Linux

Contents

Operating System
Disk Operations
File Operations
Users
Network Operations
Important Files
Shell Scripts
SSH, IPsec & SSL
Operating System
Red Hat / Fedora / CentOS derive from the same initial distribution (all RPM-based)
rpm -ivh <filename>.rpm (install a package: -i install, -v verbose, -h print progress hashes)

rpm -qa (list installed rpms) (kernel modules also ship as rpms)

ldconfig -p (list the shared libraries in the linker cache)

ps -ef | grep -i oam (list running processes) (-e all processes, -f full format)


UID  PID  PPID C STIME TTY     TIME CMD
root 3911 3888 0 Oct10 ?   00:14:12 oampAgent

-e  List information about every process now running.
-f  Generate a full listing.

top (list running processes)(It is dynamic and interactive)


htop (Human friendly output)
top - 16:24:55 up 96 days, 1:32, 1 user, load average: 0.23, 0.42, 0.48
Tasks: 395 total, 2 running, 393 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.6%us, 0.1%sy, 0.0%ni, 99.3%id, 0.0%wa, 0.0%hi, 0.0%si, 0.0%st
Mem: 65837456k total, 24705324k used, 41132132k free, 927608k buffers
Swap: 0k total, 0k used, 0k free, 12496556k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND


7244 root 15 0 241m 105m 101m S 1.0 0.2 1717:30 cmha
7260 root 15 0 523m 107m 92m S 0.7 0.2 891:23.46 inetrep

Load average (1 / 5 / 15 minute averages of the run queue length)

%CPU in the Cpu(s) summary line: max 100% (the total across all CPUs)
%CPU per PID in Irix mode (the default): max 100% * number of processors
Press Shift+I (capital I) to turn off Irix mode (Solaris mode)
Then the per-PID max is 100%

Press 1 to view separate CPU loading


q - quit top
k - kill a process (prompts for the PID and the signal)
d - change the refresh interval
Shift+O - choose the field to sort by
Shift+P - sort by CPU usage (Shift+M sorts by memory)
Shift+W - write the current top configuration to ~/.toprc
top -u <user> - display only that user's processes

uptime - also displays the uptime and load average

lscpu or cat /proc/cpuinfo - display the number of CPUs

kill 3911 (send SIGTERM: asks the process to exit cleanly; this is the default signal)
kill -9 3911 (send SIGKILL: cannot be caught or ignored, so the process gets no chance to clean up; use it only when SIGTERM fails)
pkill -9 oampAgent (kill takes a PID, not a name; pkill or killall match by process name)

service --status-all (list all services; on systemd systems use systemctl list-units --type=service)

cat /proc/sys/kernel/core_pattern (tells where core files are written)


uptime (current time, up time, logged-in users and load average)
08:11:22 up 74 days, 34 min, 2 users, load average: 0.40, 0.36, 0.36

which <command> (get the directory the command is run from)

nohup <command> & (run a command in the background; it keeps running after logout)

shutdown -h now (shut down Linux gracefully)
init 0

shutdown -r now (restart Linux gracefully)
init 6
reboot
Disk Operations
ls -ltr /dev
brw-rw---- 1 root disk   3,  0 May  5 1998 hda   (IDE disk)
brw-rw---- 1 root disk   8,  0 May  5 1998 sda   (SCSI/SATA/USB disk)
brw-rw---- 1 root cdrom 11,  0 Mar 15 2002 scd0  (CD-ROM)
crw------- 1 root tty    4, 64 May  5 1998 ttyS0 (serial port)
(b = block device, c = character device; the two numbers are the major and minor device numbers)

mount | grep "/dev"
/dev/sda2 on / type ext3
/dev/sda1 on /media/Windows-XP-x64 type fuseblk
/dev/scd0 on /media/cdrom0 type iso9660 (or /mnt/cdrom)

IDE drive naming:

drive name   controller (IDE1/IDE2)   drive (master/slave)
/dev/hda     1                        1 (master)
/dev/hdb     1                        2 (slave)
/dev/hdc     2                        1 (master)
/dev/hdd     2                        2 (slave)

Partitions are represented by a number appended to the drive name (1-4 are primary or extended partitions; logical partitions inside the extended one are numbered from 5).

drive name   controller   drive   partition type   partition number
/dev/hda1    1            1       primary          1
/dev/hda2    1            1       primary          2
/dev/hda4    1            1       swap             4
/dev/hdb1    1            2       primary          1
/dev/hdb2    1            2       extended         2
/dev/hdb5    1            2       logical          5

/usr   Programs, libraries and documentation installed by the system.
/var   Mail, print spools, logs. Servers ought to have /var on a separate partition so a runaway log cannot fill /.
/bin   Essential executable binaries.
/tmp   Temporary files written by programs.
/home  Users' home directories.
/boot  Kernel images and boot loader files.
/etc   Configuration files.

mount -t ext3 /dev/sda1 /opt
(the mount point directory has to exist first)

mount -t iso9660 /dev/cdrom /mnt/cdrom

mount -o loop /media/sdb1/872-2161-115-2.2.2_10.28.0.iso /mnt/upgrade (mount an ISO image file)

mount -B /home/user1 /opt/u1 (bind-mount a directory)
mount --bind /home/user1 /opt/u1

umount /mnt/upgrade

File system types (-t). Other types you are likely to use:
ext3     journaling file system based on ext2
msdos    DOS (FAT)
hfs      Mac
iso9660  CD-ROM
nfs      network file system

Default mounts are listed in /etc/fstab


df -h
Filesystem Size Used Available Use% Mounted on
/dev/sda5 4.6G 2.8G 1.8G 60% /
/dev/sda6 3.8G 1.7G 2.1G 44% /mydata
/dev/sda1 1.5G 540M 1.1G 33% /boot

/etc/fstab - mount locations and options to use
(only used when not specified on the command line; mount /opt alone uses the fstab entry)

du -h /<path> (give the size of the folder and each subfolder)
du --max-depth=1 -h (list the size of each sub directory one level down)

fdisk /dev/sda (create a partition) (interactive session)
fdisk -l (list disk partition details)

mkfs -t ext3 /dev/sda1 (make a file system: formats the partition and destroys its contents)

fsck /dev/sda1 (file system check)
Unmount the file system, or remount it read-only, before running fsck; checking a file system that is mounted read-write can corrupt it.
File Operations
ls -ltr
-rwxrwxrwx 1 owner group 9275204 Jun 13 15:27 mthesaur.txt.gz

First character specifies the type of the file:
-  normal file
d  directory
s  socket file
l  symbolic link
b  block device (hard disk)
c  character device (tty)

Then, in order:
Read, write, execute permissions for user, group and others (rwx rwx rwx).
Number of links to that file.
Owner of the file.
Group of the file.
Size of file (in bytes).
Last modified date and time.
File name.

ls -l | more (display page by page)

ls sep* (list all files starting with sep) (shell globbing, no grep needed)

ls > <file name> (overwrite a file with the output)
ls >> <file name> (append the output to a file)

head <file name> (list the first few lines of a file)
tail -20 <file name> (list the last 20 lines of a file)
tail -f <file name> (follow a file, continuously showing new lines)
Ctrl+C - exit

more <file name> (list page by page; spacebar to navigate)

less <file name> (can move up and down)
spacebar - next page
b - previous page
q - quit

cat -vet <file name> (show non-printing characters: tabs as ^I, line ends as $)

cat <file name> (whole file, no paging)
cat <file name> | grep -i -A5 "System Information"
-i - ignore case
-A - print this many lines after each match

cat <file name> | more (page by page)

cat file1.txt file2.txt > file3.txt (join two files)
> overwrite
>> append

grep "key" <filename>
grep -v "key" <filename> (invert match)

grep -r "modules" . (search all files under the current directory)
grep -rl "modules" . (only list the matching file names)
grep -lr "mod.*" ./DpC* (search all files starting with DpC)
grep -r -B 1 'req="mod"' ./DpC* (-B lines before, -A lines after, -C both)

grep -r "drupal\|joomla\|wordpress" . (search for any of several patterns)

find / -name <filename> (To find a file)


find / | grep 20130719

wc -l <filename> (To count the number of lines)


wc -w <filename> (To count the number of words)

cat <filename> | egrep "apple|banana|orange" (match any of several words)

diff <file1> <file2> (list differing lines)
< only in file1
> only in file2

zip -r filename.zip file*.* (compress files into a .zip; -r recurses into directories)
unzip -j filename.zip (extract a .zip; -j junks the stored directory paths so everything lands in the current directory)
unzip -l filename.zip (list the files in a zip archive)

gzip <filename> (replaces the original file with <filename>.gz)
gunzip file.gz (un-compress a .gz file)
gzip -d file.gz (un-compress a .gz file)

cd ~   Home directory
cd ..  Parent directory

rmdir <directory name> (delete an empty directory)
rm -r <directory name> (delete a directory with its files; rm -rf also skips the prompts, so check the path first)

cp -p <filename> <newfilename> (-p preserves mode, ownership and timestamps)

chown <user>:<group> <filename>

chmod 777 <filename> (read, write and execute for everyone: a world-writable file can be modified by any local user, so prefer the least permissions that work, e.g. 644 for data files and 755 for executables)

SFTP
!ls -ltr (run a shell command locally: list the files in the local folder; lls does the same)
lcd /root (change the local folder)

vi <File Name>
vim <File Name>
x        Delete a character
dd       Delete a line
o        Open a new line below and enter insert mode
p        Paste
yy       Copy (yank) a line
Shift+G  Go to the last line
:wq      Save and exit
:q!      Exit without saving
Esc      Return to command mode
i        Insert (edit) mode
/<key>   Search for key
n        Next match
N        Previous match

screen
screen -S <name> -L (start a named session; -L logs it to screenlog.0 in the current directory)
(Commands typed inside screen are not stored in the outer shell's history, but they will be in the PuTTY log if one is enabled)

Ctrl-A then ? (help menu)
Ctrl-A then d (detach the screen; it keeps running)
Ctrl-A then K (terminate the screen)
Ctrl-A then H (start logging)

screen -ls (list running screens)
There is a screen on:
4491.pts-2.FC547 (detached)

screen -r 4491 (re-attach to that session)

man ls (manual page)
Ctrl+B - page up
Ctrl+F - page down
/<word> then Enter - search; n for the next match
q - quit

man -k <word> (list all commands whose description contains that word)

hostname --help (help on the hostname command)

hostname <hostname> (changes the host name until reboot)

To change the host name permanently
vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=myserver.example.com
GATEWAY=10.10.10.1
Users

su - (switch to root) (the - also loads root's login environment)
su - <user> (switch to another user)
useradd <username> (create a user)

groupadd <groupname>
useradd -G <group-name> <username> (create a user and add it to a supplementary group)
usermod -aG <group-name> <username> (add an existing user to a group; without -a the user's other supplementary groups are removed)

passwd <username>
passwd (change the current user's password)

id <username> (display UID, GID and group membership)

users (list the currently logged-in users)
whoami (display the current user)

cat /etc/passwd (list all the users configured on the system)
cat /etc/shadow (password hashes and ageing; readable by root only)

userdel -r <username> (delete a user and remove the home directory)

cat /etc/group (list all groups)

env | more (list the environment variables)
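What to look for once /etc/passwd and /etc/shadow are in front of you, as an added example (not part of the original notes): a Python script that parses both files and flags the usual account problems, a second UID 0 account, an empty password field, an empty or weak (MD5/DES) hash, and a system account that has been given an interactive shell and a usable password. The two sample files are constructed here, with placeholder hashes that only carry a realistic crypt(3) prefix; run audit() on the real files as root.

```python
"""Audit /etc/passwd and /etc/shadow for the common account misconfigurations."""

# Constructed sample files (not real system files): a clean root account, two
# locked system accounts, a service account that was given a shell and a
# password, a user with an old MD5 hash, a second UID 0 account and an account
# with an empty password. The hash values are placeholders, only the prefix matters.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
mjayasun:x:1000:1000::/home/mjayasun:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDER.sha512.hash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
mysql:$6$saltsalt$PLACEHOLDER.sha512.hash:19000:0:99999:7:::
mjayasun:$1$saltsalt$PLACEHOLDER.md5.hash:19000:0:99999:7:::
toor:$6$saltsalt$PLACEHOLDER.sha512.hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
"""

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh", "/bin/csh", "/bin/tcsh"}


def parse_passwd(text):
    """Return one dict per /etc/passwd line (name:pw:uid:gid:gecos:home:shell)."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users.append({"name": f[0], "pw": f[1], "uid": int(f[2]), "gid": int(f[3]),
                      "gecos": f[4], "home": f[5], "shell": f[6]})
    return users


def parse_shadow(text):
    """Return {user: hash_field} from /etc/shadow (the second field only)."""
    hashes = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            hashes[f[0]] = f[1] if len(f) > 1 else ""
    return hashes


def hash_kind(h):
    """Classify a shadow hash field by its crypt(3) prefix."""
    if h == "":
        return "empty"          # login with no password at all
    if h.startswith(("*", "!")):
        return "locked"         # password login disabled
    for prefix, kind in (("$1$", "md5"), ("$2", "bcrypt"), ("$5$", "sha256"),
                         ("$6$", "sha512"), ("$y$", "yescrypt")):
        if h.startswith(prefix):
            return kind
    if "$" not in h and len(h) == 13:
        return "des"            # traditional 56-bit DES crypt
    return "unknown"


def audit(passwd_text, shadow_text):
    """Return a list of (severity, account, message) findings."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings = []

    by_uid = {}
    for u in users:
        by_uid.setdefault(u["uid"], []).append(u["name"])
    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(("HIGH", ",".join(names), f"duplicate UID {uid}"))

    for u in users:
        name = u["name"]
        if u["uid"] == 0 and name != "root":
            findings.append(("HIGH", name, "extra UID 0 account"))
        if u["pw"] == "":
            findings.append(("HIGH", name, "empty password field in /etc/passwd"))
        if name not in shadow:
            findings.append(("MEDIUM", name, "no /etc/shadow entry"))
            continue
        kind = hash_kind(shadow[name])
        if kind == "empty":
            findings.append(("HIGH", name, "empty password hash: login without a password"))
        elif kind in ("md5", "des"):
            findings.append(("MEDIUM", name, f"weak {kind} password hash"))
        if 0 < u["uid"] < 1000 and u["shell"] in INTERACTIVE_SHELLS and kind != "locked":
            findings.append(("MEDIUM", name,
                             "system account with an interactive shell and a usable password"))
    return findings


if __name__ == "__main__":
    for severity, account, message in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{severity:6} {account:14} {message}")
```

The 1000 boundary for system accounts is the default UID_MIN on Red Hat and Debian derivatives; check /etc/login.defs if the host was built with a different value.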


Network Operations

Define IPs
netconfig (start a menu to configure the network) (Red Hat only)
ifconfig eth0 192.168.0.5 netmask 255.255.255.0 up (set an IP; lost at reboot)
ip addr add 192.168.0.5/24 dev eth0 (the same with iproute2, which replaces ifconfig/route on current distributions)
ifconfig eth0 down
vi /etc/sysconfig/network-scripts/ifcfg-eth0 (permanently)
DEVICE=eth0
BOOTPROTO=static
DHCPCLASS=
HWADDR=00:30:48:56:A6:2E
IPADDR=10.10.10.15
NETMASK=255.255.255.192
ONBOOT=yes
service network restart

Define the default gateway
route add default gw 10.10.10.1 (or: ip route add default via 10.10.10.1)
vi /etc/sysconfig/network (permanently)
NETWORKING=yes
HOSTNAME=myserver.example.com
GATEWAY=10.10.10.1

Define routes
route add -net 172.22.31.160/27 gw 172.22.31.129 dev eth5.1514
route add default gw 192.168.1.10

vi /etc/sysconfig/network-scripts/route-eth0 (permanently)
service network restart

route -n (print the IP routing table; -n skips name resolution)
netstat -rn (print the IP routing table)
ip route show (print the IP routing table)

netstat -a (print listening ports and established connections; netstat -tulpn shows listening TCP/UDP sockets with the owning process, as does ss -tulpn)


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:7710 *:* LISTEN
tcp 0 0 mpe2a:56402 mpe2b:7710 ESTABLISHED

Active UNIX domain sockets (servers and established)


Proto RefCnt Flags Type State I-Node Path
unix 2 [ACC] STREAM LISTENING 199525502 /var/agentx/master
unix 3 [ ] STREAM CONNECTED 467911122
unix 2 [ ] DGRAM 2218680

netstat -na | grep 10.29.62.214 (check connections to/from the host)

netstat -an | egrep '386[89]' | sort (quote the pattern so the shell does not expand the brackets as a glob)

tcpkill host 192.168.1.2 (from dsniff; kills TCP connections to/from the host by injecting RSTs)

ip -f inet addr (check all IPv4 addresses, including VIPs, which ifconfig does not list)

vi /etc/resolv.conf (DNS servers)
search <Local Domain Name>
nameserver 202.54.1.10
nameserver 202.54.1.11

vi /etc/hosts (static host names, consulted before DNS)

IPAddress      Hostname          Alias
127.0.0.1      localhost         deep.openna.com
208.164.186.1  deep.openna.com   deep
208.164.186.2  mail.openna.com   mail
208.164.186.3  web.openna.com    web

vi /etc/snmp/snmpd.conf (SNMP agent configuration; change the default community strings)

Firewall (iptables)
iptables -L (list firewall rules; add -n -v to skip DNS lookups and show counters and interfaces)
iptables -S (list the rules in iptables-save syntax)
service iptables stop (stop the firewall: flushes the rules and sets the chain policies to ACCEPT)

Adding a rule (rules take effect immediately; save them so they survive a reboot)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-A  Append to the end of chain "INPUT"
-I  Insert at the beginning of chain "INPUT" (rules are matched top down, so an inserted ACCEPT is evaluated before every existing DROP/REJECT in the chain, while an appended rule after a catch-all REJECT never matches)
-R  Replace a rule (by number)

Add a rule (complete steps)
iptables -I SIGTRAN1 -p sctp --match multiport --dports 1024:65535 -j ACCEPT
service iptables save
(restarting the network service is not needed for the rule to apply)

Removing a rule
iptables -L INPUT --line-numbers (find the rule number)
iptables -D INPUT 5

Save the rules (written to /etc/sysconfig/iptables on Red Hat)
service iptables save

Backup/Restore
iptables-save > iptables.dump
iptables-restore < iptables.dump
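Reviewing a saved rule set for the problems the -A / -I notes above describe, as an added example (not part of the original notes or of iptables): a Python script that parses iptables-save output and reports a chain left at policy ACCEPT with no final deny, an ACCEPT from any source that opens a wide port range (the SIGTRAN1 rule above accepts 64512 SCTP ports from anywhere), and a rule appended after the chain's catch-all REJECT where it can never match. The dump is constructed here; feed it `iptables-save` output from a real host. Only the match options the script needs are interpreted, so unusual modules are skipped rather than parsed.

```python
"""Review an iptables-save dump for ordering and exposure problems."""
import shlex

# Constructed iptables-save output (not from a real host). It contains the mistakes
# the notes warn about: FORWARD left at policy ACCEPT with no rules, a wide-open
# SCTP port range from any source, and a rule appended with -A after the chain's
# catch-all REJECT, where it can never match.
SAMPLE_DUMP = """\
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SIGTRAN1 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.29.62.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p sctp -j SIGTRAN1
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 443 -j ACCEPT
-A SIGTRAN1 -p sctp -m multiport --dports 1024:65535 -j ACCEPT
-A SIGTRAN1 -s 10.29.62.0/24 -p sctp -m multiport --dports 3868 -j ACCEPT
COMMIT
"""

# options that take one argument; everything else is treated as a flag
TWO_ARG_OPTS = {"-j", "-s", "-d", "-p", "-i", "-o", "-m", "--state", "--ctstate",
                "--reject-with", "--dport", "--dports", "--sport", "--sports"}
WIDE_RANGE = 1000   # an unrestricted ACCEPT covering more ports than this is flagged


def parse_dump(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save format."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                      # :CHAIN POLICY [pkts:bytes]
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "target": None, "src": None, "proto": None,
                "iface": None, "state": None, "dports": [], "raw": line}
        i = 2
        while i < len(toks):
            opt = toks[i]
            val = toks[i + 1] if opt in TWO_ARG_OPTS and i + 1 < len(toks) else None
            if opt == "-j":
                rule["target"] = val
            elif opt == "-s":
                rule["src"] = val
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "-i":
                rule["iface"] = val
            elif opt in ("--state", "--ctstate"):
                rule["state"] = val
            elif opt in ("--dport", "--dports"):
                rule["dports"] += val.split(",")
            i += 2 if val is not None else 1
        rules.append(rule)
    return policies, rules


def port_count(dports):
    """Number of destination ports a rule covers (ranges are written lo:hi)."""
    total = 0
    for item in dports:
        lo, _, hi = item.partition(":")
        total += int(hi or lo) - int(lo) + 1
    return total


def is_catch_all(rule):
    """A terminating rule with no match criteria ends evaluation for every packet."""
    return (rule["target"] in ("DROP", "REJECT") and rule["src"] is None
            and rule["proto"] is None and rule["iface"] is None and not rule["dports"])


def review(policies, rules):
    """Return a list of (chain, message) findings."""
    findings = []
    for chain in ("INPUT", "FORWARD"):
        has_final_deny = any(is_catch_all(r) for r in rules if r["chain"] == chain)
        if policies.get(chain) == "ACCEPT" and not has_final_deny:
            findings.append((chain, "policy ACCEPT with no final DROP/REJECT rule"))
    dead = set()                                      # chains already ended by a catch-all
    for rule in rules:
        if rule["chain"] in dead:
            findings.append((rule["chain"], f"unreachable rule after catch-all deny: {rule['raw']}"))
        elif is_catch_all(rule):
            dead.add(rule["chain"])
        if rule["target"] == "ACCEPT" and rule["src"] is None and rule["iface"] != "lo":
            if not rule["dports"] and rule["proto"] is None and rule["state"] is None:
                findings.append((rule["chain"], f"accepts all traffic from any source: {rule['raw']}"))
            elif port_count(rule["dports"]) > WIDE_RANGE:
                findings.append((rule["chain"],
                                 f"accepts {port_count(rule['dports'])} ports from any source: {rule['raw']}"))
    return findings


if __name__ == "__main__":
    for chain, message in review(*parse_dump(SAMPLE_DUMP)):
        print(f"{chain:10} {message}")
```

The stateful RELATED,ESTABLISHED rule is deliberately not reported: it accepts only replies to connections that an earlier rule already allowed.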

cat /sys/devices/.....eth11/operstate (check the interface status)
cat /sys/class/net/eth0/operstate

ifdown eth0
ifup eth0 or ifconfig eth0 up (bring the interface up)

ethtool eth0 (view network card properties: link, speed, duplex)
ethtool -s eth0 autoneg off (change an interface setting temporarily)
ethtool -i eth0 (display driver and firmware info)
ethtool -S eth0 (display statistics)
ethtool -p eth0 (blink the port LED, to find the cable)

mii-tool (older equivalent of ethtool for link status)

dmesg | grep eth (display kernel messages related to interfaces)
dmesg > kernel_msgs.txt (save kernel messages)

cat /proc/net/bonding/bond1 (see the bonding info: active slave and link state of each member)

ping -I 10.59.226.4 10.239.130.89 (-I selects the source interface or address)

traceroute -s 10.59.226.4 10.239.130.89 (-s sets the source address; note that -I in traceroute means use ICMP echo probes instead of UDP)
(First entry is the gateway IP. Hops that do not answer are shown as * * *)

telnet 10.239.130.89 443 (check connectivity when only a specific port is open; nc -zv 10.239.130.89 443 does the same without needing a telnet client)

ntpq -p (list NTP peers and synchronisation status)
cat /etc/ntp.conf
service ntpd stop
ntpdate ntpserver1 (one-shot clock set; ntpd must be stopped first because it holds UDP port 123)
service ntpd start

ssh-keygen -R 10.249.15.200 (remove a host's key from ~/.ssh/known_hosts, e.g. after the server was reinstalled; if the key changed unexpectedly, confirm with the server admin before removing it, because a changed host key is also what a man-in-the-middle looks like)

nslookup <FQDN> (DNS lookup; dig <FQDN> gives more detail)

tcpdump

-C <file size>  Rotate to a new file when the current one reaches this size (millions of bytes); a number is appended to the file name
-c <count>      Stop after this number of packets
-i <interface>  Interface to capture on (any = all interfaces)
-n              Don't convert addresses to names
-s <snaplen>    Bytes captured per packet; 0 means the full packet (tcpdump 4.0+ captures full packets by default, older versions truncated at 68 bytes)
-r <file>       Read packets from a file
-w <file>       Write raw packets to a file
-W <count>      With -C: keep at most this many files, overwriting the oldest (ring buffer)
-Z <user>       Drop root privileges to this user after opening the capture (most distributions default to the tcpdump user; -Z root keeps root, so use it only when the output directory requires it)
host <IP>       Filter on an address
port <port>     Filter on a port
-vvv            Most verbose packet detail

tcpdump -r MP.cap (read a file)

tcpdump -ni eth01 -w /tmp/trace1.pcap port 3868 -c 100

tcpdump -i any host 62.93.153.5

tcpdump -i bond0.5 host 62.93.153.5 -w /tmp/ixptrace.cap -c 1000

nohup tcpdump -Z root -n -C 150 -W 50 -i any -s 0 -w /dev/shm/prov.pcap &

Runs in the background as a ring buffer: -C 150 is the file size (150 MB) and -W 50 the number of files, so at most about 7.5 GB of /dev/shm (RAM-backed) is used.

Use ps -ef | grep -i tcpdump to find it
kill <PID> to stop it (SIGTERM lets tcpdump flush and close the file; kill -9 can leave a truncated capture)

tshark

-R <filter>  Read filter (packets that pass the read filter are displayed or saved to the output file; in tshark 1.10+ the single-pass equivalent is -Y, and -R needs two-pass mode, -2)
-f <filter>  Capture filter (BPF syntax, applied in the kernel, so much cheaper than a read filter)
-S           In old tethereal: also print packets while writing to a file (-P in current tshark); in current tshark -S <sep> sets the line separator

tshark -i any -R 'snmp' -w /tmp/test.pcap

tshark -i any -R 'diameter or sctp' -w /tmp/27022014.pcap

tshark -i bond0.6 -w mp1_sctp3.pcap -R 'sctp'

tshark -w output.cap -R "ip.addr==10.82.23.x" (doesn't filter the IP: x is not a wildcard in display filters; use ip.addr==10.82.23.0/24, or a capture filter -f "net 10.82.23.0/24")

tethereal -i any -R "diameter.cmd.code==265||diameter.cmd.code==272" -S -w /tmp/Trace.pcap

cat /proc/meminfo

free -m | grep -i mem

service httpd stop

service ntpd stop

ntpdate ntpserver1
Important Files

cat /etc/passwd (list all the users configured on the system)
cat /etc/shadow (password hashes; root only)
cat /etc/group (list all groups)

cat /proc/sys/kernel/core_pattern (tells where core files are written)


Shell Scripts
Shell name           Command      Description
Bourne shell         sh           The most basic shell, available on all UNIX systems
Korn shell           ksh / pdksh  Based on the Bourne shell with enhancements
C shell              csh          Syntax similar to the C programming language
Bourne Again shell   bash         Combines the advantages of the Korn shell and the C shell. The default on most Linux distributions.
tcsh                 tcsh         Similar to the C shell

cat Display.sh
#!/bin/bash
# This is a sample script
echo "Date and time is:"
date
echo
# bash's builtin echo only interprets \n and \c with -e
echo -e "Your username is: $(whoami)\n"
echo -e "Your current directory is: \c"
pwd
echo
echo "Your Name is $1"

N1=10
N2=20
let N3=$N1+$N2
echo "Value of N3 is $N3"

./Display.sh Mahinda (execute the script; the file needs execute permission, chmod +x Display.sh)
(Mahinda is passed as command line argument $1; $0 is the script name)

Run a script in the background
bash /export/TAC/newchkwebci > checkwebciout.log &

Find its PID with ps -ef | grep newchkwebci, then kill <PID> to stop it

\n      New line (with echo -e)
\c      Continue on the same line, i.e. suppress the trailing newline (with echo -e)
clear   Clear the screen
echo $USER (system variables are in capitals)
n=10 (define a user variable with value 10)

echo $((1 + 3 + 4)) - arithmetic expansion

echo `expr 1 + 3` (` is a backtick, not ') - command substitution
echo $(expr 1 + 3)
echo "Today is $(date)"
; separates commands on the same line

>> Append to a file
>  Redirect (overwrite) to a file
<  Take input from a file (grep searchterm < file)

msg1=one
msg2="$msg1 two" (if the string has spaces, quote it in "")

Exit value of a command or script (0 means success)
ls
echo $? (will give 0)

read fname (waits for a value and stores it in the variable)

ls [a-c]*   ls [abc]*   (display files starting with a, b or c)
ls [!abc]*  ls [^abc]*  (display files not starting with a, b or c)
Crontab

crontab -e  Edit your crontab file, or create one if it doesn't already exist.
crontab -l  Display your crontab file.
crontab -r  Remove your crontab file (no confirmation).
crontab -v  Display the last modification time (Solaris cron; not available in Linux cron)

Eg:
0,15,30,45 * * * * /mjayasun/check_syscheck.sh
Runs check_syscheck.sh every 15 minutes (*/15 * * * * is equivalent). Fields: minute hour day-of-month month day-of-week.
SSH

Transport layer (TL): identification string exchange

Transport layer (TL): algorithm negotiation and key exchange
(public values are sent; the client verifies the server host key, e.g. via known_hosts or a CA)
(both parties compute the shared key K and the exchange hash H)

User authentication (UA): method = public key, password or host based

Connection: data is encrypted and integrity-protected with session keys derived from the shared key (K) and the exchange hash (H).

Symmetric encryption: encrypts the entire connection ("shared secret" or "secret key" encryption). It is set up before authentication, so passwords and authentication messages are already protected.

Asymmetric encryption: during the initial key exchange that sets up the symmetric encryption (used to encrypt the session), asymmetric cryptography is used. In this stage both parties produce temporary key pairs and exchange the public values in order to produce the shared secret that will be used for symmetric encryption. The key pairs used for this part of the procedure are completely separate from the SSH keys used to authenticate a client to the server.

It is also used in SSH key-based authentication. SSH key pairs can be used to authenticate a client to a server. The client creates a key pair and then uploads the public key to any remote server it wishes to access. This is placed in a file called authorized_keys within the ~/.ssh directory of the user account's home directory on the remote server.
After the symmetric encryption is established to secure communications between the server and client, the client must authenticate to be allowed access. The client signs a message that includes the session identifier with its private key; the server verifies the signature with the matching public key from authorized_keys. A valid signature proves the client holds the private key, and the server then sets up the environment for the client.

Hashing: another form of data manipulation that SSH takes advantage of is cryptographic hashing. Cryptographic hash functions create a succinct "fingerprint" of a set of information. Their distinguishing attributes are that they are not meant to be reversed, their output cannot be influenced predictably, and collisions are practically impossible to find.
Given these properties, hashes are mainly used for data integrity and to verify the authenticity of communication. The main use in SSH is the HMAC, or hash-based message authentication code, computed over each packet with a key derived from the exchange. It ensures that the received message text is intact and unmodified; SSH uses a MAC for integrity, not a bare hash.

Algorithm negotiation and key exchange (Diffie-Hellman)

 Both parties agree on a large prime number p (the modulus) and a generator g. In SSH these come from the negotiated key exchange method (e.g. diffie-hellman-group14-sha256 uses a fixed 2048-bit group); the cipher used afterwards (e.g. AES) is negotiated separately.
 Independently, each party picks a random secret exponent, kept secret from the other party. This is the private value for this exchange (different from the private SSH key used for authentication); it does not need to be prime.
 Each party computes its public value g^x mod p from its secret, g and p; the public value can be shared with the other party.
 Both participants exchange their public values.
 Each party raises the other's public value to its own secret exponent mod p. Although computed independently, using the opposite private and public values, both arrive at the same shared secret K.
 The shared secret K (together with the exchange hash H) is used to derive the session keys that encrypt and authenticate all communication that follows. The server also signs H with its host key, which is how the client authenticates the server during the exchange.
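The exchange described above, together with the HMAC check from the Hashing paragraph, as an added example that is not part of the original notes or of OpenSSH: Python using only the standard library. The group (p = 2^127 - 1, g = 2) is a toy-sized stand-in for the 2048-bit MODP groups SSH actually negotiates, the exchange hash covers fewer fields than SSH's H, and the key label and sequence-number MAC follow RFC 4253; the party objects and the sample payloads are constructed for the demo.

```python
"""Diffie-Hellman key agreement, key derivation and HMAC integrity, as SSH does it."""
import hashlib
import hmac
import secrets

# Toy group for illustration: p = 2**127 - 1 (a Mersenne prime), g = 2.
# SSH uses 2048-bit or larger MODP groups (e.g. diffie-hellman-group14-sha256)
# or elliptic-curve exchanges (curve25519-sha256); the arithmetic is the same idea.
P = 2**127 - 1
G = 2


def int_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


class Party:
    """One side of the exchange: a random secret exponent and the public value derived from it."""

    def __init__(self, p=P, g=G, secret=None):
        self.p, self.g = p, g
        # the secret is a random exponent (not a prime); it never leaves this party
        self.secret = secrets.randbelow(p - 3) + 2 if secret is None else secret
        self.public = pow(g, self.secret, p)          # g^x mod p, safe to send
        self.shared = None

    def compute_shared(self, peer_public):
        # RFC 4253 requires the peer value to lie in [1, p-1]; rejecting 0, 1 and p-1 also
        # blocks the degenerate values that would force a predictable shared secret
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value out of range")
        self.shared = pow(peer_public, self.secret, self.p)   # (g^y)^x mod p
        return self.shared


def exchange_hash(client_pub, server_pub, shared):
    """Stand-in for SSH's H. The real H also covers the version strings, KEXINIT
    payloads and the server host key, so a tampered negotiation changes H."""
    return hashlib.sha256(int_bytes(client_pub) + int_bytes(server_pub) + int_bytes(shared)).digest()


def derive_key(shared, h, label, length=32):
    """RFC 4253 section 7.2: key = HASH(K || H || label || session_id); H doubles as session id here."""
    return hashlib.sha256(int_bytes(shared) + h + label + h).digest()[:length]


def mac_packet(key, seq, payload):
    """SSH MACs the 32-bit sequence number with the packet, so replayed or reordered packets fail."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


def verify_packet(key, seq, payload, tag):
    return hmac.compare_digest(mac_packet(key, seq, payload), tag)


def run_exchange(message=b"ls -l /etc"):
    """Return (secrets agree, genuine packet verifies, forged payload verifies, replayed seq verifies)."""
    client, server = Party(), Party()
    k_client = client.compute_shared(server.public)   # only the public values cross the wire
    k_server = server.compute_shared(client.public)
    h = exchange_hash(client.public, server.public, k_client)
    key_c2s = derive_key(k_client, h, b"E")            # client-to-server integrity key (label E)
    tag = mac_packet(key_c2s, 3, message)              # client MACs packet number 3
    server_key = derive_key(k_server, h, b"E")         # server derives the same key from its K
    ok = verify_packet(server_key, 3, message, tag)
    forged = verify_packet(server_key, 3, b"rm -rf /etc", tag)
    replayed = verify_packet(server_key, 4, message, tag)
    return k_client == k_server, ok, forged, replayed


if __name__ == "__main__":
    print(run_exchange())   # (True, True, False, False)
```

An eavesdropper sees g, p and both public values but neither secret exponent; with a real-sized group, recovering K from those is the discrete logarithm problem. The range check in compute_shared is the part implementations forget: a peer that sends 1 or p-1 would otherwise pin K to a value it can predict.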
SSH - public key authentication

On the client machine, the user generates a public/private key pair.

If the private key is protected with a passphrase, the user is prompted for it every time the key is used (unless an agent such as ssh-agent or Pageant holds the unlocked key).

Use ssh-copy-id from the client

Or the server admin adds the public key to ~/.ssh/authorized_keys

Generate the authentication key

To generate the key pair

fabio@morpheus:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/fabio/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/fabio/.ssh/id_rsa.
Your public key has been saved in /home/fabio/.ssh/id_rsa.pub.
The key fingerprint is:
44:3e:ef:58:94:15:52:c2:88:ca:ab:21:43:53:3d:42 fabio@morpheus
fabio@morpheus:~$

If you need to change the passphr ase or add one, do:

fabio@morpheus:~$ ssh-keygen -p
Enter file in which the key is (/home/fabio/.ssh/id_rsa):
Key has comment '/home/fabio/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
fabio@morpheus:~$
In this case a passphrase was added. Note that this operation does not change the public/private key pair; it only changes how the private key file is encrypted on disk.

Install the public key on the servers

SSH comes with a utility called ssh-copy-id that appends the contents of the client's ~/.ssh/id_rsa.pub to the server's ~/.ssh/authorized_keys:

fabio@morpheus:~$ ssh-copy-id -i .ssh/id_rsa.pub [email protected]


[email protected]'s password:

Note that at this point password access is needed

Now try logging into the server, with "ssh '[email protected]'", and
check in:

.ssh/authorized_keys

Or
cat id_rsa.pub >> .ssh/authorized_keys

Access

At this point the user's account on the server can be locked for password authentication. On Linux:

[email protected]:~# passwd -l ornellas

(this locks only that account's password; to turn off password logins for everyone, set PasswordAuthentication no in /etc/ssh/sshd_config and reload sshd)

Now, try to access the server:

fabio@morpheus:~$ ssh [email protected]


Enter passphrase for key '/home/fabio/.ssh/id_rsa':
ornellas@pound:~$

On this case, the client’s key was encrypted and its password was asked. If it had no
password, nothing would have been asked, and access would be direct:

fabio@morpheus:~$ ssh [email protected]


ornellas@pound:~$
For Windows
Download putty.zip

Create your ssh key


Run the puttygen.exe utility to generate a pair of private/public keys.

Make sure the SSH-2 RSA parameter is selected at the bottom of the window and click on the
Generate button.

Once you have accumulated enough entropy, the application generates the key.
Make sure you enter a lengthy passphrase in the Key passphrase field and confirm it in the
Confirm passphrase field.
Click on the Save private key button to save your private key in a file.

With your mouse, select the content of the box labeled Public key for pasting into OpenSSH
authorized_keys file, copy it (that is, hit Control-C).
Make it available for PuTTY-compliant applications
1. Under Session , enter the hostname of the Unix machine, and choose the SSH
protocol
2. Under Connection > Data , enter your login name for the Unix machine in Auto-login
username

3. Under Connection > SSH > Auth , select the filename of the private key that you
saved out of PuTTYGen

4. Back under Session , enter the hostname again in the box under Saved Sessions and
click Save
This is now added into the registry and all PuTTY applications are aware of it.
Load your key

Pageant is a utility that loads ssh keys in memory. If you load your ssh key with pageant, you
won't have to type your ssh key passphrase again and again.

First, run pageant.exe. Then load your ssh key by right-clicking on the pageant icon in the
system tray bar as shown below.

Click on the Add key menu item: a file dialog pops up.

Select the private key file you saved while running puttygen.exe and click on the Open
button: a new dialog pops up. Its title is Pageant: enter passphrase.

Type in your passphrase and click on the ok button.


Your key is now loaded in pageant.

On Linux

Create the key pair on the client

ssh-keygen -t rsa

With more options

ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa -C "Enter an optional comment about your key"
(2048-bit RSA is the minimum acceptable today; ssh-keygen -t ed25519 is the modern default choice)

Copy the public key to the server

id_rsa.pub to /home/<user>/.ssh/id_rsa.pub

ls /home/<user>/.ssh
id_rsa.pub
known_hosts (host keys of the servers this user has connected to)
authorized_keys

Include the public key in the authorized_keys file

On the server
cat id_rsa.pub >> ~/.ssh/authorized_keys
(mv id_rsa.pub authorized_keys would replace any keys already installed there)

Or, from the client
cat ~/.ssh/id_rsa.pub | ssh [email protected] 'cat - >> ~/.ssh/authorized_keys'

On the server, set the permissions sshd requires (with StrictModes on, the default, it ignores an authorized_keys file or .ssh directory that is group or world writable)

chmod 600 ~/.ssh/authorized_keys && chmod 700 ~/.ssh/

To remove a host key from known_hosts

ssh-keygen -R 10.249.15.200
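Checking what is actually in an authorized_keys file, as an added example (not part of the original notes or of OpenSSH): a Python script that parses each entry, including the quoted options prefix (from=, command=, no-pty), decodes the key blob the way OpenSSH encodes it, reports the key type, RSA size and the SHA256 fingerprint in the same form as ssh-keygen -lf, and flags short RSA keys, DSA keys, entries with no from= restriction, duplicates and malformed lines. The sample keys are constructed (made-up ed25519 bytes and RSA moduli, encoded in the real wire format, not real keys); run audit() over the lines of a real file.

```python
"""Parse and audit ~/.ssh/authorized_keys entries (options, key type, size, fingerprint)."""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "ssh-dss")


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def ssh_mpint(x):
    # positive mpint: big-endian with a leading 0x00 whenever the top bit would be set
    return ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def split_unquoted(s, seps, maxsplit=-1):
    """Split s on any char in seps, ignoring separators inside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted and (maxsplit < 0 or len(parts) < maxsplit):
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        parts.append(cur)
    return [p.strip() for p in parts]


def parse_entry(line):
    """Decode one authorized_keys line into type, bits, fingerprint, options and comment."""
    first = line.split(None, 1)[0]
    options, rest = ("", line) if first in KEY_TYPES else split_unquoted(line, " \t", 1)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError("missing key data")
    ktype, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)         # raises binascii.Error (a ValueError)
    inner, off = read_string(blob, 0)
    if inner != ktype.encode():
        raise ValueError(f"declared type {ktype} does not match blob type {inner.decode(errors='replace')}")
    bits = None
    if ktype == "ssh-rsa":
        _, off = read_string(blob, off)                  # public exponent e
        n, _ = read_string(blob, off)                    # modulus n
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-ed25519":
        bits = 256
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits, "fingerprint": fingerprint,
            "options": split_unquoted(options, ","), "comment": fields[2] if len(fields) > 2 else ""}


def audit(lines):
    """Return [(line number, entry or None, [findings])] for every non-empty line."""
    report, seen = [], {}
    for num, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            entry = parse_entry(line)
        except (ValueError, struct.error) as exc:
            report.append((num, None, [f"malformed entry: {exc}"]))
            continue
        findings = []
        if entry["type"] == "ssh-rsa" and entry["bits"] < 2048:
            findings.append(f"weak RSA key ({entry['bits']} bits)")
        if entry["type"] == "ssh-dss":
            findings.append("DSA key (refused by default since OpenSSH 7.0)")
        if not any(o.startswith("from=") for o in entry["options"]):
            findings.append("no from= restriction: usable from any source address")
        if entry["fingerprint"] in seen:
            findings.append(f"duplicate of line {seen[entry['fingerprint']]}")
        seen.setdefault(entry["fingerprint"], num)
        report.append((num, entry, findings))
    return report


# Constructed sample keys: made-up ed25519 bytes and RSA moduli, not real keys,
# but encoded exactly as OpenSSH encodes public key blobs.
ED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
RSA2048_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 1)
RSA1024_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 1023) | 1)
b64 = lambda blob: base64.b64encode(blob).decode()
SAMPLE_LINES = [
    f"ssh-ed25519 {b64(ED_BLOB)} deploy@build01",
    f'from="10.0.0.0/8",command="/usr/bin/rsync --server -a . /backup",no-pty ssh-rsa {b64(RSA2048_BLOB)} backup@nas',
    f"ssh-rsa {b64(RSA1024_BLOB)} old-laptop",
    f"ssh-ed25519 {b64(RSA2048_BLOB)} mislabelled",
    "ssh-rsa AAAA%%notbase64 junk",
]

if __name__ == "__main__":
    for num, entry, findings in audit(SAMPLE_LINES):
        label = f"{entry['type']} {entry['bits']} {entry['fingerprint']}" if entry else "-"
        print(num, label, "; ".join(findings) or "ok")
```

The second sample line is the shape a service key should have: pinned to a source network, restricted to one command, and no PTY. A key without from= works from wherever the private key ends up, which is why the audit reports it.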
RSA Token

First provide the RSA software token's serial number to the access administrator.

Then import the RSA token file.

Passcode = PIN + tokencode

If your token requires a PIN, you normally create your PIN during your first RSA SecurID
authentication
Use the following procedure if the SecurID desktop application displays the Tokencode screen and your VPN
client application requests a passcode (or a PIN and tokencode).
Note: Your user name is normally the user name that you use to log on to your desktop.
To complete first-time authentication:
1.Start the SecurID desktop application on your desktop.
The Tokencode screen is displayed.
2.Connect to your VPN client.
3.In the User Name field, enter the user name that your administrator assigned.
You are prompted for a passcode.
4.In the SecurID desktop application, click the Copy button to copy the tokencode.
5.Return to the VPN client and paste the tokencode in the Passcode field.
You are prompted to create a PIN.
6.Follow the prompts to create and confirm your PIN.
Use the PIN format that your administrator specified. Memorize your PIN. After you create your PIN,
you are prompted for a new passcode.
7.Enter your PIN in the Passcode field.
8.Return to the SecurID desktop application and wait for the tokencode to change. After the tokencode
changes, click the Copy button to copy the tokencode.
9.Return to the VPN client. Paste the tokencode next to your PIN. Click OK to submit your passcode.
IPsec (Internet Protocol Security)
https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security

Creating a tunnel
IKE (Internet Key Exchange)
IKE phase 1 - sets up a protected IKE SA (using ISAKMP) over which phase 2 is negotiated; the peers authenticate each other here (pre-shared key or certificates)
IKE phase 2 - negotiates the IPsec SAs, i.e. the actual tunnel

During IKE phase 2 the following are decided:

 IPsec protocol: do we use AH or ESP?
 Encapsulation mode: transport or tunnel mode?
 Encryption: which encryption algorithm? DES, 3DES or AES? (DES and 3DES are obsolete; use AES)
 Authentication: which integrity algorithm? MD5 or SHA? (prefer SHA-2)
 Lifetime: how long is the IKE phase 2 tunnel valid? When the tunnel is about to expire, the keying material is refreshed.
 (Optional) DH exchange: used for PFS (Perfect Forward Secrecy), so a compromised phase 1 key does not expose the phase 2 keys.

Authentication and encryption

AH - Authentication Header (authentication and integrity only, no confidentiality; it covers the IP header too, so it does not survive NAT)
ESP - Encapsulating Security Payload (authentication, integrity and encryption)

Both protocols can operate in two modes

Transport mode (protects the payload only; the original IP header is kept)
Tunnel mode (the whole original packet is encapsulated in a new IP packet)
AH and ESP can also be used together
SSL/TLS

SSL - Secure Sockets Layer (what "https" uses, port 443 by default); SSL 2 and 3 are obsolete and have been replaced by TLS

TLS - Transport Layer Security

How to check whether the certificates are working

mr0pgw01:~ # curl -ivs https://172.30.167.6:30600
* About to connect() to 172.30.167.6 port 30600 (#0)
* Trying 172.30.167.6... connected
* Connected to 172.30.167.6 (172.30.167.6) port 30600 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* TLSv1.0, TLS handshake, Client hello (1):
* TLSv1.0, TLS handshake, Server hello (2):
* TLSv1.0, TLS handshake, CERT (11):
* TLSv1.0, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0

Here the client could not build a chain from the server certificate to a CA in /etc/ssl/certs/, so it aborted the handshake with a TLS alert: either the server presents a self-signed or otherwise untrusted certificate, or the issuing CA is missing from the client's store. To see what the server actually sends, use openssl s_client -connect 172.30.167.6:30600 -showcerts. curl -k skips verification, which is fine for inspection but never for a real client.

"Connected to 172.30.167.6 (172.30.167.6) port 30600 (#0)" also verifies that the IP path is open on that port.
Digital Signatures
