Advanced Guide to Linux Networking and Security

Chapter 4
Using Simple Network Services

• Understand network daemons
• Configure “superservers” to handle multiple network
• Set up administrative services such as logging and
• Use simple network information services such as
  finger and talk
• Understand basic mailing list and news server

Using Simple Network Services                       2
Network Daemons

• Implement numerous services
   – Examples: Web access, e-mail, file sharing
• Characteristics of daemons
   – Programs typically started by the system
   – Not associated with a user terminal
   – Names usually end with "d", as in inetd
• Enter ps ax command to generate list of daemons
• How to communicate with a daemon
   – Modify its configuration using signals

Network Daemons (continued)
• Three commands demonstrating communication
   – killall -HUP syslogd
         • Reconfigures syslogd without stopping services
         • -HUP is an abbreviation of the SIGHUP signal
   – killall -TERM inetd
         • Stops a daemon by sending SIGTERM signal (-TERM)
   – kill -KILL 201
         • Stops daemon with PID 201 using SIGKILL signal (-KILL)
• Daemons consume various system resources
   – Examples: memory, disk space, and file descriptors
• Security requirement for daemons
   – Daemons using TCP/UDP ports < 1024 run as root user
Daemons on Demand

• Superservers: software loading daemons on demand
• How superservers work
    – Listen on multiple network ports
    – Start appropriate service on one of two conditions
         • A client requests a connection for that port
         • A datagram arrives (in the case of UDP)
• Two popular superservers: inetd and xinetd
    – Examine /etc directory to determine which is installed
• Daemon not using a superserver is daemonized
• Superserver disadvantage: time taken to load the daemon on each request
Using inetd and TCP Wrappers
• inetd (Internet daemon): original superserver
     – Monitors TCP and UDP ports
     – Launches programs to handle port connection
• TCP Wrappers program (tcpd)
     – Provides logging and access control for connections
• Example of one line in /etc/inetd.conf file:
         ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
           • First field tells inetd which port to listen to
           • Second and third fields indicate connection type
           • Fourth field determines whether inetd pauses
           • Fifth field indicates which user ID server runs under
           • Sixth field launches program in response to packet
Using inetd and TCP Wrappers
• More on the sixth field: /usr/sbin/tcpd in.ftpd -l -a
     – Runs the TCP Wrappers program
     – If connection allowed, in.ftpd daemon spawned
           • -l and -a options passed on command line
          • Request is logged
     – If connection not allowed, packet is dropped
• After editing inetd.conf, restart or reinitialize inetd
• /etc/hosts.allow and /etc/hosts.deny files
     – Used to configure TCP Wrappers
     – Format: daemon name followed by IP name/address
          • Example: in.telnetd:
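The six-field inetd.conf line format above is simple enough to audit mechanically. The following Python script is an added example (not from the book) that parses the active lines of an inetd.conf into those fields and reports which external services run as root without passing through tcpd, which is the first thing to check before relying on hosts.allow/hosts.deny. The configuration text is constructed; the ftp line is the one quoted on the slide.

```python
"""Parse inetd.conf lines into the six fields described on the slide and flag
root services that are not wrapped by tcpd. Added example; sample data is
constructed, not taken from a real system."""

from dataclasses import dataclass
from typing import List

# Constructed sample inetd.conf. The ftp line is the slide's example; the
# others are made up for illustration.
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <wait/nowait> <user> <server> <args>
ftp      stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd        in.fingerd
daytime  stream  tcp  nowait  root    internal
#talk    dgram   udp  wait    nobody  /usr/sbin/tcpd        in.talkd
"""


@dataclass
class InetdEntry:
    service: str       # field 1: port name, resolved through /etc/services
    socket_type: str   # field 2: stream or dgram
    protocol: str      # field 3: tcp or udp
    wait: str          # field 4: wait or nowait
    user: str          # field 5: user ID the server runs under
    server: str        # field 6: program inetd launches ("internal" = built-in)
    args: List[str]    # remaining words: argv handed to that program

    @property
    def wrapped(self) -> bool:
        """True when the launched program is the TCP Wrappers daemon."""
        return self.server == "tcpd" or self.server.endswith("/tcpd")

    @property
    def real_program(self) -> str:
        """The daemon that actually handles the connection."""
        if self.wrapped and self.args:
            return self.args[0]
        return self.server


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Return the active (uncommented) entries of an inetd.conf."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or a service disabled with a comment character
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        entries.append(InetdEntry(*fields[:6], args=fields[6:]))
    return entries


def unwrapped_root_services(entries: List[InetdEntry]) -> List[str]:
    """Names of external services that run as root and bypass tcpd.
    Services marked 'internal' are handled by inetd itself and are skipped."""
    return [e.service for e in entries
            if e.user == "root" and e.server != "internal" and not e.wrapped]


if __name__ == "__main__":
    active = parse_inetd_conf(SAMPLE_INETD_CONF)
    for e in active:
        print(f"{e.service:8} {e.protocol:4} user={e.user:7} "
              f"wrapped={e.wrapped!s:5} -> {e.real_program}")
    print("root services not behind tcpd:", unwrapped_root_services(active))
```

Commented-out lines are treated as disabled, exactly as inetd does, so the report reflects what would actually be started on a connection.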
Using inetd and TCP Wrappers
• Default action of tcpd is to provide access
• Keywords ALL and EXCEPT fine-tune tcpd setup
• Example: tcpd configuration with ALL
     – hosts.allow file contains in.telnetd: 192.168
          • Users with IP address prefix 192.168 access Telnet
     – hosts.deny file contains in.telnetd: ALL
          • All other users (not specifically allowed) are denied
• Investigate options using man 5 hosts_access
• You may combine allow and deny conditions
     – Check hosts_options man page for details
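The decision tcpd makes from hosts.allow and hosts.deny is easy to get wrong by hand, so here is an added Python example (not from the book or from the tcp_wrappers package) that reproduces the lookup order of hosts_access(5) for the subset of the pattern language used on the slides: daemon lists, ALL, EXCEPT, and address prefixes. The two sample files are constructed; the slide's 192.168 prefix is written in the hosts_access form with a trailing dot, which is how tcpd recognizes a prefix pattern.

```python
"""Evaluate tcpd access decisions from hosts.allow and hosts.deny in the
order hosts_access(5) uses: a match in hosts.allow grants, otherwise a match
in hosts.deny refuses, otherwise access is granted. Added example; the files
below are constructed."""

from typing import List, Tuple

# Constructed hosts.allow / hosts.deny mirroring the slide: 192.168.* may
# reach Telnet and everyone else is refused; ftp is open except to 10.0.0.*.
SAMPLE_HOSTS_ALLOW = """\
# daemon_list : client_list
in.telnetd: 192.168.
in.ftpd: ALL EXCEPT 10.0.0.
"""
SAMPLE_HOSTS_DENY = """\
in.telnetd: ALL
in.ftpd: ALL
"""


def _token_matches(token: str, value: str) -> bool:
    """One pattern token against a daemon name or client address."""
    if token == "ALL":
        return True
    if token.endswith("."):          # "192.168." matches addresses starting with it
        return value.startswith(token)
    return token == value            # anything else must match exactly


def _list_matches(pattern_list: str, value: str) -> bool:
    """A comma/space separated list with at most one EXCEPT clause: matches
    when some token before EXCEPT matches and no token after it does."""
    parts = pattern_list.replace(",", " ").split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        included, excluded = parts[:i], parts[i + 1:]
    else:
        included, excluded = parts, []
    return (any(_token_matches(t, value) for t in included)
            and not any(_token_matches(t, value) for t in excluded))


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (daemon_list, client_list) pairs, skipping comments and blanks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.strip(), clients.strip()))
    return rules


def _any_rule_matches(rules, daemon: str, client: str) -> bool:
    return any(_list_matches(d, daemon) and _list_matches(c, client)
               for d, c in rules)


def access_allowed(daemon: str, client: str,
                   allow_text: str = SAMPLE_HOSTS_ALLOW,
                   deny_text: str = SAMPLE_HOSTS_DENY) -> bool:
    """tcpd's decision for one connection attempt."""
    if _any_rule_matches(parse_rules(allow_text), daemon, client):
        return True      # hosts.allow is consulted first and wins
    if _any_rule_matches(parse_rules(deny_text), daemon, client):
        return False     # then hosts.deny
    return True          # no rule at all: tcpd's default is to grant access


if __name__ == "__main__":
    for d, c in [("in.telnetd", "192.168.1.5"), ("in.telnetd", "10.0.0.7"),
                 ("in.ftpd", "10.0.0.7"), ("in.fingerd", "10.0.0.7")]:
        print(f"{d:12} from {c:12} -> {'allow' if access_allowed(d, c) else 'deny'}")
```

The last branch is the point the slide makes: a daemon with no entry in either file is reachable from anywhere, so a deny-by-default policy needs an `ALL: ALL` line in hosts.deny. The real tcpd also understands host names, netmasks and wildcards such as LOCAL and KNOWN, which this example omits.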
Using xinetd
• xinetd (Internet daemon or Internet Super Daemon)
     – Superserver with greatly enhanced functionality
     – /etc/xinetd.conf refers to /etc/xinetd.d directory
• Format of each file in /etc/xinetd.d
     – First part names a service, such as FTP
     – Brackets enclose options applying to service
          • Options matching inetd.conf: socket_type, user, server
          • Other options, such as disable, extend inetd
          • Check man page for detailed list of available options
• Restart xinetd after making configuration changes
     – Use script in /etc/rc.d/init.d or kill with SIGUSR2
Exploring Network Testing Services
• Using programs internal to superservers
• Enabling network services (disabled by default)
    – Using xinetd: go to appropriate file in /etc/xinetd.d
         • Change disable=yes line to disable=no
    – Using inetd: go to appropriate line in /etc/inetd.conf file
         • Remove comment character from beginning of line
• Five testing services activated with Telnet
    – echo: service on UDP/TCP port 7 that echoes its input back
    – chargen: uses UDP port 19 to return character stream
    – discard: service on UDP/TCP port 9 like /dev/null
    – time: service on UDP/TCP port 37 returns current time
    – daytime: service on UDP/TCP port 13 returns day/time
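The xinetd.d file format described on the previous slide (a service name, then attributes inside braces) and the disable=yes/no switch used to turn the testing services on are small enough to parse directly. The following Python is an added example, not from the book or from xinetd, that reads service files in that format and reports which of the five testing services are enabled and on which port. The two service files are constructed, and the port table is an excerpt of the /etc/services entries quoted above.

```python
"""Parse /etc/xinetd.d style service files and list enabled testing services.
Added example; the files and the port table below are constructed."""

import re
from typing import Dict, List

# Constructed service files. Only 'disable' decides whether xinetd serves them.
SAMPLE_XINETD_FILES = {
    "/etc/xinetd.d/echo": """\
# default: off
service echo
{
        disable         = no
        type            = INTERNAL
        id              = echo-stream
        socket_type     = stream
        protocol        = tcp
        user            = root
        wait            = no
}
""",
    "/etc/xinetd.d/chargen": """\
service chargen
{
        disable         = yes
        type            = INTERNAL
        socket_type     = dgram
        protocol        = udp
        user            = root
        wait            = yes
}
""",
}

# Ports quoted on the slide for the five testing services.
TEST_SERVICE_PORTS = {"echo": 7, "discard": 9, "daytime": 13, "chargen": 19, "time": 37}

_HEADER = re.compile(r"^\s*service\s+(\S+)\s*$")
_ATTR = re.compile(r"^\s*(\w+)\s*([+-]?=)\s*(.*?)\s*$")


def parse_xinetd_service(text: str) -> Dict[str, str]:
    """Return {'service': name, attribute: value, ...} for one service file.
    Plain '=' assignments are stored by name; '+=' and '-=' list edits are
    stored under 'name+=' / 'name-=' so they stay distinguishable."""
    result: Dict[str, str] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        m = _HEADER.match(line)
        if m and not in_block:
            result["service"] = m.group(1)
            continue
        if line.strip() == "{":
            in_block = True
            continue
        if line.strip() == "}":
            in_block = False
            continue
        m = _ATTR.match(line)
        if in_block and m:
            name, op, value = m.groups()
            result[name if op == "=" else f"{name}{op}"] = value
    if "service" not in result:
        raise ValueError("no 'service <name>' header found")
    return result


def enabled_services(files: Dict[str, str]) -> List[str]:
    """Services whose file does not say 'disable = yes' (xinetd's default is enabled)."""
    names = []
    for text in files.values():
        svc = parse_xinetd_service(text)
        if svc.get("disable", "no").lower() != "yes":
            names.append(svc["service"])
    return sorted(names)


def enabled_test_services(files: Dict[str, str]) -> Dict[str, int]:
    """Enabled testing services mapped to the port they answer on."""
    return {n: TEST_SERVICE_PORTS[n] for n in enabled_services(files)
            if n in TEST_SERVICE_PORTS}


if __name__ == "__main__":
    print("enabled:", enabled_services(SAMPLE_XINETD_FILES))
    print("enabled test services:", enabled_test_services(SAMPLE_XINETD_FILES))
```

Running this over a real /etc/xinetd.d directory gives a quick inventory of what a superserver would answer on; the testing services are normally left at disable=yes on anything reachable from untrusted networks and enabled only for the duration of a test. The parser handles one service block per file, which is the layout xinetd.d uses; a `defaults` block in xinetd.conf itself is not covered.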
Using Administrative Services

• Examples: logging and printing
• Discussion of services to follow

Logging with logd

• Two categories of logd daemons
   – klogd: used for kernel messages
   – syslogd: used for all other messages
• Logging function configured via /etc/syslog.conf
• Four message handling options in syslog.conf
   – Write the message to a file
   – Write message to pipe (which filter program listens to)
   – Print message on terminal of one or more named users
   – Forward message to another system (remote logging)
• Remote logging offers security and backup benefits
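The four message handling options above correspond to four shapes of the action field in /etc/syslog.conf. The following Python is an added example (not from the book or from sysklogd) that classifies each configured action and then checks the point the slide makes about remote logging: which selectors are forwarded, and which are forwarded only, with no local copy to fall back on. The configuration lines are constructed and the host name loghost is a placeholder.

```python
"""Classify /etc/syslog.conf actions into file, pipe, users and remote, and
audit which selectors have a local copy. Added example; the configuration
below is constructed and 'loghost' is a placeholder host name."""

from typing import Dict, List, Tuple

SAMPLE_SYSLOG_CONF = """\
# facility.priority       action
kern.*                    /var/log/messages
kern.*                    @loghost
cron.*                    @loghost
mail.info                 |/usr/local/bin/mailfilter
*.emerg                   *
auth,authpriv.warning     root,operator
*.info;mail.none          -/var/log/syslog
"""


def classify_action(action: str) -> Tuple[str, str]:
    """Return (kind, target) for one syslog.conf action field."""
    if action.startswith("@"):
        return "remote", action[1:]    # forwarded to another syslogd (UDP port 514)
    if action.startswith("|"):
        return "pipe", action[1:]      # named pipe read by a filter program
    if action.startswith("-"):
        return "file", action[1:]      # leading '-' only disables fsync after each write
    if action.startswith("/"):
        return "file", action
    if action == "*":
        return "users", "*"            # terminals of all logged-in users
    return "users", action             # comma separated login names


def parse_syslog_conf(text: str) -> List[Dict[str, str]]:
    """Split each active line into its selector and classified action."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)   # selector and action are whitespace separated
        kind, target = classify_action(action.strip())
        entries.append({"selector": selector, "kind": kind, "target": target})
    return entries


def remote_destinations(text: str) -> List[str]:
    """Hosts this configuration forwards to; syslog traffic to them is unencrypted UDP."""
    return sorted({e["target"] for e in parse_syslog_conf(text) if e["kind"] == "remote"})


def selectors_without_local_copy(text: str) -> List[str]:
    """Selectors that are forwarded but never written to a local file, so the
    records are lost if the remote host is unreachable."""
    kinds: Dict[str, set] = {}
    for e in parse_syslog_conf(text):
        kinds.setdefault(e["selector"], set()).add(e["kind"])
    return sorted(s for s, k in kinds.items() if "remote" in k and "file" not in k)


if __name__ == "__main__":
    for e in parse_syslog_conf(SAMPLE_SYSLOG_CONF):
        print(f"{e['selector']:24} {e['kind']:7} {e['target']}")
    print("forwarded to:", remote_destinations(SAMPLE_SYSLOG_CONF))
    print("remote-only selectors:", selectors_without_local_copy(SAMPLE_SYSLOG_CONF))
```

Keeping both a local file line and an `@host` line for the same selector, as the kern.* pair does, is what gives remote logging its backup value: an intruder who tampers with the local file leaves the copy on the log host untouched, and a network outage leaves the local file.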
Logging with logd (continued)

• syslogd uses UDP port 514 for remote logging
   – Port 514 must be listed in /etc/services
• Enable remote feature by editing /etc/sysconfig/syslog
   – Add -r to SYSLOG_OPTIONS line
• Configure /etc/syslog.conf for local or remote storage
   – Locally store kernel message: kern.* /var/log/messages
   – Remotely store message: kern.*
• Review syslogd man page for command options
   – Example 1: -s strips domain before logging an event
   – Example 2: -x prevents dereferencing of host names
Printing with Linux
• Uses networking by default
• Line Printer Daemon protocol
     – Allows Linux to interact with other operating systems
     – Supported by five programs
           • lpd: controls the line printer daemon
           • lpr: sends a print job to a print queue
           • lpq: displays the contents of the print queues
           • lprm: removes print jobs from print queues
           • lpc: controls the print queues
     – Uses TCP and listens on port 515
     – Expects source ports to be in range of 721 to 731

Printing with Linux (continued)
• Configure printing to remote host in /etc/printcap
    – Example:
         • :rm= defines remote host to print to
         • :rp= defines remote print queue to use
    – Ensure that print queue is valid on remote host
• Set lpd permissions in /etc/lpd.conf and /etc/lpd.perms
• Basic functions of lpd print server
    – Accepts print jobs
    – Spool print jobs to print queue directory
    – Send print jobs sequentially to physical printer
Printing with Linux (continued)

• lpd response to request for remote printer
    – Use port 515 to connect to lpd program on remote host
    – Remote copy of lpd accepts connection
         • Assumptions: firewall not present and lpd copy is active
    – Remote lpd spools print job to local file
    – Processing continues as job originated on remote host
• Internet Printing Protocol (IPP)
    – Experimental printing protocol
    – Supported by Common UNIX Printing System (CUPS)
    – Uses HTTP version 1.1 running on TCP port 631
Printing with Linux (continued)

• Configure CUPS via a Web browser
    – Start CUPS daemon (cupsd)
    – Point browser to http://localhost:631
    – Main CUPS page is retrieved from Web server
    – Click Do Administration Tasks link for Administration
• Visit for more information

Configuring NTP Time Synchronization
• Purpose: synchronize all hosts to common time
• Network Time Protocol (NTP)
   – Internet's time synchronization protocol
   – NTP epoch: midnight, January 1, 1900
   – Time represented by a 64-bit value
         • First 32 bits for time elapsed in seconds from NTP epoch
         • Last 32 bits for fractional part of current second
• Hierarchy of NTP servers
   – Servers at stratum 1 synchronize time to atomic clocks
         • Atomic clock time broadcast from satellite
   – Lower level servers synchronize to servers above
         • Example: stratum 2 servers synchronize to stratum 1
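The 64-bit timestamp layout described above (32 bits of seconds since the 1900 epoch, 32 bits of fraction) can be worked through in a few lines. This Python is an added example, not from the book or from the ntp distribution, converting between Unix time and the NTP timestamp; it also shows the consequence of a 32-bit seconds field, which wraps at the end of the first NTP era in February 2036.

```python
"""Pack and unpack the 64-bit NTP timestamp format. Added example; the
conversion constant is the number of seconds between 1900-01-01 and
1970-01-01 (70 years, 17 of them leap years)."""

from datetime import datetime, timezone
from typing import Tuple

NTP_UNIX_OFFSET = 2_208_988_800      # 1900-01-01 -> 1970-01-01 in seconds
MASK32 = 0xFFFF_FFFF


def unix_to_ntp(unix_seconds: int, microseconds: int = 0) -> int:
    """Return the 64-bit NTP value: (seconds << 32) | fraction.
    The seconds field is masked to 32 bits, as it is on the wire, so values
    past 2036-02-07 06:28:16 UTC wrap to the start of the next era."""
    seconds = (unix_seconds + NTP_UNIX_OFFSET) & MASK32
    # fraction field = microseconds scaled from 1e6 to 2^32 units
    fraction = (microseconds * (1 << 32)) // 1_000_000
    return (seconds << 32) | fraction


def ntp_to_unix(ntp_value: int) -> Tuple[int, int]:
    """Inverse of unix_to_ntp for era 0: (unix_seconds, microseconds).
    The fraction is rounded to the nearest microsecond."""
    seconds = ntp_value >> 32
    fraction = ntp_value & MASK32
    microseconds = (fraction * 1_000_000 + (1 << 31)) >> 32
    return seconds - NTP_UNIX_OFFSET, microseconds


def ntp_to_datetime(ntp_value: int) -> datetime:
    """Human-readable UTC form of an era-0 NTP timestamp."""
    seconds, microseconds = ntp_to_unix(ntp_value)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=microseconds)


def ntp_era_end_unix() -> int:
    """Unix time at which the 32-bit seconds field overflows (2036-02-07 06:28:16 UTC)."""
    return (1 << 32) - NTP_UNIX_OFFSET


if __name__ == "__main__":
    t = unix_to_ntp(0)   # the Unix epoch expressed as an NTP timestamp
    print(f"Unix epoch  = 0x{t:016x}  ({ntp_to_datetime(t).isoformat()})")
    half = unix_to_ntp(0, 500_000)
    print(f"epoch + 0.5s fraction field = 0x{half & MASK32:08x}")
    print("era 0 ends at unix time", ntp_era_end_unix(),
          "->", ntp_to_datetime(unix_to_ntp(ntp_era_end_unix() - 1)).isoformat())
```

The 0x83AA7E80 seconds value for the Unix epoch is a handy sanity check when reading raw NTP packets in a capture: anything much smaller than that in the seconds field is either pre-1970 or an era-1 timestamp.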
Configuring NTP Time Synchronization (continued)
• Hierarchy of NTP servers (continued)
   – Servers at same stratum may cross-synchronize
         • Servers engaging in this activity are known as peers
         • Peers rely on Correctness Principle to evaluate accuracy
• ntpd daemon supports NTP in Linux
   – Used on both NTP servers and clients
• Define time sources for ntpd in /etc/ntp.conf file
   – Example: server
   – Use at least five servers for best accuracy
   – View list of stratum 1 and 2 servers at
         • Avoid stratum 1 to prevent bottlenecks at server
         • Stratum 2 and stratum 3 offer high accuracy
Configuring NTP Time Synchronization (continued)
• Before starting ntpd, verify accuracy of system time
   – Discrepancy greater than 1000 seconds not allowed
• How to change current time values
   – Use manual method based on date command
         • Enter date -s "03/06/2005 10:31"
   – Automate process using script /etc/rc.d/init.d
         • Runs ntpdate –s at boot-up
• driftfile: line used by ntpd to calibrate drift
• Suite of utility programs provided with NTP server
   – Example 1: use ntpq to obtain detailed NTP information
   – Example 2: use ntptrace to trace chain of NTP servers
Supporting Clients with NTP
• Configuring NTP clients
    – Generally use just one server statement
    – Add iburst to line (if synchronizing to private server)
• Example: enter server iburst
    – Adds server with IP address
    – iburst: enables client to synchronize in 10 seconds
• Simple Network Time Protocol (SNTP)
    – Used by time synchronization client in Windows
    – Subset of NTP allowing for accuracy within 1 second
• Managing synchronization in Windows XP
    – Time server list in Internet Time tab of clock object
    – Add new servers by modifying Windows registry
Understanding SNMP on Linux
• Simple Network Management Protocol
    – Gives feedback on status of network components
         • Example: determine whether routers are overloaded
    – Visit for details
• SNMP uses client/server architecture
• SNMP specific terminology
    – Agent: SNMP aware program running on host
         • Configure the agent to watch for specific events on host
         • When an event occurs, agent collects details
    – SNMP console: gathers data from SNMP agents
         • Returns data to system administrator
         • Presents data statistically as graphs or as summaries
Allowing Dial-in Access with a PPP Server
• pppd used on client and server for PPP connection
• Actions following logon request from command line
    – Terminal program watches for username, password
         • Some terminal programs: getty, mgetty, mingetty
         • Managed by init, a master control program
    – Username and password passed to logon program
    – If accepted, logon program starts command shell
• Setting up a PPP dial-in server
    – Requires mgetty to watch modem (through serial port)
    – mgetty validates logon information and starts pppd

Allowing Dial-in Access with a PPP Server (continued)
• Configuring mgetty for listening in /etc/inittab file:
    – S1:2345:respawn:/sbin/mgetty -x 3 -s 57600 -D ttyS0
    – Monitor first serial port (device ttyS0) for incoming calls
• Restart init program after configuration changes
    – Use one of two commands: kill -1 1 or init 6
• Configuring mgetty to start pppd (using AutoPPP)
    – Go to /etc/mgetty+sendfax/login.config file
    – Enter /AutoPPP/ - a_ppp /usr/sbin/pppd -detach
    – Use /etc/ppp/options to store pppd command options
• Modem parameters may also be stored in files
    – Example: /etc/ppp/options.ttyS0
Using Basic Information Services

• Services often not enabled by default for security
• Change settings for experimentation or deployment

Communicating with talk
• talk uses talkd to initiate real-time conversation
     – talkd daemon must run on local and remote hosts
• talkd uses UDP port 517 to communicate
• Enable talkd in /etc/inetd.conf or /etc/xinetd.d/talk
• Use talkd by starting talk program
     – Include username and host name after talk command
     – Example: Send message to talk abutler@dublin
           • talk takes over window as it attempts to connect
           • talkd on dublin checks whether abutler is logged on
           • Message displayed to abutler if abutler is logged on
           • Two-way dialog occurs if abutler responds with talk
Communicating with talk (continued)

• talk options used after communication established
   – Use Ctrl+P and Ctrl+N to scroll up or down
   – Use mesg command to disable access
• Ktalk (for KDE): graphical tool with talkd functionality
• Linux supports other chat-style systems for Internet

Using finger to Collect User Information
• Determines whether user logged on for talk
• Provides length of time user has been logged on
• Provides user's full name
• Enable finger in /etc/inetd.conf or /etc/xinetd.d/finger
   – Activates listening and delivery service in superserver
        • Superserver listens for incoming finger queries on port 79
        • Intercepted queries sent to in.fingerd daemon
• Initiate finger query when user account is on same host
   – Example: finger jthomas

Using finger to Collect User Information (continued)
• Initiate finger query when user account is on a different host
    – Example: finger
• Reasons for declining use of finger protocol
    – Competition from other methods
    – Gaping security holes
• Files used in finger transmissions
    – .plan: hidden file for extra information, such as address
    – .project: one line describing current project
    – .pgp: provides user's public encryption key

Using finger to Collect User Information (continued)
• Set up .nofinger to hide the use of finger
    – Blocks finger queries from systems other than your own
• kfinger graphical client for KDE
    – Executes finger queries
    – Also has talk capabilities

Collecting Server Information with whois
• Domain name information stored in a database
  – Database maintained by the domain registrar
• whois queries database to learn about domain
• Two-step process for learning about a domain
   – Use whois command against domain of interest
        • Example: $ whois
        • whois queries main whois server,
        • Query results point you to registrar and other information
  – Use whois server from query results in second query
     • Example: $ whois -h
     • Provides more details, such as IP addresses
Linux Telephony

• Managing your telephone system using Linux
    – Computer must be connected to telephone system
         • Use hardware cards to connect phone lines to computer
    – Telephony software manages particular task
• Two implementations of Linux telephony
    – Fax server: HylaFax, eFax, sendfax
    – Video and audio conferencing: Microsoft NetMeeting
• Voice over IP (VoIP): digitizes phone calls using IP
• Abundant telephony resources on the Web
    – Example: download gPhoneMan (tracks calls)
Understanding Mailing Lists And News Servers
• Methods for sharing information with a large group
• Mailing list: group of users connected via e-mail
• How a mailing list works
    – Send an e-mail message (post it) to the e-mail list
    – Mailing List Manager (MLM) forwards message to users on list
• How to become a member of a mailing list
    – Subscribe to list
    – Mailing-list software adds e-mail address to list
    – Unsubscribe to list for removal
Understanding Mailing Lists And News Servers (continued)
• Tasks automated by mailing-list software
    – Subscribing, unsubscribing, sending message
• Advantage of mailing-list software
    – Saves user's time by automating mailing tasks
• Two types of moderated e-mail list
    – List administrator approves subscription
    – Administrator originates/approves each posted e-mail
• Other features of MLM
    – Digest (message summary) options
    – Archiving options
    – Mail delivery options
Understanding Mailing Lists And News Servers (continued)
• Newsgroups: an alternative to mailing lists
    – Messages (postings) handled by NNTP (not SMTP)
         • NNTP: Network News Transport Protocol
    – Analogize newsgroup postings to bulletin board
         • Accessing newsgroup does not involve subscription
         • Provide name of newsgroup server to news client
    – More free form than mailing lists
         • Most impose no control on topics

Using majordomo for Mailing Lists
• majordomo package: collection of Perl scripts
     – Interacts with sendmail mail server
     – Creates automated mailing lists
• Configuring majordomo
     – Create a user and group ID for majordomo
     – Use majordomo's wrapper to create a new mailing list
           • Include administrative password, owner e-mail address, and description
• How to manage complex configuration issues
     – View instructions in documentation directory
     – Consider using a graphical tool, such as Webmin
Using majordomo for Mailing Lists (continued)
• Using Webmin to facilitate configuration
    – Launch Webmin program
    – Go to Majordomo List Manager under Servers tab
    – Designate list owner in Owner e-mail address field
         • Each mailing list requires a list manager (owner)
         • majordomo will report problem to list owner
    – Create new list using “Add a new mailing list”
• Portion of configuration involving sendmail
    – Set up aliases in sendmail for lists you create
    – Example:
         • Enables user to interact with list called linux-security
Using majordomo for Mailing Lists (continued)
• Send message to majordomo at host for help or list
   – Queries to
         • Query 1: includes help as body of message
            – Returns format and commands for interaction
         • Query 2: includes list as body of message
            – Returns list of mailing lists hosted on server
• List owner can interact with majordomo via e-mail
• List owner or user can issue commands to majordomo
   – Owner specific commands will require a password

Using Other Mailing List Managers
• LISTSERV: most widely used MLM in the world
   – Available for purchase from L-Soft (
   – Advantages of LISTSERV
        • Scalability for huge mailing lists
        • Flexible security features
        • Web-based configuration and maintenance interface
• ListProc: another commercial MLM
   – Available for purchase from ListProc (
   – Features
        • Graphical configuration tools
        • Security enhancements, such as password-protection
        • Ability to delete invalid e-mail addresses
Using Other Mailing List Managers (continued)
• SmartList: free MLM
    – Works in conjunction with procmail and sendmail
    – Features
         • Remote list maintenance
         • Archiving
         • Message digests
• Mailman: another free MLM
    – Includes many standard list management features
    – Managed via a Web browser interface

Understanding Linux News Servers

• Newsgroup postings passed using NNTP
   – Set up a news server to get a feed from another (ISP)
   – Download all messages ISP news server has
   – Upload messages generated at your site
   – Newsgroups may be added to or removed from server
• INN (Internet News): widely used Linux news server
• Elements of news servers that may create problems
   – Requires large network bandwidth and storage space
   – Configuration is difficult, requires ongoing tuning
   – Policy questions concerning use in organization

Understanding Linux News Servers (continued)
• Setting up an INN news server
   – Check that cleanfeed and inn are installed
         • Install programs if not present
   – Contact your ISP for permission to use server as feed
   – Plan your news server
         • Focus on groups to include or create
         • Descriptions at
   – Create and communicate policies for use
• Configuration files for INN stored in /etc/news
• Newsgroup postings stored in /var/spool/news
• Compact news file system (CNFS) conserves space
Linux News Clients

• Used to read newsgroup postings in graphical or text
• Using Netscape browser to view newsgroup postings
    – Enter at least name and organization for access
    – List at least one news server (ask ISP for list)
    – Subscribe to newsgroups
• Graphical newsreaders supplied by Linux platforms
    – KDE supports KNode newsreader or krn
    – Gnome supports Pan newsreader
• Text-mode newsreader: trn
Summary

• Network daemons implement network services
• Communicate with daemons using signals
• Superservers load daemons on demand
• Superserver programs: inetd and xinetd
• Network testing services are also supported by inetd and xinetd

Summary (continued)

• Linux logging controlled by klogd and syslogd
• Network printing protocols: Line Printer Daemon Protocol and Internet Printing Protocol
• Network Time Protocol (NTP): Internet's time synchronization protocol
• Simple Network Management Protocol (SNMP) specifies system for monitoring networks
• pppd used on client and server sides of PPP
Summary (continued)

• Use talk in conjunction with talkd for Internet chat
• Use finger in conjunction with fingerd to collect user
• whois utility returns information about specific
• Linux telephony used to manage telephone
• Mailing lists and newsgroups are used to share
