December 2, 2019

How to Watch TCP and UDP Ports in Real-time

In software terms, especially at the operating system level, a port is a logical construct that identifies a specific process/application or a type of network service and each network service running on a Linux system uses a particular protocol (the most common being the TCP (Transmission Control Protocol) and UDP (User Datagram Protocol)) and a port number for communicating with other processes or services.
In this short article, we will show you how to list and monitor or watch running TCP and UDP ports in real-time with a socket summary on a Linux system.

List All Open Ports in Linux

To list all open ports on a Linux system, you can use the netstat command or ss utility as follows.
It is also crucial to mention that netstat command has been deprecated and instead ss command has taken its place in showing more detailed network statistics.
$ sudo netstat -tulpn
OR
$ sudo ss -tulpn
From the output of the above command, the State column shows whether a port is in a listening state (LISTEN) or not.
In the above command, the flag:
  • -t – enables listing of TCP ports.
  • -u – enables listing of UDP ports.
  • -l – prints only listening sockets.
  • -n – shows the port number.
  • -p – show process/program name.

Watch TCP and UDP Open Ports in Real-Time

However, to watch TCP and UDP ports in real-time, you can run the netstat or ss tool with the watch utility as shown.
$ sudo watch netstat -tulpn
OR
$ sudo watch ss -tulpn
To exit, press Ctrl+C.

November 26, 2019

How to list all users with root


To list all users:
cat /etc/passwd | awk -F: '{print $ 1}'
To list all groups:
cat /etc/group | awk -F: '{print $ 1}'
Don't forget to change the root password. If any user has UID 0 besides root, they shouldn't. Bad idea. To check:
grep 'x:0:' /etc/passwd
Again, you shouldn't do this but to check if the user is a member of the root group:
grep root /etc/group
To see if anyone can execute commands as root, check sudoers:
cat /etc/sudoers
To check for SUID bit, which allows programs to be executed with root privileges:
find / -perm -04000
To see who is UID 0:
getent passwd 0
To see who is in groups rootwheel adm and admin:
getent group root wheel adm admin
To list all users and the groups they are members of:
getent passwd | cut -d : -f 1 | xargs groups
Pure root is user id "0".
All the users in the system are in the /etc/passwd file:
less /etc/passwd
Those who are root have "0" as the user id, which is the 3rd column. Those with "0" as the group (4th column) may also have some root privileges.
Next, you'll want to look at the groups, and see who is an additional member of the "root" or "wheel" or "admin" groups:
less /etc/group
Users listed in those groups could have some root privileges, especially via the "sudo" command.
The final thing you will want to check is the "sudo" config and see who is listed as having authorisation to run this command. This file itself is well documented so I won't reproduce it here:
less /etc/sudoers
To print all users
perl -n -e '@user = split /:/ ; print "@user[0]\n";' < /etc/passwd
To print only those users with UID 0, being as others have said, the users with implicit root privileges:
perl -n -e '@user = split /:/ ; print "@user[0]\n" if @user[2] == "0";' < /etc/passwd

How to Disable SELinux on CentOS 8

SELinux or Security-Enhanced Linux is a mechanism or security module that provides access control security policies. In simple terms, it’s a feature or service used for restricting users to certain policies and rules set by the systems administrator.
In this topic, you will learn how to disable SELinux temporarily and later permanently on CentOS 8 Linux.

How to Temporarily Disable SELinux on CentOS 8

Before you start disabling SELinux on CentOS 8, it’s prudent that you first check the status of SELinux.
To do so, run the command:
# sestatus
Check SELinux Status in CentOS 8
Check SELinux Status in CentOS 8
This shows that SELinux is up and running.
To temporarily disable SELinux run the command.
# setenforce 0
Also, you can run the command.
# setenforce Permissive
Either of these commands will temporarily disable SELinux only until the next reboot.

How to Permanently Disable SELinux on CentOS 8

Now, let’s see how we can permanently disable SELinux. The configuration file for SElinux is located at /etc/selinux/config. Therefore, we need to make a few modifications to the file.
# vi /etc/selinux/config
Set the SELinux attribute to disabled as shown below:
SELINUX=disabled
Disable SELinux in CentOS 8
Disable SELinux in CentOS 8

Save and exit the configuration file and reboot your CentOS 8 Linux system using any of the commands below.
# reboot
# init 0
# telinit 0
Now check the status of SELinux using the command.
# sestatus
Verify SELinux Status in CentOS 8
Verify SELinux Status in CentOS 8
SELinux is a very crucial feature on CentOS 8 and helps in restricting unauthorized users from accessing certain services on the system.
In this guide, we demonstrated how you can disable SELinux on CentOS 8. Ideally, it’s always recommended to keep SELinux enabled with the exception of instances where you are configuring services that require SELinux to be disabled.

August 20, 2019

How To Create a Sudo User on CentOS

Introduction

The sudo command provides a mechanism for granting administrator privileges, ordinarily only available to the root user, to normal users. This guide will show you the easiest way to create a new user with sudo access on CentOS, without having to modify your server's sudoers file. If you want to configure sudo for an existing user, simply skip to step 3.

Steps to Create a New Sudo User

  1. Log in to your server as the root user.
    • ssh root@server_ip_address
  2. Use the adduser command to add a new user to your system.
    Be sure to replace username with the user that you want to create.
    • adduser username
    • Use the passwd command to update the new user's password.
      • passwd username
    • Set and confirm the new user's password at the prompt. A strong password is highly recommended!
      Set password prompts:
      Changing password for user username. New password: Retype new password: passwd: all authentication tokens updated successfully.
  3. Use the usermod command to add the user to the wheel group.
    • usermod -aG wheel username
    By default, on CentOS, members of the wheel group have sudo privileges.
  4. Test sudo access on new user account
    • Use the su command to switch to the new user account.
      • su - username
    • As the new user, verify that you can use sudo by prepending "sudo" to the command that you want to run with superuser privileges.
      • sudo command_to_run
    • For example, you can list the contents of the /root directory, which is normally only accessible to the root user.
      • sudo ls -la /root
    • The first time you use sudo in a session, you will be prompted for the password of the user account. Enter the password to proceed.
      Output:
      [sudo] password for username:
      If your user is in the proper group and you entered the password correctly, the command that you issued with sudo should run with root privileges.

August 14, 2019

Tester les relations d’approbations Active Directory avec NLTEST

Dans un environnement Active Directory constitué de plusieurs domaines, les administrateurs doivent parfois mettre en place des relations d’approbations entre les domaines afin d’autoriser l’accès à des ressources communes. NLTEST, un outil en ligne de commande intégré à Windows Server permet de vérifier l’état des canaux de communications entre les domaines et donc des relations d’approbations.
S’applique à : Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016
Documentation officielle : Technet Microsoft

Afficher les options de NLTEST

C:\>nltest /?
 Usage: nltest [/OPTIONS]

Tester une relation d’approbation entre deux domaines Active Directory

Dans cet exemple nous allons vérifier les domaines approuvés. Pour cela il suffit de lancer cette commande depuis une machine membre du domaine.
C:\nltest /trusted_domains

Lister tous les contrôleurs d’un domaine

Nous souhaitons lister tous les DC du domaine 
C:\nltest /dclist:nom_domain

Trouver à quel domaine un compte utilisateur appartient

Cet exemple permet de rechercher à quel domaine appartient un compte donné. Seul les domaines approuvés vont répondre bien évidement.
   C:\>nltest /finduser:Alex
   Domain Name: nom_domain
   Trusted DC Name \\SRV-D02
   The command completed successfully



Windows Server 2016 Active Directory Administrative Center

A lesser known feature in Windows Server beginning with Windows Server 2008 R2 is the Active Directory Administrative Center that allows administrators what basically looks like Server Manager to administer Active Directory environments. The Active Directory Administrative Center or ADAC is built on Windows PowerShell and provides an enhanced Active Directory data management experience. It is more task-oriented in the navigation scheme.  Windows Server 2016 Active Directory Administrative Center continues with the same features and functionality in managing AD including but not limited to the following.
  • Create new/manage user accounts
  • Create new/manage groups
  • Create new/manage computer accounts
  • Create new/manage OU’s
  • Configure and manage DAC
  • Configure manage Authentication Policies
Let’s take a look at a few screenshots of the ADAC in Windows Server 2016.

Windows Server 2016 Active Directory Administrative Center

To launch Active Directory Administrative Center, you can type the command dsac.exe.  The ADAC will launch.
After launching, as mentioned, it has the same look and feel of Server Manager.  Take a look on the left the menus that we have highlighted here.  Again, it is very task driven in the layout.  In the middle we have a welcome center type layout that have links to read more information about the various aspects of the ADAC.  Also, very common functions are already included in this dashboard – Reset Password, and Global Search.
dsac16_02 Windows Server 2016 Active Directory Administrative Center

July 31, 2019

How to change DNS server in CentOS 7

IP and Gateway configuration
With this 2 commands you can see centos network configurations

     nano /etc/sysconfig/network-scripts/ifcfg-eth0
     vi /etc/sysconfig/network-scripts/ifcfg-eth0

the result of this commands should be sommthing like this

DEVICE=eth0
TYPE=Ethernet
UUID=281a600c-aaba-4297-bf51-15b18d2d8619
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
IPADDR=23.227.x.x
PREFIX=26
GATEWAY=23.227.x.x
DNS1=4.2.2.4
DOMAIN=8.8.8.8
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
HWADDR=00:50:56:B0:4D:D6
LAST_CONNECT=1410687738

2 important element that you should change are IPADDR &  GATEWAY
to change the ip address change the value of IPADDR and to change gateway change the value of GATEWAY

Gateway Configuration
With this 2 commands you can see centos Gateway configurations

        nano /etc/sysconfig/network
        vi /etc/sysconfig/network
the result of this commands should be sommthing like this

NETWORKING=yes
HOSTNAME=server.domain.com
GATEWAY=23.227.x.x
you can change the Gateway by editing the value of GATEWAY

Configure DNS Server
With this 2 commands you can see centos Gateway configurations

         nano /etc/resolv.conf
         vi /etc/resolv.conf
the result of this commands should be sommthing like this
nameserver 8.8.8.8
nameserver 192.168.1.1
you can change the values for dns servers


July 16, 2019

Installer et configurer le module ssl pour Apache2

Vérifier que les paquets nécessaires sont déjà installés (libssl0.9.8, openssl, ssl-cert) :

  1. dpkg -l | grep ssl
Chaque paquet doit apparaitre avec les deux lettres ii en suffixe si c’est déjà le cas. Il sont normalement sensés déjà être installés.
Dans le cas contraire, installer openSSL
  1. sudo apt-get install openssl

Création d’un certificat auto-signé

Afin de pouvoir utiliser une connexion ssl, il est nécessaire d’avoir un certificat signé qui peut coûter très cher. Dans notre cas nous allons créer un certificat auto-signé, considéré comme non sûr par les navigateurs mais suffisant pour obtenir une connexion SSL au serveur.
On va créer le certificat nécessaire dans le répertoire /etc/apache2/ssl que l’on crée s’il n’existe pas :
  1. sudo mkdir /etc/apache2/ssl
Puis nous allons y créer notre certificat :
  1. sudo /usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.pem
Il faut alors répondre à une question demandant le nom d’hôte du serveur.
Votre certificat se trouve donc à l’emplacement /etc/apache2/ssl/apache.pem.

Configuration spécifique d’apache

Dans un premier temps il est nécessaire que le serveur apache écoute sur le port 443. Pour cela il suffit d’éditer le ficher /etc/apache2/ports.conf et vérifier que la ligne Listen 443 y soit présente.
La meilleur manière de l’intégrer est de l’écrire de la sorte :
  1. <IfModule mod_ssl.c>
  2. Listen 443
  3. </IfModule>
Ainsi, lors de la désactivation (volontaire ou non) du module SSL d’Apache, la configuration restera correcte et ne plantera pas le serveur.
Dans un second temps il est nécessaire de créer un virtualhost Apache prenant en compte notre certificat ssl. Debian et Ubuntu en fournisse un par défaut (/etc/apache2/sites-available/default-ssl) que nous allons modifier pour tester.
  1. sudo nano /etc/apache2/sites-available/default-ssl
On vérifie que le contenu suivant au moins y soit présent (commentez avec le caractère dièse "#" toute référence à d’autres certificats :
  1. <IfModule mod_ssl.c>
  2. <VirtualHost _default_:443>
  3. ServerAdmin webmaster@localhost
  4. DocumentRoot /var/www
  5. <Directory />
  6. Options FollowSymLinks
  7. AllowOverride None
  8. </Directory>
  9. <Directory /var/www/>
  10. Options Indexes FollowSymLinks MultiViews
  11. AllowOverride None
  12. Order allow,deny
  13. allow from all
  14. </Directory>
  15. ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
  16. <Directory "/usr/lib/cgi-bin">
  17. AllowOverride None
  18. Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
  19. Order allow,deny
  20. Allow from all
  21. </Directory>
  22. ErrorLog /var/log/apache2/error.log
  23. # Possible values include: debug, info, notice, warn, error, crit,
  24. # alert, emerg.
  25. LogLevel warn
  26. CustomLog /var/log/apache2/ssl_access.log combined
  27. # SSL Engine Switch:
  28. # Enable/Disable SSL for this virtual host.
  29. SSLEngine on
  30. SSLCertificateFile /etc/apache2/ssl/apache.pem
  31. </VirtualHost>
  32. </IfModule>

Activation finale et redémarrage du serveur apache

Puis vous pouvez activer le module ssl pour Apache, le virtualhost ssl et redémarrer Apache :
  1. a2enmod ssl
  2. a2ensite default-ssl
  3. sudo /etc/init.d/apache2 restart
Il est ensuite possible de tester que cela fonctionne en allant à l’adresse : https://www.domaine.tld:443 ou https://www.domaine.tld.
Votre navigateur devrait spécifier que le certificat n’est pas considéré comme sûr mais vous permettre de voir et d’accepter le certificat afin de pouvoir avoir accès à la page en question (qui devrait être la même sans le "s" à http et sans le :443 en fin d’adresse).


How to Install Docker CE on CentOS 8 and RHEL 8

  Docker  is a daemon-based container engine which allows us to deploy applications inside containers.  Docker is available in two versions,...