Document Sample
Downloading Powered By Docstoc
					Linux Services
Linux DHCP Server

   DHCP is an IP address dynamically
    assigned from DHCP server.
   PC client will most likely get its IP
    address at boot time from the home
    router instead
   The DHCP server RPM's filename
    usually starts with the word dhcp
    followed by a version number
       dhcp-3.0.1rc14-1.i386.rpm.

        The /etc/dhcpd.conf File

   When DHCP starts, it reads the file
   The standard DHCP RPM package doesn't
    automatically install a /etc/dhcpd.conf file, but
    a sample copy of dhcpd.conf is in the following
       /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample

/etc/dhcpd.conf example file
ddns-update-style interim;
ignore client-updates;

subnet netmask {

# --- default gateway
       option routers  ;
       option subnet-mask;

     option   nis-domain         "";
     option   domain-name          "";
     option   domain-name-servers;
     option   domain-name-servers;
     option   time-offset       -18000; # Eastern Standard Time

#       option netbios-node-type 2;

     range dynamic-bootp;
     default-lease-time 21600;
     max-lease-time 43200;

How to get DHCP started
   Use the chkconfig command to get DHCP
    configured to start at boot:

        [root@bigboy tmp]# chkconfig dhcpd on

   Use the service command to instruct the
    /etc/init.d/dhcpd script to start/stop/restart DHCP
    after booting

        [root@bigboy tmp]# service dhcpd start
        [root@bigboy tmp]# service dhcpd stop
        [root@bigboy tmp]# service dhcpd restart


   Samba is a suite of utilities that
    allows your Linux server to share
    files and other resources, such as
    printers, with Windows clients.

Get SMB started
   Configure Samba to start at boot time using the
    chkconfig command:
            [root@bigboy tmp]# chkconfig smb on
   Start/stop/restart Samba after boot time using
    the smb initialization script as in the examples
            [root@bigboy tmp]# service smb start
            [root@bigboy tmp]# service smb stop
            [root@bigboy tmp]# service smb restart

   Note: Unlike many Linux packages, Samba does
    not need to be restarted after changes have been
    made to its configuration file, as it is read after
    the receipt of every client request.
The Samba Configuration File
The /etc/samba/smb.conf file is the main configuration

  Section                                Description
  [global]    General Samba configuration parameters

 [printers]   Used for configuring printers

  [homes]     Defines treatment of user logins

 [netlogon]   A share for storing logon scripts.
              (Not created by default.)

 [profile]    A share for storing domain logon information such as "favorites" and
              desktop icons.
              (Not created by default.)

Samba's SWAT web interface

   SWAT, Samba's web based configuration
    tool to enables smb.conf file without
    needing to remember all the formatting.
   Each SWAT screen is actually a form that
    covers a separate section of the smb.conf
    file into which admin fill in the desired
    parameters, each parameter box has its
    own online help

Samba SWAT Main Menu

 Basic SWAT Setup
    Root must always remember that SWAT
     edits the smb.conf file but also strips out
     any comments that may have manually
     entered into it beforehand.
    The original Samba smb.conf file has
     many worthwhile comments in it, you
     should save a copy as a reference before
     proceeding with SWAT.
        For example, you could save the original file
         with the name /etc/samba/smb.conf.original
[root@tmp]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original

Basic SWAT Setup
   The enabling and disabling, starting and
    stopping of SWAT is controlled by xinetd
    via a configuration file named
         service swat
           port        = 901
           socket_type      = stream
           protocol      = tcp
           wait        = no
           user        = root
           server       = /usr/sbin/swat
           log_on_failure += USERID
           disable      = no
           only_from       = localhost

Basic SWAT Setup
   The disable parameter must be set to no to accept
    connections. This can automatically be switched
    between yes and no.
   The default configuration only allows SWAT web
    access from the VGA console only as user root on
    port 901 with the Linux root password.
       This means root have to enter ""
        in browser to get the login screen.
   root can make SWAT accessible from other servers
    by adding IP address entries to the only_from
    parameter of the SWAT configuration file.
       An example of an entry to allow connections only
        from and localhost.

            only_from = localhost

Controlling SWAT
   Same as all xinetd-controlled applications,
    the chkconfig command automatically
    modifies the disable field accordingly in
    the configuration file and activates the
   Before SWAT can be used, the xinetd
    program which controls it must be
    activated in advance.
   You can start/stop/restart xinetd after
    boot time using the xinetd initialization

xinetd Programs
   Many network enabled Linux applications
    do not rely on themselves to provide
    restricted access or bind to a particular
    TCP port
   instead they often offload a lot of this
    work to a program suite made just for
    this purpose, xinetd
   The xinetd RPM is installed by default in
    Fedora Linux and uses /etc/xinetd.conf as
    its main configuration file

Controlling xinetd
   The starting and stopping of the xinetd daemon is
    controlled by the by scripts in the /etc/init.d
    directory and it is behavior at boot time is
    controlled by chkconfig.
   You can start/stop/restart xinetd after booting by
    using the following commands:
         [root@bigboy tmp]# service xinetd start
         [root@bigboy tmp]# service xinetd stop
         [root@bigboy tmp]# service xinetd restart

   To get xinetd configured to start at boot you can
    use the chkconfig command.
          [root@bigboy tmp]# chkconfig xinetd on

Controlling xinetd-Managed Applications
   Xinetd-managed applications all store
    their configuration files in the
    /etc/xinetd.d directory.
   Each configuration file has a disable
    statement that can set to yes or no. This
    governs whether xinetd is allowed to start
    them or not.
   You don't have to edit these files to
    activate or deactivate the application. The
    chkconfig command does that
    automatically will also stops or starts the
    application accordingly too
   Telnet is a program that allows users to log into
    server and get a command prompt just as if they
    were logged into the VGA console.
   The Telnet server RPM is installed and disabled by
    default on Fedora Linux.
   One of the disadvantages of Telnet is that the
    data is sent as clear text.
   A more secure method for remote logins would be
    via Secure Shell (SSH) which uses varying
    degrees of encryption.
   The older Telnet application remains popular.
    Many network devices don't have SSH clients,
    making telnet the only means of accessing other
    devices and servers from them

Installing The Telnet Server Software
   Older versions of RedHat had the Telnet
    server installed by default. Fedora Linux
    does not
       you will have to install it yourself.
   Most Linux software products are
    available in a precompiled package
    format. Downloading and installing
   When searching for the file, the Telnet
    server RPM's filename usually starts with
    the word "telnet-server" followed by a
    version number as in telnet-server-0.17-
Setting Up A Telnet Server

   To set up a Telnet server use the
    chkconfig command to activate Telnet.
       [root@bigboy tmp]# chkconfig telnet on

   Use the chkconfig command to deactivate
    telnet, even after the next reboot.
       [root@bigboy tmp]# chkconfig telnet off

Let Telnet Listen On Another TCP Port

   Letting telnet run on an alternate TCP
    port does not encrypt the traffic, but it
    makes it less likely to be detected as
    telnet traffic.
   Remember that this is not a foolproof
    strategy; good port scanning programs
    can detect telnet and other applications
    running on alternative ports.

Let Telnet Listen On Another TCP Port

1.   Edit /etc/services file and add an entry
     for a new service. Call it stelnet.
     # Local services
     stelnet      7777/tcp                    # "secure" telnet

2.   Copy the telnet configuration file called
     /etc/xinetd.d/telnet and call it
[root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

      Let Telnet Listen On Another TCP Port
3.   Edit the new /etc/xinetd.d/stelnet file. Make the new service
     stelnet and add a port statement for TCP port 7777.
           # default: on
           # description: The telnet server serves telnet sessions
           # unencrypted username/password pairs for authentication.
           service stelnet
                flags       = REUSE
                socket_type = stream
                wait        = no
                user        = root
                server       = /usr/sbin/in.telnetd
                log_on_failure += USERID
                disable       = no
                port        = 7777

4.   Use chkconfig to activate stelnet.
                 [root@bigboy tmp]# chkconfig stelnet on
Let Telnet Allow Connections From
Trusted Addresses
   Root can restrict telnet logins access to individual
    remote servers by using the only_from keyword
    in the telnet configuration file.
   Add a list of trusted servers to the
    /etc/xinetd.d/telnet file separated by spaces:
         service telnet
              flags       = REUSE
              socket_type = stream
              wait        = no
              user        = root
              server       = /usr/sbin/in.telnetd
              log_on_failure += USERID
              disable      = no
              only_from       =

   Restart telnet by
                 # chkconfig telnet off
                 # chkconfig telnet on                                  24
Linux FTP
   The File Transfer Protocol (FTP) is used as
    one of the most common means of
    copying files between servers over the
   Most web based download sites use the
    built in FTP capabilities of web browsers
    and therefore most server oriented
    operating systems usually include an FTP
    server application as part of the software
   Fedora linux ftp sever using default Very
    Secure FTP Daemon (VSFTPD) package
FTP overview
   FTP relies on a pair of TCP ports to
    get the job done. It operates in two
    connection channels
       FTP Control Channel, TCP Port 21: All
        commands send and the ftp server's
        responses to those commands will go
        over the control connection.
       FTP Data Channel, TCP Port 20: This
        port is used for all subsequent data
        transfers between the client and server.

How To Get VSFTPD Started
   With Fedora, Redhat, Ubunbtu and Debian You
    can start, stop, or restart VSFTPD after booting
    by using these commands:
       [root@bigboy tmp]# /etc/init.d/vsftpd start
       [root@bigboy tmp]# /etc/init.d/vsftpd stop
       [root@bigboy tmp]# /etc/init.d/vsftpd restart

   With Redhat / Fedora you can configure VSFTPD
    to start at boot you can use the chkconfig

        [root@bigboy tmp]# chkconfig vsftpd on

The Apache Web Server
   Apache is probably the most popular
    Linux-based Web server application in
   When searching for the file, the Redhat /
    Fedora Apache RPM package's filename
    usually starts with the word httpd
    followed by a version number, as in

Get Apache started
   Use the chkconfig command to configure Apache
    to start at boot:

          [root@bigboy tmp]# chkconfig httpd on

   Use the httpd<code> init script in the
    <code>/etc/init.d directory to start,stop, and
    restart Apache after booting:

      [root@bigboy tmp]# /etc/init.d/httpd start
      [root@bigboy tmp]# /etc/init.d/httpd stop
      [root@bigboy tmp]# /etc/init.d/httpd restart

General Configuration Steps

   The configuration file used by Apache is
    /etc/httpd/conf/httpd.conf in Redhat /
    Fedora distributions
    /etc/apache*/httpd.conf in Debian /
    Ubuntu distributions.
   As for most Linux applications, you must
    restart Apache before changes to this
    configuration file take effect

Where To Put Web Pages
   All the statements that define the features of each
    web site are grouped together inside their own
    <VirtualHost> section, or container, in the
    httpd.conf file.
   The most commonly used statements, or
    directives, inside a <VirtualHost> container are:
       servername: Defines the name of the website
        managed by the <VirtualHost> container. This is
        needed in named virtual hosting only, as I'll explain
       DocumentRoot: Defines the directory in which the
        web pages for the site can be found.

Where To Put Web Pages

   By default, Apache searches the
    DocumentRoot directory for an index, or
    home, page named index.html.
   Example, if a servername of
    with a DocumentRoot directory of
    Apache displays the contents of the file
    /home/www/site1/index.html when someone
    enter in his browser.

The Default File Location
   By default, Apache expects to find all its
    web page files in the “/var/www/html/”
    directory with a generic DocumentRoot
    statement at the beginning of httpd.conf
   Apache will display Web page files as long
    as they are world readable, all the files
    and subdirectories in DocumentRoot
    should have the correct permissions
       Change the permissions on the /home/www
        directory to 755, which allows all users,
        including the Apache's httpd daemon, to read
        the files inside.
Named Virtual Hosting
   Apache allow to make Web server host more than
    one site per IP address by using Apache's named
    virtual hosting feature.
   Use the NameVirtualHost directive in the
    /etc/httpd/conf/httpd.conf file to tell Apache
    which IP addresses will participate in this feature.
   The <VirtualHost> containers in the file then tell
    Apache where it should look for the Web pages
    used on each Web site.
   Admin must specify the IP address for which each
    <VirtualHost> container applies.

Named Virtual Hosting Example
  ServerName localhost

  <VirtualHost *>
    DocumentRoot /home/www/site1

    DocumentRoot /home/www/site2

    DocumentRoot /home/www/site3

    DocumentRoot /home/www/site4
Protect Web Page Directories With

   Use Apache's htpasswd password utility to
    create username/password combinations
    independent of system login password for
    Web page access.
   Specify the location of the password file,
    and if it does not yet exist, should include
    a -c, or create, switch on the command
   Placing the file in /etc/httpd/conf
    directory, away from the DocumentRoot
    tree where Web users could possibly view

  htpasswd Example

[root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter
New password:
Re-type new password:
Adding password for user peter
[root@bigboy tmp]#

[root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul
New password:
Re-type new password:
Adding password for user paul
[root@bigboy tmp]#

Protect Web Page Directories With

   Make the .htpasswd file readable by all
    [root@bigboy tmp]# chmod 644 /etc/httpd/conf/.htpasswd

   Create a .htaccess file in the directory to
    which you want password control with
    these entries.
         AuthUserFile /etc/httpd/conf/.htpasswd
         AuthGroupFile /dev/null
         AuthName EnterPassword
         AuthType Basic
         require user peter

Protect Web Page Directories With
   Set the correct file protections on new .htaccess
    file in the directory /home/www.
      [root@bigboy tmp]# chmod 644 /home/www/.htaccess

   Make sure your /etc/httpd/conf/http.conf file has
    an AllowOverride statement in a <Directory>
    directive for any directory in the tree above
   In this example below, all directories below
    /var/www/ require password authorization.
             <Directory /home/www/*>
               AllowOverride AuthConfig

Protect Web Page Directories With

   Make sure that a <VirtualHost> directive
    that defines access to /home/www or
    another directory higher up in the tree.
          <VirtualHost *>
            DocumentRoot /home/www

   Restart Apache

Linux firewall

   Linux uses “iptable” for firewall
       A router that will use NAT and port
        forwarding to both protect home
        network and have another web server
        on home network while sharing the
        public IP address of firewall

iptable Features
   Integration with the Linux kernel with the
    capability of loading iptables-specific
    kernel modules designed for improved
    speed and reliability.
   Stateful packet inspection. This means
    that the firewall keeps track of each
    connection passing through it and in
    certain cases will view the contents of
    data flows in an attempt to anticipate the
    next action of certain protocols.
   Filtering packets based on a MAC address
    and the values of the flags in the TCP
iptable Features

   System logging that provides the option
    of adjusting the level of detail of the
   Network address translation.
   Support for transparent integration with
    such Web proxy programs as Squid.
   A rate limiting feature that helps iptables
    block some types of denial of service
    (DoS) attacks

Start iptable
   Start iptable with:
        [root@bigboy tmp]# service iptables start
        [root@bigboy tmp]# service iptables stop
        [root@bigboy tmp]# service iptables restart
   Sample of iptable command
     iptables -A FORWARD -s 0/0 -i eth0 -d -o eth1 -p TCP \
            --sport 1024:65535 --dport 80 -j ACCEPT

       iptables is being configured to allow the firewall to
        accept TCP packets for routing when they enter on
        interface eth0 from any IP address and are destined
        for an IP address of that is reachable
        via interface eth1.
       The source port is in the range 1024 to 65535 and
        the destination port is port 80
Secure Remote Logins

   OpenSSH, which provides a number of
    ways to create encrypted remote terminal
    and file transfer connections between
    clients and servers.
   The OpenSSH Secure Copy (SCP) and
    Secure FTP (SFTP) programs are secure
    replacements for FTP,
   Secure Shell (SSH) is often used as a
    stealthy alternative to TELNET

Starting OpenSSH
   OpenSSH is installed by default during
    Linux installations
   SSH and SCP are part of the same
    application, they share the same
    configuration file and are governed by the
    same /etc/init.d/sshd startup script
   configure SSH to start at boot by using
    the chkconfig command when running

         [root@bigboy tmp]# chkconfig sshd on

The /etc/ssh/sshd_config File
   The SSH configuration file is called
    /etc/ssh/sshd_config. By default SSH listens on all
    NICs and uses TCP port 22.
    #   The strategy used for options in the default sshd_config shipped with
    #   OpenSSH is to specify options with their default value where
    #   possible, but leave them commented. Uncommented options change a
    #   default value.

    #Port 22
    #Protocol 2,1

    #ListenAddress ::

   start, stop, and restart SSH with service comand

Other Linux services

   NTP
   Sendmail
   DNS
   MRTG
   Network File System (NFS)
   Etc.


‫1- کاربرد سرویس ‪ Telnet‬را توضیح دهید. عیب این‬   ‫‪‬‬
                                ‫سرویس چیست؟‬
           ‫2- ‪ Virtual Host‬چیست؟ توضیح دهید.‬    ‫‪‬‬


Shared By:
wang nianwu wang nianwu http://
About wangnianwu