Unix Server Tools

Guntis Barzdins, Girts Folkmanis, Juris Krūmiņš, Artūrs Lavrenovs

Posted 31 Dec 2015 (PowerPoint presentation transcript)

Page 1: Unix Server Tools

Unix Server Tools

Guntis Barzdins, Girts Folkmanis, Juris Krūmiņš, Artūrs Lavrenovs

Page 2: Unix Server Tools

Unix Server Tools

IP connectivity, routing
Daemons
Syslog
Inetd etc.
Cron
Security

Page 3: Unix Server Tools

Networking Software

Good free implementations for:

DNS: BIND v8/9, djbdns
SMTP: sendmail, qmail, postfix, exim
POP/IMAP: qpopper, uwimapd, dovecot
HTTP: Apache, nginx; PHP, MySQL

"If it was hard to develop, it should be hard to install!"

Page 4: Unix Server Tools

Two IP processing modes: host or router. In host mode (ip_forward = 0) the kernel drops packets that are not addressed to one of its own interfaces; in router mode (ip_forward = 1) it forwards them according to the routing table. Leave it at 0 on a server that is not meant to route.

Manual change:

# more /proc/sys/net/ipv4/ip_forward
0
# echo 1 > /proc/sys/net/ipv4/ip_forward
# more /proc/sys/net/ipv4/ip_forward
1
#

Use of sysctl (read or modify kernel parameters under /proc/sys/ at runtime):

# /sbin/sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
# /sbin/sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0

Record changes in /etc/sysctl.conf to have them applied again after a reboot; changes made with sysctl -w or by writing to /proc are lost otherwise.

Page 5: Unix Server Tools

unix sbin # sysctl -a
abi.fake_utsname = 0
abi.trace = 0
abi.defhandler_libcso = 68157441
abi.defhandler_lcall7 = 68157441
abi.defhandler_elf = 0
abi.defhandler_coff = 117440515
dev.rtc.max-user-freq = 64
net.unix.max_dgram_qlen = 10
net.ipv4.ip_conntrack_max = 8184
net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
net.ipv4.netfilter.ip_conntrack_buckets = 1023
net.ipv4.netfilter.ip_conntrack_max = 8184
net.ipv4.conf.eth0.force_igmp_version = 0
net.ipv4.conf.eth0.arp_ignore = 0
net.ipv4.conf.eth0.arp_announce = 0
net.ipv4.conf.eth0.arp_filter = 0
net.ipv4.conf.eth0.tag = 0
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth0.bootp_relay = 0
net.ipv4.conf.eth0.medium_id = 0
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.accept_source_route = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth0.shared_media = 1
net.ipv4.conf.eth0.secure_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.lo.force_igmp_version = 0
net.ipv4.conf.lo.arp_ignore = 0
net.ipv4.conf.lo.arp_announce = 0
net.ipv4.conf.lo.arp_filter = 0
net.ipv4.conf.lo.tag = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.bootp_relay = 0
net.ipv4.conf.lo.medium_id = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.accept_source_route = 1
net.ipv4.conf.lo.send_redirects = 1
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.lo.shared_media = 1
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.conf.lo.accept_redirects = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 0
net.ipv4.conf.default.force_igmp_version = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.tag = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.default.medium_id = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.shared_media = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.all.force_igmp_version = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.tag = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.medium_id = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.shared_media = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.neigh.eth0.locktime = 100
net.ipv4.neigh.eth0.proxy_delay = 80
net.ipv4.neigh.eth0.anycast_delay = 100
net.ipv4.neigh.eth0.proxy_qlen = 64
net.ipv4.neigh.eth0.unres_qlen = 3
net.ipv4.neigh.eth0.gc_stale_time = 60
net.ipv4.neigh.eth0.delay_first_probe_time = 5
net.ipv4.neigh.eth0.base_reachable_time = 30
net.ipv4.neigh.eth0.retrans_time = 100
net.ipv4.neigh.eth0.app_solicit = 0
net.ipv4.neigh.eth0.ucast_solicit = 3
net.ipv4.neigh.eth0.mcast_solicit = 3
net.ipv4.neigh.lo.locktime = 100
net.ipv4.neigh.lo.proxy_delay = 80
net.ipv4.neigh.lo.anycast_delay = 100
net.ipv4.neigh.lo.proxy_qlen = 64
net.ipv4.neigh.lo.unres_qlen = 3
net.ipv4.neigh.lo.gc_stale_time = 60
net.ipv4.neigh.lo.delay_first_probe_time = 5
net.ipv4.neigh.lo.base_reachable_time = 30
net.ipv4.neigh.lo.retrans_time = 100
net.ipv4.neigh.lo.app_solicit = 0
net.ipv4.neigh.lo.ucast_solicit = 3
net.ipv4.neigh.lo.mcast_solicit = 3
net.ipv4.neigh.default.gc_thresh3 = 1024
net.ipv4.neigh.default.gc_thresh2 = 512
net.ipv4.neigh.default.gc_thresh1 = 128
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.locktime = 100
net.ipv4.neigh.default.proxy_delay = 80
net.ipv4.neigh.default.anycast_delay = 100
net.ipv4.neigh.default.proxy_qlen = 64
net.ipv4.neigh.default.unres_qlen = 3
net.ipv4.neigh.default.gc_stale_time = 60
net.ipv4.neigh.default.delay_first_probe_time = 5
net.ipv4.neigh.default.base_reachable_time = 30
net.ipv4.neigh.default.retrans_time = 100
net.ipv4.neigh.default.app_solicit = 0
net.ipv4.neigh.default.ucast_solicit = 3
net.ipv4.neigh.default.mcast_solicit = 3
net.ipv4.tcp_westwood = 0
net.ipv4.ipfrag_secret_interval = 600
net.ipv4.tcp_low_latency = 0
net.ipv4.tcp_frto = 0
net.ipv4.tcp_tw_reuse = 0
net.ipv4.icmp_ratemask = 6168
net.ipv4.icmp_ratelimit = 100
net.ipv4.tcp_adv_win_scale = 2
net.ipv4.tcp_app_win = 31
net.ipv4.tcp_rmem = 4096 87380 174760
net.ipv4.tcp_wmem = 4096 16384 131072
net.ipv4.tcp_mem = 23552 24064 24576
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_fack = 1
net.ipv4.tcp_orphan_retries = 0
net.ipv4.inet_peer_gc_maxtime = 120
net.ipv4.inet_peer_gc_mintime = 10
net.ipv4.inet_peer_maxttl = 600
net.ipv4.inet_peer_minttl = 120
net.ipv4.inet_peer_threshold = 65664
net.ipv4.igmp_max_msf = 10
net.ipv4.route.secret_interval = 600
net.ipv4.route.min_adv_mss = 256
net.ipv4.route.min_pmtu = 552
net.ipv4.route.mtu_expires = 600
net.ipv4.route.gc_elasticity = 8
net.ipv4.route.error_burst = 500
net.ipv4.route.error_cost = 100
net.ipv4.route.redirect_silence = 2048
net.ipv4.route.redirect_number = 9
net.ipv4.route.redirect_load = 2
net.ipv4.route.gc_interval = 60
net.ipv4.route.gc_timeout = 300
net.ipv4.route.gc_min_interval = 0
net.ipv4.route.max_size = 8192
net.ipv4.route.gc_thresh = 512
net.ipv4.route.max_delay = 10
net.ipv4.route.min_delay = 2
net.ipv4.icmp_ignore_bogus_error_responses = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.ip_local_port_range = 1024 4999
net.ipv4.tcp_max_syn_backlog = 256
net.ipv4.tcp_rfc1337 = 0
net.ipv4.tcp_stdurg = 0
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_fin_timeout = 60
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.ipfrag_time = 30
net.ipv4.ip_dynaddr = 0
net.ipv4.ipfrag_low_thresh = 196608
net.ipv4.ipfrag_high_thresh = 262144
net.ipv4.tcp_max_tw_buckets = 16384
net.ipv4.tcp_max_orphans = 8192
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
net.ipv4.ip_nonlocal_bind = 0
net.ipv4.ip_no_pmtu_disc = 0
net.ipv4.ip_autoconfig = 0
net.ipv4.ip_default_ttl = 64
net.ipv4.ip_forward = 0
net.ipv4.tcp_retrans_collapse = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_timestamps = 1
net.core.somaxconn = 128
net.core.hot_list_length = 128
net.core.optmem_max = 10240
net.core.message_burst = 50
net.core.message_cost = 5
net.core.mod_cong = 290
net.core.lo_cong = 100
net.core.no_cong = 20
net.core.no_cong_thresh = 10
net.core.netdev_max_backlog = 300
net.core.dev_weight = 64
net.core.rmem_default = 106496
net.core.wmem_default = 106496
net.core.rmem_max = 106496
net.core.wmem_max = 106496
vm.block_dump = 0
vm.laptop_mode = 0
vm.max_map_count = 65536
vm.max-readahead = 31
vm.min-readahead = 3
vm.page-cluster = 3
vm.pagetable_cache = 25 50
vm.kswapd = 512 32 8
vm.overcommit_memory = 0
vm.bdflush = 50 500 0 0 500 3000 60 20 0
vm.vm_passes = 60
vm.vm_lru_balance_ratio = 2
vm.vm_mapped_ratio = 100
vm.vm_cache_scan_ratio = 6
vm.vm_vfs_scan_ratio = 6
vm.vm_gfp_debug = 0
kernel.lowlatency = 0
kernel.overflowgid = 65534
kernel.overflowuid = 65534
kernel.random.uuid = 5784cebf-b4c1-4e2d-b60c-c8ed66b10136
kernel.random.boot_id = 65fcbb7e-b4c3-452f-8d98-dc7ac3d67ea6
kernel.random.write_wakeup_threshold = 128
kernel.random.read_wakeup_threshold = 8
kernel.random.entropy_avail = 772
kernel.random.poolsize = 512
kernel.threads-max = 2047
kernel.cad_pid = 1
kernel.sysrq = 1
kernel.sem = 250 32000 32 128
kernel.msgmnb = 16384
kernel.msgmni = 16
kernel.msgmax = 8192
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.shmmax = 33554432
kernel.rtsig-max = 1024
kernel.rtsig-nr = 0
kernel.hotplug = /sbin/hotplug
kernel.modprobe = /sbin/modprobe
kernel.printk = 1 4 1 7
kernel.ctrl-alt-del = 0
kernel.real-root-dev = 256
kernel.cap-bound = -257
kernel.tainted = 0
kernel.core_pattern = core
kernel.core_setuid_ok = 0
kernel.core_uses_pid = 0
kernel.panic = 0
kernel.domainname = (none)
kernel.hostname = unix
kernel.version = #1 Thu Sep 23 14:41:14 EEST 2004
kernel.osrelease = 2.4.26-gentoo-r9
kernel.ostype = Linux
fs.lease-break-time = 45
fs.dir-notify-enable = 1
fs.leases-enable = 1
fs.overflowgid = 65534
fs.overflowuid = 65534
fs.dentry-state = 1640 1438 45 0 0 0
fs.file-max = 13100
fs.file-nr = 140 37 13100
fs.inode-state = 1443 18 0 0 0 0 0
fs.inode-nr = 1443 18
unix sbin #

Page 6: Unix Server Tools

ifconfig

# ifconfig eth0 192.168.99.35 netmask 255.255.255.0 up
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:80:C8:F8:4A:51
          inet addr:192.168.99.35  Bcast:192.168.99.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:190312 errors:0 dropped:0 overruns:0 frame:0
          TX packets:86955 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:30701229 (29.2 Mb)  TX bytes:7878951 (7.5 Mb)
          Interrupt:9 Base address:0x5000

Obsolete in Linux for many (10+) years but still heavily used everywhere because of muscle memory (and compatibility with other UNIX versions)

Page 7: Unix Server Tools

ip: the ifconfig replacement in Linux (part of iproute2). Many new features, actively developed. Replaces many networking commands: arp, iptunnel, nameif, netstat, route. More Cisco-ish syntax:

ip link set eth0 up
ip addr add 192.168.99.35/24 dev eth0
ip addr show dev eth0

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:12:33:44:55:66 brd ff:ff:ff:ff:ff:ff
    inet 192.168.99.35/24 brd 192.168.99.255 scope global eth0
       valid_lft forever preferred_lft forever

Page 8: Unix Server Tools

Netstat: routing, sockets

Routing table:

[root@morgan]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.98.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.98.254  0.0.0.0         UG       40 0          0 eth0

[root@newlinuxway]# ip route
default via 192.168.99.1 dev eth0 proto static
192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.35 metric 1

IP socket status:

[root@morgan]# netstat --inet -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    192 192.168.98.82:22        192.168.99.35:40991     ESTABLISHED
tcp        0      0 192.168.98.82:42929     192.168.100.17:993      ESTABLISHED
tcp       96      0 127.0.0.1:40863         127.0.0.1:6010          ESTABLISHED
tcp        0      0 127.0.0.1:6010          127.0.0.1:40863         ESTABLISHED
tcp        0      0 127.0.0.1:38502         127.0.0.1:6010          ESTABLISHED
tcp        0      0 127.0.0.1:6010          127.0.0.1:38502         ESTABLISHED
tcp        0      0 192.168.98.82:53733     209.10.26.51:80         SYN_SENT
tcp        0      0 192.168.98.82:44468     192.168.100.17:993      ESTABLISHED
tcp        0      0 192.168.98.82:44320     192.168.100.17:139      TIME_WAIT

[root@newlinuxway]# ss -f inet -n

Page 9: Unix Server Tools

route

[root@newlinuxway]# ip route {add | del} 193.1.9.0/24 via 193.1.9.1

Page 10: Unix Server Tools

Security Hardening

Recommended IP/ICMP settings (Linux; apply to the running kernel with sysctl -w and record them in /etc/sysctl.conf)

Ignore all ICMP echo requests ("disable ping"; note that this also blinds your own monitoring) # sysctl -w net.ipv4.icmp_echo_ignore_all=1

Ignore ICMP echo requests sent to broadcast addresses (smurf amplification) # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

Disable IP source routing # sysctl -w net.ipv4.conf.all.accept_source_route=0

Disable ICMP redirects # sysctl -w net.ipv4.conf.all.accept_redirects=0

Enable TCP SYN cookie protection # sysctl -w net.ipv4.tcp_syncookies=1

Ignore (and do not log) bogus ICMP error responses # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1

Log martian packets (source addresses that cannot be valid on the receiving interface) # sysctl -w net.ipv4.conf.all.log_martians=1

The conf.all.* keys act on interfaces that already exist; set the matching conf.default.* keys as well, so that interfaces brought up later inherit the setting (the sysctl -a dump above lists all, default and per-interface entries separately).

Create a blackhole (FreeBSD only: do not answer packets to closed ports with a TCP RST or an ICMP port unreachable; these keys do not exist on Linux) # sysctl net.inet.tcp.blackhole=1 # sysctl net.inet.udp.blackhole=1
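An added example (not from the slides) of how a practitioner turns this slide into a repeatable check: parse `sysctl -a` output in the "key = value" form shown on slide 5, compare it with the Linux settings recommended here, and print the /etc/sysctl.conf lines that would fix the drift. The sample input is a constructed subset of the slide 5 dump; icmp_echo_ignore_all is deliberately left out of the baseline because ignoring all pings is a monitoring trade-off rather than a clear win, and the FreeBSD blackhole keys are not Linux sysctls. The BASELINE table and function names are this example's own.

```python
"""Audit running sysctl values against a hardening baseline.

Added example for this page; not part of the original slides.
Input is the text format of `sysctl -a` ("key = value" per line;
the BSD "key: value" form is accepted too).
"""
import re
import subprocess

# Baseline from the "Recommended IP/ICMP Settings" slide (Linux keys only).
# conf.default.* is included so that interfaces brought up later inherit
# the setting; conf.all.* alone does not change the per-interface default.
BASELINE = {
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
}

# Constructed sample: a subset of the `sysctl -a` dump shown on slide 5.
SAMPLE_SYSCTL_A = """\
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.icmp_ignore_bogus_error_responses = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.ip_forward = 0
"""

_LINE = re.compile(r"^\s*([\w.\-/]+)\s*[=:]\s*(.*?)\s*$")


def parse_sysctl(text):
    """Parse `sysctl -a` output into a {key: value-string} dict."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit(values, baseline=BASELINE):
    """Return {key: (current, wanted)} for every baseline key that is missing
    or differs. Multi-value keys (e.g. tcp_rmem) are compared token-wise so
    that whitespace differences do not count as drift."""
    drift = {}
    for key, wanted in baseline.items():
        current = values.get(key)
        if current is None or current.split() != wanted.split():
            drift[key] = (current, wanted)
    return drift


def sysctl_conf_lines(drift):
    """Lines to add to /etc/sysctl.conf so the fix survives a reboot."""
    return [f"{key} = {wanted}" for key, (_cur, wanted) in sorted(drift.items())]


def audit_live():
    """Audit the running kernel (Linux; needs sysctl in PATH)."""
    out = subprocess.run(["sysctl", "-a"], capture_output=True, text=True,
                         check=False).stdout
    return audit(parse_sysctl(out))


if __name__ == "__main__":
    drift = audit(parse_sysctl(SAMPLE_SYSCTL_A))
    for key, (cur, want) in sorted(drift.items()):
        print(f"{key}: is {cur!r}, want {want!r}")
    print("\n# additions for /etc/sysctl.conf:")
    print("\n".join(sysctl_conf_lines(drift)))
```

Run against the slide 5 box, the audit reports eight of the nine baseline keys as drifted (only conf.all.accept_source_route is already 0); note in particular that conf.default.accept_source_route is still 1 there, which is exactly the all-versus-default gap the caveat above is about.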

Page 11: Unix Server Tools

configure domain name resolver

In Linux the resolver has 2 config files.

/etc/hosts specifies static mappings (address, canonical name, aliases):

185.300.10.1 host1
185.300.10.2 host2
185.300.10.3 host3
185.300.10.4 host4 merlin
185.300.10.5 host5 arthur king
185.300.10.5 timeserver
128.114.1.15 name1.xyz.aus.century.com name1

(The 185.300.x.x entries are reproduced as they appear on the slide; 300 is not a valid IPv4 octet, so read them as placeholders. With the usual "hosts: files dns" order in /etc/nsswitch.conf, an entry in /etc/hosts silently overrides whatever the nameserver would have answered.)

/etc/resolv.conf specifies the nameservers and the default domain:

domain abc.aus.century.com
nameserver 192.9.201.1
nameserver 192.9.201.2

Page 12: Unix Server Tools

resolvconf – resolv.conf replacement

Some software dynamically manages network connections (in some newer UNIX) and rewrites resolv.conf; change the generator's configuration instead of editing the file by hand.

$ cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 127.0.1.1

Here 127.0.1.1 is a local dnsmasq instance started by NetworkManager, which forwards queries to the real upstream servers:

$ ps aux | grep dns
nobody 1481 0.0 0.0 31004 988 ? S Oct22 6:51 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d

Page 13: Unix Server Tools

Popular Routing Protocols

Page 14: Unix Server Tools

Quagga (previously GNU Zebra)

Page 15: Unix Server Tools

Quagga

Page 16: Unix Server Tools

Setting Up Network Interface Cards FreeBSD

Configuring the Network Card Once the right driver is loaded for the network card, the card needs to be configured. As with many other things, the network card may have been configured at installation time by sysinstall. To display the configuration for the network interfaces on your system, enter the following command:

juriskr > ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=40<POLLING>
        inet 10.1.2.6 netmask 0xffffff00 broadcast 10.1.2.255
        inet 10.1.2.4 netmask 0xffffffff broadcast 10.1.2.4
        inet 10.1.2.7 netmask 0xffffffff broadcast 10.1.2.7
        inet 10.1.2.12 netmask 0xffffffff broadcast 10.1.2.12
        inet 10.1.2.9 netmask 0xffffffff broadcast 10.1.2.9
        ether 00:02:55:c8:45:aa
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000

To configure your card, you need root privileges. The network card configuration can be done from the command line with ifconfig(8) but you would have to do it after each reboot of the system. The file /etc/rc.conf is where to add the network card's configuration.

juriskr > cat /etc/rc.conf | grep ifconfig
ifconfig_fxp0="inet 10.1.2.6 netmask 255.255.255.0"
ifconfig_fxp0_alias0="inet 10.1.2.4 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 10.1.2.7 netmask 255.255.255.255"
ifconfig_fxp0_alias2="inet 10.1.2.9 netmask 255.255.255.255"
ifconfig_fxp0_alias3="inet 10.1.2.12 netmask 255.255.255.255"

Page 17: Unix Server Tools

Setting Up Network Interface Cards FreeBSD

Virtual Hosts

A very common use of FreeBSD is virtual site hosting, where one server appears to the network as many servers. This is achieved by assigning multiple network addresses to a single interface. A given network interface has one "real" address, and may have any number of "alias" addresses. These aliases are normally added by placing alias entries in /etc/rc.conf. An alias entry for the interface fxp0 looks like:

ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"

Note that alias entries must start with alias0 and proceed upwards in order (for example, _alias1, _alias2, and so on). The configuration process will stop at the first missing number.

ifconfig_fxp0_alias0="inet 10.1.2.4 netmask 255.255.255.255"
ifconfig_fxp0_alias1="inet 10.1.2.7 netmask 255.255.255.255"
ifconfig_fxp0_alias2="inet 10.1.2.9 netmask 255.255.255.255"
ifconfig_fxp0_alias3="inet 10.1.2.12 netmask 255.255.255.255"

Page 18: Unix Server Tools

Setting Up Network Interface Cards FreeBSD Testing and Troubleshooting

Testing the Ethernet Card

To verify that an Ethernet card is configured correctly, you have to try two things. First, ping the interface itself, and then ping another machine on the LAN.

First test the local interface:

juriskr > ping -c 3 10.1.2.6
PING 10.1.2.6 (10.1.2.6): 56 data bytes
64 bytes from 10.1.2.6: icmp_seq=0 ttl=64 time=0.054 ms
64 bytes from 10.1.2.6: icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from 10.1.2.6: icmp_seq=2 ttl=64 time=0.066 ms

--- 10.1.2.6 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.050/0.057/0.066/0.007 ms

Now we have to ping another machine on the LAN:

juriskr > ping 10.1.2.5
PING 10.1.2.5 (10.1.2.5): 56 data bytes
64 bytes from 10.1.2.5: icmp_seq=0 ttl=64 time=0.381 ms
64 bytes from 10.1.2.5: icmp_seq=1 ttl=64 time=0.188 ms
64 bytes from 10.1.2.5: icmp_seq=2 ttl=64 time=0.178 ms
^C
--- 10.1.2.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.178/0.249/0.381/0.093 ms

You could also use the machine name instead of the IP address if you have set up the /etc/hosts file.

Page 19: Unix Server Tools

ifconfig output, RHEL

[juris@ns1 ~]$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0B:CD:41:F4:93
          inet addr:81.xxx.xxx.xxx  Bcast:81.xxx.xxx.xxx  Mask:255.255.255.224
          inet6 addr: fe80::20b:cdff:fe41:f493/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:473091457 errors:0 dropped:0 overruns:0 frame:0
          TX packets:488547237 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3458689275 (3.2 GiB)  TX bytes:3985927941 (3.7 GiB)
          Interrupt:193

eth0:1    Link encap:Ethernet  HWaddr 00:0B:CD:41:F4:93
          inet addr:10.xxx.xxx.xxx  Bcast:10.xxx.xxx.xxx  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:193

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:6004400 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6004400 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:645400309 (615.5 MiB)  TX bytes:645400309 (615.5 MiB)

[juris@ns1 ~]$

Page 20: Unix Server Tools

Daemons

A daemon is a process that:

runs in the background, not associated with any terminal, so that
its output doesn't end up in another session, and
terminal-generated signals (^C) aren't received.

Page 21: Unix Server Tools

Unix and Daemons

Unix systems typically have many daemon processes.

Most servers run as a daemon process.

Page 22: Unix Server Tools

Common Daemons

Web server (httpd), mail server (sendmail), SuperServer (inetd), system logging (syslogd), print server (lpd), router process (routed, gated)

Page 23: Unix Server Tools

Daemon Output

No terminal, so a daemon must use something else: the file system, or a central logging facility.

Syslog is often used: it provides a central repository for system logging.

Page 24: Unix Server Tools

Syslog service

The syslogd daemon provides system logging services to "clients".

Simple API for "clients": a library provided by the O.S.

Page 25: Unix Server Tools

Sending a message to syslogd

Standard programming interface provided by syslog() function:

#include <syslog.h>
void syslog(int priority, const char *message, ...);

Works like printf()

Page 26: Unix Server Tools

syslogd

[Diagram: syslogd inputs and outputs]

Inputs to syslogd: the Unix domain socket /dev/log (local processes), /dev/klog (kernel messages) and a UDP socket on port 514 (messages from a remote syslogd).

Outputs from syslogd: the filesystem (/var/log/messages), a remote syslogd (UDP port 514) and the console.

Classic syslog over UDP/514 is unauthenticated and unencrypted: anything on the network can inject or read messages, so a syslogd should only listen on 514 when it is meant to be a log collector, and then from known senders only.

Page 27: Unix Server Tools

Syslog messages

Think of syslog as a server that accepts messages.

Each message includes a number of fields, including a level indicating the importance (8 levels):

LOG_EMERG    0  kernel panic
LOG_ALERT    1  condition needing immediate attention
LOG_CRIT     2  critical conditions
LOG_ERR      3  errors
LOG_WARNING  4  warning messages
LOG_NOTICE   5  not an error, but may need attention
LOG_INFO     6  informational messages
LOG_DEBUG    7  when debugging a system

Page 28: Unix Server Tools

Syslog message fields (cont.)

a facility that indicates the type of process that sent the message: LOG_MAIL, LOG_AUTH, LOG_USER, LOG_KERN, LOG_LPR, ...

a timestamp (added by syslogd), the host name as given by uname -n (added by syslogd), and a text string.

Page 29: Unix Server Tools

Logfile example

Dec 27 02:45:00 moet.colorado.edu netinfod [71]: cann’t lookup child

Dec 27 02:50:00 bruno ftpd [27876]: open of pid file failed: not a directory

Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5

Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times

Dec 27 02:55:33 bruno sendmail [28040] : host name/address mismatch: 192.93.110.26 != bull.bull..fr

Page 30: Unix Server Tools

/* C program: syslog using openlog and closelog */

#include <syslog.h>

int main(void)
{
    /* "SA-BOOK" is the ident prefixed to every message, LOG_PID appends
       the process id, LOG_USER is the facility used when none is given */
    openlog("SA-BOOK", LOG_PID, LOG_USER);
    syslog(LOG_WARNING, "Testing...");
    closelog();
    return 0;
}

On the host, this code produces the following log entry:

Dec 28 17:23:49 moet.colorado.edu SA-BOOK[84]: Testing...

Because syslog() works like printf(), never pass data you received from a user or the network as the format argument; log it with syslog(LOG_INFO, "%s", buf) instead, or the %n and %s in an attacker's string become a format string attack on your daemon.

Page 31: Unix Server Tools

Log files

Log files are normally kept in /var/log (settings in /etc/syslog.conf; apply changes with "/etc/init.d/syslog restart").

Read them: syslog records the system and what is happening on it. Logcheck is a handy utility which checks the contents of logs and mails anything unusual.

http://www.psionic.com/abacus/logcheck/
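As an added example (not from the slides, and not Logcheck's own code), here is the core of what a Logcheck-style filter does: parse the classic "timestamp host program[pid]: message" line format described on the previous slides into fields, then sort each line into "attack", "ignore" or "unusual" by regular expressions. The input is the log excerpt from the "Logfile example" slide; the rule patterns and the three categories are this example's choices (Logcheck ships its own, much longer, rule sets). Facility and level are not in the file format, so nothing here filters on them.

```python
"""Parse classic BSD syslog lines and apply logcheck-style rules.

Added example for this page; not from the slides or from logcheck.
"""
import re

# Constructed sample: the log lines shown on the "Logfile example" slide.
SAMPLE_LOG = """\
Dec 27 02:45:00 moet.colorado.edu netinfod [71]: cann't lookup child
Dec 27 02:50:00 bruno ftpd [27876]: open of pid file failed: not a directory
Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
Dec 27 02:55:33 bruno sendmail [28040] : host name/address mismatch: 192.93.110.26 != bull.bull..fr
"""

# "Mon DD HH:MM:SS host prog[pid]: msg"; the pid, and the blanks some
# programs put around it, are optional.
_SYSLOG = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)\s*(?:\[(?P<pid>\d+)\])?\s*:\s*"
    r"(?P<msg>.*)$"
)

# Example rules (this example's own choices, not logcheck's rule files):
# a forward/reverse DNS mismatch seen by sendmail is worth a look, while
# hardware noise and monitoring chatter are not.
ATTACK_PATTERNS = [re.compile(p) for p in (r"host name/address mismatch",)]
IGNORE_PATTERNS = [re.compile(p) for p in (r"spurious VME interrupt",
                                           r"has not answered \d+ times")]


def parse_line(line):
    """Return the message fields as a dict, or None if the line is not syslog."""
    m = _SYSLOG.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def check(text, attack=ATTACK_PATTERNS, ignore=IGNORE_PATTERNS):
    """Split a log into attack / unusual / unparsed lists. Attack patterns
    win over ignore patterns, so a noisy program can't hide an alert; every
    line that matches nothing is 'unusual' and gets reported, which is the
    logcheck philosophy: you whitelist the known, not blacklist the bad."""
    report = {"attack": [], "unusual": [], "unparsed": []}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            report["unparsed"].append(line)
        elif any(p.search(rec["msg"]) for p in attack):
            report["attack"].append(rec)
        elif any(p.search(rec["msg"]) for p in ignore):
            continue
        else:
            report["unusual"].append(rec)
    return report


if __name__ == "__main__":
    for kind, recs in check(SAMPLE_LOG).items():
        for rec in recs:
            print(kind.upper(), rec if isinstance(rec, str) else
                  f"{rec['host']} {rec['prog']}[{rec['pid']}]: {rec['msg']}")
```

On the slide's five lines this flags the sendmail mismatch, drops the VME interrupt and the pingem chatter, and reports netinfod and ftpd as unusual. The same parse_line() is what you would feed into a search over /var/log/messages for a particular pid or host during an incident.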

Page 32: Unix Server Tools

rsyslog

Replaces syslog in many newer Linux distros. Configuration and old inputs backwards compatible with syslog. Anonymization, encryption, signatures. Speed. Rate-limiting. New inputs: systemd. New outputs: DB, compressed files.

Page 33: Unix Server Tools

Back to daemons

To force a process to run in the background, just fork() and have the parent exit.

There are a number of ways to disassociate a process from any controlling terminal.

Call fork()and then setsid()

Page 34: Unix Server Tools

Daemon initialization

Daemons should close all unnecessary descriptors, often including stdin, stdout, stderr.

Get set up for using syslog: call openlog().

Often change the working directory (usually to /), or take the risk that the daemon keeps a filesystem busy so that it cannot be unmounted.

Many POSIX-based operating systems provide a function called daemon() which performs some or all of the steps listed above. Unfortunately it has three significant drawbacks:

It is not available on all systems. Its behaviour is not standardised (or necessarily well-documented). Its behaviour is more difficult to customise.
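An added example (not the slides' code, and not libc's daemon()) that does the steps from the last three slides by hand, in the order that matters: fork so the parent can exit, setsid to leave the terminal's session, fork again so the daemon is not a session leader and can never reacquire a controlling terminal, chdir to /, redirect 0/1/2 to /dev/null, close the rest. The probe function is this example's own way of proving the result: it launches a daemon that reports its session id, working directory and terminal status back over a pipe. Unix only; the /dev/tty and /dev/null checks assume Linux.

```python
"""Do by hand what daemon(3) does, step by step, then verify the result.

Added example for this page; not the slides' code and not libc's daemon().
Unix only (Linux is assumed for the /dev/tty and /dev/null checks).
"""
import json
import os
import stat
import sys


def daemonize(workdir="/", umask=0o022, keep_fds=()):
    """Detach the calling process. Returns only in the daemon; the original
    caller and the intermediate child both leave via os._exit()."""
    sys.stdout.flush()             # don't let buffered output be written twice
    sys.stderr.flush()
    if os.fork() > 0:              # 1. fork; the parent returns to the shell
        os._exit(0)
    os.setsid()                    # 2. new session: no controlling terminal
    if os.fork() > 0:              # 3. fork again: the daemon is not a session
        os._exit(0)                #    leader, so opening a tty can't attach one
    os.chdir(workdir)              # 4. don't pin a filesystem that may be unmounted
    os.umask(umask)
    devnull = os.open(os.devnull, os.O_RDWR)
    for std in (0, 1, 2):          # 5. stdin/stdout/stderr -> /dev/null
        os.dup2(devnull, std)
    if devnull > 2:
        os.close(devnull)
    for fd in range(3, 256):       # 6. drop other inherited descriptors
        if fd not in keep_fds:
            try:
                os.close(fd)
            except OSError:
                pass
    # 7. from here on the daemon reports via syslog: syslog.openlog() goes next


def daemon_attributes():
    """Facts about the current process that a correctly detached daemon
    must satisfy; used by the probe below."""
    try:
        os.close(os.open("/dev/tty", os.O_RDWR))
        has_ctty = True
    except OSError:                # ENXIO: no controlling terminal
        has_ctty = False
    st0 = os.fstat(0)
    return {
        "pid": os.getpid(),
        "sid": os.getsid(0),
        "cwd": os.getcwd(),
        "stdin_is_devnull": stat.S_ISCHR(st0.st_mode)
                            and st0.st_rdev == os.stat(os.devnull).st_rdev,
        "has_ctty": has_ctty,
    }


def spawn_and_probe():
    """Fork a child that daemonizes itself and reports daemon_attributes()
    back over a pipe. Returns that dict plus the caller's own session id."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        daemonize(keep_fds=(w,))   # keep only the pipe to report through
        os.write(w, json.dumps(daemon_attributes()).encode())
        os._exit(0)
    os.close(w)
    os.waitpid(pid, 0)             # the first child exits immediately
    chunks = []
    while True:
        chunk = os.read(r, 4096)   # EOF once the daemon has written and exited
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    info = json.loads(b"".join(chunks))
    info["caller_sid"] = os.getsid(0)
    return info


if __name__ == "__main__":
    for key, value in spawn_and_probe().items():
        print(f"{key}: {value}")
```

The checks worth keeping in your own daemon's test suite are the ones the probe makes: the daemon's session differs from the launcher's, its pid is not its session id (the second fork did its job), stdin is /dev/null and /dev/tty cannot be opened.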

Page 35: Unix Server Tools

Too many daemons?

There can be many servers running as daemons - and idle most of the time.

Much of the startup code is the same for these servers.

Most of the servers are asleep most of the time, but use up space in the process table.

Page 36: Unix Server Tools

Internet Daemon

The daemon inetd is started at boot time. Configuration file: /etc/inetd.conf

Fields: name (service name = port, looked up in /etc/services), type, protocol, wait-status, uid, server, arguments

#

ftp stream tcp6 nowait root /usr/sbin/tcpd in.ftpd

telnet stream tcp6 nowait root /usr/sbin/tcpd in.telnetd

#

# Mail is a useful thing...

pop3 stream tcp nowait root /etc/mail/popper popper -s

imap stream tcp nowait root /etc/mail/imapd imapd

Page 38: Unix Server Tools

Internet Daemon

When to modify inetd.conf

Disable a service: add a # at the beginning of the entry, then send a hang-up to inetd so that it re-reads the file:

kill -HUP processid

Enable a service. Change the path. Modify arguments.

Page 39: Unix Server Tools

inetd

The SuperServer is named inetd. This single daemon creates multiple sockets and waits for (multiple) incoming requests.

inetd typically uses select to watch multiple sockets for input.

When a request arrives, inetd will fork and the child process handles the client.

Page 40: Unix Server Tools

inetd children

The child process closes all unnecessary sockets.

The child dup's the client socket to descriptors 0, 1 and 2 (stdin, stdout, stderr).

The child exec's the real server program, which handles the request and exits.

Page 41: Unix Server Tools

Output

file descriptor   used for          default
0                 standard input    keyboard
1                 standard output   screen
2                 standard error    screen

Page 42: Unix Server Tools

inetd based servers

Servers that are started by inetd assume that the socket holding the request is already established (on descriptors 0, 1 and 2).

TCP servers started by inetd don't call accept, so they must call getpeername if they need to know the address of the client.
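The dispatch described on the last few slides, as an added example that is not inetd's code: select() over the listening sockets, fork a child per connection, dup the client socket onto descriptors 0, 1 and 2, close everything else, exec the real server. The run_once() demo below substitutes a socketpair for a TCP listener and uses cat(1) as a stand-in server (anything that copies stdin to stdout works as an echo service), so it runs without opening a network port; the function names are this example's own. Unix only.

```python
"""What inetd does per connection: fork, put the client socket on fds 0/1/2,
exec the real server. Added example for this page; not inetd's own code.
Unix only; the demo uses cat(1) as a stand-in echo server."""
import os
import select
import shutil
import socket

CAT = shutil.which("cat") or "/bin/cat"   # any program that copies stdin to stdout


def spawn_server(conn, argv):
    """Fork a child whose stdin/stdout/stderr are the client socket `conn`,
    then exec argv in it. Returns the child's pid; the caller closes its own
    copy of conn afterwards, as inetd does."""
    pid = os.fork()
    if pid == 0:
        try:
            fd = conn.fileno()
            for std in (0, 1, 2):
                if fd != std:
                    os.dup2(fd, std)       # dup2 clears close-on-exec on 0/1/2
            os.closerange(3, 1024)         # drop the listeners and everything else
            os.execv(argv[0], argv)        # the server now talks to the socket;
        finally:                           # it can getpeername(0) for the client
            os._exit(127)                  # reached only if exec failed
    return pid


def serve_forever(listeners, services):
    """inetd's main loop for "nowait" TCP services: select() over all listening
    sockets and fork one server per connection.
    listeners: {listening_socket: service_name}; services: {name: argv}."""
    while True:
        ready, _, _ = select.select(list(listeners), [], [])
        for lsock in ready:
            conn, _peer = lsock.accept()
            spawn_server(conn, services[listeners[lsock]])
            conn.close()                   # parent keeps no copy of the client fd
        while True:                        # reap finished children without blocking
            try:
                if os.waitpid(-1, os.WNOHANG)[0] == 0:
                    break
            except ChildProcessError:
                break


def run_once(argv, payload):
    """Demonstration over a socketpair instead of a TCP listener: send payload
    to the spawned server and return (what it wrote back, its exit status)."""
    client, server_side = socket.socketpair()
    pid = spawn_server(server_side, argv)
    server_side.close()
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)        # EOF on the server's stdin
    chunks = []
    while True:
        data = client.recv(4096)
        if not data:                       # server exited and closed fds 0/1/2
            break
        chunks.append(data)
    client.close()
    _, status = os.waitpid(pid, 0)
    return b"".join(chunks), os.WEXITSTATUS(status)


if __name__ == "__main__":
    print(run_once([CAT], b"hello from inetd\n"))
```

Two details matter for security here: the child runs with whatever uid the superserver had (real inetd changes to the uid from inetd.conf before exec, which this sketch leaves out), and everything not closed before exec is inherited by the server, including the other listening sockets, which is why the closerange() is there.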

Page 43: Unix Server Tools

/etc/inetd.conf

inetd reads a configuration file that lists all the services it should handle.

inetd creates a socket for each listed service, and adds the socket to a fd_set given to select().

Page 44: Unix Server Tools

inetd service specification

For each service, inetd needs to know:

the port number and transport protocol; the wait/nowait flag; the login name the process should run as; the pathname of the real server program; the command line arguments to the server program.

Page 45: Unix Server Tools

# comments start with #

echo stream tcp nowait root internal

echo dgram udp wait root internal

chargen stream tcp nowait root internal

chargen dgram udp wait root internal

ftp stream tcp nowait root /usr/sbin/ftpd ftpd -l

telnet stream tcp nowait root /usr/sbin/telnetd telnetd

finger stream tcp nowait root /usr/sbin/fingerd fingerd

# Authentication

auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o

# TFTP

tftp dgram udp wait root /usr/sbin/tftpd tftpd -s /tftpboot

example /etc/inetd.conf

Page 46: Unix Server Tools

ftp 21/tcp # File Transfer Protocol

telnet 23/tcp # Telnet

smtp 25/tcp # Simple Mail Transfer Protocol

tftp 69/udp # Trivial File Transfer Protocol

www 80/tcp # World Wide Web

ntp 123/tcp # Network Time Protocol

ntp 123/udp # Network Time Protocol

example /etc/services

Page 47: Unix Server Tools

wait/nowait

Specifying wait means that inetd should not look for new clients for the service until the child (the real server) has terminated.

TCP servers usually specify nowait - this means inetd can start multiple copies of the TCP server program - providing concurrency!

Page 48: Unix Server Tools

UDP & wait/nowait

Most UDP services run with inetd told to wait until the child server has died.

Some UDP servers hang out for a while, handling multiple clients before exiting.

inetd was told to wait, so it ignores the socket until the UDP server exits.

Page 49: Unix Server Tools

Super inetd

Some versions of inetd have built-in server code to handle simple services such as echo, daytime and chargen (the entries marked "internal" in inetd.conf).

Page 50: Unix Server Tools

Servers

Servers that are expected to deal with frequent requests are typically not run from inetd: mail, web, NFS.

Many servers are written so that a command line option can be used to run the server from inetd.

Page 51: Unix Server Tools

xinetd

Some versions of Unix provide a service very similar to inetd called xinetd.

configuration scheme is different basic idea (functionality) is the same…

Page 52: Unix Server Tools

# typical xinetd.conf
defaults
{
        instances       = 60
        log_type        = SYSLOG daemon
        log_on_success  = HOST PID
        log_on_failure  = HOST
        cps             = 25 30
}
includedir /etc/xinetd.d

root# ls /etc/xinetd.d
chargen      daytime-udp  finger  shell   time-udp
chargen-udp  echo         ftp     telnet

root# cat /etc/xinetd.d/telnet
service telnet
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/libexec/telnetd
        groups          = yes
        flags           = REUSE
        access_times    = 8:00-18:00
        only_from       = 128.138.12.0/24
}

example /etc/xinetd.d

Page 53: Unix Server Tools


The Superservers

Superservers listen on multiple network ports and start the appropriate service when a client connection arrives for that port.

xinetd is a superserver gaining popularity. It is a revised version of inetd that creates a more secure environment (per-service access control, logging and rate limits in its own configuration). Shipped with Red Hat Linux.

xinetd lately is the most widely used superserver. With classic inetd, application level access control is provided via TCP Wrappers, the tcpd program, which is wrapped around the real server in inetd.conf.

Page 54: Unix Server Tools

Managing Services

Network Services - Stand alone vs Inetd

The inetd model: the network super daemon.
/etc/services maps the name of the service to a port number, e.g. ulistserv 372/tcp ulistproc
/etc/inetd.conf is the main configuration file for inetd, e.g.

ftp stream tcp nowait root /usr/sbin/tcpd proftpd

The xinetd model: an advanced replacement for inetd, more secure and flexible, with advanced access control mechanisms.
/etc/xinetd.conf is the main configuration file for xinetd.
/etc/xinetd.d/ contains files for services managed by xinetd.

Page 55: Unix Server Tools

Managing Services

Managing services in inetd and xinetd

For inetd: comment out the corresponding service in inetd.conf, then restart inetd: # pkill -HUP inetd
For xinetd: make changes in xinetd.conf and xinetd.d (access control mechanisms for services can be specified there), then # /etc/rc.d/init.d/xinetd restart

Typical services to be blocked: finger, rwho, rsh, rlogin, rexec, echo, ntalk; FTP, Telnet. Use ssh, scp, sftp instead.
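An added example (not from the slides) that turns the last two slides into a script: parse the seven-field inetd.conf format, list the services on the block list above, list what else still runs as root, and write out the hardened copy with the blocked entries commented out, ready for a kill -HUP. The sample configuration is built from the inetd.conf lines shown on this deck's earlier slides; the BLOCK set is the slide's list plus the other legacy r-services and internal toy services of the same kind, and the function names are this example's own.

```python
"""Parse /etc/inetd.conf, flag what should be disabled, write the hardened copy.
Added example for this page; not from the slides."""
import re

# Constructed sample built from the inetd.conf lines shown on the slides.
SAMPLE_INETD_CONF = """\
# comments start with #
echo stream tcp nowait root internal
echo dgram udp wait root internal
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
ftp stream tcp nowait root /usr/sbin/tcpd proftpd
telnet stream tcp nowait root /usr/sbin/telnetd telnetd
finger stream tcp nowait root /usr/sbin/fingerd fingerd
# Authentication
auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
# TFTP
tftp dgram udp wait root /usr/sbin/tftpd tftpd -s /tftpboot
# Mail is a useful thing...
pop3 stream tcp nowait root /etc/mail/popper popper -s
imap stream tcp nowait root /etc/mail/imapd imapd
"""

# "Typical services to be blocked" from the slide, plus the other legacy
# r-services and internal toys that belong in the same bucket.
BLOCK = {"finger", "rwho", "rsh", "shell", "rlogin", "login", "rexec", "exec",
         "echo", "ntalk", "talk", "ftp", "telnet", "chargen", "daytime",
         "discard", "tftp"}

FIELDS = ("service", "socket_type", "protocol", "wait", "user", "server", "args")


def parse_inetd_conf(text):
    """Yield (raw_line, entry) per line; entry is None for comments/blanks."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            yield raw, None
            continue
        parts = line.split(None, 6)               # args keep their spaces
        if len(parts) < 6:
            raise ValueError(f"line {lineno}: malformed inetd.conf entry: {raw!r}")
        entry = dict(zip(FIELDS, parts + [""] * (7 - len(parts))))
        entry["user"] = re.split(r"[.:]", entry["user"])[0]   # user[.group]
        entry["protocol"] = entry["protocol"].rstrip("46")     # tcp6 -> tcp
        yield raw, entry


def review(text, block=BLOCK):
    """Return (to_block, as_root): active services that should be disabled,
    and the remaining ones that run as root (candidates for a dedicated uid
    or at least a tcpd wrapper)."""
    to_block, as_root = [], []
    for _raw, e in parse_inetd_conf(text):
        if e is None:
            continue
        name = f"{e['service']}/{e['protocol']}"
        if e["service"] in block:
            to_block.append(name)
        elif e["user"] == "root":
            as_root.append(name)
    return to_block, as_root


def harden(text, block=BLOCK):
    """inetd.conf text with blocked services commented out. Afterwards
    `kill -HUP <inetd pid>` makes inetd re-read the file."""
    out = []
    for raw, e in parse_inetd_conf(text):
        out.append("#" + raw if e is not None and e["service"] in block else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    to_block, as_root = review(SAMPLE_INETD_CONF)
    print("disable:", ", ".join(to_block))
    print("still root:", ", ".join(as_root))
    print(harden(SAMPLE_INETD_CONF))
```

The second list is the one people forget: after telnet and ftp are gone, pop3 and imap in the sample still run as root and still carry passwords in the clear, so the next step is the same one the slide gives for logins, i.e. replace them with their TLS variants or move them behind a dedicated uid.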

Page 56: Unix Server Tools

Ports

There are 65535 usable ports (1 to 65535) per transport protocol. Services tend to use ports below 1024. These are "privileged" ports: only root (on Linux, a process with the CAP_NET_BIND_SERVICE capability) may listen on them. If you have something running on a port you don't recognise: find out what it is, decide if you need it.

Page 57: Unix Server Tools

Useful Tools

netstat -an tells you what connections are active

netstat -lp tells which ports are listening and which process owns them (run it as root to see other users' processes; on current Linux, ss -lntup gives the same view)

ps -ef lists the running processes

chkrootkit checks for signs of rootkits. Common rootkits install trojaned tools (netstat and ps among them), so a clean answer from the host's own binaries is not proof of a clean host; compare with a view from outside, e.g. a port scan from another machine.
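An added example (not from the slides) of the "find out what it is, decide if you need it" step as a script: parse `netstat -lnp` output, look each listener up in /etc/services using the excerpt from the earlier slide, and compare it with an allowlist of what the host is supposed to expose. The netstat sample below is constructed (six sockets, one of them an unexplained listener on 31337), the ALLOW set is a hypothetical policy for that host, and the function names are this example's own.

```python
"""Review listening sockets against an allowlist and /etc/services.
Added example for this page; parses the `netstat -lnp` text format."""
import re

# Constructed: the /etc/services excerpt from the slide
SAMPLE_SERVICES = """\
ftp 21/tcp # File Transfer Protocol
telnet 23/tcp # Telnet
smtp 25/tcp # Simple Mail Transfer Protocol
tftp 69/udp # Trivial File Transfer Protocol
www 80/tcp # World Wide Web
ntp 123/tcp # Network Time Protocol
ntp 123/udp # Network Time Protocol
"""

# Constructed: `netstat -lnp` output as root (the PID/Program column is
# only filled in for your own processes unless you are root)
SAMPLE_NETSTAT_LNP = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      980/master
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      301/inetd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4242/backup
udp        0      0 0.0.0.0:69              0.0.0.0:*                           301/inetd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           455/ntpd
"""

# Hypothetical policy: what this host is supposed to expose, as (proto, port)
ALLOW = {("tcp", 22), ("tcp", 25), ("udp", 123)}

_SVC = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b")
_SOCK = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(?:LISTEN\s+)?(\S+)\s*$")


def parse_services(text):
    """{(proto, port): name} from /etc/services text."""
    names = {}
    for line in text.splitlines():
        m = _SVC.match(line.strip())
        if m:
            names[(m.group(3), int(m.group(2)))] = m.group(1)
    return names


def parse_listeners(text):
    """List of listening sockets from `netstat -lnp` output."""
    out = []
    for line in text.splitlines():
        m = _SOCK.match(line)
        if not m:
            continue
        proto, addr, port, owner = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        pid, _, prog = owner.partition("/")       # "612/sshd" or "-"
        out.append({"proto": proto, "addr": addr, "port": port,
                    "pid": int(pid) if pid.isdigit() else None,
                    "prog": prog or None})
    return out


def review_listeners(listeners, allow=ALLOW, services=None):
    """Annotate each listener with its /etc/services name, whether it is on the
    allowlist, whether it is reachable from the network (not bound to loopback)
    and whether it sits on a privileged port."""
    services = services or {}
    report = []
    for sock in listeners:
        key = (sock["proto"], sock["port"])
        report.append({**sock,
                       "service": services.get(key),
                       "allowed": key in allow,
                       "exposed": sock["addr"] in ("0.0.0.0", "::", "*"),
                       "privileged": sock["port"] < 1024})
    return report


def unexpected(report):
    """The ones to go and identify: not on the allowlist."""
    return [r for r in report if not r["allowed"]]


if __name__ == "__main__":
    rep = review_listeners(parse_listeners(SAMPLE_NETSTAT_LNP), ALLOW,
                           parse_services(SAMPLE_SERVICES))
    for r in unexpected(rep):
        print(f"{r['proto']}/{r['port']} ({r['service'] or 'unknown'}) "
              f"pid {r['pid']} {r['prog']} exposed={r['exposed']}")
```

On the sample this reports telnet and tftp (both spawned by inetd, both on the block list from the previous slides) and the nameless listener on tcp/31337 with pid 4242, which is the one to chase with ps -ef, ls -l /proc/4242/exe and, if the host's own tools cannot be trusted, chkrootkit.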

Page 58: Unix Server Tools

Scheduling processes - cron

Many aspects of system administration require things to be done on a routine basis: rotating logs, building help files, checking disk space, checking permissions.

Remembering to do things is error prone. Unix provides a scheduling mechanism referred to as cron. Cron has two parts: the daemon, crond, and the table of actions, /etc/crontab.

Page 59: Unix Server Tools

Cron

the crond daemon is started at boot time

the daemon 'wakes up' every minute to check its table of actions

if there is something to do -> run the command; if nothing to do -> go back to sleep for 1 min

The cron table is a list of (time, command) pairs. The format is

minute hour day month dayofweek command

Page 60: Unix Server Tools

Crontab

Commands can be scheduled by minute (0 to 59), hour (0 to 23), day of the month (1 to 31), month (1 to 12), day of the week (0 = Sunday ... 6 = Saturday, or use the three-letter names mon, tue, wed, ...).

Example:

01 * * * * command1   # hourly, at 1 minute past
0 1 * * *  command2   # daily, at 1 am
04 1 * * * command3   # run at 4 minutes past 1 each day

* means 'check every' (match every value of that field). Note that "* 1 * * *" would run the command every minute between 01:00 and 01:59, not once a day; the minute field has to be fixed for a once-a-day job.

Page 61: Unix Server Tools

Cron

Under Red Hat Linux the cron table is used to execute a set of commands found in some special directories: /etc/cron.hourly, /etc/cron.daily (contains logrotate, makewhatis, slocate, tmpwatch), /etc/cron.weekly, /etc/cron.monthly

You can add your own commands to the appropriate directory, but remember they need to be 'batch' commands, as they will run automatically and unattended

Page 62: Unix Server Tools

Crontab Files

Minute 0-59, Hour 0-23, Day 1-31, Month 1-12, Weekday 0-6 (0 = Sunday)

* matches everything; 1-3 matches a range; 1,5 matches a series

Special strings: @hourly (same as 0 * * * *), @daily, @weekly, @monthly, @yearly, etc.

Most special of all: @reboot

Page 63: Unix Server Tools

Examples

15,45 10 * * 1-5 write garth % Hi Garth % get a job

30 2 * * 1 (cd /user/joe/p; make)

find /tmp -atime +3 -exec rm -f {} ';'

Output is mailed to the owner of the crontab file
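The five time fields described on the preceding slides (ranges, series, `*/step`, names, the `@` shortcuts) are easy to get subtly wrong, and the only feedback from cron is a job that silently never runs or runs sixty times an hour. The following is an added example, not code from the slides: a small matcher that expands a crontab schedule into sets and tells you whether it fires at a given minute, so a schedule can be checked before it is installed. It implements one rule the slides do not mention but Vixie cron does apply: when both the day-of-month and day-of-week fields are restricted, the job runs when either matches.

```python
"""Expand crontab time fields and test whether a schedule fires at a given minute."""
from datetime import datetime

# The @-shortcuts listed on the slides, as the five-field schedules they stand for.
SPECIAL = {
    "@hourly": "0 * * * *",
    "@daily": "0 0 * * *",
    "@weekly": "0 0 * * 0",
    "@monthly": "0 0 1 * *",
    "@yearly": "0 0 1 1 *",
}
DOW_NAMES = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]
MONTH_NAMES = ["jan", "feb", "mar", "apr", "may", "jun",
               "jul", "aug", "sep", "oct", "nov", "dec"]


def _atom(tok, lo, names):
    """One value: a number, or a name (mon, jan) mapped onto the field's range."""
    tok = tok.lower()
    if tok in names:
        return names.index(tok) + lo
    return int(tok)


def expand(field, lo, hi, names=()):
    """Expand a field such as '*', '1-5', '1,5', '*/15' or 'mon-fri' into a set of ints."""
    values = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            a, b = rng.split("-")
            start, end = _atom(a, lo, names), _atom(b, lo, names)
        else:
            start = end = _atom(rng, lo, names)
            if step > 1:          # '5/10' means every 10th value starting at 5
                end = hi
        if not (lo <= start <= end <= hi):
            raise ValueError(f"field {field!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_schedule(spec):
    """Return (minutes, hours, mdays, months, wdays) as sets for a 5-field schedule."""
    fields = SPECIAL.get(spec.strip(), spec).split()
    if len(fields) != 5:
        raise ValueError("expected five time fields")
    wdays = expand(fields[4], 0, 7, DOW_NAMES)
    if 7 in wdays:                # cron accepts 7 as another name for Sunday
        wdays.add(0)
    return (expand(fields[0], 0, 59), expand(fields[1], 0, 23), expand(fields[2], 1, 31),
            expand(fields[3], 1, 12, MONTH_NAMES), wdays)


def matches(spec, when):
    """True if cron would start `spec` at `when` (a datetime or 'YYYY-MM-DD HH:MM')."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    fields = SPECIAL.get(spec.strip(), spec).split()
    mins, hours, mdays, months, wdays = parse_schedule(spec)
    weekday = when.isoweekday() % 7        # Monday=1 .. Sunday=0, like cron
    if fields[2] != "*" and fields[4] != "*":
        day_ok = when.day in mdays or weekday in wdays     # Vixie cron: either matches
    else:
        day_ok = when.day in mdays and weekday in wdays
    return when.minute in mins and when.hour in hours and when.month in months and day_ok


if __name__ == "__main__":
    for spec in ("15,45 10 * * 1-5", "30 2 * * 1", "@hourly"):
        print(spec, "->", matches(spec, "2024-06-12 10:45"))
```

The examples on the slide above map directly: `15,45 10 * * 1-5` fires at 10:45 on a Wednesday and not on a Saturday, and `* 1 * * *` expands to sixty minutes in the 1 am hour, which is the mistake the corrected `0 1 * * *` avoids.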

Page 64: Unix Server Tools

crontab commands (user crontab):
crontab                      replace the crontab from standard input (^C to exit)
crontab -l                   list
crontab -e                   edit
crontab -l > cronfile        dump the crontab to a file
crontab cronfile             install the crontab from a file

cron.allow - If this file exists, it must contain your username for you to use cron jobs.

cron.deny - If cron.allow does not exist but this file does, you must not be listed in it.

System crontab: just edit /etc/crontab as root; nowadays cron reloads it automatically.

Page 65: Unix Server Tools

The cron utility

The cron utility runs in the background and constantly checks the /etc/crontab file.

The cron utility also checks the /var/cron/tabs directory, in search of new crontab files. These crontab files store information about specific functions which cron is supposed to perform at certain times.

Page 66: Unix Server Tools

Common Uses for CRON

Cleaning the filesystem Distribution of config files Rotating log files Backups Heavy task offloading

Page 67: Unix Server Tools

The cron utility

The cron utility uses two different types of configuration files, the system crontab and user crontabs.

The only difference between these two formats is the sixth field. In the system crontab, the sixth field is the name of a user for the command to run as. This gives the system crontab the ability to run commands as any user. In a user crontab, the sixth field is the command to run, and all commands run as the user who created the crontab; this is an important security feature.

Page 68: Unix Server Tools

The cron utility

# /etc/crontab - root's crontab for FreeBSD
#
# $FreeBSD: src/etc/crontab,v 1.32 2002/11/22 16:13:39 tom Exp $
#
SHELL=/bin/sh
PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME=/var/log
#
#minute hour    mday    month   wday    who     command
#
*/5     *       *       *       *       root    /usr/libexec/atrun

Page 69: Unix Server Tools

The cron utility

Like most FreeBSD configuration files, the # character represents a comment. A comment can be placed in the file as a reminder of what and why a desired action is performed. Comments cannot be on the same line as a command or else they will be interpreted as part of the command; they must be on a new line. Blank lines are ignored.

First, the environment must be defined. The equals (=) character is used to define any environment settings, as with this example where it is used for the SHELL, PATH, and HOME options. If the shell line is omitted, cron will use the default, which is sh. If the PATH variable is omitted, no default will be used and file locations will need to be absolute. If HOME is omitted, cron will use the invoking user's home directory.

This line defines a total of seven fields. Listed here are the values minute, hour, mday, month, wday, who, and command. These are almost all self explanatory. minute is the time in minutes the command will be run. hour is similar to the minute option, just in hours. mday stands for day of the month. month is similar to hour and minute, as it designates the month. The wday option stands for day of the week. All these fields must be numeric values, and follow the twenty-four hour clock. The who field is special, and only exists in the /etc/crontab file. This field specifies which user the command should be run as. When a user installs his or her crontab file, they will not have this option. Finally, the command option is listed. This is the last field, so naturally it should designate the command to be executed.

This last line will define the values discussed above. Notice here we have a */5 listing, followed by several more * characters. These * characters mean “first-last”, and can be interpreted as every time. So, judging by this line, it is apparent that the atrun command is to be invoked by root every five minutes regardless of what day or month it is. For more information on the atrun command, see the atrun(8) manual page.

Commands can have any number of flags passed to them; however, commands which extend to multiple lines need to be broken with the backslash “\” continuation character.

Page 70: Unix Server Tools

The cron utility

Installing a Crontab

Important: you must not use the procedure described here to edit/install the system crontab. Simply use your favorite editor: the cron utility will notice that the file has changed and immediately begin using the updated version.

To install a freshly written user crontab, first use your favorite editor to create a file in the proper format, and then use the crontab utility.

For users who wish to begin their own crontab file from scratch, without the use of a template, the crontab -e option is available. This will invoke the selected editor with an empty file. When the file is saved, it will be automatically installed by the crontab command.

If you later want to remove your user crontab completely, use crontab with the -r option.

Page 71: Unix Server Tools

Unix Security

Page 72: Unix Server Tools

Security Hardening : Access Control

TCP Wrappers

An effective access control mechanism: an invisible layer that blocks or permits access to services by hostname or IP address, with logging. Configured in /etc/hosts.allow and /etc/hosts.deny

Page 73: Unix Server Tools


TCP Wrappers

TCP Wrappers - tcpd - is an application-level access control program

TCP Wrappers is not a firewall and should be used with one if Linux security issues exist

Configuration is done by two files: /etc/hosts.allow and /etc/hosts.deny. Ensure proper and expected configuration by testing carefully before relying on it. Use it transparently with inetd, or link a daemon explicitly with the libwrap shared library.
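"Test carefully before relying on it" is good advice because the two files are consulted in a fixed order that is easy to misremember: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, otherwise access is granted. The following is an added example, not part of the slides or of the tcp_wrappers package: a re-implementation of that evaluation order for a subset of the file syntax (ALL, net/mask, leading-dot domain suffix, trailing-dot address prefix, exact host, and EXCEPT), so a rule set can be checked offline. The two sample files are constructed for the example.

```python
"""Evaluate hosts.allow / hosts.deny the way tcpd does, for a subset of the syntax."""
import ipaddress

# Constructed sample files (assumptions for this example, not from the slides).
HOSTS_ALLOW = """\
# daemon_list : client_list
sshd    : 10.1.0.0/255.255.0.0, .admin.example.com
in.ftpd : ALL EXCEPT 10.1.5.
ALL     : 127.0.0.1
"""
HOSTS_DENY = """\
ALL : ALL
"""


def _client_matches(pattern, addr, hostname):
    """One client pattern against the peer's address and (reverse-looked-up) name."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:                      # net/mask, e.g. 10.1.0.0/255.255.0.0
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.startswith("."):             # domain suffix, e.g. .admin.example.com
        return hostname.endswith(pattern)
    if pattern.endswith("."):               # address prefix, e.g. 10.1.5.
        return addr.startswith(pattern)
    return pattern in (addr, hostname)      # exact address or host name


def _list_matches(client_list, addr, hostname):
    """'a, b EXCEPT c' matches when the left side matches and the right side does not."""
    left, _, right = client_list.partition(" EXCEPT ")
    hit = any(_client_matches(p, addr, hostname) for p in left.split(","))
    if hit and right:
        hit = not _list_matches(right, addr, hostname)
    return hit


def _daemon_matches(daemon_list, daemon):
    return any(p.strip() in ("ALL", daemon) for p in daemon_list.split(","))


def _file_matches(text, daemon, addr, hostname):
    """First matching 'daemon_list : client_list [: option]' line wins."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":")[0]        # ignore the optional option field
        if _daemon_matches(daemons, daemon) and _list_matches(clients, addr, hostname):
            return True
    return False


def allowed(daemon, addr, hostname, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """tcpd order: hosts.allow grants, then hosts.deny refuses, else access is granted."""
    if _file_matches(hosts_allow, daemon, addr, hostname):
        return True
    if _file_matches(hosts_deny, daemon, addr, hostname):
        return False
    return True


if __name__ == "__main__":
    print(allowed("sshd", "10.1.7.9", "box.corp"))        # True  (net/mask in hosts.allow)
    print(allowed("sshd", "192.0.2.7", "x.example.org"))  # False (ALL : ALL in hosts.deny)
```

The default-permit at the end is the reason the usual deployment pattern pairs an explicit allow-list with `ALL : ALL` in hosts.deny, as the sample does; remove that line and every daemon not mentioned in hosts.allow becomes reachable from anywhere.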

Page 74: Unix Server Tools


TCP Wrappers

Page 75: Unix Server Tools


TCP Wrappers

Page 76: Unix Server Tools
Page 77: Unix Server Tools

Security Hardening : Access Control

Firewalls. What is a firewall? An access control policy that isolates networks, enforced by packet filtering.

IPTables

Chains (INPUT, OUTPUT, FORWARD); targets (ACCEPT, DROP, REJECT, LOG); efficient packet filtering based on protocol, IP address, stateful or stateless matching, etc.

# iptables -A INPUT -s 160.36.172.1 -j DROP

Page 78: Unix Server Tools

Security tools: hardening scripts (Bastille / Titan / JASS)

Host intrusion detection systems: monitor changes in filesystems/memory; record attributes and checksums in a secure location; compare later and report anomalies

(Network) intrusion detection or prevention systems: monitor a host or a whole network; signature-based detection, statistical anomaly-based detection, stateful protocol analysis detection

Page 79: Unix Server Tools

Linux Packet Filtering types

ipfw (Linux 1.2 kernels), ipfwadm (Linux 2.0 kernels), ipchains (Linux 2.2 kernels), iptables (Linux 2.4 kernels), iptables (Linux 2.6 kernels), iptables (Linux 3.* kernels)

Page 80: Unix Server Tools

Iptables log and rule format

Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53

/sbin/iptables -A OUTPUT -o lo -p udp -s localhost/32 --sport 1024:65535 -d localhost/32 --dport domain -j ACCEPT   # domain/udp (O)
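Log lines like the one above are what the LOG target produces, and they are only useful if something parses them. The following is an added example, not from the slides: a parser that turns a netfilter kernel message into a dictionary of `KEY=value` fields and bare flags (DF, SYN, ...), keeps the second LEN (the UDP length) separate from the IP total length, and counts SYN-only packets per source as a crude scan indicator. The first sample line is the one on the slide; the second, with a `--log-prefix` of `DROPPED:`, is constructed.

```python
"""Parse netfilter LOG-target kernel messages and summarise them."""
import re

SAMPLE_LOG = [
    # The line from the slide.
    "Apr 30 21:04:10 sparrow kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=73 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=11339 DF PROTO=UDP SPT=33272 DPT=53 LEN=53",
    # Constructed: a logged-then-dropped inbound SYN with a log prefix.
    "Apr 30 21:05:02 sparrow kernel: DROPPED: IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=10.0.0.5 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=51 ID=4 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# syslog timestamp, host, 'kernel:', then the netfilter payload
PREFIX_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s+kernel:\s*(.*)$")


def parse_log_line(line):
    """Return a dict of fields for one LOG line, or None if it is not one."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    stamp, host, rest = m.groups()
    fields = {"timestamp": stamp, "host": host, "flags": []}
    prefix = []
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key in fields:         # second LEN is the transport-layer length
                key = key + "_2"
            fields[key] = value
        elif tok.isupper() and tok.isalpha():
            fields["flags"].append(tok)   # DF, SYN, ACK, FIN, ...
        else:
            prefix.append(tok)            # text from --log-prefix
    fields["prefix"] = " ".join(prefix)
    return fields


def describe(fields):
    """One-line human summary: proto src:sport -> dst:dport (interface)."""
    src = f"{fields.get('SRC')}:{fields.get('SPT', '-')}"
    dst = f"{fields.get('DST')}:{fields.get('DPT', '-')}"
    direction = f"in {fields['IN']}" if fields.get("IN") else f"out {fields.get('OUT')}"
    return f"{fields.get('PROTO', '?')} {src} -> {dst} ({direction})"


def syn_counts(lines):
    """Count logged SYN-only TCP packets per source address."""
    counts = {}
    for line in lines:
        f = parse_log_line(line)
        if f and f.get("PROTO") == "TCP" and "SYN" in f["flags"] and "ACK" not in f["flags"]:
            counts[f["SRC"]] = counts.get(f["SRC"], 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(describe(parse_log_line(line)))
    print(syn_counts(SAMPLE_LOG))
```

Feeding `grep 'kernel:' /var/log/messages` through `syn_counts` and sorting by count is a cheap first look at who is knocking on closed ports; the threshold that turns a count into an alert is a local decision.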

Page 81: Unix Server Tools

IPTables

Page 82: Unix Server Tools

Iptables Rules: Allow SSH to the bridge machine itself

iptables -A INPUT -p tcp -d 10.252.49.231 \
    --dport 22 -j ACCEPT

iptables -A INPUT -i eth0 -m state \
    --state RELATED,ESTABLISHED -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -P INPUT DROP

Page 83: Unix Server Tools

Iptables Rules: Allow TCP through the bridge, feed to Snort

iptables -A FORWARD -m state \
    --state RELATED,ESTABLISHED -j QUEUE

iptables -A FORWARD -p tcp -m state \
    --state NEW,RELATED -j QUEUE

Page 84: Unix Server Tools

Masquerading: for modem connections/DHCP. Doesn't drop connections when the address changes. Makes all packets from internal hosts look like they are coming from the modem machine/DHCP address (the outgoing interface's address):

echo 1 > /proc/sys/net/ipv4/ip_forward

modprobe iptable_nat

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Page 85: Unix Server Tools

Configuring NAT with iptables. First example:

iptables -t nat -A POSTROUTING -s 10.0.1.2 -j SNAT --to-source 128.143.71.21

Pooling of IP addresses:
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 128.128.71.0-128.143.71.30

ISP migration:
iptables -t nat -R POSTROUTING -s 10.0.1.0/24 -j SNAT --to-source 128.195.4.0-128.195.4.254

IP masquerading:
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth1 -j MASQUERADE

Load balancing:
iptables -t nat -A PREROUTING -i eth1 -j DNAT --to-destination 10.0.1.2-10.0.1.4

Page 86: Unix Server Tools

Configuring NAT in Linux: Linux uses the Netfilter/iptables package to add filtering rules to the IP module.

[Figure: packet path through the netfilter tables]
Incoming datagram -> nat PREROUTING (DNAT) -> "Destination is local?"
    Yes -> filter INPUT -> to application
    No  -> filter FORWARD -> nat POSTROUTING (SNAT) -> outgoing datagram
From application -> nat OUTPUT -> filter OUTPUT -> nat POSTROUTING (SNAT) -> outgoing datagram

Page 87: Unix Server Tools

Source NAT

Translate source address

iptables -t nat -A POSTROUTING \
    -o <outgoing-interface> -j SNAT \
    --to-source <address>[-<address>][:port-port]

iptables -t nat -A POSTROUTING -o eth1 \
    -j SNAT --to-source 10.252.49.231

Page 88: Unix Server Tools

Destination NAT

Translate destination address

iptables -t nat -A PREROUTING \
    -i <incoming-interface> -j DNAT \
    --to-destination <address>[-<address>][:port-port]

iptables -t nat -A PREROUTING -i eth0 -p tcp \
    -d 10.252.49.77 --dport 80 -j DNAT \
    --to-destination 10.252.49.231

iptables -t nat -A PREROUTING -i eth0 -p tcp \
    -d 10.252.49.77 --dport 80 -j REDIRECT

Page 89: Unix Server Tools

Load Balancing

Source policy routing: make sure person A, who pays the lower rate, gets routed over the house modem instead of the DSL

Split access for multiple uplinks: packets coming in from ISP A go back out ISP A

Load balancing: the default route becomes a multipath route, balancing over 2 providers

iptables -t nat -A PREROUTING -i eth0 -d 10.252.49.231 -p tcp --dport 80 -j DNAT --to-destination 10.252.50.4-10.252.50.8

Page 90: Unix Server Tools
Page 91: Unix Server Tools
Page 92: Unix Server Tools

Hacked WebServer

Page 93: Unix Server Tools

Queuing Disciplines

First-In-First-Out (FIFO): no classes; fast, easy to implement

Priority Queuing: all traffic in a high-priority class is sent before any in a lower-priority one

Class-based Queuing (CBQ): a number of bytes is sent from each class before going to the next class

Page 94: Unix Server Tools

Unix Traffic Shaping

CBQ is an interface to the Linux tc (traffic control) command

Other queuing systems besides CBQ are available: HBQ, TBF, SFQ

Page 95: Unix Server Tools

Link Sharing between CBQ Traffic Classes

[Figure: link-sharing tree. Link (Pipe) is split into RT-Video 50%, Text/CGI 25% and GIF/JPEG 25%; RT-Video carries Conn. 1 (50%), Text/CGI carries Conn. 2 (15%) and Conn. 3 (10%), GIF/JPEG carries Conn. 4 (12.5%) and Conn. 5 (12.5%)]

Page 96: Unix Server Tools

Link Sharing Goal

Over appropriate time-intervals, each interior or leaf class should receive its allocated bandwidth

(given sufficient demand)

Page 97: Unix Server Tools

CBQ – Class Based Queue

[Figure: a Linux bandwidth manager (Bwmgr) between TRIUMF/UBC and the Internet: eth0 towards TRIUMF at 10Mbps, eth3 towards the Internet at 2Mbps; networks 142.90.0.0/16 and 142.103.0.0/16]

• If you want to control traffic in both directions, you must set up CBQ for both interfaces

• Imagine you want to shape traffic from the Internet to TRIUMF to 10Mbit and traffic in the opposite direction to 2Mbit. You need to set up CBQ on both the eth0 and eth3 interfaces, thus you need two config files

Page 98: Unix Server Tools

QOS – Outgoing Packets (Classless)

pfifo_fast – first in first out – 3 bands, packets in Band 0 get handled, then Band 1, etc.

Token Bucket Filter – the rate does not exceed some limit, but bursting is possible with enough tokens. Allows uploading without killing interactive sessions:

tc qdisc add dev ppp0 root tbf rate 220kbit latency 50ms burst 1540

Stochastic Fairness Queueing – less accurate but promotes fairness so no one conversation drowns out the others

tc qdisc add dev ppp0 root sfq perturb 10

red - Random Early Detection simulates physical congestion by randomly dropping packets when nearing configured bandwidth allocation. Well suited to very large bandwidth applications.

Page 99: Unix Server Tools

Bridging

Linux 2.4 kernel (2.4.21): bridging support is built into 2.4 kernels

If you also want iptables support on the bridge, you must also install the ebtables-brnf patch for your kernel

The bridge is configured using tools from bridge-utils:
brctl addbr br0; brctl addif br0 eth0; brctl addif br0 eth3

ip link set br0 up; ifconfig eth0 up; ifconfig eth3 up

ip addr add 142.103.66.4/24 brd + dev br0

Page 100: Unix Server Tools

Build the Bridge

ifconfig eth0 0.0.0.0 up

ifconfig eth1 0.0.0.0 up

brctl addbr br0

brctl addif br0 eth0

brctl addif br0 eth1

No Spanning Tree Protocol: brctl stp br0 off

Turn it on: ifconfig br0 0.0.0.0 up

Or give the bridge an IP address and turn it on: ifconfig br0 10.252.49.231 netmask 255.255.255.0 up

route add default gw 10.252.49.1

Page 101: Unix Server Tools

Networking Software

Good free implementations for:
DNS: BIND v8/9, djbdns
SMTP: sendmail, qmail, postfix, exim
POP/IMAP: qpopper, uwimapd
HTTP: Apache, nginx; PHP, MySQL

“If it was hard to develop, it should be hard to install!”

Page 102: Unix Server Tools

Setting Up a Basic Name Server

Later versions of BIND use the configuration file /etc/named.conf

This file is divided into five sections: options, controls, three different zones and an include line, which refers to the rndc security file

A zone is a part of the DNS domain tree for which the DNS server has authority to provide information

Zone information is contained in files referred to in named.conf

Page 103: Unix Server Tools

DNS

Using the DNS system. Before the Internet started to use the DNS system, there were hosts files.

However, there is one main disadvantage of using a hosts file: search time increases exponentially.

This is the main reason why the Internet started to use the DNS system.

In addition, the DNS system lets you use a distributed administrative model in order to delegate administrative rights to other people.

Page 104: Unix Server Tools

DNS: you can imagine the DNS system structure using the image below:

[Figure: the DNS name tree]
"." (root)
    |-- net, com, edu, au, ru
    ru (the .ru domain)
        |-- msu, wsu
        wsu (the .wsu.ru domain; host wsu.ru)
            |-- gw (host gw.wsu.ru), gw1 (host gw1.wsu.ru)

Page 105: Unix Server Tools

DNS zones

[Figure: domains versus zones. Under "." sit com, edu, gov, ...; under com sits the terraflora.com domain with www, servers and mfg (which contains ntserver). The terraflora.com zone and the mfg.terraflora.com zone are separate zones within the one domain]

Page 106: Unix Server Tools

DNS request:

Required information for DNS requests; making DNS requests; DNS request types:

Recursive requests, iterative requests

Page 107: Unix Server Tools

[Figure: resolving crypt.iae.nsk.su on behalf of ada.wsu.ru]
1. ada.wsu.ru -> ns.wsu.ru (212.16.195.98): IP(crypt.iae.nsk.su) = ?   (recursive request)
2. ns.wsu.ru -> root servers: IP(crypt.iae.nsk.su) = ?   (iterative; referral to ns.nsk.su, the authoritative server for nsk.su)
3. ns.wsu.ru -> ns.nsk.su: IP(crypt.iae.nsk.su) = ?   (referral to iaebox.iae.nsk.su, the authoritative server for iae.nsk.su)
4. ns.wsu.ru -> iaebox.iae.nsk.su: IP(crypt.iae.nsk.su) = ?   (answer: 193.124.169.58)
5. ns.wsu.ru -> ada.wsu.ru: IP(crypt.iae.nsk.su) = 193.124.169.58
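The exchange in the figure above, written out as an added example that is not part of the slides: a toy in which each "server" knows only its own zone and answers with either a referral (NS) or an address (A). `iterative_resolve` does what ns.wsu.ru does, walking the referrals itself; `recursive_query` is the single question-and-answer that the stub on ada.wsu.ru sees. The zone contents are constructed from the names on the slide, and only the two record types needed for the walk are modelled.

```python
"""Simulate the recursive/iterative split of a DNS lookup over a tiny namespace."""

# Constructed zone data: each server holds one delegation or one answer.
SERVERS = {
    "root":               {"nsk.su.": ("NS", "ns.nsk.su.")},
    "ns.nsk.su.":         {"iae.nsk.su.": ("NS", "iaebox.iae.nsk.su.")},
    "iaebox.iae.nsk.su.": {"crypt.iae.nsk.su.": ("A", "193.124.169.58")},
}


def best_match(zone, qname):
    """Longest suffix of qname (by label) that the server holds a record for."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate
    return None


def iterative_resolve(qname, max_steps=8):
    """Walk referrals from the root until an answer or a dead end.

    Returns (address_or_None, trace) where trace lists (server, reply) pairs.
    """
    server, trace = "root", []
    for _ in range(max_steps):
        zone = SERVERS[server]
        owner = best_match(zone, qname)
        if owner is None:
            trace.append((server, "no such name"))
            return None, trace
        rtype, value = zone[owner]
        trace.append((server, f"{rtype} {owner} -> {value}"))
        if rtype == "A" and owner == qname:
            return value, trace                 # authoritative answer
        if rtype == "NS":
            server = value                      # follow the referral
            continue
        return None, trace                      # record of another type: not an address
    raise RuntimeError("too many referrals (delegation loop?)")


def recursive_query(client, resolver, qname):
    """What the stub resolver on `client` experiences: one question, one final answer."""
    answer, trace = iterative_resolve(qname)
    return {"client": client, "resolver": resolver, "answer": answer, "hops": len(trace)}


if __name__ == "__main__":
    address, steps = iterative_resolve("crypt.iae.nsk.su.")
    for server, reply in steps:
        print(f"{server:22s} {reply}")
    print(recursive_query("ada.wsu.ru", "ns.wsu.ru", "crypt.iae.nsk.su."))
```

The `max_steps` guard matters in the real protocol too: a resolver that follows referrals without bound can be sent in circles by a misconfigured or hostile delegation.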

Page 108: Unix Server Tools

DNS system planning factors: number of servers and system platforms; server types:

primary server, secondary servers, cache servers, forward servers, stealth servers

Page 109: Unix Server Tools

DNS database resource records (RR): DNS database RR forms and types; standard RRs; DNS database file structure; the IN-ADDR.ARPA zone for reverse address-to-name translation

Page 110: Unix Server Tools

DNS RR format

[Figure: RR wire layout, 16 bits (0..15) per row]
NAME
TYPE
CLASS
TTL (32 bits)
RDLENGTH
RDATA

TYPE contains the RR type code; CLASS contains the RR class code; TTL contains the Time to Live value; RDLENGTH – data length; RDATA – data

Page 111: Unix Server Tools

DNS RR types: A, NS, MX, MD, MF, CNAME, SOA, WKS, SRV, TXT, PTR, ...

• DNS CLASS types: IN, CS, CH, HS
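The 16-bit-per-row layout above is exactly what goes on the wire, and a parser that trusts RDLENGTH without checking it against the bytes actually received is a classic source of out-of-bounds reads. The following is an added example, not from the slides: an encoder and a bounds-checking decoder for one resource record (NAME as length-prefixed labels, then TYPE, CLASS, TTL, RDLENGTH, RDATA, all big-endian), using the type and class codes listed on the slide. Compression pointers are deliberately rejected rather than followed, since that is the part of real parsers where the loops go wrong.

```python
"""Encode and decode one DNS resource record in wire format, with length checks."""
import struct

# Type and class codes for the names listed on the slide (RFC 1035 values).
TYPES = {"A": 1, "NS": 2, "MD": 3, "MF": 4, "CNAME": 5, "SOA": 6,
         "WKS": 11, "PTR": 12, "MX": 15, "TXT": 16, "SRV": 33}
CLASSES = {"IN": 1, "CS": 2, "CH": 3, "HS": 4}


def encode_name(name):
    """'ns1.test.lv.' -> b'\\x03ns1\\x04test\\x02lv\\x00' (no compression)."""
    if name == ".":
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Read a label sequence at `off`; return (name, offset after the terminator)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not handled here")
        if off + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def encode_rr(name, rtype, rclass, ttl, rdata):
    """NAME | TYPE(16) | CLASS(16) | TTL(32) | RDLENGTH(16) | RDATA."""
    header = struct.pack("!HHIH", TYPES[rtype], CLASSES[rclass], ttl, len(rdata))
    return encode_name(name) + header + rdata


def decode_rr(buf, off=0):
    """Parse one RR; return (record dict, offset after the record)."""
    name, off = decode_name(buf, off)
    if off + 10 > len(buf):
        raise ValueError("truncated RR header")
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", buf, off)
    off += 10
    rdata = buf[off:off + rdlength]
    if len(rdata) != rdlength:           # RDLENGTH claims more than we received
        raise ValueError("truncated RDATA")
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlength


def a_rdata(ip):
    """RDATA for an A record: the four address octets."""
    return bytes(int(o) for o in ip.split("."))


if __name__ == "__main__":
    rr = encode_rr("ns1.test.lv.", "A", "IN", 3600, a_rdata("10.196.5.131"))
    print(rr.hex())
    print(decode_rr(rr))
```

The A record for ns1.test.lv from the zone file later in these slides encodes to 27 bytes: 13 for the name, 10 for the fixed header, 4 for the address.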

Page 112: Unix Server Tools

DNS BIND server configuration statements:
acl – define an access control list in order to control access to server resources.
controls – define the control channel for the rndc control utility.
include – can be used to merge many configuration files into one.
key – key information used to check identity using TSIG.
logging – used to control the logging options of the DNS server.
options – different DNS server options; used mainly for global server configuration.
server – configuration options for a particular server.
trusted-keys – used for the DNSSEC protocol to hold trusted keys.
view – define view options.
zone – define zone options.

Page 113: Unix Server Tools

DNS: split DNS example:

...
view "internal" {
    match-clients { 10.0.0.0/8; };
    recursion yes;
    zone "example.com" {
        type master;
        file "example-internal.db";
    };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example-external.db";
    };
};
...

Page 114: Unix Server Tools

DNS

DNS configuration file example:

logging {
    category lame-servers { null; };
};
options {
    directory "/var/named";
    allow-transfer { 195.13.160.52; 195.244.128.2; 10.196.5.130; };
    recursive-clients 2000;
    notify yes;
};
acl "internals" {
    127.0.0.1; 10.196.0.0/16; 10.1.72.0/24; 10.129.24.0/24; 10.130.24.0/24;
};
view "internal" {
    match-clients { "internals"; };
    recursion yes;
    zone "." IN { type hint; file "named.ca"; };
    zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; };
    zone "test.lv" { type master; file "test.lv.zone"; };
};
view "external" {
    match-clients { any; };
    recursion no;
    zone "." IN { type hint; file "named.ca"; };
    zone "test.lv" { type master; file "test.lv.public.zone"; };
};

Page 115: Unix Server Tools

DNS

DNS server database file:

$ORIGIN .
$TTL 3600       ; 1 hour
test.lv         IN SOA  ns1.test.lv. jurisk.test.lv. (
                        2006040301 ; serial
                        28800      ; refresh (8 hours)
                        1800       ; retry (5 minutes)
                        1209600    ; expire (2 weeks)
                        28800      ; minimum (1 hour)
                        )
                NS      ns1.test.lv.
                A       10.196.5.131
                MX      10 eproxy.test.lv.
                MX      20 eproxy1.test.lv.
                MX      30 eproxy2.test.lv.
$ORIGIN test.lv.
router          A       10.196.5.1
eproxy          A       10.196.5.187
eproxy1         A       10.196.5.188
eproxy2         A       10.196.5.189
ns1             A       10.196.5.131
mail            CNAME   ns1
nais            A       10.196.2.11
;
; test WWW on Lattelekom servers
;
www             A       81.198.40.10
admin           A       81.198.40.10
editor          A       81.198.40.10
www             A       81.198.40.11
tavro           A       81.198.40.10
tekno           A       81.198.40.11
$ORIGIN it.test.lv.
router          A       10.196.5.1
$ORIGIN test.lv.
proxy2          A       10.196.5.8
help            A       10.196.5.10
ssiahq01        A       10.196.5.31
nw1             A       10.196.5.58

Page 116: Unix Server Tools

DNS: reverse DNS zone (in-addr.arpa)

$ORIGIN .
$TTL 3600       ; 1 hour
5.196.10.in-addr.arpa   IN SOA  ns1.test.lv. root.ns1.test.lv. (
                        2006012401 ; serial
                        3600       ; refresh (1 hour)
                        300        ; retry (5 minutes)
                        3600000    ; expire (5 weeks 6 days 16 hours)
                        3600       ; minimum (1 hour)
                        )
                NS      ns1.test.lv.
$ORIGIN 5.196.10.in-addr.arpa.
1       PTR     router.it.test.lv.
7       PTR     instructor.it2.test.lv.
8       PTR     proxy2.test.lv.
10      PTR     help.test.lv.
31      PTR     ssiahq01.test.lv.
58      PTR     nw1.test.lv.
60      PTR     sandbox.test.lv.
77      PTR     rs6000f50.test.lv.
119     PTR     risc6000f30.test.lv.
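Forward and reverse zones are maintained by hand on these slides, and named-checkzone validates each file on its own but not that they agree with each other. The following is an added example, not from the slides or from BIND: a minimal zone-file reader (handles `$ORIGIN`, `$TTL`, `;` comments and optional TTL/class columns, nothing more) and a check that every A record has a PTR pointing back at one of its owners and every PTR has a matching A record. The two sample zones are constructed from a subset of the records above, so the mismatches it reports (ns1 without a PTR, sandbox without an A record) are real in that data.

```python
"""Cross-check a forward zone against its in-addr.arpa zone."""

# Constructed from a subset of the records on the slides.
FORWARD_ZONE = """\
$ORIGIN test.lv.
$TTL 3600
router  A 10.196.5.1
proxy2  A 10.196.5.8
help    A 10.196.5.10
ns1     A 10.196.5.131
mail    CNAME ns1
$ORIGIN it.test.lv.
router  A 10.196.5.1
"""
REVERSE_ZONE = """\
$ORIGIN 5.196.10.in-addr.arpa.
1   PTR router.it.test.lv.
8   PTR proxy2.test.lv.
10  PTR help.test.lv.
60  PTR sandbox.test.lv.
"""


def fqdn(name, origin):
    """Absolute owner name: '@' is the origin, a trailing dot is already absolute."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin != "." else f"{name}."


def parse_zone(text, default_origin="."):
    """Return [(owner, type, rdata)] for each record line; one record per line."""
    origin, records = default_origin, []
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            continue
        owner, rest = toks[0], toks[1:]
        while rest and (rest[0].isdigit() or rest[0] == "IN"):   # optional TTL / class
            rest.pop(0)
        records.append((fqdn(owner, origin), rest[0], " ".join(rest[1:])))
    return records


def reverse_name(ip):
    """'10.196.5.1' -> '1.5.196.10.in-addr.arpa.'"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def check_consistency(forward, reverse):
    """List the discrepancies between A records and PTR records."""
    ptr = {owner: rdata for owner, rtype, rdata in parse_zone(reverse) if rtype == "PTR"}
    owners_by_rev = {}
    for owner, rtype, rdata in parse_zone(forward):
        if rtype == "A":
            owners_by_rev.setdefault(reverse_name(rdata), set()).add(owner)
    problems = []
    for rname, owners in sorted(owners_by_rev.items()):
        target = ptr.get(rname)
        if target is None:
            problems.append(f"no PTR for {rname} ({', '.join(sorted(owners))})")
        elif target not in owners:
            problems.append(f"{rname} PTR {target} does not match A owners {sorted(owners)}")
    for rname, target in sorted(ptr.items()):
        if rname not in owners_by_rev:
            problems.append(f"PTR {rname} -> {target} has no A record")
    return problems


if __name__ == "__main__":
    for problem in check_consistency(FORWARD_ZONE, REVERSE_ZONE):
        print(problem)
```

A stale PTR that points at a name with no A record is also what many mail servers and log analysers key on, so this check is worth running whenever either file changes.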

Page 117: Unix Server Tools

Restart named:

$ sudo /sbin/service named restart
Password:
Stopping named:
Starting named:                                            [  OK  ]

$ sudo tail /var/log/messages
Jan 28 22:36:22 womnibook named[11333]: loading configuration from '/etc/named.conf'
Jan 28 22:36:22 womnibook named[11333]: no IPv6 interfaces found
Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface eth0, 192.168.1.74#53
Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface eth1, 192.168.2.5#53
Jan 28 22:36:22 womnibook named[11333]: command channel listening on 127.0.0.1#953
Jan 28 22:36:22 womnibook named[11333]: zone johannes.org/IN: loaded serial 142
Jan 28 22:36:22 womnibook named[11333]: running
Jan 28 22:36:22 womnibook named[11333]: zone johannes.org/IN: sending notifies (serial 142)
Jan 28 22:36:22 womnibook named: named startup succeeded

Page 118: Unix Server Tools

DNS useful utilities:

dig, host, nslookup, rndc, named-checkzone, named-checkconf

Page 119: Unix Server Tools

Using Command-line Utilities

Page 120: Unix Server Tools

Mailservers

             Maturity   Security   Features   Performance
qmail        medium     high       high       high
Sendmail     high       low        high       low
Postfix      medium     high       medium     high
exim         medium     low        high       medium
Courier      low        medium     high       medium

Source: Life with qmail, p. 5

Page 121: Unix Server Tools

Configuring a Basic Email Server

Sendmail is the most widely used email server

The sendmail package contains the sendmail daemon. Sendmail is started using a script in /etc/rc.d/init.d. Sendmail is configured using the file /etc/sendmail.cf. Most email administrators prefer to use the m4 program to configure sendmail.

Page 122: Unix Server Tools

Email basics

[Figure: e-mail path. Workstation (MUA) --SMTP--> mail server (MTA, MDA, e-mail database) --SMTP--> mail server (MTA, MDA, e-mail database) --POP3/IMAP--> workstation (MUA)]

Page 123: Unix Server Tools

Simplified Mail Transactions

[Figure: Mail User Agent -> Mail Transport Agent -> Mail Transport Agent -> Mail Delivery Agent -> mbox, with a Mail Delivery Agent and mbox on each side]

Message composed using an MUA; the MUA gives the message to the MTA for delivery

If local, the MTA gives it to the local MDA; if remote, it transfers it to another MTA

Page 124: Unix Server Tools

Watching sendmail Work

Page 125: Unix Server Tools

Watching sendmail Work

Page 126: Unix Server Tools

Structure of qmail

[Figure: qmail components]
Incoming SMTP mail -> qmail-smtpd -> qmail-queue
Other incoming mail -> qmail-inject -> qmail-queue
qmail-queue -> qmail-send -> qmail-lspawn -> qmail-local
                          -> qmail-rspawn -> qmail-remote

Page 127: Unix Server Tools

Installation qmail and qmail-pop3d

tux:~# apt-get update
tux:~# apt-get install qmail

sh -c "start-stop-daemon --start --quiet --user root \
    --exec /usr/bin/tcpserver -- \
    0 pop-3 /usr/sbin/qmail-popup `hostname`.`dnsdomainname` \
    /usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir &"

Page 128: Unix Server Tools

Configuration of qmail

Configuration stored in /var/qmail/control/

Configure: relaying, multiple host names, virtual domains, aliases, qmail-users, blackhole lists, mailbox format

Page 129: Unix Server Tools

The qmail security guarantee

In March 1997, I offered $500 to the first person to publish a verifiable security hole in the latest version of qmail: for example, a way for a user to exploit qmail to take over another account.

My offer still stands. Nobody has found any security holes in qmail.

D.J.Bernstein

On November 1, 2007, Bernstein raised the reward to US$1000.

Page 130: Unix Server Tools

Principles, sendmail vs qmail

Do as little as possible in setuid programs. Of 20 recent sendmail security holes, 11 worked only because the entire sendmail system is setuid. Only qmail-queue is setuid; its only function is to add a new message to the queue.

Do as little as possible as root. The entire sendmail system runs as root, so operating system protection has no effect. Only qmail-start and qmail-lspawn run as root.

Page 131: Unix Server Tools

Principles, sendmail vs qmail

Programs and files are not addresses sendmail treats programs and files as addresses

“sendmail goes through horrendous contortions trying to keep track of whether a local user was responsible for an address. This has proven to be an unmitigated disaster”

(DJB)

qmail programs and files are not addresses “The local delivery agent, qmail-local, can run programs or write to files as directed by ~user/.qmail, but it's always running as that user. Security impact: .qmail, like .cshrc and .exrc and various other files, means that anyone who can write arbitrary files as a user can execute arbitrary programs as that user. That's it.”

(DJB)

Page 132: Unix Server Tools

Keep it simple

Parsing: limited parsing of strings minimizes the risk of security holes from configuration errors

Libraries: avoid the standard C library, stdio

"Write bug-free code" (DJB)

Page 133: Unix Server Tools

Webmail system (SquirrelMail)

[Figure: workstation (browser) <-> web server running the webmail client (SquirrelMail, acting as the MUA) <-> mail server (MTA, e-mail database)]

Page 134: Unix Server Tools
Page 135: Unix Server Tools
Page 136: Unix Server Tools
Page 137: Unix Server Tools

Apache

What is Apache? Apache's functionality; installing Apache; directory structure; configuration; tools

Page 138: Unix Server Tools

Outline

Apache; dynamic content: CGI, PHP; MySQL

Page 139: Unix Server Tools

If you request an HTML file

[Figure: the browser sends the request to the web server (1), the server fetches the HTML file from disk (2, 3) and returns it to the browser (4)]

Page 140: Unix Server Tools

Web server

...is a software program that does the following: accepts requests for web pages from a browser; looks for the requested pages on the server hard drive; sends a copy of the requested web page to the browser. A web server can only serve HTML and jpg/gif files

In our case, we use a very popular web server called Apache.

Page 141: Unix Server Tools

Apache

open-source; very popular (more than 67% of the web sites); highly configurable and extensible with third-party modules; runs on many operating systems (most of the Unix variants); is actively being developed

Page 142: Unix Server Tools

Apache functionality

DBM databases for authentication; customized responses to errors and problems; unlimited flexible URL rewriting and aliasing; virtual hosts; configurable reliable piped logs

Page 143: Unix Server Tools

Apache modules (1)

mod_access: access control based on client hostname or IP address

mod_alias: mapping different parts of the host filesystem into the document tree, and URL redirection

mod_auth: user authentication using text files

mod_autoindex: automatic directory listings

mod_cgi: invoking CGI scripts

Page 144: Unix Server Tools

Apache modules (2)

mod_include: server-parsed documents

mod_mime: determining document types using file extensions

mod_proxy: caching proxy abilities

mod_rewrite: powerful URI-to-filename mapping using regular expressions

mod_usertrack: user tracking using cookies

mod_vhost_alias: support for dynamically configured mass virtual hosting

Page 145: Unix Server Tools

Apache modules (3)

mod_ssl: this module provides strong cryptography for the Apache 1.3 web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols with the help of the open source SSL/TLS toolkit OpenSSL.

Requires Apache 1.3.x and OpenSSL 0.9.x; private and public keys; certificate authorities such as Thawte (www.thawte.com) and VeriSign (www.verisign.com)

Page 146: Unix Server Tools

Installing Apache

Unix binary package (RPM, DEB); source; Windows (MSI installer)

Page 147: Unix Server Tools

Installing Apache

$ ./configure --prefix=/usr/local/apache

$ make

$ make install

$ /usr/local/apache/bin/apachectl start

Page 148: Unix Server Tools

Installing Apache

./configure --help
--show-layout                     show the GNU style directory layout
--with-layout=GNU                 use the GNU style directory layout
--enable-suexec                   enable suEXEC support for CGI and SSI
--add-module=/path/to/mod_foo.c   compiles, installs and adds the module as a Dynamic Shared Object

Page 149: Unix Server Tools

Testing Apache installation

arnis@perkons:~$ ps aux | grep apache
root       289  0.0  0.2  8400 2564 ?  Ss  Nov15  0:02 /usr/local/apache/bin/httpd
root       307  0.0  0.1  8764 1480 ?  Ss  Nov15  0:00 /usr/local/apache-ssl/bin/httpd -DSSL
apache-    315  0.0  0.1 14768 1580 ?  S   Nov15  0:27 /usr/local/apache-ssl/bin/httpd -DSSL
apache-  13822  0.0  0.2 15224 2644 ?  S   Nov15  0:26 /usr/local/apache-ssl/bin/httpd -DSSL
apache   11290  0.0  0.3 16856 3112 ?  S   Nov17  0:31 /usr/local/apache/bin/httpd
apache     498  0.2  0.8 12596 8484 ?  S   Nov18  8:54 /usr/local/apache/bin/httpd
....

Page 150: Unix Server Tools

Testing Apache installation

Page 151: Unix Server Tools

Apache directory layout

Debian:
/etc/init.d/apache      Apache control script
/etc/apache             Apache configuration files
/var/www                default document root
/usr/lib/cgi-bin        default script directory

Page 152: Unix Server Tools

Apache directory layout (2)

/var/log/apache log files (access.log, error.log)

/usr/sbin rotatelogs, ab (Apache Benchmark)

/usr/bin htpasswd, htdigest, dbmmanage

/usr/lib/apache/1.3 Apache modules

/usr/lib/apache/suexec

Page 153: Unix Server Tools

Apache directory layout (3)

Slackware: /usr/local/apache, /usr/local/apache/conf, /usr/local/apache/htdocs, /usr/local/apache/cgi-bin, /var/log/apache, /usr/local/apache/bin

Page 154: Unix Server Tools

Apache access log

LogFormat "%v %h %l %u %t \"%r\" %>s %b" common
CustomLog /usr/local/apache/logs/access_log common

%v – virtual host, %h – remote host, %l – remote logname (identd), %u – user, %t – time, %r – HTTP request, %>s – status code, %b – size

www.atlants.lv 159.148.85.46 - - [21/Nov/2004:17:23:36 +0200] "GET /index.php?m=5 HTTP/1.1" 200 32257

Page 155: Unix Server Tools

Apache error log

ErrorLog /usr/local/apache/logs/error_log

LogLevel warn

[Sun Nov 21 09:13:42 2004] [error] PHP Fatal error: Call to undefined function PN_DBMsgError() in /home/msaule/public_html/referer.php on line 85

[Sun Nov 21 12:41:09 2004] [error] [client 81.198.145.117] File does not exist: /home/sms/public_html/favicon.ico

[Sun Nov 21 13:02:50 2004] [error] [client 66.249.66.173] File does not exist: /home/code/public_html/robots.txt

[Sun Nov 21 13:08:26 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/_vti_bin/owssvr.dll

[Sun Nov 21 13:08:26 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/MSOffice/cltreq.asp

[Sun Nov 21 13:09:07 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/_vti_bin/owssvr.dll

[Sun Nov 21 13:09:07 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/MSOffice/cltreq.asp
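The error log above already shows the pattern worth watching: one client asking four times in a minute for files that have never existed on this server (`_vti_bin/owssvr.dll`, `MSOffice/cltreq.asp`). The following is an added example, not from the slides or the Apache project: parsers for the `common` access-log format defined on the previous slide and for the error-log line format shown here, plus a function that counts "File does not exist" err ors per client so that such probing stands out. The access-log sample is the slide's line plus two constructed 404 lines; the error-log sample is the slide's lines.

```python
"""Parse Apache access and error log lines and flag clients probing for missing files."""
import re
from collections import Counter

# LogFormat "%v %h %l %u %t \"%r\" %>s %b"
ACCESS_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)
# [date] [level] [client a.b.c.d] message   (the client part is optional)
ERROR_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] \[(?P<level>\w+)\] (?:\[client (?P<client>[^\]]+)\] )?(?P<message>.*)$'
)

ACCESS_LOG = [
    # The line from the slide.
    'www.atlants.lv 159.148.85.46 - - [21/Nov/2004:17:23:36 +0200] "GET /index.php?m=5 HTTP/1.1" 200 32257',
    # Constructed: two requests for files that do not exist.
    'www.atlants.lv 192.0.2.50 - - [21/Nov/2004:17:24:01 +0200] "GET /admin/login.asp HTTP/1.0" 404 291',
    'www.atlants.lv 192.0.2.50 - - [21/Nov/2004:17:24:02 +0200] "GET /cgi-bin/test.cgi HTTP/1.0" 404 -',
]
ERROR_LOG = [
    "[Sun Nov 21 09:13:42 2004] [error] PHP Fatal error: Call to undefined function PN_DBMsgError() in /home/msaule/public_html/referer.php on line 85",
    "[Sun Nov 21 12:41:09 2004] [error] [client 81.198.145.117] File does not exist: /home/sms/public_html/favicon.ico",
    "[Sun Nov 21 13:02:50 2004] [error] [client 66.249.66.173] File does not exist: /home/code/public_html/robots.txt",
    "[Sun Nov 21 13:08:26 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/_vti_bin/owssvr.dll",
    "[Sun Nov 21 13:08:26 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/MSOffice/cltreq.asp",
    "[Sun Nov 21 13:09:07 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/_vti_bin/owssvr.dll",
    "[Sun Nov 21 13:09:07 2004] [error] [client 81.198.176.114] File does not exist: /home/refuser2/public_html/MSOffice/cltreq.asp",
]


def parse_access(line):
    """Return the fields of one common-format access line, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    method, _, rest = d["request"].partition(" ")
    d["method"] = method
    d["path"] = rest.rsplit(" ", 1)[0] if " " in rest else rest   # drop "HTTP/1.x"
    d["status"] = int(d["status"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
    return d


def parse_error(line):
    """Return the fields of one error-log line, or None."""
    m = ERROR_RE.match(line)
    return m.groupdict() if m else None


def status_counts(lines):
    """How many responses of each status code."""
    return dict(Counter(a["status"] for a in map(parse_access, lines) if a))


def missing_file_probes(error_lines, threshold=2):
    """Clients with at least `threshold` 'File does not exist' errors."""
    counts = Counter()
    for e in map(parse_error, error_lines):
        if e and e["client"] and e["message"].startswith("File does not exist"):
            counts[e["client"]] += 1
    return {client: n for client, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(status_counts(ACCESS_LOG))
    print(missing_file_probes(ERROR_LOG))
```

With the slide's data `missing_file_probes` reports only 81.198.176.114; a single favicon.ico or robots.txt miss, as from the other two clients, is normal browser and crawler behaviour and stays below the threshold.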

Page 156: Unix Server Tools

Apache configuration

Edit httpd.conf; check the configuration with "apachectl configtest"; restart Apache; check the changes.

Documentation: http://httpd.apache.org/docs/

Page 157: Unix Server Tools

Apache configuration

Virtual host:
<VirtualHost *>
    ServerName www.jrt.lv
    ServerAlias www.jrt.com
    CustomLog /usr/local/apache/logs/jrt_access_log common
    ErrorLog /usr/local/apache/logs/jrt_error_log
    DocumentRoot /home/jrt/public_html
</VirtualHost>

Page 158: Unix Server Tools

Apache configuration

.htaccess:
AuthType Basic
AuthUserFile /home/someuser/passwd
AuthName "Admin"
require valid-user

htpasswd:
htpasswd -c <password file> <username>

user1:Y90u499mUj6xE
user2:DOrWgcNwzaQUQ

Page 159: Unix Server Tools
Page 160: Unix Server Tools
Page 161: Unix Server Tools
Page 162: Unix Server Tools
Page 163: Unix Server Tools

Apache2

Unix threading; new build system; multiprotocol support; new Apache API; IPv6 support; filtering; multilanguage error responses; regular expression library updated

Page 164: Unix Server Tools

Dynamic content

[Figure: request flow for dynamic content, steps 1-6: browser -> web server -> script engine (PHP, Perl, ...) -> web server -> browser; the server holds HTML and scripts]

Page 165: Unix Server Tools

Dynamic content

Scripting engine; CGI; PHP; Apache module vs. CGI

Page 166: Unix Server Tools

Dynamic content

Apache only sends content to the user.

What if I need some resources/information from the server: send e-mail, store some information in a file (guestbook), execute Unix applications, and much more...

We need a programming language

Page 167: Unix Server Tools

Dynamic content

Script engine is a software program that does the following:

accepts scripts passed along from the web server that are of a non-HTML type; processes these scripts; returns the result of this processing to the web server.

Page 168: Unix Server Tools

Dynamic content

Two ways to serve dynamic content:

CGI
Apache module

Many programming languages to use:

PHP, Perl, Python, C, C++, shell scripts ...

Page 169: Unix Server Tools

Common gateway interface (CGI)

A standard for running external programs from a World-Wide Web HTTP server. CGI specifies how to pass arguments to the executing program as part of the HTTP request. It also defines a set of environment variables. Commonly, the program will generate some HTML which will be passed back to the browser but it can also request URL redirection.

Page 170: Unix Server Tools

CGI example

Shell script

#!/bin/bash
echo "Content-type: text/plain"
echo ""
echo "Hello world!"
echo "Today is:" `date`

Page 171: Unix Server Tools

CGI example (2)

Perl script

#!/usr/bin/perl
print "Content-type: text/plain\n\n";
print "Hello world!\n";
print "Today is: " . localtime() . "\n";
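Added example, not from the slides: a CGI script in POSIX sh that shows the other half of the CGI contract, the environment variables (QUERY_STRING, REQUEST_METHOD, REMOTE_ADDR) the server sets for the program. It decodes one query parameter and echoes it back as HTML. Every value taken from the request is HTML-escaped before it is printed and is never placed on a command line, which is the mistake that turns a shell CGI into a remote command execution hole. The file name hello.cgi is an assumption.

```sh
#!/bin/sh
# Added example, not from the slides: a CGI script in POSIX sh that uses
# the environment variables CGI defines (QUERY_STRING, REQUEST_METHOD,
# REMOTE_ADDR) and echoes a request parameter back inside HTML.
# Everything taken from the request is HTML-escaped before it is printed
# and never appears on a command line, so a crafted query string can
# neither inject markup into the page nor run anything on the server.
# Save as hello.cgi in a ScriptAlias directory (assumed name).

# html_escape STRING: neutralise the characters that have meaning in HTML.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# url_decode STRING: turn '+' into a space and %XX into the byte it encodes.
# (A trailing newline produced by %0A is dropped by the command
# substitution; that does not matter for a greeting.)
url_decode() {
    s=$(printf '%s' "$1" | sed 's/+/ /g')
    out=''
    while [ -n "$s" ]; do
        case $s in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#%}
                hex=${hex%"${hex#??}"}                  # first two hex digits
                out=$out$(printf "\\$(printf '%o' "0x$hex")")   # via octal escape
                s=${s#???}
                ;;
            *)
                out=$out${s%"${s#?}"}                   # copy one character
                s=${s#?}
                ;;
        esac
    done
    printf '%s' "$out"
}

# query_param NAME: decoded value of NAME from QUERY_STRING; empty if absent.
query_param() {
    printf '%s\n' "${QUERY_STRING:-}" | tr '&' '\n' | while IFS='=' read -r k v; do
        if [ "$k" = "$1" ]; then
            url_decode "$v"
            break
        fi
    done
}

# cgi_main: emit the header block and the page body.
cgi_main() {
    who=$(query_param name)
    [ -n "$who" ] || who='world'
    printf 'Content-type: text/html\n\n'
    printf '<html><body>\n'
    printf '<p>Hello, %s!</p>\n' "$(html_escape "$who")"
    printf '<p>Method: %s, client: %s</p>\n' \
        "$(html_escape "${REQUEST_METHOD:-unknown}")" \
        "$(html_escape "${REMOTE_ADDR:-unknown}")"
    printf '</body></html>\n'
}

# Run only when executed as a .cgi script, so the functions can also be
# sourced and exercised on their own.
case ${0##*/} in
    *.cgi) cgi_main ;;
esac
```

Requesting hello.cgi?name=%3Cscript%3E produces the text "Hello, &lt;script&gt;!" in the page source, not a script element; the same escaping applies to the server-supplied values, which Apache sets but which still originate from the client's connection.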

Page 172: Unix Server Tools

Apache modules

mod_perl
mod_perl brings together the full power of the Perl programming language and the Apache HTTP server. You can use Perl to manage Apache, respond to requests for web pages and much more.

mod_php
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML.

mod_python, OpenASP Module, ...

Page 173: Unix Server Tools

PHP

What is PHP? Installing PHP Configuring PHP

Page 174: Unix Server Tools

PHP: Hypertext Preprocessor (PHP)

<html>
  <head>
    <title>Example</title>
  </head>
  <body>
    <?php
      echo "Hi, I'm a PHP script!";
    ?>
  </body>
</html>

Page 175: Unix Server Tools

PHP Pros

easy to learn
ideal for small projects
widely used
no strong typing

Cons
no strong typing
code maintenance
interpreted language
executes in the Web server process

Page 176: Unix Server Tools

Installing PHP

Server-side scripting

Command line scripting

Client-side GUI applications

Page 177: Unix Server Tools

Installing PHP

Gentoo

# emerge \<apache-2
# USE="-*" emerge php mod_php
# ebuild /var/db/pkg/dev-php/mod_php-<your PHP version>/mod_php-<your PHP version>.ebuild config
# nano /etc/conf.d/apache
  Add "-D PHP4" to APACHE_OPTS
# rc-update add apache default
# /etc/init.d/apache start

Page 178: Unix Server Tools

Installing PHP

Source installation

Install PHP:
./configure --with-mysql --with-apxs=/www/bin/apxs
make
make install
cp php.ini-dist /usr/local/lib/php.ini

Edit your httpd.conf to load the PHP module:
LoadModule php4_module libexec/libphp4.so
AddModule mod_php4.c
AddType application/x-httpd-php .php .phtml

Restart Apache

Page 179: Unix Server Tools

PHP Configuration

php.ini read once at web server startup

; any text on a line after an unquoted semicolon (;) is ignored

[php] ; section markers (text within square brackets) are also ignored

; Boolean values can be set to either: ; true, on, yes

; or false, off, no, none

register_globals = off

track_errors = yes

; you can enclose strings in double-quotes

include_path = ".:/usr/local/lib/php"

Page 180: Unix Server Tools

PHP Configuration

php.ini directives

max_execution_time = 30 ; Maximum execution time of each script, in seconds
max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)

; - Show all errors except for notices and coding standards warnings
error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT
display_errors = Off
log_errors = On
error_log = filename

Page 181: Unix Server Tools

PHP Configuration

Apache configuration file

<VirtualHost 10.10.10.10>
    DocumentRoot /home/someuser/public_html
    ServerName www.somesite.lv
    <Directory /home/someuser/public_html/>
        php_admin_value open_basedir /home/someuser/:/tmp/:/usr/share/pear/
        php_value auto_prepend_file /home/someuser/includes/default.inc
        php_value upload_max_filesize 10M
    </Directory>
</VirtualHost>

Page 182: Unix Server Tools

PHP Configuration

.htaccess file

AddType application/x-httpd-php .php3
php_value include_path .:/home/someuser/includes:/home/someuser/public_html
php_flag register_globals Off

PHP scripts

<?php
ini_set("display_errors", "true");
ini_set("error_log", "/home/someuser/log/php.log");
...
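Added example, not from the slides: a small audit script for the php.ini directives discussed on the preceding slides. php_ini_get parses the ini format as described there (text after ';' ignored, section markers ignored, last assignment wins) and audit_php_ini checks that register_globals and display_errors are explicitly off and that log_errors is on with an error_log set, the production combination the slides show. The sample php.ini it writes is constructed from the slides' values.

```sh
#!/bin/sh
# Added example, not from the slides: audit of the php.ini directives the
# slides discuss (register_globals, display_errors, log_errors, error_log).
# Pure POSIX sh + awk, so it runs on any server.

# php_ini_get FILE DIRECTIVE: print the directive's value. Comments (text
# after ';'), section markers and surrounding quotes are ignored and the
# last assignment wins, as in PHP. A ';' inside a quoted value is not
# handled, which is fine for the directives audited below.
php_ini_get() {
    awk -v key="$2" '
        { sub(/;.*$/, "") }                       # strip comments
        /^[ \t]*\[/ || /^[ \t]*$/ { next }        # section markers, blank lines
        {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/^"/, "", v); gsub(/"$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }
    ' "$1"
}

# php_bool_off VALUE: true when PHP reads VALUE as false
# (off, no, none, false, 0 or empty; case-insensitive).
php_bool_off() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        '' | 0 | off | no | none | false) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_php_ini FILE: report the production-relevant settings; the return
# value is the number of problems found (0 = clean).
audit_php_ini() {
    problems=0
    for d in register_globals display_errors; do
        v=$(php_ini_get "$1" "$d")
        if [ -n "$v" ] && php_bool_off "$v"; then
            echo "ok: $d = $v"
        else
            echo "FAIL: $d must be explicitly off (is '${v:-unset}')"
            problems=$((problems + 1))
        fi
    done
    v=$(php_ini_get "$1" log_errors)
    if [ -n "$v" ] && ! php_bool_off "$v"; then
        echo "ok: log_errors = $v"
    else
        echo "FAIL: log_errors must be on (is '${v:-unset}')"
        problems=$((problems + 1))
    fi
    v=$(php_ini_get "$1" error_log)
    if [ -n "$v" ]; then
        echo "ok: error_log = $v"
    else
        echo "FAIL: error_log must name a log file"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# write_sample_ini FILE: constructed php.ini built from the slides' values.
write_sample_ini() {
    cat > "$1" <<'EOF'
; any text on a line after an unquoted semicolon (;) is ignored
[php] ; section markers (text within square brackets) are also ignored
register_globals = off
track_errors = yes
include_path = ".:/usr/local/lib/php"
error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT
display_errors = Off
log_errors = On
error_log = /home/someuser/log/php.log
EOF
}

# Demo: ./php-ini-audit.sh demo   (writes the sample file and audits it)
if [ "${1:-}" = demo ]; then
    f=$(mktemp); write_sample_ini "$f"; audit_php_ini "$f"; rm -f "$f"
fi
```

Point audit_php_ini at the file that "php -i" reports as the loaded php.ini; a per-directory php_value or ini_set() can still override these settings, so the Apache configuration and the scripts need the same review.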

Page 183: Unix Server Tools

Apache module vs. CGI

Apache module
  Good performance
  One user for all websites
    Other users' source files can be accessed
    PHP safe_mode

CGI
  New process each time
  suEXEC – each website under its own user
  fastCGI

Page 184: Unix Server Tools

Apache, PHP and MySQL

[Diagram: Browser, Webserver, PHP Engine and MySQL Database Server; labels "HTML" and "PHP"; request/response steps numbered 1 to 8]

Page 185: Unix Server Tools

MySQL

About MySQL
Installing MySQL
MySQL directory structure
MySQL commands
Some examples
PHPMyAdmin

Page 186: Unix Server Tools

MySQL

Open source
Very fast
Stable
Easy to use
Independent storage engines
Can be run with or without transaction control
Security
  SSL support
  Resources configurable on a per-user basis

Page 187: Unix Server Tools

MySQL 4.x

Subqueries
New client-server protocol with prepared statements
Unicode and UTF-8 support
Query caching
Much more...

Page 188: Unix Server Tools

Installing MySQL

Binary distribution

shell> groupadd mysql
shell> useradd -g mysql mysql
shell> cd /usr/local
shell> gunzip < /path/to/mysql-VERSION-OS.tar.gz | tar xvf -
shell> ln -s full-path-to-mysql-VERSION-OS mysql
shell> cd mysql
shell> scripts/mysql_install_db --user=mysql
shell> chown -R root .
shell> chown -R mysql data
shell> chgrp -R mysql .
shell> bin/mysqld_safe --user=mysql &

Page 189: Unix Server Tools

Installing MySQL

Source distribution

shell> groupadd mysql
shell> useradd -g mysql mysql
shell> gunzip < mysql-VERSION.tar.gz | tar -xvf -
shell> cd mysql-VERSION
shell> ./configure --prefix=/usr/local/mysql
shell> make
shell> make install
shell> cp support-files/my-medium.cnf /etc/my.cnf
shell> cd /usr/local/mysql
shell> bin/mysql_install_db --user=mysql
shell> chown -R root .
shell> chown -R mysql var
shell> chgrp -R mysql .
shell> bin/mysqld_safe --user=mysql &

Page 190: Unix Server Tools

Post-Installation Procedures

Check installation: shell> bin/mysqladmin version

Create system tables: shell> bin/mysql_install_db --user=mysql

Make the necessary databases and users:

CREATE DATABASE
GRANT

Page 191: Unix Server Tools

MySQL directory structure

./ MySQL server control scripts

bin/ MySQL server, MySQL client and command-line tools

data/ Databases – directories; Tables – files (MYD, MYI, FRM)

var/log Log files

Page 192: Unix Server Tools

MySQL binaries

mysql MySQL client

mysqladmin MySQL administration tool

mysqldump Tool for creating database dumps

Page 193: Unix Server Tools

MySQL commands

CREATE DATABASE <database name>
DROP
GRANT ALL PRIVILEGES ON database.* TO user@localhost IDENTIFIED BY ‘password’
  Privilege type (ALL, ALTER, CREATE, DELETE, INSERT, SELECT, GRANT, ...)
  Privilege level (global, database, table, column)
  User and host (localhost, IP address, network, %)
REVOKE
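Added example, not from the slides: a shell helper that generates the CREATE DATABASE and GRANT statements for a web application's database user, using only the privilege types a typical site needs (SELECT, INSERT, UPDATE, DELETE) at database level instead of ALL PRIVILEGES, and validating the database, user and host names before they are placed in SQL. The GRANT ... IDENTIFIED BY form is the one on the slide (MySQL 4.x/5.x); MySQL 8 requires a separate CREATE USER first. The output is meant to be piped into the mysql client as root.

```sh
#!/bin/sh
# Added example, not from the slides: emit least-privilege provisioning SQL
# for one web application. Names are validated and the password escaped, so
# the helper can safely be fed from a provisioning script.
# Usage: mysql_grant_sql DB USER HOST PASSWORD | mysql -u root -p

# valid_identifier NAME: only [A-Za-z0-9_], 1..64 characters.
valid_identifier() {
    case $1 in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# valid_host HOST: localhost, %, or an IPv4 address/pattern such as
# 10.10.10.% or 10.10.10.0/255.255.255.0 (the host forms on the slide).
valid_host() {
    case $1 in
        localhost | %) return 0 ;;
        '' | *[!0-9.%/]*) return 1 ;;
    esac
    return 0
}

# sql_escape STRING: escape backslashes and single quotes for a MySQL
# string literal.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g"
}

# mysql_grant_sql DB USER HOST PASSWORD: print the statements, or fail
# (non-zero, message on stderr) when an argument is not acceptable.
mysql_grant_sql() {
    db=$1 user=$2 host=$3 pw=$4
    valid_identifier "$db"   || { echo "invalid database name: $db" >&2; return 1; }
    valid_identifier "$user" || { echo "invalid user name: $user" >&2; return 1; }
    valid_host "$host"       || { echo "invalid host: $host" >&2; return 1; }
    [ -n "$pw" ]             || { echo "empty password" >&2; return 1; }
    printf 'CREATE DATABASE IF NOT EXISTS `%s`;\n' "$db"
    # Row-level privileges only: the application has no reason to ALTER or
    # DROP its own schema, and no access to other databases on the server.
    printf 'GRANT SELECT, INSERT, UPDATE, DELETE ON `%s`.* TO %s@%s IDENTIFIED BY %s;\n' \
        "$db" "'$user'" "'$host'" "'$(sql_escape "$pw")'"
}

# Example: mysql_grant_sql mydb app localhost 's3cret' | mysql -u root -p
```

Schema changes (CREATE, ALTER, DROP) are then done with a separate administrative account, and a compromised PHP script that reuses the application credentials can read and write only this database.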

Page 194: Unix Server Tools

PHP and database example

MySQL and SQLite Examples

Page 195: Unix Server Tools

PHPMyAdmin

phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web (http://www.phpmyadmin.net/)

CREATE/DROP databases CREATE/DROP/ALTER tables Delete/add/edit/search information Execute SQL queries Manage privileges Export data

Page 196: Unix Server Tools
Page 197: Unix Server Tools
Page 198: Unix Server Tools

PHP and SQLite example

<?php
// create new database (OO interface)
$db = new SQLiteDatabase("db.sqlite");

// create table foo and insert sample data
$db->query("BEGIN;
    CREATE TABLE foo(id INTEGER PRIMARY KEY, name CHAR(255));
    INSERT INTO foo (name) VALUES('Ilia');
    INSERT INTO foo (name) VALUES('Ilia2');
    INSERT INTO foo (name) VALUES('Ilia3');
    COMMIT;");

// execute a query
$result = $db->query("SELECT * FROM foo");
// iterate through the retrieved rows
while ($result->valid()) {
    // fetch current row
    $row = $result->current();
    print_r($row);
    // proceed to next row
    $result->next();
}

// not generally needed as PHP will destroy the connection
unset($db);
?>

Page 199: Unix Server Tools

PHP and MySQL example

<?php
// Connecting, selecting database
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    or die('Could not connect: ' . mysql_error());
echo 'Connected successfully';
mysql_select_db('my_database') or die('Could not select database');

// Performing SQL query
$query = 'SELECT * FROM my_table';
$result = mysql_query($query) or die('Query failed: ' . mysql_error());

// Printing results in HTML
echo "<table>\n";
while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
    echo "\t<tr>\n";
    foreach ($line as $col_value) {
        // escape the value so stored data cannot inject HTML into the page
        echo "\t\t<td>" . htmlspecialchars($col_value) . "</td>\n";
    }
    echo "\t</tr>\n";
}
echo "</table>\n";

// Free resultset
mysql_free_result($result);

// Closing connection
mysql_close($link);
?>