Install the Packages Needed to Provide the Service
# to list all installed packages
yum list installed
# to install a package
yum install telnet
# download only, use yumdownloader
# will download the telnet rpm file
yumdownloader telnet
# install using the rpm
yum localinstall package.rpm
# search if package available in the repo
yum search packagename
# which package provides a feature
yum provides tcsd.conf
# check if update available
yum check-update
# update all packages
yum update
# update specific package
yum update telnet
# if there is a full release update
yum upgrade
# information about the package
yum info telnet
Configure SELinux to support the Service
# check current status
getenforce
# set enforcing mode for the current running session only (this does not persist across a reboot)
setenforce 1
# more details of the status
sestatus
Use SELinux Port Labelling to Allow Services to use non-standard port
### Example for apache httpd service
## install the httpd service and the elinks browser
[root@rhel7server1 ~]# yum install -y httpd elinks
## enable and start the service
[root@rhel7server1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@rhel7server1 conf]# systemctl start httpd
## Check the current list of ports labelled for httpd
[root@rhel7server1 conf]# semanage port -l | grep ^http_port
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
## if we change the Listen port to 81
[root@rhel7server1 conf]# cd /etc/httpd/conf
[root@rhel7server1 conf]# vi httpd.conf
...
Listen 81
...
## save and restart
[root@rhel7server1 conf]# systemctl restart httpd
## we still can load the default web page
[root@rhel7server1 conf]# elinks http://localhost:81
## if we change the Listen port to 82
[root@rhel7server1 conf]# cd /etc/httpd/conf
[root@rhel7server1 conf]# vi httpd.conf
...
Listen 82
...
## save and restart
[root@rhel7server1 conf]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
## if we check the error
[root@rhel7server1 conf]# journalctl -xe
....
Mar 14 10:14:56 rhel7server1 setroubleshoot[17289]: SELinux is preventing /usr/sbin/httpd from name_bind access
Mar 14 10:14:56 rhel7server1 python[17289]: SELinux is preventing /usr/sbin/httpd from name_bind access on the t
...
## fix it by
[root@rhel7server1 conf]# semanage port -a -t http_port_t -p tcp 82
[root@rhel7server1 conf]# semanage port -l | grep ^http_port
http_port_t tcp 82, 80, 81, 443, 488, 8008, 8009, 8443, 9000
## now we can start httpd service
[root@rhel7server1 conf]# systemctl restart httpd
## and we can load the website at port 82
[root@rhel7server1 conf]# elinks http://localhost:82
Configure the Service to Start when the system is booted
### e.g. httpd Services
# to check status
systemctl status httpd
# to enable (auto start on reboot)
# if the service is not running, this does not start it now; it will start at the next reboot
systemctl enable httpd
# to start the service now
systemctl start httpd
# to disable (autostart on reboot)
# if the service is already running, it keeps running, but it will not start at the next reboot
systemctl disable httpd
# to prevent from being started by systemctl start <servicename>
# or by systemctl restart <servicename> e.g.
[root@rhel7server1 ~]# systemctl mask httpd
Created symlink from /etc/systemd/system/httpd.service to /dev/null.
[root@rhel7server1 ~]# systemctl start httpd
Failed to start httpd.service: Unit is masked
# to undo mask
systemctl unmask httpd
# to list services that are enabled
systemctl list-unit-files --state=enabled --type=service
# to list services that are disabled
systemctl list-unit-files --state=disabled --type=service
Configure the Service for Basic Operation
### eg. for httpd service
# check service status
# note the process is /usr/sbin/httpd
[root@rhel7server1 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2020-03-15 05:29:46 EDT; 9min ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 3437 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
Main PID: 3441 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
CGroup: /system.slice/httpd.service
├─3441 /usr/sbin/httpd -DFOREGROUND
├─3443 /usr/sbin/httpd -DFOREGROUND
├─3445 /usr/sbin/httpd -DFOREGROUND
├─3446 /usr/sbin/httpd -DFOREGROUND
├─3447 /usr/sbin/httpd -DFOREGROUND
└─3448 /usr/sbin/httpd -DFOREGROUND
# check process status
ps aux | grep httpd
# to start
systemctl start httpd
## after making configuration change,
# Either, reload
systemctl reload httpd
# the parent process id stays the same, but the child processes are replaced
# does not force terminate any existing connections
[root@rhel7server1 ~]# systemctl reload httpd
[root@rhel7server1 ~]# ps -ef | grep httpd
root 3441 1 0 05:29 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3672 3441 0 05:43 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3673 3441 0 05:43 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3674 3441 0 05:43 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3676 3441 0 05:43 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3677 3441 0 05:43 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
root 3684 2848 0 05:43 pts/0 00:00:00 grep --color=auto httpd
# Or, restart
[root@rhel7server1 ~]# systemctl restart httpd
[root@rhel7server1 ~]# ps -ef | grep httpd
root 3725 1 5 05:45 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3726 3725 0 05:45 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3727 3725 0 05:45 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3728 3725 0 05:45 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3729 3725 0 05:45 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
apache 3730 3725 0 05:45 ? 00:00:00 /usr/sbin/httpd -DFOREGROUND
root 3738 2848 0 05:45 pts/0 00:00:00 grep --color=auto httpd
# in this case process id gets changed for the root and child processes
# existing connections are terminated
# check dependency
[root@rhel7server1 ~]# systemctl list-dependencies httpd
httpd.service
● ├─-.mount
● ├─system.slice
● └─basic.target
● ├─alsa-restore.service
● ├─alsa-state.service
● ├─microcode.service
● ├─rhel-autorelabel-mark.service
● ├─rhel-autorelabel.service
● ├─rhel-configure.service
● ├─rhel-dmesg.service
● ├─rhel-loadmodules.service
● ├─selinux-policy-migrate-local-changes@targeted.service
● ├─paths.target
● ├─slices.target
● │ ├─-.slice
● │ └─system.slice
● ├─sockets.target
● │ ├─avahi-daemon.socket
● │ ├─cups.socket
● │ ├─dbus.socket
● │ ├─dm-event.socket
● │ ├─iscsid.socket
● │ ├─iscsiuio.socket
● │ ├─rpcbind.socket
● │ ├─systemd-initctl.socket
● │ ├─systemd-journald.socket
● │ ├─systemd-shutdownd.socket
● │ ├─systemd-udevd-control.socket
● │ ├─systemd-udevd-kernel.socket
● │ ├─virtlockd.socket
● │ └─virtlogd.socket
● ├─sysinit.target
● │ ├─dev-hugepages.mount
● │ ├─dev-mqueue.mount
● │ ├─dmraid-activation.service
● │ ├─iscsi.service
● │ ├─kmod-static-nodes.service
● │ ├─lvm2-lvmetad.socket
● │ ├─lvm2-lvmpolld.socket
● │ ├─lvm2-monitor.service
● │ ├─multipathd.service
● │ ├─plymouth-read-write.service
● │ ├─plymouth-start.service
● │ ├─proc-sys-fs-binfmt_misc.automount
● │ ├─sys-fs-fuse-connections.mount
● │ ├─sys-kernel-config.mount
● │ ├─sys-kernel-debug.mount
● │ ├─systemd-ask-password-console.path
● │ ├─systemd-binfmt.service
● │ ├─systemd-firstboot.service
● │ ├─systemd-hwdb-update.service
● │ ├─systemd-journal-catalog-update.service
● │ ├─systemd-journal-flush.service
● │ ├─systemd-journald.service
● │ ├─systemd-machine-id-commit.service
● │ ├─systemd-modules-load.service
● │ ├─systemd-random-seed.service
● │ ├─systemd-sysctl.service
● │ ├─systemd-tmpfiles-setup-dev.service
● │ ├─systemd-tmpfiles-setup.service
● │ ├─systemd-udev-trigger.service
● │ ├─systemd-udevd.service
● │ ├─systemd-update-done.service
● │ ├─systemd-update-utmp.service
● │ ├─systemd-vconsole-setup.service
● │ ├─cryptsetup.target
● │ ├─local-fs.target
● │ │ ├─-.mount
● │ │ ├─boot.mount
● │ │ ├─home.mount
● │ │ ├─rhel-import-state.service
● │ │ ├─rhel-readonly.service
● │ │ └─systemd-remount-fs.service
● │ └─swap.target
● │ └─dev-mapper-rhel\x2dswap.swap
● └─timers.target
● ├─systemd-tmpfiles-clean.timer
● └─unbound-anchor.timer
Configure host-based and user-based security for the service
### Host based Security
## SSH
# open firewall on the server
# --permanent only writes the rule to the saved configuration; run firewall-cmd --reload afterwards for it to take effect on the running firewall
firewall-cmd --permanent --add-service=ssh
# deny specific client by their hostname, address
/etc/hosts.deny
sshd: someserver.hackernet.net
sshd: .hacker.net
sshd: 131.155.72.0/255.255.255.0
sshd: 131.155.72.0/24
sshd: 131.155.
# for more help : man hosts.deny
# allow specific client(s) by their hostname, address
/etc/hosts.allow
sshd: someserver.whitehat.net
sshd: .whitehat.net
sshd: 131.155.73.0/255.255.255.0
sshd: 131.155.73.0/24
sshd: 131.155.
# for more help : man hosts.allow
# Precedence: /etc/hosts.allow is checked first, then /etc/hosts.deny; the first matching ACL applies
## HTTP/HTTPS
# open firewall on the server
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
# deny, allow specific client(s)
# first check to confirm that authz_core_module is loaded
[root@rhel7server1 conf]# httpd -M | grep authz_core
authz_core_module (shared)
add the following to /etc/httpd/conf/httpd.conf
## within <Directory /var/www/html> .. </Directory>
<RequireAll>
Require all granted
Require not host someserver.hacker.net
Require not ip 192.168.0.20
</RequireAll>
## create a test.html file in /var/www/html directory
## test by accessing http://rhel7server1/test.html before and after adding the "Require not ip" directive
## DNS
# open firewall on the server
firewall-cmd --permanent --add-service=dns
# allow specific clients
/etc/unbound/unbound.conf
access-control: 131.155.72.0/24 allow
# by default everything is refused
## NFS
# open firewall on the server
firewall-cmd --permanent --add-service=nfs
# allow specific clients
/etc/exports
/nfsshare *.rhce.local(ro)
## SMB
# open firewall on the server
firewall-cmd --permanent --add-service=samba
# allow specific clients
/etc/samba/smb.conf
hosts allow = 10.8.8.
## SMTP (Postfix)
# open firewall on the server
firewall-cmd --permanent --add-service=smtp
# allow specific clients
/etc/postfix/access
rhce.local OK
someserver.hacker.net REJECT
# run postmap
postmap /etc/postfix/access
# edit postfix config
/etc/postfix/main.cf
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access
### User based Security
## SSH
/etc/ssh/sshd_config
# AllowUsers is an allow-list: every user not listed is refused, so the DenyUsers line below is redundant but harmless
AllowUsers sandy
DenyUsers root
## HTTP/HTTPS
/etc/httpd/conf/httpd.conf
<Directory "/var/www/html">
AuthType Basic
AuthName "Login Required"
AuthUserFile "/etc/httpd/conf/htpasswd"
Require valid-user
</Directory>
htpasswd -c /etc/httpd/conf/htpasswd sandy
systemctl restart httpd
## SMB
/etc/samba/smb.conf
valid users = sandy, alice
write list = alice
read list = sandy
## SMTP
/etc/postfix/access
user@domain REJECT
# run postmap
postmap /etc/postfix/access
# edit postfix config
/etc/postfix/main.cf
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access