Source: contentsatshare.weebly.com/uploads/1/0/8/9/10891690/chapter_1a_v2_pdf.pdf
Posted 20-Sep-2020

CLOUD INFRASTRUCTURE AND OPERATIONS IT3202FP - CHAPTER 1A/8 Page 1

CHAPTER CONTENTS

1. Linux OS, Server System maintenance and deployment
2. Cloud Layer setup and maintenance
3. Automation: Self-service and catalogue service
4. Cloud Security
5. Backup and recovery for Cloud Infrastructure
6. Performance and tracking of resources
7. Business continuity plan
8. IT service management


Chapter 1: Server System maintenance and deployment

Topics covered:

1.1 Linux OS Concept
1.2 Linux Command Line Interface
1.3 Linux Server Security Concept
1.4 Internal and External Threats
1.5 Different Types of Attacks
1.6 Concept of Network Storage
1.7 Scripting


1.1 Linux Operating System Concept

Unix is an operating system developed by Ken Thompson and Dennis Ritchie at AT&T Bell Laboratories in the late 1960s.

Starting in 1978, a separate line of Unix, the Berkeley Software Distribution (BSD), branched off from AT&T's Unix at the University of California, Berkeley.

AT&T's System V line (notably SVR4) spawned or influenced several commercial versions of Unix, including:

1. Oracle Solaris
2. HP-UX (Hewlett-Packard)
3. AIX (IBM)
4. IRIX (Silicon Graphics)
5. Digital Unix / Tru64 Unix (Digital Equipment Corporation)

Linux was modelled on Unix.

Linux is a freely available Unix-like operating system:
- started by Linus Torvalds in 1991;
- programmers from around the world contributed code;
- the core of Linux is the Linux kernel;
- it can be downloaded from a number of sites (www.linux.org) as well as purchased in packages (called distributions) from companies such as Red Hat (www.redhat.com) and SUSE (www.suse.com).

It runs on old Intel 486 and Pentium (and later) processors, as well as SPARC, DEC Alpha and dozens of other architectures.

Ways of installing/using Linux:
- install Linux on a separate drive or hard drive partition;
- boot and use Linux from a CD-ROM or USB drive (a "live" image);
- run Linux inside another operating system (such as Windows) using a hypervisor such as VMware Player or Workstation, or Microsoft Virtual PC.

Linux Advantages

Linux is free: it can be downloaded from the Internet at no cost. There are no registration fees and no per-user costs, updates are free, and the source code is freely available in case you want to change the behaviour of your system.

Linux is portable: it runs on a very wide range of hardware platforms, and its documentation is freely available.

Linux can run for long periods without rebooting. This makes Linux suitable for environments where people do not have the time or the ability to attend to their systems night and day.

Linux is secure and versatile. Its security model is based on the Unix model (users, groups and file permissions), which is well understood and has been proven over decades. It still has to be configured and patched correctly; see the server security section later in this chapter.

Linux is scalable: it can be expanded from small to very large systems. Because the source is open, errors are usually discovered and fixed quickly, technical support is easily available, and open-source products can be inspected and audited by anyone, which is what makes them trustworthy.


Linux Disadvantages

• There are many different distributions, which makes choosing one confusing.

• Linux is not always user-friendly and can be confusing for beginners.

Linux File system

Every OS needs a file system to manage program files, data files, etc. Linux maintains a hierarchical file system, similar to what you are used to on Windows or macOS: hierarchical because directories (or folders) can be created inside other directories to form a tree.

Unlike Windows, where each drive letter has its own tree, Linux has a single tree with one root, called the root directory and represented by / (a forward slash). Other disks are attached (mounted) at directories inside that tree.

An example of a hierarchical file system is shown in Figure 1. Each boxed name represents a directory, while the unboxed names are files.

Figure 1

Linux file names are case sensitive: Report.txt and report.txt are two different files.

File name extensions like .txt, .cc or .html are optional.

Extensions are rarely required for a file to be opened by a particular application. However, it is good practice to include an extension so it is easier to tell what kind of file it is. By convention, executable programs in Linux usually have no extension.

Any directory that is not the root is called a subdirectory. The directory above a subdirectory is known as its parent. For example, in Figure 1:
- usr is a subdirectory of /;
- doc is a subdirectory of usr;
- usr is the parent directory of doc;
- / is the parent directory of usr.
The root directory is the only directory without a distinct parent: its parent entry (..) refers back to itself.


In a Linux file system,

- the bin subdirectory contains programs that correspond to core Linux commands;
- the usr subdirectory contains many other parts of the basic Linux system;
- the home subdirectory contains the home directories of all the users with accounts on the system. If your username were joe, you would store your files in the joe subdirectory of home.

The pathname of a file is the sequence of directories to follow to reach the file. For example, the pathname of the joe subdirectory is /home/joe, and the pathname of the file myfile.txt in the joe subdirectory is /home/joe/myfile.txt. These are called absolute pathnames because they contain all the information needed to find the file, starting from the root; an absolute pathname always begins with a leading forward slash. A relative pathname, on the other hand, gives the information needed to find a file from a particular point in the tree (the current working directory). For example, from the directory /home, the relative pathname of myfile.txt is just joe/myfile.txt. A relative pathname does not begin with a leading forward slash.

Linux Disks and Partitions

Disks: Linux treats its devices as files. The special directory where these device "files" live is /dev.

A standard IDE disk is named hdx:
- hda: the disk connected to the primary IDE controller as master;
- hdb: the disk connected to the primary IDE controller as slave;
- hdc: the disk connected to the secondary IDE controller as master;
- hdd: the disk connected to the secondary IDE controller as slave.

Partitions are numbered after the disk name (hda1, hda2, ...). Current kernels use the sdX names (sda, sdb, ...) for SATA, SCSI and USB disks and nvmeXnY for NVMe drives, with partitions named sda1, nvme0n1p1 and so on.

Before the file system on a device can be used, it must be mounted. The mount command attaches a filesystem, located on a device, to a directory (the mount point) in the file tree.

Linux File Permissions

Every file or directory in Linux has access permissions. There are three types of permission:

• read (r)
• write (w)
• execute (x)

Permissions are defined for three classes of user:

• the owner of the file
• the group associated with the file (not necessarily the owner's own group)
• other users (everyone else)

Linux file permissions are therefore nine bits of information (3 permission types x 3 user classes), each of which has one of two values: allowed or denied.

They are shown in a long directory listing (ls -l) as a 10-character string. The first character shows the file type. The next nine characters are the permissions, in three groups of three symbols, rwx in this order, for owner, group and others. A dash "-" marks a denied permission, e.g. rw-r-xr-- means owner read and write, group read and execute, others read only.

Symbols in positions 1 to 3 are the permissions for the owner of the file, positions 4 to 6 for the group, and positions 7 to 9 for others.

Example:

d rwx rwx rwx
0 123 456 789
  owner group others

(r = read, w = write, x = execute; d = directory)

The first character can be:

"d" = directory, e.g. drwxrwxrwx
"-" = regular file, e.g. -rwxrwxrwx
"l" = symbolic link, e.g. lrwxrwxrwx
"s" = Unix domain socket, e.g. srwxrwxrwx
"p" = named pipe, e.g. prwxrwxrwx
"c" = character device file, e.g. crwxrwxrwx
"b" = block device file, e.g. brwxrwxrwx

In the slide's example, "chem" is a directory listed as drwxrwxr-x, i.e. with the following permissions:

Owner = rwx, group = rwx and others = r-x

r  Read access is allowed
w  Write access is allowed
x  Execute access is allowed (for a directory, this is the permission to enter it and reach its entries by name)
-  Replaces "r", "w" or "x" when that type of access is denied


With 3 binary bits per user class, each permission triple can be written as a single octal digit:

Octal  Text  Binary  Meaning
0      ---   000     All types of access are denied
1      --x   001     Execute access only
2      -w-   010     Write access only
3      -wx   011     Write and execute access
4      r--   100     Read access only
5      r-x   101     Read and execute access
6      rw-   110     Read and write access
7      rwx   111     Read, write and execute are all allowed

The three digits for owner, group and others are combined into the mode given to chmod: chmod 755 file produces rwxr-xr-x, and chmod 640 file produces rw-r-----.
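The mapping between the symbolic rwx string and the octal digits above, together with the special bits (setuid, setgid, sticky) that ls shows in the execute column, is easy to get wrong by hand. The following Python is an added example, not part of the slides: it converts an ls -l mode string to octal and back and flags the modes a security review looks for (world-writable files, setuid or setgid executables). The mode strings used are constructed inputs, not taken from any real system.

```python
"""Symbolic <-> octal permission conversion and a simple audit of risky modes."""
from typing import List

# File-type character that opens an `ls -l` mode string.
FILE_TYPES = {
    "-": "regular file", "d": "directory", "l": "symbolic link",
    "s": "socket", "p": "named pipe", "c": "character device", "b": "block device",
}


def parse_mode(mode: str) -> dict:
    """Convert a 10-character ls -l mode such as 'drwxrwxr-x' to its octal form.

    The execute column can also carry the special bits: s/S in the owner
    and group triples (setuid, setgid) and t/T in the others triple
    (sticky). Upper case means the special bit is set while the execute
    bit itself is not.
    """
    if len(mode) != 10 or mode[0] not in FILE_TYPES:
        raise ValueError(f"not an ls -l mode string: {mode!r}")
    perm = 0      # the nine rwx bits
    special = 0   # setuid=4, setgid=2, sticky=1
    for who, triple in enumerate((mode[1:4], mode[4:7], mode[7:10])):
        r, w, x = triple
        bits = (4 if r == "r" else 0) | (2 if w == "w" else 0)
        if x in "xst":                 # lower case: the execute bit is set
            bits |= 1
        if x in "sS" and who == 0:
            special |= 4               # setuid
        elif x in "sS" and who == 1:
            special |= 2               # setgid
        elif x in "tT" and who == 2:
            special |= 1               # sticky
        elif x not in "x-":
            raise ValueError(f"bad execute column {x!r} in {mode!r}")
        perm = (perm << 3) | bits
    return {
        "type": FILE_TYPES[mode[0]],
        "octal": f"{special:o}{perm:03o}",   # e.g. '4755', '0775'
        "value": (special << 9) | perm,
    }


def to_symbolic(value: int, type_char: str = "-") -> str:
    """Inverse of parse_mode: to_symbolic(0o4755) == '-rwsr-xr-x'."""
    out = [type_char]
    for who, special_bit in enumerate((0o4000, 0o2000, 0o1000)):
        bits = (value >> (6 - 3 * who)) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        executable = bool(bits & 1)
        if value & special_bit:
            letter = "t" if who == 2 else "s"
            out.append(letter if executable else letter.upper())
        else:
            out.append("x" if executable else "-")
    return "".join(out)


def audit_mode(mode: str) -> List[str]:
    """Return the findings a security review would raise for one ls -l mode."""
    info = parse_mode(mode)
    v = info["value"]
    findings = []
    # World-writable is acceptable only on a sticky directory such as /tmp,
    # where users may create files but not remove each other's.
    if v & 0o002 and not (info["type"] == "directory" and v & 0o1000):
        findings.append("world-writable")
    if v & 0o4000:
        findings.append("setuid: runs with the owner's uid")
    if v & 0o2000 and info["type"] == "regular file":
        findings.append("setgid: runs with the file's gid")
    return findings


if __name__ == "__main__":
    for m in ("drwxrwxr-x", "-rwsr-xr-x", "drwxrwxrwt", "-rw-rw-rw-"):
        print(m, parse_mode(m)["octal"], audit_mode(m))
```

The same parser can be fed the first column of `ls -l` output on a real host; anything it reports as world-writable outside a sticky directory, or as setuid, deserves a second look.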

Linux Users and Groups

Linux is a multi-user operating system: more than one user can make use of the system's resources at the same time. Resources include disk, memory, processing time on the CPU, etc., and are shared among the users.

Linux Username

Each user has an associated Linux username.

The username maps to a unique numeric identifier called the user id (uid for short).

Files and directories on disk, and processes (executing programs), are stamped with their owner's uid.

The uid, not the name, is what the kernel uses for every access check. To see what your uid is, enter the command:

$ id username

It will print something like uid=500(username) gid=500(username) groups=500(username). (Older Red Hat releases numbered regular users from 500; most current distributions start at 1000.)


Root User or Super user

There is a special user on each Linux system called the root user, also called the "superuser".

The root user acts as the system administrator and has the authority (and privileges) to create users and directories, modify any file, and so on.

Two ways to use root privileges:
- log in as the root user, or
- run individual commands through the sudo program ("superuser do"), which checks /etc/sudoers and logs each command together with the name of the user who ran it. sudo is preferred on servers because it avoids sharing the root password and leaves an audit trail.

Groups in Linux

In Linux, a group is a collection of users. Each user belongs to one or more groups (one primary group plus any number of supplementary groups). A group is identified by a group id (gid for short). A gid is also stamped on each file and process. To see what your gid is, use the id program: $ id username

Directories

Linux "folders" are called directories. The top-level, root directory is called /. Your home directory is /home/username. From anywhere in the tree you can get back to it by typing cd with no arguments.

Some frequently used commands are as follows:

Command         Function                                                     Examples
cd              Change directory                                             cd, cd .., cd /home/catyp
pwd             Print working directory                                      pwd
mkdir           Make a new subdirectory                                      mkdir newdirectory
rmdir           Remove an (empty) directory                                  rmdir emptydirectory
ls              List files in a directory                                    ls, ls -l
mv              Rename (move) a file                                         mv oldname newname
cp              Copy a file                                                  cp oldname newname, cp oldname dirname/
rm              Delete (remove) a file                                       rm filename, rm file1 file2 file3, rm -r dirname
cat             Output the contents of a file to the screen                  cat filename
file            Identify the type of a file                                  file filename
chmod           Change access permissions on file(s)                         chmod mode filename
passwd          Change your password                                         passwd
kill            Stop a process by its process id (the PID shown by ps)       kill -TERM process-id, kill -9 process-id
tar             Create / expand / query archives                             tar cvf arch.tar somedir/, tar xvf arch.tar
mount           Make a device visible in the filesystem (CD-ROMs, USB       mount /mnt/floppy
                drives, floppies)
umount          Un-mount a device from its mount point                       umount /mnt/floppy
df              Report used disk space on the partition containing a file    df file
find            Find files in the file system hierarchy                      find path expression
grep            Print lines in a file containing the search pattern          grep PATTERN file
ifconfig        Configure or display a network interface                     ifconfig
exit or logout  Leave this session                                           exit

Notes: kill -TERM asks the process to exit cleanly; kill -9 (SIGKILL) cannot be caught and gives the process no chance to clean up, so try TERM first. ifconfig is a legacy tool; current distributions ship the ip command from iproute2 (ip addr, ip link, ip route) instead.


Using the vi Editor

vi (pronounced "vee-eye") is short for "visual" editor. It displays a window into the file being edited (traditionally 24 lines of text). vi is a text editor, not a "what you see is what you get" word processor: it lets you add, change and delete text, but does not provide formatting capabilities such as centring lines or indenting paragraphs. The following explains the basics of vi:

Open an existing file - vi filename, where "filename" is the name of the existing file.

To create a new file : vi newname, where "newname" is the name you wish to give the new file.

On-screen, you will see blank lines, each with a tilde (~) at the left, and a line at the bottom giving the name and status of the new file:

~ "newname" [New file]


Text editing command keys

Press "i" = enter insert mode
Press "Esc" = return to command mode

In command mode (after pressing Esc):
"j" = move cursor down
"k" = move cursor up
"l" = move cursor right
"h" = move cursor left
"x" = delete one character
"dw" = delete one word
"dd" = delete one line
"a" = append text after the cursor
"o" = open a blank line below the current line and start inserting
"u" = undo your most recent edit
":w" = save the changes you have made
":wq" = save changes and exit vi
":q" = exit vi (refuses if there are unsaved changes)
":q!" = exit vi, discarding unsaved changes

Linux system configuration and setting

Every Linux program is an executable file holding the machine instructions (opcodes) the CPU executes. For instance, the ls command is provided by the file /bin/ls, which holds the instructions needed to display the list of files in the current directory on the screen.

Is there a standard configuration file format in Linux? No. Each programmer is free to choose the configuration file format he or she prefers. One example is the /etc/shells file, which contains a list of permitted login shells, one per line.

What are system configuration files? The system needs to know which users and groups exist and to enforce file permissions. The kernel itself works only with numeric uids and gids; the mapping to names, and the hashed passwords, live in files such as /etc/passwd, /etc/group and /etc/shadow, which programs read through C library functions such as getpwnam(3) and getspnam(3). These are library functions, not system calls: the kernel never reads these files itself.

Most of the configuration files in a Red Hat Linux system are in the /etc directory unless otherwise specified. The configuration files can be classified into the following categories.


Cat 1: Access files

Example:

/etc/host.conf  Legacy resolver configuration that tells the C library how to look up hostnames (normally /etc/hosts first, then the name server). On glibc-based systems the lookup order is now set by the hosts line of /etc/nsswitch.conf.

/etc/hosts  Contains a list of known hosts (in the local network). Can be used if the IP address of the system is not dynamically assigned. For simple hostname resolution (name to dotted notation), the resolver normally consults this file before asking the network name server (DNS or NIS).

Cat 2: Dummy file systems

The kernel exposes some of its data structures through a dummy (virtual) filesystem known as the /proc filesystem. Many system utilities read values from /proc to display system statistics.

/etc/mtab  Records the filesystems currently mounted. It changes continuously as the kernel's mount table (/proc/mounts) changes: when filesystems are mounted or unmounted, the change is reflected immediately. On current systems /etc/mtab is usually a symbolic link to /proc/self/mounts.

/etc/fstab  Lists the filesystems the computer knows how to mount, with their device, mount point, type and options. At boot the system runs mount -a, which mounts every entry not marked noauto in the options column. The last two columns are the dump flag and the fsck pass number, not mount flags.

/etc/mtools.conf  Configuration for the mtools operations (mdir, mcopy, mformat, etc.) on DOS-type filesystems.

Cat 3: System administration files

/etc/group  Contains the valid group names and the users included in each group. A single user can be present in more than one group if he or she performs multiple tasks. The format is group_name:password:gid:user_list; for example, if "user" is a member of the project group "project1", the line looks like:

project1:x:1001:user

(The x means that the group password, if any, is kept in /etc/gshadow.)

/etc/nologin  If the file /etc/nologin exists, login(1) allows access only to root. Other users are shown the contents of this file and their logins are refused.


/etc/passwd  See "man 5 passwd". Holds user account information: username, uid, gid, home directory and login shell. The password field holds only an x when passwords are shadowed, which is the default today; the file itself is world-readable.

/etc/usertty  (Historical) additional per-user login restrictions, such as permitted terminals and times, read by older versions of login(1).

/etc/shadow  Contains the hashed password for each account and optionally the password ageing information. Only root can read it. The colon-separated fields are:

1. Login name
2. Hashed password (an empty field means the account has no password, so a local login may succeed without one depending on the PAM configuration; a leading ! or * means the password is locked)
3. Days since 1 Jan 1970 that the password was last changed
4. Minimum number of days before the password may be changed again
5. Maximum number of days after which the password must be changed
6. Days before password expiry that the user is warned
7. Days after password expiry until the account is disabled
8. Days since 1 Jan 1970 on which the account is disabled (the expiry date)
9. Reserved for future use (empty)
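The field layout above is exactly what a password-ageing audit has to read. The following Python is an added example (not from the slides): it parses constructed /etc/shadow-style records, classifies the password field (empty, locked, or the crypt(3) scheme named by its $id$ prefix) and reports expired passwords and accounts for a given "today", expressed as the file does, in days since 1 Jan 1970. The sample records and the hash strings are made up; on a real host the input would be /etc/shadow read as root.

```python
"""Audit /etc/shadow-style records for weak or expired account state."""
from dataclasses import dataclass
from typing import Dict, List, Optional

NEVER = 99999  # conventional "maximum days" meaning the password never expires

# crypt(3) scheme identifiers that can prefix the hash field
HASH_ALGOS = {
    "$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256", "$6$": "sha512", "$7$": "scrypt", "$y$": "yescrypt",
}
WEAK_ALGOS = {"md5", "des"}

# Constructed sample; the hash strings are placeholders, not real digests.
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholderhash:19500:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$placeholderhash:19300:0:90:7:14::
bob::19400:0:99999:7:::
carol:!$6$saltsalt$placeholderhash:19450:0:99999:7:::
dave:$6$saltsalt$placeholderhash:19000:0:99999:7::19600:
eve:$1$abcd$placeholderhash:19500:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    name: str
    hashed: str
    last_change: Optional[int]   # days since 1970-01-01
    min_days: Optional[int]
    max_days: Optional[int]
    warn_days: Optional[int]
    inactive_days: Optional[int]
    expire: Optional[int]        # days since 1970-01-01; account disabled from here


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one record into its nine colon-separated fields (the ninth is reserved)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"expected 9 fields, got {len(parts)}: {line!r}")
    name, hashed, *ageing, _reserved = parts
    return ShadowEntry(name, hashed, *[_int_or_none(f) for f in ageing])


def hash_algorithm(hashed: str) -> str:
    """'empty' for no password, 'locked' for a !/* prefix, else the crypt scheme."""
    if hashed == "":
        return "empty"
    if hashed[0] in "!*":
        return "locked"
    for prefix, algo in HASH_ALGOS.items():
        if hashed.startswith(prefix):
            return algo
    return "des"   # no $id$ prefix: traditional 13-character DES crypt


def audit_entry(entry: ShadowEntry, today: int) -> List[str]:
    """Findings for one account, given today's date in days since the epoch."""
    findings = []
    algo = hash_algorithm(entry.hashed)
    if algo == "empty":
        findings.append("empty password field: login without a password")
    elif algo == "locked":
        findings.append("locked (no password login)")
    elif algo in WEAK_ALGOS:
        findings.append(f"weak hash algorithm ({algo})")
    if entry.expire is not None and today >= entry.expire:
        findings.append("account expired")
    if entry.last_change is not None and entry.max_days not in (None, NEVER):
        expired_on = entry.last_change + entry.max_days
        if today > expired_on:
            findings.append(f"password expired {today - expired_on} days ago")
            if entry.inactive_days is not None and today > expired_on + entry.inactive_days:
                findings.append("inactive period elapsed: account disabled")
    return findings


def audit_shadow(text: str, today: int) -> Dict[str, List[str]]:
    """Map each login name to its list of findings."""
    entries = (parse_shadow_line(l) for l in text.splitlines() if l.strip())
    return {e.name: audit_entry(e, today) for e in entries}


if __name__ == "__main__":
    for name, findings in audit_shadow(SAMPLE_SHADOW, today=19600).items():
        print(f"{name:8} {findings or 'ok'}")
```

The "empty" finding is the one to act on first: an account with an empty second field is reachable without any credential wherever PAM permits null passwords.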

/etc/shells  Holds the list of login shells permitted on the system.

/etc/motd  Message Of The Day; used when an administrator wants to convey a message to all users of a Linux server at login.

Cat 4: Networking files

/etc/networks  Lists names and addresses of networks reachable from the network the machine is connected to. Used by the route command; allows a network to be referred to by name.

/etc/resolv.conf  Tells the resolver library (not the kernel) which name servers to query when a program asks to resolve a hostname to an IP address, and which search domains to try.

/etc/exports  The filesystems to be exported over NFS and the permissions for each.

/etc/services  Translates network service names to port number/protocol. Read by inetd, telnet, tcpdump and other programs, via the getservbyname(3) family of C library routines.


Cat 5: System commands

System commands are meant to control the system and make everything work properly. Examples are login (which performs the authentication of a user on the console) and bash (which provides the interaction between a user and the computer). The files associated with them are therefore particularly important. This category has the following files of interest to users and administrators.

/etc/lilo.conf  Contains the default boot command-line parameters and the kernel images the LILO boot loader can boot; pressing Tab at the LILO prompt shows this list. (Current distributions use GRUB instead, configured through /etc/default/grub and /boot/grub/grub.cfg.)

/etc/logrotate.conf  Controls the rotation, compression and retention of the log files in /var/log.

/etc/inittab  Chronologically the first configuration file in Unix. The first program launched after a Unix machine is switched on is init, which knows what to launch thanks to inittab. It is read by init at run level changes and controls the startup of the main processes. On systemd-based distributions inittab is no longer used; the default target (for example multi-user.target) plays the same role.

Cat 6: Daemons

A daemon is a program running in non-interactive mode. Typically, daemon tasks are related to networking: they wait for connections so that they can provide services through them. Many daemons are available for Linux, ranging from Web servers to FTP servers.

Common ones are in.ftpd (FTP server daemon), in.telnetd (telnet server daemon) and syslogd (system logging daemon). Plain FTP and telnet send passwords in clear text, so on current systems they are replaced by sshd, which provides both remote login and file transfer (sftp/scp).

Some daemons reload their configuration files automatically when they change, but most do not: they must be told to re-read them (for example with a SIGHUP, or systemctl reload) or be restarted.

Cat 7: The kernel

When any configuration file is changed, the whole Linux system can be affected. For example, adding a user to the passwd file enables that user immediately, because the file is consulted at every login.

Cat 8: User programs

A user or system program reads its configuration file every time it is launched. So, the first time a user program is started, the default configuration is read from the files in the /etc directory. Later, the user can customise the program with rc and . (dot) files in their home directory (for example ~/.bashrc), which override the system-wide defaults.

Basic Server Security Concept

A firewall is a network device with two or more network interfaces —one connected to the protected internal network and the other connected to unprotected networks, such as the Internet. The firewall controls access to and from the protected internal network.

The firewall runs software that examines the network packets arriving at its interfaces and acts on each one according to a set of rules, so that only authorized traffic flows between the two interfaces. Configuring the firewall means setting up those rules properly. The recommended strategy is default deny: reject all network traffic, then enable only the limited set of packets that must pass, such as the connections internal users need to visit Web sites and receive electronic mail. To be useful, a firewall has the following general characteristics:

It must control the flow of packets between the Internet and the internal network.

It must not run dynamic routing, because dynamic routing tables are subject to route spoofing (the injection of fake routes by intruders). Instead, the firewall uses static routing tables (which you can set up with the route or ip route command on Linux systems).

It must not allow any external user to log in as root. That way, even if the firewall system is compromised, the intruder is blocked from using root privileges from a remote login.

It must be kept in a physically secure location.

It must distinguish between packets that come from the Internet and packets that come from the internal protected network. This lets the firewall reject packets that arrive on the external interface but carry the IP address of a trusted system on the internal network (anti-spoofing).

Its user accounts are limited to the few internal users who need access to external systems. External users who need access to the internal network should use SSH (or a VPN) for remote access.

It keeps a log of all system activities, such as successful and unsuccessful login attempts.

It provides DNS name-lookup service to the outside world only for the hostnames that are meant to be known to the outside world.

It provides good performance so that it does not hinder the internal users' access to specific Internet services (such as HTTP and FTP).

A firewall can take many different forms. Here are three common ones:

Form 1: Packet filter firewall. This simple firewall uses a router capable of filtering (blocking or allowing) packets according to a number of their characteristics, including:
- the source and destination IP addresses,
- the network protocol (TCP or UDP),
- the source and destination port numbers.
Packet filter firewalls:
- are usually placed at the outermost boundary with an untrusted network and form the first line of defence;
- are fast and flexible, but cannot prevent attacks that exploit application-specific vulnerabilities or functions;
- can log only a minimal amount of information, such as source IP address, destination IP address and traffic type;
- are vulnerable to attacks that take advantage of flaws within the TCP/IP protocols, such as IP address spoofing.

Form 2: Stateful inspection firewall. This type of firewall:
- keeps track of the network connections that applications are using. When an application on an internal system opens a connection to a remote system, a port is also opened on the internal system; a stateless filter that lets "replies" in by source port alone leaves that port, and every other internal port, reachable to unauthorized users;
- creates a state table of outbound network connections, along with each session's corresponding internal port, and uses this state table to validate any inbound packet: only packets that match a tracked connection are accepted;
- is more secure than a packet filter because it tracks internal ports individually rather than opening all internal ports to external access.

Form 3: Application-proxy gateway firewall. This firewall acts as an intermediary between internal applications and external servers such as a Web server. No direct network connection is ever made from the inside client host to the external server. Application proxies:
- inspect traffic more thoroughly than packet filter and stateful inspection firewalls, because they understand the application protocol;
- spend more time reading and interpreting each packet, so they are not well suited to high-bandwidth or real-time applications.
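The difference between Form 1 and Form 2 is easiest to see with packets in hand. The following Python is an added illustration, not from the slides and not a real firewall: a stateless filter that admits "replies" by source port alone, beside a default-deny stateful filter that records outbound flows, admits inbound packets only when they reverse a recorded flow, and applies the anti-spoofing check described above. The topology (10.0.0.0/24 behind the firewall, 203.0.113.1 as its external address, other documentation-range addresses for outside hosts) and every packet are constructed for the example.

```python
"""Stateless versus stateful packet filtering, with an anti-spoofing check."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed topology: 10.0.0.0/24 behind the firewall, 203.0.113.1 on its external side.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")
FIREWALL_EXT_ADDR = "203.0.113.1"
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}  # web and DNS only


@dataclass(frozen=True)
class Packet:
    iface: str   # "ext" or "int": the interface the packet arrived on
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


def stateless_filter(p: Packet) -> str:
    """Form 1: decides on header fields alone.

    'Established' traffic is approximated by source port, so anyone who
    sets sport=443 reaches any internal port, and a forged internal
    source address is not even noticed.
    """
    if p.iface == "int":
        return "ACCEPT"
    if p.proto == "tcp" and p.dport == 22 and p.dst == FIREWALL_EXT_ADDR:
        return "ACCEPT"
    if p.proto == "tcp" and p.sport in (80, 443) and not p.syn:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Form 2: default deny, with a state table of flows that were allowed to start."""

    def __init__(self) -> None:
        # (proto, inside address, inside port, outside address, outside port)
        self.state: Set[Tuple[str, str, int, str, int]] = set()
        self.log: List[str] = []

    def filter(self, p: Packet) -> str:
        src = ipaddress.ip_address(p.src)
        # Anti-spoofing: an internal address must never arrive on the external interface.
        if p.iface == "ext" and src in INTERNAL_NET:
            return self._drop(p, "internal source address on external interface")
        if p.iface == "int":
            if src not in INTERNAL_NET:
                return self._drop(p, "non-internal source on internal interface")
            if (p.proto, p.dport) in ALLOWED_OUTBOUND:
                self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return "ACCEPT"
            return self._drop(p, "outbound service not permitted")
        # External interface: the only exposed service is SSH to the firewall itself.
        if p.proto == "tcp" and p.dport == 22 and p.dst == FIREWALL_EXT_ADDR and p.syn:
            self.state.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return "ACCEPT"
        # Otherwise the packet must be the reverse of a flow already in the table.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "ACCEPT"
        return self._drop(p, "no matching state")

    def _drop(self, p: Packet, reason: str) -> str:
        self.log.append(f"DROP {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} ({p.iface}): {reason}")
        return "DROP"


# Constructed traffic: one legitimate web session, two attacks, one admin login.
SCENARIO = (
    ("outbound", Packet("int", "10.0.0.5", "198.51.100.7", "tcp", 40000, 443, syn=True)),
    ("reply",    Packet("ext", "198.51.100.7", "10.0.0.5", "tcp", 443, 40000)),
    ("probe",    Packet("ext", "198.51.100.9", "10.0.0.5", "tcp", 443, 3306)),   # forged "reply" aimed at MySQL
    ("spoofed",  Packet("ext", "10.0.0.7", "10.0.0.5", "tcp", 443, 22)),         # internal address from outside
    ("ssh_in",   Packet("ext", "192.0.2.10", FIREWALL_EXT_ADDR, "tcp", 50000, 22, syn=True)),
)


def run_scenario() -> dict:
    """Run the constructed packets through both filters and return the verdicts."""
    fw = StatefulFilter()
    return {
        "stateless": {name: stateless_filter(p) for name, p in SCENARIO},
        "stateful": {name: fw.filter(p) for name, p in SCENARIO},
        "stateful_drops": fw.log,
    }


if __name__ == "__main__":
    for kind, verdicts in run_scenario().items():
        print(kind, verdicts)
```

The probe and the spoofed packet are the two that separate the forms: the stateless filter passes both because their headers look like replies, while the stateful filter drops the probe for lacking a matching flow and the spoofed packet for carrying an inside address on the outside interface.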


Choice of firewall Most firewalls implement a combination of these firewall functionalities. For example, many vendors of packet filter firewalls or stateful inspection firewalls have also implemented basic application-proxy functionality to offset some of the weaknesses associated with their firewalls. In most cases, these vendors implement application proxies to provide better logging of network traffic and stronger user authentication. Nearly all major firewall vendors have introduced multiple firewall functions into their products in some manner.

Linux system security best practices

Practice 1: Scanning for malware

To keep your system safe and healthy, consider using a scanner (for example rkhunter or chkrootkit) to probe the system for unexpected changes such as modified system binaries or hidden processes. There are many free utilities that do a decent job of this.

Practice 2: Anti-virus

Anti-virus software acts as another layer of protection for your system. On Linux there is ClamAV (and the KlamAV front-end for KDE), as well as a number of commercial products that ship a Linux version.

With anti-virus installed, you can scan files you receive before forwarding them to other users. That way you may break the chain of accidental malware spreading, even when the malware targets Windows rather than Linux.

Practice 3: Startup applications and services

Some undesired processes may be left running, hogging resources and possibly exposing your machine to threats. By trimming the applications and services started at boot (on systemd systems: systemctl list-unit-files --state=enabled, then systemctl disable for what is not needed), you reduce the system's exposure.

Practice 4: Read your logs: /var/log/messages

This is the general system log on Red Hat-style systems (Debian and Ubuntu use /var/log/syslog; on systemd-based systems journalctl reads the same events from the journal). Almost everything goes in there. Reading it gives an indication of possible system issues, including software errors, as well as security-related items.

Practice 5: /var/log/secure

On Red Hat-style systems, sshd and sudo messages (the authpriv syslog facility) are logged to a separate file, /var/log/secure (Debian and Ubuntu: /var/log/auth.log). Examine it for privilege escalation attempts (sudo denials, su failures) and for remote connection attempts (repeated "Failed password" lines from one source).

Practice 6: Examine logged-in users

There are many ways of doing this. w, who, last and lastlog read the utmp, wtmp and lastlog records and show current and past sessions; the most accurate picture, however, comes from the ps output, which shows processes running under a user who has no interactive session at all.
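Reading /var/log/secure by eye does not scale past a handful of hosts. The following Python is an added example (not from the slides) of the checks Practices 4 and 5 describe: it runs over a constructed set of sshd and sudo lines in the rsyslog format and reports failed logins per source, a successful login from a source that had already failed repeatedly (a probable brute-force success), remote root logins by password, sudo denials, and the commands run through sudo. The log lines, hostname and addresses are constructed; the regular expressions follow the OpenSSH and sudo message formats.

```python
"""Triage sshd and sudo messages from /var/log/secure (or auth.log)."""
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample in rsyslog + OpenSSH/sudo message format; not from a real host.
SAMPLE_SECURE_LOG = """\
Sep 20 10:01:02 srv1 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Sep 20 10:01:05 srv1 sshd[2103]: Failed password for root from 198.51.100.23 port 51236 ssh2
Sep 20 10:01:09 srv1 sshd[2105]: Failed password for root from 198.51.100.23 port 51240 ssh2
Sep 20 10:01:14 srv1 sshd[2107]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:constructedfingerprint
Sep 20 10:02:00 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd
Sep 20 10:02:30 srv1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Sep 20 10:03:00 srv1 sshd[2111]: Failed password for root from 198.51.100.23 port 51250 ssh2
Sep 20 10:03:05 srv1 sshd[2113]: Accepted password for root from 198.51.100.23 port 51252 ssh2
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
SUDO_DENIED = re.compile(r"sudo:\s+(\S+) : user NOT in sudoers")
SUDO_OK = re.compile(r"sudo:\s+(\S+) : TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")


def analyze(log_text: str, threshold: int = 3) -> dict:
    """Return per-source failure counts and the events worth a closer look.

    threshold: failures seen from one source before a later success from
    that source is reported as a probable brute-force success.
    """
    failed_by_source: Counter = Counter()
    accepted: List[Tuple[str, str, str]] = []             # (user, source, method)
    brute_force_success: List[Tuple[str, str, str]] = []  # (source, user, method)
    root_logins: List[Tuple[str, str]] = []               # (source, method)
    sudo_commands: List[Tuple[str, str, str]] = []        # (user, target user, command)
    sudo_denied: List[str] = []

    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failed_by_source[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, source = m.groups()
            accepted.append((user, source, method))
            # Counter returns 0 for an unseen source without inserting it.
            if failed_by_source[source] >= threshold:
                brute_force_success.append((source, user, method))
            if user == "root":
                root_logins.append((source, method))
            continue
        m = SUDO_DENIED.search(line)
        if m:
            sudo_denied.append(m.group(1))
            continue
        m = SUDO_OK.search(line)
        if m:
            sudo_commands.append(m.groups())

    return {
        "failed_by_source": dict(failed_by_source),
        "accepted": accepted,
        "brute_force_success": brute_force_success,
        "root_logins": root_logins,
        "sudo_commands": sudo_commands,
        "sudo_denied": sudo_denied,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_SECURE_LOG).items():
        print(f"{key}: {value}")
```

A root login by password from the same source that produced the failures is the line an operator should be paged for; it also violates the firewall rule stated earlier that no external user may log in as root.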


Practice 7: Other tools

You also have a range of other utilities available, such as ss or netstat (which list the sockets your machine is listening on) and nmap (which scans it from the outside), to examine your machine's network visibility and confirm that only the services you expect are reachable.

Internal and External threats

Threats to any computer network arise from both external and internal entities. External threats include unauthorized access by outsiders such as hackers, virus attacks, etc. Internal threats arise from the network's own users, knowingly or unknowingly, through malicious intent and/or ignorance. For example, a person can leave a computer unattended, exposing it to others who are not authorized to access the information. Another example of an internal threat is a person downloading something from the Internet that results in a malware infection.

Hackers and external threats can disrupt your business by sending malicious code or a Trojan horse, which conceals itself inside a known or seemingly safe program. The user opens the attachment or clicks on the link, and in the blink of an eye a malicious hacker has entered your server, database and network. A disgruntled ex-employee who wants personal revenge and decides to spam every inbox in your network is another form of external threat. No matter the reason, if you use the Internet at all, these "bad guys" have a way into your network, and the only way to keep the garbage out is to protect your systems and network comprehensively.

Internal threats and accidents are similar in that an employee can unknowingly misuse access privileges and leave important passwords and security questions exposed to someone monitoring the system through spyware. This can be a simple mistake, an accident or an intentional act, but either way important and confidential information is at risk. Employees have to use the Internet while working, and during their searches they may visit sites that are not work-related and that host harmful software, which needs only a split second to gain access to your network and begin a series of chaotic actions that could, in extreme cases, shut the whole network down.

Once you know the dangers that exist, you can take proactive steps to prevent them. Protect your computers, servers, databases and network through a variety of security controls: network monitoring, managed security patching, firewall installation, intrusion detection programs, and managed anti-virus and anti-spyware software all play a part in securing your line-of-business applications, as does, in some cases, restricting Internet use to work-related sites.