unix server tools guntis barzdins girts folkmanis juris krūmiņš artūrs lavrenovs


Upload: reginald-gorrell

Post on 14-Dec-2015


TRANSCRIPT

Slide 1
Unix Server Tools
Guntis Barzdins, Girts Folkmanis, Juris Krūmiņš, Artūrs Lavrenovs

Slide 2: Unix Server Tools
- IP connectivity, routing
- Daemons
- Syslog
- Inetd etc.
- Cron
- Security

Slide 3: Networking Software
Good free implementations for:
- DNS: BIND v8/9, djbdns
- SMTP: sendmail, qmail, postfix, exim
- POP/IMAP: qpopper, uwimapd, dovecot
- HTTP: Apache, nginx
- PHP, MySQL
"If it was hard to develop, it should be hard to install!"

Slide 4: Two IP processing modes: host or router
Manual change:
  # more /proc/sys/net/ipv4/ip_forward
  0
  # echo 1 > /proc/sys/net/ipv4/ip_forward
  # more /proc/sys/net/ipv4/ip_forward
  1
  #
Use of sysctl (modify kernel parameters under /proc/sys/ at runtime):
  # /sbin/sysctl net.ipv4.ip_forward
  net.ipv4.ip_forward = 1
  # /sbin/sysctl -w net.ipv4.ip_forward=0
  net.ipv4.ip_forward = 0
Record changes in /etc/sysctl.conf so they are reapplied after a reboot. A host that is not meant to route should keep ip_forward at 0: once it forwards, anyone who can reach one of its interfaces can use it to reach the networks behind the others.

Slide 5: sysctl -a (complete dump from a Linux 2.4 host)
  unix sbin # sysctl -a
  abi.fake_utsname = 0
  abi.trace = 0
  abi.defhandler_libcso = 68157441
  abi.defhandler_lcall7 = 68157441
  abi.defhandler_elf = 0
  abi.defhandler_coff = 117440515
  dev.rtc.max-user-freq = 64
  net.unix.max_dgram_qlen = 10
  net.ipv4.ip_conntrack_max = 8184
  net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
  net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
  net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
  net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
  net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
  net.ipv4.netfilter.ip_conntrack_buckets = 1023
  net.ipv4.netfilter.ip_conntrack_max = 8184
  net.ipv4.conf.eth0.force_igmp_version = 0
  net.ipv4.conf.eth0.arp_ignore = 0
  net.ipv4.conf.eth0.arp_announce = 0
  net.ipv4.conf.eth0.arp_filter = 0
  net.ipv4.conf.eth0.tag = 0
  net.ipv4.conf.eth0.log_martians = 0
  net.ipv4.conf.eth0.bootp_relay = 0
  net.ipv4.conf.eth0.medium_id = 0
  net.ipv4.conf.eth0.proxy_arp = 0
  net.ipv4.conf.eth0.accept_source_route = 1
  net.ipv4.conf.eth0.send_redirects = 1
  net.ipv4.conf.eth0.rp_filter = 1
  net.ipv4.conf.eth0.shared_media = 1
  net.ipv4.conf.eth0.secure_redirects = 1
  net.ipv4.conf.eth0.accept_redirects = 1
  net.ipv4.conf.eth0.mc_forwarding = 0
  net.ipv4.conf.eth0.forwarding = 0
  net.ipv4.conf.lo.force_igmp_version = 0
  net.ipv4.conf.lo.arp_ignore = 0
  net.ipv4.conf.lo.arp_announce = 0
  net.ipv4.conf.lo.arp_filter = 0
  net.ipv4.conf.lo.tag = 0
  net.ipv4.conf.lo.log_martians = 0
  net.ipv4.conf.lo.bootp_relay = 0
  net.ipv4.conf.lo.medium_id = 0
  net.ipv4.conf.lo.proxy_arp = 0
  net.ipv4.conf.lo.accept_source_route = 1
  net.ipv4.conf.lo.send_redirects = 1
  net.ipv4.conf.lo.rp_filter = 0
  net.ipv4.conf.lo.shared_media = 1
  net.ipv4.conf.lo.secure_redirects = 1
  net.ipv4.conf.lo.accept_redirects = 1
  net.ipv4.conf.lo.mc_forwarding = 0
  net.ipv4.conf.lo.forwarding = 0
  net.ipv4.conf.default.force_igmp_version = 0
  net.ipv4.conf.default.arp_ignore = 0
  net.ipv4.conf.default.arp_announce = 0
  net.ipv4.conf.default.arp_filter = 0
  net.ipv4.conf.default.tag = 0
  net.ipv4.conf.default.log_martians = 0
  net.ipv4.conf.default.bootp_relay = 0
  net.ipv4.conf.default.medium_id = 0
  net.ipv4.conf.default.proxy_arp = 0
  net.ipv4.conf.default.accept_source_route = 1
  net.ipv4.conf.default.send_redirects = 1
  net.ipv4.conf.default.rp_filter = 0
  net.ipv4.conf.default.shared_media = 1
  net.ipv4.conf.default.secure_redirects = 1
  net.ipv4.conf.default.accept_redirects = 1
  net.ipv4.conf.default.mc_forwarding = 0
  net.ipv4.conf.default.forwarding = 0
  net.ipv4.conf.all.force_igmp_version = 0
  net.ipv4.conf.all.arp_ignore = 0
  net.ipv4.conf.all.arp_announce = 0
  net.ipv4.conf.all.arp_filter = 0
  net.ipv4.conf.all.tag = 0
  net.ipv4.conf.all.log_martians = 0
  net.ipv4.conf.all.bootp_relay = 0
  net.ipv4.conf.all.medium_id = 0
  net.ipv4.conf.all.proxy_arp = 0
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.all.send_redirects = 1
  net.ipv4.conf.all.rp_filter = 0
  net.ipv4.conf.all.shared_media = 1
  net.ipv4.conf.all.secure_redirects = 1
  net.ipv4.conf.all.accept_redirects = 1
  net.ipv4.conf.all.mc_forwarding = 0
  net.ipv4.conf.all.forwarding = 0
  net.ipv4.neigh.eth0.locktime = 100
  net.ipv4.neigh.eth0.proxy_delay = 80
  net.ipv4.neigh.eth0.anycast_delay = 100
  net.ipv4.neigh.eth0.proxy_qlen = 64
  net.ipv4.neigh.eth0.unres_qlen = 3
  net.ipv4.neigh.eth0.gc_stale_time = 60
  net.ipv4.neigh.eth0.delay_first_probe_time = 5
  net.ipv4.neigh.eth0.base_reachable_time = 30
  net.ipv4.neigh.eth0.retrans_time = 100
  net.ipv4.neigh.eth0.app_solicit = 0
  net.ipv4.neigh.eth0.ucast_solicit = 3
  net.ipv4.neigh.eth0.mcast_solicit = 3
  net.ipv4.neigh.lo.locktime = 100
  net.ipv4.neigh.lo.proxy_delay = 80
  net.ipv4.neigh.lo.anycast_delay = 100
  net.ipv4.neigh.lo.proxy_qlen = 64
  net.ipv4.neigh.lo.unres_qlen = 3
  net.ipv4.neigh.lo.gc_stale_time = 60
  net.ipv4.neigh.lo.delay_first_probe_time = 5
  net.ipv4.neigh.lo.base_reachable_time = 30
  net.ipv4.neigh.lo.retrans_time = 100
  net.ipv4.neigh.lo.app_solicit = 0
  net.ipv4.neigh.lo.ucast_solicit = 3
  net.ipv4.neigh.lo.mcast_solicit = 3
  net.ipv4.neigh.default.gc_thresh3 = 1024
  net.ipv4.neigh.default.gc_thresh2 = 512
  net.ipv4.neigh.default.gc_thresh1 = 128
  net.ipv4.neigh.default.gc_interval = 30
  net.ipv4.neigh.default.locktime = 100
  net.ipv4.neigh.default.proxy_delay = 80
  net.ipv4.neigh.default.anycast_delay = 100
  net.ipv4.neigh.default.proxy_qlen = 64
  net.ipv4.tcp_keepalive_probes = 9
  net.ipv4.tcp_keepalive_time = 7200
  net.ipv4.ipfrag_time = 30
  net.ipv4.ip_dynaddr = 0
  net.ipv4.ipfrag_low_thresh = 196608
  net.ipv4.ipfrag_high_thresh = 262144
  net.ipv4.tcp_max_tw_buckets = 16384
  net.ipv4.tcp_max_orphans = 8192
  net.ipv4.tcp_synack_retries = 5
  net.ipv4.tcp_syn_retries = 5
  net.ipv4.ip_nonlocal_bind = 0
  net.ipv4.ip_no_pmtu_disc = 0
  net.ipv4.ip_autoconfig = 0
  net.ipv4.ip_default_ttl = 64
  net.ipv4.ip_forward = 0
  net.ipv4.tcp_retrans_collapse = 1
  net.ipv4.tcp_sack = 1
  net.ipv4.tcp_window_scaling = 1
  net.ipv4.tcp_timestamps = 1
  net.core.somaxconn = 128
  net.core.hot_list_length = 128
  net.core.optmem_max = 10240
  net.core.message_burst = 50
  net.core.message_cost = 5
  net.core.mod_cong = 290
  net.core.lo_cong = 100
  net.core.no_cong = 20
  net.core.no_cong_thresh = 10
  net.core.netdev_max_backlog = 300
  net.core.dev_weight = 64
  net.core.rmem_default = 106496
  net.core.wmem_default = 106496
  net.core.rmem_max = 106496
  net.core.wmem_max = 106496
  vm.block_dump = 0
  vm.laptop_mode = 0
  vm.max_map_count = 65536
  vm.max-readahead = 31
  vm.min-readahead = 3
  vm.page-cluster = 3
  vm.pagetable_cache = 25 50
  vm.kswapd = 512 32 8
  vm.overcommit_memory = 0
  vm.bdflush = 50 500 0 0 500 3000 60 20 0
  vm.vm_passes = 60
  vm.vm_lru_balance_ratio = 2
  vm.vm_mapped_ratio = 100
  vm.vm_cache_scan_ratio = 6
  vm.vm_vfs_scan_ratio = 6
  vm.vm_gfp_debug = 0
  kernel.lowlatency = 0
  kernel.overflowgid = 65534
  kernel.overflowuid = 65534
  kernel.random.uuid = 5784cebf-b4c1-4e2d-b60c-c8ed66b10136
  kernel.random.boot_id = 65fcbb7e-b4c3-452f-8d98-dc7ac3d67ea6
  kernel.random.write_wakeup_threshold = 128
  kernel.random.read_wakeup_threshold = 8
  kernel.random.entropy_avail = 772
  kernel.random.poolsize = 512
  kernel.threads-max = 2047
  kernel.cad_pid = 1
  kernel.sysrq = 1
  net.ipv4.neigh.default.unres_qlen = 3
  net.ipv4.neigh.default.gc_stale_time = 60
  net.ipv4.neigh.default.delay_first_probe_time = 5
  net.ipv4.neigh.default.base_reachable_time = 30
  net.ipv4.neigh.default.retrans_time = 100
  net.ipv4.neigh.default.app_solicit = 0
  net.ipv4.neigh.default.ucast_solicit = 3
  net.ipv4.neigh.default.mcast_solicit = 3
  net.ipv4.tcp_westwood = 0
  net.ipv4.ipfrag_secret_interval = 600
  net.ipv4.tcp_low_latency = 0
  net.ipv4.tcp_frto = 0
  net.ipv4.tcp_tw_reuse = 0
  net.ipv4.icmp_ratemask = 6168
  net.ipv4.icmp_ratelimit = 100
  net.ipv4.tcp_adv_win_scale = 2
  net.ipv4.tcp_app_win = 31
  net.ipv4.tcp_rmem = 4096 87380 174760
  net.ipv4.tcp_wmem = 4096 16384 131072
  net.ipv4.tcp_mem = 23552 24064 24576
  net.ipv4.tcp_dsack = 1
  net.ipv4.tcp_ecn = 0
  net.ipv4.tcp_reordering = 3
  net.ipv4.tcp_fack = 1
  net.ipv4.tcp_orphan_retries = 0
  net.ipv4.inet_peer_gc_maxtime = 120
  net.ipv4.inet_peer_gc_mintime = 10
  net.ipv4.inet_peer_maxttl = 600
  net.ipv4.inet_peer_minttl = 120
  net.ipv4.inet_peer_threshold = 65664
  net.ipv4.igmp_max_msf = 10
  net.ipv4.route.secret_interval = 600
  net.ipv4.route.min_adv_mss = 256
  net.ipv4.route.min_pmtu = 552
  net.ipv4.route.mtu_expires = 600
  net.ipv4.route.gc_elasticity = 8
  net.ipv4.route.error_burst = 500
  net.ipv4.route.error_cost = 100
  net.ipv4.route.redirect_silence = 2048
  net.ipv4.route.redirect_number = 9
  net.ipv4.route.redirect_load = 2
  net.ipv4.route.gc_interval = 60
  net.ipv4.route.gc_timeout = 300
  net.ipv4.route.gc_min_interval = 0
  net.ipv4.route.max_size = 8192
  net.ipv4.route.gc_thresh = 512
  net.ipv4.route.max_delay = 10
  net.ipv4.route.min_delay = 2
  net.ipv4.icmp_ignore_bogus_error_responses = 0
  net.ipv4.icmp_echo_ignore_broadcasts = 0
  net.ipv4.icmp_echo_ignore_all = 0
  net.ipv4.ip_local_port_range = 1024 4999
  net.ipv4.tcp_max_syn_backlog = 256
  net.ipv4.tcp_rfc1337 = 0
  net.ipv4.tcp_stdurg = 0
  net.ipv4.tcp_abort_on_overflow = 0
  net.ipv4.tcp_tw_recycle = 0
  net.ipv4.tcp_syncookies = 0
  net.ipv4.tcp_fin_timeout = 60
  net.ipv4.tcp_retries2 = 15
  net.ipv4.tcp_retries1 = 3
  net.ipv4.tcp_keepalive_intvl = 75
  kernel.sem = 250 32000 32 128
  kernel.msgmnb = 16384
  kernel.msgmni = 16
  kernel.msgmax = 8192
  kernel.shmmni = 4096
  kernel.shmall = 2097152
  kernel.shmmax = 33554432
  kernel.rtsig-max = 1024
  kernel.rtsig-nr = 0
  kernel.hotplug = /sbin/hotplug
  kernel.modprobe = /sbin/modprobe
  kernel.printk = 1 4 1 7
  kernel.ctrl-alt-del = 0
  kernel.real-root-dev = 256
  kernel.cap-bound = -257
  kernel.tainted = 0
  kernel.core_pattern = core
  kernel.core_setuid_ok = 0
  kernel.core_uses_pid = 0
  kernel.panic = 0
  kernel.domainname = (none)
  kernel.hostname = unix
  kernel.version = #1 Thu Sep 23 14:41:14 EEST 2004
  kernel.osrelease = 2.4.26-gentoo-r9
  kernel.ostype = Linux
  fs.lease-break-time = 45
  fs.dir-notify-enable = 1
  fs.leases-enable = 1
  fs.overflowgid = 65534
  fs.overflowuid = 65534
  fs.dentry-state = 1640 1438 45 0 0 0
  fs.file-max = 13100
  fs.file-nr = 140 37 13100
  fs.inode-state = 1443 18 0 0 0 0 0
  fs.inode-nr = 1443 18
  unix sbin #

Slide 6: ifconfig
  ifconfig eth0 192.168.99.35 netmask 255.255.255.0 up
  ifconfig
  eth0      Link encap:Ethernet  HWaddr 00:80:C8:F8:4A:51
            inet addr:192.168.99.35  Bcast:192.168.99.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:190312 errors:0 dropped:0 overruns:0 frame:0
            TX packets:86955 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:100
            RX bytes:30701229 (29.2 Mb)  TX bytes:7878951 (7.5 Mb)
            Interrupt:9 Base address:0x5000
Obsolete in Linux for many (10+) years, but still heavily used everywhere because of muscle memory (and compatibility with other UNIX versions).

Slide 7: ip
- ifconfig replacement in Linux
- Many new features
- Developed
- Replaces many networking commands: arp, iptunnel, nameif, netstat, route
- More Cisco-ish syntax
  ip link set eth0 up
  ip addr add 192.168.99.35/24 dev eth0
  ip addr show dev eth0
  2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000
      link/ether 00:12:33:44:55:66 brd ff:ff:ff:ff:ff:ff
      inet 192.168.99.35/24 brd 192.168.99.255 scope global eth0
         valid_lft forever preferred_lft forever

Slide 8: netstat: routing, sockets
Routing table:
  [root@morgan]# netstat -rn
  Kernel IP routing table
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  192.168.98.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
  127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
  0.0.0.0         192.168.98.254  0.0.0.0         UG       40 0          0 eth0
  [root@newlinuxway]# ip route
  default via 192.168.99.1 dev eth0 proto static
  192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.35 metric 1
IP socket status:
  [root@morgan]# netstat --inet -n
  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0    192 192.168.98.82:22        192.168.99.35:40991     ESTABLISHED
  tcp        0      0 192.168.98.82:42929     192.168.100.17:993      ESTABLISHED
  tcp       96      0 127.0.0.1:40863         127.0.0.1:6010          ESTABLISHED
  tcp        0      0 127.0.0.1:6010          127.0.0.1:40863         ESTABLISHED
  tcp        0      0 127.0.0.1:38502         127.0.0.1:6010          ESTABLISHED
  tcp        0      0 127.0.0.1:6010          127.0.0.1:38502         ESTABLISHED
  tcp        0      0 192.168.98.82:53733     209.10.26.51:80         SYN_SENT
  tcp        0      0 192.168.98.82:44468     192.168.100.17:993      ESTABLISHED
  tcp        0      0 192.168.98.82:44320     192.168.100.17:139      TIME_WAIT
  [root@newlinuxway]# ss -f inet -n

Slide 9: route
  [root@newlinuxway]# ip route {add | del} 193.1.9.0/24 via 193.1.9.1

Slide 10: Security Hardening: Recommended IP/ICMP Settings
Disable ping (ignore all ICMP echo requests):
  # sysctl -w net.ipv4.icmp_echo_ignore_all=1
Ignore ICMP echo requests sent to broadcast addresses (smurf amplification):
  # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Disable IP source routing:
  # sysctl -w net.ipv4.conf.all.accept_source_route=0
Disable ICMP redirects:
  # sysctl -w net.ipv4.conf.all.accept_redirects=0
Enable TCP SYN cookie protection:
  # sysctl -w net.ipv4.tcp_syncookies=1
Disable logging of bogus ICMP error responses:
  # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
Enable logging of martian packets (source addresses that could not have arrived on that interface):
  # sysctl -w net.ipv4.conf.all.log_martians=1
Create a blackhole (FreeBSD only; the net.inet.* keys do not exist on Linux):
  # sysctl net.inet.tcp.blackhole=1
  # sysctl net.inet.udp.blackhole=1
The conf.all.* keys are combined with the conf.default.* and per-interface values (the combining rule differs per key, see Documentation/networking/ip-sysctl.txt), so set both all and default; the dump on Slide 5 shows the distribution defaults with accept_source_route and accept_redirects still at 1 for default and eth0. Put the final values in /etc/sysctl.conf so they survive a reboot, and decide icmp_echo_ignore_all per host, since it also breaks legitimate monitoring.

Slide 11: Configure the domain name resolver
In Linux the resolver has 2 config files.
/etc/hosts specifies static mappings:
  185.300.10.1   host1
  185.300.10.2   host2
  185.300.10.3   host3
  185.300.10.4   host4 merlin
  185.300.10.5   host5 arthur king
  185.300.10.5   timeserver
  128.114.1.15   name1.xyz.aus.century.com name1
(The 185.300.x.x addresses are reproduced from the slide; they are not valid IPv4, since an octet cannot exceed 255.)
/etc/resolv.conf specifies the nameservers and the default domain:
  domain abc.aus.century.com
  nameserver 192.9.201.1
  nameserver 192.9.201.2

Slide 12: resolvconf
resolv.conf replacement: some software dynamically manages network connections (in some newer UNIX systems).
  cat /etc/resolv.conf
  # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
  #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
  nameserver 127.0.1.1
  ps aux | grep dns
  nobody 1481 0.0 0.0 31004 988 ? S Oct22 6:51 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d

Slide 13: Popular Routing Protocols

Slide 14: Quagga (previously GNU Zebra)

Slide 15: Quagga

Slide 16: Setting Up Network Interface Cards (FreeBSD): Configuring the Network Card
Once the right driver is loaded for the network card, the card needs to be configured. As with many other things, the network card may have been configured at installation time by sysinstall. To display the configuration for the network interfaces on your system, enter the following command:
  juriskr> ifconfig
  fxp0: flags=8843 mtu 1500
          options=40
          inet 10.1.2.6 netmask 0xffffff00 broadcast 10.1.2.255
          inet 10.1.2.4 netmask 0xffffffff broadcast 10.1.2.4
          inet 10.1.2.7 netmask 0xffffffff broadcast 10.1.2.7
          inet 10.1.2.12 netmask 0xffffffff broadcast 10.1.2.12
          inet 10.1.2.9 netmask 0xffffffff broadcast 10.1.2.9
          ether 00:02:55:c8:45:aa
          media: Ethernet autoselect (100baseTX )
          status: active
  ppp0: flags=8010 mtu 1500
  sl0: flags=c010 mtu 552
  lo0: flags=8049 mtu 16384
          inet 127.0.0.1 netmask 0xff000000
To configure your card, you need root privileges. The network card configuration can be done from the command line with ifconfig(8), but you would have to do it after each reboot of the system.
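Before moving on to the FreeBSD interface configuration, here is a way to check that the Slide 10 baseline actually took effect. It is an added example, not from the slides: a POSIX sh script that reads a saved `sysctl -a` dump on stdin and reports every baseline key whose value differs or is absent. The baseline is the Slide 10 list plus ip_forward=0 (an assumption: the host is not a router, as on Slide 4) and conf.default.accept_redirects (assumed, to cover the default branch mentioned above); icmp_echo_ignore_all is left out because it is a per-host policy choice. The sample dump is constructed from the Slide 5 values, with one key deliberately missing.

```shell
#!/bin/sh
# Added example: audit a saved `sysctl -a` dump against the Slide 10 baseline.
# Usage: sysctl -a > host.txt; sh audit_sysctl.sh host.txt
# (with no argument the constructed sample below is audited)

# Baseline, "key expected-value" per line. Only single-valued keys are used;
# ip_forward=0 and conf.default.accept_redirects=0 are the editor's additions.
BASELINE='net.ipv4.ip_forward 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.log_martians 1'

# Constructed sample: the relevant lines of the Slide 5 dump (2.4 kernel,
# distribution defaults), with conf.default.accept_redirects left out on
# purpose to show how a missing key is reported.
SAMPLE_DUMP='net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.ip_forward = 0
net.ipv4.icmp_ignore_bogus_error_responses = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.tcp_syncookies = 0'

# audit_sysctl: read a dump on stdin; print "key current expected" for every
# baseline key whose value differs, or "(missing)" when the key is absent.
audit_sysctl() {
    dump=$(cat)
    printf '%s\n' "$BASELINE" | while read -r key want; do
        # exact match on the key name; sysctl prints "key = value"
        have=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k && $2 == "=" { print $3; exit }')
        [ -n "$have" ] || have='(missing)'
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$have" "$want"
    done
}

# count_deviations: number of lines audit_sysctl prints for the dump on stdin.
count_deviations() {
    audit_sysctl | awk 'END { print NR }'
}

# Audit the named file, or the constructed sample when run without arguments.
if [ $# -gt 0 ]; then
    audit_sysctl < "$1"
else
    printf '%s\n' "$SAMPLE_DUMP" | audit_sysctl
fi
```

Run against the sample it prints six lines (everything except ip_forward and accept_source_route, which already match); a zero-line result is the pass condition to check after `sysctl -p` on a real host.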
The file /etc/rc.conf is where to add the network card's configuration, using ifconfig(8) syntax:
  juriskr> cat /etc/rc.conf | grep ifconfig
  ifconfig_fxp0="inet 10.1.2.6 netmask 255.255.255.0"
  ifconfig_fxp0_alias0="inet 10.1.2.4 netmask 255.255.255.255"
  ifconfig_fxp0_alias1="inet 10.1.2.7 netmask 255.255.255.255"
  ifconfig_fxp0_alias2="inet 10.1.2.9 netmask 255.255.255.255"
  ifconfig_fxp0_alias3="inet 10.1.2.12 netmask 255.255.255.255"

Slide 17: Setting Up Network Interface Cards (FreeBSD): Virtual Hosts
A very common use of FreeBSD is virtual site hosting, where one server appears to the network as many servers. This is achieved by assigning multiple network addresses to a single interface. A given network interface has one real address, and may have any number of alias addresses. These aliases are normally added by placing alias entries in /etc/rc.conf. An alias entry for the interface fxp0 looks like:
  ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"
Note that alias entries must start with alias0 and proceed upwards in order (for example, _alias1, _alias2, and so on). The configuration process stops at the first missing number, so every alias after a gap is silently never configured; check the numbering (or the ifconfig output after boot) when a virtual host's address is unexpectedly unreachable.
  ifconfig_fxp0_alias0="inet 10.1.2.4 netmask 255.255.255.255"
  ifconfig_fxp0_alias1="inet 10.1.2.7 netmask 255.255.255.255"
  ifconfig_fxp0_alias2="inet 10.1.2.9 netmask 255.255.255.255"
  ifconfig_fxp0_alias3="inet 10.1.2.12 netmask 255.255.255.255"

Slide 18: Setting Up Network Interface Cards (FreeBSD): Testing and Troubleshooting
Testing the Ethernet card: to verify that an Ethernet card is configured correctly, you have to try two things. First, ping the interface itself, and then ping another machine on the LAN.
First test the local interface:
  juriskr> ping -c 3 10.1.2.6
  PING 10.1.2.6 (10.1.2.6): 56 data bytes
  64 bytes from 10.1.2.6: icmp_seq=0 ttl=64 time=0.054 ms
  64 bytes from 10.1.2.6: icmp_seq=1 ttl=64 time=0.050 ms
  64 bytes from 10.1.2.6: icmp_seq=2 ttl=64 time=0.066 ms
  --- 10.1.2.6 ping statistics ---
  3 packets transmitted, 3 packets received, 0% packet loss
  round-trip min/avg/max/stddev = 0.050/0.057/0.066/0.007 ms
Now ping another machine on the LAN:
  juriskr> ping 10.1.2.5
  PING 10.1.2.5 (10.1.2.5): 56 data bytes
  64 bytes from 10.1.2.5: icmp_seq=0 ttl=64 time=0.381 ms
  64 bytes from 10.1.2.5: icmp_seq=1 ttl=64 time=0.188 ms
  64 bytes from 10.1.2.5: icmp_seq=2 ttl=64 time=0.178 ms
  ^C
  --- 10.1.2.5 ping statistics ---
  3 packets transmitted, 3 packets received, 0% packet loss
  round-trip min/avg/max/stddev = 0.178/0.249/0.381/0.093 ms
You could also use the machine name instead of the IP address if you have set up the /etc/hosts file. Keep in mind that a target hardened as on Slide 10 (icmp_echo_ignore_all=1) will not answer the second ping even when its network setup is correct.

Slide 19: ifconfig output (RHEL)
  [juris@ns1 ~]$ ifconfig
  eth0      Link encap:Ethernet  HWaddr 00:0B:CD:41:F4:93
            inet addr:81.xxx.xxx.xxx  Bcast:81.xxx.xxx.xxx  Mask:255.255.255.224
            inet6 addr: fe80::20b:cdff:fe41:f493/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:473091457 errors:0 dropped:0 overruns:0 frame:0
            TX packets:488547237 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:3458689275 (3.2 GiB)  TX bytes:3985927941 (3.7 GiB)
            Interrupt:193
  eth0:1    Link encap:Ethernet  HWaddr 00:0B:CD:41:F4:93
            inet addr:10.xxx.xxx.xxx  Bcast:10.xxx.xxx.xxx  Mask:255.255.252.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            Interrupt:193
  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            inet6 addr: ::1/128 Scope:Host
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
            RX packets:6004400 errors:0 dropped:0 overruns:0 frame:0
            TX packets:6004400 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:645400309 (615.5 MiB)  TX bytes:645400309 (615.5 MiB)
  [juris@ns1 ~]$

Slide 20: Daemons
A daemon is a process that:
- runs in the background
- is not associated with any terminal: its output doesn't end up in another session, and terminal-generated signals (^C) aren't received

Slide 21: Unix and Daemons
Unix systems typically have many daemon processes. Most servers run as a daemon process.

Slide 22: Common Daemons
- Web server (httpd)
- Mail server (sendmail)
- SuperServer (inetd)
- System logging (syslogd)
- Print server (lpd)
- Router process (routed, gated)

Slide 23: Daemon Output
No terminal, so a daemon must use something else: the file system, or a central logging facility. Syslog is often used; it provides a central repository for system logging.

Slide 24: Syslog service
- The syslogd daemon provides system logging services to "clients"
- Simple API for "clients": a library provided by the O.S.

Slide 25: Sending a message to syslogd
Standard programming interface provided by the syslog() function:
  #include <syslog.h>
  void syslog(int priority, const char *message, ...);
Works like printf(). Because message is a format string, never pass text you do not control as that argument; log it as syslog(LOG_INFO, "%s", text) instead.

Slide 26: syslogd
Inputs:
- UDP socket, port 514 (messages from other hosts)
- Unix domain socket /dev/log (local processes)
- /dev/klog (kernel messages)
Outputs:
- Filesystem: /var/log/messages
- Remote syslogd
- Console
Messages arriving on UDP port 514 are neither authenticated nor acknowledged: anyone who can reach the port can forge log lines or fill the disk. Keep remote reception off (sysklogd enables it only with -r) except on a log collector whose port 514 is firewalled to the expected senders.

Slide 27: Syslog messages
Think of syslog as a server that accepts messages. Each message includes a number of fields, including a level indicating the importance (8 levels):
  LOG_EMERG    0  kernel panic
  LOG_ALERT    1  condition needing immediate attention
  LOG_CRIT     2  critical conditions
  LOG_ERR      3  errors
  LOG_WARNING  4  warning messages
  LOG_NOTICE   5  not an error, but may need attention
  LOG_INFO     6  informational messages
  LOG_DEBUG    7  when debugging a system

Slide 28: Syslog message fields (cont.)
- a facility that indicates the type of process that sent the message: LOG_MAIL, LOG_AUTH, LOG_USER, LOG_KERN, LOG_LPR, ...
- timestamp (added by syslogd)
- hostname, as from uname -n (added by syslogd)
- a text string
Slide 29: Logfile example
  Dec 27 02:45:00 moet.colorado.edu netinfod[71]: cannot lookup child
  Dec 27 02:50:00 bruno ftpd[27876]: open of pid file failed: not a directory
  Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
  Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
  Dec 27 02:55:33 bruno sendmail[28040]: host name/address mismatch: 192.93.110.26 != bull.bull..fr

Slide 30: C program: syslog using openlog and closelog
  /* c program: syslog using openlog and closelog */
  #include <syslog.h>

  int main(void)
  {
      openlog("SA-BOOK", LOG_PID, LOG_USER);   /* tag, options, default facility */
      syslog(LOG_WARNING, "Testing...");
      closelog();
      return 0;
  }
On the host, this code produces the following log entry:
  Dec 28 17:23:49 moet.colorado.edu SA-BOOK[84]: Testing...

Slide 31: Log files
- Log files are normally kept in /var/log (settings in /etc/syslog.conf; apply them with /etc/init.d/syslog restart)
- Read them: syslog logs the system and what is happening on it
- Logcheck is a handy utility which checks the contents of logs and mails anything unusual: http://www.psionic.com/abacus/logcheck/

Slide 32: rsyslog
- Replaces syslog in many newer Linux distros
- Configuration and old inputs backwards compatible with syslog
- Anonymization, encryption, signatures
- Speed
- Rate limiting
- New inputs: systemd
- New outputs: databases, compressed files

Slide 33: Back to daemons
To force a process to run in the background, just fork() and have the parent exit. There are a number of ways to disassociate a process from any controlling terminal; the usual one is to call fork() and then setsid() (and commonly fork() once more, so the daemon is no longer a session leader and cannot reacquire a controlling terminal).

Slide 34: Daemon initialization
- Daemons should close all unnecessary descriptors, often including stdin, stdout and stderr
- Get set up for using syslog: call openlog()
- Often change the working directory (typically to /, so the daemon does not keep a filesystem busy), or take the risk
- If started as root, drop to an unprivileged uid/gid before handling any input
Many POSIX-based operating systems provide a function called daemon() which performs some or all of the steps listed above. Unfortunately it has three significant drawbacks:
- It is not available on all systems.
- Its behaviour is not standardised (or necessarily well-documented).
- Its behaviour is more difficult to customise.

Slide 35: Too many daemons?
There can be many servers running as daemons, idle most of the time. Much of the startup code is the same for these servers. Most of the servers are asleep most of the time, but use up space in the process table.

Slide 36: Internet Daemon
- Daemon inetd, started at boot time
- Configuration file /etc/inetd.conf
- Fields: name (service name, mapped to a port via /etc/services), type, protocol, wait-status, uid, server, arguments
  # ftp    stream  tcp6  nowait  root  /usr/sbin/tcpd    in.ftpd
  telnet   stream  tcp6  nowait  root  /usr/sbin/tcpd    in.telnetd
  #
  # Mail is a useful thing...
  pop3     stream  tcp   nowait  root  /etc/mail/popper  popper -s
  imap     stream  tcp   nowait  root  /etc/mail/imapd   imapd

Slide 37
(no text on this slide)

Slide 38: Internet Daemon: when to modify inetd.conf
- Disable a service: add a # at the beginning of the entry, then send a hang-up to inetd so it re-reads the file: kill -HUP processid
- Enable a service
- Change the path
- Modify arguments

Slide 39: inetd
The SuperServer is named inetd. This single daemon creates multiple sockets and waits for (multiple) incoming requests. inetd typically uses select to watch multiple sockets for input. When a request arrives, inetd will fork and the child process handles the client.

Slide 40: inetd children
- The child process closes all unnecessary sockets.
- The child dup's the client socket to descriptors 0, 1 and 2 (stdin, stdout, stderr).
- The child exec's the real server program, which handles the request and exits.

Slide 41: Standard file descriptors
  fd  used for         default
  0   standard input   keyboard
  1   standard output  screen
  2   standard error   screen

Slide 42: inetd-based servers
Servers that are started by inetd assume that the socket holding the request is already established (descriptors 0, 1 or 2). TCP servers started by inetd don't call accept, so they must call getpeername if they need to know the address of the client.

Slide 43: /etc/inetd.conf
inetd reads a configuration file that lists all the services it should handle. inetd creates a socket for each listed service, and adds the socket to a fd_set given to select().

Slide 44: inetd service specification
For each service, inetd needs to know:
- the port number and transport protocol
- the wait/nowait flag
- the login name the process should run as
- the pathname of the real server program
- the command line arguments to the server program

Slide 45: example /etc/inetd.conf
  # comments start with #
  echo     stream  tcp  nowait  root    internal
  echo     dgram   udp  wait    root    internal
  chargen  stream  tcp  nowait  root    internal
  chargen  dgram   udp  wait    root    internal
  ftp      stream  tcp  nowait  root    /usr/sbin/ftpd       ftpd -l
  telnet   stream  tcp  nowait  root    /usr/sbin/telnetd    telnetd
  finger   stream  tcp  nowait  root    /usr/sbin/fingerd    fingerd
  # Authentication
  auth     stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
  # TFTP
  tftp     dgram   udp  wait    root    /usr/sbin/tftpd      tftpd -s /tftpboot

Slide 46: example /etc/services
  ftp      21/tcp   # File Transfer Protocol
  telnet   23/tcp   # Telnet
  smtp     25/tcp   # Simple Mail Transfer Protocol
  tftp     69/udp   # Trivial File Transfer Protocol
  www      80/tcp   # World Wide Web
  ntp     123/tcp   # Network Time Protocol
  ntp     123/udp   # Network Time Protocol

Slide 47: wait/nowait
Specifying wait means that inetd should not look for new clients for the service until the child (the real server) has terminated. TCP servers usually specify nowait: this means inetd can start multiple copies of the TCP server program, providing concurrency.

Slide 48: UDP & wait/nowait
Most UDP services run with inetd told to wait until the child server has died. Some UDP servers hang around for a while, handling multiple clients before exiting; inetd was told to wait, so it ignores the socket until the UDP server exits.

Slide 49: Super inetd
Some versions of inetd have built-in server code to handle simple services such as echo, daytime and chargen.

Slide 50: Servers
Servers that are expected to deal with frequent requests are typically not run from inetd: mail, web, NFS.
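The inetd.conf format of Slides 43 to 45, and the list of services Slide 55 says to block, lend themselves to an automated check. The script below is an added example, not from the slides: a POSIX sh function that reads an inetd.conf on stdin and prints each enabled entry that is on the block list, or that runs as root through a server other than tcpd (TCP Wrappers, Slide 53). The block list is the Slide 55 list plus chargen and tftp (editor's additions: chargen is a classic amplification source and tftpd serves files without authentication). The sample file is constructed from the Slide 45 and Slide 36 examples.

```shell
#!/bin/sh
# Added example: flag risky inetd.conf entries.
# Usage: sh audit_inetd.sh /etc/inetd.conf  (no argument: audit the sample below)

# Services Slide 55 says to block, plus chargen and tftp (editor's additions).
BLOCKLIST="finger rwho rsh rlogin rexec echo ntalk ftp telnet chargen tftp"

# Constructed sample: Slide 45 plus the mail entries of Slide 36, pop3 disabled.
SAMPLE_INETD='# comments start with #
echo stream tcp nowait root internal
echo dgram udp wait root internal
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
ftp stream tcp nowait root /usr/sbin/ftpd ftpd -l
telnet stream tcp nowait root /usr/sbin/telnetd telnetd
finger stream tcp nowait root /usr/sbin/fingerd fingerd
# Authentication
auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
# TFTP
tftp dgram udp wait root /usr/sbin/tftpd tftpd -s /tftpboot
#pop3 stream tcp nowait root /etc/mail/popper popper -s
imap stream tcp nowait root /etc/mail/imapd imapd'

# audit_inetd: read inetd.conf on stdin; print "service proto reason" for each
# enabled entry that is on the block list, or that runs as root without going
# through tcpd. Internal services have no executable to wrap, so they are only
# reported when they are on the block list.
audit_inetd() {
    awk -v list="$BLOCKLIST" '
        BEGIN { n = split(list, b, " "); for (i = 1; i <= n; i++) blocked[b[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }              # comment, blank or malformed line
        {
            svc = $1; proto = $3; user = $5; server = $6
            sub(/[.:].*/, "", user)                 # user.group or user:group -> user
            if (svc in blocked)
                printf "%s %s blocked-service\n", svc, proto
            else if (user == "root" && server != "internal" && server !~ /\/tcpd$/)
                printf "%s %s root-without-tcpd\n", svc, proto
        }'
}

# Audit the named file, or the constructed sample when run without arguments.
if [ $# -gt 0 ]; then
    audit_inetd < "$1"
else
    printf '%s\n' "$SAMPLE_INETD" | audit_inetd
fi
```

On the sample this prints nine lines: the eight echo, chargen, ftp, telnet, finger and tftp entries as blocked-service, and imap as root-without-tcpd; auth (runs as nobody) and the commented-out pop3 line are not reported. For xinetd the per-service files in /etc/xinetd.d need a different parser (disable = yes, user =, server =), but the same two questions apply.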
Many servers are written so that a command-line option can be used to run the server from inetd.

Slide 51: xinetd
Some versions of Unix provide a service very similar to inetd called xinetd. The configuration scheme is different; the basic idea (functionality) is the same.

Slide 52: example /etc/xinetd.conf and /etc/xinetd.d
  # typical xinetd.conf
  defaults
  {
      instances      = 60
      log_type       = SYSLOG daemon
      log_on_success = HOST PID
      log_on_failure = HOST
      cps            = 25 30
  }
  includedir /etc/xinetd.d

  root# ls /etc/xinetd.d
  chargen  chargen-udp  daytime-udp  echo  finger  ftp  shell  telnet  time-udp
  root# cat /etc/xinetd.d/telnet
  service telnet
  {
      disable      = yes
      socket_type  = stream
      wait         = no
      user         = root
      server       = /usr/libexec/telnetd
      groups       = yes
      flags        = REUSE
      access_times = 8:00-18:00
      only_from    = 128.138.12.0/24
  }

Slide 53: The Superservers
- Superservers listen on multiple network ports and start the appropriate service when a client connection arrives for that port.
- xinetd is a superserver gaining popularity: a revised version of inetd that creates a more secure environment (per-service access control, logging and rate limits, as in the example above).
- Shipped with Red Hat Linux; xinetd lately is the most widely used superserver.
- Application-level access control is provided via TCP Wrappers, the tcpd program (rules in /etc/hosts.allow and /etc/hosts.deny).

Slide 54: Managing Services
Network services: stand-alone vs inetd.
The inetd model (network super daemon):
- /etc/services: maps the name of the service to a port number, e.g. ulistserv 372/tcp ulistproc
- /etc/inetd.conf: main configuration file for inetd, e.g. ftp stream tcp nowait root /usr/sbin/tcpd proftpd
The xinetd model:
- Advanced replacement for inetd; more secure and flexible, with advanced access control mechanisms
- /etc/xinetd.conf: main configuration file for xinetd
- /etc/xinetd.d/: contains files for services managed by xinetd

Slide 55: Managing Services in inetd and xinetd
- For inetd: comment out the corresponding service in inetd.conf, then make inetd re-read it: # pkill -HUP inetd
- For xinetd: make changes in xinetd.conf and xinetd.d (access control mechanisms for services can be specified there), then # /etc/rc.d/init.d/xinetd restart
Typical services to be blocked: finger, rwho, rsh, rlogin, rexec, echo, ntalk, FTP, Telnet. Use ssh, scp, sftp instead.

Slide 56: Ports
There are 65535 ports available. Services tend to use

Masquerading
- Modem connections/DHCP: doesn't drop connections when the address changes
- Makes all packets from the internal network look like they come from the modem machine/DHCP address (the outgoing interface's address):
  echo 1 > /proc/sys/net/ipv4/ip_forward
  modprobe iptable_nat
  iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Once ip_forward is 1 the box forwards everything it receives, not only the masqueraded flows; pair the NAT rule with filter rules in the FORWARD chain (a DROP policy with explicit accepts for inside-to-outside and established traffic) so the outside cannot reach the internal network through it.

Slide 85: Configuring NAT with iptables
First example:
  iptables -t nat -A POSTROUTING -s 10.0.1.2 -j SNAT --to-source 128.143.71.21
Pooling of IP addresses:
  iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 128.128.71.0-128.143.71.30
ISP migration (replace the existing rule; -R needs the number of the rule being replaced, 1 here):
  iptables -t nat -R POSTROUTING 1 -s 10.0.1.0/24 -j SNAT --to-source 128.195.4.0-128.195.4.254
IP masquerading:
  iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth1 -j MASQUERADE
Load balancing:
  iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4

Slide 86: Configuring NAT in Linux
Linux uses the Netfilter/iptables package to add filtering and translation rules to the IP module.

Slide 87: Source NAT
Translate the source address:
  iptables -t nat -A POSTROUTING -o <interface> -j SNAT --to-source <ipaddr>[-<ipaddr>][:port-port]
  iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 10.252.49.231

Slide 88: Destination NAT
Translate the destination address:
  iptables -t nat -A PREROUTING -i <interface> -j DNAT --to-destination <ipaddr>[-<ipaddr>][:port-port]
  iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.252.49.77 --dport 80 -j DNAT --to-destination 10.252.49.231
  iptables -t nat -A PREROUTING -i eth0 -p tcp -d 10.252.49.77 --dport 80 -j REDIRECT
(REDIRECT is DNAT to the address of the interface the packet arrived on; add --to-ports to change the port as well.)

Slide 89: Load Balancing
- Source policy routing: make sure Person A, who pays the lower rate, gets routed over the house modem instead of the DSL
- Split access for multiple uplinks: packets coming in from ISP A go back out ISP A
- Load balancing: the default route becomes a multipath route, balancing over 2 providers
  iptables -t nat -A PREROUTING -i eth0 -d 10.252.49.231 -p tcp --dport 80 -j DNAT --to-destination 10.252.50.4-10.252.50.8

Slide 90, Slide 91
(figures without text)

Slide 92: Hacked WebServer

Slide 93: Queuing Disciplines
- First-In-First-Out (FIFO): no classes; fast, easy to implement
- Priority Queuing: all traffic in a high-priority class is sent before any in a lower-priority one
- Class-based Queuing (CBQ): a number of bytes is sent from each class before going to the next class

Slide 94: Unix Traffic Shaping
CBQ is configured through the Linux tc (traffic control) command. Other queuing disciplines besides CBQ are available: HTB, TBF, SFQ.

Slide 95: Link Sharing between CBQ Traffic Classes
(figure)

Slide 96: Link Sharing Goal
Over appropriate time intervals, each interior or leaf class should receive its allocated bandwidth (given sufficient demand).

Slide 97: CBQ (Class Based Queue)
  eth0 (TRIUMF side, 142.103.0.0/16, 10 Mbps) --- Linux Bwmgr --- eth3 (Internet side, 2 Mbps)
  UBC 142.90.0.0/16, 10 Mbps
If you want to control traffic in both directions, you must set up CBQ for both interfaces. Imagine you want to shape traffic from the Internet to TRIUMF to 10 Mbit and traffic in the opposite direction to 2 Mbit: you need to set up CBQ on both the eth0 and eth3 interfaces, thus you need two config files.

Slide 98: QoS: Outgoing Packets (Classless)
pfifo_fast: first in first out, 3 bands; packets in band 0 get handled, then band 1, etc.
Token Bucket Filter Rate does not exceed some limit, but bursting is possible with enough tokens Allows uploading without killing interactive sessions: tc qdisc add dev ppp0 root tbf rate 220kbit latency 50ms burst 1540 Stochastic Fairness Queueing less accurate but promotes fairness so no one conversation drowns out the others tc qdisc add dev ppp0 root sfq perturb 10 red - Random Early Detection simulates physical congestion by randomly dropping packets when nearing configured bandwidth allocation. Well suited to very large bandwidth applications. Slide 99 Bridging Linux 2.4 kernel (2.4.21) bridging support built into 2.4 kernels If you also want iptables support on the bridge must also install the ebtables-brnf patch for your kernel Bridge is configured using tools from bridge-utils brctl addbr br0; brctl addif br0 eth0; brctl addif br0 eth3 iplink set br0 up; ifconfig eth0 up ifconfig eth3 up ip addr add 142.103.66.4/24 brd + dev br0 Slide 100 Build the Bridge ifconfig eth0 0.0.0.0 up ifconfig eth1 0.0.0.0 up brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth1 No Spanning Tree Protocol: brctl stp br0 off Turn it on: ifconfig br0 0.0.0.0 up Or give the bridge an IP address and turn it on: ifconfig br0 10.252.49.231 netmask 255.255.255.0 up route add default gw 10.252.49.1 Slide 101 Networking Software Good free implementations for: DNS BIND v8/9, djbdns SMTP sendmail, qmail, postfix, exim POP/IMAP qpopper, uwimapd HTTP Apache, nginx PHP, mySQL If it was hard to develop, it should be hard to install! 
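The xinetd slides above say access control is specified per service but show no service file. This is an added example, not from the original deck, of the /etc/xinetd.d/ entry that would replace the inetd ftp line at the top of this section; the address ranges, time window and limits are placeholders. The more specific of only_from and no_access wins, so the no_access /24 is carved out of the only_from /16.

```conf
# /etc/xinetd.d/ftp  (added example; networks, hours and limits are placeholders)
service ftp
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/proftpd

    # access control: only the internal network, never the lab subnet, office hours only
    only_from       = 10.196.0.0/16
    no_access       = 10.196.5.0/24
    access_times    = 08:00-18:00

    # throttling: at most 20 servers at once, at most 4 per client address
    instances       = 20
    per_source      = 4

    # log every refused connection with the client, and every accepted one with its duration
    log_type        = SYSLOG daemon info
    log_on_failure  += USERID HOST
    log_on_success  += PID HOST DURATION

    disable         = no
}
```

After editing, restart xinetd as on slide 55 and confirm the refusal shows up in syslog by connecting from an address outside only_from.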
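The NAT, filtering and shaping slides above give the individual commands but not the order in which a gateway needs them, and NAT alone lets everything through. The script below is an added example, not from the original deck, that puts masquerading, one DNAT port forward, a default-deny FORWARD chain and a TBF qdisc on the uplink into functions; RUN=echo prints the rule set for review instead of applying it, which is also how a non-root reader can run it. Interface names, the internal network, the web server address and the shaped rate are assumptions.

```shell
#!/bin/sh
# gateway.sh - added example (not from the original deck): masquerading NAT,
# a DNAT port forward and TBF shaping, as on the NAT and shaping slides,
# wrapped in functions so the rule set can be reviewed with RUN=echo before
# it is applied as root. Interface names, addresses and the rate are assumptions.
RUN=${RUN:-}                       # RUN=echo prints the commands instead of running them
WAN=${WAN:-ppp0}                   # uplink with a dynamic address -> MASQUERADE
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-10.0.1.0/24}
WEB_SRV=${WEB_SRV:-10.0.1.2}       # internal web server reached through the gateway
UPLINK_RATE=${UPLINK_RATE:-220kbit}

gw_forwarding() {
    # a router forwards, a host must not: runtime equivalent of echo 1 > /proc/sys/net/ipv4/ip_forward
    $RUN sysctl -w net.ipv4.ip_forward=1
    $RUN modprobe iptable_nat
}

gw_nat() {
    # source NAT for everything leaving the uplink; MASQUERADE follows the interface address
    $RUN iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE
    # destination NAT: port 80 arriving on the uplink is handed to the internal server
    $RUN iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SRV:80"
}

gw_filter() {
    # NAT only rewrites addresses; the FORWARD chain decides what may cross at all
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $RUN iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # from outside only the DNATed service; FORWARD runs after PREROUTING, so match the internal address
    $RUN iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_SRV" --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -A FORWARD -j LOG --log-prefix "fwd-drop: "
}

gw_shape() {
    # token bucket on the uplink so bulk uploads do not swamp interactive sessions
    $RUN tc qdisc del dev "$WAN" root 2>/dev/null || true
    $RUN tc qdisc add dev "$WAN" root tbf rate "$UPLINK_RATE" latency 50ms burst 1540
}

gw_apply() {
    gw_forwarding && gw_nat && gw_filter && gw_shape
}

# review:  RUN=echo sh gateway.sh apply
# apply:   sh gateway.sh apply        (as root)
if [ "${1:-}" = apply ]; then
    gw_apply
fi
```

Review the echoed rule set before applying it; the LOG rule at the end of FORWARD is what tells you, in syslog, which traffic the default-deny policy is eating.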
Slide 102 Setting Up a Basic Name Server
Later versions of BIND use the configuration file /etc/named.conf
This file is divided into five sections: options, controls, three different zones and an include line, which pulls in the rndc key file
A zone is a part of the DNS domain tree for which the DNS server has authority to provide information
Zone information is contained in files referred to in named.conf

Slide 103 DNS
Using the DNS system
Before the Internet used DNS, name resolution relied on a hosts file copied to every machine. Its main disadvantage: the file, and the work of distributing every change to every host, grows with the number of hosts, which does not scale. That is the main reason the Internet moved to DNS. DNS also gives a distributed administrative model, so that administrative rights over parts of the name space can be delegated to other people.

Slide 104 DNS
You can imagine the DNS structure as a tree (diagram):
  "." (root)
    net
    com
    edu
    au
    ru                 the .ru domain
      msu
      wsu              the wsu.ru domain; host wsu.ru
        gw             host gw.wsu.ru
        gw1            host gw1.wsu.ru

Slide 105 DNS
DNS zones (diagram): the terraflora.com domain under .com (next to edu and gov) is split into two zones served by different servers: the terraflora.com zone (with www) and the delegated mfg.terraflora.com zone (with ntserver)

Slide 106 DNS
DNS requests:
- Required information for DNS requests
- Making DNS requests
- DNS request types:
  - Recursive requests: the server returns the final answer (or an error) and does the work of asking other servers
  - Iterative requests: the server returns the best referral it has and the requester continues on its own

Slide 107 DNS
(diagram: resolving crypt.iae.nsk.su)
1. ada.wsu.ru asks its name server ns.wsu.ru (212.16.195.98): IP(crypt.iae.nsk.su) = ?  (recursive request)
2. ns.wsu.ru asks the root servers: IP(crypt.iae.nsk.su) = ?  Referral: the authoritative server for nsk.su is ns.nsk.su
3. ns.wsu.ru asks ns.nsk.su: IP(crypt.iae.nsk.su) = ?  Referral: the authoritative server for iae.nsk.su is iaebox.iae.nsk.su
4. ns.wsu.ru asks iaebox.iae.nsk.su: IP(crypt.iae.nsk.su) = ?  Answer: IP(crypt.iae.nsk.su) = 193.124.169.58
5. ns.wsu.ru returns IP(crypt.iae.nsk.su) = 193.124.169.58 to ada.wsu.ru (and caches it)

Slide 108 DNS
DNS system planning factors
- Number of servers and system platforms
- Server types:
  - Primary server
  - Secondary servers
  - Cache servers
  - Forward servers
  - Stealth servers

Slide 109 DNS
- DNS database resource records (RR)
- DNS database RR forms and types
- Standard RR
- DNS database file structure
- The IN-ADDR.ARPA zone for reverse address-to-name translation

Slide 110 DNS RR format
(diagram: wire format, bit positions 0-15 per 16-bit row, RFC 1035)
  NAME      owner name (variable length)
  TYPE      RR type code (16 bits)
  CLASS     RR class code (16 bits)
  TTL       time to live in seconds (32 bits)
  RDLENGTH  length of RDATA in bytes (16 bits)
  RDATA     the record data; format depends on TYPE and CLASS

Slide 111 DNS
DNS RR types: A, NS, MX, MD, MF (MD and MF are obsolete), CNAME, SOA, WKS, SRV, TXT, PTR
DNS CLASS types: IN, CS, CH, HS

Slide 112 DNS
BIND server configuration statements
- acl: define an access control list in order to control access to server resources
- controls: define the control channel for the rndc control utility
- include: can be used to merge several configuration files into one
- key: key information used to check identity with TSIG
- logging: controls the logging options of the DNS server
- options: different DNS server options, used mainly for global server configuration
- server: configuration options for a particular remote server
- trusted-keys: used by DNSSEC to hold trusted keys
- view: define view options
- zone: define zone options

Slide 113 DNS
Split DNS example (internal clients see one copy of the zone and get recursion, everyone else sees the public copy and no recursion):
  view "internal" {
      match-clients { 10.0.0.0/8; };
      recursion yes;
      zone "example.com" {
          type master;
          file "example-internal.db";
      };
  };
  view "external" {
      match-clients { any; };
      recursion no;
      zone "example.com" {
          type master;
          file "example-external.db";
      };
  };

Slide 114 DNS
DNS configuration file example:
  logging {
      category lame-servers { null; };
  };
  options {
      directory "/var/named";
      allow-transfer { 195.13.160.52; 195.244.128.2; 10.196.5.130; };
      recursive-clients 2000;
      notify yes;
  };
  acl "internals" {
      127.0.0.1; 10.196.0.0/16; 10.1.72.0/24; 10.129.24.0/24; 10.130.24.0/24;
  };
  view "internal" {
      match-clients { "internals"; };
      recursion yes;
      zone "." IN { type hint; file "named.ca"; };
      zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; };
      zone "test.lv" { type master; file "test.lv.zone"; };
  };
  view "external" {
      match-clients { any; };
      recursion no;
      zone "." IN { type hint; file "named.ca"; };
      zone "test.lv" { type master; file "test.lv.public.zone"; };
  };

Slide 115 DNS
DNS server database file:
  $ORIGIN .
  $TTL 3600       ; 1 hour
  test.lv         IN SOA  ns1.test.lv. jurisk.test.lv. (
                          2006040301 ; serial
                          28800      ; refresh (8 hours)
                          1800       ; retry (30 minutes)
                          1209600    ; expire (2 weeks)
                          28800      ; minimum (8 hours)
                          )
                  NS      ns1.test.lv.
                  A       10.196.5.131
                  MX      10 eproxy.test.lv.
                  MX      20 eproxy1.test.lv.
                  MX      30 eproxy2.test.lv.
  $ORIGIN test.lv.
  router          A       10.196.5.1
  eproxy          A       10.196.5.187
  eproxy1         A       10.196.5.188
  eproxy2         A       10.196.5.189
  ns1             A       10.196.5.131
  mail            CNAME   ns1
  nais            A       10.196.2.11
  ;
  ; test WWW on Lattelekom servers
  ;
  www             A       81.198.40.10
  admin           A       81.198.40.10
  editor          A       81.198.40.10
  www             A       81.198.40.11
  tavro           A       81.198.40.10
  tekno           A       81.198.40.11
  $ORIGIN it.test.lv.
  router          A       10.196.5.1
  $ORIGIN test.lv.
  proxy2          A       10.196.5.8
  help            A       10.196.5.10
  ssiahq01        A       10.196.5.31
  nw1             A       10.196.5.58

Slide 116 DNS
Reverse DNS zone in in-addr.arpa:
  $ORIGIN .
  $TTL 3600       ; 1 hour
  5.196.10.in-addr.arpa IN SOA ns1.test.lv. root.ns1.test.lv. (
                          2006012401 ; serial
                          3600       ; refresh (1 hour)
                          300        ; retry (5 minutes)
                          3600000    ; expire (5 weeks 6 days 16 hours)
                          3600       ; minimum (1 hour)
                          )
                  NS      ns1.test.lv.
  $ORIGIN 5.196.10.in-addr.arpa.
  1               PTR     router.it.test.lv.
  7               PTR     instructor.it2.test.lv.
  8               PTR     proxy2.test.lv.
  10              PTR     help.test.lv.
  31              PTR     ssiahq01.test.lv.
  58              PTR     nw1.test.lv.
  60              PTR     sandbox.test.lv.
  77              PTR     rs6000f50.test.lv.
  119             PTR     risc6000f30.test.lv.
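The configuration on slide 114 authorises zone transfers by source address only. The fragment below is an added example, not from the original deck, of keying the transfer with TSIG (the key statement from slide 112), so that a request must be signed rather than merely arrive from the right address. The key name, the placeholder secret and the secondary's address are assumptions; generate a real secret with tsig-keygen and put the identical key statement on both servers.

```conf
// Primary (added example; key name and secret are placeholders)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";
};

options {
    directory "/var/named";
    // before: allow-transfer { 195.13.160.52; 195.244.128.2; 10.196.5.130; };
    // an address list only checks where the request comes from;
    // a key requires the AXFR request to carry a valid TSIG signature
    allow-transfer { key "xfer-key"; };
    notify yes;
};

// Secondary: same key statement as above, then sign everything sent to the primary
server 10.196.5.131 {
    keys { "xfer-key"; };
};

zone "test.lv" {
    type slave;
    masters { 10.196.5.131; };
    file "test.lv.zone";
};
```

Check it from the secondary with dig: "dig @10.196.5.131 test.lv AXFR" must now be refused, while the same query with "-k" and the key file succeeds.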
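Both zone files above carry a serial in the YYYYMMDDnn form; a secondary only transfers the zone when that serial is larger than the one it holds, so an edit that forgets to raise it silently never propagates. The script below is an added example, not from the original deck, that computes the next serial under that convention and rewrites it in place. It assumes the serial sits on a line ending in "; serial", as in the two examples, and treats any serial that is not ten digits as a plain counter.

```shell
#!/bin/sh
# bump_serial.sh - added example (not from the original deck): raise the SOA
# serial of a zone file before reloading it. Assumes the serial line ends in
# "; serial" as in the zone files on the slides.

# next_serial CURRENT TODAY(YYYYMMDD) -> new serial on stdout
next_serial() {
    cur=$1; today=$2
    case $cur in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;   # ten digits: date form
        *) echo $((cur + 1)); return ;;                            # anything else: plain counter
    esac
    curday=${cur%??}                      # strip the two-digit change counter
    if [ "$curday" -lt "$today" ]; then
        echo "${today}00"                 # first change today
    else
        # same day: nn+1. A serial ahead of the clock (hand edit, wrong clock)
        # is also just incremented; going backwards would stop transfers.
        echo $((cur + 1))
    fi
}

# bump_zone_serial FILE TODAY(YYYYMMDD) -> rewrites the first serial line, prints the new serial
bump_zone_serial() {
    file=$1; today=$2
    cur=$(awk '/; *serial/ { print $1; exit }' "$file")
    [ -n "$cur" ] || { echo "no serial line in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    awk -v old="$cur" -v new="$new" '
        !done && /; *serial/ { sub(old, new); done = 1 }   # only the first serial line
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# typical use after editing /var/named/test.lv.zone:
#   bump_zone_serial /var/named/test.lv.zone "$(date +%Y%m%d)"
#   named-checkzone test.lv /var/named/test.lv.zone && rndc reload test.lv
```

Run named-checkzone before rndc reload: a syntax error in the file leaves the old zone running on the primary but the bumped serial already announced in NOTIFY.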
Slide 117 Restart named
  $ sudo /sbin/service named restart
  Password:
  Stopping named:
  Starting named:                                          [ OK ]
  $ sudo tail /var/log/messages
  Jan 28 22:36:22 womnibook named[11333]: loading configuration from '/etc/named.conf'
  Jan 28 22:36:22 womnibook named[11333]: no IPv6 interfaces found
  Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface lo, 127.0.0.1#53
  Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface eth0, 192.168.1.74#53
  Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface eth1, 192.168.2.5#53
  Jan 28 22:36:22 womnibook named[11333]: command channel listening on 127.0.0.1#953
  Jan 28 22:36:22 womnibook named[11333]: zone johannes.org/IN: loaded serial 142
  Jan 28 22:36:22 womnibook named[11333]: running
  Jan 28 22:36:22 womnibook named[11333]: zone johannes.org/IN: sending notifies (serial 142)
  Jan 28 22:36:22 womnibook named: named startup succeeded
(The log is the place to confirm which interfaces named listens on and that every zone loaded with the serial you expect.)

Slide 118 DNS
Useful utilities: dig, host, nslookup, rndc, named-checkzone, named-checkconf

Slide 119 Using Command-line Utilities (screenshot)

Slide 120 Mailservers
                Maturity   Security   Features   Performance
  qmail         medium     high       high       high
  sendmail      high       low        high       low
  Postfix       medium     high       medium     high
  exim          medium     low        high       medium
  Courier       low        medium     high       medium
Source: Life with qmail, p. 5

Slide 121 Configuring a Basic Email Server
Sendmail is the most widely used email server
The sendmail package contains the sendmail daemon
Sendmail is started using a script in /etc/rc.d/init.d
Sendmail is configured using the file /etc/sendmail.cf
Most email administrators prefer to generate sendmail.cf from a much shorter .mc file with the m4 macro processor

Slide 122 Email basics
(diagram) Workstation MUA --SMTP--> Mail server MTA --> MDA --> email database; a second mail server MTA with its own email database; Workstation MUA <--POP3/IMAP-- mail server

Slide 123 Simplified Mail Transactions
(diagram: Mail User Agent -> Mail Transport Agent -> Mail Delivery Agent -> mbox -> Mail User Agent)
- The message is composed using an MUA
- The MUA gives the message to the MTA for delivery
- If local, the MTA gives it to the local MDA
- If remote, it is transferred to another MTA

Slide 124 Watching sendmail Work (screenshot)

Slide 126 Structure of qmail
(diagram) Incoming SMTP mail enters through qmail-smtpd, other incoming mail through qmail-inject; both hand the message to qmail-queue. qmail-send takes it from the queue and passes local deliveries to qmail-lspawn -> qmail-local and remote deliveries to qmail-rspawn -> qmail-remote.

Slide 127 Installation of qmail and qmail-pop3d
  tux:~# apt-get update
  tux:~# apt-get install qmail
  sh -c "start-stop-daemon --start --quiet --user root \
      --exec /usr/bin/tcpserver -- \
      0 pop-3 /usr/sbin/qmail-popup `hostname`.`dnsdomainname` \
      /usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir" &
(This is plain POP3 on port 110: checkpassword receives the user's password in clear text over the network, so restrict it to the local network or put it behind TLS.)

Slide 128 Configuration of qmail
Configuration is stored in /var/qmail/control/
Configure:
- Relaying
- Multiple host names
- Virtual domains
- Aliases
- qmail-users
- Blackhole lists
- Mailbox format

Slide 129 The qmail security guarantee
"In March 1997, I offered $500 to the first person to publish a verifiable security hole in the latest version of qmail: for example, a way for a user to exploit qmail to take over another account. My offer still stands. Nobody has found any security holes in qmail." D. J. Bernstein
On November 1, 2007, Bernstein raised the reward to US$1000.
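Slide 128 lists "Relaying" as the first thing to configure but does not show how. This is an added example, not from the original deck, of the mechanism Life with qmail describes for the tcpserver setup on slide 127: qmail-smtpd relays for a client only when RELAYCLIENT is set in its environment, and tcpserver sets it from a tcprules database keyed by client address. The file paths and the trusted networks are assumptions; the check function is there because the difference between a closed and an open relay is one catch-all rule.

```shell
#!/bin/sh
# relay_rules.sh - added example (not from the original deck): selective SMTP
# relaying for qmail-smtpd under tcpserver. Paths and networks are assumptions.

RULES=${RULES:-/etc/tcp.smtp}
CDB=${CDB:-/etc/tcp.smtp.cdb}

# Write the rules file. Clients matching a prefix with RELAYCLIENT="" may relay
# anywhere; the catch-all ":allow" lets everyone else connect, but without
# RELAYCLIENT qmail-smtpd only accepts recipients in the domains listed in
# /var/qmail/control/rcpthosts.
write_relay_rules() {
    cat > "$1" <<'EOF'
127.:allow,RELAYCLIENT=""
10.196.:allow,RELAYCLIENT=""
:allow
EOF
}

# Return 0 when the rules are safe, 1 when a rule with an empty address part
# (which matches every client) also grants RELAYCLIENT: that is an open relay.
relay_rules_are_safe() {
    if grep -q '^:allow.*RELAYCLIENT' "$1"; then
        echo "open relay: catch-all rule grants RELAYCLIENT in $1" >&2
        return 1
    fi
    return 0
}

# Compile the rules into the cdb that tcpserver -x reads. tcprules comes with
# ucspi-tcp; tcpserver consults the cdb on every connection, so no restart.
compile_relay_rules() {
    tcprules "$CDB" "$CDB.tmp" < "$RULES"
}

# Typical tcpserver line using the database (qmaild user and paths are typical, not from the slides):
#   tcpserver -x /etc/tcp.smtp.cdb -u qmaild -g nofiles 0 smtp /usr/sbin/qmail-smtpd &
if [ "${1:-}" = apply ]; then
    write_relay_rules "$RULES" && relay_rules_are_safe "$RULES" && compile_relay_rules
fi
```

Verify from an untrusted address with a manual SMTP session: "RCPT TO" for a domain not in rcpthosts must get a 553 refusal; from a trusted address the same recipient is accepted.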
Slide 130 Principles, sendmail vs qmail
Do as little as possible in setuid programs
- Of 20 recent sendmail security holes, 11 worked only because the entire sendmail system is setuid
- Only qmail-queue is setuid; its only function is to add a new message to the queue
Do as little as possible as root
- The entire sendmail system runs as root, so operating system protection has no effect
- Only qmail-start and qmail-lspawn run as root

Slide 131 Principles, sendmail vs qmail
Programs and files are not addresses
- sendmail treats programs and files as addresses. "sendmail goes through horrendous contortions trying to keep track of whether a local user was responsible for an address. This has proven to be an unmitigated disaster" (DJB)
- In qmail, programs and files are not addresses. The local delivery agent, qmail-local, can run programs or write to files as directed by ~user/.qmail, but it is always running as that user.
- Security impact: ".qmail, like .cshrc and .exrc and various other files, means that anyone who can write arbitrary files as a user can execute arbitrary programs as that user. That's it." (DJB)

Slide 132 Keep it simple
Parsing
- Limited parsing of strings
- Minimizes the risk of security holes from configuration errors
Libraries
- Avoid the standard C library, stdio
- "Write bug-free code" (DJB)

Slide 133 Webmail system (SquirrelMail)
(diagram) Workstation with a browser -> Web server running the webmail client (SquirrelMail), which acts as the MUA -> Mail server with the MTA and the email database

Slide 137 Apache
- What is Apache?
- Apache's functionality
- Installing Apache
- Directory structure
- Configuration tools

Slide 138 Outline
- Apache
- Dynamic content
- CGI
- PHP
- MySQL

Slide 139 If you request an HTML file
(diagram: browser sends the request to the web server, which returns the HTML; four steps)

Slide 140 Web server
A web server is a software program that does the following:
- Accepts requests for web pages from a browser
- Looks for the requested pages on the server's hard drive
- Sends a copy of the requested web page to the browser
On its own, a web server only serves files as they are (HTML, images such as JPEG/GIF and any other static file); anything generated per request needs a script engine, see Dynamic content below.
In our case, we use a very popular web server called Apache.

Slide 141 Apache
- open source
- very popular (more than 67% of the web sites at the time of these slides)
- highly configurable and extensible with third-party modules
- runs on many operating systems (most of the Unix family)
- is actively being developed

Slide 142 Apache functionality
- DBM databases for authentication
- customized responses to errors and problems
- unlimited, flexible URL rewriting and aliasing
- virtual hosts
- configurable, reliable piped logs

Slide 143 Apache modules (1)
- mod_access: access control based on client hostname or IP address
- mod_alias: mapping different parts of the host filesystem into the document tree, and URL redirection
- mod_auth: user authentication using text files
- mod_autoindex: automatic directory listings
- mod_cgi: invoking CGI scripts

Slide 144 Apache modules (2)
- mod_include: server-parsed documents
- mod_mime: determining document types using file extensions
- mod_proxy: caching proxy abilities
- mod_rewrite: powerful URI-to-filename mapping using regular expressions
- mod_usertrack: user tracking using cookies
- mod_vhost_alias: support for dynamically configured mass virtual hosting

Slide 145 Apache modules (3)
mod_ssl: this module provides strong cryptography for the Apache 1.3 web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols with the help of the open source SSL/TLS toolkit OpenSSL.
- Requires Apache 1.3.x and OpenSSL 0.9.x
- Private and public keys
- Certificate authorities: Thawte (www.thawte.com), Verisign (www.verisign.com)

Slide 146 Installing Apache
- Unix binary package: RPM, DEB
- Source
- Windows (MSI installer)

Slide 147 Installing Apache
  $ ./configure --prefix=/usr/local/apache
  $ make
  $ make install
  $ /usr/local/apache/bin/apachectl start

Slide 148 Installing Apache
  ./configure --help
  --show-layout                    show the GNU-style directory layout
  --with-layout=GNU                use the GNU-style directory layout
  --enable-suexec                  enable suEXEC support for CGI and SSI (run scripts as the site's user, not as the server user)
  --add-module=/path/to/mod_foo.c  compiles, installs and adds the module as a Dynamic Shared Object

Slide 149 Testing Apache installation
  arnis@perkons:~$ ps aux | grep apache
  root       289  0.0  0.2  8400  2564 ?  Ss  Nov15  0:02 /usr/local/apache/bin/httpd
  root       307  0.0  0.1  8764  1480 ?  Ss  Nov15  0:00 /usr/local/apache-ssl/bin/httpd -DSSL
  apache-    315  0.0  0.1 14768  1580 ?  S   Nov15  0:27 /usr/local/apache-ssl/bin/httpd -DSSL
  apache-  13822  0.0  0.2 15224  2644 ?  S   Nov15  0:26 /usr/local/apache-ssl/bin/httpd -DSSL
  apache   11290  0.0  0.3 16856  3112 ?  S   Nov17  0:31 /usr/local/apache/bin/httpd
  apache     498  0.2  0.8 12596  8484 ?  S   Nov18  8:54 /usr/local/apache/bin/httpd
  ....
(Only the parent process should run as root, to bind port 80/443; the children that handle requests run as the unprivileged User/Group from httpd.conf.)
Slide 150 Testing Apache installation (screenshot)

Slide 151 Apache directory layout: Debian
- /etc/init.d/apache : Apache control script
- /etc/apache : Apache configuration files
- /var/www : default DocumentRoot
- /usr/lib/cgi-bin : default script directory

Slide 152 Apache directory layout (2)
- /var/log/apache : log files (access.log, error.log)
- /usr/sbin : rotatelogs, ab (Apache Benchmark)
- /usr/bin : htpasswd, htdigest, dbmmanage
- /usr/lib/apache/1.3 : Apache modules
- /usr/lib/apache/suexec

Slide 153 Apache directory layout (3): Slackware
- /usr/local/apache
- /usr/local/apache/conf
- /usr/local/apache/htdocs
- /usr/local/apache/cgi-bin
- /var/log/apache
- /usr/local/apache/bin

Slide 154 Apache access log
  LogFormat "%v %h %l %u %t \"%r\" %>s %b" common
  CustomLog /usr/local/apache/logs/access_log common
- %v  virtual host
- %h  remote host
- %l  remote logname (from identd; almost always "-")
- %u  user (from HTTP authentication)
- %t  time
- %r  HTTP request line
- %>s status code
- %b  size
Sample line:
  www.atlants.lv 159.148.85.46 - - [21/Nov/2004:17:23:36 +0200] "GET /index.php?m=5 HTTP/1.1" 200 32257

Slide 155 Apache error log
  ErrorLog /usr/local/apache/logs/error_log
  LogLevel warn
  [Sun Nov 21 09:13:42 2004] [error] PHP Fatal error: Call to undefined function PN_DBMsgError() in /home/msaule/public_html/referer.php on line 85
  [Sun Nov 21 12:41:09 2004] [error] [client 81.198.145.117] File does not exist: /home/sms/public_html/favicon.ico
  [Sun Nov 21 13:02:50 2004] [error] [client 66.249.66.173] File does not exist: /home/code/public_html/robots.txt
  [Sun Nov 21 13:08:26 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/_vti_bin/owssvr.dll
  [Sun Nov 21 13:08:26 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/MSOffice/cltreq.asp
  [Sun Nov 21 13:09:07 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/_vti_bin/owssvr.dll
  [Sun Nov 21 13:09:07 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/MSOffice/cltreq.asp
(The _vti_bin/owssvr.dll and MSOffice/cltreq.asp requests are automated probes for Microsoft FrontPage/Office server extensions; on a Unix server they are harmless, but a client repeating them is scanning, not browsing.)

Slide 156 Apache configuration
- Edit httpd.conf
- Check the configuration: apachectl configtest
- Restart Apache
- Check the changes
- http://httpd.apache.org/docs/

Slide 157 Apache configuration: virtual host
  <VirtualHost *>
      ServerName www.jrt.lv
      ServerAlias www.jrt.com
      CustomLog /usr/local/apache/logs/jrt_access_log common
      ErrorLog /usr/local/apache/logs/jrt_error_log
      DocumentRoot /home/jrt/public_html
  </VirtualHost>

Slide 158 Apache configuration: .htaccess
  AuthType Basic
  AuthUserFile /home/someuser/passwd
  AuthName "Admin"
  require valid-user
The password file is created with htpasswd (-c creates the file; keep it outside DocumentRoot):
  htpasswd -c /home/someuser/passwd user1
Resulting file:
  user1:Y90u499mUj6xE
  user2:DOrWgcNwzaQUQ
(These 13-character hashes are traditional crypt(3): passwords are truncated to 8 characters and are cheap to brute-force; htpasswd -m uses MD5 instead. Basic auth itself sends the password base64-encoded with every request, so use it only over SSL.)

Slide 163 Apache2
- Unix threading
- New build system
- Multiprotocol support
- New Apache API
- IPv6 support
- Filtering
- Multilanguage error responses
- Regular expression library updated

Slide 164 Dynamic content
(diagram: browser -> web server -> script engine (PHP, Perl, ...) processing HTML and scripts -> web server -> browser; six steps)

Slide 165 Dynamic content
- Scripting engine
- CGI
- PHP
- Apache module vs. CGI

Slide 166 Dynamic content
Apache only sends content to the user. What if I need some resources or information from the server?
- Send e-mail
- Store some information in a file (guestbook)
- Execute Unix applications
- And much more...
We need a programming language.

Slide 167 Dynamic content
A script engine is a software program that does the following:
- Accepts scripts passed along from the web server that are of the non-HTML type
- Processes these scripts
- Returns the result of this processing to the web server

Slide 168 Dynamic content
Two ways to serve dynamic content:
- CGI
- Apache module
Many programming languages to use: PHP, Perl, Python, C, C++, shell scripts...

Slide 169 Common Gateway Interface (CGI)
A standard for running external programs from a World-Wide Web HTTP server. CGI specifies how to pass arguments to the executing program as part of the HTTP request. It also defines a set of environment variables. Commonly, the program will generate some HTML which will be passed back to the browser, but it can also request URL redirection.

Slide 170 CGI example: shell script
  #!/bin/bash
  echo "Content-type: text/plain"
  echo ""
  echo "Hello world!"
  echo "Today is:" `date`

Slide 171 CGI example (2): Perl script
  #!/usr/bin/perl
  print "Content-type: text/plain\n\n";
  print "Hello world!\n";
  print "Today is: " . localtime() . "\n";

Slide 172 Apache modules
- mod_perl brings together the full power of the Perl programming language and the Apache HTTP server. You can use Perl to manage Apache, respond to requests for web pages and much more.
- mod_php: PHP is a widely-used general-purpose scripting language that is especially suited for web development and can be embedded into HTML
- mod_python, OpenASP module, ...

Slide 173 PHP
- What is PHP?
- Installing PHP
- Configuring PHP

Slide 174 PHP: Hypertext Preprocessor (PHP)
Example (slide content not recovered)

Slide 175 PHP
Pros
- easy to learn
- ideal for small projects
- widely used
- no strong typing
Cons
- no strong typing
- code maintenance
- interpreted language
- executes in the web server process (a bug in a script, or in PHP itself, runs with the web server's privileges)

Slide 176 Installing PHP
- Server-side scripting
- Command line scripting
- Client-side GUI applications

Slide 177 Installing PHP: Gentoo
  # emerge \

Slide 178 Installing PHP: source installation
Install PHP:
  ./configure --with-mysql --with-apxs=/www/bin/apxs
  make
  make install
  cp php.ini-dist /usr/local/lib/php.ini
Edit your httpd.conf to load the PHP module:
  LoadModule php4_module libexec/libphp4.so
  AddModule mod_php4.c
  AddType application/x-httpd-php .php .phtml
Restart Apache

Slide 179 PHP Configuration
php.ini is read once, at web server startup
  ; any text on a line after an unquoted semicolon (;) is ignored
  [php] ; section markers (text within square brackets) are also ignored
  ; Boolean values can be set to either:
  ;   true, on, yes
  ; or false, off, no, none
  register_globals = off
  track_errors = yes
  ; you can enclose strings in double-quotes
  include_path = ".:/usr/local/lib/php"
(Keep register_globals off: with it on, every request parameter becomes a PHP variable and can pre-set variables the script never meant to take from the client.)

Slide 180 PHP Configuration
php.ini directives
  max_execution_time = 30   ; maximum execution time of each script, in seconds
  max_input_time = 60       ; maximum amount of time each script may spend parsing request data
  memory_limit = 8M         ; maximum amount of memory a script may consume (8 MB)
  ; show all errors except for notices and coding standards warnings
  error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT
  display_errors = Off      ; errors go to the log, not to the visitor
  log_errors = On
  error_log = filename

Slide 181 PHP Configuration
Per-site settings in the Apache configuration file:
  <VirtualHost *>
      DocumentRoot /home/someuser/public_html
      ServerName www.somesite.lv
      php_admin_value open_basedir /home/someuser/:/tmp/:/usr/share/pear/
      php_value auto_prepend_file /home/someuser/includes/default.inc
      php_value upload_max_filesize 10M
  </VirtualHost>
(php_admin_value settings cannot be overridden from .htaccess or ini_set(); php_value settings can. open_basedir limits the files a script of this site can open to the listed trees.)

Slide 182
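Slides 157, 158 and 181 each show one piece of a site's configuration: the virtual host, the .htaccess authentication and the per-site PHP limits. The fragment below is an added example, not from the original deck, that puts the three together in one Apache 1.3 virtual host with the settings a practitioner would add around them; hostnames, paths and the PHP limits are placeholders. Apache does not allow comments after a directive on the same line, so every comment is on its own line.

```apache
# httpd.conf fragment (added example; names and paths are placeholders)

# no Apache version in the Server header or in error pages
ServerTokens Prod
ServerSignature Off

<VirtualHost *>
    ServerName   www.jrt.lv
    ServerAlias  www.jrt.com
    DocumentRoot /home/jrt/public_html
    CustomLog    /usr/local/apache/logs/jrt_access_log common
    ErrorLog     /usr/local/apache/logs/jrt_error_log

    # PHP confined to this site's tree; php_admin_* cannot be changed from .htaccess or ini_set()
    php_admin_value open_basedir /home/jrt/:/tmp/:/usr/share/pear/
    php_admin_flag  register_globals off
    php_admin_flag  display_errors off
    php_admin_value upload_max_filesize 2M

    <Directory /home/jrt/public_html>
        # no directory listings, no CGI or server-side includes from the document tree
        Options -Indexes -ExecCGI -Includes
        # .htaccess files may add authentication and nothing else
        AllowOverride AuthConfig
        Order allow,deny
        Allow from all
    </Directory>

    # the admin area: Basic auth with the password file outside DocumentRoot
    <Directory /home/jrt/public_html/admin>
        AuthType Basic
        AuthName "Admin"
        AuthUserFile /home/jrt/passwd
        require valid-user
    </Directory>

    # never serve .ht* files, password files or editor backups that end up under DocumentRoot
    <FilesMatch "(^\.ht|passwd$|~$)">
        Order allow,deny
        Deny from all
    </FilesMatch>
</VirtualHost>
```

Check with apachectl configtest before restarting, as on slide 156, and remember that Basic authentication is only as private as the connection: the admin block belongs on the apache-ssl instance visible in the ps output of slide 149, not on the plain-HTTP host.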
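The error log on slide 155 shows one client repeating FrontPage probes, but nothing on the slides turns that into a check that can run over the access log from slide 154. The script below is an added example, not from the original deck: it reads lines in the "%v %h %l %u %t \"%r\" %>s %b" format, lists clients with many 404s and, separately, clients that touched well-known probe paths. The sample log is constructed from the addresses and paths that appear on slides 154 and 155; the probe path list and the threshold are assumptions. The field positions assume the request line has the usual three words; a "-" request line from a malformed request shifts the fields and is not handled.

```shell
#!/bin/sh
# scan_404s.sh - added example (not from the original deck): find clients that
# scan for files that do not exist, from an Apache access log in the
# "%v %h %l %u %t \"%r\" %>s %b" format of slide 154.

# suspicious_clients LOG THRESHOLD -> one line per client with >= THRESHOLD 404s:
# "client count first-missing-path", sorted by client
suspicious_clients() {
    awk -v thr="$2" '
        # fields: $1 vhost, $2 client, $3 ident, $4 user, $5-$6 time,
        # $7 "method, $8 path, $9 protocol", $10 status, $11 bytes
        $10 == 404 { n[$2]++; if (!($2 in first)) first[$2] = $8 }
        END { for (c in n) if (n[c] >= thr) printf "%s %d %s\n", c, n[c], first[c] }
    ' "$1" | sort
}

# probe_hits LOG -> clients that requested known probe paths, whatever the status
probe_hits() {
    awk '$8 ~ /_vti_bin|MSOffice|\/cgi-bin\/phf|\/phpMyAdmin/ { print $2 }' "$1" | sort -u
}

# write_sample_log FILE: constructed log for a dry run (addresses and paths from slides 154/155)
write_sample_log() {
    cat > "$1" <<'EOF'
www.atlants.lv 159.148.85.46 - - [21/Nov/2004:17:23:36 +0200] "GET /index.php?m=5 HTTP/1.1" 200 32257
www.atlants.lv 66.249.66.173 - - [21/Nov/2004:13:02:50 +0200] "GET /robots.txt HTTP/1.1" 404 281
www.atlants.lv 81.198.176.114 - - [21/Nov/2004:13:08:26 +0200] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 291
www.atlants.lv 81.198.176.114 - - [21/Nov/2004:13:08:26 +0200] "GET /MSOffice/cltreq.asp HTTP/1.1" 404 291
www.atlants.lv 81.198.176.114 - - [21/Nov/2004:13:09:07 +0200] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 291
www.atlants.lv 81.198.176.114 - - [21/Nov/2004:13:09:07 +0200] "GET /MSOffice/cltreq.asp HTTP/1.1" 404 291
EOF
}

# dry run:  sh scan_404s.sh demo
# real log: suspicious_clients /usr/local/apache/logs/access_log 20
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    write_sample_log "$tmp"
    echo "clients with >= 3 missing files:"; suspicious_clients "$tmp" 3
    echo "clients hitting probe paths:";      probe_hits "$tmp"
    rm -f "$tmp"
fi
```

On the sample the search engine crawler asking for robots.txt once stays below the threshold while the FrontPage prober is reported with its four misses. On a real log, feed only the current day's slice, or the counts from months of crawler traffic will swamp the signal.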