  Apache Server Configuration
  Server and Namespace Configuration
  Creating Multiple Virtual Hosts
  Apache Access Control Using LDAP and .htaccess
  Apache SELinux Configuration
  CGI Scripts Implementation and Issues
  Apache Encrypted Web Server Certificates
  Installing MariaDB (MySQL Replacement)
  Back Up And Restore MariaDB
  LAB
    Implement multiple web sites
    Add password controlled directories
    Restrict access to non web related directories
    Use CGI scripts in web pages
    Install MariaDB, Create Tables and Records
    Back Up and Restore MariaDB Databases

9 Network Services: NTP, FTP, NFS, CIFS
  File Transfer Protocol (FTP)
  Network File System (NFS)
  Network Time Protocol Configuration (NTP)
  Samba Services and Daemons (CIFS)
  Configuring File Sharing and Selective User Access
  Managing Samba Authentication Methods
  Printing to the Samba Server
  Samba Syntax Checker: testparm
  Samba Client Tools: smbclient
  Admin tools: nmblookup, mount, fstab
  Firewall Requirements
  LAB
    Update FTP service, add NFS and SMB shares
    Limit access to the local net for all shares in the firewall

10 DNS + DHCP Configuration
  DNS-Specific Resolvers
  Trace a DNS Query with dig, nslookup
  DNS Basics: Zones, Domains & Delegation
  Internet DNS and Name Server Hierarchy
  Client-side DNS, Server-side DNS
  Berkeley Internet Name Domain (BIND)
  Configuring BIND: Configuration File Basics
  bind-chroot Package
  Address Match Lists and acl Usage
  Testing Utilities: named-checkconf, named-checkzone
  Caching-only Name Server
  Round Robin Load Sharing through DNS
  Remote Name Daemon Control (rndc)
  The DHCP Service Overview
  Configuring an IPv4 DHCP Server
  LAB
    Implement a DNS server, add a subdomain, slave to a master domain
    Provide DHCP Services

11 Electronic Mail Services
  A Review of Email Services and features
  Basic sendmail Features
  Main Configuration Files
  Security and "Anti-Spam" Features
  Blacklisting Recipients
  Generating sendmail Configuration with m4
  sendmail Client Configuration
  Debugging sendmail
  Using alternatives to Switch MTAs
  Postfix as a sendmail-compatible MTA
  Using and configuring Postfix
  Additional postfix Configuration Files
  Mail Retrieval Protocols
  Basics of procmail for Local Delivery
  Configuring POP3 and IMAP
  Configuring Secure POP3S and IMAPS
  Creating a Local Certificate for POP3S and IMAPS
  LAB
    Configure open inbound email with relaying disabled (no open relay)
    Add POP3, POP3S, IMAP, IMAPS and the certificate
    Test email services, configure procmail

12 Secure Access And Monitoring: Scan + Sniff
  Overview
  Why We Monitor Users
  Using Process and User Monitoring Tools
  Sniffing Network Connections: wireshark, tcpdump
  Port scanning
  Locking Down Network Access With SSH Services
  Utilizing Secure Inter-Host Utilities
  Securing Remote Desktop Management
  The Need For Encryption: Random Numbers
  Symmetric and Asymmetric Encryption
  Using PKI: Public Key Infrastructures
  Digital Certificates
  SSH Server and Client Configuration
  Client Key Management
  LAB
    Use SSH keys with and without passphrases
    Configure Secure Remote Host Access

13 Securing The Host: Firewall, IDS, rsyslog, SSH
  AIDE: Intrusion Detection Configuration And Management
  System Activity Reporting: sar
  Netfilter Firewall (FW) Overview
  Firewall Rules: General Considerations
  Firewall Port Options
  Firewall Connection Tracking
  Firewall Network Address Translation (NAT)
  Secure Tunnelling Using SSH
  LAB
    Install and Configure aide
    Install and Configure sar
    Secure Local Network Services With A Firewall
    Tunnel X Applications Through SSH
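An added example for the section 13 lab "Secure Local Network Services With A Firewall", which is the same task the section 9 lab sets for the NFS, SMB and FTP shares; it is not the course's own material. With firewalld the policy lives in zones, so the LAN prefix is bound to the internal zone, the share services are opened only there, and the same services are removed from the public zone that catches every other source. The prefix 192.168.10.0/24 and the service set are assumptions; it needs root and a running firewalld, and DRY_RUN=1 prints the firewall-cmd calls instead of issuing them.

```shell
#!/bin/sh
# Added example (not course material): let the LAN reach NFS, Samba and FTP shares
# and nobody else, using firewalld zones.  Assumed: RHEL 7 with firewalld running,
# LAN prefix 192.168.10.0/24, NFSv4 only (NFSv3 would also need rpc-bind and mountd).
# Needs root.  DRY_RUN=1 prints the firewall-cmd calls instead of issuing them.
set -u

# run CMD...: execute CMD, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# lan_only LAN SERVICE...: source-based zoning.  Packets from LAN are classified into
# 'internal', where the services are opened; anything else stays in 'public', where the
# same services are removed.  --permanent edits the saved config; --reload activates it
# and discards runtime-only rules someone added by hand, which is the point.
lan_only() {
  lan=$1; shift
  run firewall-cmd --permanent --zone=internal --add-source="$lan"
  for svc in "$@"; do
    run firewall-cmd --permanent --zone=internal --add-service="$svc"
    # harmless when the service was never open in public (firewalld warns NOT_ENABLED)
    run firewall-cmd --permanent --zone=public --remove-service="$svc" || true
  done
  run firewall-cmd --reload
}

# audit: the runtime state, which is what actually filters packets right now.
audit() {
  run firewall-cmd --get-active-zones
  run firewall-cmd --zone=internal --list-all
  run firewall-cmd --zone=public --list-services
}

if [ "${1:-}" = "--apply" ]; then
  lan_only 192.168.10.0/24 nfs samba ftp
  audit
fi
```

The check that belongs with this lab is done from the other side: a port scan of 21, 139, 445 and 2049 from a LAN address and again from an address outside the prefix should show the ports open in the first case and filtered in the second. The firewalld ftp service also loads the FTP connection-tracking helper, which is what lets passive-mode data connections through without opening the whole passive port range; that is the "Firewall Connection Tracking" topic of this section in practice.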
14 Troubleshooting
  Where to start looking for trouble
  Review common errors of service management
  Understand the new 'single user mode' and Rescue Mode
  LAB
    Practice Fixing Misconfigurations
    Use the chroot command within rescue mode