
linux network administration.pdf

Jul 05, 2018


Aditya Kaushal
8/16/2019 linux network administration.pdf

Study Guide for

Advanced Linux Network Administration

Lab work for LPI 202

released under the GFDL by LinuxIT

April 2004


GNU Free Documentation License

Copyright (c) 2003 LinuxIT. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being History, Acknowledgements, with the Front-Cover Texts being released under the GFDL by LinuxIT.

GNU Free Documentation License

Version 1.2, November 2002

Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.


A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

HTML, PostScript or PDF designed for human modification. HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section " ... However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also l​end copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects. If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity,


to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

• A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

• B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

• C. State on the Title page the name of the publisher of the Modified Version, as the publisher.

• D. Preserve all the copyright notices of the Document.

• E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

• F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

• G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

• H. Include an unaltered copy of this License.

• I. Preserve the section


organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections


If a section in the Document is ... However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.


1. DHCP Configuration ........................................ 48
1.1 Default DHCP Configurations ............................. 48
1.2 Dynamic DNS ............................................. 50
1.3 DHCP Relay .............................................. 52
2. NIS Configuration ........................................ 53
2.1 Master Server Configuration ............................. 53
2.2 Slave Server Configuration .............................. 54
2.2 Client Setup ............................................ 54
2.3 Setting up NFS home directories ......................... 55
2.4 Basic NIS Administration ................................ 55
3. LDAP Configuration ....................................... 57
3.1 What is ldap ............................................ 57
3.2 OpenLDAP server configuration ........................... 58
3.3 Client configuration files .............................. 59
3.4 Migrating System Files to LDAP .......................... 60
3.5 LDAP Authentication Scheme .............................. 64
4. PAM Authentication ....................................... 67
4.1 PAM Aware Applications .................................. 67
4.2 PAM Configuration ....................................... 67

System Security ............................................. 69
1. Ipchains and Iptables .................................... 70
1.1 The Tables .............................................. 70
1.2 The Targets ............................................. 70
1.3 ........................................................ 73
2.2 LSOF .................................................... 74
2.3 N


LinuxIT Technical Education Centre

Mail and Lists

1. Configuring Mailing Lists


    1. Configuring Mailing Lists

1.1 Majordomo and Sendmail

Download the code from

http://www.greatcircle.com/majordomo/

Source version majordomo-1.94.5.tar.gz

Pre-installation Config, as is:

W_HOME = /usr/test/majordomo-$(VERSION)

You need to create the directory /usr/test:

mkdir /usr/test

Create a group called majordomo with GID 45, and add a user called majordomo with UID 123:

groupadd -g 45 majordomo

useradd -g 45 -u 123 majordomo

2. In the sample.cf file we need to define our domain (for example seafront.bar). This is also where the path to the sendmail binary is set:

$whereami = "seafront.bar";
$sendmail_command = "/usr/sbin/sendmail";

Now we can run

make install


make install-wrapper

Finally you can test the configuration as suggested with the following:

cd /usr/test/majordomo-1.94.5; ./wrapper config-test

If all goes well you will be prompted to register to the majordomo mailing list. Since we do not have a valid email address, answer NO to the question.

Sendmail Configuration


answer test"
owner-test: tux
test-approval: tux

3. Run newaliases and restart sendmail.

Majordomo Test

Send an email to [email protected] with the content: subscribe test

If all goes well you will receive a response with further steps to be taken.

     

    2. Using Sendmail 

2.1 Configuration


Sendmail Settings

Here we need to do the following:

1. By default sendmail is configured to listen for connections ONLY on the 127.0.0.1 interface. In order to make sendmail listen on all interfaces we need to comment out the following line in /etc/mail/sendmail.mc using 'dnl', which stands for "do next line":

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Once this is done run

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Notice: Make sure /etc/sendmail.cf isn't also there; if it is, delete it.

Restart sendmail and try the following:

telnet test1.seafront.bar 25

... host-names

seafront.bar

Restart sendmail and send a mail to an existing user. If you have a user tux on the machine then check the output of the following:

mail -v -s "test seafront domain" [email protected] < /etc/passwd


2.2 Virtual Hosting

We want the server seafront.bar to accept mail for the city.bar domain. For this we follow the following steps.

The DNS entries

We need to add an MX record for the city.bar domain. Here is the whole block for clarity:

seafront.bar. IN MX 10 test1.seafront.bar.
city.bar. IN MX 10 test1.seafront.bar.
test1.seafront.bar. IN A 192.168.246.12

Reload the zone file:

rndc reload

Sendmail Settings

... host-names file:

city.bar

If mail is sent to [email protected] and tux is a valid user on test1.seafront.bar then mail will be delivered to the local user tux.

To avoid this we can use the /etc/mail/virtusertable database.

2. If you want to forward mail onto another account here are example entries for the virtusertable database:

tux@city.bar        mr.tux@otherdomain.org
@city.bar           administrator
list@city.bar       local-list

Here mail for user tux is diverted to mr.tux@otherdomain.org, the user administrator is the catchall account, and lists are redirected to local lists (this needs to point to a valid list defined in the aliases
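The lookup order described above, as an added example that is not the guide's code: an exact user@domain entry in the virtusertable wins, then the @domain catch-all, otherwise the mail is delivered as addressed (so tux@city.bar reaches the local user tux once city.bar is in local-host-names). Local results are then expanded through a constructed aliases map, and a target that exists nowhere is flagged, which is the "valid list defined in the aliases" check the text asks for; the aliases, local users and local domains are assumptions.

```python
"""Trace where a recipient ends up after sendmail's virtusertable and aliases lookups."""

# Constructed copy of the guide's three virtusertable entries.
VIRTUSERTABLE = """\
tux@city.bar        mr.tux@otherdomain.org
@city.bar           administrator
list@city.bar       local-list
"""

# Constructed aliases, local accounts and local-host-names for test1.seafront.bar.
ALIASES = {"local-list": ["tux", "administrator"]}
LOCAL_USERS = {"tux", "administrator"}
LOCAL_DOMAINS = {"seafront.bar", "city.bar"}


def parse_virtusertable(text):
    """Return {key: target}; keys are lower-cased, '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("malformed virtusertable line: %r" % raw)
        table[parts[0].lower()] = parts[1]
    return table


def virtuser_lookup(address, table):
    """Rewrite one address the way the virtusertable map does (no %1 expansion)."""
    local, sep, domain = address.lower().rpartition("@")
    if not sep:
        return address                      # no domain part, nothing to rewrite
    exact = table.get("%s@%s" % (local, domain))
    if exact is not None:
        return exact                        # user@domain entry wins
    return table.get("@" + domain, address) # then the domain catch-all, else unchanged


def final_recipients(address, table, aliases, local_users, local_domains):
    """Return the set of final delivery targets for address.

    A rewritten address in a non-local domain is relayed as-is. A local name is
    expanded through aliases (recursively, loops stop at names already seen) until
    a local user is reached; a name that is neither alias nor user is reported as
    UNDELIVERABLE, which is the dangling-list mistake the guide warns about.
    """
    target = virtuser_lookup(address, table)
    local, sep, domain = target.rpartition("@")
    if sep and domain.lower() not in local_domains:
        return {target}
    name = local if sep else target
    results, pending, seen = set(), [name], set()
    while pending:
        name = pending.pop()
        if name in seen:
            continue
        seen.add(name)
        if name in aliases:
            pending.extend(aliases[name])
        elif name in local_users:
            results.add(name)
        else:
            results.add("UNDELIVERABLE:" + name)
    return results


TABLE = parse_virtusertable(VIRTUSERTABLE)
```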


3. Managing Mail Traffic

3.1 Using Procmail

In-depth information can be found in the procmail, procmailrc and procmailex manpages. Here are a few examples taken from procmailex(5):

Sort all mail coming from the lpi-dev mailing list into the mail folder LPI:

:0:
* ^TO_lpi-dev
LPI

Forward mails between two accounts main.address and the-other.address. This rule is for the procmailrc on the main address account. Notice the X-Loop header used to prevent loops:

:0 c
* !^X-Loop: yourname@main.address
| formail -A "X-Loop: yourname@main.address" | \
    $SENDMAIL -oi the-other.address
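The loop guard in the recipe above, replayed in Python as an added example (not the guide's or procmail's code): keep the local copy, forward only when our own X-Loop marker is absent, and stamp it before forwarding. Two accounts that forward to each other are then simulated with and without the guard; the addresses are placeholders taken from the guide's text.

```python
"""Loop-safe forwarding with an X-Loop marker, as in the procmail recipe."""
import email
from email import policy

MAIN = "yourname@main.address"           # constructed, as in the guide
OTHER = "yourname@the-other.address"     # constructed


def forward_once(raw_message, my_address, other_address):
    """Return (recipient, forwarded text), or None when our marker is already present.

    None is the case where the recipe condition '* !^X-Loop: ...' fails: the ':0 c'
    copy is still delivered locally, but nothing is forwarded.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    markers = [v.strip() for v in msg.get_all("X-Loop", [])]
    if my_address in markers:
        return None
    msg["X-Loop"] = my_address            # what 'formail -A' appends
    return other_address, msg.as_string()


def simulate_pingpong(raw_message, guarded=True, max_hops=20):
    """Count forwards when MAIN and OTHER both run the forwarding recipe.

    With guarded=False the X-Loop condition is ignored, which is the mail loop the
    recipe exists to prevent; max_hops stands in for an unbounded loop.
    """
    hops = 0
    holder, peer, text = MAIN, OTHER, raw_message
    while hops < max_hops:
        if guarded:
            result = forward_once(text, holder, peer)
        else:
            msg = email.message_from_string(text, policy=policy.default)
            msg["X-Loop"] = holder
            result = (peer, msg.as_string())
        if result is None:
            break                         # the marker came back to us: stop
        hops += 1
        _, text = result
        holder, peer = peer, holder       # the message is now in the other mailbox
    return hops


SAMPLE = (                               # constructed message
    "From: alice@example.org\r\n"
    "To: yourname@main.address\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "ping\r\n"
)
```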


DNS

1. Using dig and host

2. Basic Bind 8 Configuration


1. Using dig and host

The bind-utils package provides a number of tools used to query DNS servers. We will use dig

... recursive queries

By forcing all queried DNS servers not to perform recursive queries we will discover that we need to manually follow the thread of information (the list of DNS servers for each domain) in order to get an answer.

For this we need to query a hostname that has not been cached on our local server yet.
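The manual walk described above, as an added example that is not part of the guide: three constructed server tables answer like nameservers queried without recursion (an authoritative answer for a zone they hold, otherwise a referral to the next delegation), and the resolver follows the referrals from the root down. Names reuse the guide's seafront.bar example; the root and TLD servers and the 192.168.246.1 address are placeholders.

```python
"""Follow a DNS delegation chain by hand, the way non-recursive dig does."""

# Constructed authoritative data, per server: {zone: {owner name: {type: value}}}.
SERVERS = {
    "l.root-servers.net.": {
        ".": {"bar.": {"NS": "ns.bar."}},              # root knows only the TLD delegation
    },
    "ns.bar.": {
        "bar.": {"seafront.bar.": {"NS": "ns.seafront.bar."}},
    },
    "ns.seafront.bar.": {
        "seafront.bar.": {
            "seafront.bar.": {"NS": "ns.seafront.bar.", "MX": "10 test1.seafront.bar."},
            "test1.seafront.bar.": {"A": "192.168.246.12"},
            "ns.seafront.bar.": {"A": "192.168.246.1"},
        },
    },
}


def in_zone(name, zone):
    """True when name is at or below zone (both absolute, trailing dot)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def query(server, qname, qtype):
    """Answer like a server with recursion disabled.

    Returns ('answer', value), ('referral', nameserver), ('nxdomain', None) or
    ('refused', None) when the server holds no zone that covers qname.
    """
    zones = SERVERS[server]
    best = max((z for z in zones if in_zone(qname, z)), key=len, default=None)
    if best is None:
        return "refused", None
    records = zones[best]
    if qname in records and qtype in records[qname]:
        return "answer", records[qname][qtype]
    for name, rrs in records.items():           # a delegation below this zone?
        if name != best and "NS" in rrs and in_zone(qname, name):
            return "referral", rrs["NS"]
    return "nxdomain", None


def resolve(qname, qtype, start="l.root-servers.net.", max_steps=10):
    """Return (value, path): path is the list of servers consulted in order.

    value is None when the name does not exist, when a referral points at a server
    we cannot reach (a lame delegation), or when referrals loop.
    """
    server, path = start, []
    for _ in range(max_steps):
        path.append(server)
        kind, data = query(server, qname, qtype)
        if kind == "answer":
            return data, path
        if kind != "referral" or data in path or data not in SERVERS:
            return None, path
        server = data
    return None, path
```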


Result: The root DNS server L.ROOT-S


would yield an answer since all the information is now cached on the local caching server.

Search the NS records for a domain (authoritative DNS servers):

host -t NS tldp.org

tldp.org name server ns2.unc.edu.
tldp.org name server ncnoc.ncren.net.
tldp.org name server ns.unc.edu.

Search the MX record for a domain:

host -t MX tldp.org

tldp.org mail is handled by 0 gabber.metalab.unc.edu

Finally, it is possible to see all records with host -a.

2. Basic Bind 8 Configuration

The configuration file for a Bind 8 server is /etc/named.conf. This file has the following main entries:

Main entries in named.conf

lo


zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
    allow-update { none; };
};

2.1 The Logging Statement


foo_channel. Next we want to log queries using this channel. The entry in named.conf will look like this:

logging {
    channel foo_channel {
        file "LOG";
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    category "queries" {
        "foo_channel";
    };
};

Categories such as queries are predefined and listed in the named.conf(5) manpages. However some of the names have changed, so we include as a reference the list of categories for BIND 9 below:

BIND 9 Logging Categories

default: category used when no specific channels (log levels, files ...) have been defined
general: catch-all for messages that haven't been classified below
database: messages about the internal zone files
security: approval of requests
config: processing of the configuration file
resolver: information about operations performed by clients
xfer-in or xfer-out: received or sent zone files
notify: log NOTIFY messages
client: client activity
update: zone updates
queries: client queries
dnssec: DNS


};

We next cover the most common options.

version: the manpage says "The version the server should report via the ndc command. The default is the real version number of this server, but some server operators prefer the string (surely you must be joking)":

version "(surely you must be joking)";

directory: the working directory of the server:

directory "/var/named";

fetch-


datasize: limit the size of the cache:

datasize 512M;

allow-query (list): list of hosts or networks that may query the server

allow-recursion (list): list of hosts that can submit recursive queries

allow-transfer (list): list of hosts (usually the slaves) who are allowed to do zone transfers

2. The Zone Statement

The syntax for a zone entry in named.conf is as follows:

zone domain_name {
    type zone_type;
    file zone_file;
    local_options;
};

We first look at the local_options available. Some of these are the same options with the same syntax as the global options we have just covered (with some additional ones). The most common ones are notify, allow-transfer and allow-query. Additional ones are masters (list of master servers) or dialup.

The domain_name is the name of the domain we want to keep records for. For each domain name there is usually an additional zone that controls the local in-addr.arpa zone.

The zone_type can either be:

master: the server has a master copy of the zone file
slave: the server has a version of the zone file that was downloaded from a master server
hint: predefined zone containing a list of root servers
stub: similar to a slave server but only keeps the NS records

The zone_file is a path to the file containing the zone records. If the path is not an absolute path then the path is taken relative to the directory given earlier by the directory option (usually /var/named).
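An added example, not code from the guide or from BIND, that reads the options and zone statements described above and reports the two settings a defender checks first: master or slave zones whose effective allow-transfer is absent or any (BIND 8 and BIND 9 of the guide's era allowed zone transfers to all hosts when the option was not set) and recursion open to any client. The parser handles only the statement shapes shown on this page, and the sample config is constructed from the guide's seafront.bar zone plus a city.bar zone used to show the failure.

```python
"""Audit allow-transfer and allow-recursion in a named.conf fragment."""
import re

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def parse_named_conf(text):
    """Parse into nested [(keyword, [args...], body_or_None), ...]."""
    text = re.sub(r"(//|#).*", "", text)          # line comments; /* */ not handled
    tokens = TOKEN.findall(text)
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != "}":
            start = pos
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
                words.append(tokens[pos].strip('"'))
                pos += 1
            body = None
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                body = block()
                if pos < len(tokens) and tokens[pos] == "}":
                    pos += 1
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
            if words:
                stmts.append((words[0], words[1:], body))
            if pos == start:
                break                                 # malformed input, no progress
        return stmts

    return block()


def acl_words(stmts, name):
    """Address-match list of option `name` as strings, or None if it is absent."""
    for kw, _, body in stmts:
        if kw == name:
            return [" ".join([k] + a) for k, a, _ in (body or [])]
    return None


def audit(text):
    """Return a list of findings; empty when the fragment passes both checks."""
    stmts = parse_named_conf(text)
    findings = []
    options = next((body for kw, _, body in stmts if kw == "options"), None) or []
    recursion = acl_words(options, "allow-recursion")
    if recursion is None or "any" in recursion:
        findings.append("options: allow-recursion is %s; any client can use this server "
                        "as a recursive (open) resolver"
                        % ("absent" if recursion is None else "{ any; }"))
    global_xfer = acl_words(options, "allow-transfer")
    for kw, args, body in stmts:
        if kw != "zone" or body is None:
            continue
        ztype = next((a[0] for k, a, _ in body if k == "type" and a), "")
        if ztype not in ("master", "slave"):
            continue
        effective = acl_words(body, "allow-transfer")
        if effective is None:
            effective = global_xfer                   # zone inherits the global option
        if effective is None or "any" in effective:
            findings.append("zone %s: allow-transfer is unrestricted; the whole zone "
                            "can be pulled with AXFR" % args[0])
    return findings


# Constructed from the guide's example; city.bar is added without allow-transfer.
GUIDE_CONFIG = """\
options {
    directory "/var/named";
    allow-recursion { any; };
};

include "/etc/slave.key";

zone "seafront.bar" IN {
    type master;
    file "seafront.zone";
    allow-transfer { key seafront.bar.; };
};

zone "city.bar" IN {
    type master;
    file "city.zone";
};
"""

# Same config with recursion limited to the LAN and transfers denied by default.
HARDENED_CONFIG = GUIDE_CONFIG.replace(
    "allow-recursion { any; };",
    "allow-recursion { 192.168.246.0/24; };\n    allow-transfer { none; };")
```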


localhost: all IP addresses of the local interfaces
localnets: the networks associated with the localhost interfaces

The Server Statement

This statement is used to assign configuration options for a specific server. For example if a server is giving bad information it can be marked as bo


IN NS ns

NOTICE:

1. If the name of the domain is missing then @ is assumed.

2. The fully qualified name of the name-server is ns.seafront.bar. (with the trailing dot). A host name that doesn't end with a dot will automatically have the domain-name '@' appended to it. Here for example:

ns  becomes  ns.seafront.bar.

3 - Records defining the mail-servers for this domain, the MX records:

domain-name IN MX PRI mail-server

The PRI entry is a priority number. If several mail-servers are defined for a domain then the servers with the lowest priority number are used first.

4 - Authoritative information for hosts on the domain, called A records:

host-name IN A IP-address

Authority Dele


was started within the I


3. Apply the following changes in named.conf:

include "/etc/slave.key";

zone "seafront.bar" IN {
    type master;
    file "seafront.zone";
    allow-transfer { key seafront.bar.; };
};

zone "2.1.10.in-addr.arpa" {
    type master;
    file "10.1.2.zone";
    allow-transfer { key seafront.bar.; };
};

Slave Configuration


Data authenticity may be compromised at different levels. The recognised areas are:

- altered slave zone files
- cache impersonation
- cache poisoning

New RR records

The integrity and authenticity of data is guaranteed by signing the Resource Records using a private key. These signatures can be verified using a public DNSK


WARNING: This version of dnssec-signzone produces zones that are incompatible with the forthcoming DS based DNSSEC switch which would allow to make use of a key signing key (KSK) which is then forwarded to a parent zone to generate a DS record ...

If you want to make use of this signed zone, change the filename in named.conf for the seafront.bar zone to "seafront.bar.signed".


Hosts

We will cover virtual hosts when configuring SSL servers later in this chapter. For now we distinguish two concepts:

<VirtualHost IP:PORT>   IP based virtual host

<VirtualHost HOSTNA


    Linux%T Technical oever most default confi#urations involve a sin#le apache server listenin#

    on both ports J0 and BBA.

    9or this an additional Listen directive is set in htt#d&conf askin# the server to listen onport BBA. /pache ill then bind to both ports BBA and J0. Non encr!pted connections arehandled on port J0 hile an $$L aare virtual host is confi#ured to listen on port BBA

    SSL CONFIGURATION

    The SSL CONFIGURATION lines are:

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLCertificateFile PATH_TO_FILE.crt
        SSLCertificateKeyFile PATH_TO_FILE.key

    We need to generate the server's private key (FIL
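    The SSLCipherSuite line above starts from ALL and then re-adds LOW, SSLv2 and EXP classes, which is what a 2003-era default looked like. The following Python script is an added example (it is not part of the LinuxIT guide) that parses an SSLCipherSuite value written in OpenSSL cipher-list syntax and reports which weak cipher classes the value leaves enabled. The WEAK table, the simplified treatment of the ALL selector, and the HARDENED_SUITE string are this example's own assumptions; GUIDE_SUITE is the value from the guide.

```python
"""Audit an Apache SSLCipherSuite value written in OpenSSL cipher-list syntax."""

# Cipher-list keywords a server should not leave enabled, with a short reason.
# (This table is the example's own choice, not a setting from the guide.)
WEAK = {
    "SSLv2":    "SSLv2 cipher suites",
    "EXP":      "export-grade ciphers",
    "EXPORT40": "40-bit export ciphers",
    "EXPORT56": "56-bit export ciphers",
    "LOW":      "low-strength ciphers",
    "RC4":      "RC4 stream cipher",
    "ADH":      "anonymous Diffie-Hellman (no server authentication)",
    "aNULL":    "suites without authentication",
    "eNULL":    "suites without encryption",
    "MD5":      "MD5-based MACs",
}

# Simplified model of the broad selector: in OpenSSL, ALL covers every suite
# except the unencrypted ones. Other selectors (HIGH, MEDIUM, RSA, ...) are
# treated as neutral; only keywords named explicitly or pulled in by ALL count.
ALL_WEAK = set(WEAK) - {"eNULL"}


def parse_cipher_list(spec):
    """Split a cipher list into (prefix, [keywords]) pairs.

    Items are ":"-separated; a leading "!" deletes permanently, "-" deletes
    (re-addable later), "+" moves matching suites to the end; "RC4+RSA"
    inside an item means suites that are both RC4 and RSA."""
    items = []
    for item in spec.split(":"):
        item = item.strip()
        if not item:
            continue
        prefix = ""
        if item[0] in "!-+":
            prefix, item = item[0], item[1:]
        items.append((prefix, item.split("+")))
    return items


def enabled_weak_classes(spec):
    """Return, sorted, the WEAK keywords the list leaves enabled."""
    enabled, killed = set(), set()
    for prefix, keywords in parse_cipher_list(spec):
        if prefix == "!":
            killed.update(keywords)             # can never be re-added
        elif prefix == "-":
            enabled.difference_update(keywords)  # removed for now only
        else:
            if "ALL" in keywords:
                enabled |= ALL_WEAK
            enabled |= set(keywords) & set(WEAK)
    return sorted(enabled - killed)


def explain(spec):
    """Map each enabled weak keyword to the reason it is flagged."""
    return {k: WEAK[k] for k in enabled_weak_classes(spec)}


# The SSLCipherSuite value shown in the guide, and an assumed hardened one.
GUIDE_SUITE = "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
HARDENED_SUITE = "HIGH:!aNULL:!MD5:!RC4:!LOW:!EXP:!SSLv2"

if __name__ == "__main__":
    for name, spec in (("guide", GUIDE_SUITE), ("hardened", HARDENED_SUITE)):
        print(f"{name}: {explain(spec) or 'no weak classes enabled'}")
```

    The distinction the script tracks is the one that matters when reading such a line: a keyword removed with "!" stays removed no matter what follows, while "-" and "+" only reorder or temporarily drop suites, so "+LOW" after "ALL" really does keep low-strength ciphers on offer. Run against a real httpd.conf the audit is an approximation, since it does not expand HIGH, MEDIUM or DEFAULT; `openssl ciphers -v '<list>'` gives the authoritative expansion.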

    Host for test1: make the certificate and the key (make host1.seafront.bar) and add these lines to httpd.conf:

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLCertificateFile /etc/httpd/conf/test1.seafront.bar.crt
        SSLCertificateKeyFile /etc/httpd/conf/test1.seafront.bar.out
        ServerAdmin [email protected]
        DocumentRoot /var/www/html/test1
        ServerName test1.seafront.bar

    Notice that the certificate presented once you connect to the https://test1 site is incorrect. This is because test1.seafront.bar resolves to the server's IP address and the server will start the SSL handshake before looking at the HTTP request. The next section will fix that.

    IP Based Virtual Hosts

    We will directly create a series of virtual SSL aware hosts and verify that they present the client with the correct certificate.

    Task: Assign new IP addresses to the eth0 interface:

        ifconfig eth0:0 X.X.X.X

    The configuration file is /etc/squid/squid.conf. The syntax of this file can be checked using the -k switch:

        squid -k check

    The /etc/init.d/squid rc-script is used to start the service.

    Access Lists and Access Control

    •  Access Lists (acl)

    Access lists are created as follows:

        acl aclname type string

    The next line defines an access list named localnet corresponding to the local LAN:

        acl localnet src LAN_NETWORK/MASK
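    As an added example, not part of the guide, the following Python script parses acl ... src lines and http_access rules from a constructed squid.conf fragment and evaluates them the way squid does: every acl named on an http_access line must match for the line to apply, the first matching line decides, a leading "!" negates an acl, and when no line matches the default is the opposite of the last line's action (deny when there are no lines at all). The configuration text, acl names and addresses are constructed for the example and only the src acl type is handled.

```python
"""Evaluate squid 'acl ... src' lists and http_access rules against a client address."""
import ipaddress

# Constructed squid.conf fragment for this example (names and addresses assumed).
SAMPLE_CONF = """
# acl aclname type string
acl localnet src 192.168.3.0/24
acl blocked  src 192.168.3.66
acl all      src 0.0.0.0/0

# Tested top to bottom; the first matching line decides.
http_access deny  blocked
http_access allow localnet
http_access deny  all
"""

# Same idea without a final catch-all rule: a common misconfiguration.
NO_CATCHALL_CONF = """
acl guests src 10.0.0.0/8
http_access deny guests
"""


def parse_squid_conf(text):
    """Return ({acl name: [ip_network, ...]}, [(action, [acl names]), ...])."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "acl":
            if len(words) < 4:
                raise ValueError(f"malformed acl line: {line!r}")
            name, acl_type, values = words[1], words[2], words[3:]
            if acl_type != "src":
                raise ValueError(f"acl type {acl_type!r} is not handled by this example")
            acls.setdefault(name, []).extend(
                ipaddress.ip_network(v, strict=False) for v in values)
        elif words[0] == "http_access":
            if len(words) < 3 or words[1] not in ("allow", "deny"):
                raise ValueError(f"malformed http_access line: {line!r}")
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, client):
    """Test one acl reference; a leading "!" negates it, as in squid."""
    negate = name.startswith("!")
    base = name.lstrip("!")
    if base not in acls:
        raise KeyError(f"undefined acl {base!r}")
    hit = any(client in net for net in acls[base])
    return hit != negate


def http_access(text, client_ip):
    """Return "allow" or "deny" for client_ip under the given configuration."""
    acls, rules = parse_squid_conf(text)
    client = ipaddress.ip_address(client_ip)
    for action, names in rules:
        # Every acl on the line must match for the line to apply.
        if all(acl_matches(acls, n, client) for n in names):
            return action
    if not rules:
        return "deny"                       # no http_access lines at all
    # No line matched: squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"
```

    The NO_CATCHALL_CONF case is the one to remember: because its last line is a deny, any client it does not name is allowed through, which is why a proxy's access list should end with an explicit deny all.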

    Here we register squid to use the Pluggable Authentication Module. This is done by adding a file in /etc/pam.d/ called squid with the following content:

        /etc/pam.d/squid

    This refers to the system-auth service, which is the /etc/pam.d/system-auth file.

    Also note the following from the pam_auth man page:

    When used for authenticating to local UNIX shadow password databases the program must be running as root or else it won't have sufficient permissions to access the user password database. Such use of this program is not recommended, but if you absolutely need to then make the program setuid root

        chown root pam_auth
        chmod u+s pam_auth

    Please note that in such configurations it is also strongly recommended that the program is moved into a directory where normal users cannot access it, as this mode of operation will allow any local user to brute-force other users' passwords. Also note the program has not been fully audited and the author cannot be held responsible for any security issues due to such installations.

    DHCP Configuration

    A DHCP server can be used to administer IPs over several networks; the dhcpd.conf configuration file is composed of global options followed by network sections.

    It is possible to configure the DHCP server to update the zone files on the DNS server.

    On the DHCP server, add the following to the dhcpd.conf file:

        ddns-update-style interim;
        ignore client-updates;
        key seafront.bar. {
            algorithm hmac-md5;
            secret BASE64_TSIG_SECRET;
        };

        zone seafront.bar. {
            primary 192.168.3.100;
            key seafront.bar.;
        };

        zone 3.168.192.in-addr.arpa. {
            primary 192.168.3.100;
            key seafront.bar.;
        };

    Optionally, it is possible to set a specific host name and domain name for a given host with the keywords:

        ddns-hostname host_name
        ddns-domain-name domain_name

    If the ddns-hostname option is not present then the DHCP server will try and use the name provided by the client. The domain on the other hand cannot be set by the client, so if ddns-domain-name is not present then the DHCP server will use the value given by the domain-name option.

    Each router needs to be able to relay DHCPDISCOVER messages to the DHCP server.

    For a Linux router this is done using the dhcp-relay or dhcrelay (more recent) tool. Both tools take a mandatory single argument which is the IP of the DHCP server.

    By default the relay tools will listen on all network interfaces for DHCP requests. One can specify an interface with the -i option:

        dhcrelay -i eth0 IP_FOR_DHCP_server

    NIS Configuration

    The -m option to ypinit indicates that the server is a master server:

        /usr/lib/yp/ypinit -m

    LDAP Configuration

        /lib/libpam.so.0 (0x00941000)

    These applications will scan the PAM configuration files which in turn tell the application how the authentication will take place.

    PAM Configuration

    However, if the directory /etc/pam.d exists then pam.conf is ignored and each service is configured through a separate file in pam.d. These files are similar to pam.conf except that the service name is dropped:

        type control module-path module-arguments

    type defines the 'management group' type. PAM modules are classified into four

    Targets are selected with the -j flag (jump). Here is an overview of available targets for a given table:

        filter    (nothing individual to this chain)
        nat       DNAT, SNAT, MASQUERADE

    However, iptables only sends packets to the INPUT chain if they are destined for the local system and only sends them to the OUTPUT chain if the local system generated the packets. For this reason, you must be sure to place the rule

    Let's assume that we want to watch packets used in establishing a TCP connection. Recall the structure of a TCP header without options:

        0                            15                              31
        -----------------------------------------------------------------
        |          source port          |       destination port        |
        -----------------------------------------------------------------
        |                        sequence number                        |
        -----------------------------------------------------------------
        |                     acknowledgment number                     |
        -----------------------------------------------------------------
        |  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
        -----------------------------------------------------------------
        |         TCP checksum          |       urgent pointer          |
        -----------------------------------------------------------------

    A TCP header usually holds 20 octets of data, unless options are present. The first line of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.

    Starting to count with 0, the relevant TCP control bits are contained in octet 13:

        0             7|             15|             23|             31
        ----------------|---------------|---------------|----------------
        |  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
        ----------------|---------------|---------------|----------------
        |               |  13th octet   |               |               |

    Let's have a closer look at octet no. 13:

                        |               |
                        |---------------|
                        |C|E|U|A|P|R|S|F|
                        |---------------|
                        |7 6 5 4 3 2 1 0|

    These are the TCP control bits we are interested in. We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5.

    Recall that we want to capture packets with only SYN set. Let's see what happens to octet 13 if a TCP datagram arrives with the SYN bit set in its header:

                        |C|E|U|A|P|R|S|F|
                        |---------------|
                        |0 0 0 0 0 0 1 0|
                        |---------------|
                        |7 6 5 4 3 2 1 0|

    Looking at the control bits section we see that only bit number 1 (SYN) is set.

    Assuming that octet number 13 is an 8-bit unsigned integer in network byte order, the binary value of this octet is

        00000010

    and its decimal representation is

        0*2^7 + 0*2^6 + 0*2^5 + 0*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 2

    We're almost done, because now we know that if only SYN is set, the value of the 13th octet in the TCP header, when interpreted as an 8-bit unsigned integer in network byte order, must be exactly 2.

    This relationship can be expressed as

        tcp[13] == 2
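    The derivation above can be checked on constructed packets. The following Python script is an added example (it comes neither from the tcpdump man page nor from the guide): it builds 20-octet TCP headers with chosen flags, reads octet 13 exactly as tcpdump's tcp[13] does, carries the weighted bit sum from the derivation, and evaluates the filter on a pure SYN and on a SYN/ACK. Function names, ports and sequence numbers are the example's own; the ECN variant at the end goes one step beyond the text.

```python
"""Build TCP headers and evaluate the tcpdump expression tcp[13] == 2 on them."""
import struct

# Control bits of octet 13, numbered 0..7 from right to left as in the diagram.
FLAGS = {"FIN": 1 << 0, "SYN": 1 << 1, "RST": 1 << 2, "PSH": 1 << 3,
         "ACK": 1 << 4, "URG": 1 << 5, "ECE": 1 << 6, "CWR": 1 << 7}


def tcp_header(src_port, dst_port, seq, ack, flag_names, window=65535):
    """Return a constructed 20-octet TCP header without options (checksum left 0)."""
    flags = 0
    for name in flag_names:
        flags |= FLAGS[name]
    data_offset_words = 5                 # header length in 32-bit words
    octet12 = data_offset_words << 4      # high nibble = HL, low nibble = reserved
    return struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                       octet12, flags, window, 0, 0)


def control_octet(header):
    """Octet 13 as an 8-bit unsigned integer, exactly what tcp[13] reads."""
    return header[13]


def octet_from_bits(bits):
    """The weighted sum from the derivation; bits are listed from bit 7 down to bit 0."""
    if len(bits) != 8:
        raise ValueError("an octet has exactly 8 bits")
    return sum(bit << (7 - i) for i, bit in enumerate(bits))


def set_flags(header):
    """Names of the flags set in the header, in FIN..CWR order."""
    return [name for name, bit in FLAGS.items() if control_octet(header) & bit]


def only_syn(header):
    """tcp[13] == 2: a pure SYN, the first packet of a three-way handshake."""
    return control_octet(header) == 2


def syn_set(header):
    """tcp[13] & 2 != 0: SYN set in any combination, which also matches SYN/ACK."""
    return control_octet(header) & FLAGS["SYN"] != 0


def only_syn_ignoring_ecn(header):
    """tcp[13] & 0x3f == 2: only SYN among the six classic flags, so a SYN that
    also carries ECE and CWR (ECN setup) is still matched."""
    return control_octet(header) & 0x3F == 2


if __name__ == "__main__":
    syn = tcp_header(40000, 80, 1, 0, ["SYN"])
    synack = tcp_header(80, 40000, 1000, 2, ["SYN", "ACK"])
    for pkt in (syn, synack):
        print(set_flags(pkt), control_octet(pkt), only_syn(pkt), syn_set(pkt))
```

    One caveat worth keeping next to the filter: a host negotiating ECN sends its SYN with bits 6 and 7 (ECE and CWR) also set, so octet 13 is 194 rather than 2 and tcp[13] == 2 silently misses it; masking those two bits, as only_syn_ignoring_ecn does, keeps the "only SYN" meaning of the test.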

    NMAP

     nmap - Network exploration tool and security scanner

    The scanner makes use of the fact that a closed port should (according to RFC 793) send back an RST. In the case of a SYN scan, connections that are half open are immediately closed by nmap by sending an RST itself.