

Install the Packages Needed to Provide the Service

 
# to list all installed packages
yum list installed

# to install a package
yum install telnet

# download only, use yumdownloader
# will download the telnet rpm file
yumdownloader telnet

# install using the rpm
yum localinstall package.rpm

# search if package available in the repo
yum search packagename

# which package provides a given file or feature
yum provides tcsd.conf

# check if update available
yum check-update

# update all packages
yum update

# update specific package
yum update telnet

# full upgrade of all packages, also removing packages that have become obsolete
yum upgrade

# information about the package
yum info telnet

back to Objectives

 

 

Configure SELinux to support the Service

 
# check current status
getenforce

# set enforcing mode for the current running session only (not persistent across a reboot)
setenforce 1

# more details of the status
sestatus

back to Objectives

 

 

Use SELinux Port Labelling to Allow Services to use non-standard port


### Example for apache httpd service


## install the httpd service and the elinks browser

[root@rhel7server1 ~]# yum install -y httpd elinks


## enable and start the service

[root@rhel7server1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

[root@rhel7server1 conf]# systemctl start httpd


## Check the current list of ports labelled for httpd

[root@rhel7server1 conf]# semanage port -l  | grep ^http_port
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000


## if we change the Listen port to 81

[root@rhel7server1 conf]# cd /etc/httpd/conf
[root@rhel7server1 conf]# vi httpd.conf

...
Listen 81
...


## save and restart

[root@rhel7server1 conf]# systemctl restart httpd


## we still can load the default web page

[root@rhel7server1 conf]# elinks http://localhost:81


## if we change the Listen port to 82

[root@rhel7server1 conf]# cd /etc/httpd/conf
[root@rhel7server1 conf]# vi httpd.conf

...
Listen 82
...


## save and restart

[root@rhel7server1 conf]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.


## if we check the error

[root@rhel7server1 conf]# journalctl -xe

....
Mar 14 10:14:56 rhel7server1 setroubleshoot[17289]: SELinux is preventing /usr/sbin/httpd from name_bind access
Mar 14 10:14:56 rhel7server1 python[17289]: SELinux is preventing /usr/sbin/httpd from name_bind access on the t
...


## fix it by

[root@rhel7server1 conf]# semanage port -a -t http_port_t -p tcp 82

[root@rhel7server1 conf]# semanage port -l  | grep ^http_port
http_port_t                    tcp      82, 80, 81, 443, 488, 8008, 8009, 8443, 9000


## now we can start httpd service

[root@rhel7server1 conf]# systemctl restart httpd


## and we can load the website at port 82

[root@rhel7server1 conf]# elinks http://localhost:82

 

back to Objectives

 

 

Configure the Service to Start when the system is booted


### e.g. httpd Services

# to check status
systemctl status httpd

# to enable (auto start on reboot)
# if the service is not running, this will not start it, but will start at next reboot
systemctl enable httpd

# to start the service now
systemctl start httpd

# to disable (autostart on reboot)
# if the service is already running, it remains running, but will not start at next reboot
systemctl disable httpd

# to prevent from being started by systemctl start <servicename>
# or by systemctl restart <servicename> e.g.

[root@rhel7server1 ~]# systemctl mask httpd
Created symlink from /etc/systemd/system/httpd.service to /dev/null.

[root@rhel7server1 ~]# systemctl start httpd
Failed to start httpd.service: Unit is masked

# to undo mask
systemctl unmask httpd

# to list services that are enabled

systemctl list-unit-files --state=enabled --type=service

# to list services that are disabled

systemctl list-unit-files --state=disabled --type=service


 back to Objectives

 

 

Configure the Service for Basic Operation

### eg. for httpd service

# check service status
# note the process is /usr/sbin/httpd

[root@rhel7server1 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-03-15 05:29:46 EDT; 9min ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 3437 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 3441 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─3441 /usr/sbin/httpd -DFOREGROUND
           ├─3443 /usr/sbin/httpd -DFOREGROUND
           ├─3445 /usr/sbin/httpd -DFOREGROUND
           ├─3446 /usr/sbin/httpd -DFOREGROUND
           ├─3447 /usr/sbin/httpd -DFOREGROUND
           └─3448 /usr/sbin/httpd -DFOREGROUND

# check process status
ps aux | grep httpd

# to start
systemctl start httpd

## after making configuration change,

# Either, reload
systemctl reload httpd

# root process id stays the same, but the child process will change
# does not force terminate any existing connections

[root@rhel7server1 ~]# systemctl reload httpd
[root@rhel7server1 ~]# ps -ef | grep httpd
root      3441     1  0 05:29 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3672  3441  0 05:43 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3673  3441  0 05:43 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3674  3441  0 05:43 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3676  3441  0 05:43 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3677  3441  0 05:43 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
root      3684  2848  0 05:43 pts/0    00:00:00 grep --color=auto httpd

# Or, restart

[root@rhel7server1 ~]# systemctl restart httpd
[root@rhel7server1 ~]# ps -ef | grep httpd
root      3725     1  5 05:45 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3726  3725  0 05:45 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3727  3725  0 05:45 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3728  3725  0 05:45 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3729  3725  0 05:45 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache    3730  3725  0 05:45 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
root      3738  2848  0 05:45 pts/0    00:00:00 grep --color=auto httpd

# in this case process id gets changed for the root and child processes
# existing connections are terminated

# check dependency
[root@rhel7server1 ~]# systemctl list-dependencies httpd
httpd.service
● ├─-.mount
● ├─system.slice
● └─basic.target
●   ├─alsa-restore.service
   ├─alsa-state.service
●   ├─microcode.service
   ├─rhel-autorelabel-mark.service
   ├─rhel-autorelabel.service
   ├─rhel-configure.service
●   ├─rhel-dmesg.service
   ├─rhel-loadmodules.service
   ├─selinux-policy-migrate-local-changes@targeted.service
●   ├─paths.target
●   ├─slices.target
●   │ ├─-.slice
●   │ └─system.slice
●   ├─sockets.target
●   │ ├─avahi-daemon.socket
●   │ ├─cups.socket
●   │ ├─dbus.socket
●   │ ├─dm-event.socket
●   │ ├─iscsid.socket
●   │ ├─iscsiuio.socket
●   │ ├─rpcbind.socket
●   │ ├─systemd-initctl.socket
●   │ ├─systemd-journald.socket
●   │ ├─systemd-shutdownd.socket
●   │ ├─systemd-udevd-control.socket
●   │ ├─systemd-udevd-kernel.socket
●   │ ├─virtlockd.socket
●   │ └─virtlogd.socket
●   ├─sysinit.target
●   │ ├─dev-hugepages.mount
●   │ ├─dev-mqueue.mount
   │ ├─dmraid-activation.service
   │ ├─iscsi.service
●   │ ├─kmod-static-nodes.service
●   │ ├─lvm2-lvmetad.socket
●   │ ├─lvm2-lvmpolld.socket
●   │ ├─lvm2-monitor.service
   │ ├─multipathd.service
   │ ├─plymouth-read-write.service
   │ ├─plymouth-start.service
●   │ ├─proc-sys-fs-binfmt_misc.automount
●   │ ├─sys-fs-fuse-connections.mount
●   │ ├─sys-kernel-config.mount
●   │ ├─sys-kernel-debug.mount
   │ ├─systemd-ask-password-console.path
   │ ├─systemd-binfmt.service
   │ ├─systemd-firstboot.service
   │ ├─systemd-hwdb-update.service
●   │ ├─systemd-journal-catalog-update.service
●   │ ├─systemd-journal-flush.service
●   │ ├─systemd-journald.service
   │ ├─systemd-machine-id-commit.service
   │ ├─systemd-modules-load.service
●   │ ├─systemd-random-seed.service
●   │ ├─systemd-sysctl.service
●   │ ├─systemd-tmpfiles-setup-dev.service
●   │ ├─systemd-tmpfiles-setup.service
●   │ ├─systemd-udev-trigger.service
●   │ ├─systemd-udevd.service
   │ ├─systemd-update-done.service
●   │ ├─systemd-update-utmp.service
●   │ ├─systemd-vconsole-setup.service
●   │ ├─cryptsetup.target
●   │ ├─local-fs.target
●   │ │ ├─-.mount
●   │ │ ├─boot.mount
●   │ │ ├─home.mount
●   │ │ ├─rhel-import-state.service
●   │ │ ├─rhel-readonly.service
●   │ │ └─systemd-remount-fs.service
●   │ └─swap.target
●   │   └─dev-mapper-rhel\x2dswap.swap
●   └─timers.target
●     ├─systemd-tmpfiles-clean.timer
●     └─unbound-anchor.timer

back to Objectives

 

Configure host-based and user-based security for the service


### Host based Security

## SSH

# open firewall on the server (rules added with --permanent only take effect after firewall-cmd --reload; the same applies to the firewall-cmd lines below)

firewall-cmd --permanent --add-service=ssh

# deny specific clients by hostname or address

/etc/hosts.deny
sshd: someserver.hackernet.net
sshd: .hacker.net
sshd: 131.155.72.0/255.255.255.0
sshd: 131.155.72.0/24
sshd: 131.155.

# for more help : man hosts.deny

# allow specific clients by hostname or address

/etc/hosts.allow
sshd: someserver.whitehat.net
sshd: .whitehat.net
sshd: 131.155.73.0/255.255.255.0
sshd: 131.155.73.0/24
sshd: 131.155.

# for more help : man hosts.allow

# Precedence : /etc/hosts.allow is checked first, then /etc/hosts.deny; the first matching ACL applies. A client matched by neither file is granted access, so a deny-by-default setup needs an explicit catch-all in hosts.deny.



## HTTP/HTTPS

# open firewall on the server

firewall-cmd --permanent --add-service=http

firewall-cmd --permanent --add-service=https

# deny, allow specific client(s)

# first check to confirm that authz_core_module is loaded

[root@rhel7server1 conf]# httpd -M | grep authz_core
 authz_core_module (shared)

add the following to /etc/httpd/conf/httpd.conf

## within <Directory /var/www/html> .. </Directory>

<RequireAll>
  Require all granted
  Require not host someserver.hacker.net
  Require not ip 192.168.0.20
</RequireAll>

## create a test.html file in /var/www/html directory
## test by accessing http://rhel7server1/test.html before and after adding the "Require not ip" directive


## DNS

# open firewall on the server

firewall-cmd --permanent --add-service=dns

# allow specific clients

/etc/unbound/unbound.conf
access-control: 131.155.72.0/24 allow

# by default everything is refused


## NFS

# open firewall on the server

firewall-cmd --permanent --add-service=nfs

# allow specific clients

/etc/exports
/nfsshare *.rhce.local(ro)


## SMB

# open firewall on the server

firewall-cmd --permanent --add-service=samba


# allow specific clients

/etc/samba/smb.conf
hosts allow = 10.8.8.


## SMTP (Postfix)

# open firewall on the server

firewall-cmd --permanent --add-service=smtp

# allow specific clients

/etc/postfix/access
rhce.local            OK
someserver.hacker.net REJECT

# run postmap
postmap /etc/postfix/access

# edit postfix config

/etc/postfix/main.cf
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access



### User based Security

## SSH

/etc/ssh/sshd_config
AllowUsers sandy
DenyUsers root


## HTTP/HTTPS

/etc/httpd/conf/httpd.conf
<Directory "/var/www/html">
   AuthType Basic
   AuthName "Login Required"
   AuthUserFile "/etc/httpd/conf/htpasswd"
   Require valid-user
</Directory>

htpasswd -c /etc/httpd/conf/htpasswd sandy    # -c creates the file; omit -c when adding further users so the existing file is not overwritten

systemctl restart httpd



## SMB

/etc/samba/smb.conf
valid users = sandy, alice
write list = alice
read list = sandy


## SMTP

/etc/postfix/access
user@domain   REJECT

# run postmap
postmap /etc/postfix/access

# edit postfix config (note: check_client_access matches the connecting client's hostname/address, so a user@domain entry will not match here; to filter by sender address use check_sender_access under smtpd_sender_restrictions)

/etc/postfix/main.cf
smtpd_client_restrictions = check_client_access hash:/etc/postfix/access

 back to Objectives

 

 

 
