					Linux Services
Linux DHCP Server

- DHCP (Dynamic Host Configuration Protocol) lets a server hand out IP
  addresses and related settings (netmask, default gateway, DNS servers) to
  clients dynamically, instead of each host being configured by hand.
- A PC client will most likely get its IP address at boot time from the home
  router rather than from a dedicated Linux server.
- The DHCP server RPM's filename usually starts with the word dhcp followed
  by a version number, for example:
    dhcp-3.0.1rc14-1.i386.rpm
The /etc/dhcpd.conf File

- When dhcpd starts, it reads the file /etc/dhcpd.conf.
- The standard DHCP RPM package doesn't install a /etc/dhcpd.conf file
  automatically, but a sample copy is shipped in the documentation directory:
    /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample
- Copy the sample to /etc/dhcpd.conf and edit it for your subnet.
/etc/dhcpd.conf example file

    ddns-update-style interim;
    ignore client-updates;

    subnet 172.27.21.0 netmask 255.255.255.0 {

        # --- default gateway
        option routers              172.27.21.254;
        option subnet-mask          255.255.255.0;

        option nis-domain           "cp.su.ac.th";
        option domain-name          "cp.su.ac.th";
        # several DNS servers go in one statement, comma-separated, in
        # preference order
        option domain-name-servers  202.28.72.66, 202.44.135.9;
        # copied from the sample file; adjust to the local time zone
        option time-offset          -18000; # Eastern Standard Time

    #   option netbios-node-type 2;

        range dynamic-bootp 172.27.21.200 172.27.21.250;
        default-lease-time 21600;
        max-lease-time 43200;
    }

The subnet block opens one brace and must close with exactly one. Check the
file before (re)starting the daemon with dhcpd -t, which parses the
configuration and reports syntax errors without starting the service.
How to get DHCP started

- Use the chkconfig command to configure DHCP to start at boot:

    [root@bigboy tmp]# chkconfig dhcpd on

- Use the service command to run the /etc/init.d/dhcpd script to start, stop
  or restart DHCP after booting:

    [root@bigboy tmp]# service dhcpd start
    [root@bigboy tmp]# service dhcpd stop
    [root@bigboy tmp]# service dhcpd restart
SAMBA

- Samba is a suite of utilities that allows your Linux server to share files
  and other resources, such as printers, with Windows clients using the
  SMB/CIFS protocol.
Get SMB started

- Configure Samba to start at boot time using the chkconfig command:
    [root@bigboy tmp]# chkconfig smb on
- Start, stop or restart Samba after boot time using the smb initialization
  script, as in the examples below:
    [root@bigboy tmp]# service smb start
    [root@bigboy tmp]# service smb stop
    [root@bigboy tmp]# service smb restart

- Note: Unlike many Linux services, Samba does not need to be restarted after
  changes have been made to its configuration file; smbd re-reads smb.conf
  when it notices the file has changed, so new client connections pick up the
  new settings.
The Samba Configuration File

The /etc/samba/smb.conf file is the main configuration file. It is divided
into sections:

  Section      Description
  ---------    -------------------------------------------------------------
  [global]     General Samba configuration parameters
  [printers]   Used for configuring printers
  [homes]      Defines treatment of user logins (each user's home directory
               as a share)
  [netlogon]   A share for storing logon scripts (not created by default)
  [profile]    A share for storing domain logon information such as
               "favorites" and desktop icons (not created by default)
Samba's SWAT web interface

- SWAT is Samba's web-based configuration tool. It lets you edit the smb.conf
  file without needing to remember all the formatting.
- Each SWAT screen is actually a form that covers a separate section of the
  smb.conf file, into which the administrator fills in the desired
  parameters; each parameter box has its own online help.

Samba SWAT Main Menu

(screenshot of the SWAT main menu)
Basic SWAT Setup

- Root must always remember that SWAT not only edits the smb.conf file but
  also strips out any comments that were entered into it manually
  beforehand.
- The original Samba smb.conf file has many worthwhile comments in it, so you
  should save a copy as a reference before proceeding with SWAT.
  - For example, save the original file under the name
    /etc/samba/smb.conf.original:

    [root@bigboy tmp]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original
Basic SWAT Setup

- The enabling and disabling, starting and stopping of SWAT is controlled by
  xinetd via a configuration file named /etc/xinetd.d/swat:

    service swat
    {
        port            = 901
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
        only_from       = localhost
    }
Basic SWAT Setup

- The disable parameter must be set to no for xinetd to accept connections
  for SWAT. chkconfig switches it between yes and no for you.
- The default configuration allows SWAT access only from the machine itself,
  as user root, on TCP port 901, authenticated with the Linux root password.
  - This means root has to enter http://127.0.0.1:901 in a browser on the
    server to get the login screen.
- Root can make SWAT reachable from other hosts by adding IP addresses to the
  only_from parameter of the SWAT configuration file. An example of an entry
  that allows connections only from 192.168.1.3 and localhost:

    only_from = localhost 192.168.1.3

- Caveat: SWAT speaks plain HTTP, so once it is opened up this way the root
  password crosses the network in cleartext, and only_from is a
  source-address filter, not authentication. Keep it on localhost and reach
  it through an SSH tunnel if remote access is needed.
Controlling SWAT

- As with all xinetd-controlled applications, the chkconfig command
  automatically modifies the disable field in the configuration file and
  activates the change.
- Before SWAT can be used, the xinetd program which controls it must already
  be running.
- You can start, stop or restart xinetd after boot time using the xinetd
  initialization script.
xinetd Programs

- Many network-enabled Linux applications do not handle restricting access or
  binding to a particular TCP port themselves.
- Instead they often offload that work to a program suite made just for this
  purpose: xinetd, the extended Internet services daemon, which listens on
  the configured ports and launches the application only when a connection
  arrives.
- The xinetd RPM is installed by default in Fedora Linux and uses
  /etc/xinetd.conf as its main configuration file.
Controlling xinetd

- The starting and stopping of the xinetd daemon is controlled by scripts in
  the /etc/init.d directory, and its behavior at boot time is controlled by
  chkconfig.
- You can start, stop or restart xinetd after booting with the following
  commands:
    [root@bigboy tmp]# service xinetd start
    [root@bigboy tmp]# service xinetd stop
    [root@bigboy tmp]# service xinetd restart

- To configure xinetd to start at boot, use the chkconfig command:
    [root@bigboy tmp]# chkconfig xinetd on
Controlling xinetd-Managed Applications

- xinetd-managed applications all store their configuration files in the
  /etc/xinetd.d directory.
- Each configuration file has a disable statement that can be set to yes or
  no. This governs whether xinetd is allowed to start the application.
- You don't have to edit these files by hand to activate or deactivate an
  application. The chkconfig command changes the disable field for you and
  signals xinetd to re-read its configuration, so the application starts or
  stops accepting connections immediately.
Telnet

- Telnet is a program that allows users to log into a server and get a
  command prompt just as if they were logged into the VGA console.
- The Telnet server is disabled by default on Fedora Linux (and, depending on
  the release, may not even be installed).
- The main disadvantage of Telnet is that everything, including the username
  and password, is sent as cleartext; anyone who can sniff the network path
  can read it.
- A more secure method for remote logins is Secure Shell (SSH), which
  encrypts the whole session.
- The older Telnet application nevertheless remains in use. Many network
  devices don't have SSH clients, making telnet the only means of accessing
  other devices and servers from them.
Installing The Telnet Server Software

- Older versions of Red Hat had the Telnet server installed by default.
  Fedora Linux does not, so you will have to install it yourself.
- Most Linux software products are available in a precompiled package format;
  download and install the package for your distribution.
- When searching for the file, the Telnet server RPM's filename usually
  starts with the words "telnet-server" followed by a version number, as in
  telnet-server-0.17-28.i386.rpm.
Setting Up A Telnet Server

- To set up a Telnet server, use the chkconfig command to activate Telnet
  (this sets disable = no in /etc/xinetd.d/telnet and reloads xinetd):
    [root@bigboy tmp]# chkconfig telnet on

- Use the chkconfig command to deactivate telnet; the setting persists across
  reboots:
    [root@bigboy tmp]# chkconfig telnet off
Let Telnet Listen On Another TCP Port

- Letting telnet run on an alternate TCP port does not encrypt the traffic,
  but it makes it less likely that casual scans identify it as telnet.
- Remember that this is not a foolproof strategy; good port scanning programs
  fingerprint the service banner and can detect telnet and other applications
  running on alternative ports. Treat it as obscurity, not as a security
  control.
Let Telnet Listen On Another TCP Port

1.  Edit the /etc/services file and add an entry for a new service. Call it
    stelnet:
      # Local services
      stelnet      7777/tcp                    # "secure" telnet

2.  Copy the telnet configuration file /etc/xinetd.d/telnet to
    /etc/xinetd.d/stelnet:
      [root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet
Let Telnet Listen On Another TCP Port

3.  Edit the new /etc/xinetd.d/stelnet file. Rename the service to stelnet
    and add a port statement for TCP port 7777:
      # default: on
      # description: The telnet server serves telnet sessions; it uses \
      #   unencrypted username/password pairs for authentication.
      service stelnet
      {
          flags           = REUSE
          socket_type     = stream
          wait            = no
          user            = root
          server          = /usr/sbin/in.telnetd
          log_on_failure  += USERID
          disable         = no
          port            = 7777
      }

4.  Use chkconfig to activate stelnet:
      [root@bigboy tmp]# chkconfig stelnet on
Let Telnet Allow Connections From Trusted Addresses

- Root can restrict telnet access to individual remote hosts by using the
  only_from keyword in the telnet configuration file.
- Add a list of trusted addresses to the /etc/xinetd.d/telnet file, separated
  by spaces:
    service telnet
    {
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 192.168.1.100 127.0.0.1 192.168.1.200
    }

- Make xinetd pick up the change by toggling the service:
    # chkconfig telnet off
    # chkconfig telnet on

- only_from filters on the client's source address. It does not make the
  session any less cleartext, and a trusted address is only as trustworthy as
  the host that currently holds it.
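The SWAT file earlier and the telnet and stelnet files above differ in exactly the fields that decide how exposed an xinetd service is: disable, user, port, server and only_from. The following is an added example, not part of the original slides, of a small POSIX shell audit that reads those fields from a service file and reports what an attacker would care about. The three service files it checks are constructed here in a temporary directory from the text above (the telnet one deliberately has no only_from line, like the stock file before the step just described); the paths and the set of findings are assumptions made for this example, not Fedora's.

```shell
#!/bin/sh
# Added example (not from the slides): audit xinetd service files for exposure.
# Constructed sample files stand in for /etc/xinetd.d/{swat,telnet,stelnet}.

# xinetd_attr FILE KEY: print the value of "KEY = value" (or "KEY += value")
xinetd_attr() {
    awk -v key="$2" '
        $1 == key && ($2 == "=" || $2 == "+=") {
            $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# xinetd_audit FILE: one finding per line.  Exit 0 if the service is disabled
# or restricted by only_from, 1 if anyone on the network can connect to it.
xinetd_audit() {
    f=$1
    name=$(awk '$1 == "service" { print $2; exit }' "$f")
    if [ "$(xinetd_attr "$f" disable)" = "yes" ]; then
        echo "$name: disabled in xinetd, not listening"
        return 0
    fi
    rc=0
    [ "$(xinetd_attr "$f" user)" = "root" ] && echo "$name: server process runs as root"
    port=$(xinetd_attr "$f" port)
    [ -n "$port" ] && echo "$name: non-standard port $port (obscurity, not protection)"
    case $(xinetd_attr "$f" server) in
        *in.telnetd) echo "$name: telnet, credentials cross the wire in cleartext" ;;
        *swat)       echo "$name: SWAT, root password travels over plain HTTP" ;;
    esac
    from=$(xinetd_attr "$f" only_from)
    if [ -z "$from" ]; then
        echo "$name: no only_from, reachable from any source address"
        rc=1
    else
        echo "$name: only_from = $from (source-IP filter, not authentication)"
    fi
    return $rc
}

# --- constructed sample service files (contents follow the slides) ---
XD=$(mktemp -d)
cat > "$XD/swat" <<'EOF'
service swat
{
    port        = 901
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/swat
    log_on_failure += USERID
    disable     = no
    only_from   = localhost
}
EOF
cat > "$XD/telnet" <<'EOF'
service telnet
{
    flags       = REUSE
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure += USERID
    disable     = no
}
EOF
cat > "$XD/stelnet" <<'EOF'
service stelnet
{
    flags       = REUSE
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure += USERID
    disable     = no
    port        = 7777
}
EOF

for svc in swat telnet stelnet; do
    xinetd_audit "$XD/$svc" || :
    echo
done
```

Run it against a real /etc/xinetd.d directory with `for f in /etc/xinetd.d/*; do xinetd_audit "$f"; done`; anything that prints "reachable from any source address" together with "runs as root" deserves a look before the box goes on a shared network.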
Linux FTP

- The File Transfer Protocol (FTP) is one of the most common means of copying
  files between servers over the Internet.
- Most web-based download sites use the built-in FTP capabilities of web
  browsers, and therefore most server-oriented operating systems include an
  FTP server application as part of the software suite.
- Fedora Linux's default FTP server is the Very Secure FTP Daemon (vsftpd)
  package.
- Like telnet, plain FTP sends usernames, passwords and file contents in
  cleartext; sftp and scp over SSH (covered later) are the encrypted
  replacements.
FTP overview

- FTP relies on a pair of TCP connections to get the job done. It operates
  over two channels:
  - FTP Control Channel, TCP port 21: all commands sent by the client and the
    FTP server's responses to those commands go over the control connection.
  - FTP Data Channel: used for all subsequent data transfers between the
    client and server. In active mode the server connects back to the client
    from TCP port 20; in passive mode the client connects to an ephemeral
    port the server announces on the control channel. This is why FTP needs a
    stateful firewall, or an explicitly configured passive port range, to
    pass through NAT.
How To Get VSFTPD Started

- With Fedora, Red Hat, Ubuntu and Debian you can start, stop or restart
  vsftpd after booting by using these commands:
    [root@bigboy tmp]# /etc/init.d/vsftpd start
    [root@bigboy tmp]# /etc/init.d/vsftpd stop
    [root@bigboy tmp]# /etc/init.d/vsftpd restart

- With Red Hat / Fedora you can configure vsftpd to start at boot with the
  chkconfig command:

    [root@bigboy tmp]# chkconfig vsftpd on
The Apache Web Server

- Apache is probably the most popular Linux-based web server application in
  use.
- When searching for the file, the Red Hat / Fedora Apache RPM package's
  filename usually starts with the word httpd followed by a version number,
  as in httpd-2.0.48-1.2.rpm.
Get Apache started

- Use the chkconfig command to configure Apache to start at boot:

    [root@bigboy tmp]# chkconfig httpd on

- Use the httpd init script in the /etc/init.d directory to start, stop and
  restart Apache after booting:

    [root@bigboy tmp]# /etc/init.d/httpd start
    [root@bigboy tmp]# /etc/init.d/httpd stop
    [root@bigboy tmp]# /etc/init.d/httpd restart
General Configuration Steps

- The configuration file used by Apache is /etc/httpd/conf/httpd.conf in
  Red Hat / Fedora distributions and /etc/apache*/httpd.conf in Debian /
  Ubuntu distributions.
- As for most Linux applications, you must restart Apache before changes to
  this configuration file take effect. Run the syntax check first (httpd -t
  or apachectl configtest) so that a typo does not leave the site down after
  the restart.
Where To Put Web Pages

- All the statements that define the features of each web site are grouped
  together inside their own <VirtualHost> section, or container, in the
  httpd.conf file.
- The most commonly used statements, or directives, inside a <VirtualHost>
  container are:
  - ServerName: defines the name of the website managed by the <VirtualHost>
    container. This is needed in named virtual hosting only, as explained
    below.
  - DocumentRoot: defines the directory in which the web pages for the site
    can be found.
Where To Put Web Pages

- By default, Apache searches the DocumentRoot directory for an index, or
  home, page named index.html.
- Example: if a ServerName of www.my-site.com has a DocumentRoot directory of
    /home/www/site1/
  Apache displays the contents of the file /home/www/site1/index.html when
  someone enters http://www.my-site.com in a browser.
The Default File Location

- By default, Apache expects to find all its web page files in the
  /var/www/html/ directory, set by a generic DocumentRoot statement near the
  beginning of httpd.conf.
- Apache will serve web page files as long as the httpd process can read
  them, so all the files and subdirectories under DocumentRoot need suitable
  permissions.
  - If you keep sites under /home/www instead, set the permissions on the
    /home/www directory to 755, which lets all users, including Apache's
    httpd daemon, read and traverse it, and give the files themselves 644.
    Do not make anything under DocumentRoot writable by the httpd user unless
    the application needs it, and keep configuration and password files
    outside the tree entirely.
Named Virtual Hosting

- Apache allows a web server to host more than one site per IP address by
  using Apache's named virtual hosting feature: the Host: header sent by the
  client selects the site.
- Use the NameVirtualHost directive in the /etc/httpd/conf/httpd.conf file to
  tell Apache which IP addresses will participate in this feature.
- The <VirtualHost> containers in the file then tell Apache where it should
  look for the web pages used on each web site.
- The administrator must specify the IP address to which each <VirtualHost>
  container applies. Requests for a name that matches no ServerName or
  ServerAlias are served by the first container listed for that address.
Named Virtual Hosting Example

    ServerName localhost
    NameVirtualHost 97.158.253.26

    # catch-all for any address not covered below
    <VirtualHost *>
        DocumentRoot /home/www/site1
    </VirtualHost>

    # first container for 97.158.253.26: also the default for unknown names
    <VirtualHost 97.158.253.26>
        DocumentRoot /home/www/site2
        ServerName www.my-site.com
        ServerAlias my-site.com www.my-cool-site.com
    </VirtualHost>

    <VirtualHost 97.158.253.26>
        DocumentRoot /home/www/site3
        ServerName www.test-site.com
    </VirtualHost>

    <VirtualHost 97.158.253.26>
        DocumentRoot /home/www/site4
        ServerName www.another-site.com
    </VirtualHost>

ServerAlias takes a space-separated list of names; a comma would become part
of the name and the alias would never match.
Protect Web Page Directories With Passwords

- Use Apache's htpasswd utility to create username/password combinations,
  independent of the system login passwords, for web page access.
- Specify the location of the password file; if it does not yet exist,
  include the -c (create) switch on the command line. Use -c only the first
  time, since it truncates an existing file.
- Place the file in the /etc/httpd/conf directory, away from the DocumentRoot
  tree where web users could otherwise download it.
htpasswd Example

    [root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter
    New password:
    Re-type new password:
    Adding password for user peter
    [root@bigboy tmp]#

    [root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul
    New password:
    Re-type new password:
    Adding password for user paul
    [root@bigboy tmp]#
Protect Web Page Directories With Passwords

- The .htpasswd file must be readable by the user the httpd daemon runs as,
  but it should not be world-readable: it holds password hashes that any
  local user could otherwise copy and crack offline. Set its group to the one
  httpd runs as (apache on Red Hat / Fedora) and restrict it to mode 640:
    [root@bigboy tmp]# chmod 640 /etc/httpd/conf/.htpasswd

- Create a .htaccess file in the directory you want to protect, with these
  entries:
    AuthUserFile /etc/httpd/conf/.htpasswd
    AuthGroupFile /dev/null
    AuthName "EnterPassword"
    AuthType Basic
    require user peter

- AuthType Basic sends the password base64-encoded, not encrypted; on
  anything other than a trusted LAN, serve protected directories over HTTPS.
Protect Web Page Directories With Passwords

- Set the correct file protections on the new .htaccess file in the directory
  /home/www:
    [root@bigboy tmp]# chmod 644 /home/www/.htaccess

- Make sure your /etc/httpd/conf/httpd.conf file has an AllowOverride
  statement in a <Directory> directive for the directory tree containing
  /home/www; without it Apache ignores .htaccess files and the directory
  stays open.
- In the example below, all directories below /home/www/ may require password
  authorization through their .htaccess files:
    <Directory /home/www/*>
        AllowOverride AuthConfig
    </Directory>
Protect Web Page Directories With Passwords

- Make sure that a <VirtualHost> directive defines access to /home/www or
  another directory higher up in the tree:
    <VirtualHost *>
        ServerName 97.158.253.26
        DocumentRoot /home/www
    </VirtualHost>

- Restart Apache, then test: a request without credentials must get a 401
  response before you consider the directory protected.
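The password-protection steps above put the password file outside DocumentRoot and then set its mode. The two checks a practitioner actually wants are "is this file reachable through the web tree?" and "can every local user read the hashes?". The following added example, not part of the slides, answers both for any path with plain POSIX tools and then applies the fix. The DocumentRoot and file locations are a constructed temporary tree standing in for /home/www and /etc/httpd/conf, the file contents are a placeholder rather than a real hash, and the group name apache is an assumption taken from Red Hat / Fedora packaging.

```shell
#!/bin/sh
# Added example (not from the slides): sanity-check an htpasswd file's location
# and permissions, then harden it.

# check_htpasswd FILE DOCROOT: exit 0 if FILE is outside DOCROOT and not
# readable by "other"; otherwise print each problem and exit 1.
check_htpasswd() {
    file=$1 docroot=$2 rc=0
    # canonicalise both paths so /home/www/../www/.htpasswd is still "inside"
    real_file=$(cd "$(dirname "$file")" && pwd -P)/$(basename "$file")
    real_root=$(cd "$docroot" && pwd -P)
    case $real_file in
        "$real_root"/*)
            echo "$file: lives inside DocumentRoot $docroot, web clients may fetch it"
            rc=1 ;;
    esac
    # column 8 of the ls -ld mode string is the "other" read bit
    mode=$(ls -ld "$file" | cut -c1-10)
    if [ "$(printf '%s' "$mode" | cut -c8)" = "r" ]; then
        echo "$file: mode $mode is world-readable, any local user can copy the hashes"
        rc=1
    fi
    return $rc
}

# harden_htpasswd FILE GROUP: readable by the owner and the web server's group
# only.  chgrp needs root (or file ownership) and an existing group; on
# Red Hat / Fedora the httpd group is "apache" (assumption for this example).
harden_htpasswd() {
    chmod 640 "$1"
    chgrp "$2" "$1" 2>/dev/null || echo "note: could not chgrp $1 to $2 (run as root; group must exist)"
}

# --- constructed demo tree standing in for /home/www and /etc/httpd/conf ---
HT=$(mktemp -d)
mkdir -p "$HT/www" "$HT/conf"
printf 'peter:PLACEHOLDER-NOT-A-REAL-HASH\n' > "$HT/conf/.htpasswd"  # outside the web tree
cp "$HT/conf/.htpasswd" "$HT/www/.htpasswd"                          # the mistake to catch
chmod 644 "$HT/conf/.htpasswd" "$HT/www/.htpasswd"                  # world-readable

for f in "$HT/conf/.htpasswd" "$HT/www/.htpasswd"; do
    check_htpasswd "$f" "$HT/www" || :
done
harden_htpasswd "$HT/conf/.htpasswd" apache
check_htpasswd "$HT/conf/.htpasswd" "$HT/www" && echo "$HT/conf/.htpasswd: OK"
```

On a real server the call is `check_htpasswd /etc/httpd/conf/.htpasswd /home/www`; the same two questions apply to any file that AuthUserFile or AuthGroupFile points at.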
Linux firewall

- Linux uses iptables (the Netfilter packet-filtering framework in the kernel
  and its userspace tool) for firewall solutions.
  - A typical home scenario: a router that uses NAT and port forwarding both
    to protect the home network and to expose a web server on the home
    network while sharing the firewall's single public IP address.
iptables Features

- Integration with the Linux kernel, with the capability of loading
  iptables-specific kernel modules designed for improved speed and
  reliability.
- Stateful packet inspection: the firewall keeps track of each connection
  passing through it and, for certain protocols (FTP, for example), inspects
  the data flow to anticipate the related connection that follows.
- Filtering packets based on a MAC address and on the values of the flags in
  the TCP header.
- System logging with an adjustable level of detail.
- Network address translation.
- Support for transparent integration with web proxy programs such as Squid.
- A rate-limiting feature that helps iptables block some types of denial of
  service (DoS) attacks.
Start iptables

- Start, stop or restart iptables with:
    [root@bigboy tmp]# service iptables start
    [root@bigboy tmp]# service iptables stop
    [root@bigboy tmp]# service iptables restart

- Sample iptables command:
    iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
        --sport 1024:65535 --dport 80 -j ACCEPT

  - This rule tells the firewall to accept TCP packets for routing when they
    enter on interface eth0 from any source address (-s 0/0, which is also
    the default) and are destined for 192.168.1.58, reachable via interface
    eth1.
  - The source port must be in the range 1024 to 65535 and the destination
    port must be 80.
  - The --sport match adds no protection: the client chooses its own source
    port. Matching on connection state (-m state --state NEW, with a separate
    ESTABLISHED,RELATED rule for the return traffic) is what actually limits
    what gets through, and the FORWARD chain's default policy must be DROP
    for an ACCEPT rule to mean anything.
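The single FORWARD rule above only makes sense inside a complete policy for the scenario described earlier (a NAT router with a web server behind it). The added example below, not part of the original slides, generates that policy in iptables-restore format so it can be reviewed as text and loaded atomically. The interface names eth0 (public) and eth1 (LAN) and the server address 192.168.1.58 are taken from the slide; that the public address is dynamic (hence MASQUERADE rather than SNAT) and that the router is managed over SSH from the LAN are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the slides): complete NAT + port-forwarding policy
# for a two-interface home router, emitted in iptables-restore format.

# gen_router_rules PUB_IF LAN_IF WEB_IP: print the ruleset to stdout
gen_router_rules() {
    pub=$1 lan=$2 web=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# incoming TCP/80 on the public interface is rewritten to the internal server
-A PREROUTING -i $pub -p tcp --dport 80 -j DNAT --to-destination $web:80
# LAN traffic leaving on the public side borrows the router's (dynamic) address
-A POSTROUTING -o $pub -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management access to the router itself, from the LAN only
-A INPUT -i $lan -p tcp --dport 22 -m state --state NEW -j ACCEPT
# return packets and related connections for anything allowed below
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN hosts may open connections to the outside
-A FORWARD -i $lan -o $pub -m state --state NEW -j ACCEPT
# The Internet may open connections only to the web server, only on port 80.
# Filter rules see the post-DNAT destination, so match on $web rather than
# the public address.  No --sport: the client picks its source port.
-A FORWARD -i $pub -o $lan -d $web -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# count_accept_rules RULESET_TEXT CHAIN: how many ACCEPT rules a chain has
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- "^-A $2 .* -j ACCEPT"
}

RULES=$(gen_router_rules eth0 eth1 192.168.1.58)
printf '%s\n' "$RULES"
# To apply (as root):    printf '%s\n' "$RULES" | iptables-restore
# To persist on Fedora:  service iptables save   (writes /etc/sysconfig/iptables)
```

Loading through iptables-restore replaces the whole table in one step, so a half-applied policy never leaves the FORWARD chain at ACCEPT between two commands, which is the failure mode of typing rules one by one.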
Secure Remote Logins

- OpenSSH provides a number of ways to create encrypted remote terminal and
  file transfer connections between clients and servers.
- The OpenSSH Secure Copy (scp) and Secure FTP (sftp) programs are secure
  replacements for FTP.
- Secure Shell (ssh) is the encrypted replacement for telnet: the session,
  including the login credentials, is protected against eavesdropping.

Starting OpenSSH

- OpenSSH is installed by default during Linux installation.
- SSH and SCP are part of the same application: they share the same
  configuration file and are governed by the same /etc/init.d/sshd startup
  script.
- Configure SSH to start at boot by using the chkconfig command when running
  Fedora:

    [root@bigboy tmp]# chkconfig sshd on
The /etc/ssh/sshd_config File

- The SSH server configuration file is /etc/ssh/sshd_config. By default sshd
  listens on all network interfaces and uses TCP port 22:

    #   The strategy used for options in the default sshd_config shipped with
    #   OpenSSH is to specify options with their default value where
    #   possible, but leave them commented. Uncommented options change a
    #   default value.

    #Port 22
    #Protocol 2,1

    #ListenAddress 0.0.0.0
    #ListenAddress ::

- In this release the commented default Protocol 2,1 means the obsolete SSH
  protocol version 1 is still accepted; uncomment the line and set
  Protocol 2. On a multi-homed host, set ListenAddress to the management
  interface only.
- Start, stop and restart SSH with the service command (service sshd restart
  after editing the file).
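The stock sshd_config quoted above carries every option as a commented default, which is convenient to read but easy to misjudge: sshd takes the first uncommented value of a keyword and ignores later ones, and a line that stays commented keeps the compiled-in default, here Protocol 2,1. The added example below, not part of the slides, resolves the effective value the way sshd does and flags the settings to review first. The two configuration files are constructed for the example (the stock one follows the excerpt above; the PermitRootLogin and PasswordAuthentication lines are assumed to be present in the same commented form), and the "first value wins" rule is OpenSSH's documented behaviour for options outside Match blocks.

```shell
#!/bin/sh
# Added example (not from the slides): resolve sshd_config values the way sshd
# does, then audit the settings that matter most.

# sshd_effective FILE KEYWORD
# Prints the value sshd uses: the FIRST uncommented occurrence wins (keywords
# are case-insensitive, later duplicates are ignored).  When the keyword is
# never set, the stock file's "#Keyword value" line documents the compiled-in
# default, so that is printed instead.
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        tolower($1) == ("#" tolower(key)) && def == "" {
            $1 = ""; sub(/^[ \t]+/, ""); def = $0
        }
        END { if (!found && def != "") print def }' "$1"
}

# sshd_audit FILE: report the settings a practitioner checks first.
# Exit 1 if the obsolete SSH protocol version 1 is still accepted.
sshd_audit() {
    f=$1 rc=0
    proto=$(sshd_effective "$f" Protocol)
    case ",$proto," in
        *,1,*) echo "Protocol $proto: SSH-1 accepted, set 'Protocol 2'"; rc=1 ;;
        ",,")  echo "Protocol: not set and no documented default in file; check this version's default" ;;
        *)     echo "Protocol $proto: SSH-1 refused" ;;
    esac
    echo "Port: $(sshd_effective "$f" Port)"
    echo "PermitRootLogin: $(sshd_effective "$f" PermitRootLogin)"
    echo "PasswordAuthentication: $(sshd_effective "$f" PasswordAuthentication)"
    return $rc
}

# --- constructed sample files ---
SD=$(mktemp -d)
# stock file: everything commented, i.e. compiled-in defaults, as in the excerpt
cat > "$SD/stock" <<'EOF'
#Port 22
#Protocol 2,1

#ListenAddress 0.0.0.0
#ListenAddress ::

#PermitRootLogin yes
#PasswordAuthentication yes
EOF
# hardened file; the trailing line shows why "first value wins" matters
cat > "$SD/hardened" <<'EOF'
Port 22
Protocol 2
ListenAddress 192.168.1.1
PermitRootLogin no
PasswordAuthentication no
# the next line is ignored by sshd: Protocol was already set above
Protocol 2,1
EOF

for cfg in stock hardened; do
    echo "== $cfg =="
    sshd_audit "$SD/$cfg" || :
done
```

Point it at the live file with `sshd_audit /etc/ssh/sshd_config`; because of the first-match rule, a hardening line appended at the bottom of a file that already sets the same keyword higher up changes nothing, which is exactly the mistake this resolver makes visible.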
Other Linux services

- NTP
- Sendmail
- DNS
- MRTG
- Network File System (NFS)
- etc.
Questions

1. Explain what the Telnet service is used for. What is the drawback of this
   service?
2. What is a Virtual Host? Explain.

				