LinuxCBT feat. SUSE 10 Enterprise Edition Training Notes


 

LinuxCBT feat. SUSE 10 Enterprise Edition

Training Notes – 20061002.01

 

 

Table of Contents

Boot Process

Basic GNU/Linux/UNIX Command Line Interface (CLI) Utilities

Standard Linux Shell Rules

Secure Shell (SSH)

Virtual Network Computing (VNC)

RDesktop Client (RDP)

Name Resolution Utilities

NETSTAT

IFCONFIG

RPM

User & Group Creation/Management

File Permissions

Symbolic Links (Shortcuts)

Provisioning of additional file systems/mount points

RAID Partitions

Logical Volume Management - Disk Aggregation Mechanism

SWAP Storage Provisioning

SYSLOG-NG Implementation

Log Rotation

Cron - System Scheduler

Network Time Protocol (NTP)

BIND DNS Configuration

DHCPD - Server

Samba Services - Integrates Windows with Unix/Linux

Samba Web Administration Tool (SWAT)

Network File System (NFS)

Remote Synchronization (RSYNC)

Apache HTTPD - Web Server

Apache Logging

Virtual Hosts (VHOSTS)

MySQL Implementation

PHPMyAdmin - Implementation

Postfix MTA

Courier-MTA - IMAP

SquirrelMail - Web-based Mail integration

Pure-FTPD

Xen Virtualization

XINETD - Super Server

TCP Wrappers - tcpd

IPTables Implementation & Operation

IPTables Usage

Network Mapper (Nmap)

Nessus - Vulnerability Scanner

TCPDump - Packet Sniffer

Ethereal - Network Analysis Tool

Snort Network Intrusion Detection System (NIDS)

BASE Installation

Boot Process

 

1. BIOS - initializes hardware, then loads the boot loader from the Master Boot Record (MBR)

2. Grand Unified Boot Loader (GRUB) - Stage 1 (lives in the 512-byte MBR) -> Stage 1.5 (file system drivers: XFS, EXT2, EXT3, ReiserFS) -> Stage 2 (reads /boot/grub/menu.lst, presents the menu, loads the kernel and initrd)

3. OS (Linux) Kernel - initializes/detects/provides support for hardware, then mounts the root file system

4. INIT (PID=1) - starts the services listed for the target runlevel (each runlevel's rcN.d directory is complete in itself; runlevels are not cumulative)

 

###INIT - The First User-mode Process###

 /etc/inittab

 

Runlevel (0-6) Definitions (SUSE):

0 - halt/shutdown

1 - single user mode - NO networking, root only; used for maintenance

2 - local multi-user WITHOUT network (hence no NFS)

3 - full multi-user with network

4 - unused, reserved for ISVs, or for customization

5 - full multi-user with network and graphics (X11/X.org display manager)

6 - reboot

 

/etc/init.d/rcN.d runlevel directories (e.g. /etc/init.d/rc5.d)

 - Contain symlinks to the scripts in /etc/init.d

  + prefixed with K (Kill) or S (Start), followed by a two-digit sequence number

   - On entering a runlevel the K links are run first (stop), then the S links (start), each set in numerical order; i.e. K01acpid, K09apmd

 

 

Basic GNU/Linux/UNIX Command Line Interface (CLI) Utilities

 tty = reveals current Teletype Terminal (TTY)

 w = reveals currently logged-in sessions

 ls/dir(alias to ls -l)

 ls -lF - returns long format and '/' at the end of directories

 ls -lF | grep /

 touch - creates empty files / updates time stamps(atime/mtime) on objects

 rm - removes objects (files/directories/etc.)

 echo - echoes values and variables

 echo $? - returns exit status of previously-executed command

 set || env - reveals current shell variables

 pwd - returns working directory

 cd - changes directories; with no options, places us in HOME directory

 mkdir - creates a directory

 whoami - returns currently logged-in user

 su - switches users

 

BASH communicates user status (privileged/non-privileged) via the prompt:

 1. prompt that terminates with '#' reflects the 'root' user

 2. prompt that terminates with '$' (or '>' on SUSE) indicates a non-root user

 

 id - reveals id information (uid,gid,groups)

 cp - copies files(files/directories)

 mv - moves/renames files, and tries to preserve timestamp

 stat - returns properties (size,inode,atime,mtime,ctime,perms,etc.) of files

 

 

 

 

Standard Linux Shell Rules

STDIN - Standard In - Default = keyboard - redirected with '<'

STDOUT - Standard Out - Default = terminal (monitor) - redirected with '>' (overwrite) or '>>' (append)

STDERR - Standard Error - Default = the same terminal as STDOUT, but a separate stream - redirected with '2>'

ls deano.txt 2> error.txt - the error message (file does not exist) goes to error.txt instead of the screen

grep linuxcbt 2>&1 - sends STDERR to wherever STDOUT points at that moment; order matters: 'command > file 2>&1' captures both streams in file, whereas 'command 2>&1 > file' sends only STDOUT to file

 

File Descriptors:

0 = STDIN

1 = STDOUT

2 = STDERR

 

Piping - permits the connection of STDOUT & STDIN

cat test2.txt | grep directories | grep removes

 

Command Chaining - permits execution of multiple commands on one line

command1 && command2 - runs command2 ONLY IF command1 succeeds (exit status 0) - logical AND

command1 || command2 - runs command2 ONLY IF command1 fails (non-zero exit status) - logical OR

command1 ; command2 ; command3 - all commands execute in turn, regardless of exit status
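The redirection and chaining rules above are easiest to believe once you have watched STDERR go missing. The script below is an added example, not part of the LinuxCBT notes; it writes only to temporary files, and every function and file name in it is this example's own.

```shell
#!/bin/bash
# Added example (not from the LinuxCBT notes): redirection order, file
# descriptors and exit-status chaining, exercised against temp files.

# Writes one line to fd 1 (STDOUT) and one to fd 2 (STDERR).
emit_both() {
    echo "out-line"
    echo "err-line" >&2
}

# "> file 2>&1": fd 1 is pointed at the file first, then fd 2 is made a
# copy of fd 1, so BOTH streams land in the file. Returns them sorted,
# joined by a space.
capture_both() {
    f=$(mktemp)
    emit_both > "$f" 2>&1
    sort "$f" | paste -sd ' '
    rm -f "$f"
}

# "2>&1 > file": fd 2 copies wherever fd 1 points *at that moment* (here
# /dev/null, the subshell's own STDOUT) and only afterwards is fd 1 moved
# to the file. STDERR is therefore lost: only STDOUT is returned.
capture_stdout_only() {
    f=$(mktemp)
    ( emit_both 2>&1 > "$f" ) > /dev/null
    paste -sd ' ' < "$f"
    rm -f "$f"
}

# grep exits 0 on a match, 1 on no match, 2 on an error (e.g. missing
# file). $? must be read immediately, before any other command runs.
grep_status() {
    printf '%s\n' "$1" | grep -q linuxcbt && echo 0 || echo $?
}

# && runs the second command only on success, || only on failure.
describe() {
    printf '%s\n' "$1" | grep -q linuxcbt && echo "match" || echo "no match"
}

# Demo when run directly.
capture_both
capture_stdout_only
grep_status "linuxcbt suse 10"
grep_status "nothing here"
describe "nothing here"
```

Note that `grep -q` on a missing file returns 2, not 1, which is why scripts that test `$? -eq 1` to mean "no match" misbehave the moment a log file is rotated away.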

 

###More Key Shell Commands###

 file - determines the type of file queried

 which - identifies location in path of queried program

 history - returns list of recently-run commands, up to $HISTSIZE (1000 on SUSE)

 ~/.bash_history - stores the user's command history; anything typed on a command line, including passwords embedded in URLs (see the wget ftp:// example below), is recorded here in clear text

 ps -ef - returns ALL running programs - UID,PID,PPID,STIME,etc.

 top - returns top running programs

 

 

Common Clients - FTP, LFTP, Wget, SSH

 FTP - interactive client used to connect to FTP servers; credentials and data travel in clear text

 LFTP - supports many protocols (HTTP/FTP/HTTPS/etc.) and runs interactively/non-interactively (scripted)

 Wget - supports many protocols, however, runs non-interactively

wget http://192.168.1.197/SUSE10/suse/i586/MozillaFirefox-1.5.0.4-1.9.i586.rpm

 

wget ftp://linuxcbt:abc123@linuxcbtmedia1/1million.txt

Note: a password placed in the URL is visible to every local user via 'ps' while wget runs, and is saved in ~/.bash_history afterwards; prefer a ~/.netrc file (mode 600), which wget reads automatically

 

 

###Other basic utilities###

tar with gzip & bzip2 support

tar -czvf 1million.tgz 1million.txt - create (c), gzip (z), verbose (v), archive file name follows (f)

tar -cjvf 1million.tar.bz2 1million.txt - same, with bzip2 (j) compression

 

Secure Shell (SSH)

SSH - provides encrypted, authenticated communications for Telnet/FTP-like s
essions (remote shell, file transfer, port forwarding)

 

First outbound SSH connection to a host yields an entry in ~/.ssh/known_hosts (lists the host keys of trusted hosts)

File is appended as new connections are established

Note: on that first connection ssh shows the server's key fingerprint and asks whether to trust it (trust on first use); compare it with a fingerprint obtained out-of-band before answering yes, otherwise a man-in-the-middle is accepted permanently. A later 'host key has changed' warning means either a reinstalled server or an interception attempt, and must not be bypassed casually

 

Public-key (password-less) login

Must generate an RSA/DSA public/private key pair - 'ssh-keygen'

Note: the private key (~/.ssh/id_rsa) stays on the client, mode 600; protect it with a passphrase

Note: the public key (~/.ssh/id_rsa.pub) is appended to ~/.ssh/authorized_keys on the server; the server verifies a signature made with the private key, so the private key never travels over the network

Note: keys are user and host specific; each user on each client has their own pair

 

ssh-copy-id -i ~/.ssh/id_rsa.pub linuxcbtsuse2 - installs the public key into the remote authorized_keys file

 

SCP - SFTP - SSH

 

SCP - performs non-interactive, LFTP/Wget-like, file transfers over SSH

 

scp source_file user@host:destination_path - copies a local file to the remote host

scp linuxcbtsuse2:path_to_file local_path - copies a remote file locally; local_path may be '.' (current directory) or e.g. /tmp

 

 

SFTP - performs interactive, FTP-like transfers over SSH

sftp linuxcbtsuse2 - connects as the current local user (here 'linuxcbt') to the remote system

sftp root@linuxcbtsuse2 - connects as 'root' to the remote system

 

ALL sessions/transports are encrypted
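Key-based login fails silently more often through file permissions than through the keys themselves: sshd (with its default StrictModes yes) ignores ~/.ssh and authorized_keys when either is group- or world-writable. The script below, an added example rather than anything from the LinuxCBT notes, reproduces that check against a throw-away directory constructed here, fixes it the way ssh-copy-id should have left it, and shows how to pin a public key to a source network with the options documented in sshd(8). The key text and all names are this example's own.

```shell
#!/bin/bash
# Added example, not from the LinuxCBT notes: StrictModes-style permission
# check for an ssh directory, the fix, and a source-restricted key line.
# Works only on a temp directory created here, never on a real ~/.ssh.

# 0 if the path is writable by group or others, 1 otherwise.
gw_writable() {
    mode=$(printf '%d' "0$(stat -c %a "$1")")   # octal string -> decimal
    [ $((mode & 18)) -ne 0 ]                     # 18 == 022 octal (g+w, o+w)
}

# Prints "ok" and returns 0 when DIR and DIR/authorized_keys would pass
# StrictModes; otherwise prints the first problem and returns 1.
ssh_dir_ok() {
    if gw_writable "$1"; then
        echo "$1 is group/world-writable"; return 1
    fi
    if [ -f "$1/authorized_keys" ] && gw_writable "$1/authorized_keys"; then
        echo "$1/authorized_keys is group/world-writable"; return 1
    fi
    echo ok
}

# Tighten to the modes sshd expects: 700 on the directory, 600 on the file.
fix_ssh_dir() {
    chmod 700 "$1"
    if [ -f "$1/authorized_keys" ]; then chmod 600 "$1/authorized_keys"; fi
}

# Prefix a public-key line with options so it is only usable from the given
# network and cannot open tunnels: limits the damage of a stolen private key.
restrict_key() {   # restrict_key "<pubkey line>" <cidr>
    printf 'from="%s",no-port-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# Demo: a badly-permissioned directory, then the fix.
demo=$(mktemp -d)
mkdir -m 775 "$demo/.ssh"
echo "ssh-rsa AAAAB3NzaC1yc2E... linuxcbt@linuxcbtsuse1" > "$demo/.ssh/authorized_keys"  # constructed, not a real key
chmod 664 "$demo/.ssh/authorized_keys"
ssh_dir_ok "$demo/.ssh"
fix_ssh_dir "$demo/.ssh"
ssh_dir_ok "$demo/.ssh"
restrict_key "$(cat "$demo/.ssh/authorized_keys")" 192.168.1.0/24
rm -rf "$demo"
```

The `from=` restriction is enforced by sshd at authentication time, so a key copied off a laptop is useless from outside the listed network; combine it with a passphrase on the private key for the keys that automation (cron, rsync) cannot protect that way.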

 

Virtual Network Computing (VNC)

Note: Cross-platform capable

 - client (Windows/MAC OS X/Linux/Solaris/Unix)

 - client can differ from server

 

vncviewer - primary VNC client application

 

 

RDesktop Client (RDP)

 - Permits easy connections to Windows 2000/2003/TS4/XP Boxes

 

rdesktop -g 640x480 -a 16 192.168.1.102

 

 

Other key network utilities/clients

 

PING - uses ICMP to probe hosts on local and/or remote subnets

 - Default in Linux is to PING continuously until interrupted (Ctrl-C); -c N sends N probes

 - Default PING payload = 56 bytes, which with the 8-byte ICMP header gives the 64 bytes shown in the output

 - Default interval = 1 second

 - Default Time To Live (TTL) = 64

 - PING sends ICMP Echo Request packets & expects ICMP Echo Reply in return

 - ping linuxcbtsuse2

Note: no reply does not prove a host is down; many firewalls silently drop ICMP Echo

 

Traceroute - maps the path between 2 hosts by displaying the routers in between

Note: traceroute sends probes with a TTL of 1, 2, 3, ...; each router that decrements the TTL to zero discards the probe and returns an ICMP Time Exceeded message, which is what identifies that router as a hop in the output

 

traceroute destination - traceroute 192.168.1.102

Note: some firewalls/routers drop the probes or do not send ICMP Time Exceeded, so the hop appears as '* * *'; Linux traceroute uses UDP probes by default, so ICMP-only filtering affects ping and traceroute differently

 

Matt's Traceroute (MTR)

 

Address Resolution Protocol (ARP) - reveals ARP table - layer-2 addresses

arp

 

 

ARP resolution example:

linuxcbtsuse2 (host name, resolved via /etc/hosts or DNS) -> 192.168.1.197 (Layer-3 IP address) -> 00:12:3F:10:C6:93 (Layer-2 MAC address)

Note: ARP has no authentication; any host on the segment can answer for any IP (ARP spoofing), which is why 'arp -n' is worth checking when traffic behaves oddly

 

www.insecure.org - home of Nmap; also maintains a list of other security utilities

 

 

 

 

Name Resolution Utilities

 

/etc/nsswitch.conf - controls the resolution source/order

 

ping linuxcbtsuse2 -> hosts(/etc/hosts) -> DNS

 

/etc/nsswitch.conf

 -hosts:          files(/etc/hosts) dns(/etc/resolv.conf)

 

DIG - dig

 - queries standard DNS servers

 - dig linuxcbtsuse2.linuxcbt.internal

 - dig www.linuxcbt.com - queries the local DNS server (from /etc/resolv.conf) for this forward (A) record

 - dig linuxcbt.com mx - returns MX record type

 - dig -x 192.168.1.100 - performs a reverse (PTR) query

 - dig @ns1.linuxgenius.com www.linuxcbt.com - queries the named server directly, bypassing /etc/resolv.conf

 

 - host www.linuxcbt.com - returns A|CNAME records & IP address

 - hostname - returns local short hostname

 - hostname -f returns Fully-Qualified Domain Name (FQDN)

 

 

NETSTAT

 - displays open sockets; a TCP connection becomes ESTABLISHED after the 3-way handshake: client (1) SYN -> server (2) SYN-ACK -> client (3) ACK

Usage:

 - netstat - displays open sockets with name resolution (slow on a busy host, and each lookup is itself a DNS query)

 - netstat -n - displays open sockets without name resolution

 

Note: names are resolved using a combination of /etc/hosts & DNS

Note: services (ftp/http/etc.) are resolved via /etc/services

Note: protocols (tcp/udp/etc.) are resolved via /etc/protocols

client <-> server

man netstat - explore socket states

Important states:

 - ESTABLISHED - handshake complete, data may flow

 - LISTEN - server socket waiting for incoming SYNs

 - SYN_SENT - client sent SYN, waiting for SYN-ACK from the remote system

 - SYN_RECV - server received a SYN and sent SYN-ACK, waiting for the final ACK (half-open); large numbers of SYN_RECV entries indicate a SYN flood

 - FIN_WAIT1 - local side sent FIN, awaiting ACK of the shutdown

 

 - netstat -a - reveals ALL sockets, listening and non-listening

 - netstat -i - displays network interfaces

 - netstat -s - displays protocol stats

 - netstat -rn - displays the routing table, numerically

 - netstat -nl - listening sockets only; netstat -ntl - TCP listeners; netstat -nul - UDP listeners (add -p as root to see the owning PID/program, the quickest inventory of what a host exposes)
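Reading socket states by eye stops working at a few hundred lines. The following is an added example (not from the LinuxCBT notes) that summarises `netstat -nt` output with awk and flags the half-open pile-up that marks a SYN flood. The netstat output embedded in it is constructed for the example; on a real host pipe `netstat -nt` into the functions instead.

```shell
#!/bin/bash
# Added example, not from the LinuxCBT notes: summarise TCP socket states
# from "netstat -nt" output and spot a SYN flood (many SYN_RECV from one
# peer). The sample output below is constructed for this example.

sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.40:22         192.168.1.197:51002     ESTABLISHED
tcp        0      0 192.168.1.40:80         10.0.0.5:40001          SYN_RECV
tcp        0      0 192.168.1.40:80         10.0.0.5:40002          SYN_RECV
tcp        0      0 192.168.1.40:80         10.0.0.5:40003          SYN_RECV
tcp        0      0 192.168.1.40:80         172.20.10.9:3345        SYN_RECV
tcp        0      0 192.168.1.40:25         192.168.1.102:1042      FIN_WAIT1
EOF
}

# count_state STATE < netstat-output : number of TCP sockets in STATE.
count_state() {
    awk -v want="$1" '$1 == "tcp" && $6 == want { n++ } END { print n + 0 }'
}

# Foreign host (port stripped) with the most half-open connections,
# printed as "count ip".
top_syn_peer() {
    awk '$1 == "tcp" && $6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); c[$5]++ }
         END { for (ip in c) if (c[ip] > max) { max = c[ip]; top = ip }
               print max + 0, top }'
}

# Returns 0 (and names the offender) when one peer holds at least
# THRESHOLD half-open connections, 1 otherwise.
syn_flood_suspect() {   # syn_flood_suspect THRESHOLD < netstat-output
    set -- "$1" $(top_syn_peer)
    if [ "$2" -ge "$1" ]; then
        echo "$3 has $2 half-open connections"; return 0
    fi
    return 1
}

sample_netstat | count_state SYN_RECV
sample_netstat | syn_flood_suspect 3
```

A real flood usually spoofs its source addresses, so the per-peer count stays low while the total SYN_RECV count climbs; watch both numbers, and remember that the kernel's SYN cookies (net.ipv4.tcp_syncookies) are the mitigation, not netstat.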

 

 

IFCONFIG

 - ifconfig eth2 down - downs the eth2 interface

 - ifconfig -a - displays ALL (active/inactive) interfaces

 - ifconfig eth2 172.20.10.1

Note: assigning an address to an inactive interface usually activates it

Note: omitting the subnet mask when defining an interface causes Linux to derive both subnet mask and broadcast address from the old classful rules (172.20.x.x = class B = /16), which is rarely what is wanted

 - ifconfig eth2 172.20.10.1 netmask 255.255.255.0

Alias/sub-interface configuration:

 - ifconfig eth0:1 192.168.1.41 netmask 255.255.255.0 - a /24

 - ifconfig eth0:2 192.168.1.42

 

Note: ifconfig changes are lost at reboot; /etc/sysconfig/network stores the persistent interface (ifcfg-*) and global network configuration files

 

 

RPM

 - permits the querying/installation/upgrade/freshen/removal/verification of packages

Query existing packages:

 - rpm -qa - lists ALL installed packages

 - rpm -ql name_of_package; i.e. rpm -ql rdesktop - lists the files a package installed

 - rpm -qpl package_file.rpm - queries a package file on the file system (not yet installed)

 

Install packages:

 - rpm -ivh - installs packages

 - rpm -Uvh - upgrades/installs packages

Note: check a downloaded package's GPG signature before installing it (rpm --checksig package_file.rpm); an unsigned or badly-signed package from a mirror is the classic way a trojaned binary reaches a server

 

Remove packages:

 - rpm -e - removes package

 

Freshen packages:

 - package will be updated ONLY if it already exists

 - rpm -Fvh package_name

 

Verify packages:

 - rpm -V name_of_package (or rpm -Va for everything) - compares the installed files (size, MD5 digest, mode, owner, mtime) against the RPM database; a changed digest or mode on a binary warrants investigation
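`rpm -Va` prints a line for every file that differs from the database, and on a live system most of those are config files that are supposed to differ. This added example (not from the LinuxCBT notes) parses that output so that the lines worth a second look, changed digests or modes on non-config files and files that have vanished, are separated from timestamp and ownership noise. The verify lines embedded below are constructed for the example; on a real host pipe `rpm -Va` into `suspicious_files`.

```shell
#!/bin/bash
# Added example, not from the LinuxCBT notes: triage "rpm -Va" output.
# Each line carries eight verify flags (S size, M mode, 5 MD5 digest,
# D device, L link, U user, G group, T mtime; "." = unchanged), an
# optional "c" marking a config file, and the path; "missing" means the
# file is gone. A changed digest or mode on a NON-config binary is what a
# trojaned file looks like. Lines below are constructed for this example.

sample_verify() {
cat <<'EOF'
S.5....T  c /etc/ssh/sshd_config
..5....T    /bin/ls
.M......    /usr/bin/passwd
.......T    /usr/bin/sudo
missing     /usr/sbin/tcpd
.....UG.    /var/log/lastlog
EOF
}

# Prints "reason path" for each file needing review; config files (the
# "c" marker) are skipped because they drift legitimately, and
# timestamp-only changes are ignored.
suspicious_files() {
    awk '
        $1 == "missing"                  { print "missing", $NF; next }
        NF == 3 && $2 == "c"             { next }
        index($1, "5")                   { print "digest-changed", $NF; next }
        index($1, "M")                   { print "mode-changed", $NF; next }
        index($1, "U") || index($1, "G") { print "owner-changed", $NF }
    '
}

# Exit 0 when nothing needs a look, 1 otherwise.
verify_clean() {
    [ -z "$(suspicious_files)" ]
}

sample_verify | suspicious_files
```

One caveat a practitioner should keep in mind: the RPM database lives on the same disk an intruder controls, so a clean `rpm -Va` after a compromise proves little. Verify against the original package files (`rpm -Vp package.rpm`) or from trusted media, and treat a `missing` tcpd or a re-digested `ls` as a reason to rebuild, not repair.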

 

User & Group Creation/Management

Note: /etc/passwd is the default user database (world-readable)

 - linuxcbt:x:1000:100:linuxcbt:/home/linuxcbt:/bin/bash

 - username:password placeholder ('x' = the hash lives in /etc/shadow, readable by root only):UID:GID (primary):Description/Full Name:Home Directory:Shell

Note: /etc/skel houses template files copied into the home directory of every newly-created user, whether created with YaST or with 'useradd -m'

 

Manual user creation:

 -useradd username

 

Manual group creation:

 -groupadd groupname

 

Note: create group(s) first, then create user, assigning user to group(s)

 

usermod/groupmod
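Manual useradd/groupadd work leaves /etc/passwd open to a handful of mistakes that are invisible until someone uses them: a second UID-0 account, two names on one UID, an empty password field, a service account with a real shell. The script below is an added example, not from the LinuxCBT notes, and runs the checks over a passwd fragment constructed here; on a real system feed it `/etc/passwd`. Account names in the sample are invented.

```shell
#!/bin/bash
# Added example, not from the LinuxCBT notes: sanity checks over
# /etc/passwd after manual account changes. The sample below is
# constructed; replace "sample_passwd |" with "< /etc/passwd" for real.

sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
linuxcbt:x:1000:100:linuxcbt:/home/linuxcbt:/bin/bash
guest::1001:100:guest:/home/guest:/bin/bash
deano:x:1000:100:deano:/home/deano:/bin/bash
EOF
}

# Accounts with UID 0 other than root: each one is a second root login.
uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" { print $1 }'; }

# Two names sharing one UID are the same identity to the kernel (file
# ownership, process signals, sudo rules). Prints "uid name1 name2 ...".
shared_uids() {
    awk -F: '{ n[$3] = n[$3] " " $1; c[$3]++ }
             END { for (u in c) if (c[u] > 1) print u n[u] }'
}

# An empty second field means NO password at all (not even a shadow
# lookup): "su name" succeeds without a prompt.
no_password() { awk -F: '$2 == "" { print $1 }'; }

# System accounts (UID below 1000 on SUSE) that keep a real login shell;
# service accounts should get /bin/false or /sbin/nologin.
system_with_shell() {
    awk -F: '$3 != 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

echo "UID 0 accounts:";              sample_passwd | uid0_accounts
echo "shared UIDs:";                 sample_passwd | shared_uids
echo "no password:";                 sample_passwd | no_password
echo "system accounts with a shell:"; sample_passwd | system_with_shell
```

`usermod -u` and `useradd -o` are how duplicate UIDs get created deliberately; if one turns up that nobody remembers creating, treat it as a backdoor until proven otherwise.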

 

File Permissions

The first 10 characters of 'ls -l' output show the object type and its permission bits

Directory = drwxrwxrwx = 777 = FULL permissions

File = -rwxrwxrwx = 777 = FULL permissions

 

character 1 = object type (- file, d directory, l symlink, c character device, b block device, etc.)

characters 2,3,4 = permissions for the owner of the object

characters 5,6,7 = permissions for the group owner of the object

characters 8,9,10 = permissions for ALL others

 

 

drwxr-xr-x 2 linuxcbt users       168 2006-09-08 11:22 temp2

rwx=7, r-x=5, r-x=5 = 755

-rw-r--r-- 1 linuxcbt users      1736 2006-09-06 12:01 test2.txt

rw-=6, r--=4, r--=4 = 644

 

Note: as per the default umask, new directories get 755 and new files get 644

Note: directories require 'x' permission to permit entry

 

umask = 0022

Effective default permissions = base permissions AND NOT umask (a bitwise mask, not a subtraction)

 

directories start from 0777, files from 0666 (files are never created executable by default)

0777

AND NOT 0022

0755 = effective default directory permissions

0666 AND NOT 0022 = 0644 = rw-, r--, r--

Note: the subtraction short-cut gives the wrong answer as soon as a umask bit is not set in the base; e.g. umask 0027 on a new file yields 0640, not 0637

 

The 'x' bit applied to files means the file is executable, however, applied to directories, permits entry into (traversal of) the directory.

 

Octal values for permissions:

r = 4

w = 2

x = 1

Total = 7

 

Change permissions using 'chmod'

-rw-r--r-- 1 linuxcbt users    588895 2006-09-08 15:27 Salaries.xls

rw-, r--, --- = 640 - owner may read/write, group may read, others nothing

 

chmod 640 Sal* && ls -l Sal*

 

Note: root ALWAYS has access to ALL files; permission bits restrict ordinary users only

chmod 600 Sal* && ls -l Sal* - owner only

chmod 744 temp2

 

ls -ld temp2 - enumerates permissions, ownership, etc. associated with the 'temp2' directory itself (without -d, ls lists its contents instead)

 

chmod u=rw,g=r,o=r - symbolic form of 644 ('=' sets exactly these bits; '+'/'-' add or remove bits and leave the rest as they were)

 

u = user/owner of object

g = group ""

o = other ""

a = u,g,o

 

chmod a-r Salaries.txt

 

Change Ownership of objects (files & directories) using 'chown'

chown linuxcbt test.txt

chown user:group object ('user.group' is the older, still accepted spelling)

chown linuxcbt:project1 test.txt

Note: only root may chown a file to another user; a user may change the group of their own file only to a group they belong to

 

SETUID

Causes an executable to run with the effective UID of the file's OWNER rather than that of the user running it; usually root

test_script.pl, test_script.sh

Note: Linux ignores the setuid bit on scripts (anything run through a #! interpreter); it only takes effect on binaries. Every setuid-root binary is a privilege-escalation target, so keep the set small and audit it

 

 

-rw-r--r-- 1 linuxcbt users    588895 2006-09-08 15:27 Salaries.xls

0644

Note: the leading octal digit represents SETUID (4), SETGID (2) and sticky (1)

 

chmod 4644 Salaries.xls

 

SETUID FILE:

-rwSr--r-- 1 linuxcbt project1 588895 2006-09-08 15:27 Salaries.xls

Note: the capital 'S' means the bit is set but the owner has no 'x' bit, so it has no effect; a working setuid executable shows a lower-case 's' (i.e. -rwsr-xr-x)

 

i.e. /bin/su = SETUID root executable (that is how a non-root user obtains a root shell after authenticating)

 

stat object name - returns permissions/metadata about the object

 

 

SETGID

On a directory: files and sub-directories created inside inherit the directory's group instead of the creator's primary group, which is how a shared project directory keeps a single group owner

chmod 2770 project1 && ls -ld project1

 

Sticky

Used to allow users to share a directory but ONLY delete/rename their own files: /tmp (drwxrwxrwt = 1777)
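The umask arithmetic and the three special bits above are easiest to check by creating files and reading the result back. This added example (not from the LinuxCBT notes) does that in a temporary directory: it reports the mode a new file or directory really gets under a given umask, classifies a setuid bit as effective or not (the `S` versus `s` distinction), and runs the `find` that every post-install or post-incident audit should include. File names are the example's own; the `Salaries`/`project1` cases mirror the notes.

```shell
#!/bin/bash
# Added example, not from the LinuxCBT notes: umask, setuid/setgid and the
# sticky bit demonstrated on throw-away files, plus a setuid/setgid audit.

# Mode a new file or directory actually gets under umask $1. It is a
# bitwise AND with the complement, not a subtraction: files start from
# 666, directories from 777.
created_mode() {   # created_mode <umask> file|dir
    d=$(mktemp -d)
    ( umask "$1"
      if [ "$2" = dir ]; then mkdir "$d/new"; else : > "$d/new"; fi
      stat -c %a "$d/new" )
    rm -rf "$d"
}

# "none" if no setuid bit; "ineffective" if set without an owner x bit
# (ls shows a capital S); "effective" when both are set (lower-case s).
setuid_state() {   # setuid_state <path>
    mode=$(printf '%d' "0$(stat -c %a "$1")")    # octal -> decimal
    if [ $((mode & 2048)) -eq 0 ]; then echo none          # 2048 = 04000
    elif [ $((mode & 64)) -eq 0 ]; then echo ineffective   # 64 = 0100 (u+x)
    else echo effective; fi
}

# Every setuid or setgid regular file under a tree, sorted.
find_special() {   # find_special <dir>
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Demo
work=$(mktemp -d)
created_mode 022 dir; created_mode 022 file         # 755, 644
created_mode 027 file                               # 640 (not "639")
: > "$work/Salaries"; chmod 4644 "$work/Salaries"
: > "$work/tool";     chmod 4755 "$work/tool"
setuid_state "$work/Salaries"                       # ineffective
setuid_state "$work/tool"                           # effective
mkdir "$work/project1"; chmod 2770 "$work/project1"; stat -c %a "$work/project1"  # 2770
mkdir "$work/shared";   chmod 1777 "$work/shared";   stat -c %a "$work/shared"    # 1777
find_special "$work"
rm -rf "$work"
```

Run `find_special /` once after installation and keep the list; a setuid file that was not on it, or a world-writable directory without the sticky bit, is the kind of change worth an alert rather than a note.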

 

'chgrp' is used to change group ownership

 

 

Symbolic Links (Shortcuts)

Note: 2 types of link exist; Soft (symbolic) & Hard

 

Soft Links:

 - Ability to reference objects (files & directories) within & across file systems

 

ln -s  source destination

 

 

Note: Soft links store a path name; if the target is removed or renamed the link dangles. Because a process follows the link to wherever it currently points, soft links in world-writable directories are a classic way to trick a privileged program into writing to the wrong file (the reason /tmp is sticky)

Note: Hard links are additional names for the SAME inode; the data persists until the last name is removed. Hard links cannot cross file systems and (for ordinary users) cannot point at directories

 

ln source destination - within the SAME file system, creates a HARD link
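The inode rule is what separates the two link types in practice: remove the original and the hard link still reads, while the soft link dangles. This added example (not from the LinuxCBT notes) builds both in a temporary directory and reports what `stat` sees before and after the deletion; file names are the example's own.

```shell
#!/bin/bash
# Added example, not from the LinuxCBT notes: hard versus soft links seen
# through inode numbers, and what each does when the original is removed.

# Prints "same-inode" or "different-inode" for two paths.
same_inode() {
    if [ "$(stat -c %i "$1")" = "$(stat -c %i "$2")" ]; then echo same-inode
    else echo different-inode; fi
}

# "dangling" for a symlink whose target is gone, "live" otherwise.
link_state() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then echo dangling; else echo live; fi
}

# Builds the scenario from the notes and reports, line by line:
#   inode comparison for the hard link, for the soft link, the link
#   count of the original, then "<content via hard link>/<soft link state>"
#   after the original has been deleted.
link_demo() {
    d=$(mktemp -d)
    echo "payroll data" > "$d/original"
    ln    "$d/original" "$d/hard"          # second name for the SAME inode
    ln -s "$d/original" "$d/soft"          # a file whose content is a path
    same_inode "$d/original" "$d/hard"     # same-inode
    same_inode "$d/original" "$d/soft"     # different-inode (stat reads the link itself)
    stat -c %h "$d/original"               # link count: 2
    rm "$d/original"
    echo "$(cat "$d/hard")/$(link_state "$d/soft")"   # payroll data/dangling
    rm -rf "$d"
}

link_demo
```

The link count from `stat -c %h` is also how you find out whether "deleting" a sensitive file actually removed its data: with a count above 1 another name still holds the inode.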

 

 

Provisioning of additional file systems/mount points

new mount point = /app1

 

2 shell utilities can be used to create partitions:

 1. fdisk - interactive; 'fdisk -l' lists the partition tables of all disks

 2. parted - defaults to the first disk unless given a device

 

Note: the extended partition usually occupies the remaining space on the disk and is then carved into logical partitions

Note: You may create an extended partition without first using all 3 primary partitions

 

Typical disk layout on i386-compatible systems:

 1. Primary

 2. Primary

 3. Primary

 4. Extended - occupies remaining cylinders on disk

    - n number of logical partitions begining with #5; i.e. /dev/sdb5

 

Note: newly-created mount points need NOT exist off the root of the file system

Note: every ext2/ext3 file system contains a 'lost+found' directory, where fsck places orphaned files

 

RAID Partitions

/, /boot = standard (ext3/reiserfs) non-LVM, non-RAID partitions

All other partitions/mount points may be RAID/LVM

 

RAID-0 (striping) - offers speed and capacity, but NO REDUNDANCY; losing one member loses the whole volume

 - Requires at least 2 partitions/disks

 - Creates a volume that spans the member partitions/disks

Note: Create RAID/LVM partitions on separate disks to realize performance benefits (and, for RAID-1/5, any redundancy at all)

 

 - Must create unformatted partitions of type 0xFD (Linux raid autodetect) or 0x83 (Linux)

 - RAID-0 partitions need NOT be identical in size

Note: DO NOT format individual RAID component partitions; the file system goes on the /dev/mdN device

 

RAID-0 (10GB) - /raidvolumes/app2

 -/dev/sdb6 (5GB)

 -/dev/sdc7 (5GB)

Note: first RAID volume is created @ /dev/md0 (/raidvolumes/app2)

 

 

RAID-1 (mirroring) - Partition (5GB usable from 2 x 5GB members) - /raidvolumes/app3 - survives the loss of one member

 -/dev/sdb7 (5GB)

 -/dev/sdc8 (5GB)

/dev/md1

 

 

RAID-5 (striping with distributed parity) Partition (10GB usable from 3 x 5GB members, i.e. n-1 disks of capacity) - /raidvolumes/app4 - survives the loss of one member

 -/dev/sda3 (5GB)

 -/dev/sdb8 (5GB)

 -/dev/sdc9 (5GB)

/dev/md2

 

Logical Volume Management - Disk Aggregation Mechanism

 - Facilitates the aggregation of various sized volumes into usable storage

 - Allows dynamic resizing volumes

 - Use LVM/RAID for non-root (/) and non-boot (/boot) mount points

 

Create the underlying/supporting partitions (type 0x8E Linux LVM, or 0x83) and DO NOT FORMAT them

 

LVM-VOL1 - 27GB

 -/dev/sda3 (10GB)

 -/dev/sdb5 (5GB)

 -/dev/sdc7 (12GB)

 

Volume Group(system) - Consists of n volumes

 -n logical volumes (typically 1-to-1)

 

Volume groups facilitate the aggregation of partitions/disks

Logical volumes facilitate the segmentation of volume groups

 

File system structure for LVM-managed volumes:

/dev/<volume group name>/<logical volume> - the volume group represents all underlying partitions/disks; the logical volume is what receives a file system and is mounted

 

SWAP Storage Provisioning

free -m

swapon -s - displays current swap space(file(s)/partition(s))

 

Swap Files

 - dd if=/dev/zero of=/swapfile1 bs=1024 count=524288 - a 512 MB file

 - make the file readable and writable by root only (mode 0600): swap holds pages of process memory, including passwords and keys, so it must not be readable by other users

 - mkswap /swapfile1

 - swapon /swapfile1

 - update /etc/fstab

  + /swapfile1 swap swap defaults 0 0

 

 

SYSLOG-NG Implementation

Extends traditional Syslog capabilities

 

Note: Facilities and Levels are supported to route messages

 - Facility - identifies unique source of message

 - Levels - identifies the severity of the message

   +Debug

   +Info

   +Notice

   +Warning

   +Error

   +Crit

   +Alert

   +Emerg

 

Note: a SYSLOG-NG configuration consists of the following components:

 1. Source - where to get messages (Unix syslog socket, /proc/kmsg, UDP/TCP port 514 from the network)

 2. Filter rules (facilities/levels/pattern matching)

 3. Destination (file / other syslog or syslog-ng hosts (UDP/TCP) / console (TTYs) / Unix datagrams / program)

 

Note: network listening using UDP is disabled by default; once enabled, remember that syslog over UDP is unauthenticated: any host that can reach port 514 can inject or spoof messages, so restrict senders with IPTables and prefer TCP where the sender supports it

 

level(error..emerg) - a filter may name a range of levels

 

Note: 'log' directive combines the 3 important components of Syslog-NG:

 1. source

 2. filter

 3. destination

 

 

Note: edit /etc/syslog-ng/syslog-ng.conf to enable UDP listener

 

###Filter to match messages arriving on facility local2###

filter f_cisco_pix { facility(local2); };

 

###Destination for messages matching the filter###

destination d_cisco_pix { file("/var/log/ciscopix.log"); };

 

###Log statement that ties source, filter and destination together###

log { source(src); filter(f_cisco_pix); destination(d_cisco_pix); };

Note: 'src' is the source already defined in SUSE's default syslog-ng.conf (local sockets); a UDP network source must be defined separately and named in the log statement

 

###Log to a remote host as well###

Note: a destination name may be defined only once, so this replaces the earlier d_cisco_pix definition rather than adding to it

destination d_cisco_pix { file("/var/log/ciscopix.log"); udp("192.168.1.197"); };
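The notes say to enable the UDP listener but do not show it. The following is an added example, not from the LinuxCBT notes, of the complete set of statements for receiving Cisco PIX messages over UDP 514 and relaying the severe ones to a second collector, in the syslog-ng 1.6 syntax SUSE 10 ships. Facility local2, the log file and the collector address 192.168.1.197 come from the notes; the listener address 192.168.1.40 and the names `net`, `f_pix_severe` and `d_collector` are assumptions for this example.

```conf
# Added example, not from the LinuxCBT notes.

# Listen on UDP 514 (off by default on SUSE). Bind to the management
# interface only: UDP syslog is neither authenticated nor encrypted,
# so anyone who can reach the port can inject or spoof lines. Pair
# this with an IPTables rule that accepts 514/udp from the PIX alone.
source net {
    udp(ip("192.168.1.40") port(514));
};

# PIX traffic arrives on facility local2; split out the severe part.
filter f_cisco_pix  { facility(local2); };
filter f_pix_severe { facility(local2) and level(error..emerg); };

# Firewall logs describe the network; keep the file root-readable.
destination d_cisco_pix { file("/var/log/ciscopix.log" perm(0640)); };
destination d_collector { udp("192.168.1.197" port(514)); };

# One log statement per route; a message may match several.
log { source(net); filter(f_cisco_pix);  destination(d_cisco_pix); };
log { source(net); filter(f_pix_severe); destination(d_collector); };
```

After editing, restart with `rcsyslog restart` and confirm with `netstat -nul` that 514/udp is bound to the intended address only.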

 

 

Log Rotation

/etc/logrotate.conf - includes all files in /etc/logrotate.d

man logrotate

/var/log/ciscopix.log {

    daily

    compress

    dateext

    #maxage 365

    rotate 1000

    #size 2048k

    notifempty

    missingok

    copytruncate

    postrotate

        /etc/init.d/syslog reload

    endscript

}

 

Note: 'copytruncate' copies the live file and then truncates it in place, so the daemon keeps writing to the same inode and no reload is strictly needed (a few lines can be lost between the copy and the truncate); without copytruncate the postrotate reload is required so that syslog-ng reopens the new file

Note: rotated copies keep the permissions of the original, so keep /var/log/ciscopix.log readable by root only; firewall logs reveal your network layout

logrotate -f /etc/logrotate.conf - forces log rotation

 

Cron - System Scheduler

 1. Schedule using global scheduler - /etc/crontab (plus /etc/cron.hourly, cron.daily, cron.weekly, cron.monthly)

 2. Schedule on a per-user basis - /var/spool/cron (tabs/ sub-directory on SUSE: root, linuxcbt, etc.) - edited with 'crontab -e', never directly

 

Note: Cron checks the modification time of the global and per-user files every minute, so changes need no restart

 

Note: /etc/cron.allow and /etc/cron.deny control who may use crontab: if cron.allow exists, only the users listed in it may schedule jobs; otherwise everyone not listed in cron.deny may. On a server keep cron.allow to the accounts that need it

 

m(0-59) h(0-23) dom(1-31) mon(1-12) dow(Sun,Mon,Tue or 0-7) user_to_run_job_as command_to_run

Note: for Day of Week (dow) field 0 & 7 are both Sunday

Note: commands in /etc/crontab run with the named user's privileges; a world-writable script referenced from a root entry is a root compromise waiting to happen

 

 

 

###Global Crontab Entry###

#m  h     dom mon dow    user    command

*   *     *   *   *      root    ping -c 3 linuxcbtsuse2 >> /root/ping_linuxcbtsuse2.txt

*/5 12-16 *   *   *      root    ping -c 3 linuxcbtsuse2 >> /root/ping_linuxcbtsuse2.txt

(first entry: every minute; second: every 5 minutes between 12:00 and 16:59)

 

###Per-user Crontabs:###

m(0-59) h(0-23) dom(1-31) mon(1-12) dow(Sun,Mon,Tue or 0-7) command_to_run

 

* * * * *    ping -c 3 linuxcbtsuse2 >> /home/linuxcbt/ping_linuxcbtsuse2.txt

 

 

Network Time Protocol (NTP)

 1. Synchronizes your SUSE box's clock

 2. creates a hierarchy of synchronization hosts

 

Stratum numbers run from 0 to 15; 16 means 'unsynchronized'

 0 - reference clock (GPS/radio) attached to a server

 1 - server directly attached to a stratum-0 source - most accurate

 2 - relies upon stratum 1 for synch.

 3 - relies upon 2 ...

 

Note: Try to synch with at least 3 clocks, so that one bad or spoofed source can be out-voted

Note: accurate time is a security control, not a convenience: log correlation across hosts, Kerberos/AD ticket validity and certificate expiry all depend on it

 

 1 - Externally-connected time source

   +2 - 0.pool.ntp.org, 1.pool.ntp.org, ntp0.cornell.edu

     -3 Our Clock

       +4 Internal hosts relying upon our Stratum-3 clock

 

chkconfig ntp on - enables the NTP service upon subsequent reboots

Note: SUSE's default ntp.conf synchronizes to the local (undisciplined) clock only, until real servers are added; keep the 'restrict' lines so that remote hosts cannot query or modify the daemon

 

ntpq -np - returns the servers currently used to synch time; the peer marked '*' is the one selected

 

 

 

BIND DNS Configuration

Not installed by default

 

/etc/named.conf - primary configuration file of BIND(caching-only/Primary/Secondary)

 

BIND runs in the following modes:

 1. Caching-only - resolves Internet queries

 2. Primary - authoritative for 1 or more zones

 3. Secondary - authoritative secondary server for 1 or more zones

 

client -> linuxcbtsuse1 -> /etc/resolv.conf - > perform query -> return results

 

Configured linuxcbtsuse2 with BIND and started as a caching-only server

 

 

/etc/named.conf

 

Note: configure the 'forwarders' directive to nominate the name servers BIND itself uses for queries it is not authoritative for. Without forwarders BIND resolves iteratively from the root servers (it does not read /etc/resolv.conf; that file configures the resolver library used by client programs)

 

. = root of the name space

 com, edu, mil, gov = top-level domains (TLDs)

 linuxcbt.com = 2nd-level domain

 

0.0.127.in-addr.arpa - reverse zone for 127.0.0.x (loopback)

1.168.192.in-addr.arpa - reverse zone for 192.168.1.x (octets reversed)

 

zone "linuxcbt.internal" in {

        type master;

        file "linuxcbt.internal.zone";

};

 

zone "1.168.192.in-addr.arpa" in {

        type master;

        file "master/192.168.1.zone";

};

 

 

###Slave configuration - linuxcbtsuse2 (.197)###

zone "linuxcbt.internal" in {

        type slave;

        masters { 192.168.1.40; };

    file "slave/linuxcbt.internal.zone";

};

 

zone "1.168.192.in-addr.arpa" in {

        type slave;

        masters { 192.168.1.40; };

    file "slave/192.168.1.zone";

};

 

Note: the slave pulls the zone from the master via zone transfer (AXFR) and, because a 'file' directive is given, stores a copy on disk under /var/lib/named/slave; without 'file' it lives in memory only and is re-fetched at every start

Note: restrict zone transfers with 'allow-transfer' on the master (to the slave's address only); an open transfer hands a complete map of the network to anyone who asks
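The master/slave statements above work, but as written any host may transfer the zones and the server answers recursive queries for the whole Internet. The following is an added example, not from the LinuxCBT notes, of the `options` and per-zone settings that close both gaps. Addresses follow the notes (master 192.168.1.40, slave 192.168.1.197, SUSE's chrooted directory /var/lib/named); the acl name `lan` is this example's own, and the master and slave sections belong in the named.conf of their respective servers, not in one file.

```conf
// Added example, not from the LinuxCBT notes.

acl lan { 127.0.0.1; 192.168.1.0/24; };

options {
    directory "/var/lib/named";
    // Recursion (resolving Internet names) for the LAN only: an open
    // recursive resolver is used for cache poisoning and amplification.
    allow-recursion { lan; };
    allow-query     { lan; };
    // Transfers are off for every zone unless a zone re-enables them.
    allow-transfer  { none; };
    version "not disclosed";
};

// --- on the master (192.168.1.40) ---
zone "linuxcbt.internal" in {
    type master;
    file "master/linuxcbt.internal.zone";
    allow-transfer { 192.168.1.197; };   // the slave, nothing else
    notify yes;                          // tell the slave about changes
};

// --- on the slave (192.168.1.197) ---
zone "linuxcbt.internal" in {
    type slave;
    masters { 192.168.1.40; };
    file "slave/linuxcbt.internal.zone";
    allow-transfer { none; };            // nobody downstream of the slave
};
```

Verify from a host outside the acl with `dig @192.168.1.40 linuxcbt.internal axfr`; the expected answer is "Transfer failed", and `named-checkconf` catches syntax errors before `rcnamed restart` does.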

 

 

DHCPD - Server

 

Note: automatic configuration of Layer-3 IP address information (address, mask, gateway, DNS servers)

Uses broadcasts and UDP (client port 68, server port 67) to exchange configuration information

DORA

D = Discover - client broadcasts (destination 255.255.255.255 / ff:ff:ff:ff:ff:ff) for DHCP servers on the subnet

O = Offer - a server proposes an IP address and configuration

R = Request - client broadcasts which offer it accepts (so other servers withdraw theirs)

A = Acknowledgement from the server that the lease is granted

Note: nothing in DORA authenticates the server; a rogue DHCP server on the segment can hand out its own gateway/DNS and redirect every client

 

DHCP Configuration includes global, subnet-specific and optionally host-specific info

 

Use YaST2 or configure manually

 

YaST requires the specification of DHCP interfaces, in order to service the subnet connected to the interface

 

Note: Default SuSE DHCP Server runs in chrooted environment

 

DHCPD's root = /var/lib/dhcp

 

host linuxcbtwin2 {

 hardware ethernet 00:10:a4:ed:a0:4d; # appears in DORA process

 fixed-address 192.168.1.102;

}

 

###Very Secure File Transfer Protocol Daemon (VSFTPD)###

Note: Current version of SUSE Enterprise does not supply a YaST object for management

Note: VSFTPD can be invoked with/without XINETD

Note: Default configuration permits 'anonymous' access only (no local-user logins)

Note: '/srv/ftp' is the default 'anonymous' location, as per the home directory of the 'ftp' user in /etc/passwd

Note: FTP supports PASSIVE & ACTIVE connections. VSFTPD supports both, by default

 

Note: FTP connections consist of a Control channel (TCP 21) and a separate Data channel per transfer

Passive - client -> server(21); the client sends PASV, the server opens a high port and tells the client to connect to it for data; firewall-friendly on the client side

 

Active - client -> server(21); the client tells the server which port it is listening on, and the server connects back from port 20 to that client port for data, which is generally denied by most client-side firewalls/NAT

 

Note: FTP sends user names, passwords and data in clear text; use SFTP/SCP for anything but public downloads

Disable anonymous access and enable local users by setting the corresponding /etc/vsftpd.conf directives (anonymous_enable=NO, local_enable=YES)

 

Samba Services - Integrates Windows with Unix/Linux

Note: /home shares are dynamically generated ([homes] section) for users who connect successfully

Note: /etc/samba/smb.conf - default configuration file for Samba

Note: Samba authenticates users using 2 databases:

 1. /etc/samba/smbpasswd - contains the LM/NT password hashes that Windows clients authenticate against, and maps Samba users to local Linux users; these hashes are password-equivalent, so the file must stay root-owned, mode 600

 2. /etc/passwd - stores Linux users (every Samba user must also exist here)

Note: file/directory access rests with the Linux OS; Samba can only grant what the mapped Linux user already has

 

Flow of permissions:

 1. Samba client(Windows/Linux/Unix) submits Samba User

 2. Samba Server attempts to equate submitted user to local Linux user

  a. if successful, Samba server performs I/O as mapped user

  b. if unsuccessful, Samba server attempts to map submitted user as guest

  c. if guest mapping fails, access is denied

 

Note: /etc/samba/smbusers - maps Samba users to Linux users

Note: use 'smbpasswd -a username' to add Samba users, whom are mapped to Linux users

 

###Samba Authentication Modes (security = ...)###

 1. User - uses /etc/samba/smbpasswd - maintained with the 'smbpasswd' utility (the normal choice)

 2. Server - passes authentication to another Windows/Samba server

 3. Domain - authenticates against an NT-style domain (PDC/BDC)

 4. ADS - authenticates against Active Directory (AD) domain controllers (Kerberos)

 5. Share - authenticates per share - passwords are tied to shares, not users; deprecated and best avoided

 

 

###Other Samba Clients###

 -smbclient - facilitates puts/gets from Samba shares and other features

 smbclient -U administrator //linuxcbtwin2/public1

 smbclient -U administrator -L linuxcbtwin2

 

 -smbtar - facilitates tarring/backup of remote shares

 smbtar -s linuxcbtwin2 -x public1 -t public1.tar

 

 -smbtree - enumerates remote shares

 

 

Samba Web Administration Tool (SWAT)

 - Facilitates web-based administration of Samba via TCP:901

 - Provides its own HTTPD server

 - Controlled by XINETD - /etc/xinetd.d/swat, rcxinetd restart

 - Must authenticate as 'root' after restarting XINETD with SWAT enabled

 - SWAT defaults to BASIC HTTP authentication, which sends the root password in the clear on every request; restrict it to localhost (only_from = 127.0.0.1 in /etc/xinetd.d/swat) and reach it through an SSH port forward, or leave it disabled

 - optionally, install 'samba-doc' package

 

 

###Active Directory (AD) Installation and Integration with Samba###

 -use 'dcpromo' from Windows to promote it to an AD server

 - Setup Microsoft's DNS on AD server for simplicity

 - Optionally, configure appropriate BIND zones

 - Define FQDN for AD root 'ad.linuxcbt.internal'

 - Define NETBIOS name of workgroup for legacy systems 'LINUXGENIUS'

 - Configure AD server to consult itselft for DNS '127.0.0.1'

 

Join SUSE Enterprise box to AD domain using YaST2

 1. Network Services

 2. Windows Domain Membership

 3. Confirm ability to use remote (AD) users using 'getent passwd'

 

Note: winbind daemon facilitates enumeration and usage of remote AD users

 

/etc/nsswitch.conf

 

###Samba File System (SMBFS/CIFS) Driver###

 - facilitates transparent mounting of remote SMB/CIFS shares

 

\\linuxcbtwin2\public1 - /LINUXGENIUS/linuxcbtwin2/public1

 

use 'mount' to mount remote SMB/CIFS shares:

mount -t smbfs -o username=administrator,password=abc123,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1

 

mount -t cifs -o user=administrator,password=abc123,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1

Note: a password given on the mount command line is visible to every local user in 'ps' output and is saved in root's shell history; the credentials file below exists to avoid exactly that

 

Keep CIFS credentials in a root-only file (mode 600) in /root

nano .cifs_creds

user = administrator

password = abc123

 

mount -t cifs -o credentials=/root/.cifs_creds,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1

 

 

 

Network File System (NFS)

Note: NFS depends on the 'portmap' service (RPC port mapper); use 'rcportmap' to control it

Note: YaST/YaST2 can be used to import/export NFS shares

Note: NFS with Linux 2.6 supports versions 2, 3, 4, and TCP & UDP

Note: Use NFS on trusted LANs only: NFSv2/v3 trust the client's claimed UID/GID (AUTH_SYS), so any host that may mount a share can act as any non-root user on it

Note: Specify subnets/IPs in the Hosts field to restrict which hosts may mount your NFS share

Note: The default '*' Hosts value permits ANY host that can reach the server to mount the export

 

Note: 'root_squash' (the default) maps the remote 'root' user to the local 'nobody' user; 'no_root_squash' lets a remote root write as root on the server and belongs only on exports to fully trusted clients

Note: 'sync' option reduces the likelihood of data corruption by ensuring that file I/O has completed on the NFS server before the result/exit status is returned to the NFS client

 

Confirm NFS status using the following:

 1. ps -ef | grep -i nfs

 2. rcportmap status - portmap controls NFS/NIS, and allows dynamic allocation of ports

 3. rpcinfo -p

 

Note: server-exported share '/app1', need NOT be the same name of the mount point on NFS client

 

 

###Mount remote share on NFS client###

mount linuxcbtsuse1:/app1 /app1

Note: YaST/YaST2 NFS-exported directories are stored in '/etc/exports'

Note: use 'exportfs -a' to re-export items listed in '/etc/exports'

 

 

 

Remote Synchronization (RSYNC)

Installed by default

Synchronizes remote, and optionally local, directories and/or files, transferring only the differences

 

rsync operates in 2 modes:

 1. over a remote-shell transport such as SSH - requires the rsync binary on the target system; authentication and encryption come from SSH

 2. against an 'rsyncd' daemon, which authenticates with its own per-module user/password list and sends data in clear text

 

1 client, 'rsync', is used for both modes

 

rsync -bazv

-b (backup - an existing destination file that would be overwritten is kept with a ~ suffix), -a (archive - recursive, preserves permissions, ownership, timestamps and symlinks)

-z (compression), -v (verbose)

 

Note: rsync is required on both client and server when using the SSH transport

 

rsync -bazv -e ssh source destination

rsync -bazv -e ssh /app2 root@linuxcbtsuse2: - syncs local /app2 into root's home directory on the remote system (a bare trailing ':' means the remote home) and backs up replaced target files

 

rsync -bazv -e ssh /app2 root@linuxcbtsuse2:/ - same, into the remote root directory, creating /app2 there (no trailing slash on the source copies the directory itself, not just its contents)

 

###Synch local with remote system###

rsync -azv -e ssh root@linuxcbtsuse2:/app2 /

 

#!/bin/bash

###Synchronizes local /app2 with remote /app2 (pull); when run from cron with a passphrase-less key, restrict that key in the remote authorized_keys file

rsync -azv -e ssh root@linuxcbtsuse2:/app2 /

###END

 

###rsyncd server - /etc/rsyncd.conf - binds to TCP:873###

Note: to contact an rsyncd server with the rsync client, use '::' after the host, followed by a module name from /etc/rsyncd.conf (not a file system path)

Note: rsync currently does NOT support synchronization between 2 remote hosts

 

rsync -azv /app2 linuxcbtsuse2::app2 - 'app2' here is a module name (assumed for illustration); '-e ssh' may be combined with '::' to reach the daemon over SSH instead of clear-text TCP 873

 

 

 

Apache HTTPD - Web Server

>70% of ALL web servers ran Apache at the time of these notes (2006)

Apache is cross-platform capable; available for Linux/Solaris/AIX/Windows/MAC OSX/etc.

 

Install via YaST - Patterns - Select 'Web and LAMP Server' - (Apache/MySQL/PHP/Python Modules)

 

###Apache 2.2 Directory Layout###

/etc/apache2 - primary apache2.2 configuration directory

/etc/apache2/default-server.conf - config file for main HTTP server (NON-Virtual-Host)

/etc/apache2/errors.conf - error-handling

/etc/apache2/httpd.conf - Main Apache configuration file (includes other files)

/etc/apache2/uid.conf - controls the user/group (wwwrun/www) the Apache child processes drop to

/etc/apache2/vhosts.d - houses Virtual Hosts files *.conf

/etc/apache2/vhosts.d/vhost-ssl.template - Sample SSL template

/etc/apache2/listen.conf - houses TCP-related bindings (Listen directives)

/usr/lib/apache2 - houses dynamically-loaded modules (*.so files)

/usr/share/apache2/error - houses default error messages

/etc/apache2/mod_log_config.conf - houses the LogFormat definitions used by Apache's log files;

it maps log formats (on the left) to nicknames (on the right)

Nicknames can be referenced wherever a virtual host is defined

Difference between 'common' (CLF) and 'combined' is that combined provides everything provided by common + 'User-Agent' and 'Referer'; log combined, since the user agent and referer are what distinguish a scanner from a browser

 

/etc/apache2/default-server.conf - config file for main HTTP server (NON-Virtual-Host)

 

DocumentRoot "/srv/www/htdocs" - maps web space to file system space for default pages

i.e. http://linuxcbtsuse2.linuxcbt.internal -> /srv/www/htdocs

 

<Directory "/srv/www/htdocs"> - describes attributes of document root

 Applicable Directives

</Directory>

 

 

Aliases - are like symlinks in the web space. They map a web-space location to another location in the file system, usually outside the document root

 

Alias /temp /srv/www/temp

<Directory "/srv/www/temp"> - describes attributes of the aliased directory (a <Directory> block is needed, otherwise the server-wide default, normally 'Deny from all' on SUSE, applies)

 Applicable Directives

</Directory>

 

Note: Apache's Directory permissions flow downward: a <Directory> block applies to that directory and everything beneath it unless a more specific block overrides it

 

ScriptAlias - specifies the one location from which CGI scripts may be executed; scripts there run as the 'wwwrun' user, so nothing world-writable belongs in it

ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

 

mod_userdir = http://linuxcbtsuse1.linuxcbt.internal/~linuxcbt/index.html - /home/linuxcbt/public_html/index.html

 

Note: Apache, in prefork mode, starts 6 processes by default:

 1. Apache parent, which runs as 'root' (so it can bind port 80 and open the logs)

 2. 2-6 (5 child processes), run as the non-privileged 'wwwrun' user - these child processes service HTTP connections, so a compromised request handler gets wwwrun's privileges only

 

http://localhost/manual - returns the Apache manual in the language negotiated with the browser (apache2-doc package); do not leave it exposed on a production server

 

 

### Key Apache Directives - Directory, Alias, Files, Location ###

Note: These directives influence Apache's permissions to serve content

 

<Directory "physical_directory_location /srv/www/htdocs">

 

</Directory>

DirectoryIndex index.html index.html.var - influences default document to be served

Note: Changes made to *.conf files require at least a 'reload' of the 'rcapache2' services and sometimes a full 'restart'

 

Note: IP address(es), short name, FQDN(linuxcbtsuse1.linuxcbt.internal) all lead to the default server referenced in /etc/apache2/default-server.conf, unless overidden via VHOST

 

###Order of evaluation when permitting/denying access to a directory###

Order allow,deny - evaluates Allow directives, then Deny directives; a request matching neither is denied, and a request matching both is denied

Allow from all

 

Order deny,allow - evaluates Deny directives, then Allow directives; a request matching neither is allowed, and a request matching both is allowed

Deny from all

Allow from 172.20.20.0/255.255.255.0 192.168.1.0/255.255.255.0 127.0.0.1

Note: the combination 'Order allow,deny' + 'Deny from all' locks out everyone, including the Allow-listed networks, because in allow,deny a matching Deny always wins; an allow-list needs deny,allow as shown

 

 

 

Alias fakename physical_location

Alias /htdocs2 /srv/www/htdocs2

 

<Directory "/srv/www/htdocs2">

        Options Indexes

        AllowOverride None

        Order allow,deny

        Allow from all

</Directory>

 

 

<files noaccess.html>

 

</files>

 

Note: <files> applied within <directory> block affects the directory and below

Note: <files> applied outside of <directory> block impacts the ENTIRE server

 

<files noaccess.html>

    Order allow,deny

        Deny from all

</files>

 

 

<Location /templocation> - webspace directory permissions

    Order allow,deny

        Deny from all

</Location>

i.e. /status

 

###Redirect Directive - sends traffic to alternate location###

HTTP status codes (not all of them errors) are grouped into the following classes:

 1. 2xx - Success - no problems - content has been served

 2. 3xx - Redirection - used to indicate that content has moved (301 permanent, 302 temporary)

 3. 4xx - Client errors (404 not found, 403 forbidden, 401 authentication required)

 4. 5xx - Server errors

 

If users access oursite/htdocs2, send them to /htdocs3

Redirect /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3

Redirect 301 /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3

Redirect permanent /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3

 

Note: The Directory directive supports shell-style wildcards in its path argument; i.e. '*', '?'

 

###.htaccess files###

/srv/www/htdocs/temp1/.htaccess

Note: Update the primary *.conf file so the <Directory> block covering that path permits overrides: 'AllowOverride All', or better only the directive classes actually needed (e.g. 'AllowOverride AuthConfig Limit'), since every class you allow is something a user with write access to the directory can change

Note: There is a performance hit when using .htaccess, because Apache looks for and parses .htaccess in the requested directory and in every parent directory up to the DocumentRoot on each request

 

 

Apache Logging

/var/log/apache2

 -rcapache2.out - yields the results of testing the configuration file(httpd.conf) at start/reload

 -error_log - stores server diagnostics: startup messages, configuration problems, CGI/PHP script errors and the reason behind failed requests (e.g. 'File does not exist' behind a 404). The status codes themselves are recorded in access_log

 -access_log - stores hits to the server, one line per request

 

Note: Apache defaults to default files for Virtual Hosts that do not have log routing defined

 

/etc/apache2/mod_log_config.conf

 

LogFormat is used to concatenate and associate Apache log variables with nicknames

Nicknames are referenced in server/host configurations

LogFormat "%h %l %u %t \"%r\" %>s %b"                   common

 

Note: Values that return empty, are reflected with the '-' character

 %h - connecting host's address

 %l - uses ident to return information about the connecting client/user

 %u - connected/attempted HTTP-authenticated user

 %t - timestamp of connection -

    day(2-digit)/Month(3-letters)/Year(4-digits):Hour:Minute:Second -TimeZone

 %r - the full request line: method (GET/POST/etc.), requested path and protocol version, e.g. "GET /index2.html HTTP/1.1"

 %>s - represents the FINAL status code returned to the client (2xx-5xx); plain %s would show the status of the original request before any internal redirect

 %b - size of the returned content to the client - this represents zero bytes with '-'

 %B - returns the same as %b but returns '0' for zero bytes

 

LogFormat "%h %l %u %t \"%r\" %>s %b \
 \"%{Referer}i\" \"%{User-Agent}i\""                     combined

Note: a backslash at the end of a line continues the directive on the next line

 

%{Referer}i - the Referer request header: the page that linked to this content (page/image/PDF/etc.); the trailing 'i' selects a request (input) header

%{User-Agent}i - the User-Agent request header: the connecting browser; i.e. (Blackberry/IE/Firefox/Safari/etc.). Both values are supplied by the client and can be forged or omitted, so treat them as hints, not facts

 

172.20.20.1 - - [15/Sep/2006:16:18:15 -0400] "GET /index2.html HTTP/1.1" 404 1045 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060527 SUSE/1.5.0.4-1.9 Firefox/1.5.0.4"
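To make the format concrete, here is an added Python example (not part of the original notes or of Apache) that parses common and combined log lines into fields using the conventions above ('-' for an empty field, '-' in %b meaning 0 bytes, %r split into method/path/protocol) and then picks out clients that generate repeated 4xx/5xx responses, the first thing worth looking at when reviewing access_log. The first sample line is the one shown above; the others are constructed for the example:

```python
import re
from collections import Counter, defaultdict

# Added example, not from the LinuxCBT notes or Apache: parse common/combined
# access_log lines and report clients that keep producing error responses.

# Apache writes embedded quotes as \" (2.0.46 and later), so a quoted field is
# "a run of non-quote characters or backslash-escaped characters".
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?$'
)


def parse_line(line):
    """Return a dict of log fields, or None if the line is not common/combined format."""
    m = COMBINED.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # '-' means 'no value' for every field except %b, where it means 0 bytes
    for key in ("ident", "user", "referer", "agent"):
        if rec[key] == "-":
            rec[key] = None
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # %r is the whole request line; split it so the path is usable on its own
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] or None
    rec["path"] = parts[1] if len(parts) > 1 else None
    rec["protocol"] = parts[2] if len(parts) > 2 else None
    return rec


def error_clients(lines, min_errors=3):
    """Map each client with at least min_errors 4xx/5xx responses to the paths it hit.

    A run of 404/403s for admin-looking paths from one address is the usual
    footprint of a scanner walking the site; a single 404 is just a broken link.
    """
    errors = Counter()
    paths = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] < 400:
            continue
        errors[rec["host"]] += 1
        paths[rec["host"]].append(rec["path"])
    return {host: paths[host] for host, n in errors.items() if n >= min_errors}


SAMPLE_LOG = [
    # the combined-format line quoted in the notes
    '172.20.20.1 - - [15/Sep/2006:16:18:15 -0400] "GET /index2.html HTTP/1.1" 404 1045 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060527 SUSE/1.5.0.4-1.9 Firefox/1.5.0.4"',
    # constructed: an authenticated hit on the Basic-auth protected stats page
    '192.168.1.40 - linuxcbt [15/Sep/2006:16:20:01 -0400] "GET /webalizer/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # constructed: one client guessing at admin paths
    '192.168.1.102 - - [15/Sep/2006:16:21:10 -0400] "GET /phpmyadmin/ HTTP/1.0" 404 1045 "-" "constructed-scanner/1.0"',
    '192.168.1.102 - - [15/Sep/2006:16:21:11 -0400] "GET /admin/ HTTP/1.0" 404 1045 "-" "constructed-scanner/1.0"',
    '192.168.1.102 - - [15/Sep/2006:16:21:12 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 403 1045 "-" "constructed-scanner/1.0"',
    # constructed: common format (no Referer/User-Agent) with a zero-byte body
    '127.0.0.1 - - [15/Sep/2006:16:22:00 -0400] "HEAD /index.html HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for host, hit_paths in error_clients(SAMPLE_LOG).items():
        print(f"{host}: {len(hit_paths)} error responses: {', '.join(hit_paths)}")
```

Feed it the real file with `error_clients(open('/var/log/apache2/access_log'))`; the threshold is deliberately low so a single broken link (one 404 from 172.20.20.1 above) is ignored while a short burst from one address is reported.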

 

 

Virtual Hosts (VHOSTS)

2-Types of VHosts:

 1. IP-based - require 1-IP/site and can facilitate SSL/site

 2. Name-based - all sites share 1 IP (the site is selected by the HTTP Host header), but only 1 SSL site may operate per IP:port. The certificate is chosen during the TLS handshake, before the Host header is sent, so without TLS SNI (not available in the Apache/browsers of this era) every SSL site needs its own IP

 

IP1 - 192.168.1.40 - default server

 

ifconfig eth0:1 192.168.1.41

IP2 - 192.168.1.41 - site1 - maps(DocumentRoot) to /srv/www/site1

IP3 - 172.20.20.1 - site2 - maps(DocumentRoot) to /srv/www/site2

IP4 - 192.168.1.42 - site3 - maps(DocumentRoot) to /srv/www/site3

 

Modify /etc/apache2/listen.conf to listen to the new IP address(es)

Note: mod_logio (provides the %I/%O bytes-in/bytes-out log variables) is NOT loaded by default. Use YaST to add the module.

 

Name-based Virtual Hosts

 - permits the sharing of IP addresses across VHosts

 

Requirements:

 1. Listen 192.168.1.40:80 - Listen 80(ALL IPs, Port 80)

 2. NameVirtualHost 192.168.1.40:80

 3. DNS MUST be properly configured

 

###SSL Configuration###

Requirements:

 1. /etc/sysconfig/apache2 - set APACHE_SERVER_FLAGS so that httpd is started with -DSSL (on SUSE the variable holds the define name, 'SSL', and rcapache2 adds the -D); this activates the <IfDefine SSL> sections of the configuration

 2. restart apache

 3. Generate appropriate certificates (private/public key pair)

   a. /usr/bin/gensslcert - creates keys based on system's FQDN and generic info

   b. /usr/share/doc/packages/apache2/certificate.sh - prompts for values

 4. restart apache and test connectivity using HTTPS

 5. cp /etc/apache2/vhosts.d/vhost-ssl-template to working file

 

Key SSL files:

 1. server.crt (Server's certificate - public key)

 2. server.key (Server's private key)

 3. server.csr (Certificate Signing Request - sent to a CA (CACert.org, Verisign, Thawte, GoDaddy) for signing). The private key never leaves the server; keep server.key root-owned and mode 0600

 

 

###Webalizer - Log analysis of Apache###

Note: Default /etc/webalizer.conf, parses standard 'access_log' file

Note: Move /etc/webalizer.conf to /etc/webalizer/webalizer.conf

Note: Copy webalizer.conf to something that reflects the site being processed

Note: Log files should be processed chronologically

Note: Webalizer is limited to a 12-month history

 

Setup Basic HTTP AUTH

 1. Configure /etc/apache2/default-server.conf

<Location /webalizer>

 AuthType Basic

 AuthName "Restricted"

 AuthUserFile /etc/apache2/webalizer_passwords

 Require valid-user

</Location>

 

 2. Generate the password file using 'htpasswd2 -c /etc/apache2/webalizer_passwords linuxcbt' (-c creates the file and would overwrite an existing one; omit it when adding further users). Keep the file outside the DocumentRoot. Basic auth sends the credentials base64-encoded, effectively in clear text, on every request, so expose it over HTTPS only

 

###Redirect /webalizer to SSL-protected site###

Redirect /webalizer https://linuxcbtsuse1.linuxcbt.internal/webalizer

Note: put this Redirect in the plain-HTTP (port 80) server only; placed in the SSL VHost as well it would redirect to itself in a loop

 

###PHP Scripts Integration###

Create PHP script in Document Root of web site:

MUST enclose PHP code in opening '<?php' and closing '?>' tags. The short form '<?' only works when 'short_open_tag' is enabled in php.ini; otherwise the code is sent to the browser as text

Note: PHP scripts, served by Apache, do NOT need the 'x' permissions

Note: use '<?php phpinfo(); ?>' - to return useful PHP/Apache/Linux info. Remove the script once testing is done: it discloses versions, paths and module settings to anyone who can request it

 

Note: consult '/etc/php5/apache2/php.ini' to tweak PHP Module settings (memory/etc.)

 

Note: install 'php5-mysql' package to allow PHP to talk to MySQL.

 

 

MySQL Implementation

 

/etc/my.cnf - global MySQL configuration file

 

/usr/sbin/mysqld - Main daemon

/var/lib/mysql - Primary root directory for DBs

 -Below /var/lib/mysql are directories representing DBs

 

 

/usr/bin/mysql - primary client(interactive/non-interactive) used to connect to MySQLD

 

 

 

mysql - connects the currently-logged-in Linux/Unix user to the server

 

mysqld - supports, by default:

 1. passwordless root(DBMS super-user) authentication

 2. anonymous, passwordless, authentication

 

Note: Change the password on both 'root' accounts (root@localhost and root@linuxcbtsuse1.linuxcbt.internal) and remove anonymous access

Note: A proper MySQL username consists of the following:

 1. username

 2. hostname

i.e. root@localhost, root@linuxcbtsuse1.linuxcbt.internal

 

###Alternate way for DBA to change user's password###

set password for 'root'@'localhost' = password('abc123');

 

 

###Disable anonymous access###

delete from mysql.user where user = '';

 

Note: Flush Privileges after dropping and changing accounts or risk permitting access based on former credentials until the server(mysqld) is restarted

Use: 'flush privileges;'

Note: the mysql client sends your Linux/Unix login name as the MySQL user unless -u is given. When no account with that name exists, the server matches the anonymous ''@'localhost' account, which is why any local user gets in without a password on a stock install until that account is deleted

 

 

###Delete superfluous DBs###

drop database test;

 

###Privileges scope###

mysql - DB used to manage system settings and credentials

mysql.user - Global level permissions table (one row per user@host; privileges here apply to EVERY database)

mysql.db - database-level permissions

mysql.host - host-level permissions (rarely used)

mysql.tables_priv - table-level permissions

mysql.columns_priv - column-level permissions

 

 

###Create new user###

 1. Create DB - 'create database contacts;'

 2. Create user with permissions associated with DB

    grant all on contacts.* to 'linuxcbt'@'localhost' identified by 'abc123';

 3. CREATE USER username;

 

###Drop/Delete Users###

 1. DROP USER username;

 

Note: MySQL evaluates credentials based on 3 components:

 1. user

 2. hostname

 3. password

 

###Define users who may login to MySQL from a remote system###

 1. grant all on contacts.* to 'linuxcbt'@'%' identified by 'abc123';

 2. grant all on *.* to 'root'@'%' identified by 'abc123';

Note: the second grant lets the DBMS super-user log in from ANY host, so the password becomes the only thing between the network and every database. Prefer a dedicated account limited to the DB it needs ('linuxcbt'@'%' above) and narrow the host part to the client's address or subnet where possible

 

Note: '%' is a wildcard to mean 'ANY', similar to '*' in the shell environment

Note: '%' is permitted in the 'host' field/column and NOT in the 'user' column of the privileges tables

 

 

###Key Show Commands###

show grants; - reveal permissions

show databases; - enumerates Databases that you have privileges to see

use DB; show tables; - lists tables in a given database

 

show engines; - returns list of supported(compiled-in) table storage engines

show status; - returns key running variables

show processlist; - returns running queries and connections

 

Note: MySQL binaries search for configuration files in a specific order:

 1. Global config file - /etc/my.cnf

 2. Per-user config file - ~/.my.cnf

 3. Command-line - overrides ALL previously-set directives

 

Note: each program(MySQL binary) searches for distinct blocks in the config files

mysqld --verbose --help - returns options and variables that can be set in global and per-user configuration files

 

name=value - defines how variables are set in config files

 

###Execute MySQL query, returning results to STDOUT (batch-run/non-interactive invocation)

mysql -pabc123 -e 'show databases' - returns list of DBs to STDOUT. Note: a password given on the command line is visible to other users via 'ps' and ends up in the shell history; use a bare '-p' to be prompted, or put the credentials in a mode-0600 ~/.my.cnf for non-interactive jobs

 

 

###Backup databases###

mysqldump -p --all-databases > all_dbs.sql - dump ALL DBs in ASCII text format (SQL statements) to a file

mysqldump -p --databases mysql - returns the SQL needed to recreate the 'mysql' DB & tables, i.e. the accounts and privileges. The dump contains password hashes, so protect the output file as you would the data itself

 

 

###Creation of 'people' table to store contacts###

DB(Contacts)

 - Table(people)

  -first_name

  -last_name

  -bus_phone1

  -email

  -PRIMARY KEY

 

CREATE TABLE `people` (

`first_name` char(30), `last_name` char(30), bus_phone1 char(20), email char(40),

PRIMARY KEY (`email`)

);

 

Note: use 'describe people' to return the structure of the 'people' table

 

 

###Import contacts into 'people' table from externally-created text file###

Note: Create a file named 'people.txt' with one row per line and the columns separated by tabs (the default field terminator). mysqlimport strips the '.txt' suffix and matches the file name to the table name.

Note: Import using 'mysqlimport'

mysqlimport -pabc123 --local -d contacts people.txt - 'contacts' is the database; --local reads the file on the client side; -d (--delete) empties the table before importing, so leave it out to append rows

 

###PHP code to query 'contacts.people' and dump info to HTML###

Steps:

 1. Create connection object (host,user,password,DB)

 2. Define query

 3. Define result set variable

 4. loop through result-set and return results to the browser

 

 

<?php

# Step 1: connection object (host, user, password, DB) - the arguments are strings, so quote them
$conn1 = new mysqli('localhost', 'linuxcbt', 'abc123', 'contacts');

if ($conn1->connect_error) {
    die('Connection failed: ' . htmlspecialchars($conn1->connect_error));
}

# Step 2: define the query
$query1 = "SELECT first_name, last_name, email FROM people";

# Step 3 & 4: run the query once and loop over the result set if it is NOT empty
if ($result1 = $conn1->query($query1)) {

    # Echo column headers
    echo "Full Name ", "E-Mail", "<br>";

    # Loop through result set; escape each value so stored data cannot inject HTML/script into the page
    while ($obj1 = $result1->fetch_object()) {
        echo htmlspecialchars($obj1->first_name), "  ",
             htmlspecialchars($obj1->last_name), "  ",
             htmlspecialchars($obj1->email), "<br>";
    } # Terminates loop through result set

    $result1->free();
} # Terminates conditional check for result set

$conn1->close();

?>

 

 

PHPMyAdmin - Implementation

Used to graphically, via a browser, manage MySQL instances

www.phpmyadmin.net

Note: Requires PHP-MySQL support on your Apache server

tar -xjvf phpMyAdmin-2.8.2.4.tar.bz2

 

Note: create symlink or alias to link to the current version of phpMyAdmin. This provides a consistent URL. i.e. http://linuxcbtsuse1.linuxcbt.internal/phpmyadmin. Anyone who can reach that URL gets a login form to the DBMS, so restrict the directory to administrator addresses (Order/Allow from, as above) and serve it over HTTPS only

ln -s phpMyAdmin-2.8.2.4 phpmyadmin

 

 

Postfix MTA

Note: is a distributed, non-monolithic MTA (many binaries)

Note: Postfix does NOT permit outside network relaying by default

/etc/postfix/main.cf - Primary Postfix config file

/etc/postfix/master.cf - houses config for Postfix daemons

/etc/postfix/transport - governs message routing based on domain/etc.

/etc/postfix/virtual - houses virtual mappings for Virtual domains

/usr/bin/mailq - enumerates the contents of the mail queue

/usr/bin/newaliases - updates the aliases DB (/etc/aliases)

/usr/sbin/sendmail - drop-in replacement for 'Sendmail's' 'sendmail' binary

 

Key directives:

$myhostname = linuxcbtsuse1.linuxcbt.internal (Default FQDN)

user@linuxcbtsuse1.linuxcbt.internal - i.e. linuxcbt@linuxcbtsuse1.linuxcbt.internal

 

$mydomain = linuxcbt.internal (Default derivative of FQDN)

 

$myorigin = FQDN - sets the outbound domain in e-mails

 

$mydestination = controls domains that are considered local - i.e. root@linuxcbtsuse1.linuxcbt.internal

 

$mynetworks - permits relaying from trusted hosts/subnets - Default accepts messages from localhost and local subnet

 

$home_mailbox - selects the local mailbox format and location. Unset (default): mbox file /var/spool/mail/user; 'home_mailbox = Mailbox': mbox file ~/Mailbox; 'home_mailbox = Maildir/': one-file-per-message ~/Maildir/ (the trailing slash is what selects Maildir format)

Mailbox (mbox) - all messages in one file - default spool /var/spool/mail/user

Maildir = ~/Maildir/

 

Note: Most Mail User Agents (MUAs) such as Mutt, send messages using 'sendmail' binary

Note: when using 'su' the 'MAIL' shell variable does NOT change

 

Note: Postfix defaults to SysLog for logging using the mail facility: /var/log/mail

Note: If DNS fails, remote delivery is deferred and mail backs up in the queue (see mailq), unless static routing has been configured in /etc/postfix/transport; local delivery is unaffected

 

Note: postconf dumps running Postfix configuration

 

Note: After modifying lookup files such as /etc/postfix/transport, update the DB file using 'postmap filename' i.e. 'postmap /etc/postfix/transport'

 

 

Courier-MTA - IMAP

 

Requirements:

 1. Courier Authlib - Authentication library for ALL Courier application

 2. Courier IMAP

 3. GNU C Compiler

 

AuthLib Installation:

http://courier-mta.org/authlib

 Steps:

  1. ./configure

  2. make

  3. make install (as root) - /usr/local/sbin

  4. make install-configure (as root)

  5. /usr/local/sbin/authdaemond start

 

 

IMAP Installation:

http://courier-mta.org/imap

 Steps:

  1. ./configure

  2. make (produces binaries)

  3. make install (as root) - copies files to /usr/lib/courier-imap

  4. make install-configure (as root)

  5. /usr/lib/courier-imap/libexec/imapd.rc start - starts IMAPD

 

 

Note: Courier IMAP requires Maildir/ directory in user's $HOME

 

###Postfix - Maildir/ config###

nano /etc/postfix/main.cf - add 'home_mailbox = Maildir/' (trailing slash = Maildir format), then 'rcpostfix reload'

 

couriertcpd - analagous to XINETD because it is a super-server

 

Note: Courier IMAP provides the following daemons:

 1. IMAPD - TCP:143 - Clear-text access

 2. IMAPD-SSL - TCP:993 - Encrypted access

 3. POP3 - TCP:110 - Clear-text access to download messages

 4. POP3-SSL - TCP:995 - Encrypted access to download messages

 5. SYSV INIT Scripts - source code directory

 

chkconfig courier-authlib on

chkconfig courier-imap on

 

 

 

SquirrelMail - Web-based Mail integration

Steps:

 1. Download from www.squirrelmail.org

 2. Extract and untar: tar -xjvf squirrelmail-1.4.8...

 3. Configure to use Courier - using squirrelmail/config/conf.pl

 4. Change permissions on squirrelmail/data sub-directory to be owned by 'wwwrun'

 5. Symlink 'squirrelmail' to 'squirrelmail-1.4.8...' directory

 6. Test logging into mail

 

###Connection logic to mailbox from client###

Browser -> SquirrelMail(PHP) -> Courier IMAP -> ~/Maildir/

 

 

###Moved Default SquirrelMail 'data' directory outside of WebRoot###

mkdir /var/squirrelmail/data

chown -R wwwrun /var/squirrelmail

 

 

Pure-FTPD

Features:

 1. Lightweight

 2. Fast

 3. Secure

 4. SSL/TLS on the control connection

 5. Bandwidth throttling

 6. Runs in standalone and XINETD modes

 

/etc/pure-ftpd/pure-ftpd.conf - Primary configuration files

/usr/sbin/pure-ftpd - primary binary

Note: pure-ftpd defaults users to their home directories (chroot)

Note: by default, ONLY 'anonymous' connections are permitted

Note: 'anonymous' access works like VSFTPD; it is based on the 'ftp' user in /etc/passwd

Note: by default, pure-ftpd logs ONLY using 'syslog'

Note: the CLF/W3C/Stats log files do NOT log verbose FTP activity, however, 'syslogd' does

 

###Enable FTP support in Syslog###

Requires: filter, destination, and, log directives

 

###Syslog-NG Configuration###

filter f_ftp { facility(ftp); };

destination d_ftp { file("/var/log/pure-ftp-syslog.log"); };

log { source(src); filter(f_ftp); destination(d_ftp); };

 

FTP Client -> FTP Server(21 - Control Connection - Clear Text)

Note: with the pure-ftpd of this release, TLS encryption applies solely to the Control Connection - typically TCP:21 - so the login is protected but file contents still cross the network in clear text

Note: TLS does NOT protect the Active/Passive data connection here; later pure-ftpd releases (1.0.22 and up) can also encrypt the data connection when the client requests it (PROT P)

 

Requirements:

 1. Generate(use notes from docs) or use existing PEM file or certificate

 2. modify pure-ftpd.conf file to permit TLS

 

 

 

Xen Virtualization

Features:

 1. Provides a Virtual Machine Server (VM Server) - Hosts VMs - domain(0)

 2. Virtual Machines (VMs) - instances of Operating Systems

 3. Virtual Machine Monitor - Software layer running between SUSE(domain 0) & Hardware

 

Hardware <- VM Server -> VMM -> Virtual Machines (1..n)

 

Note: ample hardware (CPU power, RAM, Disk) is necessary to use Xen

 

Xen Supports 2 Modes:

 1. Fully Virtual - runs slower - supports most unmodified OSs, requires hardware-assisted virtualization (AMD-V & Intel VT) - devices are emulated, which costs more resources

 2. Paravirtual - runs faster - the guest kernel must be Xen-aware (at the time: SUSE Linux 10.1 & higher, SUSE Linux Enterprise 10) - the guest kernel calls the hypervisor directly and uses Xen front-end drivers for disk and network instead of emulated devices, hence the better performance

 Note: this mode is considered 'VM-Aware' Mode

 

Note: Installation of Xen, modifies /boot/grub/menu.lst - to include Xen boot option

 

 

###Post VM Server Installation Checks###

xm list - returns domain 0 - confirms if Xen is operable

 

xm shutdown vm1 - asks the guest OS in 'vm1' to shut down cleanly

xm destroy vm1 - terminates 'vm1' immediately (like pulling the power cord, so unflushed guest data is lost); its configuration file is NOT removed

 

 

 

XINETD - Super Server

Note: Successor to traditional 'INETD' with extensions

Client -> TCP:901(SWAT) -> XINETD -> SWAT

Features:

 1. Spawns managed daemons(SWAT, pure-ftpd, VNC, etc.) when necessary

 2. Access-time ACLS - restricting connectivity to managed services during specifc periods

 3. Connections per second (CPS) - limits rush of traffic/flooding

 4. Limits number of instances of spawned process

 

/etc/xinetd.conf - primary config file

/etc/xinetd.d - includes contents of the directory

Note: scope-level config files override directives discovered in global /etc/xinetd.conf

 

/usr/sbin/itox && /usr/sbin/xconv.pl - converts INETD files/entries to XINETD format

 

XINETD

 -/etc/xinetd.conf

  -INCLUDES contents of /etc/xinetd.d/*

 

XINETD config block resembles the following:

service_name

{

    n number of directives (name = value pairs)

 

}

 

service2_name

{

    name = value pairs

}

 

'man xinetd.conf' to examine all possible directives

 

 

XINETD - interacts natively with TCP Wrappers

Note: increase security of XINETD-protected services by usin the following directives:

 1. interface = 127.0.0.1

 2. only_from = 127.0.0.1

 

 

TCP Wrappers - tcpd

Controls access to protected services, including XINETD and non-XINETD-controlled services (any daemon linked against libwrap or started through tcpd)

Note: TCP Wrappers reads /etc/hosts.allow and /etc/hosts.deny afresh on every connection, so rule changes take effect immediately

 

TCP Wrappers order of processing:

1. /etc/hosts.allow

   - swat:127.0.0.1 192.168.1.40 - daemon:client_list combo - GRANT ACCESS

 

2. /etc/hosts.deny

    - swat:127.0.0.1 192.168.1.40 - DENY ACCESS

    - IF NO MATCH - GRANT ACCESS

 

Note: TCP Wrappers uses the name of the daemon as its token

 

Note: TCP Wrappers permits placing ALL rules in one file(/etc/hosts.allow) providing we use the following syntax:

 - daemon_name(swat) : client_list(127.0.0.1,192.168.1.0) : ALLOW | DENY

 - daemon_list(swat,pure-ftpd,etc.) : client_list... : ALLOW | DENY

 

Note: The 3rd field of a TCP Wrappers rule may optionally contain a reference to invoke a shell script

 

Note: TCP Wrappers rules are executed immediately without having to reload/restart services
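The order of processing above, and the trap in step 2 (no match in either file means access is GRANTED), is easy to model. The following Python is an added example written for these notes, not code from TCP Wrappers itself; it implements the hosts.allow / hosts.deny sequence and the address patterns from hosts_access(5) (ALL, exact address, trailing-dot prefix such as 192.168.1., net/mask such as 192.168.1.0/255.255.255.0), plus the ALLOW/DENY third field of the single-file style. Hostname patterns, the EXCEPT operator, IPv6 and the spawn/twist options are left out so it runs offline. The rule texts are the ones from the notes plus two constructed variants:

```python
import ipaddress

# Added example (not from the LinuxCBT notes or TCP Wrappers): a model of the
# tcpd/libwrap decision for one daemon and one client address.


def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # 192.168.1.  -> string prefix match
        return ip.startswith(pattern)
    if "/" in pattern:                         # net/mask pair, dotted mask per hosts_access(5)
        net, mask = pattern.split("/", 1)
        if "." in mask:
            mask = sum(bin(int(o)).count("1") for o in mask.split("."))
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == ip                       # exact address


def _split_list(field):
    return [t for t in field.replace(",", " ").split() if t]


def parse_rules(text):
    """Yield (daemons, clients, option) for each non-comment rule line.

    The optional third field is the ALLOW/DENY keyword of the single-file
    style; anything else there (spawn/twist) is ignored by this model.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        option = fields[2].upper() if len(fields) > 2 else None
        yield _split_list(fields[0]), _split_list(fields[1]), option


def _first_match(rules_text, daemon, ip):
    for daemons, clients, option in parse_rules(rules_text):
        if ("ALL" in daemons or daemon in daemons) and any(_client_matches(c, ip) for c in clients):
            return option or "MATCH"
    return None


def decide(daemon, ip, hosts_allow="", hosts_deny=""):
    """Return 'ALLOW' or 'DENY' in tcpd order.

    1. first matching line in hosts.allow wins (ALLOW unless its option says DENY)
    2. otherwise the first matching line in hosts.deny -> DENY
    3. otherwise -> ALLOW (so a hosts.deny that lists only a few hosts protects little)
    """
    hit = _first_match(hosts_allow, daemon, ip)
    if hit is not None:
        return "DENY" if hit == "DENY" else "ALLOW"
    if _first_match(hosts_deny, daemon, ip) is not None:
        return "DENY"
    return "ALLOW"


# The two-file rules exactly as given in the notes
HOSTS_ALLOW_NOTES = "swat: 127.0.0.1 192.168.1.40\n"
HOSTS_DENY_NOTES = "swat: 127.0.0.1 192.168.1.40\n"

# Constructed: default-deny catch-all, so only what hosts.allow lists gets in
HOSTS_DENY_ALL = "ALL: ALL\n"

# Constructed: single-file style with the third field; first match wins, so the
# specific DENY for .102 has to come before the broader ALLOW for 192.168.1.
HOSTS_ALLOW_SINGLE = """
swat, pure-ftpd: 192.168.1.102 : DENY
swat: 127.0.0.1 192.168.1. : ALLOW
ALL: ALL : DENY
"""

if __name__ == "__main__":
    for ip in ("192.168.1.40", "192.168.1.102"):
        print("notes' two files, swat from", ip, "->",
              decide("swat", ip, HOSTS_ALLOW_NOTES, HOSTS_DENY_NOTES))
        print("with ALL: ALL in hosts.deny, swat from", ip, "->",
              decide("swat", ip, HOSTS_ALLOW_NOTES, HOSTS_DENY_ALL))
```

With the notes' two files, 192.168.1.40 is admitted because hosts.allow is consulted first, and 192.168.1.102 is admitted too because it appears in neither file. Only the 'ALL: ALL' line in hosts.deny turns the setup into a real allow-list.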

 

###Security Strategy###

 1. Application Security - User authentication, port-bindings, etc.

 2. XINETD - Wraps your application - Connection throttling, access times, logging, etc.

 3. TCP Wrappers - Per-connection, user-space (libwrap) access control in front of the application, keyed on daemon name and client address; rules take effect immediately

 4. Netfilter/IPTables - Stateful firewall

 

Netfilter is the firewall compiled into the Linux kernel

IPTables is a front-end, user-space utility used to manage Netfilter

 

Kernel -> Netfilter -IPTables - User

 

IPTables Implementation & Operation

Features:

 1. Operates primarily @ Layers 3(Network) & 4(Transport) of the OSI model

   a. IP = 192.168.1.40(Layer-3) - Note: 2^32 IPv4 addresses are available

    a1. each address is multiplexed across 2^16 port numbers (usable range 1-65535) - Layer-4 ports (80, 901, 22, 23, 21, ...)

 2. Modular - it is extended via plug-ins/modules

 3. Provides '/usr/sbin/iptables' - primary utility, used to manage Netfilter

 4. '/usr/sbin/iptables-save & restore' to backup and restore rules for reuse

 5. Changes made happen instantly/dynamically

 

Note: IPTables consists of tables & chains

 Table - 3 default tables

 NAT

 -Chains

 Mangle

 -Chains

 Filter(Default Table)

 -Chains

  -INPUT - focuses on traffic inbound to a process

  -OUTPUT - focuses on traffic outbound/leaving the system

  -FORWARD - focuses on traffic being routed through the system (1 interface to another)

 

 

IPTables Usage

iptables -L - lists the current rule-set of the default table (Filter), chain by chain; add -n to skip DNS/port-name lookups and -v to see packet/byte counters and interfaces

Default policy applied to chains is 'ACCEPT' - this permits traffic to flow uninhibited

 

iptables -L -t nat

Note: You cannot remove the default tables (Filter, NAT, Mangle)

Note: The 'FORWARD' chain of the 'Filter' table only sees traffic if IP forwarding has been enabled (/proc/sys/net/ipv4/ip_forward = 1); with forwarding off the kernel never routes packets from one interface to another

 

 

iptables -A chain_name - appends rule to bottom of the list

iptables -D chain_name rule_num - deletes rule at number

iptables -F chain_name - flushes rules in chain

iptables -P chain_name DROP - changes the policy to DROP

iptables -N new_chain_name - defines a new chain

iptables -E old_chain_name new_chain_name - renames a chain

iptables -Z chain_name - zeroes counters

 

###Rule to deny inbound access to Samba SWAT###

i.e. iptables -A INPUT --protocol --dport -s Jump Target(ACCEPT/DROP/REJECT/LOG) - there is no DENY target: REJECT refuses with an ICMP error or TCP RST, DROP discards silently, and LOG only records the packet and lets it continue down the chain

iptables -A INPUT -p tcp --dport 901 -s 192.168.1.102 -j DROP

iptables -A INPUT -p tcp --dport ssh -s 192.168.1.102 -j DROP

iptables -F INPUT

 

###Save/Restore Rules###

iptables-save > `date +%F`.iptables.rules - saves rules to disk (the live rules exist only in kernel memory and are lost on reboot)

iptables-restore < 2006-09-21.iptables.rules - reinstates rules (reads the dump from STDIN)

 

 

###Filter inbound ICMP echo-request traffic###

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

Note: the second rule discards the replies to the host's OWN outbound pings, so it can no longer ping anything. Drop inbound echo-request alone if the goal is merely to stop others from pinging the host

 

 

###Filter outbound ICMP echo-request traffic###

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP
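Because the first matching rule decides a packet's fate, the order in which the commands above are issued matters as much as their content. The Python below is an added example written for these notes, not code from iptables or netfilter. It replays a subset of iptables command syntax (-A, -I, -F, -P, -p, -s, -d, --dport, --icmp-type, -j) against constructed packet summaries and reports the verdict the INPUT chain would give; the SERVICES dictionary is a stand-in for /etc/services so that '--dport ssh' resolves offline:

```python
import ipaddress
import shlex

# Added example (not from the LinuxCBT notes, iptables or netfilter): a model of
# the 'filter' table. First matching rule is final (LOG excepted, it is
# non-terminating), -A appends, -I inserts at the top, policy applies when
# nothing matched. SERVICES stands in for /etc/services.

SERVICES = {"ssh": 22, "http": 80, "https": 443, "swat": 901}


def _port(value):
    return SERVICES[value] if value in SERVICES else int(value)


class FilterTable:
    def __init__(self):
        self.chains = {name: [] for name in ("INPUT", "OUTPUT", "FORWARD")}
        self.policy = {name: "ACCEPT" for name in self.chains}  # the shipped default

    def run(self, command):
        """Apply one iptables command line (subset of options, see module comment)."""
        args = shlex.split(command)
        if args and args[0] == "iptables":
            args = args[1:]
        rule, action, chain, position = {}, None, None, None
        i = 0
        while i < len(args):
            opt = args[i]
            if opt in ("-A", "-I", "-F", "-P"):
                action, chain = opt, args[i + 1]
                i += 2
                if opt == "-I" and i < len(args) and args[i].isdigit():
                    position = int(args[i]) - 1      # iptables numbers rules from 1
                    i += 1
                elif opt == "-P":
                    self.policy[chain] = args[i]
                    i += 1
                continue
            value = args[i + 1]
            if opt == "-p":
                rule["proto"] = value
            elif opt in ("-s", "-d"):
                rule["src" if opt == "-s" else "dst"] = ipaddress.ip_network(value, strict=False)
            elif opt == "--dport":
                rule["dport"] = _port(value)
            elif opt == "--icmp-type":
                rule["icmp_type"] = value
            elif opt == "-j":
                rule["target"] = value
            else:
                raise ValueError(f"unsupported option {opt}")
            i += 2
        if action == "-F":
            self.chains[chain].clear()
        elif action == "-A":
            self.chains[chain].append(rule)
        elif action == "-I":
            self.chains[chain].insert(0 if position is None else position, rule)

    @staticmethod
    def _matches(rule, pkt):
        for key in ("proto", "dport", "icmp_type"):
            if key in rule and rule[key] != pkt.get(key):
                return False
        for key in ("src", "dst"):
            if key in rule and ipaddress.ip_address(pkt[key]) not in rule[key]:
                return False
        return True

    def verdict(self, chain, pkt):
        """Walk the chain top-down; the first terminating match wins, else the policy."""
        for rule in self.chains[chain]:
            if self._matches(rule, pkt):
                if rule["target"] == "LOG":   # LOG records and keeps walking
                    continue
                return rule["target"]
        return self.policy[chain]


def pkt(proto, src, dst="192.168.1.40", **extra):
    """Constructed packet summary: just the fields the rules above look at."""
    return {"proto": proto, "src": src, "dst": dst, **extra}


def demo():
    """Replay the rules from the notes, then show the append-vs-insert trap."""
    fw = FilterTable()
    for cmd in ("iptables -A INPUT -p tcp --dport 901 -s 192.168.1.102 -j DROP",
                "iptables -A INPUT -p tcp --dport ssh -s 192.168.1.102 -j DROP",
                "iptables -A INPUT -p icmp --icmp-type echo-request -j DROP"):
        fw.run(cmd)
    results = {
        "swat_from_102": fw.verdict("INPUT", pkt("tcp", "192.168.1.102", dport=901)),
        "swat_from_50": fw.verdict("INPUT", pkt("tcp", "192.168.1.50", dport=901)),
        "ssh_from_102": fw.verdict("INPUT", pkt("tcp", "192.168.1.102", dport=22)),
        "ping_from_50": fw.verdict("INPUT", pkt("icmp", "192.168.1.50", icmp_type="echo-request")),
    }
    # A DROP appended below an ACCEPT for the same traffic is never reached...
    fw.run("iptables -A INPUT -p tcp --dport 80 -j ACCEPT")
    fw.run("iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j DROP")
    results["http_append"] = fw.verdict("INPUT", pkt("tcp", "192.168.1.77", dport=80))
    # ...inserted at the top it is consulted first.
    fw.run("iptables -I INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j DROP")
    results["http_insert"] = fw.verdict("INPUT", pkt("tcp", "192.168.1.77", dport=80))
    # With policy DROP, anything not explicitly accepted is discarded.
    fw.run("iptables -P INPUT DROP")
    results["udp_unlisted"] = fw.verdict("INPUT", pkt("udp", "10.0.0.1", dport=53))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The two http_* results are the point: the appended DROP is dead because the earlier ACCEPT already matched, while the same rule inserted with -I takes effect. Keep that in mind when tightening a running firewall: 'iptables -A' on a chain that already accepts the traffic changes nothing.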

 

###SuSE Firewall2 - Graphical IPTables/Netfilter Management###

Note: SuSE Firewall2 changes default policies to 'DROP'

 

 

 

 

Network Mapper (Nmap)

Note: http://www.insecure.org

rpm -Uvh nmap-version*

/usr/bin/nmap - primary utility - available to ALL users

Note: non-privileged users can use Nmap in a limited capacity (TCP-connect scans), with no stealth, in comparison to 'root'

 

NmapFE - GUI front-end, which executes Nmap via the shell

 

###Nmap usage###

nmap

nmap localhost - scans localhost using SYN(if 'root') TCP-Connect(if 'non-root') - performs TCP-scan

 

nmap 192.168.1.40

nmap -v 192.168.1.40

nmap -v -sU 192.168.1.0/24

nmap -v -sU -p 67 192.168.1.0/24

nmap -v -O 192.168.1.197

nmap -v -oN nmap.scan.1 192.168.1.0/24

 

 

Nessus - Vulnerability Scanner

Nessus scans hosts, determines available services, and, vulnerabilities

www.nessus.org

 

Note: Nessus is Client/Server App. NessusD runs on Linux Server, client runs on: Windows/Linux/Mac/Solaris/etc.

 

Note: place Nessus server in location on network that has access to entire network

 

Register with Tenable Network Security:

rpm -Uvh Nessus-3.0.3-suse10.0.i586.rpm

Note: Must apply activation code in order to receive feeds(definitions)

/opt/nessus/sbin/nessus-add-first-user - adds first user to Nessus

/opt/nessus/sbin/nessus-add-user - adds additional users to Nessus

0.0.0.0:1241 - Nessus binds to TCP:1241 by default on ALL IP addresses; firewall that port to the client hosts (or bind the daemon to a single address), since anyone reaching it gets a login prompt to a scanner with a view of your whole network

 

Nessus Client can be used to connect to multiple NessusD back-end servers via scopes

 

 

TCPDump - Packet Sniffer

Note: TCPDump produces, optionally, a TCPDump-compliant file, which is readable by many clients, including:

 1. TCPDump

 2. Ethereal

 3. Snort NIDS

 

/usr/sbin/tcpdump - is the single binary used to sniff on interfaces

 

###Usage###

tcpdump

control-C to kill

 

tcpdump -v - executes in verbose mode and returns capture synopsis

tcpdump -v -n - disables name resolution

 

tcpdump -vv - increases verbosity

 

tcpdump -v -i eth2

tcpdump -D - returns possible sniffing interfaces

tcpdump -v -i any - listens to ALL interfaces, non-promiscuous mode

 

tcpdump -v -c 5 - captures 5 packets and exits

tcpdump -q - runs in quiet mode

tcpdump -v -e - returns link header(MAC info) info

 

tcpdump -v -w capture.out - writes to capture.out file

tcpdump -v -r capture.out - replays packets in file

 

 

Note: 3 Qualifiers can be used to filter traffic:

 1. Type - host|net|port

 2. Dir - src, dst, src or dst, src and dst

 3. Proto - ip, tcp, udp, etc.

 

tcpdump -v host 192.168.1.102

tcpdump -v src 192.168.1.102

tcpdump -v -r capture.out

 

Ethereal - Network Analysis Tool

Features:

 1. Sniffer

 2. Saves sniffed traffic in TCPDump format

 3. Analyzes TCPDump-formatted data

 4. Correlates streams of packets

 

/usr/bin/ethereal - primary utility

 

Snort Network Intrusion Detection System (NIDS)

Features/Modes:

 1. Sniffer - i.e. TCPDump

 2. Packet Logger - i.e. TCPDump

 3. NIDS

 

Requires:

 1. pcre-devel*

 2. libpcap

 3. mysql-devel* (optional to support DBMS logging with MySQL)

 

Download the GPG signature and MD5 checksum files alongside the tarball

gpg --verify snort-2.6.0.2.tar.gz.sig snort-2.6.0.2.tar.gz - the signer's public key must be imported first and its fingerprint checked against the project's published fingerprint, otherwise 'Good signature' proves nothing. An MD5 sum downloaded from the same server as the tarball only detects a corrupt download, not a tampered one

 

 

###Compilation process###

 1. ./configure --

 2. make

 3. make install

 

Snort - Sniffer Mode

snort -v - dumps basic headers - timestamp, and, IP header

snort -vd - dumps application layer

snort -ve - dumps layer-2 info (MAC)

snort -vde - dumps layers 2-7

 

Snort - Logger Mode - Sniffer Mode with output sent to Screen and/or file

snort -L <file> -l ./ - logs ALL layers, minus physical, to a TCPDump-compliant binary file named <file> in the log directory given with -l

snort -v -l ./ - creates snort.log.timestamp in current directory

snort -v -b -l ./ - Binary Logging

snort -b -l ./ - Binary logging with NO ASCII output to STDOUT - drops less data

 

Snort - NIDS Mode with BASE

Steps:

 1. Reconfigure Snort with --enable-dynamicplugin option

 2. groupadd snort && useradd -g snort snort

 3. Setup /etc/snort directory tree with config files and rules

 4. Configure MySQL

 5. Invoke Snort in NIDS mode

 6. Download & configure BASE

 

1. make clean && ./configure --with-mysql --enable-dynamicplugin

2. make && make install

 

var HOME_NET 192.168.1.0/24 - set in snort.conf; the rules reference it as $HOME_NET

var RULE_PATH /etc/snort/rules - referenced as $RULE_PATH

output database: log, mysql, ... - the remainder of the line names the DB user, password, dbname and host. Because the DB password then sits in snort.conf, keep that file root-owned and not world-readable

 

mysql

 - create database snort;

 - grant ALL on snort.* to snort@localhost identified by 'snortabc123';

 - grant ALL on snort.* to snort identified by 'snortabc123'; - no host part means 'snort'@'%' (any host); only needed if Snort or BASE connects from another machine, otherwise skip it

 

mysql -pabc123 snort < create_mysql - loads Snort's MySQL schema (create_mysql, shipped in the schemas/ directory of the source tree) into the 'snort' DB

 

NIDS Mode Invocation

/usr/local/bin/snort -c /etc/snort.conf -i eth0 -u snort -g snort -D - '-D' daemonizes; '-u snort -g snort' drop root privileges to the 'snort' user and group once the capture socket is open (the course command passed only -g, which leaves the process running as root)

 

Download and extract rules files to /etc/snort/rules

 

 

BASE Installation

Requirements:

 1. php support for MySQL

 2. php gd support - optional

 3. adodb - sourceforge.net - /srv/www/adodb

 

Note: BASE extends 'snort' DB schema
