
LFCE - LFS211- LINUX ENGINEER

https://trainingportal.linuxfoundation.org/learn/course/linux-networking-and-administration-lfs211/

https://www.katacoda.com/courses/ubuntu/playground

NETWORKING

less /etc/sysconfig/network-scripts/ifcfg-eth0

ifdown eth0; ifup eth0

ip a show eth0

ip route show
ip route

nmcli device show # NetworkManager: details for the network devices
nmcli -f ip4.address device show enp1s0

nmtui # text-mode user interface

If NetworkManager is not managing the connections, systemd-networkd probably is; inspect it with
networkctl

You can also check which backend (renderer) is in charge with
netplan get all
network:
  renderer: NetworkManager
  version: 2

Example configurations are in /usr/share/doc/netplan/examples/

# Change speed and duplex of the enp0s3 interface (the -s/--change option goes before the device name)
sudo ethtool --change enp0s3 speed 1000 duplex full

DNS
systemd-resolve --status # on current systemd the command is resolvectl status

# per-link DNS servers; systemd-resolve is the legacy name, the current form is resolvectl dns enp0s3 192.168.178.1 10.34.168.6
systemd-resolve --set-dns=192.168.178.1 --set-dns=10.34.168.6 --interface=enp0s3

nmcli device show enp0s3

https://phoenixnap.com/kb/linux-dig-command-examples
dig -x 172.217.14.238 # reverse DNS (PTR) lookup
dig google.com -t A +trace # record type A; +trace follows the delegation from the root servers down

# Ask server 8.8.4.4 the name google.com for records of type NameServer
dig @8.8.4.4 google.com -t NS -c IN

nslookup google.com 8.8.8.8

PING
flood ping as a load test (needs root; only against hosts and networks you own, it is a denial of service otherwise)
ping -f -s 4096 IP

TRACEROUTE
traceroute -I IP # ICMP echo probes instead of the default UDP probes (needs root); often gets through firewalls that drop the UDP probes

NMAP

ARP / TELNET
telnet github.com 80

openssl s_client -connect github.com:443

TCPDUMP
https://danielmiessler.com/study/tcpdump/

To capture packets with tcpdump for use with wireshark, use:
$ sudo tcpdump -i eth0 -s 65535 -w capture.pcap port 22

# tcpdump -nnvv -i any net 127.0.0.1 and port 4200 and not 'tcp[tcpflags] == tcp-syn'

SERVER SIDE
SS
sudo ss -ltp | grep httpd

NETSTAT
sudo netstat -palute

/etc/hosts
man hosts_access

  • /proc/sys/net/ipv4/ip_forward
    Allows for network traffic to be forwarded from one interface to another.
  • /proc/sys/net/ipv4/conf/*/accept_redirects
    Accepting Internet Control Message Protocol (ICMP) redirects from a router to find better routes. This setting has the potential to be exploited by a malicious party to redirect your traffic.
  • /proc/sys/net/ipv4/icmp_echo_ignore_all
    Changing this setting will affect the host's visibility to ICMP ping packets.

Writing to /proc/sys only lasts until reboot. To make a change persistent, put it in /etc/sysctl.conf (or a file in /etc/sysctl.d/) and reload with sysctl -p or sysctl --system.

sudo sysctl --all |grep redirect

Example:
write a log line every time an FTP connection is attempted from 192.168.1.0/24 or from the .esempio.com domain, and refuse it
/etc/hosts.deny
vsftpd : 192.168.1. , .esempio.com : spawn /bin/echo `/bin/date` access denied >> /var/log/vsftpd.log : deny
This only applies to daemons linked against libwrap (vsftpd additionally needs tcp_wrappers=YES in vsftpd.conf). hosts.allow is consulted before hosts.deny and the first matching line in either file wins, so a client listed in hosts.allow is never reached by this rule. tcp_wrappers has been dropped from recent distributions (RHEL 8 and later); for new deployments use the packet filter instead.
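Added example (not from the course notes or the tcp_wrappers sources): a small Python model of the hosts_access(5) decision procedure, so the hosts.deny line above can be exercised without a libwrap daemon. The two file bodies are constructed for the demo; the vsftpd line is the one from the notes, the sshd lines show the EXCEPT operator and the hosts.allow-before-hosts.deny order.

```python
"""Model of the tcp_wrappers decision procedure from hosts_access(5):
hosts.allow is consulted first, then hosts.deny, the first matching line wins,
and a client that matches neither file is allowed.  Added example, not part of
the course notes; the two file bodies below are constructed for the demo."""
import ipaddress

# Constructed sample files (the vsftpd line is the one from the notes above).
HOSTS_ALLOW = """\
sshd : 10.0.0.0/8 EXCEPT 10.0.9.
"""
HOSTS_DENY = """\
vsftpd : 192.168.1. , .esempio.com : spawn /bin/echo `/bin/date` access denied >> /var/log/vsftpd.log : deny
sshd : ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list, [options...], raw_line) tuples; a trailing backslash joins lines."""
    rules, pending = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        fields = [f.strip() for f in line.split(":")]  # a ':' inside an option must be escaped as '\:'
        if len(fields) < 2:
            raise ValueError(f"malformed hosts_access line: {line!r}")
        rules.append((fields[0], fields[1], fields[2:], line))
    return rules


def client_matches(pattern, ip, host):
    """One client pattern: ALL, LOCAL, .domain suffix, net. prefix, CIDR/netmask, or exact."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # any hostname without a dot
        return "." not in host
    if pattern.startswith("."):            # ".esempio.com" matches pc.esempio.com
        return host.endswith(pattern)
    if pattern.endswith("."):              # "192.168.1." matches 192.168.1.x
        return ip.startswith(pattern)
    if "/" in pattern:                     # 10.0.0.0/8 or 10.0.0.0/255.0.0.0
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (ip, host)


def list_matches(lst, match_one):
    """'a b EXCEPT c' matches a or b unless c also matches; EXCEPT nests to the right."""
    tokens = lst.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(" ".join(tokens[:i]), match_one)
                and not list_matches(" ".join(tokens[i + 1:]), match_one))
    return any(match_one(t) for t in tokens)


def check_access(daemon, ip, host, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (verdict, reason) the way libwrap would decide for this daemon/client pair."""
    for fname, text, verdict in (("hosts.allow", allow_text, "allow"),
                                 ("hosts.deny", deny_text, "deny")):
        for daemons, clients, options, raw in parse_rules(text):
            if (list_matches(daemons, lambda t: t in ("ALL", daemon))
                    and list_matches(clients, lambda t: client_matches(t, ip, host))):
                for opt in options:            # an explicit allow/deny option overrides the file
                    if opt in ("allow", "deny"):
                        verdict = opt
                return verdict, f"{fname}: {raw}"
    return "allow", "no match in hosts.allow or hosts.deny (default is allow)"


if __name__ == "__main__":
    for args in (("vsftpd", "192.168.1.20", "pc.esempio.com"),
                 ("vsftpd", "203.0.113.9", "scanner.example.net"),
                 ("sshd", "10.0.1.1", "admin.corp"),
                 ("sshd", "10.0.9.1", "guest.corp")):
        print(args, "->", check_access(*args))
```

The spawn option is ignored here (it only has side effects); what the model shows is that the unlisted vsftpd client is allowed by default, and that 10.0.9.1 falls through hosts.allow because of EXCEPT and is then caught by the sshd : ALL line in hosts.deny.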

NETCAT
netcat -l 2000 # listen on port 2000 on the server (traditional netcat wants netcat -l -p 2000)
netcat IP 2000 # connect from the client

TC Traffic Control
https://linux.die.net/man/8/tc

tc qdisc add dev lo root netem loss random 40
adds a queueing discipline on device lo through the network emulator (netem) that drops 40% of the packets at random

ping localhost # terminal 1
sudo tcpdump -nnvvS src 127.0.0.1 -i lo # terminal 2: watch the echo requests and count the missing replies
sudo tcpdump -i lo -nnvvS icmp

sudo tc qdisc show
sudo tc qdisc del dev lo root # remove the emulation again (the dev keyword is required)

UDEV
ACPI is the Advanced Configuration and Power Interface standard, by which the computer firmware (either the BIOS, for older machines, or its replacement, UEFI) tells the operating system what hardware is installed in the computer.

udevadm test /sys/class/net/enp0s3
udevadm info /sys/class/net/enp0s3

TUN and TAP are drivers that allow virtual network devices to be created. Unlike ordinary devices (e.g. eth0), which are driven directly by a network card, packets sent to or from a TUN/TAP device are sent to or from a userspace program. TUN simulates a point-to-point network device and works with IP packets, while TAP simulates an Ethernet device and therefore works with Ethernet frames.

FILES
/etc/hostname the machine's hostname
/etc/resolv.conf DNS
/etc/network
/etc/netplan/01.. same content that 'netplan get all' shows
/usr/share/doc/ppp/examples/interfaces

IFCONFIG

https://www.computerhope.com/unix/uifconfi.htm

FIREWALL

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

SSH

pssh -H box -H node1 -H node2 "yum install -y tmux bash-completion bash-completion-extras && mandb"

/etc/ssh/ssh_config
sudo apt install openssh-server → /etc/ssh/sshd_config
grep -E "^\w" /etc/ssh/sshd_config

ssh-keygen -f $HOME/.ssh/id_rsa -N 'supersecret' -t rsa # -N on the command line leaves the passphrase in shell history and in ps output; omit it to be prompted. -t ed25519 is the preferred key type today
ssh-copy-id alex@IP
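Added example (not from the course notes or OpenSSH): a Python checker that resolves an sshd_config the way sshd(8) does, i.e. the first value read for a keyword wins, Include files are read at the point where the Include appears, and every line after a Match belongs to that Match block until the next one. The sshd_config text and the included 50-cloud-init.conf content are constructed for the demo (the latter mirrors what Ubuntu cloud images ship); the DEFAULTS table lists OpenSSH's compiled-in defaults for the keywords audited.

```python
"""Compute the configuration sshd(8) actually applies: for every keyword the
FIRST value read wins, Include files are read at the point of the Include
directive, and everything after a Match line belongs to that Match block.
Added example, not from the course notes; the config text and the include file
below are constructed."""
import fnmatch
import re

# OpenSSH compiled-in defaults for the keywords audited here.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
}
WEAK = {  # keyword -> value a hardened server should not end up with
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "yes",
    "pubkeyauthentication": "no",
    "x11forwarding": "yes",
}

# Constructed sample: an admin appended hardening lines at the END of the file.
SSHD_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
Port 22
PermitRootLogin yes
X11Forwarding yes
Match User deploy
    PasswordAuthentication no
# appended later, hoping to harden the server:
PermitRootLogin no
PasswordAuthentication no
"""
# Constructed content of the included drop-in (path -> file body).
INCLUDED = {"/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n"}


def _directives(text, includes):
    """Yield (keyword, argument) in the order sshd reads them, expanding Include globs."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key arg' or 'Key=arg'
        key = parts[0].lower()                                # keywords are case-insensitive
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "include":                                  # included files are read right here
            for path in sorted(p for p in includes if fnmatch.fnmatch(p, arg)):
                yield from _directives(includes[path], includes)
            continue
        yield key, arg


def effective_config(text, includes=None):
    """Return (global_settings, [(match_criteria, settings), ...]); first value wins."""
    global_cfg, blocks, current = {}, [], None
    for key, arg in _directives(text, includes or {}):
        if key == "match":
            current = {}
            blocks.append((arg, current))
        elif current is not None:
            current.setdefault(key, arg)        # inside the most recent Match block
        else:
            global_cfg.setdefault(key, arg)     # setdefault == "first value wins"
    return global_cfg, blocks


def audit(text, includes=None):
    """Findings about weak *effective* global settings and overrides that landed in a Match block."""
    cfg, blocks = effective_config(text, includes)
    findings = []
    for key, bad in WEAK.items():
        value = cfg.get(key, DEFAULTS[key])
        if value.lower() == bad:
            findings.append(f"{key} is effectively '{value}' (weak)")
        for criteria, settings in blocks:
            if key in settings and settings[key].lower() != value.lower():
                findings.append(f"{key}={settings[key]} only applies under 'Match {criteria}'; "
                                f"the global value stays '{value}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SSHD_CONFIG, INCLUDED):
        print(finding)
```

Run against a real host, feed it the output of the grep above plus the drop-in files, and compare with sshd -T, which prints the effective configuration and is the authoritative check.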

DNS

https://ns1.com/resources/dns-types-records-servers-and-queries

host
dig
resolvectl query
nslookup

DNS SERVER
apt install -y bind9 resolvconf
systemctl start bind9
/etc/resolv.conf
/etc/systemd/resolved.conf
/etc/bind/named.conf

/etc/bind/named.conf.options
options {
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
};
allow-query { any; } together with recursion yes makes an open resolver that anyone able to reach port 53 can abuse for DNS amplification; restrict it with allow-recursion { localhost; localnets; }; (or an acl of your own networks) unless the server only needs to answer for its own zones.

SYSTEM SERVICES

Understanding Systemd Units and Unit Files

Systemd has a flexible configuration architecture that uses override and drop-in directories. The sequence in which systemd processes the configuration files is predictable and extensible. The common sequence is:

  • The vendor-supplied unit file in /usr/lib/systemd/system/<service>.service or /lib/systemd/system/<service>.service.
  • Optional or dynamically-created unit files in the /run/systemd/system/ directory.
  • Optional administrator override files in the /etc/systemd/system/ directory (a full unit file here replaces the vendor one entirely).
  • Optional administrator drop-in files in /etc/systemd/system/<service>.d/*.conf (these are merged into the unit rather than replacing it).

man 5 systemd-system.conf
When packages need to customize the configuration, they can install configuration snippets in /usr/lib/systemd/*.conf.d/. Files in /etc/ are reserved for the local administrator, who may use this logic to override the configuration files installed by vendor packages.

e.g. manually launch the ftp service
# /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf &

YUM

yum provides */traceroute

HTTP

ubuntu apache2
centos httpd

/var/www/html sites (DocumentRoot)
/var/log/apache2 access and error logs

$ grep "^\w" /etc/apache2/apache2.conf
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
AccessFileName .htaccess
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats

sudo apachectl configtest

https://www.digitalocean.com/community/tutorials/how-to-set-up-password-authentication-with-apache-on-ubuntu-14-04

sudo vim /etc/apache2/sites-enabled/000-default.conf
<Directory "/var/www/html/get-only">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/secure.passwords
Require valid-user
</Directory>
sudo systemctl restart apache2
The AuthUserFile is created with htpasswd(1) and must live outside the DocumentRoot, as here. Basic auth sends the credentials base64-encoded on every request, so only use it over HTTPS.
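Added example (not from the course notes or Apache): a Python parser for the combined LogFormat listed above, with a detector for Basic-auth password guessing against the protected directory. The log lines are constructed for the demo and use documentation IP ranges; the threshold is an assumption.

```python
"""Parse Apache 'combined' access-log lines (the LogFormat shown in the notes)
and spot HTTP Basic-auth guessing against a protected directory: many 401
responses from one client, each carrying a different attempted user name.
Added example, not from the course notes; the log lines below are constructed."""
import re
from collections import defaultdict

# LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
COMBINED = re.compile(
    r'(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: one client cycling user names, one browser that
# first gets the 401 challenge and then logs in, one unrelated 404.
ACCESS_LOG = """\
203.0.113.7 - admin [10/Oct/2023:13:55:36 +0000] "GET /get-only/ HTTP/1.1" 401 712 "-" "curl/8.0.1"
203.0.113.7 - root [10/Oct/2023:13:55:37 +0000] "GET /get-only/ HTTP/1.1" 401 712 "-" "curl/8.0.1"
203.0.113.7 - alex [10/Oct/2023:13:55:37 +0000] "GET /get-only/ HTTP/1.1" 401 712 "-" "curl/8.0.1"
203.0.113.7 - test [10/Oct/2023:13:55:38 +0000] "GET /get-only/ HTTP/1.1" 401 712 "-" "curl/8.0.1"
192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "GET /get-only/ HTTP/1.1" 401 712 "-" "Mozilla/5.0"
192.0.2.10 - alex [10/Oct/2023:13:56:09 +0000] "GET /get-only/ HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
198.51.100.3 - - [10/Oct/2023:13:57:00 +0000] "GET /favicon.ico HTTP/1.1" 404 498 "http://alex.com/" "Mozilla/5.0"
"""


def parse_line(line):
    """One combined-format line -> dict, or None if it does not match the format."""
    m = COMBINED.match(line)
    if not m:
        return None
    entry = m.groupdict()
    method, _, rest = entry["request"].partition(" ")
    path, _, proto = rest.rpartition(" ")
    entry.update(method=method, path=path, proto=proto, status=int(entry["status"]))
    return entry


def parse_log(text):
    """All parseable entries of a log body, in file order."""
    return [e for e in map(parse_line, text.splitlines()) if e]


def auth_failures(entries, threshold=3):
    """Clients with at least `threshold` failed Basic-auth attempts.

    A 401 with user '-' is just the challenge a browser gets before it sends
    credentials, so only 401s that carry a user name count as failures
    (mod_log_config warns that %u "may be bogus" on 401: it is the name the
    client tried)."""
    per_host = defaultdict(lambda: {"failures": 0, "challenges": 0, "users": set(), "paths": set()})
    for e in entries:
        if e["status"] != 401:
            continue
        h = per_host[e["host"]]
        if e["user"] == "-":
            h["challenges"] += 1
        else:
            h["failures"] += 1
            h["users"].add(e["user"])
            h["paths"].add(e["path"])
    return {host: info for host, info in per_host.items() if info["failures"] >= threshold}


if __name__ == "__main__":
    for host, info in auth_failures(parse_log(ACCESS_LOG)).items():
        print(f"{host}: {info['failures']} failed logins, users tried {sorted(info['users'])}, "
              f"paths {sorted(info['paths'])}")
```

On a live server pipe the output of tail -f /var/log/apache2/access.log through parse_line; the vhost_combined format in the notes prefixes each line with %v:%p, so strip that field first if that format is in use.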

https://www.ibm.com/docs/en/aspera-on-demand/3.9?topic=appendix-enable-ssl-apache

KVM forward ports to guests VM with UFW on Linux

Rewrite flags RewriteRule Flags - Apache HTTP Server Version 2.4
Directory directives https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride

Create a new key and certificate with openssl

https://www.katacoda.com/courses/ubuntu/playground

man 1 req
openssl req -x509 -newkey rsa:2048 -keyout my.key -out mycert.crt # self-signed; add -days N for the validity period and -nodes if apache2 must start without a passphrase prompt
vim sites-enabled/000-default.conf
cp sites-available/default-ssl.conf sites-enabled/ # needs a2enmod ssl, and SSLCertificateFile / SSLCertificateKeyFile in default-ssl.conf must point at mycert.crt and my.key
echo "127.0.0.1 alex.com" >> /etc/hosts
curl -Ik https://alex.com # -k skips certificate verification, acceptable only for this self-signed test
HTTP/1.1 200 OK

MAIL

https://doc.dovecot.org/configuration_manual/
http://www.postfix.org/postconf.5.html

/etc/postfix/main.cf

only a few mail parameters need to be altered in /etc/postfix/main.cf.

  • The domain name to use for outbound mail (myorigin).
  • The domains to receive mail for (mydestination).
  • The clients to allow relaying of mail (mynetworks).
  • The destinations to relay mail to (relay_domains).
  • The delivery method, indirect or direct (relayhost).

The postconf command can be used to edit /etc/postfix/main.cf without opening it:

# postconf -e 'inet_interfaces = all'
# postconf -e "mynetworks_style = subnet"

mynetworks_style = subnet trusts every host on the server's subnet as a relay client (mynetworks, above); on a shared network that is too wide, so set mynetworks explicitly.

# vim /etc/postfix/master.cf
# vim /etc/postfix/main.cf
# vim /etc/aliases

PROXY

https://en.wikipedia.org/wiki/Reverse_proxy

http://www.squid-cache.org/Versions/v6/cfgman/
SquidFaq/SquidAcl - Squid Web Proxy Wiki

https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect

Squid can also parse and check its syntax with a built-in syntax checker:
# squid -k parse

The first matching http_access line wins, so put the most specific rules first and finish with http_access deny all: if no line matches, Squid applies the opposite of the last line's action.
# grep "^\w" /etc/squid/squid.conf
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
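Added example (not from the course notes or Squid): a Python evaluator for http_access lines over the ACLs quoted above, to show first-match-wins and the default that applies when no line matches. Both configs are constructed; the manager lines are left out because url_regex ACLs are not modelled, and acl all, acl CONNECT and acl localhost are spelled out instead of relying on Squid's built-ins.

```python
"""Evaluate Squid http_access rules the way Squid does: every ACL term on a
line must match (AND), lines are tried top to bottom, the first matching line
decides, and if NO line matches the default is the opposite of the last
line's action.  Added example, not from the course notes; the configs below
are constructed from the ACLs quoted in the notes."""
import ipaddress
from collections import defaultdict

# Ends with a deny line and no catch-all: an unmatched request is ALLOWED.
SQUID_CONF_OPEN = """\
acl localnet src 0.0.0.1-0.255.255.255   # RFC 1122 "this" network (LAN)
acl localnet src 192.168.0.0/16          # RFC 1918 local private network (LAN)
acl localhost src 127.0.0.1/32
acl SSL_ports port 443
acl Safe_ports port 80                   # http
acl Safe_ports port 21                   # ftp
acl Safe_ports port 443                  # https
acl CONNECT method CONNECT
acl all src all
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
"""
# Same ACLs, closed properly: allow the local ranges, then deny everything else.
SQUID_CONF_CLOSED = SQUID_CONF_OPEN + """\
http_access allow localnet
http_access allow localhost
http_access deny all
"""


def parse_squid(text):
    """Return ({acl_name: [(type, value), ...]}, [(action, [terms...]), ...])."""
    acls, rules = defaultdict(list), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()
        if not line:
            continue
        if line[0] == "acl":
            name, typ, *values = line[1:]
            acls[name].extend((typ, v) for v in values)   # repeated acl lines accumulate
        elif line[0] == "http_access":
            rules.append((line[1], line[2:]))
    return acls, rules


def _src_match(value, ip):
    addr = ipaddress.ip_address(ip)
    if value == "all":
        return True
    if "-" in value:                                   # a.b.c.d-e.f.g.h address range
        lo, hi = (ipaddress.ip_address(v) for v in value.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(value, strict=False)


def _port_match(value, port):
    if "-" in value:
        lo, hi = (int(v) for v in value.split("-", 1))
        return lo <= port <= hi
    return int(value) == port


def acl_matches(acls, name, req):
    """True if any value of the named ACL matches the request (src, port, method only)."""
    if name not in acls:                               # squid -k parse would reject this config
        raise KeyError(f"undefined ACL {name}")
    for typ, value in acls[name]:
        if typ == "src" and _src_match(value, req["src"]):
            return True
        if typ == "port" and _port_match(value, req["port"]):
            return True
        if typ == "method" and value.upper() == req["method"].upper():
            return True
    return False


def http_access(text, req):
    """(decision, reason) for req = {'src': ip, 'port': n, 'method': 'GET' | 'CONNECT' | ...}."""
    acls, rules = parse_squid(text)
    for action, terms in rules:
        # a '!' term matches when the ACL does NOT match
        if all(acl_matches(acls, t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action, "http_access " + " ".join([action] + terms)
    last_action = rules[-1][0]
    return ("deny" if last_action == "allow" else "allow"), "no line matched: opposite of the last line"


if __name__ == "__main__":
    outsider = {"src": "203.0.113.9", "port": 80, "method": "GET"}
    print("open config  :", http_access(SQUID_CONF_OPEN, outsider))
    print("closed config:", http_access(SQUID_CONF_CLOSED, outsider))
    print("CONNECT to 21:", http_access(SQUID_CONF_CLOSED, {"src": "192.168.1.5", "port": 21, "method": "CONNECT"}))
```

The open config is the part of the default squid.conf that the notes quote: without the trailing allow/deny lines, an outside client is served because the last line is a deny.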

NFS

# groupadd -g 42000 share
# chown nfsnobody /home/export
# chgrp share -R /home/export
# chmod -R 2770 /home/export
# usermod -aG share student
# usermod -aG share root

# cat <<EOF >>/etc/exports
> /home/export 127.0.0.1/32(rw) 192.168.0.0/16(ro)
> EOF

systemctl restart nfs-server
mount 127.0.0.1:/home/export /mnt/my-nfs

man exports

SAMBA

# apt install samba smbclient

man smb.conf

cat <<EOF >>/etc/samba/smb.conf
[lab13-3]
guest ok = yes
read only = yes
path = /home/export/cifs
EOF

smbclient -L localhost
smbclient //localhost/lab13-3

-- PRIVATE ACCESS EXAMPLE
cat <<EOF >>/etc/samba/smb.conf
[lab-private]
path = /home/export/private
valid users = alex
read only = no
public = no
EOF

# chown -R alex /home/export/private/my-secret
# smbpasswd -a alex
# systemctl restart smbd.service
# smbclient -L localhost
# smbclient -U alex //localhost/lab-private
smb: \> get my-secret

-- ETC/FSTAB
man systemd.mount

127.0.0.1:/home/export/nfs /home/share/nfs nfs x-systemd.automount,x-systemd.idle-timeout=10,noauto,_netdev 0 0

//localhost/mainexports /home/share/cifs cifs credentials=/root/smbfile,x-systemd.automount,x-systemd.idle-timeout=10,noauto,_netdev 0 0
The credentials file holds the username and password in clear text; keep it root-owned with mode 0600.

SECURITY

SELINUX
Basic SELinux Troubleshooting in CLI

APPARMOR
https://wiki.debian.org/AppArmor/HowToUse
/etc/apparmor.d
apparmor_status

PAM
Framework for authentication called Pluggable Authentication Module (PAM).

CHROOT

https://us-cert.cisa.gov/ncas/alerts

nmap
tcpdump
snort

FIREWALL
netfilter
nftables

When a connection reaches a libwrap-enabled daemon, these two files are consulted, in this order (first match wins, no match means allow):

  • /etc/hosts.allow
  • /etc/hosts.deny

  • The netfilter firewall consists of tables.

  • Tables consist of chains.
  • Chains have a default policy.
  • Chains consist of rules.
  • Rules consist of a match criteria and a target.

  • filter table: packets destined for the local machine, routed through it, or generated by local processes.
    chains: INPUT, FORWARD, OUTPUT

  • nat table: consulted for the first packet of a new connection (address translation). Chains: PREROUTING, OUTPUT, POSTROUTING
  • mangle table: packet alteration, for all packets. Chains: PREROUTING, INPUT, OUTPUT, FORWARD, POSTROUTING
  • raw table: processed before connection tracking, mainly to exempt packets from it (NOTRACK). Chains: PREROUTING, OUTPUT

sudo ufw app list
sudo ufw show listening

IPTABLES
7.4. FORWARD and NAT rules

man iptables
man iptables-extensions

iptables --list-rules # same as -S: rules printed as iptables commands
iptables --list # same as -L
iptables -t mangle -L INPUT -v # the table is selected with -t (there is no --type option)

Targets: ACCEPT, DROP, REJECT

# With DROP the client hangs until its own timeout expires; with REJECT it gets an error right away
iptables -A INPUT --proto tcp --dport 80 --jump DROP

iptables -A INPUT --proto tcp --dport 8080 --jump REJECT --reject-with icmp-net-prohibited

# apt install iptables-persistent
# iptables-save > /etc/iptables/rules.v4 # iptables-persistent restores this file at boot; iptables-save alone only prints the rules

To enable forwarding and DNAT (DMZ etc.):
echo 1 > /proc/sys/net/ipv4/ip_forward
/etc/sysctl.conf -----> net.ipv4.ip_forward=1 # re-read the file with sysctl -p /etc/sysctl.conf

MASQUERADE
This target is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP (dialup) connections: if you have a static IP address, you should use the SNAT target.
# iptables -t nat -A POSTROUTING -o eth1 ! -d 192.168.12.0/24 -j MASQUERADE

Accepting forwarded packets on the internal interface enables communication between the LAN nodes, but they still cannot reach the Internet. To let LAN nodes with private IP addresses talk to external public networks, configure the firewall for IP masquerading, which rewrites requests coming from the LAN nodes with the IP address of the firewall's external interface.
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Traffic redirect through Squid
iptables -t nat -A PREROUTING -s $SQUIDIP -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUIDPORT
iptables -t nat -A POSTROUTING -j MASQUERADE

LOG connections
iptables -A INPUT -i lo -p tcp --dport 4200 --destination localhost -m state --state NEW -j LOG --log-level info --log-prefix "NEW CON LOCAL "

journalctl -k -f # LOG writes to the kernel log, and it is non-terminating: the packet continues down the chain

block all other traffic (only after adding ACCEPT rules for ESTABLISHED,RELATED traffic and for your own SSH port, otherwise the policy cuts off the session you are typing in)
# iptables -P INPUT DROP
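Added example (not from the course notes or netfilter): a Python dry-run of the INPUT rules above, modelling chains, default policy, match criteria and terminating versus non-terminating targets. The Firewall class and the packets are my own constructions, only the filter table and the iptables options used on this page are parsed, and the packet addresses are documentation ranges.

```python
"""A tiny model of one netfilter table so the rules in the notes can be dry-run:
a chain is a list of rules, each rule is match criteria plus a target,
ACCEPT/DROP/REJECT end the walk, LOG only records and continues, and a packet
that reaches the end of the chain gets the chain's default policy.
Added example, not from the course notes; only the filter table is modelled."""
import ipaddress
import shlex
from dataclasses import dataclass

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    matches: dict
    target: str
    log_prefix: str = ""


class Firewall:
    def __init__(self):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}   # filter table
        self.policy = {name: "ACCEPT" for name in self.chains}      # iptables default
        self.log = []                                               # what LOG would write

    def run(self, cmdline):
        """Apply one iptables command (only the option subset used in these notes)."""
        args = shlex.split(cmdline)
        if args and args[0] == "iptables":
            args = args[1:]
        it = iter(args)
        chain, matches, target, prefix = None, {}, None, ""
        for opt in it:
            if opt in ("-P", "--policy"):                  # chain default policy
                chain = next(it)
                self.policy[chain] = next(it)
                return
            if opt in ("-A", "--append"):
                chain = next(it)
            elif opt in ("-p", "--proto", "--protocol"):
                matches["proto"] = next(it)
            elif opt == "--dport":
                matches["dport"] = int(next(it))
            elif opt in ("-i", "--in-interface"):
                matches["in"] = next(it)
            elif opt in ("-s", "--source", "-d", "--destination"):
                value = next(it)
                matches["src" if opt in ("-s", "--source") else "dst"] = (
                    "127.0.0.1" if value == "localhost" else value)   # iptables resolves names
            elif opt in ("-m", "--match"):
                next(it)                                    # extension name: state / conntrack
            elif opt in ("--state", "--ctstate"):
                matches["state"] = set(next(it).split(","))
            elif opt in ("-j", "--jump"):
                target = next(it)
            elif opt == "--log-prefix":
                prefix = next(it)
            elif opt in ("--log-level", "--reject-with"):
                next(it)                                    # no influence on the verdict
            else:
                raise ValueError(f"option not modelled: {opt}")
        if chain is None or target is None:
            raise ValueError(f"incomplete rule: {cmdline}")
        self.chains[chain].append(Rule(matches, target, prefix))

    @staticmethod
    def _matches(rule, pkt):
        for key, want in rule.matches.items():
            have = pkt.get(key)
            if key == "state":
                if have not in want:
                    return False
            elif key in ("src", "dst"):
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                    return False
            elif have != want:
                return False
        return True

    def evaluate(self, chain, pkt):
        """Walk the chain for a packet dict and return ACCEPT, DROP or REJECT."""
        for rule in self.chains[chain]:
            if not self._matches(rule, pkt):
                continue
            if rule.target == "LOG":                        # non-terminating: note it and go on
                self.log.append(f"{rule.log_prefix}IN={pkt.get('in')} SRC={pkt.get('src')} DPT={pkt.get('dport')}")
                continue
            if rule.target in TERMINATING:
                return rule.target
        return self.policy[chain]


# The INPUT rules from the notes above, in the order they were typed.
NOTES_RULES = [
    "iptables -A INPUT --proto tcp --dport 80 --jump DROP",
    "iptables -A INPUT --proto tcp --dport 8080 --jump REJECT --reject-with icmp-net-prohibited",
    'iptables -A INPUT -i lo -p tcp --dport 4200 --destination localhost -m state --state NEW -j LOG --log-level info --log-prefix "NEW CON LOCAL "',
    "iptables -P INPUT DROP",
]


def build(rules=NOTES_RULES):
    fw = Firewall()
    for cmd in rules:
        fw.run(cmd)
    return fw


# Constructed packets (documentation address ranges).
WEB = {"proto": "tcp", "dport": 80, "in": "eth0", "src": "203.0.113.5", "dst": "192.0.2.1", "state": "NEW"}
ALT = {"proto": "tcp", "dport": 8080, "in": "eth0", "src": "203.0.113.5", "dst": "192.0.2.1", "state": "NEW"}
LOCAL = {"proto": "tcp", "dport": 4200, "in": "lo", "src": "127.0.0.1", "dst": "127.0.0.1", "state": "NEW"}
SSH = {"proto": "tcp", "dport": 22, "in": "eth0", "src": "198.51.100.4", "dst": "192.0.2.1", "state": "ESTABLISHED"}

if __name__ == "__main__":
    fw = build()
    for name, pkt in (("web", WEB), ("alt", ALT), ("local 4200", LOCAL), ("ssh session", SSH)):
        print(f"{name:12} -> {fw.evaluate('INPUT', pkt)}")
    print("kernel log:", fw.log)
    # The admin's own SSH session is dropped once the policy is DROP; the usual fix is
    # an ESTABLISHED,RELATED rule (appended here, so it sits after the LOG rule).
    fw.run("iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT")
    print("ssh session after conntrack rule ->", fw.evaluate("INPUT", SSH))
```

Two things the walk makes visible: the LOG rule on port 4200 logs the connection but does not accept it, so with the DROP policy the connection is still dropped; and the established SSH session dies the moment the policy changes until a conntrack ACCEPT rule exists.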

CONTAINERS

https://book.hacktricks.xyz/pentesting/2375-pentesting-docker

Course notes

https://trainingportal.linuxfoundation.org/learn/course/linux-networking-and-administration-lfs211/network-security/knowledge-check?page=1
no knowledge check