Managing Mail with procmail

As mentioned in Chapter 5, procmail is the default local mail-delivery program for Linux systems. procmail provides the most powerful and complex e-mail filtering system available for Linux. procmail filters are defined by the user in the .procmailrc file. Additionally, the system administrator can define system-wide filters in the /etc/procmailrc file. The format of both files is the same. The system administrator uses the /etc/procmailrc file for general anti-spam filtering. The end user can...

Installing the Boot Loader

After you have configured the partitions, the Red Hat installation asks you to select a boot loader, to decide where you want it installed, and to select which partitions should be booted by the loader. Red Hat 7.2 offers two boot loaders: GRUB and LILO. GRUB is new for Red Hat in 7.2; LILO is much more widely used by other Linux distributions. Most people who install Red Hat 7.2 use GRUB because it is the default. I use LILO because it is what I'm used to, and it is what I use on my other Linux...

Configuring the DHCP Server

After dhcpd is installed, it must be configured. The DHCP daemon is configured through the dhcpd.conf file. The file can contain an extensive list of configuration commands that provide direction to the server and configuration information to the clients. A DHCP server can be configured to provide service to individual hosts and to entire subnets of hosts. The dhcpd configuration language includes host and subnet statements that identify the scope of systems being serviced. A host statement...

Running RIPv2 with gated

Gated can be used to configure a host to listen to RIPv2 router updates. This configuration performs the same function as the ripd configuration shown in Listing 7.9. Listing 7.15 is a possible gated configuration for this situation. Listing 7.15 A gated RIPv2 Configuration: # enable rip, don't broadcast updates, listen for RIP-2 updates on the multicast address, check that the updates are authentic. nobroadcast ; interface 172.16.60.2 version 2 multicast authentication simple "EZdozIt" ; The comments...

Password Aging

In addition to protecting the password, the shadow file supports password aging, which defines a lifetime for each password and notifies the user to change the password when it reaches the end of its life. If it is not changed, the user is blocked from using her account. The changed, max, and warn fields tell the system when the password was changed, how long it should be kept, and when to warn the user to change it. When the password is changed, it must be used for the number of days defined...

The smb.conf Variables

Reading an smb.conf file can be confusing if you don't understand the variables found in the file. Table 9.3 lists each variable and the value it carries. GID of the username assigned to the client GID of the username requested by the client Home directory of the username assigned to the client NIS home directory if NIS is supported The root directory of the current service The protocol negotiated during connection The username requested by the client Variables provide flexibility because each...

The zone Statement

The zone statements are the most important statements in the configuration file, and they constitute the bulk of the named.conf file. A zone statement performs the following critical configuration functions: It defines a zone that is serviced by this name server. It defines the type of name server that this server is for the zone. A server can be a master server or a slave server. And because this is defined on a per-zone basis, the same server can be the master for some zones while being a...

Controlling Server and Protocol Operations

Configuration parameters and options can be associated with individual host and subnet statements. The group statement can be used to apply parameters and options to a group of host or subnet statements. Additionally, configuration parameters and options can be specified that apply to every system and network defined in the configuration file. With this flexibility, the dhcpd configuration language allows you to create every conceivable configuration. The configuration language includes several...

Partitioning with Disk Druid

If you select a custom installation, the Red Hat installation program asks which partitioning tool it should use. Select either the traditional fdisk program or Disk Druid, which uses a full-screen interface (see Figure A.1). When run under the graphical installer, Disk Druid uses a basic point-and-click interface. Figure A.1 Disk Druid's main screen The top of the screen displays the device name, the disk geometry, and the make and model of the disk, along with a graphical representation of...

The options Statement

The options statement defines global options that affect the operation of BIND and the DNS protocol. The syntax of the options command for BIND 8 is shown in Listing B.1. Listing B.1 The BIND 8 options Statement Syntax: version "string"; directory "pathname"; named-xfer "pathname"; dump-file "pathname"; memstatistics-file "pathname"; pid-file "pathname"; statistics-file "pathname"; auth-nxdomain yes|no; deallocate-on-exit yes|no; dialup yes|no; fake-iquery yes|no; fetch-glue yes|no; has-old-clients yes|no; host-statistics...

Installing NFS

Listing 9.2 shows that the Network File System includes several different daemons and services to perform client and server functions. Additionally, the Red Hat 7.2 distribution has multiple startup scripts in the /etc/rc.d/init.d directory that relate to NFS: nfs This script starts most of the NFS daemons. It also processes the exports file, and clears the lock file. The exports file and the exportfs command that is used to process it are covered later in this chapter. nfslock This script starts...

The gated.conf File

At startup, gated reads the gated.conf file. The file contains configuration statements that tell gated which routing protocols should be run and how they should be configured. There are several types of configuration statements. Not all of these statements are required for a configuration, but when they are used, the statements must appear in the order listed here. These statements can be divided into two groups: statements you probably won't use and statements you might use. Among the...

The Hints File

The hints file contains information that named uses to initialize the cache. As indicated by the root domain (.) name on the zone statement, the hints the file contains are the names and addresses of the root name servers. The file helps the local server locate a root server during startup. After a root server is located, an authoritative list of root servers is downloaded from that server. The hints are not referred to again until the local server restarts. The named.conf file points to the...

Selecting Your Secret Password

The list of one-time password phrases is generated by a program named opiekey. To uniquely identify yourself to that program, you need a secret password. Use opiepassword to select that secret password. For example, assume that I'm new to OPIE, and I want to generate a list of password phrases before going on a trip. First, I log in to the OPIE server's console with my traditional reusable password and run opiepasswd to select a secret OPIE password, which must be at least 10 characters long....

Sharing Printers with lpd

The Line Printer daemon (lpd) provides printer services for local and remote users. It is an essential service that is started at boot time from a startup script. On both Red Hat systems, lpd is started by the /etc/rc.d/init.d/lpd script that is generally included in the startup by default, and can be controlled with chkconfig or tksysv. Use the lpd script to stop, start, or reload the Line Printer daemon. Because the printcap file is read only by lpd during its startup, the reload option is useful...

The m4 Macro Control File

The /usr/share/sendmail-cf/cf directory's prototype files contain m4 macro commands. In addition to lots of comments, the tcpproto.mc file contains the macros shown in Listing 5.8. VERSIONID(`$Id: tcpproto.mc,v 8.13.22.1 2000/08/03 15:25:20 ca Exp $') FEATURE(`nouucp', `reject') Listing 5.8 shows the configuration macros. The file tcpproto.mc also contains divert and dnl commands. A divert(-1) command precedes a large block of comments. m4 skips everything between a divert(-1) command and the next...

List of Listings

Listing 1.1 The Default GRUB Configuration Listing 1.2 A Sample lilo.conf File Listing 1.3 Adding Password Protection to LILO Listing 1.5 Runlevel Initialization Scripts Listing 1.6 The init.d Script Files Listing 2.1 Loadable Network Device Drivers Listing 2.2 An Ethernet Card Configuration Created by kudzu Listing 2.3 A Sample pap-secrets File Listing 2.4 A Sample chap-secrets File Listing 3.1 An Excerpt of the etc protocols File Listing 3.2 An Excerpt from etc services Listing 3.3 Excerpts...

Tcpd Access Control Files

Two files define access controls for tcpd: The hosts.allow file lists the hosts that are allowed to access the system's services. The hosts.deny file lists the hosts that are denied service. If these files are not found, tcpd allows every host to have access, and simply logs the access request. When the files are present, tcpd reads the hosts.allow file first and then reads the hosts.deny file. It stops as soon as it finds a match for the host and the service in question. Therefore, access...

Runlevel Initialization

After the system initialization script is run, init runs a script for the specific runlevel. On Red Hat, Mandrake, and Caldera systems, this is done by running a control script and passing it the runlevel number. The control script, /etc/rc.d/rc, then runs all of the scripts that are appropriate for the runlevel. It does this by running the scripts that are stored in the directory /etc/rcn.d, where n is the specified runlevel. For example, if the rc script is passed a 5, it runs the scripts found...

Running OSPF with gated

Listings 7.13 and 7.14 define the configuration of a router that uses RIPv2 on one subnet and OSPF on another. That same configuration can be replicated with gated. Listing 7.16 is a sample gated OSPF router configuration. Listing 7.16 A gated OSPF RIPv2 Interior Router Configuration Don't time-out subnet 60 interfaces Define the OSPF router id routerid 172.16.1.9 Enable RIP-2 announce OSPF routes to subnet 60 with a cost of 5. rip yes broadcast defaultmetric 5 interface 172.16.60.1 version 2...

The smb.conf Global Section

The Red Hat sample configuration file contains two sections: global and homes. The global section defines several parameters that affect the entire server. Minus the parameters that are specific to printer sharing, which are covered in Chapter 10, the parameters in the Red Hat smb.conf global section are the following: workgroup Defines the workgroup of which this server is a member. A workgroup is a hierarchical grouping of hosts. It organizes network resources in the same way that directories...

Using gated

Despite the fact that Red Hat Linux uses Zebra as its default routing software, many other Linux distributions ship with gated. If you don't have gated software with your distribution, a commercial version can be obtained from the Internet at http://www.gated.org. Also, at this writing, you can still find and download a precompiled Linux gated binary from an online repository. However, if your distribution doesn't include gated, this is a good time to transition to Zebra. If you do have gated,...

High Performance User Authentication

If the server has more than a few users who are required to use password authentication to access the website, the performance of the standard password file will be inadequate. The standard authentication module, mod_auth, uses a flat file that must be searched sequentially to find the user's password. Searching a flat file of only a few hundred entries can be very time consuming. An alternative is to store the passwords in an indexed database. Two modules, mod_auth_dbm and mod_auth_db, provide...

Dhcpd Configuration Options

The dhcpd option statements cover all DHCP configuration options defined in the RFCs. Furthermore, any new option that might be defined in the future can be included in the dhcpd configuration by using the decimal option code assigned to it in the RFC that describes the option. An option name in the form option-nnn where nnn is the decimal option code can be used to add any new option to the dhcpd.conf file. For example, assume that you want to assign the string yes to a new DHCP configuration...

Overview

This appendix is a quick reference guide to the m4 macros that you might use to construct a sendmail configuration file. (See Chapter 5, Configuring a Mail Server, for a tutorial on how m4 macros are used.) This appendix describes the syntax and function of the macros the information is accurate as of the day of publication. For the most current and accurate description of these macros, see the documentation that comes with the sendmail distribution and the README file in the sendmail cf...

Configuring a Linux NAT Server

Despite the fact that address translation is included in the packet-filtering software used to build a firewall, it is not specifically a security feature. A very common use for address translation is to connect a small network to the Internet. Assume that you have a small office network that connects to the Internet through a local ISP. Further, assume that the ISP assigns the office only one IP address, even though you have four computers on your network. Using a Linux NAT box, all four...

Configuring an NFS Client

To configure an NFS client, you need to know the hostname of the NFS server and the directories it exports. The name of the server is usually very well advertised; no one creates a server unless they want to have clients. The network administrator tells users which systems are NFS servers. The Linux showmount command lists the directories that a server exports and the clients permitted to mount those directories. For example, a showmount exports query to wren produces the output shown in Listing...

Running the POP and IMAP Daemons

The test in Listing 11.1 shows POP running, and the test in Listing 11.2 shows imapd up and running. However, a test on a freshly installed Red Hat system returns the Connection refused error. Trying 127.0.0.1... telnet: connect to address ... telnet localhost pop3 Trying 127.0.0.1... telnet: connect to address ... Among the possible causes for this error on the localhost may be that you have not installed POP or IMAP. POP and IMAP can be installed during the initial installation, or installed later using RPM....

Zone File Directives

The four directives are evenly divided into two that simplify the construction of a zone file, $INCLUDE and $GENERATE, and two that define values used by the resource records, $ORIGIN and $TTL. The $TTL Directive Defines the default TTL for resource records that do not specify an explicit time to live. The TTL value can be specified as a number of seconds, or as a combination of numbers and letters. Defining one week as the default TTL using seconds is ... Using the alphanumeric format, one week can be...

Security Monitoring Tools

In addition to using simple commands to learn about your system, you should use some of the tools that have been specifically designed to detect the holes that intruders exploit and the changes they make to your system. There are several, and many of them are available on the Internet. TARA (Tiger Auditors Research Assistant) is an updated version of the venerable Tiger package. TARA, like Tiger, is a group of shell scripts and C programs that scan configuration files and filesystems looking...

Understanding NFS

The Network File System (NFS), originally developed by Sun Microsystems, allows directories and files to be shared across a network. Through NFS, users and programs access files located on remote systems as if they were local files. NFS is a client/server system. The client uses the remote directories as if they were part of its local filesystem; the server makes the directories available for use. Attaching a remote directory to the local filesystem is called mounting a directory. Offering to...

Selecting an Installation Method

Linux can be installed from several different sources: FTP (File Transfer Protocol), NFS (Network File System), SMB (Server Message Block), HTTP (Hypertext Transfer Protocol), local hard drive, or CD-ROM. A server system is often installed from a CD-ROM. It is a simple and fast installation method, and the CD-ROM provides a reliable backup medium when you need to reinstall. Never install a server from a local hard drive. This is an obsolete installation method that involves copying the operating...

The Red Hat Caching Only Configuration

The caching-only configuration is the most common DNS server configuration, so common, in fact, that many systems are delivered with a ready-made, caching-only server configuration. Red Hat provides a caching-only configuration in RPM format. Figure 4.1 shows a Gnome RPM query for the Red Hat package containing the caching-only server configuration. Figure 4.1 A caching-only DNS server RPM Installing the caching-nameserver-7.2-1 RPM creates the named.conf file shown in Listing 4.5. Listing 4.5...

Converting IP Addresses to Ethernet Addresses

As Figure 7.2 illustrates, IP can run over many different types of networks. The IP address is a logical address. The address means something to the logical IP network, but it doesn't mean anything to the physical networks over which IP must transport the data. To send data over a physical network, IP must convert the IP address to an address understood by the network. The most common example of this is the conversion from an IP address to an Ethernet address. The protocol that performs this...

The /etc/services File

The second stage of demultiplexing the network data is to identify the application to which the data are addressed. The transport protocol does this using the port number from the transport protocol header. The standard port numbers are identified in the /etc/services file. The port numbers for well-known services are assigned in Internet standards, so you never change the port number of an existing service. On rare occasions, you may need to add a new service to the file, but that is the only...

Checking an Ethernet Interface

Enter the ifconfig command with the interface name and no other command-line arguments to display the current configuration. The example in Listing 13.4 shows the configuration of eth0 on our sample Red Hat Linux system. Listing 13.4 Displaying the Configuration with ifconfig: eth0 Link encap:Ethernet HWaddr 00:00:C0:9A:72:CA inet addr:172.16.5.3 Bcast:172.16.5.255 Mask:255.255.255.0 UP BROADCAST NOTRAILERS RUNNING MTU:1500 Metric:1 RX packets:22283 errors:0 dropped:0 overruns:0 frame:0 TX...

Monitoring Your Server

Apache provides tools to monitor the status of your server and logs that keep a history of how the system is used and how it performs over time. One of these tools is the server-status monitor. To use this monitor, it must either be compiled into httpd or installed as a dynamically loadable module. The following two lines from the Red Hat httpd.conf configuration file load the required module LoadModule To get the maximum amount of information from the server-status display, add the...

Mapping User IDs and Group IDs

User IDs and group IDs are as fundamental to NFS as they are to any other part of the Linux filesystem. But unlike the UID and GID you assign when creating new user accounts, you may not have any control over the UIDs and GIDs assigned by the clients of your NFS server. NFS provides several tools to help you deal with the possible problems that arise because of this. One of the most obvious problems with a trusted host security model is dealing with the root account. It is very unlikely that...

The umount Command

The opposite of the mount command is the umount command, which is used to remove a mounted directory from the local filesystem. A filesystem can be dismounted using either the remote filesystem name or the local mount point directory on the umount command line, so to dismount the /usr/local/bin directory, enter either the remote name ... There are a few options associated with the umount command that are of particular interest. The -a and -t options are used in the same way that they are used with...

The POP Protocol

There are two versions of POP: POP2 and POP3. The POP protocols verify the user's login name and password, and move the user's mail from the server to the user's local mail reader. Both protocols perform the same basic functions, but they are incompatible. POP2 uses port 109, and POP3 uses port 110. Linux systems come with both versions of POP, but POP2 is rarely used. Most POP clients use POP3. POP3 is defined in RFC 1939, Post Office Protocol Version 3. It is a simple request/response...

Sample iptables Commands

Putting this all together creates a firewall that can protect your network. Assume that we have a Linux router attached to a perimeter network with the address 172.16.12.254 on interface eth0 and to an external network with the address 192.168.6.5 on interface eth1. Further assume that the perimeter network contains only a sendmail server and an Apache server. Listing 12.4 contains some iptables commands we might use on the Linux system to protect the perimeter network. Listing 12.4 Sample...

Using traceroute

When you're sure that your system has the proper routes, use the traceroute command to test the route end to end. traceroute traces the route of UDP packets or ICMP echo packets through the network, and lists every router between your computer and the remote hosts. It does this by sending out UDP packets with small time-to-live (TTL) values and invalid port numbers to force ICMP errors and to record the sources of those errors. Here's how it works. The TTL field is intended to ensure that...

The exportfs Command

After defining the directories to export in the /etc/exports file, run the exportfs command to process the exports file and to build /var/lib/nfs/xtab. The xtab file contains information about the currently exported directories, and it is the file that mountd reads when processing client mount requests. To process all of the entries in the /etc/exports file, run exportfs with the -a command-line option. This command builds a completely new xtab file based on the contents of the /etc/exports file. It...

The Reverse Domain File

The reverse domain file maps IP addresses to hostnames. This is the reverse of what the domain database does when it maps hostnames to addresses. But there is another reason this is called the reverse domain: All of the IP addresses are written in reverse. For example, in the reverse domain, the address 172.16.5.2 is written as 2.5.16.172.in-addr.arpa. The address is reversed to make it compatible with the structure of a domain name. An IP address is written from the most general to the most...

The Linux Routing Table

Chapter 2, The Network Interface, described the structure of an IP address, explaining that it is composed of a network portion and a host portion. Routing is network-oriented; IP makes its decision on whether to directly deliver the packet or forward the packet to a router based on the network portion of the address. When the decision is made to forward the packet to a router, IP looks in the routing table to determine which router should handle the packet. The Linux routing table is displayed...

Managing lpd

The Line Printer Control (lpc) program is a tool for controlling the printers and administering the print queue on lpd printer servers. Table 10.1 lists the lpc commands used on our sample Red Hat 7.2 system and their purposes. Checks to see if the remote print queue is active. Displays the client configuration for the printer. Lists the default queue used by lpc. Lists the default configuration settings. Turns on the specified level of debugging for a printer. Turns off spooling to a print...

Checking a PPP Interface

Troubleshooting a PPP connection can be complex because of the added layers of hardware and software involved. In addition to the TCP/IP software, the connection uses PPP software and a scripting language, such as chat or dip, to establish the connection. The hardware uses a serial port, a serial device driver, and an external modem, which also has its own command language. To fully test a PPP connection, you need to check all of these things. Chapter 2 describes PPP configuration and the design...

Routing with Zebra

Zebra is a routing software package that provides support for RIP, RIPv2, OSPF, and BGP. In addition, Zebra provides support for IPv6 routing with both the RIPng protocol and the OSPFv6 protocol. There are internal and external aspects to routing software. On the external side, routing software runs a protocol to exchange routing information with external routers. On the internal side, routing software processes the information learned from the protocol, selects the best routes, and updates the...

The named Control Tools

There are two versions of the named management tool: one for BIND 8 and another one for BIND 9. BIND 8 uses the Name Daemon Control (ndc) tool, and BIND 9 uses the Remote Named Daemon Control (rndc) tool. The commands used with these tools are very similar. When there are differences, the text points them out. Otherwise, rndc commands will work for ndc simply by replacing rndc with ndc on the command line. The named management tool allows you to control named with much less fuss than sending...

Define

Define sets a value used by sendmail. Most defines are done in the m4 source files that are called by the .mc file, not in the .mc file itself. Because many define parameters directly affect a single sendmail.cf option, macro, or class, many define statements correspond to individual sendmail.cf command lines. For example, the following define command define(`confMAILER_NAME', `MAILER_DAEMON') placed in an m4 source file has the same effect as the following command placed directly in the...

Installing Samba

Samba services are implemented as two daemons. The SMB daemon (smbd), the heart of Samba, provides the file- and printer-sharing services. The NetBIOS Name Server daemon (nmbd) provides NetBIOS-to-IP-address name service. You can download Samba software from the Internet if you need to. Go to http://www.samba.org to select the nearest download site, and then download the file samba-latest.tar.gz from that site. Unzip and untar the source tree into a working directory. Change to that directory,...

The Message of a Failed ping

A failed ping test can also tell you a lot. Listing 13.10 shows a ping test failure. Listing 13.10 A Failed ping Test: PING 172.16.2.2 (172.16.2.2): 56 data bytes ping: sendto: Network is unreachable ping: wrote 172.16.2.2 64 chars, ret=-1 ping: sendto: Network is unreachable ^C 3 packets transmitted, 0 packets received, 100% packet loss Again, the test directs you to focus your troubleshooting efforts on certain layers of the network. A failure indicates you should focus on the network hardware,...

Installing Zebra

The Zebra suite is available on the Web at http://www.gnu.org and via FTP from ftp://ftp.zebra.org. A beta-testers' website is available at http://www.zebra.org. At the time of writing, the Zebra software is in beta release. If you prefer to use mature software, see the information on gated later in this chapter. However, for the type of routing applications that should reasonably be undertaken by a Linux system, the beta release of Zebra is more than adequate. The Zebra software suite is include...

Using the elm Filter

Elm is an old terminal mode mailer. elm has some die-hard fans, but most users have moved on to mailers that include a graphical user interface. However, the elm source code distribution comes with a filtering tool aptly named filter. The source code is available from ftp.virginia.edu, where it is stored in the /pub/elm directory. Even if you don't use elm, you can use the filter program to process incoming mail. The filter program is invoked with the .forward file (covered in Chapter 5 during...

Creating a dhcpd.conf File

Dhcpd reads its configuration from the /etc/dhcpd.conf file. The dhcpd.conf file identifies the clients to the server, and defines the configuration that the server provides each client. The sample dhcpd.conf file shown in Listing 8.1 dynamically assigns IP addresses to the DHCP clients on a subnet, and supports a few clients that require static addresses. Listing 8.1 A Sample dhcpd.conf File: # Define global values that apply to all systems, max-lease-time 604800; default-lease-time 86400; option...

Maintaining Firewall Rules with iptables

The Linux kernel categorizes firewall traffic into three groups, and applies different filter rules to each category of traffic: Input firewall Incoming traffic is tested against the input firewall rules before it is accepted. Output firewall Outbound traffic is tested against the output firewall rules before it is sent. Forwarding firewall Traffic that is being forwarded through the Linux system is tested against the rules for the forwarding firewall. The INPUT and OUTPUT rulesets can be used...

Using the Realtime Blackhole List

The simplest way to block spam is to let someone else do it. sendmail allows you to use the Realtime Blackhole List (RBL) that comes from the Mail Abuse Prevention System (MAPS). Visit the website at mail-abuse.org/rbl to find out more about the MAPS system. Using the RBL is very easy because the system is implemented through DNS. Every Linux system can issue DNS queries, so this is a very effective way to distribute information. Of course, a program can make use of the information only if it...

The ifconfig Command

The ifconfig command assigns TCP/IP configuration values to network interfaces. Many values can be set with this command, but only a few are really needed: the IP address, the network mask, and the broadcast address. Assume that we have a network that uses the private network address 172.16.0.0 with the subnet mask 255.255.255.0. Further, assume that we need to configure a system named robin.foobird.org that is assigned the address 172.16.5.4. The ifconfig command to configure that interface is...

The IMAP Protocol

Internet Message Access Protocol (IMAP) is an alternative to POP. It provides the same basic service as POP, and adds features to support mailbox synchronization. Mailbox synchronization is the ability to read individual mail messages on a client or directly on the server while keeping the mailbox on both systems completely up-to-date. On an average POP server, the entire contents of the mailbox are moved to the client, and either deleted from the server or retained as if never read. Deletion...

Using the dhcpcd Client

As the name implies, the DHCP Client daemon (dhcpcd) provides the client side of the DHCP protocol exchange, and it provides the means for moving the information received from the DHCP server into the client's configuration. The syntax of the dhcpcd command is: dhcpcd [-dknrBCDHRT] [-t timeout] [-c filename] [-h hostname] [-i vendorClassID] [-I clientID] [-l leasetime] [-s ipaddr] interface The name of the interface that dhcpcd should use for DHCP can be defined on the command line. An interface is specified...

Partitioning with fdisk

Fdisk is a command-driven, text-based utility. At the fdisk prompt, enter any of the utility's single-character commands. Use the m command to display the list of commands shown here in Table A.2. Table A.2 Single-Character fdisk Commands: Create an empty label for a Sun Microsystems disk. Selects either sectors or cylinders as the units used to display partition size. Writes the partition table to the disk and exits. To partition a disk using fdisk, start...

NetBIOS Name Service

Even though installing the Samba software has not yet been discussed, this is a good place to discuss the NetBIOS Name Server daemon (nmbd) and how it is configured. nmbd is the part of the basic Samba software distribution that turns a Linux server into an NBNS server. nmbd can handle queries from Windows 95/98/ME/NT/2000 and LanManager clients, and it can be configured to act as a WINS server. Note: The Microsoft implementation of NetBIOS name service is Windows Internet Name Service (WINS)....

Configuring sshd

Very little configuration is required to get secure shell running, but a great deal of configuration is possible. Many of the software packages discussed in this book fit this pattern: there are a great many configuration options, but the default values for those options work in almost every case and rarely need to be changed. sshd is no exception. Without configuration, it will work just fine, but there are configuration options that you can use to modify it for your particular site. sshd is...

Installing Apache

The Apache web server is part of most Linux distributions, and that includes the Red Hat Linux distribution that we are using as an example. The Apache web server software is one of the components that can be selected during the operating system installation. See Appendix A, Installing Linux, for a description of this procedure. If Apache is not among the software you selected during the initial installation, you need to install it now. The easiest way to install software is with a package...

Finding the Latest Software

To update software, you need to know what software needs to be updated and where to find it. Security advisories (such as those found at SANS, NIST, and CERT) usually describe the problem and tell you the solution; often, they point you to the appropriate software fix. Even the bug reports found in the Bugtraq Archive sometimes include fixes, as mentioned in the discussion of Figure 12.1. The vulnerability report shown in Figure 12.3 includes links to the software updates that fix the...

Resolving Address Conflicts

Most common interface configuration problems are easy to detect because they cause a hard failure. For example, a bad subnet mask causes a failure every time the user attempts to contact a system on another subnet. However, a bad IP address can be a more subtle problem. If the IP address is grossly misconfigured (that is, if the network portion of the address is incorrect), the system will have a hard failure that is easy to detect. But if the host portion of the address is incorrect, the...

Configuring the Kernel with xconfig

To start the kernel configuration process, change to the /usr/src/linux directory, and run make xconfig, which opens the window shown in Figure 13.1.

[Figure 13.1 The Kernel Configuration window]

The Kernel Configuration window displays more than 30 buttons that represent different configuration categories. (These buttons are described in detail in the upcoming Understanding the Kernel Configuration Categories section.) Click a button to view and set the...

Running BGP with gated

In this section, a router is configured to connect the OSPF backbone area described in the preceding section to an external autonomous system using BGP. The configuration for this router is shown in Listing 7.17.

Listing 7.17 A gated OSPF/BGP Exterior Router Configuration
# Defines our AS number for BGP
autonomoussystem 249
# Defines the OSPF router id
routerid 172.16.1.5
group type external peeras 164
peer 26.6.0.103
peer 26.20.0.72
# Enable OSPF; subnet 1 is the backbone area; use password...

Sample printcap

Below is the printcap file that is the result of defining three printers using the printconf tool. One is a remote SMB printer, one is a remote Unix printer, and the other is a locally attached printer. Listing 10.2 shows the printcap file that printconf created when these three printers were configured.

Listing 10.2 A Sample printcap File
# DO NOT EDIT! MANUAL CHANGES WILL BE LOST
# This file is autogenerated by printconf-backend during lpd init.
# Hand edited changes can be put in /etc...

Running ripd

Routing protocols are not limited to routers. It is possible to need a routing protocol on a Linux host. Suppose that you have a host on a network in which routing updates are distributed via RIPv2. This system is not a router, but because it is on a network segment with more than one router, you decide to configure it to listen to the RIPv2 updates that the routers are broadcasting. Listing 7.9 shows a possible ripd.conf file for this host. Listing 7.9 A Sample ripd.conf File Enable RIPV2, but...

The PPP Daemon

The PPP daemon is started by the pppd command. The command can be entered at the shell prompt, and it often is on client computers. On server systems, the command is usually stored in a shell script to run at boot time for dedicated PPP connections or on demand for dial-up connections. Red Hat systems provide the /etc/sysconfig/network-scripts/ifup-ppp script to start the PPP daemon. However, the script is not edited directly. The values that control the ifup-ppp script are found in the...

Creating an m4 Domain File

The domain directory is intended for m4 source files that contain information specific to your domain. This is a perfect place to put the commands that rewrite the hostname to the domain name on outbound mail, so we create a new m4 macro file in the domain directory and call it foobirds.m4. We begin by changing to the domain directory and copying the file generic.m4 to foobirds.m4 to act as a starting point for the configuration. Listing 5.10 shows these steps. Listing 5.10 The generic.m4...

Configuring SSL

The security features described previously are all designed to protect information provided by the server. In addition to protecting the security of server data, you are responsible for protecting the security of your client's data. If you want to run an electronic commerce business, you must use a secure server that protects your customers' personal information, such as credit card numbers. Secure Apache servers use Secure Sockets Layer (SSL) to encrypt protected sessions. SSL is both more...

One Time Passwords

Choosing good passwords and protecting the password file are useless if a thief steals the password from the network. Clear-text, reusable passwords that travel over a network simply aren't secure. All security experts know this, so several alternatives to reusable passwords have been created. One of these is a one-time password, which is just what it sounds like: you use the password once and throw it away. These passwords are desirable because they cannot be reused. Anyone who steals a...

Loadable Ethernet Drivers

The Ethernet interface software is a kernel driver. The driver can be compiled into the kernel or can be loaded as a loadable module, which is the most common way to install an Ethernet driver. On a Red Hat system, the loadable Ethernet drivers are found in the /lib/modules/release/kernel/drivers/net directory, in which release is the kernel version number. A directory listing of the network device drivers found on a Red Hat 7.2 system is shown in Listing 2.1. Listing 2.1 Loadable Network Device...

Using Mail Aliases

Mail aliases are defined in the aliases file. The location of the aliases file is set in the sendmail configuration file. (You'll see this configuration file later in the chapter.) On Linux systems, the file is usually located in the /etc directory (/etc/aliases), and it is occasionally located in the /etc/mail directory. The basic format of entries in the file is The alias is the username in the e-mail address, and recipient is the name to which the mail should be delivered. The recipient field...

Checking Socket Status with netstat

Netstat is a command that can be used to check on a wide variety of network information, such as the status of network connections, the contents of the routing table, what masqueraded connections are supported by the system, and what multicast groups the system has joined. The most important of these is the status of network connections, which is the default netstat display. To limit that display to TCP/IP network connections, use the --inet command-line option, as shown in Listing 13.13. Listing...

Testing DNS with nslookup

Nslookup is a test tool that comes with the BIND software. It is an interactive program that allows you to query a DNS server for any type of resource record and to directly view the server's response. This tool is useful for checking your own servers, but (even more important) it can be used to directly query remote servers. Notice the emphasis on the word directly. Using nslookup, it is possible to directly connect to a remote server to see how that server responds to queries without going...

Changing File Permissions

Use the chmod (Change Mode) command to change the permissions for a file. Permission can be defined on the chmod command line in either numeric or symbolic formats. For example:

$ ls -l trace.txt
-rw-r--r--  1 craig  craig  1349 May  3  2000 trace.txt
$ chmod g+w,o-r trace.txt
$ ls -l trace.txt
-rw-rw----  1 craig  craig  1349 May  3  2000 trace.txt

The first ls command shows the current permissions assigned to the file trace.txt, which are owner read/write, group read, and world read. The chmod command uses the symbolic...

Testing DNS with host

The host command is a very simple tool for looking up an IP address. The format of the host command is Only the host command and the domain name of the remote host are needed to look up an IP address. To look up different resource record types, specify the desired record type (mx, soa, ns, etc.) with the -t argument in the options field. To pass the query to a specific server, identify the server in the server field. If no server is specified, the local server is used. Listing 13.19 is an...

Configuring xinetd

An alternative to inetd is the Extended Internet Services Daemon (xinetd). xinetd is configured in the /etc/xinetd.conf file, which provides the same information to xinetd as inetd.conf provides to inetd. But instead of using positional parameters with meanings determined by their relative location on a configuration line, xinetd.conf uses attribute and value pairs. The attribute name clearly identifies the purpose of each parameter. The value configures the attribute. For example, the third...

The ftpaccess File

WU-FTPD has an optional configuration file named /etc/ftpaccess. This file is read if the FTP daemon is run with the -a command line option. In the discussion of Listing 3.6, we saw that Red Hat does run the FTP daemon with the -a option, which means that Red Hat uses the ftpaccess file. The active entries in the Red Hat 7.2 ftpaccess file are shown in Listing 3.16.

Listing 3.16 Excerpts of the Red Hat ftpaccess File
# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99...

Using fstab to Mount NFS Directories

A mount command with the -a flag set causes Linux to mount all filesystems listed in /etc/fstab. Linux systems often include a mount -a command in the startup. Adding the -t nfs argument to the mount -a command limits the mount to all filesystems in fstab that have a filesystem type of NFS. The Red Hat netfs script uses the -t nfs argument to remount the NFS filesystems after a system boot. The filesystem table, /etc/fstab, defines the devices, partitions, and remote filesystems that make up a...

Automounter

There are two automounter implementations available for Linux: one based on the Berkeley automounter daemon (amd), and one based on the Solaris automounter (automount). Both are configured in a similar manner: both are given mount points and map files that define the characteristics of the file systems mounted on those mount points. Although its mount points can be defined in /etc/amd.conf, amd mount points and map files are often defined on the command line amd -a amd mnt wren etc nfs wren.map...

Using vtysh

The vtysh tool provides an interactive interface into the zebra routing manager and each routing daemon. vtysh allows you to examine and modify the configuration of each program in the Zebra suite. Listing 7.6 shows a vtysh session in which the current zebra configuration is examined. In a later example, this configuration will be modified with vtysh.

Listing 7.6 Examining zebra.conf through the vtysh Interface
password Wats Watt
enable password CHLLlns
[root]# service zebra start
Starting zebra...

Creating User Keys

The ssh-keygen program generates the public and private encryption keys used for public key authentication. Simply invoke the ssh-keygen command and enter a passphrase, which is your secret password, when prompted. Listing 12.10 is an example.

Listing 12.10 An Example of the ssh-keygen Command
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/craig/.ssh/identity):
Enter passphrase (empty for no passphrase): Who are the trusted
Enter same passphrase again: Who are...

Using an SMB Printer

A Linux system can be an SMB client as easily as it can be an SMB server. A Linux user can print to a remote SMB printer with a standard lpr command if the SMB printer is properly defined in the printcap file. We used the Red Hat printconf tool earlier in the chapter to define a remote SMB printer. The printconf screen used to create that printer was shown in Figure 10.5. The printconf input in Figure 10.5 created this printcap entry:

    :sd=/var/spool/lpd/hp:\
    :af=/var/spool/lpd/hp/hp.acct:\
    :lpd_bounce...

Watching the Protocols with tcpdump

Tcpdump reads every packet from the Ethernet, and compares it to a filter you define. If it matches the filter, the packet header is displayed on your terminal, which permits you to monitor traffic in real time. Listing 13.15 provides a simple tcpdump example.

Listing 13.15 A telnet Handshake as Seen by tcpdump
[root]# tcpdump host 172.16.5.1 and 172.16.24.1
10:46:11.576386 phoebe.1027 > wren.telnet: S 400405049:400405049(0) win 32120 <mss 1460> (DF)
10:46:11.578991 wren.telnet > phoebe.1027: S...

Tools to Create User Accounts

All Linux distributions offer tools to help you create user accounts. Most distributions provide the useradd command for this purpose. The useradd command in Listing 3.11 creates a user account with the username kathy.

Listing 3.11 The Effect of the useradd Command
[root]# grep kathy /etc/passwd
[root]# grep kathy /etc/shadow
[root]# grep kathy /etc/group
[root]# ls -a /home/kathy
ls: /home/kathy: No such file or directory
[root]# grep kathy /etc/group
.  .bash_logout  .bash_profile  .bashrc  Desktop  .gtkrc  .kde...

Defining Personal Mail Aliases

As the last eight lines in the Red Hat aliases file illustrate, one of the main functions of the alias file is to forward mail to other accounts or other computers. The aliases file defines mail forwarding for the entire system. The .forward file, which can be created in any user's home directory, defines mail forwarding for an individual user. It is possible to use the .forward file to do something that can be done in the /etc/aliases file. For example, if Norman Edwards had an account on a...

Using the pump DHCP Client

Pump is available on Red Hat systems, and supports both BootP and DHCP. Red Hat Linux 7.2 runs the pump command from the /sbin/ifup script only when dhcpcd is not found. This is an either/or proposition. You use either dhcpcd or pump; you do not use both. An interface that is configured by dhcpcd cannot be managed by pump. If your system uses dhcpcd, and most do, you can skip this section. The pump command is very simple: pump -i eth0 configures interface eth0 with the information received from...

The Lightweight Resolver

BIND 9 introduces a new, lightweight resolver library. The new library can be linked into any application, but it was designed for applications that need to use IPv6 addresses. Support for IPv6 has increased the complexity of the resolver to the point that it is difficult to implement as a traditional stub resolver. For this reason, the lightweight resolver splits the resolver into a library used by the applications and a separate resolver daemon that handles the bulk of the resolver process....

Understanding the Access Database

The sendmail access database defines e-mail sources using e-mail addresses, domain names, and IP network numbers, along with the action that sendmail should take when it receives mail from the specified source. For example This database tells sendmail to reject any mail from the e-mail address spammer@bigisp.com, from any host in the domain wespamu.com, and from any computer whose IP address begins with network number 172.18. Each entry in the database begins with the source of the mail,...

Running dhclient Software

The philosophy of dhclient is very different from that of most DHCP clients, which assume that users run DHCP because they don't know how to or don't want to manually configure TCP/IP. dhclient assumes that the people running the software are sophisticated users who can easily configure TCP/IP, and who want more than basic configuration from a DHCP client. Many Linux systems do not include the dhclient software. If your Linux system doesn't have the client, download dhcpd from http://www.isc.org...

Configuring a dhcrelay Server

The DHCP relay agent dhcrelay is provided as part of the dhcpd distribution. The relay agent listens for DHCP boot requests, and forwards those requests to a DHCP server. The relay agent must be attached to the same subnet as the DHCP client because the request from the client uses the limited broadcast address. However, the relay does not need to share a subnet with the server because it uses the server's IP address to send the request directly to the server. The server then sends the DHCP...