linuxcbt feat. suse 10 ent. editiongarme/public/linuxcbt_feat._suse10... · 2007. 9. 25. · grep...

LinuxCBT feat. SUSE 10 Enterprise Edition Training Notes – 20061002.01




Table of Contents

Boot Process ... 4
Basic GNU/Linux/UNIX Command Line Interface (CLI) Utilities ... 4
Standard Linux Shell Rules ... 5
Secure Shell (SSH) ... 5
Virtual Network Computing (VNC) ... 6
RDesktop Client (RDP) ... 6
Name Resolution Utilities ... 7
NETSTAT ... 7
IFCONFIG ... 8
RPM ... 8
User & Group Creation/Management ... 8
File Permissions ... 8
Symbolic Links (Shortcuts) ... 10
Provisioning of additional file systems/mount points ... 10
RAID Partitions ... 11
Logical Volume Management - Disk Aggregation Mechanism ... 11
SWAP Storage Provisioning ... 12
SYSLOG-NG Implementation ... 12
Log Rotation ... 13
Cron - System Scheduler ... 13
Network Time Protocol (NTP) ... 14
BIND DNS Configuration ... 14
DHCPD - Server ... 15
Samba Services - Integrates Windows with Unix/Linux ... 16
Samba Web Administration Tool (SWAT) ... 16
Network File System (NFS) ... 17
Remote Synchronization (RSYNC) ... 18
Apache HTTPD - Web Server ... 18
Apache Logging ... 21
Virtual Hosts (VHOSTS) ... 21
MySQL Implementation ... 22
PHPMyAdmin - Implementation ... 25
Postfix MTA ... 25
Courier-MTA - IMAP ... 26
SquirrelMail - Web-based Mail integration ... 27
Pure-FTPD ... 27
Xen Virtualization ... 28
XINETD - Super Server ... 28
TCP Wrappers - tcpd ... 29
IPTables Implementation & Operation ... 30
IPTables Usage ... 30
Network Mapper (Nmap) ... 31
Nessus - Vulnerability Scanner ... 31
TCPDump - Packet Sniffer ... 32
Ethereal - Network Analysis Tool ... 32
Snort Network Intrusion Detection System (NIDS) ... 33
BASE Installation ... 34


Boot Process

1. BIOS - Initializes hardware
2. Grand Unified Boot Loader (GRUB) - Stage 1 (Master Boot Record - 512 bytes) -> Stage 1.5 (File system drivers (XFS, EXT2, EXT3, ReiserFS))
3. OS (Linux) Kernel - Initializes/Detects/provides support for hardware
4. INIT (PID=1) - Loads services for various run levels (cumulative)

###INIT - The First User-mode Process###
/etc/inittab

Runlevel (0-6) Definitions:
0 - shutdown
1 - single user mode - NO Networking
2 - Multi-user, minus NFS & networking
3 - Multi-user
4 - Unused, reserved for ISVs, or for customization
5 - Multi-user with graphics (X11/X.org)

/etc/init.d/runlevel directory (/etc/init.d/rc5.d) - Contains symlinks to programs in /etc/init.d, prefixed with K (Kill) or S (Start) - Each service/daemon is started/killed in numerical order; i.e. K01acpid, K09apmd

Basic GNU/Linux/UNIX Command Line Interface (CLI) Utilities

tty - reveals current Teletype Terminal (TTY)
w - reveals currently logged-in sessions
ls / dir (alias to ls -l)
ls -lF - returns long format and '/' at the end of directories
ls -lF | grep /
touch - creates empty files / updates time stamps (atime/mtime) on objects
rm - removes objects (files/directories/etc.)
echo - echoes values and variables
echo $? - returns exit status of previously-executed command
set || env - reveals current shell variables
pwd - returns working directory
cd - changes directories; with no options, places us in HOME directory
mkdir - creates a directory
whoami - returns currently logged-in user
su - switches users

BASH communicates user status (privileged/non-privileged) via the prompt:
1. prompt that terminates with '#' reflects 'root' user
2. non-'#' prompt indicates non-root user

id - reveals id information (uid, gid, groups)
cp - copies files (files/directories)
mv - moves/renames files, and tries to preserve timestamp
stat - returns properties (size, inode, atime, mtime, ctime, perms, etc.) of files


Standard Linux Shell Rules

STDIN - Standard In - Default = Keyboard - '<'
STDOUT - Standard Out - Default = Monitor - '>'
STDERR - Standard Error - Default = STDOUT - '2>'
ls deano.txt 2> error.txt
grep linuxcbt 2>&1

File Descriptors:
0 = STDIN
1 = STDOUT
2 = STDERR

Piping - permits the connection of STDOUT & STDIN
cat test2.txt | grep directories | grep removes

Command Chaining - permits execution of multiple commands
command1 && command2 - runs command2 IF command1 is successful (logical AND)
command1 || command2 - runs command2 IF command1 fails
command1 ; command2 ; command3 - all commands execute
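
The redirection, piping and chaining rules above, exercised as an added example (not from the LinuxCBT notes) on a constructed sample file standing in for test2.txt. Each function returns a value so the effect of the operator it demonstrates can be checked rather than just observed on the terminal.

```shell
#!/bin/sh
# Added example: file descriptors, redirection, pipes and command chaining.
# The sample file and its contents are constructed for this demo.
WORK=$(mktemp -d)
printf 'ls lists directories\nrm removes objects\ncd changes directories\n' \
    > "$WORK/test2.txt"

# '2>' sends only STDERR (fd 2) to a file; STDOUT (fd 1) is untouched.
# Returns the number of lines captured in error.txt (the single 'ls' complaint).
stderr_lines() {
    ls "$WORK/deano.txt" 2> "$WORK/error.txt" || true   # file does not exist, on purpose
    wc -l < "$WORK/error.txt" | tr -d ' '
}

# '2>&1' points fd 2 at wherever fd 1 currently goes, so both streams land in
# the same file. Order matters: '> file 2>&1' captures both, '2>&1 > file' does
# not capture STDERR. Returns the line count of the combined file.
both_streams() {
    { echo "on stdout"; echo "on stderr" >&2; } > "$WORK/both.txt" 2>&1
    wc -l < "$WORK/both.txt" | tr -d ' '
}

# A pipe connects one command's STDOUT to the next command's STDIN.
# Returns how many lines mention both 'directories' and 'changes'.
pipe_count() {
    cat "$WORK/test2.txt" | grep directories | grep changes | wc -l | tr -d ' '
}

# $? holds the exit status of the previous command: 0 = success, non-zero = failure.
# Returns the status grep reports for the given pattern.
status_of_grep() {
    rc=0
    grep -q "$1" "$WORK/test2.txt" || rc=$?
    echo "$rc"
}

# '&&' runs the right-hand side only on success, '||' only on failure.
and_chain() { grep -q removes "$WORK/test2.txt" && echo "matched"; }
or_chain()  { grep -q missing "$WORK/test2.txt" || echo "fallback"; }

# ';' runs every command regardless of the earlier outcomes.
# Returns the number of commands that ran.
semicolon_chain() {
    n=0
    n=$((n + 1)) ; n=$((n + 1)) ; n=$((n + 1))
    echo "$n"
}
```

The `stderr_lines` function is the page's `ls deano.txt 2> error.txt`: the complaint goes to the file and nothing reaches the screen, which is what makes `2>` useful for separating a script's diagnostics from its data.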

###More Key Shell Commands###
file - determines the type of file queried
which - identifies location in path of queried program
history - returns list of recently-run commands up to $HISTSIZE=1000
~/.bash_history - stores the user's history of commands
ps -ef - returns ALL running programs - UID, PID, PPID, STIME, etc.
top - returns top running programs

Common Clients - FTP, LFTP, Wget, SSH
FTP - interactive client used to connect to FTP servers
LFTP - supports many protocols (HTTP/FTP/HTTPS/etc.) and runs interactively/non-interactively (scripted)
Wget - supports many protocols, however, runs non-interactively
wget http://192.168.1.197/SUSE10/suse/i586/MozillaFirefox-1.5.0.4-1.9.i586.rpm
wget ftp://linuxcbt:abc123@linuxcbtmedia1/1million.txt

###Other basic utilities###
tar with gzip & bzip2 support
tar -czvf 1million.tgz 1million.txt
tar -cjvf 1million.bz2 1million.txt

Secure Shell (SSH)
SSH - provides encrypted communications for Telnet/FTP-like sessions

First outbound SSH connection yields ~/.ssh/known_hosts (lists trusted hosts)
File is appended as new connections are established

PKI - Password-less Login
Must generate RSA/DSA PKI (Public/Private) keys - 'ssh-keygen'
Note: public key is used to encrypt information to recipient
Note: private key is used to decrypt information received
Note: keys are user and host specific

ssh-copy-id -i ~/.ssh/id_rsa.pub linuxcbtsuse2

SCP - SFTP - SSH

SCP - performs non-interactive, LFTP/Wget-like, file transfers
scp source_file destination_file
scp linuxcbtsuse2:path_to_file local_path (. or /tmp)

SFTP - performs interactive, FTP-like transfers
sftp linuxcbtsuse2 - connects as 'linuxcbt' to remote system
sftp root@linuxcbtsuse2 - connects as 'root' to remote system

ALL sessions/transports are encrypted

Virtual Network Computing (VNC)
Note: Cross-platform capable - client (Windows/MAC OS X/Linux/Solaris/Unix) - client can differ from server

vncviewer - primary VNC client application

RDesktop Client (RDP) - Permits easy connections to Windows 2000/2003/TS4/XP Boxes
rdesktop -g 640x480 -a 16 192.168.1.102

Other key network utilities/clients

PING - uses ICMP to probe hosts on local and/or remote subnets
 - Default in Linux is to PING continuously
 - Default PING size = 64 bytes
 - Default interval = 1 second
 - Default Time To Live (TTL) = 64
 - PING sends ICMP (Echo) packets & expects ICMP (Echo Reply) in return
 - ping linuxcbtsuse2

Traceroute - maps the network between 2 hosts by displaying routers
Note: traceroute determines that a host is a router when the TTL is decremented, and indicates as such in its output
traceroute destination - traceroute 192.168.1.102
Note: some firewalls will NOT decrement the TTLs in ICMP packets

Matt's Traceroute (MTR)

Address Resolution Protocol (ARP) - reveals ARP table - layer-2 addresses
arp


ARP resolution example:
linuxcbtsuse2 (Layer-4) -> 192.168.1.197 (Layer-3) -> 00:12:3F:10:C6:93 (Layer-2)

www.insecure.org - Nmap - to find list of security utilities

Name Resolution Utilities

/etc/nsswitch.conf - controls the resolution source/order

ping linuxcbtsuse2 -> hosts (/etc/hosts) -> DNS

/etc/nsswitch.conf - hosts: files (/etc/hosts) dns (/etc/resolv.conf)

DIG - dig - queries standard DNS servers
 - dig linuxcbtsuse2.linuxcbt.internal
 - dig www.linuxcbt.com - queries local DNS server for this forward record
 - dig linuxcbt.com mx - returns MX record type
 - dig -x 192.168.1.100 - performs reverse query
 - dig @ns1.linuxgenius.com www.linuxcbt.com
 - host www.linuxcbt.com - returns A|CNAME records & IP address
 - hostname - returns local short hostname
 - hostname -f - returns Fully-Qualified Domain Name (FQDN)

NETSTAT - displays open sockets
client (1) SYN -> server (2) SYN-ACK -> client (3) ACK -> ESTABLISHED
Usage:
 - netstat - displays open sockets with name resolution
 - netstat -n - displays open sockets without name resolution

Note: names are resolved using a combination of /etc/hosts & DNS
Note: services (ftp/http/etc.) are resolved via /etc/services
Note: protocols (tcp/ip/udp/unix/etc.) are resolved via /etc/protocols
client <-> server
man netstat - explore socket states
Important states:
 - ESTABLISHED
 - LISTEN
 - SYN_SENT - waiting for SYN-ACK from remote system
 - SYN_RECV - unable to respond to SYN_SENT
 - FIN_WAIT1 - awaiting shutdown of socket

 - netstat -a - reveals ALL protocols
 - netstat -i - displays network interfaces
 - netstat -s - displays protocol stats
 - netstat -rn
 - netstat -nl
 - netstat -ntl
 - netstat -nul
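
Summarising the socket states listed above is the usual first step when a box looks busy. The following is an added example (not from the LinuxCBT notes) that runs awk over constructed lines shaped like `netstat -nt` output; the sample addresses and the assumption that State is the sixth column of that output are mine, not the page's.

```shell
#!/bin/sh
# Added example: count sockets per TCP state and spot a pile-up of half-open
# connections. NETSTAT_SAMPLE is constructed to look like 'netstat -nt' output.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.40:22         192.168.1.197:51234     ESTABLISHED
tcp        0      0 192.168.1.40:80         10.0.0.5:40001          SYN_RECV
tcp        0      0 192.168.1.40:80         10.0.0.6:40002          SYN_RECV
tcp        0      0 192.168.1.40:80         10.0.0.7:40003          SYN_RECV
tcp        0      0 192.168.1.40:45120      192.168.1.197:22        SYN_SENT
tcp        0      0 192.168.1.40:80         192.168.1.50:33100      ESTABLISHED
tcp        0      0 192.168.1.40:80         192.168.1.50:33101      FIN_WAIT1'

# One "STATE count" line per state, sorted by state name. The header row (NR == 1)
# is skipped; State is field 6 in this layout.
state_counts() {
    printf '%s\n' "$NETSTAT_SAMPLE" \
        | awk 'NR > 1 { c[$6]++ } END { for (s in c) print s, c[s] }' \
        | sort
}

# Count for a single state; prints 0 when the state does not occur.
count_state() {
    printf '%s\n' "$NETSTAT_SAMPLE" \
        | awk -v st="$1" 'NR > 1 && $6 == st { n++ } END { print n + 0 }'
}

# Many SYN_RECV entries on one local port from different peers is the classic
# sign of a SYN flood: the server answered SYN-ACK and never got the final ACK.
# Prints "port count" for the local port with the most SYN_RECV sockets.
syn_recv_hotspot() {
    printf '%s\n' "$NETSTAT_SAMPLE" \
        | awk 'NR > 1 && $6 == "SYN_RECV" { split($4, a, ":"); c[a[2]]++ }
               END { max = 0; best = ""
                     for (p in c) if (c[p] > max) { max = c[p]; best = p }
                     print best, max }'
}
```

On a live host, replace the sample with `netstat -nt | awk ...` and watch `syn_recv_hotspot` over a few minutes; a steady count is normal backlog, a climbing one on a single port is worth a look at the peers in column 5.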


IFCONFIG
 - ifconfig eth2 down - downs the eth2 interface
 - ifconfig -a - displays ALL (active/inactive) interfaces
 - ifconfig eth2 172.20.10.1
Note: changes to inactive interfaces usually activate the interface
Note: omitting the subnet mask when defining an interface will cause Linux to derive both subnet mask and broadcast address based on class rules.
 - ifconfig eth2 172.20.10.1 netmask 255.255.255.0
Alias/sub-interface configuration:
 - ifconfig eth0:1 192.168.1.41 /24 - 255.255.255.0
 - ifconfig eth0:2 192.168.1.42

Note: /etc/sysconfig/network - stores interface and global network configuration files

RPM - permits the categorization/installation/upgrade/freshen/removal of packages
Query existing packages:
 - rpm -qa - lists ALL installed packages
 - rpm -ql name_of_package; i.e. rpm -ql rdesktop
 - rpm -qpl package_name - queries package on file system

Install packages:
 - rpm -ivh - installs packages
 - rpm -Uvh - upgrades/installs packages

Remove packages:
 - rpm -e - removes package

Freshen packages: - package will be updated ONLY if it already exists
 - rpm -Fvh package_name

User & Group Creation/Management
Note: /etc/passwd is the default user database
 - linuxcbt:x:1000:100:linuxcbt:/home/linuxcbt:/bin/bash
 - username:shadow_file(x):UID:GID(Primary):Description/Full Name:Home Directory:Shell
Note: /etc/skel houses template files to be copied to ALL newly-created users using YaST

Manual user creation:
 - useradd username

Manual group creation:
 - groupadd groupname

Note: create group(s) first, then create user, assigning user to group(s)

usermod/groupmod

File Permissions
10 bits represent permissions and file type
Directory = drwxrwxrwx = 777 = FULL permissions
File = -rwxrwxrwx = 777 = FULL permissions

bit 1 = placeholder for object type (file/directory/character/block device/etc.)
bits 2,3,4 = placeholder for permissions for the owner of the object
bits 5,6,7 = placeholder for permissions associated with group owner of the object
bits 8,9,10 = placeholder for ALL else

drwxr-xr-x 2 linuxcbt users 168 2006-09-08 11:22 temp2
rwx=7, r-x=5, r-x=5 = 755
-rw-r--r-- 1 linuxcbt users 1736 2006-09-06 12:01 test2.txt
rw-=6, r--=4, r--=4 = 644

Note: As per the default umask, default for directories = 755, and files = 644
Note: directories require 'x' permission to permit entry

umask = 0022
Effective default permissions = Total permissions (777) - umask (0022)

  0777
- 0022
  0755 = effective default directory permissions
  0644 = rw, r, r (effective default file permissions)

The 'x' bit applied to files means the file is executable; however, applied to directories, it permits entry into the directory.

Octal values for permissions:
r = 4
w = 2
x = 1
Total = 7

Change permissions using 'chmod'
-rw-r--r-- 1 linuxcbt users 588895 2006-09-08 15:27 Salaries.xls
rw, r = 640
chmod 640 Sal* && ls -l Sal*

Note: root ALWAYS has access to ALL files
chmod 600 Sal* && ls -l Sal*
chmod 744 temp2

ls -ld temp2 - enumerates permissions, ownership, etc. associated with 'temp2' directory

chmod u+rw,g+r,o+r = 644

u = user/owner of object
g = group owner of object
o = other
a = u,g,o

chmod a-r Salaries.txt

Change Ownership of objects (files & directories) using 'chown'
chown linuxcbt test.txt
chown user.group object
chown linuxcbt.project1 test.txt


SETUID
Used to impersonate another user; usually root
test_script.pl, test_script.sh

-rw-r--r-- 1 linuxcbt users 588895 2006-09-08 15:27 Salaries.xls
0644
Note: leading bit can represent SETUID (4) & SETGID (2)

chmod 4644 Salaries.xls

SETUID FILE:
-rwSr--r-- 1 linuxcbt project1 588895 2006-09-08 15:27 Salaries.xls

i.e. /bin/su = SETUID executable

stat object_name - returns permissions/metadata about the object

SETGID
Used to force permissions on directories
chmod 2770 project1 && ls -ld project1

Sticky
Used to allow users to share a directory but ONLY manipulate their files: /tmp

'chgrp' is used to change group ownership
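
The umask arithmetic, the octal and symbolic chmod forms, and the SETUID/SETGID/sticky bits from the two sections above, checked on throw-away objects in a temporary directory. This is an added example, not code from the LinuxCBT notes; the file and directory names mirror the page's temp2, test2.txt, Salaries.xls and project1, and the stat fallback for BSD systems is my assumption about the verifier's platform.

```shell
#!/bin/sh
# Added example: umask, octal/symbolic chmod and the special permission bits,
# verified with stat and ls on constructed objects under a temp directory.
WORK=$(mktemp -d)

# Octal mode of an object. GNU stat prints e.g. 755 or 2770; the BSD fallback
# glues the special-bit digit to the nine permission bits and drops leading zeros.
mode_of() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OMp%OLp' "$1" | sed 's/^0*//'
    fi
}

# umask 022 clears the write bit for group and others: directories start from
# 777 and end up 755, files start from 666 and end up 644. The umask is set in
# a subshell so the caller's own umask is untouched. Returns "dirmode filemode".
default_modes() {
    ( umask 022
      mkdir "$WORK/temp2"
      : > "$WORK/test2.txt" )
    echo "$(mode_of "$WORK/temp2") $(mode_of "$WORK/test2.txt")"
}

# Octal triple (owner, group, other) with r=4 w=2 x=1:
# 640 = rw- for the owner, r-- for the group, nothing for others.
restrict_file() {
    : > "$WORK/Salaries.xls"
    chmod 640 "$WORK/Salaries.xls"
    mode_of "$WORK/Salaries.xls"
}

# Symbolic form: start from no bits at all, then add u+rw, g+r, o+r -> 644.
symbolic_mode() {
    : > "$WORK/report.txt"
    chmod a-rwx "$WORK/report.txt"
    chmod u+rw,g+r,o+r "$WORK/report.txt"
    mode_of "$WORK/report.txt"
}

# A fourth, leading octal digit sets the special bits: 4 = SETUID, 2 = SETGID,
# 1 = sticky. SETGID on a directory makes new entries inherit its group (the
# project1 pattern); sticky on a world-writable directory (/tmp) lets only a
# file's owner remove it. In 'ls -l' the bits show as 's' (or 'S' when the
# underlying x is absent, as in the page's -rwSr--r--) and 't'.
# Returns "mode ls-field mode ls-field" for the two directories.
special_bits() {
    mkdir "$WORK/project1" "$WORK/shared"
    chmod 2770 "$WORK/project1"
    chmod 1777 "$WORK/shared"
    echo "$(mode_of "$WORK/project1") $(ls -ld "$WORK/project1" | cut -c1-10)" \
         "$(mode_of "$WORK/shared") $(ls -ld "$WORK/shared" | cut -c1-10)"
}
```

`mode_of` is the same check `stat` gives interactively; the point of wrapping it is that a hardening script can assert on the number (is Salaries.xls really 640?) instead of eyeballing `ls -l`.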

Symbolic Links (Shortcuts)
Note: 2 types exist; Soft & Hard

Soft Links:
 - Ability to reference objects (files & directories) within & across file systems

ln -s source destination

Note: Soft links reference human-readable file names
Note: Hard links reference distinct Inodes

ln source destination - within the SAME file system, creates a HARD link
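
The soft-versus-hard distinction above becomes concrete when the original name is removed: the hard link still resolves to the same inode and data, while the soft link is left pointing at a path that no longer exists. Added example, not from the LinuxCBT notes; the file names and contents are constructed.

```shell
#!/bin/sh
# Added example: soft vs hard links compared by inode number and link count,
# then what each one does after the original name is removed.
WORK=$(mktemp -d)
printf 'payroll data\n' > "$WORK/source.txt"
ln -s "$WORK/source.txt" "$WORK/soft.txt"   # soft link: stores the path name
ln    "$WORK/source.txt" "$WORK/hard.txt"   # hard link: a second name for the same inode

# Inode number of an object; -d so a link to a directory is not listed by content.
inode_of() { ls -ldi "$1" | awk '{print $1}'; }

# The hard link shares the inode with the original ...
same_inode() {
    if [ "$(inode_of "$WORK/source.txt")" = "$(inode_of "$WORK/hard.txt")" ]; then
        echo yes
    else
        echo no
    fi
}

# ... the soft link has an inode of its own (it is a separate small object).
soft_own_inode() {
    if [ "$(inode_of "$WORK/source.txt")" != "$(inode_of "$WORK/soft.txt")" ]; then
        echo yes
    else
        echo no
    fi
}

# Second column of 'ls -l' is the link count: 2 once one extra hard link exists.
link_count() { ls -l "$WORK/source.txt" | awk '{print $2}'; }

# Removing the original name does not free the data while another hard link
# holds the inode (relevant when "deleting" a sensitive file), whereas the soft
# link now dangles. Returns "<data read via hard link> / <soft link status>".
after_removal() {
    rm "$WORK/source.txt"
    hard=$(cat "$WORK/hard.txt")
    if cat "$WORK/soft.txt" >/dev/null 2>&1; then soft=readable; else soft=dangling; fi
    echo "$hard / $soft"
}
```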

Provisioning of additional file systems/mount points
new mount point = /app1

2 shell utilities can be used to create partitions:
1. fdisk -l
2. parted - defaults to first disk

Note: Extended partitions occupy the remaining space on disk
Note: You may create an extended partition without 3 primary partitions

Typical disk layout on i386-compatible systems:
1. Primary
2. Primary
3. Primary
4. Extended - occupies remaining cylinders on disk - n number of logical partitions beginning with #5; i.e. /dev/sdb5

Note: newly-created mount points need NOT exist off the root of the file system
Note: every file system contains a 'lost+found' directory to house orphaned files

RAID Partitions
/, /boot = standard (ext3/reiserfs) non-LVM, non-RAID partitions
All other partitions/mount points should be RAID/LVM

RAID-0 - Partitions
 - Offers speed, but NO REDUNDANCY
 - Requires at least 2 partitions/disks
 - Creates a partition that spans 2 partitions/disks
Note: Create RAID/LVM partitions using separate disks to realize performance benefits
 - Must create unformatted partition types of 0xFD (Linux RAID) or 0x83 (Linux)
 - RAID-0 partitions need NOT be identical in size
Note: DO NOT format individual RAID component partitions

RAID-0 (10GB) - /raidvolumes/app2
 - /dev/sdb6 (5GB)
 - /dev/sdc7 (5GB)
Note: first RAID volume is created @ /dev/md0 (/raidvolumes/app2)

RAID-1 - Partition (5GB) - /raidvolumes/app3
 - /dev/sdb7 (5GB)
 - /dev/sdc8 (5GB)
/dev/md1

RAID-5 Partition (10GB) - /raidvolumes/app4
 - /dev/sda3 (5GB)
 - /dev/sdb8 (5GB)
 - /dev/sdc9 (5GB)
/dev/md2

Logical Volume Management - Disk Aggregation Mechanism
 - Facilitates the aggregation of various sized volumes into usable storage
 - Allows dynamic resizing of volumes
 - Use LVM/RAID for non-root (/) and non-boot (/boot) mount points

Create LVM underlying/supporting partitions (0x8e/0x83) and DO NOT FORMAT

LVM-VOL1 - 27GB
 - /dev/sda3 (10GB)
 - /dev/sdb5 (5GB)
 - /dev/sdc7 (12GB)

Volume Group (system) - Consists of n volumes - n logical volumes (typically 1-to-1)


Volume groups facilitate the aggregation of partitions/disks
Logical volumes facilitate the segmentation of volume groups

File system structure for LVM-managed volumes:
/dev/Volume Group Name (represents all partitions/disks)/Logical Volumes (user-accessible)

SWAP Storage Provisioning
free -m
swapon -s - displays current swap space (file(s)/partition(s))

Swap Files
 - dd if=/dev/zero of=/swapfile1 bs=1024 count=524288
 - mkswap /swapfile1
 - swapon /swapfile1
 - update /etc/fstab + /swapfile1 swap swap defaults 0 0

SYSLOG-NG Implementation
Extends traditional Syslog capabilities

Note: Facilities and Levels are supported to route messages
 - Facility - identifies unique source of message
 - Levels - identify the severity of the message
   +Debug +Info +Notice +Warning +Error +Crit +Alert +Emerg

Note: Standard SYSLOG-NG message consists of the following components:
1. Source - where to get messages (Unix Syslog socket/UDP (514))
2. Filtering rules (facilities/levels/pattern matching)
3. Destination (file/other syslog/syslog-ng hosts (UDP/TCP)/Console (TTYs), Unix Datagrams)

Note: Network listening using UDP is disabled by default

level(error..emerg)

Note: 'log' directive combines the 3 important components of Syslog-NG:
1. source
2. filter
3. destination

Note: edit /etc/syslog-ng/syslog-ng.conf to enable UDP listener

###Filter to receive info. from Local2###
filter f_cisco_pix { facility(local2); };

###Destination for info. sent to facility local2###
destination d_cisco_pix { file("/var/log/ciscopix.log"); };

###Log Statement to invoke the routing of messages to facility local2###
log { source(src); filter(f_cisco_pix); destination(d_cisco_pix); };

###Log to remote host###
destination d_cisco_pix { file("/var/log/ciscopix.log"); udp("192.168.1.197"); };

Log Rotation
/etc/logrotate.conf - includes all files in /etc/logrotate.d
man logrotate

/var/log/ciscopix.log {
    daily
    compress
    dateext
    #maxage 365
    rotate 1000
    #size=+2048k
    notifempty
    missingok
    copytruncate
    postrotate
        /etc/init.d/syslog reload
    endscript
}

logrotate -f /etc/logrotate.conf - forces log rotation

Cron - System Scheduler
1. Schedule using global scheduler - /etc/crontab (hourly, daily, weekly, monthly)
2. Schedule on a per-user basis - /var/spool/cron (root, linuxcbt, etc.) - crontab

Note: Cron checks the modification time of global and per-user file/directory every minute

Note: /etc/cron.allow and cron.deny are used to control access to cron

m(0-59) h(0-23) dom(1-31) m(1-12) dow(Sun,Mon,Tue or 0-7) user_to_run_job_as command_to_run
Note: for Day of Week (dow) field 0 & 7 are both Sunday

###Global Crontab Entry###
#m h dom m dow user command
*/1 * * * * root ping -c 3 linuxcbtsuse2 >> /root/ping_linuxcbtsuse2.txt
*/5 12-16 * * * root ping -c 3 linuxcbtsuse2 >> /root/ping_linuxcbtsuse2.txt

###Per-user Crontabs:###
m(0-59) h(0-23) dom(1-31) m(1-12) dow(Sun,Mon,Tue or 0-7) command_to_run

*/1 * * * * ping -c 3 linuxcbtsuse2 >> /home/linuxcbt/ping_linuxcbtsuse2.txt
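
A checker for the five time fields of a crontab line, using the ranges given above (0-59, 0-23, 1-31, 1-12, 0-7 with 0 and 7 both Sunday). This is an added example, not from the LinuxCBT notes: it accepts `*`, a number, `a-b`, comma-separated lists and a `/step` suffix, which covers both global entries on the page; day-of-week names such as Sun or Mon are valid in cron but are deliberately not handled here.

```shell
#!/bin/sh
# Added example: validate the time fields of a crontab line before installing it.
# Handles *, n, a-b, lists and /step; day names (Sun, Mon, ...) are not supported.

# cron_field_ok FIELD MIN MAX  -> exit 0 when every item in FIELD fits MIN..MAX
cron_field_ok() {
    printf '%s\n' "$1" | awk -v lo="$2" -v hi="$3" '
        function in_range(n) {
            return (n ~ /^[0-9]+$/ && n + 0 >= lo + 0 && n + 0 <= hi + 0)
        }
        {
            n = split($0, items, ",")
            for (i = 1; i <= n; i++) {
                item = items[i]
                if (index(item, "/") > 0) {           # */5 or 1-10/2: step must be >= 1
                    split(item, parts, "/")
                    item = parts[1]
                    if (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 < 1) exit 1
                }
                if (item == "*") continue
                if (index(item, "-") > 0) {           # a-b: both ends valid and a <= b
                    split(item, ends, "-")
                    if (!in_range(ends[1]) || !in_range(ends[2]) || ends[1] + 0 > ends[2] + 0) exit 1
                    continue
                }
                if (!in_range(item)) exit 1
            }
            exit 0
        }'
}

# cron_line_ok "m h dom m dow [user] command"  -> exit 0 when all five time
# fields are valid. The user and command words are not inspected.
cron_line_ok() {
    set -f              # '*' must stay literal and not expand to file names
    set -- $1
    set +f
    [ $# -ge 6 ] || return 1        # five time fields plus at least a command
    cron_field_ok "$1" 0 59 && cron_field_ok "$2" 0 23 && cron_field_ok "$3" 1 31 \
        && cron_field_ok "$4" 1 12 && cron_field_ok "$5" 0 7
}
```

Typical use is `cron_line_ok "$line" || echo "bad entry: $line"` in a loop over a file before it is copied into /etc/crontab; cron itself silently rejects a malformed crontab, so catching the typo first saves a job that never runs.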


Network Time Protocol (NTP)
1. Synchronizes your SUSE box
2. Creates a hierarchy of synchronization hosts

There are 16 Strata
1 - most accurate - external time sources (GPS/Radio) are connected
2 - relies upon 1 for synch.
3 - relies upon 2
...

Note: Try to synch with at least 3 clocks

1 - Externally-connected time source
+2 - 0.pool.ntp.org, 1.pool.ntp.org, ntp0.cornell.edu
-3 - Our Clock
+4 - Internal hosts relying upon our Stratum-3 clock

chkconfig ntp on - enables NTP service upon subsequent reboots
Note: NTP defaults to localhost for time synchronization

ntpq -np - returns current servers used to synch time

BIND DNS Configuration
Not installed by default

/etc/named.conf - primary configuration file of BIND (caching-only/Primary/Secondary)

BIND runs in the following modes:
1. Caching-only - resolves Internet queries
2. Primary - authoritative for 1 or more zones
3. Secondary - authoritative secondary server for 1 or more zones

client -> linuxcbtsuse1 -> /etc/resolv.conf -> perform query -> return results

Configured linuxcbtsuse2 with BIND and started as a caching-only server

/etc/named.conf

Note: configure 'forwarders' directive to influence named servers used to resolve queries. Otherwise, name servers listed in /etc/resolv.conf will be used.

. = root - top-level domain
com = 2nd-level domain
edu
mil
gov

0.0.127.in-addr.arpa
1.168.192.in-addr.arpa

zone "linuxcbt.internal" in {
    type master;
    file "linuxcbt.internal.zone";
};

zone "1.168.192.in-addr.arpa" in {
    type master;
    file "master/192.168.1.zone";
};

###Slave configuration - linuxcbtsuse2 (.197)###
zone "linuxcbt.internal" in {
    type slave;
    masters { 192.168.1.40; };
    file "slave/linuxcbt.internal.zone";
};

zone "1.168.192.in-addr.arpa" in {
    type slave;
    masters { 192.168.1.40; };
    file "slave/192.168.1.zone";
};

Note: Zone information from the primary is stored by default in memory on the slave

DHCPD - Server

Note: Automatic configuration of Layer-3 IP-address information
Uses broadcasts and UDP to exchange configuration information
DORA
D = Discovery - client broadcasts (All FFFFs) for DHCP server on subnet
O = Offer (IP Address configuration information)
R = Response
A = Acknowledgement from server that client accepted offer

DHCP Configuration includes global, subnet-specific and optionally host-specific info

Use YaST2 or configure manually

YaST requires the specification of DHCP interfaces, in order to service the subnet connected to the interface

Note: Default SuSE DHCP Server runs in chrooted environment

DHCPD's root = /var/lib/dhcp

host linuxcbtwin2 {
    hardware ethernet 00:10:a4:ed:a0:4d;   # appears in DORA process
    fixed-address 192.168.1.102;
}

###Very Secure File Transfer Protocol Daemon (VSFTPD)###
Note: Current version of SUSE Enterprise does not supply a YaST object for management
Note: VSFTPD can be invoked with/without XINETD
Note: Default authentication permits 'anonymous' access only
Note: '/srv/ftp' is default 'anonymous' location as per home directory for 'ftp' in /etc/passwd
Note: FTP supports PASSIVE & ACTIVE connections. VSFTPD supports both, by default


Note: FTP connections consist of Control and Data channels
Passive - client -> server (21), then client instructs server to listen on a high port for the data connection
Active - client -> server (21), then server makes a connection to a port on the client to construct the data connection, which is generally denied by most firewalls

Disable anonymous access by setting appropriate /etc/vsftpd.conf directives

Samba Services - Integrates Windows with Unix/Linux
Note: /home shares are dynamically generated for users who connect successfully
Note: /etc/samba/smb.conf - default configuration file for Samba
Note: Samba authenticates users using 2 authentication sources:
1. /etc/samba/smbpasswd - contains Windows-encrypted users/passwords, and maps Samba users to local Linux users
2. /etc/passwd - stores Linux users
Note: File/directory access rests with Linux OS

Flow of permissions:
1. Samba client (Windows/Linux/Unix) submits Samba User
2. Samba Server attempts to equate submitted user to local Linux user
   a. if successful, Samba server performs I/O as mapped user
   b. if unsuccessful, Samba server attempts to map submitted user as guest
   c. if guest mapping fails, access is denied

Note: /etc/samba/smbusers - maps Samba users to Linux users
Note: use 'smbpasswd -a username' to add Samba users, who are mapped to Linux users

###Samba Authentication Modes###
1. User - uses /etc/samba/smbpasswd - maintained with 'smbpasswd' utility
2. Server - authentication via a Windows server
3. Domain - authenticates against an NT-style domain (PDC/BDC)
4. ADS - authenticates against Active Directory (AD) Domain controllers
5. Share - authenticates per-share - passwords are tied to shares

###Other Samba Clients###
 - smbclient - facilitates puts/gets from Samba shares and other features
   smbclient -U administrator //linuxcbtwin2/public1
   smbclient -U administrator -L linuxcbtwin2
 - smbtar - facilitates tarring/backup of remote shares
   smbtar -s linuxcbtwin2 -x public1 -t public1.tar
 - smbtree - enumerates remote shares

Samba Web Administration Tool (SWAT)
 - Facilitates web-based administration of Samba via TCP:901
 - Provides its own HTTPD server
 - Controlled by XINETD - /etc/xinetd.d/swat, rcxinetd restart
 - Must authenticate as 'root' after restarting XINETD with SWAT enabled
 - SWAT defaults to BASIC HTTP authentication, which is passed in the clear
 - optionally, install 'samba-doc' package

###Active Directory (AD) Installation and Integration with Samba###


 - use 'dcpromo' from Windows to promote it to an AD server
 - Setup Microsoft's DNS on AD server for simplicity
 - Optionally, configure appropriate BIND zones
 - Define FQDN for AD root 'ad.linuxcbt.internal'
 - Define NETBIOS name of workgroup for legacy systems 'LINUXGENIUS'
 - Configure AD server to consult itself for DNS '127.0.0.1'

Join SUSE Enterprise box to AD domain using YaST2
1. Network Services
2. Windows Domain Membership
3. Confirm ability to use remote (AD) users using 'getent passwd'

Note: winbind daemon facilitates enumeration and usage of remote AD users

/etc/nsswitch.conf

###Samba File System (SMBFS) Driver###
 - facilitates transparent mounting of remote SMB/CIFS shares

\\linuxcbtwin2\public1 - /LINUXGENIUS/linuxcbtwin2/public1

use 'mount' to mount remote SMB/CIFS shares:
mount -t smbfs -o username=administrator,password=abc123,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1
mount -t cifs -o user=administrator,password=abc123,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1

Hide CIFS credentials in /root
nano .cifs_creds
user = administrator
password = abc123

mount -t cifs -o credentials=/root/.cifs_creds,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1
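
Moving the password out of the `mount` command line only helps if the credentials file itself is unreadable to other users (a `password=` on the command line is visible to everyone via `ps -ef`; a world-readable file is no better). The following is an added example, not from the LinuxCBT notes: it writes the file under `umask 077` so it is never world-readable even briefly, then refuses to use it unless its mode is 600 or stricter. The temporary path stands in for /root/.cifs_creds, and the `username=`/`password=` keys are the form documented for mount.cifs credentials files.

```shell
#!/bin/sh
# Added example: create a CIFS credentials file that only its owner can read and
# check its mode before it is handed to 'mount -t cifs -o credentials=...'.
# WORK stands in for /root; the sample account values are constructed.
WORK=$(mktemp -d)
CREDS="$WORK/.cifs_creds"

# write_creds USERNAME PASSWORD: umask 077 in a subshell makes the new file 600
# at creation time, so there is no window in which it is readable by others.
write_creds() {
    ( umask 077
      printf 'username=%s\npassword=%s\n' "$1" "$2" > "$CREDS" )
}

# First ten characters of 'ls -l': type plus the nine permission bits
# (portable across GNU and BSD ls; a trailing SELinux '.' is cut off).
creds_perm() { ls -l "$CREDS" | cut -c1-10; }

# Only an owner-only file is acceptable; anything wider would leak the password
# to every local user, which is exactly what the credentials file was meant to avoid.
creds_usable() {
    case "$(creds_perm)" in
        -rw-------|-r--------) echo ok ;;
        *) echo refuse ;;
    esac
}

# Print the mount command that would be run (it is not executed here, since it
# needs root and a reachable server); the password never appears on the command line.
mount_cmd() {
    if [ "$(creds_usable)" = ok ]; then
        echo "mount -t cifs -o credentials=$CREDS,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1"
    else
        echo "refusing to mount: $CREDS is $(creds_perm), expected -rw-------" >&2
        return 1
    fi
}
```

The same check belongs in any script that mounts shares at boot: a permissions regression on the credentials file (an over-eager `chmod -R`, a restore from backup) should stop the mount and be noticed, not silently widen who can read the account password.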

Network File System (NFS)
Note: NFS is managed by the 'portmap' service; use 'rcportmap' to control it
Note: YaST/YaST2 can be used to import/export NFS shares
Note: NFS with Linux 2.6 supports versions 2, 3, 4, and TCP & UDP
Note: Use NFS on LANs only; it carries no encryption and, with the default AUTH_SYS security, trusts whatever uid/gid the client presents
Note: Specify subnets/IPs in the Hosts field to restrict the hosts that may connect to your NFS share
Note: The default '*' Hosts value permits ANY host that can reach the server to mount the export, and every user on such a host to act with the uid they hold there

Note: 'root_squash' option for NFS shares maps the remote 'root' user (uid 0) to the local 'nobody' user; 'no_root_squash' lets a remote root write as root on the server, so leave it off unless the client is fully trusted
Note: 'sync' option reduces the likelihood of data corruption by ensuring that file I/O has completed on the NFS server before the result/exit status is returned to the NFS client

Confirm NFS status using the following:
 1. ps -ef | grep -i nfs
 2. rcportmap status - portmap controls NFS/NIS, and allows dynamic allocation of ports
 3. rpcinfo -p

Note: server-exported share '/app1', need NOT be the same name of the mount point on NFS client

###Mount remote share on NFS client###


mount linuxcbtsuse1:/app1 /app1
Note: YaST/YaST2 NFS-exported directories are stored in '/etc/exports'
Note: use 'exportfs -a' to re-export items listed in '/etc/exports'
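Before running 'exportfs -a', it is worth checking /etc/exports for the three settings the notes warn about (wildcard hosts, no_root_squash, async). The following is an added example, not part of the LinuxCBT notes; the exports file it is tested against is constructed and the paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the LinuxCBT notes): audit an /etc/exports file for the
# settings the notes warn about. Exports and hostnames in the test are constructed.

# audit_exports FILE: print one finding per line; exit 0 if clean, 1 if findings
audit_exports() {
    awk '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    {
        path = $1
        if (NF == 1) {                            # bare path: exported to every host
            print path " <none>: no client list - exported to everyone"; bad = 1; next
        }
        for (i = 2; i <= NF; i++) {
            n = split($i, parts, "(")             # each token is client(options)
            client = parts[1]; opts = (n > 1) ? parts[2] : ""
            sub(/\)$/, "", opts)
            if (client == "*" || client == "")
                { print path " " $i ": wildcard client - any reachable host may mount"; bad = 1 }
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                { print path " " client ": no_root_squash - remote root keeps uid 0"; bad = 1 }
            if (opts ~ /(^|,)async(,|$)/)
                { print path " " client ": async - acknowledged writes may be lost"; bad = 1 }
        }
    }
    END { exit bad ? 1 : 0 }' "$1"
}

# Usage: sh audit_exports.sh [/etc/exports]
if [ "$#" -ge 1 ]; then
    audit_exports "$1" && echo "no findings in $1"
fi
```

A non-zero exit makes the function usable as a gate in a deployment script: refuse to run 'exportfs -a' while findings remain.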

Remote Synchronization (RSYNC)
Installed by default
Synchronizes remote and, optionally, local directories and/or files

rsync operates in 2 modes:
 1. uses a transport such as SSH to sync data - requires rsync on the target system
 2. uses 'rsyncd' to authenticate and facilitate transfer of files

One client, 'rsync', is used to connect in both modes

rsync -bazv
 -b (backup - an existing destination file is kept, renamed with a ~ suffix, instead of being overwritten)
 -a (archive - preserves stat info: permissions, ownership, timestamps, symlinks)
 -z (compression)
 -v (verbose)

Note: rsync client is required on both client and server when using SSH transport

rsync -bazv -e ssh source destination
rsync -bazv -e ssh /app2 root@linuxcbtsuse2: - syncs local /app2 with the remote system and backs up target files as necessary
Note: a trailing ':' with no path lands the copy in the remote user's home directory (here /root); syncing as root over SSH works, but a dedicated account with a restricted key is the safer habit

rsync -bazv -e ssh /app2 root@linuxcbtsuse2:/

###Synch local with remote system###
rsync -azv -e ssh root@linuxcbtsuse2:/app2 /

#!/bin/bash
###Synchronizes local /app2 with remote /app2
rsync -azv -e ssh root@linuxcbtsuse2:/app2 /
###END

###rsyncd server - /etc/rsyncd.conf - binds to TCP:873###
Note: to contact an rsyncd server using the rsync client, specify '::' in the host field; what follows '::' is a module name from rsyncd.conf, not a file system path
Note: rsync currently does NOT support synchronization between 2 remote hosts
Note: native rsyncd (TCP:873) authenticates against its own secrets file and sends data unencrypted; the '-e ssh' form carries the same protocol inside SSH

rsync -azv -e ssh /app2 root@linuxcbtsuse2::/

Apache HTTPD - Web Server
>70% of ALL web servers run Apache
Apache is cross-platform capable; available for Linux/Solaris/AIX/Windows/MAC OSX/etc.

Install via YaST - Patterns - Select 'Web and LAMP Server' - (Apache/MySQL/PHP/Python Modules)

###Apache2.2 Directory Layout###
/etc/apache2 - primary apache2.2 configuration directory
/etc/apache2/default-server.conf - config file for main HTTP server (NON-Virtual-Host)
/etc/apache2/errors.conf - error-handling
/etc/apache2/httpd.conf - Main Apache configuration file (includes other files)
/etc/apache2/uid.conf - controls credentials (User/Group) used by the Apache child processes


/etc/apache2/vhosts.d - houses Virtual Hosts files *.conf
/etc/apache2/vhosts.d/vhost-ssl.template - Sample SSL template
/etc/apache2/listen.conf - houses TCP-related bindings
/usr/lib/apache - houses dynamically-loaded modules *.so files
/usr/share/apache2/error - houses default error messages
/etc/apache2/mod_log_config.conf - houses variables to be expanded in Apache's log files; it maps log formats (on the left) to nicknames (on the right)
Nicknames can be referenced wherever a virtual host is defined
Difference between 'common' (CLF) and 'combined' is that combined provides everything provided by common + the 'User-Agent' and 'Referer' headers

/etc/apache2/default-server.conf - config file for main HTTP server (NON-Virtual-Host)

DocumentRoot "/srv/www/htdocs" - maps web space to file system space for default pages
i.e. http://linuxcbtsuse2.linuxcbt.internal -> /srv/www/htdocs

<Directory "/srv/www/htdocs"> - describes attributes of document root
 Applicable Directives
</Directory>

Aliases - are like symlinks in the web space. They map a web space location to another location in the file system that is usually outside of the web root

Alias /temp /srv/www/temp
<Directory "/srv/www/temp"> - describes attributes of the aliased directory (the default config denies access to '/', so an Alias outside DocumentRoot is not served until its own <Directory> block permits it)
 Applicable Directives
</Directory>

Note: Apache's Directory/File permissions flow downward

ScriptAlias - specifies the location where CGI scripts may be executed safely (files under it are run, never served as source)
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

mod_userdir = http://linuxcbtsuse1.linuxcbt.internal/~linuxcbt/index.html - /home/linuxcbt/public_html/index.html

Note: Apache, in prefork mode, spawns 6 processes:
 1. Apache manager (parent), which runs as 'root' so it can bind TCP:80/443 and read the private key
 2. 2-6 (5 child processes), run as the non-privileged 'wwwrun' user (see uid.conf) - these child processes service HTTP connections

http://localhost/manual - returns the manual in the appropriate (browser-negotiated) language

### Key Apache Directives - Directory, Alias, Files, Location ###
Note: These directives influence Apache's permissions to serve content

<Directory "physical_directory_location e.g. /srv/www/htdocs">
 Applicable Directives
</Directory>
DirectoryIndex index.html index.html.var - influences default document to be served
Note: Changes made to *.conf files require at least a 'reload' of the 'rcapache2' service and sometimes a full 'restart'

Note: IP address(es), short name, FQDN (linuxcbtsuse1.linuxcbt.internal) all lead to the default server referenced in /etc/apache2/default-server.conf, unless overridden via VHOST

###Order of evaluation when permitting/denying access to directory###
Order allow,deny
Allow from all


Order allow,deny
Allow from 172.20.20.0/255.255.255.0 192.168.1.0/255.255.255.0 127.0.0.1
Note: with 'Order allow,deny' every Allow line is evaluated first, then every Deny line; a host matching both is denied, and a host matching neither is denied. Adding 'Deny from all' here would therefore match the listed subnets too and lock everyone out. To keep an explicit catch-all, flip the order so the Allow lines win:
Order deny,allow
Deny from all
Allow from 172.20.20.0/255.255.255.0 192.168.1.0/255.255.255.0 127.0.0.1

Alias fakename physical_location
Alias /htdocs2 /srv/www/htdocs2

<Directory "/srv/www/htdocs2">
 Options Indexes
 AllowOverride None
 Order allow,deny
 Allow from all
</Directory>
Note: 'Options Indexes' produces a directory listing whenever no DirectoryIndex file exists, exposing every file name in the tree; use 'Options -Indexes' unless a listing is intended

<files noaccess.html>

</files>

Note: <Files> applied within a <Directory> block affects that directory and below
Note: <Files> applied outside of a <Directory> block impacts the ENTIRE server

<Files noaccess.html>
 Order allow,deny
 Deny from all
</Files>

<Location /templocation> - webspace (URL) directory permissions
 Order allow,deny
 Deny from all
</Location>
i.e. /status

###Redirect Directive - sends traffic to alternate location###
HTTP status codes are grouped into the following classes:
 1. 2xx (e.g. 200) - Success - content has been served
 2. 3xx (e.g. 301/302) - Redirection - used to indicate that content has moved
 3. 4xx (e.g. 404) - Client errors
 4. 5xx (e.g. 500) - Server errors

If users access oursite/htdocs2, send them to /htdocs3
Redirect /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3 - without a status, Redirect sends 302 (temporary)
Redirect 301 /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3
Redirect permanent /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3 - 'permanent' is the keyword for 301

Note: Directory directives supports basic wildcards; i.e. '*', '?'

###.htaccess files###
/srv/www/htdocs/temp1/.htaccess
Note: Update the primary *.conf file to permit 'AllowOverride All' for the directory; with 'AllowOverride None' the .htaccess file is ignored
Note: There is a slight performance hit when using .htaccess, because Apache parses the file (and every .htaccess in the parent directories up to the root) each time content is requested from the directory
Note: 'AllowOverride All' lets whoever can write to the directory change server behaviour (Options, handlers, access rules), so grant it only where that is intended


Apache Logging
/var/log/apache2
 -rcapache2.out - yields the results of testing the configuration file (httpd.conf)
 -error_log - stores server-side problems: startup and configuration messages, failed requests, module warnings, stderr from CGI scripts
 -access_log - stores every hit to the server, with the status code (200-500) returned

Note: Apache defaults to default files for Virtual Hosts that do not have log routing defined

/etc/apache2/mod_log_config.conf

LogFormat is used to concatenate and associate Apache log variables with nicknames
Nicknames are referenced in server/host configurations
LogFormat "%h %l %u %t \"%r\" %>s %b" common

Note: Values that return empty are reflected with the '-' character
 %h - connecting host's address (or name, if HostnameLookups is on)
 %l - remote logname from identd (RFC 1413); almost always '-'
 %u - HTTP-authenticated user name as claimed by the client (also logged on a 401, so trust it only when the status is a success)
 %t - timestamp of the request - [day(2-digit)/Month(3-letters)/Year(4-digits):Hour:Minute:Second TimeZone]
 %r - the request line as sent by the client: method (GET/POST/etc.), URI and protocol
 %>s - status code returned to the client after any internal redirects - 200-500
 %b - size of the returned content in bytes, excluding headers - zero bytes shown as '-'
 %B - returns the same as %b but returns '0' for zero bytes

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
(in the shipped file the directive is split over two lines; a trailing backslash signifies a continuing line)

%{Referer}i - returns the page that referred the client to this content (page/image/PDF/etc.)
%{User-Agent}i - connecting browser; i.e. Blackberry/IE/Firefox/Safari/etc.
Note: both are request headers supplied by the client and can hold anything, including quotes and script; treat them as untrusted input when a log is parsed or displayed

172.20.20.1 - - [15/Sep/2006:16:18:15 -0400] "GET /index2.html HTTP/1.1" 404 1045 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060527 SUSE/1.5.0.4-1.9 Firefox/1.5.0.4"
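The combined format above can be picked apart with awk, which is what a quick look for a scanner usually comes down to. The following is an added example, not code from the LinuxCBT notes: it splits each line on the double quotes (so a space inside the request line or User-Agent cannot shift the fields), counts 404s per client, and summarises status codes. The log lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the LinuxCBT notes): pick apart Apache 'combined' log lines
# and flag clients that rack up 404s, the usual sign of a scanner walking guessed
# paths. Log lines used in the test are constructed, not real traffic.

# scan_404 FILE THRESHOLD: print "host misses/total" for clients with >= THRESHOLD 404s
scan_404() {
    awk -v limit="$2" '
    {
        # Split on double quotes: q[1]=host ident user [time], q[2]=request line,
        # q[3]=" status bytes ", q[4]=referer, q[6]=user-agent.
        n = split($0, q, "\"")
        if (n < 7) { malformed++; next }          # not a combined-format line
        split(q[1], hdr, " ")
        split(q[3], st, " ")
        host = hdr[1]; status = st[1]
        if (status == "404") miss[host]++
        total[host]++
    }
    END {
        for (h in miss)
            if (miss[h] >= limit) printf "%s %d/%d\n", h, miss[h], total[h]
    }' "$1" | sort
}

# status_histogram FILE: print "status count" for every status code seen
status_histogram() {
    awk '
    {
        n = split($0, q, "\"")
        if (n < 7) next
        split(q[3], st, " ")
        c[st[1]]++
    }
    END { for (s in c) print s, c[s] }' "$1" | sort
}

# Usage: sh scan_access_log.sh /var/log/apache2/access_log [threshold]
if [ "$#" -ge 1 ]; then
    echo "status codes:";  status_histogram "$1"
    echo "clients with >= ${2:-20} 404s:"; scan_404 "$1" "${2:-20}"
fi
```

Because %u and the User-Agent are client-controlled, the parser keys on the host field and the status only; nothing from the quoted fields is echoed back or evaluated.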

Virtual Hosts (VHOSTS)
2 Types of VHosts:
 1. IP-based - require 1 IP/site and can facilitate SSL/site
 2. Name-based - requires 1 IP for ALL sites, but only 1 SSL site may operate per IP:port, because the certificate is chosen before the Host: header can be read (later Apache/OpenSSL releases add SNI to lift this)

IP1 - 192.168.1.40 - default server

ifconfig eth0:1 192.168.1.41
IP2 - 192.168.1.41 - site1 - maps (DocumentRoot) to /srv/www/site1
IP2 - 172.20.20.1 - site2 - maps (DocumentRoot) to /srv/www/site2
IP3 - 192.168.1.42 - site3 - maps (DocumentRoot) to /srv/www/site3

Modify /etc/apache2/listen.conf to listen to the new IP address(es)
Note: logio is NOT loaded by default. Use YaST to add the module.

Name-based Virtual Hosts - permits the sharing of IP addresses across VHosts

Requirements:
 1. Listen 192.168.1.40:80 - or Listen 80 (ALL IPs, Port 80)
 2. NameVirtualHost 192.168.1.40:80


3. DNS MUST be properly configured

###SSL Configuration###
Requirements:
 1. /etc/sysconfig/apache2 - APACHE_SERVER_FLAGS '-DSSL'
 2. restart apache
 3. Generate appropriate certificates (private/public key pair)
  a. /usr/bin/gensslcert - creates keys based on the system's FQDN and generic info
  b. /usr/share/doc/packages/apache2/certificate.sh - prompts for values
 4. restart apache and test connectivity using HTTPS
 5. cp /etc/apache2/vhosts.d/vhost-ssl.template to a working file

Key SSL files:
 1. server.crt (Server's certificate - public key)
 2. server.key (Server's private key - must stay readable by root only; the parent process reads it before the children drop to 'wwwrun')
 3. server.csr (Certificate Signing Request - sent to a CA (CAcert.org, Verisign, Thawte, GoDaddy))

###Webalizer - Log analysis of Apache###
Note: Default /etc/webalizer.conf parses the standard 'access_log' file
Note: Move /etc/webalizer.conf to /etc/webalizer/webalizer.conf
Note: Copy webalizer.conf to something that reflects the site being processed
Note: Log files should be processed chronologically
Note: Webalizer is limited to a 12-month history

Setup Basic HTTP AUTH
 1. Configure /etc/apache2/default-server.conf
<Location /webalizer>
 AuthType Basic
 AuthName "Restricted"
 AuthUserFile /etc/apache2/webalizer_passwords
 Require valid-user
</Location>

 2. Generate the password file using 'htpasswd2 -c webalizer_passwords linuxcbt' (run in /etc/apache2; the file lives outside DocumentRoot so it can never be served, and '-c' creates the file, overwriting an existing one)

###Redirect /webalizer to SSL-protected site###
Redirect /webalizer https://linuxcbtsuse1.linuxcbt.internal/webalizer
Note: Basic auth sends the password Base64-encoded, not encrypted, on every request; without this redirect it crosses the wire in the clear

###PHP Scripts Integration###
Create PHP script in Document Root of web site:
MUST include opening '<?php' and closing '?>' PHP tags in PHP scripts (the short '<?' form only works when short_open_tag is enabled in php.ini)
Note: PHP scripts, served by Apache, do NOT need the 'x' permissions

Note: use '<?php phpinfo(); ?>' - to return useful PHP/Apache/Linux info; remove the page once finished, since it hands any visitor the versions, paths and loaded modules an attacker would otherwise have to guess

Note: consult '/etc/php5/apache2/php.ini' to tweak PHP Module settings (memory/etc.)

Note: install 'php5-mysql' package to allow PHP to talk to MySQL.

MySQL Implementation
/etc/my.cnf - global MySQL configuration file
/usr/sbin/mysqld - Main daemon
/var/lib/mysql - Primary root directory for DBs


-Below /var/lib/mysql are directories representing DBs

/usr/bin/mysql - primary client(interactive/non-interactive) used to connect to MySQLD

mysql - connects the currently-logged-in Linux/Unix user to the server

mysqld supports, by default:
 1. passwordless root (DBMS super-user) authentication
 2. anonymous, passwordless authentication

Note: Change both 'root' accounts' passwords and remove anonymous access
Note: A proper MySQL username consists of the following:
 1. username
 2. hostname
i.e. root@localhost, [email protected]

###Alternate way for DBA to change user's password###
set password for 'root'@'localhost' = password('abc123');

###Disable anonymous access###
delete from mysql.user where user = '';

Note: Flush privileges after dropping and changing accounts or risk permitting access based on former credentials until the server (mysqld) is restarted
Use: 'flush privileges;'
Note: in standard MySQL installations, non-privileged Linux/Unix users are aliased to 'anonymous'

###Delete superfluous DBs###
drop database test;

###Privileges scope###
mysql - DB used to manage system settings and credentials
mysql.user - global-level permissions table
mysql.host - host-level permissions
mysql.db - database-level permissions
mysql.tables_priv - table-level permissions
mysql.columns_priv - column-level permissions

###Create new user###
 1. Create DB - 'create database contacts;'
 2. Create user with permissions associated with DB
    grant all on contacts.* to 'linuxcbt'@'localhost' identified by 'abc123';
 3. CREATE USER username; - creates an account with no privileges (GRANT alone also creates the account when it does not yet exist)

###Drop/Delete Users### 1. DROP USER username;

Note: MySQL evaluates credentials based on 3 components: 1. user 2. hostname 3. password

###Define users who may login to MySQL from a remote system###


 1. grant all on contacts.* to 'linuxcbt'@'%' identified by 'abc123';
 2. grant all on *.* to 'root'@'%' identified by 'abc123';
Note: the second grant exposes the superuser to every host that can reach TCP:3306; prefer a host or subnet pattern (e.g. 'root'@'192.168.1.%') and keep 'skip-networking' in my.cnf or a firewall rule in place where remote access is not needed

Note: '%' is a wildcard meaning 'ANY', similar to '*' in the shell environment
Note: '%' is permitted in the 'host' field/column and NOT in the 'user' column of the privileges tables

###Key Show Commands###
show grants; - reveals permissions
show databases; - enumerates databases that you have privileges to see
use DB; show tables; - lists tables in a given database

show engines; - returns list of supported (compiled-in) table storage engines
show status; - returns key running variables
show processlist; - returns running queries and connections

Note: MySQL binaries search for configuration files in a specific order:
 1. Global config file - /etc/my.cnf
 2. Per-user config file - ~/.my.cnf
 3. Command line - overrides ALL previously-set directives

Note: each program (MySQL binary) searches for distinct blocks ([mysqld], [client], etc.) in the config files
mysqld --verbose --help - returns options and variables that can be set in global and per-user configuration files

name=value - defines how variables are set in config files

###Execute MySQL query, returning results to STDOUT (batch-run/non-interactive invocation)###
mysql -pabc123 -e 'show databases' - returns list of DBs to STDOUT
Note: '-pabc123' puts the password in the process list and shell history; use '-p' alone to be prompted, or a [client] section with 'password=' in a mode-0600 ~/.my.cnf

###Backup databases###
mysqldump -p --all-databases > all_dbs.sql - dumps ALL DBs in ASCII text format to a file
mysqldump -p --databases mysql - returns the SQL to recreate the 'mysql' DB & tables (including the password hashes, so protect the dump like the server)

###Creation of 'people' table to store contacts###
DB (contacts) - Table (people)
 -first_name
 -last_name
 -bus_phone1
 -email
 -PRIMARY KEY

CREATE TABLE `people` (
 `first_name` char(30),
 `last_name` char(30),
 `bus_phone1` char(20),
 `email` char(40),
 PRIMARY KEY (`email`)
);

Note: use 'describe people' to return the structure of the 'people' table

###Import contacts into 'people' table from externally-created text file###
Note: Create a file named 'people.txt'. mysqlimport strips the '.txt' suffix and matches the file name to the table name.
Note: Import using 'mys
qlimport'

mysqlimport -p --local contacts people.txt
Note: the database name is a positional argument; '-d' is short for '--delete', which empties the table before importing, so 'mysqlimport -d contacts people.txt' would first wipe every existing row of 'people'


###PHP code to query 'contacts.people' and dump info to HTML###
Steps:
 1. Create connection object (host, user, password, DB)
 2. Define query
 3. Define result set variable
 4. Loop through the result set and return results to the browser

<?php
# Step 1: connection object (host, user, password, DB) - string arguments must be quoted
$conn1 = new mysqli('localhost', 'linuxcbt', 'abc123', 'contacts');
if (mysqli_connect_errno()) {
    die('Could not connect: ' . mysqli_connect_error());
}

# Step 2: define query (nothing from the request is interpolated here; anything that is must be bound or escaped)
$query1 = "SELECT first_name, last_name, email FROM people";

# Step 3/4: run the query once; execute the block only if the query succeeded
if ($result1 = $conn1->query($query1)) {
    ### Echo column headers ###
    echo "Full Name ", "E-Mail", "<br>";

    ### Loop through result set ###
    while ($obj1 = $result1->fetch_object()) {
        # htmlspecialchars() stops stored data from being rendered as HTML/script in the browser
        echo htmlspecialchars($obj1->first_name), " ", htmlspecialchars($obj1->last_name), " ",
             htmlspecialchars($obj1->email), "<br>";
    }   # terminates loop through result set
    $result1->free();
}   # terminates conditional check for result set
$conn1->close();
?>

PHPMyAdmin - Implementation
Used to graphically, via a browser, manage MySQL instances
www.phpmyadmin.net
Note: Requires PHP-MySQL support on your Apache server
tar -xjvf phpMyAdmin-2.8.2.4.tar.bz2

Note: create a symlink or alias to link to the current version of PHPMyAdmin. This provides a consistent URL, i.e. http://linuxcbtsuse1.linuxcbt.internal/phpmyadmin
ln -s phpMyAdmin-2.8.2.4 phpmyadmin
Note: a predictable URL is also the first thing scanners probe; put the same Basic-auth-plus-HTTPS protection in front of it as on /webalizer

Postfix MTA
Note: is a distributed, non-monolithic MTA (many binaries)
Note: Postfix does NOT permit outside network relaying by default
/etc/postfix/main.cf - Primary Postfix config file
/etc/postfix/master.cf - houses config for Postfix daemons
/etc/postfix/transport - governs message routing based on domain/etc.
/etc/postfix/virtual - houses virtual mappings for virtual domains


/usr/bin/mailq - enumerates the contents of the mail queue
/usr/bin/newaliases - updates the aliases DB (/etc/aliases)
/usr/sbin/sendmail - drop-in replacement for Sendmail's 'sendmail' binary

Key directives (set in main.cf as 'name = value'; '$name' refers to that value elsewhere in the file):
myhostname = linuxcbtsuse1.linuxcbt.internal (Default FQDN)
[email protected] - i.e. [email protected]

mydomain = linuxcbt.internal (Default derivative of FQDN)

myorigin = $myhostname (default) - sets the domain appended to unqualified sender addresses in outbound e-mail

mydestination - controls domains that are considered local, i.e. [email protected]

mynetworks - permits relaying from trusted hosts/subnets - default accepts messages from localhost and the local subnet; anything listed here can relay through you, so keep it narrow

home_mailbox - controls the local delivery format:
 unset - mbox: one spool file per user, /var/spool/mail/user
 home_mailbox = Maildir/ - Maildir (trailing slash): one file per message under ~/Maildir/

Note: Most Mail User Agents (MUAs), such as Mutt, send messages using the 'sendmail' binary
Note: when using 'su' the 'MAIL' shell variable does NOT change

Note: Postfix defaults to syslog for logging, using the mail facility: /var/log/mail
Note: If DNS fails, outbound delivery fails (Postfix cannot resolve MX records), unless static routing has been configured in /etc/postfix/transport

Note: postconf dumps running Postfix configuration

Note: After modifying lookup files such as /etc/postfix/transport, update the DB file using 'postmap filename' i.e. 'postmap /etc/postfix/transport'

Courier-MTA - IMAP

Requirements:
 1. Courier Authlib - Authentication library for ALL Courier applications
 2. Courier IMAP
 3. GNU C Compiler

AuthLib Installation: http://courier-mta.org/authlib
Steps:
 1. ./configure
 2. make
 3. make install (as root) - /usr/local/sbin
 4. make install-configure (as root)
 5. /usr/local/sbin/authdaemond start

IMAP Installation: http://courier-mta.org/imap
Steps:
 1. ./configure
 2. make (produces binaries)
 3. make install (as root) - copies files to /usr/lib/courier-imap
 4. make install-configure (as root)
 5. /usr/lib/courier-imap/libexec/imapd.rc start - starts IMAPD


Note: Courier IMAP requires Maildir/ directory in user's $HOME

###Postfix - Maildir/ config###
nano /etc/postfix/main.cf - set 'home_mailbox = Maildir/', then reload Postfix

couriertcpd - analogous to XINETD because it is a super-server

Note: Courier IMAP provides the following daemons:
 1. IMAPD - TCP:143 - Clear-text access
 2. IMAPD-SSL - TCP:993 - Encrypted access
 3. POP3 - TCP:110 - Clear-text access to download messages
 4. POP3-SSL - TCP:995 - Encrypted access to download messages
 5. SYSV INIT scripts - in the source code directory
Note: the clear-text daemons carry the user's system password on every login; leave only 993/995 reachable from outside the LAN

chkconfig courier-authlib on
chkconfig courier-imap on

SquirrelMail - Web-based Mail integration
Steps:
 1. Download from www.squirrelmail.org
 2. Extract and untar: tar -xjvf squirrelmail-1.4.8...
 3. Configure to use Courier - using squirrelmail/config/conf.pl
 4. Change permissions on the squirrelmail/data sub-directory to be owned by 'wwwrun'
 5. Symlink 'squirrelmail' to the 'squirrelmail-1.4.8...' directory
 6. Test logging into mail

###Connection logic to mailbox from client###Browser -> SquirrelMail(PHP) -> Courier IMAP -> ~/Maildir/

###Move default SquirrelMail 'data' directory outside of WebRoot###
mkdir -p /var/squirrelmail/data
chown -R wwwrun /var/squirrelmail
Note: 'data' holds per-user preference files; outside the web root they cannot be fetched by URL

Pure-FTPD
Features:
 1. Lightweight
 2. Fast
 3. Secure
 4. SSL/TLS on the control connection
 5. Bandwidth throttling
 6. Runs in standalone and XINETD modes

/etc/pure-ftpd/pure-ftpd.conf - Primary configuration file
/usr/sbin/pure-ftpd - primary binary
Note: pure-ftpd defaults users to their home directories (chroot)
Note: by default, ONLY 'anonymous' connections are permitted
Note: 'anonymous' access works like VSFTPD; it is based on the 'ftp' user in /etc/passwd


Note: by default, pure-ftpd logs ONLY using 'syslog'
Note: the CLF/W3C/Stats log files do NOT log verbose FTP activity; however, 'syslogd' does

###Enable FTP support in Syslog###
Requires: filter, destination, and log directives

###Syslog-NG Configuration###
filter f_ftp { facility(ftp); };
destination d_ftp { file("/var/log/pure-ftp-syslog.log"); };
log { source(src); filter(f_ftp); destination(d_ftp); };

FTP Client -> FTP Server (21 - Control Connection - Clear Text)
Note: TLS encryption, as configured here, applies solely to the control connection - typically TCP:21 - so the login is protected
Note: TLS does NOT protect the Active/Passive data connection in this setup; file contents and directory listings still cross the wire in the clear

Requirements:
 1. Generate (use notes from docs) or use an existing PEM file or certificate
 2. modify pure-ftpd.conf to permit TLS

Xen Virtualization
Features:
 1. Provides a Virtual Machine Server (VM Server) - hosts VMs - domain(0)
 2. Virtual Machines (VMs) - instances of Operating Systems
 3. Virtual Machine Monitor - software layer running between SUSE (domain 0) & hardware

Hardware <- VM Server -> VMM -> Virtual Machines (1..n)

Note: ample hardware (CPU power, RAM, Disk) is necessary to use Xen

Xen supports 2 modes:
 1. Fully Virtual - runs slower - supports most OSs, requires hardware-assisted virtualization (AMD-V & Intel VT) - devices are emulated and it requires more resources

 2. Paravirtual - runs faster - the guest kernel must be Xen-aware (here: SUSE 10.1 & higher, SUSE Ent. 10) - special 'Xen drivers' replace emulated hardware, resulting in faster performance

Note: this mode is considered 'VM-Aware' Mode

Note: Installation of Xen, modifies /boot/grub/menu.lst - to include Xen boot option

###Post VM Server Installation Checks###
xm list - returns domain 0 - confirms that Xen is operable

xm shutdown vm1 - asks the guest 'vm1' for a clean shutdown
xm destroy vm1 - terminates 'vm1' immediately, like pulling the power cord; the VM's configuration is NOT removed and it can be started again

XINETD - Super Server
Note: Successor to traditional 'INETD' with extensions
Client -> TCP:901 (SWAT) -> XINETD -> SWAT
Features:


 1. Spawns managed daemons (SWAT, pure-ftpd, VNC, etc.) when necessary
 2. Access-time ACLs - restricting connectivity to managed services during specific periods
 3. Connections per second (CPS) - limits rush of traffic/flooding
 4. Limits number of instances of spawned process

/etc/xinetd.conf - primary config file
/etc/xinetd.d - directory whose contents are included
Note: per-service config files override directives discovered in the 'defaults' block of the global /etc/xinetd.conf

/usr/sbin/itox && /usr/sbin/xconv.pl - converts INETD files/entries to XINETD format

XINETD - /etc/xinetd.conf - INCLUDES contents of /etc/xinetd.d/*

XINETD config block resembles the following:
service_name
{
    n number of directives (name = value pairs)
}

service2_name
{
    name = value pairs
}

'man xinetd.conf' to examine all possible directives

XINETD interacts natively with TCP Wrappers (libwrap)
Note: increase the security of XINETD-protected services by using the following directives:
 1. interface = 127.0.0.1 (synonym: bind) - listen on the loopback address only
 2. only_from = 127.0.0.1 - reject connections from any other address

TCP Wrappers - tcpd
Controls access to protected services, including XINETD and non-XINETD-controlled services (any daemon linked against libwrap, e.g. sshd)
Note: TCP Wrappers provides protection dynamically

TCP Wrappers order of processing:
 1. /etc/hosts.allow - swat:127.0.0.1 192.168.1.40 - daemon:client_list combo - GRANT ACCESS

 2. /etc/hosts.deny - swat:127.0.0.1 192.168.1.40 - DENY ACCESS
 3. IF NO MATCH in either file - GRANT ACCESS (so an empty hosts.deny protects nothing; 'ALL: ALL' in hosts.deny turns the default into a deny)

Note: TCP Wrappers uses the name of the daemon as its token

Note: TCP Wrappers permits placing ALL rules in one file (/etc/hosts.allow) providing we use the following syntax:
 - daemon_name(swat) : client_list(127.0.0.1,192.168.1.0) : ALLOW | DENY
 - daemon_list(swat,pure-ftpd,etc.) : client_list... : ALLOW | DENY
Note: a trailing-dot pattern such as '192.168.1.' matches the whole prefix; '192.168.1.0' on its own matches only that exact address

Note: The 3rd field of a TCP Wrappers rule may optionally contain a shell command ('spawn' runs it and then continues with the access decision; 'twist' runs it in place of the service)

Note: TCP Wrappers rules are executed immediately without having to reload/restart services
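The decision order described in the notes (hosts.allow first, then hosts.deny, otherwise allow, with an ALLOW/DENY third field overriding the file it sits in) is easy to get wrong, and rules take effect immediately, so the following added example, not part of the LinuxCBT notes, models that decision in plain sh so a rule can be checked before it is dropped into place. It handles the pattern forms the notes use: an exact address, a trailing-dot prefix such as 192.168.1., a comma- or space-separated list, and ALL. The real library also understands hostnames, net/mask and EXCEPT, which this model deliberately does not; the hosts.allow/hosts.deny contents in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the LinuxCBT notes): a reduced model of the TCP Wrappers
# decision so the effect of a rule can be checked before it is deployed.
# Supported patterns: exact address, trailing-dot prefix (192.168.1.), ALL.
# Not modelled: hostnames, net/mask, EXCEPT, and the wildcard KNOWN/UNKNOWN/PARANOID.

# pattern_matches PATTERN VALUE
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;        # prefix form
        *)   [ "$1" = "$2" ] && return 0 ;;                 # exact form
    esac
    return 1
}

# list_matches LIST VALUE: LIST is comma and/or space separated
list_matches() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        pattern_matches "$p" "$2" && return 0
    done
    return 1
}

# file_matches FILE DAEMON CLIENT: 0 if a "daemon_list : client_list [: option]" line
# matches; the optional third field (ALLOW/DENY) is left in TCPD_OPTION
file_matches() {
    TCPD_OPTION=""
    [ -f "$1" ] || return 1
    while IFS= read -r line; do
        line=${line%%#*}                                    # strip comments
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        option=""
        case "$rest" in *:*) option=$(printf '%s' "${rest#*:}" | tr -d ' \t') ;; esac
        if list_matches "$daemons" "$2" && list_matches "$clients" "$3"; then
            TCPD_OPTION=$option
            return 0
        fi
    done < "$1"
    return 1
}

# tcpd_decision ALLOW_FILE DENY_FILE DAEMON CLIENT: prints allow or deny
tcpd_decision() {
    if file_matches "$1" "$3" "$4"; then
        if [ "$TCPD_OPTION" = "DENY" ]; then echo deny; else echo allow; fi
    elif file_matches "$2" "$3" "$4"; then
        if [ "$TCPD_OPTION" = "ALLOW" ]; then echo allow; else echo deny; fi
    else
        echo allow                                          # no match anywhere: granted
    fi
}

# Usage: sh tcpd_check.sh swat 192.168.1.102   (reads the real /etc/hosts.allow and hosts.deny)
if [ "$#" -eq 2 ]; then
    tcpd_decision /etc/hosts.allow /etc/hosts.deny "$1" "$2"
fi
```

The last assertion in the test is the case that bites in practice: with hosts.deny empty, a daemon that is not mentioned in hosts.allow is reachable from everywhere. tcpdmatch(8), shipped with the real library, gives the authoritative answer for patterns this model does not cover.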


###Security Strategy###
 1. Application Security - user authentication, port bindings, etc.
 2. XINETD - wraps your application - connection throttling, access times, logging, etc.
 3. TCP Wrappers - dynamic, library-based (libwrap, user space, not kernel) access control in front of applications
 4. Netfilter/IPTables - stateful firewall in the kernel

Netfilter is the firewall compiled into the Linux kernel
IPTables is a front-end, user-space utility used to manage Netfilter

User -> IPTables (user space) -> Netfilter (kernel)

IPTables Implementation & Operation
Features:
 1. Operates primarily @ Layers 3 (Network) & 4 (Transport) of the OSI model
  a. IP = 192.168.1.40 (Layer 3) - Note: 2^32 IPv4 addresses are available
  a1. Multiplexed into 2^16 ports = 1-65535 - Layer 4 ports (80, 901, 22, 23, 21, ...)
 2. Modular - it is extended via plug-ins/modules
 3. Provides '/usr/sbin/iptables' - primary utility, used to manage Netfilter
 4. '/usr/sbin/iptables-save' & 'iptables-restore' to back up and restore rules for reuse
 5. Changes made happen instantly/dynamically and are lost at reboot unless saved

Note: IPTables consists of tables & chains
Tables - 3 default tables:
 NAT - chains
 Mangle - chains
 Filter (default table) - chains:
  -INPUT - focuses on traffic inbound to a local process
  -OUTPUT - focuses on traffic outbound/leaving the system
  -FORWARD - focuses on traffic being routed through the system (1 interface to another)

IPTables Usage
iptables -L - lists the current rule-set for the default table (Filter)
Default policy applied to chains is 'ACCEPT' - this permits traffic to flow uninhibited; a hardened host sets INPUT (and FORWARD) to DROP and allows only what is needed

iptables -L -t nat
Note: You cannot remove the default tables (Filter, NAT, Mangle)
Note: The 'FORWARD' chain of the 'Filter' table does not see traffic unless IP forwarding has been enabled (/proc/sys/net/ipv4/ip_forward)

iptables -A chain_name - appends rule to bottom of the list
iptables -D chain_name rule_num - deletes rule at number
iptables -F chain_name - flushes rules in chain
iptables -P chain_name DROP - changes the policy to DROP
iptables -N new_chain_name - defines a new chain
iptables -E old_chain_name new_chain_name - renames a chain
iptables -Z chain_name - zeroes counters
Note: rules are matched top to bottom and the first match wins, so order matters (an early '-j ACCEPT' hides a later DROP)

###Rule to deny inbound access to Samba SWAT###
i.e. iptables -A INPUT --protocol --dport -s Jump Target (ACCEPT/DROP/REJECT/LOG)
iptables -A INPUT -p tcp --dport 901 -s 192.168.1.102 -j DROP
Note: DROP silently discards the packet; REJECT (there is no 'DENY' target) answers with an ICMP error or TCP RST


iptables -A INPUT -p tcp --dport ssh -s 192.168.1.102 -j DROP
iptables -F INPUT

###Save/Restore Rules###
iptables-save > `date +%F`.iptables.rules - saves rules to disk
iptables-restore < 2006-09-21.iptables.rules - reinstates rules (reads the saved file on stdin)
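The save/restore format above is also the safest way to switch a host from the default ACCEPT policy to DROP, because the whole rule set is loaded atomically. The following is an added example, not code from the LinuxCBT notes: it writes a default-deny INPUT chain in iptables-restore format (loopback and established traffic first, SSH from a management subnet, SWAT's TCP:901 dropped for everyone but loopback, rate-limited logging of the rest) and checks the file for the classic self-lockout before it is loaded. The management subnet and file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the LinuxCBT notes): write a default-deny INPUT policy in
# iptables-restore format and check it for the classic self-lockout before loading.
# The management subnet and paths are assumptions.

MGMT_NET=${MGMT_NET:-192.168.1.0/24}

# write_ruleset FILE: emit the filter table with INPUT/FORWARD DROP and explicit allows
write_ruleset() {
    cat > "$1" <<EOF
# Generated $(date +%F); load with: iptables-restore < $1
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to our own connections must come before the drops
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# remote administration only from the management subnet
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m state --state NEW -j ACCEPT
# SWAT (TCP:901) speaks BASIC auth in the clear; loopback was accepted above, drop the rest
-A INPUT -p tcp --dport 901 -j DROP
# log what the policy is about to drop, rate limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# check_lockout FILE: 0 if the file is safe to load from a remote SSH session,
# 1 if INPUT is DROP but nothing accepts established traffic or new SSH connections
check_lockout() {
    grep -q '^:INPUT DROP' "$1" || return 0          # permissive policy, nothing to check
    grep -q -- '--state ESTABLISHED' "$1" || return 1
    grep -q -- '--dport 22 .*-j ACCEPT' "$1" || return 1
    return 0
}

# Usage: sh build_rules.sh /root/$(date +%F).iptables.rules  (then iptables-restore < file)
if [ "$#" -ge 1 ]; then
    write_ruleset "$1"
    if check_lockout "$1"; then
        echo "$1 written; review it, then: iptables-restore < $1"
    else
        echo "$1 would lock out remote administration - not loading" >&2
        exit 1
    fi
fi
```

When applying a DROP policy over SSH, keep a second session open and have 'iptables-restore < previous.rules' ready; the ESTABLISHED rule keeps the current session alive, but only if it is loaded in the same atomic restore as the policy change.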

###Filter inbound ICMP echo-request traffic###
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

###Filter outbound ICMP echo-request traffic###
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

###SuSE Firewall2 - Graphical IPTables/Netfilter Management###
Note: SuSE Firewall2 changes the default policies to 'DROP'

Network Mapper (Nmap)
Note: http://www.insecure.org
rpm -Uvh nmap-version*
/usr/bin/nmap - primary utility - available to ALL users
Note: non-privileged users can use Nmap in a limited capacity (TCP connect scans, which complete the handshake and therefore show up in the target's application logs); raw-socket scans (SYN, UDP, OS detection) need 'root'

NmapFE - GUI front-end, which executes Nmap via the shell

###Nmap usage###
nmap
nmap localhost - scans localhost using SYN (if 'root') or TCP connect (if non-root) - performs a TCP scan

nmap 192.168.1.40
nmap -v 192.168.1.40
nmap -v -sU 192.168.1.0/24
nmap -v -sU -p 67 192.168.1.0/24
nmap -v -O 192.168.1.197
nmap -v -oN nmap.scan.1 192.168.1.0/24

Nessus - Vulnerability Scanner
Nessus scans hosts, determines available services, and vulnerabilities
www.nessus.org

Note: Nessus is Client/Server App. NessusD runs on Linux Server, client runs on: Windows/Linux/Mac/Solaris/etc.

Note: place Nessus server in location on network that has access to entire network

Register with Tenable Network Security:
rpm -Uvh Nessus-3.0.3-suse10.0.i586.rpm
Note: Must apply the activation code in order to receive feeds (definitions)
/opt/nessus/sbin/nessus-add-first-user - adds first user to Nessus
/opt/nessus/sbin/nessus-add-user - adds additional users to Nessus


0.0.0.0:1241 - Nessus binds to TCP:1241 by default on ALL IP addresses

Nessus Client can be used to connect to multiple NessusD back-end servers via scopes

TCPDump - Packet Sniffer
Note: TCPDump optionally produces a TCPDump-format (pcap) file, which is readable by many tools, including:
 1. TCPDump
 2. Ethereal
 3. Snort NIDS

/usr/sbin/tcpdump - is the single binary used to sniff on interfaces

###Usage###
tcpdump
control-C to kill

tcpdump -v - executes in verbose mode and returns a capture synopsis
tcpdump -v -n - disables name resolution (faster, and no reverse-DNS queries to betray the capture)

tcpdump -vv - increases verbosity

tcpdump -v -i eth2
tcpdump -D - returns possible sniffing interfaces
tcpdump -v -i any - listens to ALL interfaces, non-promiscuous mode

tcpdump -v -c 5 - captures 5 packets and exits
tcpdump -q - runs in quiet mode
tcpdump -v -e - returns link header (MAC info)

tcpdump -v -w capture.out - writes to capture.out file (raw packets, so protect the file like the traffic it holds)
tcpdump -v -r capture.out - replays packets in file

Note: 3 qualifiers can be used to filter traffic:
 1. Type - host|net|port
 2. Dir - src, dst, src or dst, src and dst
 3. Proto - ip, tcp, udp, etc.

tcpdump -v host 192.168.1.102
tcpdump -v src 192.168.1.102
tcpdump -v -r capture.out

Ethereal - Network Analysis Tool
Features:
1. Sniffer
2. Saves sniffed traffic in TCPDump format
3. Analyzes TCPDump-formatted data
4. Correlates streams of packets

/usr/bin/ethereal - primary utility


Snort Network Intrusion Detection System (NIDS)
Features/Modes:
1. Sniffer - i.e. TCPDump
2. Packet Logger - i.e. TCPDump
3. NIDS

Requires:
1. pcre-devel*
2. libpcap
3. mysql-devel* (optional, to support DBMS logging with MySQL)

Download GPG signature and MD5 checksum files
gpg --verify snort-2.6.0.2.tar.gz.sig

###Compilation process###
1. ./configure --
2. make
3. make install

Snort - Sniffer Mode
snort -v - dumps basic headers - timestamp and IP header
snort -vd - dumps application layer
snort -ve - dumps layer-2 info (MAC)
snort -vde - dumps layers 2-7

Snort - Logger Mode - Sniffer Mode with output sent to Screen and/or file
snort -v -L - dumps ALL layers, minus physical, to a TCPDump-compliant file
snort -v -l ./ - creates snort.log.timestamp in current directory
snort -v -b -l ./ - Binary Logging
snort -b -l ./ - Binary logging with NO ASCII output to STDOUT - drops less data

Snort - NIDS Mode with BASE
Steps:
1. Reconfigure Snort with --enable-dynamicplugin option
2. groupadd snort && useradd -g snort snort
3. Setup /etc/snort directory tree with config files and rules
4. Configure MySQL
5. Invoke Snort in NIDS mode
6. Download & configure BASE

1. make clean && ./configure --with-mysql --enable-dynamicplugin
2. make && make install

$HOME_NET 192.168.1.0/24
$RULE_PATH /etc/snort/rules
output database: log, mysql...

mysql
- create database snort;
- grant ALL on snort.* to snort@localhost identified by 'snortabc123';
- grant ALL on snort.* to snort identified by 'snortabc123';

mysql -pabc123 < create_mysql snort

NIDS Mode Invocation
/usr/local/bin/snort -c /etc/snort.conf -i eth0 -g snort -D - daemonizes


Download and extract rules files to /etc/snort/rules

BASE Installation
Requirements:
1. php support for MySQL
2. php gd support - optional
3. adodb - sourceforge.net - /srv/www/adodb

Note: BASE extends 'snort' DB schema