Register and Subscribe a RHEL System using Red Hat Subscription-Manager

Red Hat Enterprise Linux (RHEL) is a widely used enterprise Linux distribution. To receive package updates, security errata and support from Red Hat, a system has to be registered with Red Hat Subscription Management through the Customer Portal: an unregistered system has no usable Red Hat repositories and cannot be patched from the Red Hat CDN.

Here's how to register and subscribe a RHEL system to the Red Hat Customer Portal using the Red Hat Subscription-Manager:

Install Red Hat Subscription-Manager: subscription-manager is the tool that registers the system and manages its subscriptions and repositories. It is part of every RHEL installation; if it has been removed, reinstall it with:

dnf install subscription-manager

Register the System: Register with the Red Hat Customer Portal. Without options the command prompts for a portal username and password; on servers prefer an activation key (the --org and --activationkey options) so that no personal credentials are typed on the host:

subscription-manager register

Verify Registration: Confirm that the system now has an identity. The command prints the system identity and owning organization; on an unregistered system it exits non-zero and reports that the system is not yet registered:

subscription-manager identity

Attach a Subscription: Attach a subscription that covers the system so that its repositories become available; --auto picks a matching one. On accounts with Simple Content Access enabled this step is not required, because registration alone grants content access, and the command just tells you so:

subscription-manager attach --auto

Enable Required Repositories: Packages only come from repositories that are enabled. First list what is currently enabled (on RHEL 8 and 9 the BaseOS and AppStream repositories should be there):

subscription-manager repos --list-enabled

Anything missing is enabled with subscription-manager repos --enable=<repo-id>, using the Repo ID shown by subscription-manager repos --list.

Update the System: Finally, apply the available updates. dnf update installs everything that is newer; dnf update --security limits it to packages with security errata, which is the minimum for a production host:

dnf update

By following these steps, your RHEL system is registered with the Red Hat Customer Portal and receives updates and security patches from Red Hat. Re-run subscription-manager identity and subscription-manager repos --list-enabled after registering to be sure the host can actually reach the content before relying on it for patching.
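The steps above as one idempotent script. This is an added example, not code from the original page or from Red Hat: it registers only when the host has no identity yet, enables only the repositories that are missing (parsing the output of repos --list-enabled, a constructed sample of which is embedded), and then applies security errata. The RHSM_ORG and RHSM_KEY variables and the RHEL 8 x86_64 repo ids are assumptions; adjust them for your organization and release.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: the subscription-manager steps
# above as one idempotent script. Activation key variables and repo ids are
# assumptions; adjust for your org and RHEL release.
set -euo pipefail

# Parse `subscription-manager repos --list-enabled` output (read from stdin) and
# print, one per line, each wanted repo id that is NOT currently enabled.
missing_repos() {
  local enabled want
  enabled=$(awk -F': *' '/^Repo ID:/ {print $2}')
  for want in "$@"; do
    grep -Fqx -- "$want" <<<"$enabled" || echo "$want"
  done
}

# Register with an activation key (no personal password on a server) unless
# `subscription-manager identity` already succeeds, i.e. the host is registered.
ensure_registered() {
  if subscription-manager identity >/dev/null 2>&1; then
    echo "already registered"
    return 0
  fi
  subscription-manager register \
    --org "${RHSM_ORG:?set RHSM_ORG to your organization id}" \
    --activationkey "${RHSM_KEY:?set RHSM_KEY to an activation key name}"
  # Not needed when the account uses Simple Content Access; harmless otherwise.
  subscription-manager attach --auto || true
}

# Enable only the repos that are missing, so re-running the script is a no-op.
ensure_repos() {
  local repo missing
  missing=$(subscription-manager repos --list-enabled | missing_repos "$@" || true)
  for repo in $missing; do
    subscription-manager repos --enable="$repo"
  done
}

# Constructed sample of `repos --list-enabled` output with only BaseOS enabled.
SAMPLE_LIST_ENABLED='+----------------------------------------------------------+
    Available Repositories in /etc/yum.repos.d/redhat.repo
+----------------------------------------------------------+
Repo ID:   rhel-8-for-x86_64-baseos-rpms
Repo Name: Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
Repo URL:  https://cdn.redhat.com/content/dist/rhel8/$releasever/x86_64/baseos/os
Enabled:   1'

if [ "${1:-}" = "--apply" ]; then
  ensure_registered
  ensure_repos rhel-8-for-x86_64-baseos-rpms rhel-8-for-x86_64-appstream-rpms
  dnf -y update --security
else
  # Dry run against the sample: prints the repo that would be enabled.
  printf '%s\n' "$SAMPLE_LIST_ENABLED" |
    missing_repos rhel-8-for-x86_64-baseos-rpms rhel-8-for-x86_64-appstream-rpms
fi
```

Run it with --apply as root after exporting RHSM_ORG and RHSM_KEY; without arguments it only shows, from the sample, which repository would be enabled.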

Analyze Oracle Cloud Load Balancer WAF Logs using OCI Logging Analytics

In this guide we will see how to enable logging on the OCI Load Balancer WAF, including collecting access logs, and how to build dashboards that make those logs easy to analyse.

Enable Logging on OCI Load Balancer WAF

  • Go to the WAF policy -> Firewalls
  • Enable logs, creating a separate log group for them

Configure Log Ingestion from Load Balancer WAF to Logging Analytics

  • Create Logging Analytics Group
  • Create Service Connectors
    • Source: Logging
    • Target: Logging Analytics
    • Logging Analytics group as target

Analyze Logs using Logging Analytics

To analyze logs using Logging Analytics, go to OCI Navigation Menu >> Observability & Management >> Logging Analytics >> Log Explorer

Import Dashboards

  • Download the dashboard JSON files.
  • Open each file, find every occurrence of "compartment-id": "COMPARTMENT_ID" and replace COMPARTMENT_ID with your compartment OCID. Each occurrence should end up as "compartment-id": "ocid1.compartment.oc1..xxxxxxxxxx"
  • Open the OCI CLI and import each file:
    oci management-dashboard dashboard import --from-json file://WAF_Access_rule_and_Rate_limiting.json
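The placeholder replacement and import done by script instead of by hand. This is an added example, not code from the original page or from Oracle: it checks that the value you pass really is a compartment OCID, substitutes every placeholder, refuses to import a file that still contains one, and then calls the same oci management-dashboard dashboard import command as above. The trimmed dashboard JSON is a constructed sample; the directory layout and .filled.json naming are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: fill the compartment placeholder
# in every exported dashboard JSON, verify none is left, then import with the
# OCI CLI. Placeholder string matches the page; file naming is assumed.
set -euo pipefail

# Constructed, trimmed sample of an exported dashboard file (two placeholders).
SAMPLE_DASHBOARD='{"dashboards":[{"displayName":"WAF Access rule and Rate limiting","compartment-id": "COMPARTMENT_ID","savedSearches":[{"compartment-id": "COMPARTMENT_ID"}]}]}'

# Replace every placeholder (stdin -> stdout). The OCID is checked first: a
# tenancy or user OCID pasted by mistake would import into the wrong scope or fail.
fill_compartment() {
  local ocid="$1"
  case "$ocid" in
    ocid1.compartment.oc1*) ;;
    *) echo "refusing: '$ocid' is not a compartment OCID" >&2; return 1 ;;
  esac
  sed 's/"compartment-id": *"COMPARTMENT_ID"/"compartment-id": "'"$ocid"'"/g'
}

# Number of placeholders still present in stdin (0 means ready to import).
placeholders_left() {
  { grep -o 'COMPARTMENT_ID' || true; } | wc -l | tr -d ' '
}

# Fill and import every *.json in a directory. The filled copy is written beside
# the original so the downloaded file stays unmodified and the run is repeatable.
import_dashboards() {
  local ocid="$1" dir="$2" f out
  for f in "$dir"/*.json; do
    case "$f" in *.filled.json) continue ;; esac
    out="${f%.json}.filled.json"
    fill_compartment "$ocid" <"$f" >"$out"
    if [ "$(placeholders_left <"$out")" != 0 ]; then
      echo "placeholder still present in $out, not importing" >&2
      return 1
    fi
    oci management-dashboard dashboard import --from-json "file://$out"
  done
}

# usage: ./import-dashboards.sh <compartment-ocid> <directory-with-json-files>
if [ "$#" -eq 2 ]; then
  import_dashboards "$1" "$2"
fi
```

The OCID check is deliberately a prefix match on ocid1.compartment.oc1: it catches the common mistake of pasting the tenancy OCID, which also starts with ocid1. but would not place the dashboards where you expect.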
    

Disable Weak Algorithms in OpenSSH (Oracle Linux)

OpenSSH is the standard tool for secure remote access over untrusted networks. The protocol itself is sound, but an sshd that still offers legacy key exchange algorithms and ciphers will negotiate them with any client that asks, and every security scanner flags a host that does.

On Oracle Linux the OpenSSH package is preinstalled and, depending on the release and the system crypto policy in force, may still offer some of these legacy algorithms. They should be disabled.

The usual finding is the diffie-hellman-group1-sha1 key exchange, which uses a 1024-bit MODP group with SHA-1. Groups that small are within reach of well-funded precomputation (the Logjam attack), which lets an attacker positioned on the connection recover the session keys and read or alter the traffic. Scanners report CBC-mode ciphers (aes128-cbc, 3des-cbc and friends) next to it; those are ciphers rather than key exchange algorithms, but they are removed the same way, through the Ciphers directive.

To disable them, edit the OpenSSH server configuration file, /etc/ssh/sshd_config. Note that sshd takes the first value it finds for each keyword, so a line appended at the end of the file only wins if no earlier line, and no included file, sets the same keyword.

Check whether diffie-hellman-group1-sha1 is currently offered. sshd -T prints the effective server configuration (run it as root); the trailing echo $? prints 0 if the algorithm was found and 1 if it was not:

sshd -T | grep -Ei '^kexalgorithms' | grep diffie-hellman-group1-sha1; echo $?

or, from the network side, the way a scanner sees it:

nmap --script ssh2-enum-algos -sV -p 22 127.0.0.1 | grep diffie-hellman-group1-sha1; echo $?

Backup original SSH server configuration file e.g.:

cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.orig

Generate a KexAlgorithms line from the key exchange algorithms this OpenSSH build supports, leaving out diffie-hellman-group1-sha1 and the deprecated GSSAPI SHA-1 variants (gss-gex-sha1-, gss-group1-sha1-, gss-group14-sha1-), and append it to the server configuration file:

printf 'KexAlgorithms %s\n' "$(ssh -Q kex | grep -Ev 'diffie-hellman-group1-sha1|^gss-' | paste -sd, -)" >> /etc/ssh/sshd_config

This writes the entry in the form sshd expects:

  • the list is prefixed with 'KexAlgorithms '
  • the deprecated gss-* SHA-1 algorithms are excluded
  • the entries are comma-separated, with no trailing comma

CBC ciphers are handled the same way with ssh -Q cipher, filtering out every name containing -cbc, and a Ciphers line. On OpenSSH 7.5 and later (Oracle Linux 8 and 9) the shorter form KexAlgorithms -diffie-hellman-group1-sha1 removes one algorithm from the default set without listing the rest; Oracle Linux 7 ships OpenSSH 7.4, which needs the full list.

Validate the file with sshd -t, then restart the SSH server. Keep your current session open and test a fresh login from a second terminal before closing it, so that a mistake cannot lock you out:

systemctl restart sshd

If the algorithm is still offered after the restart, the system crypto policy is overriding sshd_config. On Oracle Linux 8 the policy is passed to sshd as command-line options through the CRYPTO_POLICY variable in /etc/sysconfig/sshd, and command-line options take precedence over the configuration file. Uncommenting the empty assignment there makes sshd use sshd_config alone:

CRYPTO_POLICY=

This opts sshd out of crypto-policies entirely, so every algorithm choice is then your responsibility; the alternative that keeps the rest of the policy is a custom policy module applied with update-crypto-policies. On Oracle Linux 9 the policy is instead pulled in from /etc/ssh/sshd_config.d/50-redhat.conf, included near the top of sshd_config, so a line appended at the bottom never takes effect: put your directives in a file under sshd_config.d whose name sorts before 50-redhat.conf.

Disabling weak key exchange algorithms and ciphers removes a standard scanner finding and the downgrade risk that comes with it. Re-scan after the change, and repeat the check after OpenSSH or crypto-policies updates, since a policy update can reintroduce a setting you removed.
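The whole procedure as one script, added here as an example rather than taken from the original page or from Oracle: it builds the KexAlgorithms and Ciphers lines from what the installed OpenSSH supports, appends them to sshd_config the way the page does, validates and restarts, and then checks the running daemon with sshd -T so that a crypto-policy override is detected instead of silently leaving the weak algorithms in place. The weak-algorithm patterns are assumptions that match common scanner findings (group1 and SHA-1 group-exchange kex, the GSSAPI SHA-1 variants, CBC and arcfour ciphers); diffie-hellman-group14-sha1 is kept because it is still in wide use, add it to the pattern if your scanner flags SHA-1 in general. The ssh -Q listings embedded below are constructed samples from an 8.x build.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page: derive hardened KexAlgorithms and
# Ciphers lines, append them, validate, restart, and verify with `sshd -T`.
# The weak patterns are assumptions; extend them to match your scan results.
set -euo pipefail

WEAK_KEX='diffie-hellman-group1-sha1|diffie-hellman-group-exchange-sha1|gss-[a-z0-9]+-sha1-'
WEAK_CIPHERS='-cbc|arcfour'

# Read algorithm names one per line, as `ssh -Q kex` / `ssh -Q cipher` print them,
# drop those matching the weak pattern and join the rest with commas, which is the
# form sshd_config expects (no trailing comma).
filter_algos() {
  grep -Ev -- "$1" | paste -sd, -
}

# Constructed samples of `ssh -Q kex` and `ssh -Q cipher` output from an 8.x build.
SAMPLE_KEX='diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
gss-gex-sha1-
gss-group1-sha1-
gss-group14-sha1-'
SAMPLE_CIPHERS='3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'

# Exit 0 when the running daemon still offers a weak algorithm. `sshd -T` shows the
# effective configuration, including options injected by the system crypto policy,
# which is why the check is made after the restart and not against the file.
weak_still_active() {
  sshd -T 2>/dev/null | grep -Ei '^(kexalgorithms|ciphers) ' |
    grep -Eiq -- "$WEAK_KEX|$WEAK_CIPHERS"
}

harden_sshd() {
  local conf=/etc/ssh/sshd_config
  cp -p "$conf" "$conf.orig.$(date +%F)"
  {
    echo "KexAlgorithms $(ssh -Q kex | filter_algos "$WEAK_KEX")"
    echo "Ciphers $(ssh -Q cipher | filter_algos "$WEAK_CIPHERS")"
  } >>"$conf"
  sshd -t              # syntax check first: a broken config would lock you out
  systemctl restart sshd
  if weak_still_active; then
    echo "weak algorithms still offered: an earlier directive or the system crypto policy overrides the appended lines" >&2
    return 1
  fi
  echo "hardened:"
  sshd -T | grep -Ei '^(kexalgorithms|ciphers) '
}

if [ "${1:-}" = "--apply" ]; then
  harden_sshd
else
  # Dry run: show the lines that would be appended, computed from the samples.
  echo "KexAlgorithms $(printf '%s\n' "$SAMPLE_KEX" | filter_algos "$WEAK_KEX")"
  echo "Ciphers $(printf '%s\n' "$SAMPLE_CIPHERS" | filter_algos "$WEAK_CIPHERS")"
fi
```

Run with --apply as root from a session you keep open; if harden_sshd reports that weak algorithms are still offered, the crypto-policy step above is the one to follow next.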

Working with Oracle Linux Run Levels and Target Units

Run levels (SysV init) and targets (systemd) both describe the system's state: which services are running and whether the system is in single-user, multi-user or graphical mode. Oracle Linux 7 and later boot with systemd, and the seven SysV run levels survive only as compatibility aliases for targets. Knowing the mapping between them is useful for maintenance and troubleshooting.

Run Levels vs Targets

Run levels are the traditional SysV init way of naming the system's state. There are seven of them (0 to 6), each with a fixed purpose such as multi-user mode, single-user mode, halt and reboot.

Targets are the systemd equivalent. A target is a unit that groups other units (services, mounts, other targets) through dependencies, so the system's state is defined by which units a target pulls in rather than by a numbered directory of start scripts. That makes targets composable: you can define your own or add units to an existing one.

On systemd-based releases the run-level commands (init, runlevel, telinit) still work but are translated to targets internally: each runlevelN.target is a symlink to the corresponding systemd target. New work should use the target names directly.

Here are the seven run levels and the systemd target each one maps to on Oracle Linux:

0 - Halt (poweroff.target): shut the system down. All running processes are stopped and the machine powers off.

1 - Single-user mode (rescue.target): system maintenance. Only a minimal set of services and a root shell are started; networking is not.

2 - Multiuser mode without network services (multi-user.target): historically a multi-user mode with no network. Under systemd it is just another alias of multi-user.target, so it is not distinct from run level 3.

3 - Full multiuser mode (multi-user.target): multi-user mode with networking and all enabled services, but no graphical login.

4 - Not used (multi-user.target): unused. In SysV it was free for site-specific use; under systemd it is a third alias of multi-user.target.

5 - Full multiuser mode with graphical user interface (graphical.target): everything in run level 3 plus the display manager.

6 - Reboot (reboot.target): reboot the system.

Working with Run levels or Targets

Show the default target (the one the system boots into) and the previous and current run level; runlevel prints N for the previous one when there has been no change since boot

systemctl get-default
runlevel

List the targets that are currently active (add --all to include inactive ones)

systemctl list-units --type target

Changing between run levels in Oracle Linux: the SysV command still works through the compatibility layer

init <runlevel>

For example, to change to run level 5

init 5

The native equivalent is systemctl isolate graphical.target, which starts that target and stops every unit it does not require; for run level 3 the target is multi-user.target.

Change the default target used at the next boot (for example multi-user.target on a server that should not start a display manager)

systemctl set-default [new target]

It's important to note that changing the target stops every unit the new target does not require. For rescue.target that includes sshd and networking, so do not isolate the rescue or emergency targets over SSH unless you have console access. Stop services with unsaved state cleanly first.

In conclusion, understanding run levels and targets is important for administering Oracle Linux. Knowing the mapping lets you read older SysV-era instructions and carry them out with systemctl, and lets you move between maintenance, server and graphical states without surprises.

Issues and Solutions

These are some of the issues that I come across at work, noted down for future reference.

Issue 01

Problem: Route IPSec Tunnel Traffic via Local Peering Gateways

Solution

https://blog.lalantha.xyz/?action=view&url=oci-11

Issue 02

Problem: Fortigate IPsec tunnel goes down when it is idle

Solution

Enable auto-negotiation in the firewall

Issue 03

Problem: "No required SSL certificate was sent" on the load balancer

Solution

Disable peer-level verification on the listener

Issue 04

Problem: Instance up but no network connection

Solution

Check DHCP; start it manually with "dhclient -v eth0"

Issue 05

Problem: dhclient does not start automatically

Solution

Comment out the HWADDR and UUID entries

Issue 06

Problem: Add SSL Cert to Oracle Load Balancer

Solution

In the certificate field: the server certificate first, then the intermediate certificate
CA: the CA certificate
Key: the private key

Issue 07

Problem: OCI CLI 401 authentication error

Solution

Check the time on the server; it must not be more than 5 minutes off.
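A check for the clock skew behind Issue 07, added here as an example and not part of the original notes or of the OCI CLI: OCI request signing covers the Date header, and the service rejects a request whose Date is more than 5 minutes away from its own clock. The script compares two timestamps in any form GNU date accepts, and the optional live mode reads the Date header that the regional identity endpoint returns even to an unauthenticated request. The endpoint URL is an assumption (us-ashburn-1); the timestamps in the usage comments are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original notes: measure the clock skew that makes
# OCI reject signed requests with 401. The endpoint is an assumed region.
set -euo pipefail

MAX_SKEW=300   # seconds; OCI's tolerance for the signed Date header is 5 minutes

# Absolute difference in seconds between two timestamps that GNU date can parse,
# e.g. an HTTP Date header ("Mon, 01 Jan 2024 00:00:00 GMT") and an ISO 8601 time.
skew_seconds() {
  local a b
  a=$(date -u -d "$1" +%s)
  b=$(date -u -d "$2" +%s)
  echo $(( a > b ? a - b : b - a ))
}

# Exit 0 when the two clocks are within tolerance, 1 otherwise.
skew_ok() {
  [ "$(skew_seconds "$1" "$2")" -le "$MAX_SKEW" ]
}

# Live check: fetch only the response headers from the regional endpoint, take its
# Date header (the 4xx response still carries one) and compare with the local clock.
check_against_oci() {
  local endpoint="${1:-https://identity.us-ashburn-1.oraclecloud.com/}"
  local server_date local_date skew
  server_date=$(curl -sI --max-time 10 "$endpoint" |
    awk -F': ' 'tolower($1)=="date" {sub(/\r$/, "", $2); print $2}')
  [ -n "$server_date" ] || { echo "no Date header from $endpoint" >&2; return 2; }
  local_date=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
  skew=$(skew_seconds "$server_date" "$local_date")
  if skew_ok "$server_date" "$local_date"; then
    echo "clock ok: skew ${skew}s"
  else
    echo "clock skew ${skew}s exceeds ${MAX_SKEW}s: fix time sync (e.g. chronyc makestep) before retrying the CLI" >&2
    return 1
  fi
}

# usage: ./oci-skew.sh --live [endpoint]
if [ "${1:-}" = "--live" ]; then
  check_against_oci "${2:-}"
fi
```

The comparison is done against the service's own clock rather than an NTP server on purpose: that is the clock the signature is checked against, so it is the one a 401 investigation should start with.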