You can run multiple commands on one line by separating them with ";", for example Command1; Command2; Command3. Each command runs regardless of whether the previous one succeeded. Use && instead if the next command should run only when the previous one exited successfully (exit status 0), e.g. sudo apt update && sudo apt full-upgrade.
sudo apt update : refresh the package index
sudo apt full-upgrade : upgrade all packages (unlike apt upgrade, it will also remove or install packages when an upgrade requires it)
uname -a : print kernel version, hostname and architecture
du -h <file or dir> : show how much disk space a file uses (du -sh <dir> for a single total for a directory)
df -h : show the free and used space on each mounted filesystem
free -h : show memory usage for both main RAM and swap, in human-readable units
traceroute <host> : show the route a packet takes from this machine to another
iptables -L -v -n : list the current firewall rules with packet and byte counters (iptables configures filtering rules; it is not a traffic monitor)
dig <domain> : query DNS for a name and show the full answer
cp : copy files, e.g. cp scenery.jpg /home/username/Pictures copies scenery.jpg from the current directory into the Pictures directory
mv : move or rename files, e.g. mv file.txt /home/username/Documents
rm : remove files (there is no undo; rm -r removes a directory and everything in it)
mkdir : make a directory
rmdir : remove an empty directory
touch : create an empty file (or update the timestamp of an existing one)
locate : find a file by name using the updatedb index, e.g. locate -i school*note matches paths containing "school" and "note" regardless of case; files created since the last updatedb run will not be found
find : search the filesystem directly, e.g. find /home/ -name notes.txt searches for a file called notes.txt within /home and its subdirectories
grep : search inside a file, e.g. grep blue notepad.txt prints every line of notepad.txt that contains "blue" (add -i to ignore case, -n to show line numbers)
jobs : list the background jobs of the current shell and their status
kill : end a program by PID, found with ps ux; kill [signal option] PID sends SIGTERM by default, kill -9 PID forces termination
OS images: https://www.raspberrypi.org/software/operating-systems/
Write the image to the SD card with https://rufus.ie/en/ or Raspberry Pi Imager
After the first boot on the Pi: sudo apt update && sudo apt full-upgrade, then df -h to check how much space is left on the card.
Diskpart is the command-line disk management tool in Windows. Unlike the graphical Disk Management snap-in, it runs from the Command Prompt (cmd). Deleting a partition with diskpart is irreversible and asks for no confirmation, so check the disk and partition numbers carefully before step 6.
1. Open an elevated Command Prompt and type: diskpart
2. At the DISKPART> prompt, type: list disk
All disks on the computer are listed; note the number of the disk that holds the partition you want to delete (match it against the size column).
3. Type: select disk n
where n is the disk number of the disk containing the partition you want to delete.
4. Type: list partition
5. Type: select partition n
where n is the number of the partition you want to delete (detail partition shows its type and volume before you commit).
6. Type: delete partition
7. If diskpart refuses because the partition is protected (EFI system, recovery or OEM partitions), type: delete partition override
Objective: Configure a Catalyst Switch with a baseline configuration consistent with one found in a production network
Goals:
Clear existing configuration
Set passwords for admin access
Set SSH for remote configuration
Configure VLANs
Set PortFast on Access Ports
Set PortSecurity on specific ports
Each student will configure their own switch - and the switches will be used for subsequent labs
Task 1 - Reset Switch to Default
Use "sudo minicom" to console into the switch
If you can boot the switch and reach the CLI without a password:
"erase startup-config" removes the saved config file
To delete the VLANs:
"delete flash:vlan.dat" deletes the VLAN database (VLANs live there, not in startup-config, so both steps are needed)
"reload" then boots to factory defaults
Do not run the setup wizard when it is offered
If a password is set, you will need the MODE button password-recovery procedure to erase the config and vlan.dat files. This should be in your Tech Journal.
Task 2 - Set up Basic Configuration
Set hostname (use SW-#) where # is the number of your Foster workstation
Set a banner (MOTD) that says "unauthorized access is prohibited"
Set the enable "secret" password (enable secret is stored hashed; do not use enable password, which is stored reversibly)
Make sure to document the password
Set the ip domain name to "Foster202.com" (the hostname and domain name label the RSA key pair, so both must be set before Task 3)
Task 3 - Set up SSH Access for Remote Administration
Again, this should be in your Tech Journal
Set up an admin user
username a_name_you_want privilege 15 secret 0 a_password_you_want
(secret 0 means you type the password in clear text and the switch stores a hash; privilege 15 gives full enable access)
Make sure to document the name and password
generate rsa keys (hint: crypto key...) with size 1024. 1024 bits satisfies the lab but is below current guidance; outside the lab use 2048 or larger.
Configure the switch to use SSH v2 (ip ssh version 2)
"sh ip ssh" or "do sh ip ssh" should show that version 2.0 is enabled
Configure "line vty 0 4"; this brings you into line configuration for the remote-access lines
Use the "transport input ssh" command to ensure that only SSH is allowed, and not telnet
Use "login local" so the lines authenticate against the username you created above
Task 4 - Set IP for Switch Management
Assign the IP address of 192.168.202.X 255.255.255.0 to your VLAN 1 virtual interface
X is your Foster Workstation #
Remember - the VLAN 1 interface is shutdown by default!
Now is a good time to make sure you are saving your config (copy running-config startup-config)
Task 5 - Set up a VLAN on your switch
Add a VLAN with the id# of your Foster 202 workstation # - and a name you choose
Make ports 10 through 20 on your switch Access ports in that VLAN
Configure port fast for those access ports (10 to 20)
Task 6 Port Security
Setup Port Security on the ports in VLAN # (from Task 5 - where # is your workstation #)
Use dynamic learning with "sticky" so the learned MAC address is written into the running config (and survives a reload once saved)
Set maximum MAC addresses to 1
Set the violation mode to shutdown (a violation puts the port in err-disabled; an administrator recovers it with shutdown / no shutdown)
Configure the switch so that ports 21 to 24 cannot be used without an administrator activating them (hint: shut them down!)
As you are wrapping up, test SSH by connecting your switch to a neighbor's switch on port 1 (both ports are in VLAN 1). From the CLI, try to SSH into each other's switches.
Make sure to save your configuration before powering off!
copy running-config startup-config
Remember to make a note of the switch you used as you will use it again.
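As an added example, not part of the lab hand-out, the script below renders the Task 2 to Task 6 configuration for a given workstation number so the whole baseline can be reviewed and pasted in one go. It assumes FastEthernet0/x port names (the lab does not name the switch model), a VLAN name of WS<n>, and the lab's 1024-bit modulus as the default; the admin username, password and enable secret are passed in by the student.

```shell
#!/bin/sh
# Added example, not from the lab page: render the SW-# baseline config.
# Usage: sh gen_switch_config.sh <workstation#> <admin user> <admin password> <enable secret> [rsa modulus]

gen_switch_config() {
    n="$1"; user="$2"; pass="$3"; secret="$4"
    modulus="${5:-1024}"   # the lab asks for 1024; 2048 is the floor for anything outside the lab
    case "$n" in
        ''|*[!0-9]*) echo "workstation number must be numeric" >&2; return 1 ;;
    esac
    # the number is reused as VLAN id and as the host octet of 192.168.202.n;
    # 1 would collide with the management VLAN and 255 is the broadcast address
    if [ "$n" -lt 2 ] || [ "$n" -gt 254 ]; then
        echo "workstation number must be between 2 and 254" >&2; return 1
    fi
    cat <<EOF
! ---- Task 2: basic configuration ----
hostname SW-$n
banner motd ^unauthorized access is prohibited^
enable secret $secret
ip domain-name Foster202.com
! ---- Task 3: SSH for remote administration ----
username $user privilege 15 secret 0 $pass
crypto key generate rsa modulus $modulus
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
! ---- Task 4: management IP on the VLAN 1 SVI (shut down by default) ----
interface vlan 1
 ip address 192.168.202.$n 255.255.255.0
 no shutdown
! ---- Task 5: student VLAN, access ports 10-20 with PortFast (port names assumed) ----
vlan $n
 name WS$n
interface range fastethernet 0/10 - 20
 switchport mode access
 switchport access vlan $n
 spanning-tree portfast
! ---- Task 6: port security on the same ports, sticky, max 1, shutdown on violation ----
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
! ---- ports 21-24 stay administratively down until an admin enables them ----
interface range fastethernet 0/21 - 24
 shutdown
end
write memory
EOF
}

# Only render when called with arguments; sourcing the file defines the function only.
if [ "$#" -ge 4 ]; then
    gen_switch_config "$@"
fi
```

Review the rendered text before pasting: the crypto key generate line is an interactive config-mode command and is not itself stored in the configuration, and "write memory" at the end is the same save as copy running-config startup-config.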
This is the basic operation of firewalld.
In firewalld, the allowed services are defined per zone, and a zone takes effect by being associated with a network interface (NIC).
To enable the firewall, start the service and associate a zone with each NIC using the commands below.
[1] To use Firewalld, start the Service.
[root@dlp ~]# systemctl enable --now firewalld
[2] By default the [public] zone is applied to each NIC, and the cockpit, dhcpv6-client and ssh services are allowed. When using the [firewall-cmd] command without a [--zone=***] option, the change is applied to the default zone.
# display the default zone
[root@dlp ~]# firewall-cmd --get-default-zone
public
# display current settings
[root@dlp ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0 enp7s0
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# display all zones defined by default
[root@dlp ~]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
.....
.....
# display allowed services on a specific zone
[root@dlp ~]# firewall-cmd --list-service --zone=external
ssh
# change default zone
[root@dlp ~]# firewall-cmd --set-default-zone=external
success
# change zone for an interface (*note)
[root@dlp ~]# firewall-cmd --change-interface=enp1s0 --zone=external
success
[root@dlp ~]# firewall-cmd --list-all --zone=external
external (active)
target: default
icmp-block-inversion: no
interfaces: enp1s0
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# *note : the zone assignment made with [--change-interface] is not kept permanently, even with the [--permanent] option,
# when the interface is managed by NetworkManager; in that case set the zone on the connection profile with [nmcli] as follows
[root@dlp ~]# nmcli connection modify enp1s0 connection.zone external
[root@dlp ~]# firewall-cmd --get-active-zone
external
interfaces: enp1s0
public
interfaces: enp7s0
[3] Display services defined by default.
[root@dlp ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
# the packaged service definition files are placed under the directory below
# if you'd like to add your own definition, put an XML file in /etc/firewalld/services instead (the /usr/lib copies are replaced on package upgrade)
[root@dlp ~]# ls /usr/lib/firewalld/services
amanda-client.xml isns.xml redis-sentinel.xml
amanda-k5-client.xml jenkins.xml redis.xml
amqps.xml kadmin.xml RH-Satellite-6.xml
amqp.xml kdeconnect.xml rpc-bind.xml
apcupsd.xml kerberos.xml rquotad.xml
audit.xml kibana.xml rsh.xml
.....
.....
ipp.xml pulseaudio.xml xmpp-server.xml
ipsec.xml puppetmaster.xml zabbix-agent.xml
ircs.xml quassel.xml zabbix-server.xml
irc.xml radius.xml
iscsi-target.xml rdp.xml
[4] Add or remove allowed services.
By default a change applies to the runtime configuration only and is lost on reboot or on [firewall-cmd --reload].
To keep it permanently, add the [--permanent] option to the command, or commit the current runtime state with [--runtime-to-permanent].
# for example, add [http] (the change will be valid at once)
[root@dlp ~]# firewall-cmd --add-service=http
success
# for example, remove [http] (the change will be valid at once)
[root@dlp ~]# firewall-cmd --remove-service=http
success
# for example, add [http] permanently (--runtime-to-permanent)
# add setting to the runtime config and the change will be valid at once
[root@dlp ~]# firewall-cmd --add-service=http
success
# add settings in runtime config to permanent config
# however, any settings that exist only in the permanent config and not in the runtime config are lost by this
[root@dlp ~]# firewall-cmd --runtime-to-permanent
success
# for example, add [http] permanently (--permanent)
# if using [--permanent] option, setting is not added to runtime config,
# so the change is not valid at once
[root@dlp ~]# firewall-cmd --add-service=http --permanent
success
# enable the setting above to reload permanent config
# however, any settings that exist only in the runtime config and not in the permanent config are lost by this
[root@dlp ~]# firewall-cmd --reload
success
# show allowed services in runtime config
[root@dlp ~]# firewall-cmd --list-service
cockpit dhcpv6-client http pop3 ssh
# show allowed services in permanent config
[root@dlp ~]# firewall-cmd --list-service --permanent
cockpit dhcpv6-client http ntp ssh
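Both persistence commands above silently discard whatever the other side has and this side lacks: in the listing just shown, [--reload] would drop pop3 and [--runtime-to-permanent] would drop ntp. As an added example, not from the original page, the script below compares the two service lists and reports what each command would throw away; the comparison functions take the lists as arguments so they can be exercised offline, and the final block feeds them live [firewall-cmd] output only when the tool is present.

```shell
#!/bin/sh
# Added example, not part of the original firewalld notes: show the drift between
# the runtime and permanent service lists before committing either direction.

# Print the space-separated names in the first list that are absent from the second.
only_in_first() {
    first="$1"; second="$2"; acc=""
    for svc in $first; do
        found=0
        for other in $second; do
            [ "$svc" = "$other" ] && found=1
        done
        [ "$found" -eq 0 ] && acc="$acc $svc"
    done
    echo "${acc# }"
}

# Report what --reload and --runtime-to-permanent would each discard.
# $1 = runtime service list, $2 = permanent service list.
preview_drift() {
    lost_on_reload=$(only_in_first "$1" "$2")
    lost_on_r2p=$(only_in_first "$2" "$1")
    if [ -n "$lost_on_reload" ]; then
        echo "firewall-cmd --reload would drop runtime-only services: $lost_on_reload"
    fi
    if [ -n "$lost_on_r2p" ]; then
        echo "firewall-cmd --runtime-to-permanent would drop permanent-only services: $lost_on_r2p"
    fi
    if [ -z "$lost_on_reload" ] && [ -z "$lost_on_r2p" ]; then
        echo "runtime and permanent service lists match"
    fi
}

# Live check against the default zone, only on a host that actually has firewalld.
if command -v firewall-cmd >/dev/null 2>&1; then
    preview_drift "$(firewall-cmd --list-services)" "$(firewall-cmd --permanent --list-services)"
fi
```

The same comparison applies to ports ([--list-ports] against [--permanent --list-ports]) and to other zones by adding [--zone=***] to both calls; the safe order is to resolve the reported differences first, then run whichever persistence command you intended.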
[5] Add or remove allowed ports.
# for example, add [TCP 465]
[root@dlp ~]# firewall-cmd --add-port=465/tcp
success
[root@dlp ~]# firewall-cmd --list-port
465/tcp
# for example, remove [TCP 465]
[root@dlp ~]# firewall-cmd --remove-port=465/tcp
success
[root@dlp ~]# firewall-cmd --list-port
[6] Add or remove prohibited ICMP types.
# for example, add [echo-request] to prohibit it
[root@dlp ~]# firewall-cmd --add-icmp-block=echo-request
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
echo-request
# for example, remove [echo-request]
[root@dlp ~]# firewall-cmd --remove-icmp-block=echo-request
success
[root@dlp ~]# firewall-cmd --list-icmp-blocks
# display available ICMP types
[root@dlp ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option