Friday, March 22, 2013

File Encryption with GPG

1. Installation and generating a public/private key pair

Encryption method:
GPG uses asymmetric encryption, which means encryption relies on a matched pair of private and
public keys. The two keys are created mathematically, by the same algorithm, at the same time.
The public key is given to any end user who wants to transfer information securely to the creator
of the public key. The end user encrypts the information with the public key and sends it over the
network; on the other end, the owner of the key decrypts the information using his/her private
key. Sometimes the owner can use a symmetric key (a kind of password) to create a public key,
which the end user then has to use while encrypting the message/file.

Package to install:
crypto-utils

Create users and install packages

a. Log in as root and create three accounts.
# useradd jay; useradd surya; useradd chandra

b. Install the crypto-utils package.
# yum install 'crypt*' -y

c. Now log out, log in as jay, and generate a key using the gpg --gen-key command.
$ gpg --gen-key
Note: gpg can create different types of key pairs.
Just go through the prompts and select the default options for practice.

d. List your keys.
$ gpg --list-keys

e. Export your public key.
$ gpg --armor --export > /var/tmp/jay.key
Note: the public key extension should be .key

f. Now log in as user surya and import the public key generated by jay.
$ gpg --import /var/tmp/jay.key; gpg --list-keys

2. Encrypting/decrypting a file

Plan: surya will encrypt a file using jay's public key, and jay will decrypt the message that surya sends him using his private key.

a. Create the file to encrypt.
$ tail -2000 /var/log/messages > /var/tmp/myfile.txt

b. Now encrypt the file myfile.txt with jay's public key.
$ gpg --encrypt --armor --recipient jay@sama.expanor.local /var/tmp/myfile.txt

Just follow the prompt and your message is encrypted. The encrypted file is now named myfile.txt.asc.
Now copy the message file with proper permissions so that jay can access it.

c. Log in as user jay and decrypt the message. It will prompt you for the password.
$ gpg --decrypt myfile.txt.asc

d. Now log in as chandra and see if you can read the message.
Of course you can't read it, because you are not the owner of the private key and you don't have it. To decrypt the message, you must be the owner of the private key or have a copy of it.
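
The workflow above as one unattended script, added here as an example (not the original author's code): jay, surya and chandra are modelled as three throwaway GnuPG home directories instead of login accounts, and the file content is constructed. It also shows what the prompt in step 2b is about: gpg does not yet trust the imported key, so surya compares fingerprints before encrypting. Assumes GnuPG 2.1 or later.

```sh
#!/bin/sh
# Added example: jay, surya and chandra are three throwaway GnuPG home directories
# under a temp dir, not login accounts. Key and file contents are constructed.
g() { gpg --batch --quiet --pinentry-mode loopback "$@"; }

fpr_of() {   # fingerprint of the first key in the keyring at $1
  g --homedir "$1" --with-colons --fingerprint 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

gpg_demo() {
  local base jay surya chandra fpr_jay fpr_seen r1 r2 r3 h
  base=$(mktemp -d) || return 1
  jay=$base/jay; surya=$base/surya; chandra=$base/chandra
  mkdir -m 700 "$jay" "$surya" "$chandra"

  # jay: unattended key generation; the empty passphrase is for the demo only.
  g --homedir "$jay" --passphrase '' --quick-generate-key \
    'Jay <jay@sama.expanor.local>' default default never 2>/dev/null || return 1
  g --homedir "$jay" --armor --export jay@sama.expanor.local > "$base/jay.key"
  fpr_jay=$(fpr_of "$jay")    # jay passes this to surya over a separate channel

  # surya: import the key, then compare fingerprints before relying on it.
  g --homedir "$surya" --import "$base/jay.key" 2>/dev/null || return 1
  fpr_seen=$(fpr_of "$surya")
  [ -n "$fpr_jay" ] && [ "$fpr_jay" = "$fpr_seen" ] || return 1

  echo 'constructed sample log line' > "$base/myfile.txt"
  # No trust decision yet: batch mode refuses where interactive gpg would prompt.
  g --homedir "$surya" --armor --output "$base/untrusted.asc" --encrypt \
    --recipient "$fpr_seen" "$base/myfile.txt" 2>/dev/null && r1=allowed || r1=refused
  # Fingerprints matched, so accept the key for this one command.
  g --homedir "$surya" --trust-model always --armor --encrypt \
    --recipient "$fpr_seen" "$base/myfile.txt" 2>/dev/null || return 1

  # jay holds the private key; chandra's keyring has no secret key.
  [ "$(g --homedir "$jay" --decrypt "$base/myfile.txt.asc" 2>/dev/null)" = \
    'constructed sample log line' ] && r2=decrypted || r2=failed
  g --homedir "$chandra" --decrypt "$base/myfile.txt.asc" >/dev/null 2>&1 &&
    r3=decrypted || r3=refused
  for h in "$jay" "$surya" "$chandra"; do
    GNUPGHOME=$h gpgconf --kill all 2>/dev/null
  done
  rm -rf "$base"
  echo "untrusted:$r1 jay:$r2 chandra:$r3"
}

DEMO_RESULT=$(gpg_demo)
echo "$DEMO_RESULT"
```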
 

Sunday, March 17, 2013

Route add on Linux (Redhat)

Route add on Linux

1. Add a route to a network
# route add -net network/mask gw default_gateway

# route add -net 192.168.10.0/24 gw 192.168.10.1

2. Using default gateway
# route add default gw default_gateway

# route add default gw 192.168.0.1

3. Add a route to a specific host
# route add -host hostname gw default_gateway

# route add -host 192.168.0.8 gw 192.168.0.1

4. Delete a route
# route del -net network/mask gw default_gateway

# route del -net 192.168.10.0/24 gw 192.168.10.1

5. Delete the default gateway
# route del default gw default_gateway

# route del default gw 192.168.0.1

6. Remove a specific host from routing table
# route del -host ip-address gw default_gateway

# route del -host 192.168.0.8 gw 192.168.0.1

7. Print your routing table
# netstat -rn
# ip route

Note: Use -p flag on your route command to make the route permanent or add entry to /etc/sysconfig/static-routes.

-----------------------------------------------------------

Configuring a Network Interface Using ifcfg Files

Interface configuration files control the software interfaces for individual network devices. As the system boots, it uses these files to determine what interfaces to bring up and how to configure them. These files are usually named ifcfg-name, where the suffix name refers to the name of the device that the configuration file controls. By convention, the ifcfg file's suffix is the same as the string given by the DEVICE directive in the configuration file itself.

Static Network Settings

To configure an interface with static network settings using ifcfg files, for an interface with the name eth0, create a file with name ifcfg-eth0 in the /etc/sysconfig/network-scripts/ directory as follows:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
PREFIX=24
IPADDR=10.0.1.27
Optionally specify the hardware or MAC address using the HWADDR directive. Note that this may influence the device naming procedure as explained in Chapter 8, Consistent Network Device Naming. You do not need to specify the network or broadcast address as this is calculated automatically by ipcalc.

Dynamic Network Settings

To configure an interface with dynamic network settings using ifcfg files, for an interface with name em1, create a file with name ifcfg-em1 in the /etc/sysconfig/network-scripts/ directory as follows:
DEVICE=em1
BOOTPROTO=dhcp
ONBOOT=yes
Optionally specify the hardware or MAC address using the HWADDR directive. Note that this may influence the device naming procedure as explained in Chapter 8, Consistent Network Device Naming.
To configure an interface to send a different host name to the DHCP server, add the following line to the ifcfg file.
DHCP_HOSTNAME=hostname
To configure an interface to ignore routes sent by a DHCP server, add the following line to the ifcfg file.
PEERDNS=no
This will prevent network service from updating /etc/resolv.conf with the DNS servers received from a DHCP server.
To configure an interface to use particular DNS servers, set PEERDNS=no as described above and add lines as follows to the ifcfg file:
DNS1=ip-address
DNS2=ip-address
where ip-address is the address of a DNS server. This will cause the network service to update /etc/resolv.conf with the DNS servers specified.
NetworkManager will by default call the DHCP client, dhclient, when a profile has been set to obtain addresses automatically, or when an interface configuration file has BOOTPROTO set to dhcp. Where DHCP is required, an instance of dhclient is started for every Internet protocol, IPv4 and IPv6, on an interface. Where NetworkManager is not running, or not managing an interface, then the legacy network service will call instances of dhclient as required.

2.4.2. Configuring a Network Interface Using ip Commands

The ip utility can be used to assign IP addresses to an interface. The command takes the following form:
ip addr [ add | del ] address dev ifname

 Assigning a Static Address Using ip Commands

To assign an IP address to an interface, issue a command as root as follows:
~]# ip address add 10.0.0.3/24 dev eth0
The address assignment of a specific device can be viewed as follows:
~]# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether f0:de:f1:7b:6e:5f brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.3/24 brd 10.0.0.255 scope global global eth0
       valid_lft 58682sec preferred_lft 58682sec
    inet6 fe80::f2de:f1ff:fe7b:6e5f/64 scope link 
       valid_lft forever preferred_lft forever
Further examples and command options can be found in the ip-address(8) manual page.

 Configuring Multiple Addresses Using ip Commands

As the ip utility supports assigning multiple addresses to the same interface it is no longer necessary to use the alias interface method of binding multiple addresses to the same interface. The ip command to assign an address can be repeated multiple times in order to assign multiple address. For example:
~]# ip address add 192.168.2.223/24 dev eth1
~]# ip address add 192.168.4.223/24 dev eth1
~]# ip addr
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:fb:77:9e brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.223/24 scope global eth1
    inet 192.168.4.223/24 scope global eth1
The commands for the ip utility are documented in the ip(8) manual page.
NOTE
ip commands given on the command line will not persist after a system restart.

2.4.3. Static Routes and the Default Gateway

Static routes are for traffic that must not, or should not, go through the default gateway. Routing is often handled by devices on the network dedicated to routing (although any device can be configured to perform routing). Therefore, it is often not necessary to configure static routes on Red Hat Enterprise Linux servers or clients. Exceptions include traffic that must pass through an encrypted VPN tunnel or traffic that should take a specific route for reasons of cost or security. The default gateway is for any and all traffic which is not destined for the local network and for which no preferred route is specified in the routing table. The default gateway is traditionally a dedicated network router.

 Configuring Static Routes Using the Command Line

If static routes are required, they can be added to the routing table by means of the ip route add command and removed using the ip route del command. The more frequently used ip route commands take the following form:
ip route [ add | del | change | append | replace ] destination-address
See the ip-route(8) man page for more details on the options and formats.
Use the ip route command without options to display the IP routing table. For example:
~]$ ip route
default via 192.168.122.1 dev ens9  proto static  metric 1024
192.168.122.0/24 dev ens9  proto kernel  scope link  src 192.168.122.107
192.168.122.0/24 dev eth0  proto kernel  scope link  src 192.168.122.126
To add a static route to a host address, in other words to a single IP address, issue a command as root:
ip route add 192.0.2.1 via 10.0.0.1 [dev ifname]
Where 192.0.2.1 is the IP address of the host in dotted decimal notation, 10.0.0.1 is the next hop address and ifname is the exit interface leading to the next hop.
To add a static route to a network, in other words to an IP address representing a range of IP addresses, issue the following command as root:
ip route add 192.0.2.0/24 via 10.0.0.1 [dev ifname]
where 192.0.2.0 is the IP address of the destination network in dotted decimal notation and /24 is the network prefix. The network prefix is the number of enabled bits in the subnet mask. This format of network address slash network prefix length is sometimes referred to as classless inter-domain routing (CIDR) notation.
Static route configuration can be stored per-interface in a /etc/sysconfig/network-scripts/route-interface file. For example, static routes for the eth0 interface would be stored in the /etc/sysconfig/network-scripts/route-eth0 file. The route-interface file has two formats: ip command arguments and network/netmask directives. These are described below.
See the ip-route(8) man page for more information on the ip route command.

 Configuring The Default Gateway

The default gateway is determined by the network scripts which parse the /etc/sysconfig/network file first and then the network interface ifcfg files for interfaces that are up. The ifcfg files are parsed in numerically ascending order, and the last GATEWAY directive to be read is used to compose a default route in the routing table.
The default route can thus be indicated by means of the GATEWAY directive and can be specified either globally or in interface-specific configuration files. Specifying the gateway globally has certain advantages in static networking environments, especially if more than one network interface is present. It can make fault finding simpler if applied consistently.
In dynamic network environments, where mobile hosts are managed by NetworkManager, gateway information is likely to be interface specific and is best left to be assigned by DHCP. In special cases where it is necessary to influence NetworkManager's selection of the exit interface to be used to reach a gateway, make use of the DEFROUTE=no command in the ifcfg files for those interfaces which do not lead to the default gateway.
Global default gateway configuration is stored in the /etc/sysconfig/network file. This file specifies gateway and host information for all network interfaces.

2.4.4. Configuring Static Routes in ifcfg files

Static routes set using ip commands at the command prompt will be lost if the system is shutdown or restarted. To configure static routes to be persistent after a system restart, they must be placed in per-interface configuration files in the /etc/sysconfig/network-scripts/ directory. The file name should be of the format route-ifname. There are two types of commands to use in the configuration files; ip commands as explained in Section 2.4.4.1, “Static Routes Using the IP Command Arguments Format” and the Network/Netmask format as explained in Section 2.4.4.2, “Network/Netmask Directives Format”.

2.4.4.1. Static Routes Using the IP Command Arguments Format

If required in a per-interface configuration file, for example /etc/sysconfig/network-scripts/route-eth0, define a route to a default gateway on the first line. This is only required if the gateway is not set via DHCP and is not set globally in the /etc/sysconfig/network file:
default via 192.168.1.1 dev interface
where 192.168.1.1 is the IP address of the default gateway. The interface is the interface that is connected to, or can reach, the default gateway. The dev option is optional and can be omitted. Note that this setting takes precedence over a setting in the /etc/sysconfig/network file.
If a route to a remote network is required, a static route can be specified as follows. Each line is parsed as an individual route:
10.10.10.0/24 via 192.168.1.1 [dev interface]
where 10.10.10.0/24 is the network address and prefix length of the remote or destination network. The address 192.168.1.1 is the IP address leading to the remote network. It is preferably the next hop address but the address of the exit interface will work. The next hop means the remote end of a link, for example a gateway or router. The dev option can be used to specify the exit interface interface but it is not required. Add as many static routes as required.
The following is an example of a route-interface file using the ip command arguments format. The default gateway is 192.168.0.1, interface eth0 and a leased line or WAN connection is available at 192.168.0.10. The two static routes are for reaching the 10.10.10.0/24 network and the 172.16.1.10/32 host:
default via 192.168.0.1 dev eth0
10.10.10.0/24 via 192.168.0.10 dev eth0
172.16.1.10/32 via 192.168.0.10 dev eth0
In the above example, packets going to the local 192.168.0.0/24 network will be directed out the interface attached to that network. Packets going to the 10.10.10.0/24 network and 172.16.1.10/32 host will be directed to 192.168.0.10. Packets to unknown remote networks will use the default gateway; therefore, static routes should only be configured for remote networks or hosts if the default route is not suitable. Remote in this context means any networks or hosts that are not directly attached to the system.
Specifying an exit interface is optional. It can be useful if you want to force traffic out of a specific interface. For example, in the case of a VPN, you can force traffic to a remote network to pass through a tun0 interface even when the interface is in a different subnet to the destination network.
IMPORTANT
If the default gateway is already assigned by DHCP and if the same gateway with the same metric is specified in a configuration file, an error during start-up, or when bringing up an interface, will occur. The following error message may be shown: "RTNETLINK answers: File exists". This error may be ignored.

2.4.4.2. Network/Netmask Directives Format

You can also use the network/netmask directives format for route-interface files. The following is a template for the network/netmask format, with instructions following afterwards:
ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.1.1
  • ADDRESS0=10.10.10.0 is the network address of the remote network or host to be reached.
  • NETMASK0=255.255.255.0 is the netmask for the network address defined with ADDRESS0=10.10.10.0.
  • GATEWAY0=192.168.1.1 is the default gateway, or an IP address that can be used to reach ADDRESS0=10.10.10.0
The following is an example of a route-interface file using the network/netmask directives format. The default gateway is 192.168.0.1 but a leased line or WAN connection is available at 192.168.0.10. The two static routes are for reaching the 10.10.10.0/24 and 172.16.1.0/24 networks:
ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.0.10
ADDRESS1=172.16.1.0
NETMASK1=255.255.255.0
GATEWAY1=192.168.0.10
Subsequent static routes must be numbered sequentially, and must not skip any values. For example, ADDRESS0, ADDRESS1, ADDRESS2, and so on.
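
An added example (not part of the Red Hat guide) that converts a route-interface file from the network/netmask directives format into the ip command arguments format of Section 2.4.4.1, rejecting skipped indexes, non-contiguous netmasks and network addresses with host bits set. The function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: network/netmask directives -> ip command arguments lines.
ip2int() {   # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
}

mask2prefix() {   # 255.255.255.0 -> 24; fails on a non-contiguous netmask
  local m n=0
  m=$(ip2int "$1")
  while [ $(( m & 0x80000000 )) -ne 0 ]; do
    n=$(( n + 1 )); m=$(( (m << 1) & 0xFFFFFFFF ))
  done
  [ "$m" -eq 0 ] && echo "$n"
}

get() { sed -n "s/^$1=//p" "$2"; }   # value of directive $1 in file $2

convert_routes() {   # $1 = file in directives format, $2 = interface name
  local i=0 total addr mask gw prefix out=""
  total=$(grep -c '^ADDRESS[0-9][0-9]*=' "$1")
  while addr=$(get "ADDRESS$i" "$1"); [ -n "$addr" ]; do
    mask=$(get "NETMASK$i" "$1"); gw=$(get "GATEWAY$i" "$1")
    [ -n "$mask" ] && [ -n "$gw" ] || { echo "route $i: incomplete" >&2; return 1; }
    prefix=$(mask2prefix "$mask") || { echo "route $i: bad netmask" >&2; return 1; }
    [ $(( $(ip2int "$addr") & ~$(ip2int "$mask") & 0xFFFFFFFF )) -eq 0 ] ||
      { echo "route $i: $addr has host bits set for /$prefix" >&2; return 1; }
    out="$out$addr/$prefix via $gw dev $2
"
    i=$(( i + 1 ))
  done
  [ "$i" -eq "$total" ] || { echo "ADDRESS$i missing, numbering skips" >&2; return 1; }
  printf '%s' "$out"
}

# Constructed sample in the directives format.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ADDRESS0=10.10.10.0
NETMASK0=255.255.255.0
GATEWAY0=192.168.0.10
ADDRESS1=172.16.1.0
NETMASK1=255.255.255.0
GATEWAY1=192.168.0.10
EOF
convert_routes "$sample" eth0
rm -f "$sample"
```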

2.4.5. Configuring a VPN

IPsec, provided by Libreswan, is the preferred method for creating a VPN in Red Hat Enterprise Linux 7. Configuring an IPsec VPN using the command line is documented in the Red Hat Enterprise Linux 7 Security Guide.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/sec-Using_the_Command_Line_Interface.html