</LINUX> Michael Art Rebultan, SecSysOps Engineer (L3/L4)

Equinix Asia Pacific Pte Ltd

</About Michael> • Experience

• Organization

</Linux Life> • What others think of Linux SysAdmin?

</What is Linux> • TUX the Mascot, not the Logo

• Torvald UniX

• Tuxedo

• Open Source OS by Linus Torvald from Minix

• Linus + Unix = Linux

• Unix (by Dennis Ritchie) vs Linux

</Why Linux> • Free as a Beer!

• The Power is given back to the User!

• What is Life without Linux?

</Distro> Workstation

• ?

Server

• ?

PenTesting

• ?

</Installation> Planning and Design

• Is it a server?

• If so, what does it serve?

• HW Inventory | Storage, CPU, RAM, NIC

• Basic Math

- /root = ?mb

- Swap = ?gb

- /opt = ?gb

- /var = ?gb

- /usr = ?gb

</NetConfig> • Vi or Vim Text Editor

• /etc/hosts Your_IP localhost_name localhost_name.com

• /etc/resolv.conf search linux.org

nameserver 192.168.0.2

• /etc/sysconfig/network NETWORKING=yes

HOSTNAME=localhost_name

• /etc/sysconfig/network-scripts/ifcfg-<interface-name> NAME=eth0

GATEWAY=192.168.0.1

DOMAIN= linux.org

DEVICE=eth0

ONBOOT=yes

USERCTL=no

BOOTPROTO=static

NETMASK=255.255.255.0

IPADDR=192.168.0.21

PEERDNS=no

check_link_down() {

return 1;

}

</Sys/NetConfig> • DEBIAN BASED (Ubuntu)

• /etc/hosts

Your_IP localhost_name localhost_name.com

• /etc/resolv.conf

search linux_meetup.sg

nameserver 192.168.0.2

• /etc/network/interfaces

auto eth0

iface eth0 inet static

address 192.168.0.21

netmask 255.255.255.0

network 192.168.0.1

broadcast 192.168.1.255

gateway 192.168.0.1

• /etc/init.d/networking restart

</SECURITY> • IPTABLES

TOOL main command CHAIN common option/switches tcp option "-j" ACTION

iptables "-A" Input "--dport" tcp 22 "j" ACCEPT

CHAIN Keywords

Input Incoming connection

Output Outgoing connectionn

Forward Gateways

MAIN COMMAND

* -A --append : Add the rule a the end of the specified chain

* -R --replace : Allow to replace the specified chain

* -I --insert : Allow to add a chain in a specific area of the global chain

* -L --list : Display the rules

* -F --flush : Delete all the rules of a chain

* -N --new-chain : Allow to create a new chain

* -X --delete-chain : Allow to delete a chain

* -P --policy : Allow to specify to the kernel the default policy of a chain ACCEPT,

REJECT, DROP ...

ACTION

DROP

ACCEPT

COMMON OPTION AND SWITCHES

-A -- adds a rule at the end of the chain

-I -- inserts the rule at the given rule number. If no rule number is given the rule is inserted at the head of the chain.

-p -- protocol of the rule

--dport the destination port to check on the rule

-i -- interface on which the packet was received.

-j -- what to do if the rule matches

-s -- source IP address of packet

-d -- destination IP address of packet

</SECURITY> • SELinux [root@hostname mike]# setenforce

usage: setenforce [ Enforcing | Permissive | 1 | 0 ]

</SECURITY> • IPTABLES

• SELinux

• SSH Login – Root

• No Empty Password

• Complex Password

• Password Expiration

• Malware / Rootkit Detection

</Beware> • :(){ :|: & };: also known as Fork Bomb is a denial-of-service attack against a Linux System. :(){ :|: & };: is a bash function. Once executed, it repeats itself multiple times until the system freezes.

To get ride of this you need to restart or reboot your server. So be careful when executing this command on your Linux shell.

• rm –rf

• dd

• Tar Bomb • It is an archive file which explodes into thousands or millions of files

with names similar to the existing files into the current directory rather than into a new directory when untarred.

• mkfs

• fsck

</Best Practices> • LVM to be or not to be

• Dual Boot Installation with Windows

• Server Lockdown (CIS Template)

• Disable Unwanted Services / Ports

• Performance Tuning

• Performance Monitoring

• NIC Bonding

</IoT Devices>

Criteria of IoT devices must be: • Scalable, to accommodate a wide range of different

classes of devices

• Modular, so you can choose only the components you need to meet tight RAM requirements

• Connected, so you can move data in and out of the device via Wi-Fi, Ethernet, USB, or Bluetooth.

• Reliable, so your device can be certified for safety-critical applications

• Conclusion – You need RTOS (Real-Time OS) for this.

</Linux Power> • Linux-Powered Rifle - Bullseye from 1,000 yards

- $17,000

</Linux Power> • Raspberry Pi The Raspberry Pi is a low cost, credit-card sized computer that plugs into a computer monitor or

TV, and uses a standard keyboard and mouse. It is a capable little device that enables people of all

ages to explore computing, and to learn how to program in languages like Scratch and Python. It’s

capable of doing everything you’d expect a desktop computer to do, from browsing the internet

and playing high-definition video, to making spreadsheets, word-processing, and playing games.

</Linux Power> • Linux/Android Watches – smart watch

</Linux Power> • Linksys WRT54G - wireless router

</Linux Users> • Government Users of Linux

- Federal Aviation Administration (FAA)

- U.S. Department of Defense (DoD)

- U.S. Navy Submarine Fleet

- The City of Munich, Germany - migrate its 14,000 desktops to a free Linux distribution

- State-Owned Industrial and Commercial Bank of China

• Educational Users of Linux

- Russian Schools

- German Universities

- The Philippines

- The Indian State of Tamil Nadu

• Business Users of Linux

- Novell

- Google

- IBM

- Amazon

- New York Stock Exchange

Ref: http://www.comparebusinessproducts.com/fyi/50-places-linux-running-you-might-not-expect

</Job> • REF: http://www.jobstreet.com.sg/en/job-search/job-vacancy.php?key=linux&specialization=&area=&salary=&src=12

• REF: http://www.cheatsheet.com/money-career/10-of-the-most-in-demand-jobs-in-2016.html/?a=viewall

</Open Discussion> • Email: amacutarlac@yahoo.com

• URL: http://mrebultan.simplesite.com/

•Thank you!!!