Showing posts with label Linux. Show all posts

Wednesday, April 16, 2025

Why and How to telnet without telnet?

Why ?

Because most security baselines treat the telnet client as a non-approved tool and do not allow it, we need an alternative command to test the communication between a host and a client; “nc” (netcat) will do this for us. It has many use cases; here is just a simple one.

How ?

Below are simple commands for using the “nc” command.

1- To test the connection from the client to the host (server):

nc -zv <host> <port>

example:

nc -zv 10.1.100.10 1521

2- To open a test listener on a specific port on the host itself, so the client-side test above can be run against it (nc fails to bind if something is already listening on that port):

nc -l -p 1521
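The same reachability test as `nc -zv`, done from Python so the result can be scripted and the failure modes told apart (added example, not from the original post; the host and port names are placeholders you supply). A port that answers with a reset is reachable but closed, while a timeout usually means a firewall is dropping the SYN.

```python
import socket


def tcp_check(host: str, port: int, timeout: float = 3.0) -> str:
    """Equivalent of `nc -zv host port`: connect, send nothing, close.

    Returns "open", "refused", "timeout", "unresolved" or "unreachable".
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved"              # DNS failed; nothing was sent on the wire
    result = "unreachable"
    for family, socktype, proto, _, sockaddr in infos:   # try IPv4 and IPv6 answers
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(sockaddr)
            return "open"                # handshake completed: something is listening
        except ConnectionRefusedError:
            result = "refused"           # host sent RST: reachable, port closed
        except socket.timeout:
            result = "timeout"           # no reply: filtered by a firewall, or host down
        except OSError:
            result = "unreachable"       # e.g. no route to host
        finally:
            sock.close()
    return result


def demo_local() -> str:
    """Bind a throwaway listener on 127.0.0.1 and check it, like `nc -l` plus `nc -zv`."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: let the kernel pick a free port
    listener.listen(1)
    try:
        return tcp_check("127.0.0.1", listener.getsockname()[1])
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_local())                  # open
    print(tcp_check("127.0.0.1", 1))     # refused (nothing listens on tcpmux normally)
```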

Thursday, October 31, 2024

Why and How to use the iperf3 tool in Linux to test network performance?

Why ?

To test the network performance between two parties you need a tool. The iperf3 package must be installed on both the server and the client; you can then send traffic from the client to the server and analyze the network performance. It is a very useful tool that gives a clear picture of the network performance.

How ?

Below are simple commands for setting up the server and using the client.

1- On the server side, run one of the commands below to make this machine listen as a server, either on the default network card and default port, or bound to a specific NIC:

iperf3 -s

iperf3 -s -B <nic_ip>

2- Connect to the server from the client, using the default port as well:

iperf3 -c <server_ip>

iperf3 -c <server_ip> -t 60    # keep testing for 60 seconds

** Note: man iperf3 is the main reference and has examples, as usual.
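When the client is run with `-J`, iperf3 prints the whole report as JSON, which is easier to keep in a baseline than the text table. The script below (an added example, not from the original post) reduces that report to throughput and TCP retransmits; the sample report is constructed, and the field names `end.sum_sent` / `end.sum_received` / `error` are assumed from iperf3's JSON output.

```python
import json

# Constructed sample of `iperf3 -c <server_ip> -J` output, trimmed to the fields
# read below (the real report also carries "start" and per-second "intervals").
SAMPLE_JSON = """
{
  "end": {
    "sum_sent":     {"seconds": 10.0, "bytes": 1176256512, "bits_per_second": 941005209.6,
                     "retransmits": 12, "sender": true},
    "sum_received": {"seconds": 10.0, "bytes": 1174863872, "bits_per_second": 939891097.6,
                     "sender": false}
  }
}
"""


def summarize_iperf3(json_text: str) -> dict:
    """Reduce an iperf3 JSON report to the numbers worth recording for a link test."""
    report = json.loads(json_text)
    if "error" in report:            # iperf3 puts failures (server busy, refused...) here
        raise RuntimeError(report["error"])
    sent = report["end"]["sum_sent"]
    recv = report["end"]["sum_received"]
    retrans = sent.get("retransmits", 0)     # absent for UDP tests
    megabytes_sent = sent["bytes"] / 1e6
    return {
        "sent_mbps": round(sent["bits_per_second"] / 1e6, 1),
        "received_mbps": round(recv["bits_per_second"] / 1e6, 1),
        "retransmits": retrans,
        # normalised per MB so a 10 s and a 60 s run (-t 60) can be compared
        "retransmits_per_mb": round(retrans / megabytes_sent, 3) if megabytes_sent else 0.0,
    }


if __name__ == "__main__":
    for key, value in summarize_iperf3(SAMPLE_JSON).items():
        print(f"{key:>20}: {value}")
```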

Monday, January 30, 2023

Why and How to create a SAN SSL certificate request?

Why ?

The purpose of a SAN (Subject Alternative Name) certificate is to cover multiple names with one certificate; it is used instead of a wildcard (*.domain.com) CN when the same certificate will serve multiple subdomains.

How ?

1- Create a configuration file as below:

vi req.conf

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = BH
ST = MANAMA
L = MANAMA
O = <companyName>
OU = IT
CN = CN.Domain

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = CN1.Domain
DNS.2 = CN2.Domain

2- Create the CSR file along with the key, and keep a copy of this private key in case you need it later:

openssl req -new -out certificate.csr -newkey rsa:2048 -nodes -sha256 -keyout certificate.key -config req.conf

Submit the CSR to the CA to be signed. If you want to verify the CSR information first, use the below:

openssl req -text -noout -verify -in certificate.csr

Below is the PEM file certificate sequence (your certificate first, then the intermediate, then the root) for reference, in case needed:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
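A generator for the req.conf above (added example, not from the original post) that takes the CN and the list of extra hostnames as input. It always puts the CN into alt_names as well, because browsers match the server name only against subjectAltName, so a CN that is not also listed there is not covered; the DN values default to the post's sample and the organisation name is a placeholder.

```python
import re

# One DNS label: 1-63 alphanumerics/hyphens, not starting or ending with a hyphen.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(\.{_LABEL})*$")


def build_req_conf(cn, sans, org, country="BH", state="MANAMA", locality="MANAMA", ou="IT"):
    """Return the text of an OpenSSL req.conf for a multi-hostname (SAN) CSR."""
    names = []
    for raw in [cn, *sans]:
        name = raw.strip().lower()
        bare = name[2:] if name.startswith("*.") else name   # allow a wildcard entry
        if not _HOSTNAME.match(bare):
            raise ValueError(f"not a valid DNS name: {raw!r}")
        if name not in names:                                # drop duplicates, keep order
            names.append(name)
    alt_lines = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, 1))
    return f"""[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = {country}
ST = {state}
L = {locality}
O = {org}
OU = {ou}
CN = {cn}

[v3_req]
# digitalSignature added: an RSA server cert needs it for (EC)DHE key exchange and TLS 1.3
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
{alt_lines}
"""


def san_names(conf_text):
    """Read the alt_names entries back out of a req.conf, e.g. to check an existing file."""
    section = conf_text.split("[alt_names]", 1)[1]
    return re.findall(r"^DNS\.\d+\s*=\s*(\S+)", section, re.M)
```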

Wednesday, January 11, 2023

Why and How to generate a self-signed or publicly signed certificate?

Why ?

A certificate can be self-signed or publicly signed. A self-signed certificate is signed by your server only and no publicly trusted authority knows it, so it is good for testing only. For production servers or website services that need a certificate, you have to generate a request file to be signed by a publicly known authority, then load the signed certificate into the public website or service that needs it.

How ?

1- Generate a private key that will be used to generate the certificate request; keep this key safe, as you will need it later.

## with password:

openssl genrsa -des3 -out server.key 2048

## without password:

openssl genrsa -out server.key 2048

2- Create the Certificate Signing Request (using the key generated above):

openssl req -new -key server.key -sha256 -out server.csr

If this certificate will be signed by a public authority, you have to share “server.csr” with them and they will provide you a signed certificate (mainly a .cer or .crt file).

3- For a self-signed certificate do the below. First generate a server certificate, signed with your own key, which acts like a private authority signing the CSR:

openssl x509 -req -days 1825 -in server.csr -signkey server.key -out server.crt

4- In many cases you may need to convert the .crt to PEM format; use the below:

openssl x509 -in server.crt -out server.pem -outform PEM

Tuesday, January 3, 2023

Why and How to set up the X display parameter after switching user in Linux?

Why ?

On an SSH session that supports X11 forwarding (remote display forwarded through SSH), the display is available to the first login user only. If -X or -Y is used the display is forwarded, but if you then switch user with plain ‘su’ the display from server to client is lost. Use the steps below to move the display from the first user to the switched user.

How ?

1- After logging in as the first user, before switching, take the details of the display:

$ xauth list $DISPLAY

<output1>

$ echo $DISPLAY

<output2>

2- Switch to the user and re-add the display details:

$ xauth add <output1>

$ export DISPLAY=<output2>

Thursday, December 1, 2022

Why and How to fix a Red Hat Linux library issue?

Why ?

For whatever reason you may discover an issue with a library like the one below, where you will not even be able to access the server in emergency mode/target. Use the steps below to fix it; for example, I got the below error:

/usr/sbin/sulogin: error while loading shared libraries: libcrypt.so.1: cannot open shared object file: permission denied
How ?

1- First, boot the system into rescue mode using the DVD/CD ISO installation media:

How to boot Red Hat Enterprise Linux to Rescue Mode for Data Collection (sosreport, vmcore, etc.)

https://access.redhat.com/articles/3405661

2- Check which rpm package provides this library, as below:

# rpm -qf /usr/lib64/libcrypt.so.1

libxcrypt-4.1.1-4.el8.x86_64

3- Re-install the package using the below, then reboot the system from disk again:

yum reinstall libxcrypt

Tuesday, October 4, 2022

Why and How to create a logrotate in Linux?

Why ?

One of the great features in Linux is that you can manage and organize any log file to be rotated on any criteria. For example, if you have a web service that creates a file.log and you want instead a daily file named with the date, and/or a specific size and/or number of files, etc., you can use the logrotate feature to achieve this.

How ?

Below is a sample configuration to rotate the catalina.out file (the main Tomcat log file) on a daily basis, compress it and keep it for one year. The rotated file will be named with the date and the original file will be kept as it is:

1- You may use man to check all features of logrotate:

man logrotate

2- Create the configuration file under logrotate.d:

vi /etc/logrotate.d/tomcat

/<path_to_logs>/catalina.out
{
    su user group
    copytruncate
    compress
    daily
    missingok
    delaycompress
    dateext
    maxage 365
}

3- You may force logrotate to run immediately instead of waiting for the next day:

logrotate -fv /etc/logrotate.d/tomcat

Tuesday, November 2, 2021

Why and How to create a core dump file of a crashed process ?

Why ?

If a process crashes, creating a crash dump file that contains everything that occurred lets you analyze it and find the root cause of the issue. Below are the steps to create this dump file.

How ?

Below are the steps to create a dump file for a specific process:

1- As the root user, find the process and change directory to its working directory:

cd /path/of/process/file

ps aux | grep process

2- Make sure the process limits allow a core dump of any size:

prlimit --pid <PID> --core=unlimited

3- Attach to the process and create the core dump file:

gdb process <PID>

(gdb) generate-core-file

(gdb) detach

4- To create an analysis file of that core dump so it can be read as well:

python lib_extractor.py process /path/to/file/core.<PID>

Why and How do I manage certificate (cer, jks, etc.) files or keystores?

Why ?

In certain cases I need to use or configure certificate files; I use the tools and/or commands below to manage them.

How ?

Below are the names of the utilities:

1- On a Windows-based host, install and use this:

KeyStore Explorer

KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner

https://keystore-explorer.org/

2- On Linux/Unix  :

Openssl

openssl - OpenSSL cryptographic and Secure Sockets Layer toolkit

3- On Linux / Unix

keytool

Key and Certificate Management Tool

Thursday, September 30, 2021

Why and How to check network traffic in Linux ?

Why ?

To check the network traffic on your Linux server in certain cases, you may use tcpdump, or Wireshark as a GUI for it; this will help you monitor and filter the network traffic at the OS level.

How ?

Below are sample commands for a specific host and for a network device:

1- To capture all traffic to and from a specific host into a pcap file (-s0 captures whole packets, -n skips name lookups):

tcpdump -ni <net_dev> -s0 -w /path/to/"$HOSTNAME"_"$(date +%d-%m-%y)".pcap host <ip_host>

2- To watch traffic for a specific host on a specific network device as line-buffered text output (this is decoded text, not a pcap file):

tcpdump -ni <net_dev> host <host_ip> -l > /path/to/"$HOSTNAME"_"$(date +%d-%m-%y)".txt

3- To check traffic for a specific network device and source/destination:

ifconfig -a

tcpdump -i <device name>

tcpdump -i <device name> dst <IP>

tcpdump -i <device name> src <IP>

Monday, August 30, 2021

Why and How to harden the RHEL OS

Why ?

On Red Hat Linux, in order to comply with certain policies you will need to configure passwords to certain levels; the RHCSA does not cover all of these aspects of hardening. Below are the main password-related settings I think you may need to set to meet the required aspects in this matter.

How ?

Below are the CLI commands to configure them:

1- Check that the telnet server is not installed (only the client is allowed):

rpm -qa telnet

telnet-0.17-73.el8_1.1.x86_64

2- Disable direct root SSH login: change or check that the parameter “PermitRootLogin” is set to no:

# vim /etc/ssh/sshd_config

PermitRootLogin no

3- Set the maximum concurrent SSH sessions for all users and for a specific user; for example, 2 maximum for all users and 5 sessions for admin:

# vim /etc/security/limits.conf

*                -       maxlogins       2
admin            -       maxlogins       5

4- To check password strength against a set of rules, Red Hat provides the “pam_pwquality” module. PAM-aware (Pluggable Authentication Modules) tools such as the passwd command enforce it when a user changes the password.

To set the minimum length of the password, for example:

Length not less than 8, with an upper case letter, a lower case letter and a digit

minlen = minimum length of password
dcredit = credit for having required digits in the password
ucredit = credit for having uppercase characters in the password
lcredit = credit for having lowercase characters in the password

# vim /etc/security/pwquality.conf

# The new password is rejected if it fails the check and the value is not 0.
enforcing = 1
ucredit = -1
lcredit = -1
minlen = 8
dcredit = -1

5- To lock an account after 6 failed attempts and unlock it after 30 minutes (a successful login resets the counter), configure as below:

vi /etc/pam.d/system-auth

## After this line :
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so

auth        required      pam_faillock.so preauth silent unlock_time=1800 deny=6
auth        sufficient                                   pam_unix.so  try_first_pass
auth        [default=die] pam_faillock.so authfail unlock_time=1800 deny=6
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular

# make sure pam_faillock.so is also present in the account section
account     required      pam_faillock.so
account     required                                     pam_unix.so

## to remember the last 4 passwords:
password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    requisite                                    pam_pwhistory.so remember=4 use_authtok
password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok remember=4

## the other file is :

vi /etc/pam.d/password-auth

auth        required      pam_faillock.so preauth silent unlock_time=1800 deny=6
auth        sufficient                                   pam_unix.so  try_first_pass
auth        [default=die] pam_faillock.so authfail unlock_time=1800 deny=6
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required      pam_faillock.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    requisite                                    pam_pwhistory.so remember=4 use_authtok
password    sufficient                                   pam_unix.so sha512 shadow  try_first_pass use_authtok remember=4

6- If you use 8.2 and above, use the new recommended approach as per the RHEL article, quoted below (from the RHEL article):

  1. List available profiles:

# authselect list

  2. List current profile and features enabled:

# authselect current

  3. Backup the current profile/changes:

# authselect apply-changes -b --backup=sssd.backup

  4. Create new custom profile name password-policy copied from existing profile sssd:

#  authselect create-profile password-policy -b sssd

Newly created profile will be available at location: /etc/authselect/custom/password-policy/

  5. Set new custom profile as current profile:

# authselect select custom/password-policy

# authselect current

  6. To enable features for example, to create home directory on user login if not already present and to enable account lockout using faillock, run these commands:

# authselect enable-feature with-mkhomedir

# authselect enable-feature with-faillock

  7. Make desired/custom changes in global PAM config files system-auth and password-auth available under custom profile directory /etc/authselect/custom/password-policy/. Once changes are made apply them with command:

# authselect apply-changes

Confirm if changes are written to the files.

1. Keep history of used passwords (the number of previous passwords which cannot be reused).

  • Insert the following line in /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files (after the pam_pwquality.so line):

password    requisite     pam_pwhistory.so remember=5 use_authtok

2. Enforce root for password complexity.

  • Insert/append the following option in pam_pwquality.so line under password section in /etc/authselect/custom/password-policy/system-auth and /etc/authselect/custom/password-policy/password-auth files:

enforce_for_root

Note: After making the changes, authselect apply-changes needs to be run so that changes can take effect.
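Once the settings in steps 2, 4 and 5 are in place, it is worth re-checking them on each host rather than trusting that the edit survived the next update. The audit script below (an added example, not from the post or from Red Hat) parses sshd_config, pwquality.conf and one PAM file for exactly those settings; the config snippets it reads are constructed samples, so point it at the real files (and at both system-auth and password-auth) on a live host.

```python
import re

# Constructed sample config snippets (not from a real host); each check reads one of them.
SSHD_CONFIG = "Port 22\n# PermitRootLogin yes\nPermitRootLogin no\n"
PWQUALITY_CONF = "enforcing = 1\nminlen = 8\ndcredit = -1\nucredit = -1\nlcredit = -1\n"
SYSTEM_AUTH = """\
auth        required      pam_faillock.so preauth silent unlock_time=1800 deny=6
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail unlock_time=1800 deny=6
account     required      pam_faillock.so
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    requisite     pam_pwhistory.so remember=4 use_authtok
"""


def _kv(text):
    """Parse 'key = value' or 'key value' lines, skipping comments; a repeated key keeps its last value."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=?\s*(\S+)", line.split("#", 1)[0])
        if m:
            out[m.group(1).lower()] = m.group(2)
    return out


def _pam_args(text, module):
    """Return one {arg: value} dict per non-comment line that loads `module` (flags map to None)."""
    found = []
    for line in text.splitlines():
        if module in line and not line.lstrip().startswith("#"):
            args = line.split(module, 1)[1].split()
            found.append({a.partition("=")[0]: a.partition("=")[2] or None for a in args})
    return found


def audit(sshd_config=SSHD_CONFIG, pwquality_conf=PWQUALITY_CONF, pam_auth=SYSTEM_AUTH):
    """Return {check: bool} for the settings the post asks for (run once per PAM file)."""
    sshd, pwq = _kv(sshd_config), _kv(pwquality_conf)
    lock = [a for a in _pam_args(pam_auth, "pam_faillock.so") if "preauth" in a or "authfail" in a]
    hist = _pam_args(pam_auth, "pam_pwhistory.so")
    return {
        "root_ssh_login_disabled": sshd.get("permitrootlogin") == "no",
        "pwquality_enforced": pwq.get("enforcing") == "1",
        "minlen_ge_8": int(pwq.get("minlen", 0)) >= 8,
        "digit_upper_lower_required": all(pwq.get(k) == "-1" for k in ("dcredit", "ucredit", "lcredit")),
        # lockout needs the preauth line, the authfail line and an account line for pam_faillock
        "faillock_preauth_and_authfail": len(lock) == 2 and len(_pam_args(pam_auth, "pam_faillock.so")) >= 3,
        "faillock_deny_le_6": bool(lock) and all(int(a.get("deny") or 0) in range(1, 7) for a in lock),
        "faillock_unlock_30min": bool(lock) and all(a.get("unlock_time") == "1800" for a in lock),
        "password_history_ge_4": any(int(h.get("remember") or 0) >= 4 for h in hist),
    }
```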

Why and How to install Grid 19c on RHEL 8?

  Why ? Simply we will be requested to install Oracle Grid RAC DB on Redhat RHEL 8, below is my note for this installation . How ? 1-  OS in...