Linux Network Servers

Using fstab to Mount NFS Directories

A mount command with the -a flag set causes Linux to mount all filesystems listed in /etc/fstab. Linux systems often include a mount -a command in the startup. Adding the -t nfs argument to the mount -a command limits the mount to all filesystems in fstab that have a filesystem type of NFS. The Red Hat netfs script uses the -t nfs argument to remount the NFS filesystems after a system boot. The filesystem table, /etc/fstab, defines the devices, partitions, and remote filesystems that make up a...

NetBIOS Name Service

Even though installing the Samba software has not yet been discussed, this is a good place to discuss the NetBIOS Name Server daemon (nmbd) and how it is configured. nmbd is the part of the basic Samba software distribution that turns a Linux server into an NBNS server. nmbd can handle queries from Windows 95/98/ME/NT/2000 and LanManager clients, and it can be configured to act as a WINS server. Note: The Microsoft implementation of NetBIOS name service is Windows Internet Name Service (WINS)....

The Message of a Failed ping

A failed ping test can also tell you a lot. Listing 13.10 shows a ping test failure.

Listing 13.10 A Failed ping Test
PING 172.16.2.2 (172.16.2.2): 56 data bytes
ping: sendto: Network is unreachable
ping: wrote 172.16.2.2 64 chars, ret=-1
ping: sendto: Network is unreachable
^C
3 packets transmitted, 0 packets received, 100% packet loss

Again, the test directs you to focus your troubleshooting efforts on certain layers of the network. A failure indicates you should focus on the network hardware,...

Running RIPv2 with gated

Gated can be used to configure a host to listen to RIPv2 router updates. This configuration performs the same function as the ripd configuration shown in Listing 7.9. Listing 7.15 is a possible gated configuration for this situation. Listing 7.15 A gated RIPv2 Configuration enable rip, don't broadcast updates, listen for RIP-2 updates on the multicast address, check that the updates are authentic. nobroadcast interface 172.16.60.2 version 2 multicast authentication simple EZdozIt The comments...

The Red Hat Caching Only Configuration

The caching-only configuration is the most common DNS server configuration: so common, in fact, that many systems are delivered with a ready-made, caching-only server configuration. Red Hat provides a caching-only configuration in RPM format. Figure 4.1 shows a Gnome RPM query for the Red Hat package containing the caching-only server configuration. Figure 4.1 A caching-only DNS server RPM. Installing the caching-nameserver-7.2-1 RPM creates the named.conf file shown in Listing 4.5. Listing 4.5...

DNS Database Records

The database records used in a zone file are called standard resource records, or sometimes just RRs. All resource records have the same basic format. The name field identifies the domain object affected by this record. It could be an individual host or an entire domain. Unless the name is a fully qualified domain name, it is relative to the current domain. A few special values can be used in the name field. These are: A blank name refers to the last named object. The last value of the name field...

Named Signal Processing

Signal processing is one area in which the version of BIND matters. BIND 8 and earlier versions of BIND handle several different signals. BIND 9 handles only two: SIGHUP and SIGTERM. Under BIND 9, SIGHUP reloads the DNS database, and SIGTERM terminates the named process. You can use signals with BIND 8, but don't use signals with BIND 9. Control BIND 9 with rndc, which is covered in the next section. That said, BIND 8 accepts the following signals. The SIGHUP signal causes named to reread the...

Using the Host Table with DNS

But even though you will be using DNS, you will have a host table. Which source of information should your system check first, DNS or the host table? I usually configure my systems to use DNS first, and to fall back to the host table only when DNS is not running. Your needs may be different. You may have special host aliases that are not included in the DNS database, or local systems that are known only to a small number of computers on your network and therefore are...

Using the pump DHCP Client

Pump is available on Red Hat systems, and supports both BootP and DHCP. Red Hat Linux 7.2 runs the pump command from the /sbin/ifup script only when dhcpcd is not found. This is an either/or proposition. You use either dhcpcd or pump; you do not use both. An interface that is configured by dhcpcd cannot be managed by pump. If your system uses dhcpcd, and most do, you can skip this section. The pump command is very simple: pump -i eth0 configures interface eth0 with the information received from...

Running dhclient Software

The philosophy of dhclient is very different from that of most DHCP clients, which assume that users run DHCP because they don't know how to or don't want to manually configure TCP/IP. dhclient assumes that the people running the software are sophisticated users who can easily configure TCP/IP, and who want more than basic configuration from a DHCP client. Many Linux systems do not include the dhclient software. If your Linux system doesn't have the client, download dhcpd from http://www.isc.org...

Checking an Ethernet Interface

Enter the ifconfig command with the interface name and no other command-line arguments to display the current configuration. The example in Listing 13.4 shows the configuration of eth0 on our sample Red Hat Linux system.

Listing 13.4 Displaying the Configuration with ifconfig
eth0      Link encap:Ethernet  HWaddr 00:00:C0:9A:72:CA
          inet addr:172.16.5.3  Bcast:172.16.5.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:22283 errors:0 dropped:0 overruns:0 frame:0
          TX...

Checking a PPP Interface

Troubleshooting a PPP connection can be complex because of the added layers of hardware and software involved. In addition to the TCP/IP software, the connection uses PPP software and a scripting language, such as chat or dip, to establish the connection. The hardware uses a serial port, a serial device driver, and an external modem, which also has its own command language. To fully test a PPP connection, you need to check all of these things. Chapter 2 describes PPP configuration and the design...

Mapping User IDs and Group IDs

User IDs and group IDs are as fundamental to NFS as they are to any other part of the Linux filesystem. But unlike the UID and GID you assign when creating new user accounts, you may not have any control over the UIDs and GIDs assigned by the clients of your NFS server. NFS provides several tools to help you deal with the possible problems that arise because of this. One of the most obvious problems with a trusted host security model is dealing with the root account. It is very unlikely that...

Resolving Address Conflicts

Most common interface configuration problems are easy to detect because they cause a hard failure. For example, a bad subnet mask causes a failure every time the user attempts to contact a system on another subnet. However, a bad IP address can be a more subtle problem. If the IP address is grossly misconfigured (that is, if the network portion of the address is incorrect), the system will have a hard failure that is easy to detect. But if the host portion of the address is incorrect, the...

The POP Protocol

There are two versions of POP: POP2 and POP3. The POP protocols verify the user's login name and password, and move the user's mail from the server to the user's local mail reader. Both protocols perform the same basic functions, but they are incompatible. POP2 uses port 109, and POP3 uses port 110. Linux systems come with both versions of POP, but POP2 is rarely used. Most POP clients use POP3. POP3 is defined in RFC 1939, Post Office Protocol Version 3. It is a simple request/response...

Partitioning with fdisk

Fdisk is a command-driven, text-based utility. At the fdisk prompt, enter any of the utility's single-character commands. Use the m command to display the list of commands shown here in Table A.2.

Table A.2 Single-Character fdisk Commands
Create an empty label for a Sun Microsystems disk
Selects either sectors or cylinders as the units used to display partition size
Writes the partition table to the disk and exits

To partition a disk using fdisk, start...

Changing File Permissions

Use the chmod (Change Mode) command to change the permissions for a file. Permission can be defined on the chmod command line in either numeric or symbolic formats. For example:

-rw-r--r--    1 craig    craig    1349 May  3  2000 trace.txt
chmod g+w,o-r trace.txt
ls -l trace.txt
-rw-rw----    1 craig    craig    1349 May  3  2000 trace.txt

The first ls command shows the current permissions assigned to the file trace.txt, which are owner read/write, group read, and world read. The chmod command uses the symbolic...

Enabling IP Packet Forwarding

When a computer forwards a packet that it has received from the network on to a remote system, it is called IP forwarding. All Linux systems can be configured to forward IP packets. In general, hosts do not forward datagrams, but routers must. To use a Linux system as a router, enable IP forwarding by setting the correct value in the /proc/sys/net/ipv4/ip_forward file. If the file contains a 0, forwarding is disabled. If it contains a 1, forwarding is enabled. A cat of the ip_forward file shows...

Loadable Ethernet Drivers

The Ethernet interface software is a kernel driver. The driver can be compiled into the kernel or can be loaded as a loadable module, which is the most common way to install an Ethernet driver. On a Red Hat system, the loadable Ethernet drivers are found in the /lib/modules/release/kernel/drivers/net directory, in which release is the kernel version number. A directory listing of the network device drivers found on a Red Hat 7.2 system is shown in Listing 2.1. Listing 2.1 Loadable Network Device...

Watching the Protocols with tcpdump

Tcpdump reads every packet from the Ethernet, and compares it to a filter you define. If it matches the filter, the packet header is displayed on your terminal, which permits you to monitor traffic in real time. Listing 13.15 provides a simple tcpdump example.

Listing 13.15 A telnet Handshake as Seen by tcpdump
tcpdump host 172.16.5.1 and 172.16.24.1
10:46:11.576386 phoebe.1027 > wren.telnet: S 400405049:400405049(0) win 32120 <mss 1460> (DF)
10:46:11.578991 wren.telnet > phoebe.1027: S...

Using smbmount

The SMB filesystem (smbfs) allows you to mount SMB shares, and use them as if they were part of the Linux filesystem. For this to work, the kernel must support the smbfs filesystem. Listing 9.12 shows a quick check for kernel support of smbfs.

Listing 9.12 Checking /proc/filesystems
nodev   proc
nodev   sockfs
nodev   tmpfs
nodev   shm
nodev   pipefs
        ext2
        iso9660
nodev   devpts
        ext3
        vfat
nodev   autofs
nodev   smbfs

The /proc pseudo filesystem provides a glimpse into the kernel. The pseudo file /proc/filesystems...

Tools to Create User Accounts

All Linux distributions offer tools to help you create user accounts. Most distributions provide the useradd command for this purpose. The useradd command in Listing 3.11 creates a user account with the username kathy.

Listing 3.11 The Effect of the useradd Command
[root]# grep kathy /etc/passwd
[root]# grep kathy /etc/shadow
[root]# grep kathy /etc/group
[root]# ls -a /home/kathy
ls: /home/kathy: No such file or directory
[root]# grep kathy /etc/group
.  .bash_logout  .bash_profile  .bashrc  Desktop  .gtkrc  .kde...

List of Listings

Listing 1.1 The Default GRUB Configuration
Listing 1.2 A Sample lilo.conf File
Listing 1.3 Adding Password Protection to LILO
Listing 1.5 Runlevel Initialization Scripts
Listing 1.6 The init.d Script Files
Listing 2.1 Loadable Network Device Drivers
Listing 2.2 An Ethernet Card Configuration Created by kudzu
Listing 2.3 A Sample pap-secrets File
Listing 2.4 A Sample chap-secrets File
Listing 3.1 An Excerpt of the /etc/protocols File
Listing 3.2 An Excerpt from /etc/services
Listing 3.3 Excerpts...

Configuring xinetd

An alternative to inetd is the Extended Internet Services Daemon (xinetd). xinetd is configured in the /etc/xinetd.conf file, which provides the same information to xinetd as inetd.conf provides to inetd. But instead of using positional parameters with meanings determined by their relative location on a configuration line, xinetd.conf uses attribute and value pairs. The attribute name clearly identifies the purpose of each parameter. The value configures the attribute. For example, the third...

Understanding NFS

The Network File System (NFS), originally developed by Sun Microsystems, allows directories and files to be shared across a network. Through NFS, users and programs access files located on remote systems as if they were local files. NFS is a client/server system. The client uses the remote directories as if they were part of its local filesystem; the server makes the directories available for use. Attaching a remote directory to the local filesystem is called mounting a directory. Offering to...

Using the Realtime Blackhole List

The simplest way to block spam is to let someone else do it. sendmail allows you to use the Realtime Blackhole List (RBL) that comes from the Mail Abuse Prevention System (MAPS). Visit the website at mail-abuse.org/rbl to find out more about the MAPS system. Using the RBL is very easy because the system is implemented through DNS. Every Linux system can issue DNS queries, so this is a very effective way to distribute information. Of course, a program can make use of the information only if it...

Loading Linux Services The init Process

The init process, which is process number one, is the mother of all processes. After the kernel initializes all of the devices, the init program runs and starts all of the software. The init program is configured by the /etc/inittab file. Listing 1.4 shows the inittab file that comes with Red Hat 7.2:

#
# inittab       This file describes how the INIT process should set up
#               the system in a certain run-level.
#
# Author:       Miquel van Smoorenburg,
#               Modified for RHS Linux by Marc Ewing and Donnie Barnes
#

# Default...

Using an X Tool to Configure a PPP Client

So far, we have configured PPP by editing the configuration files with a text editor. It is also possible to configure a PPP client by using a graphical tool running under X Windows. Every Linux distribution offers at least one tool for this purpose, and a new set of tools is released with every new version of Linux. Red Hat 7.2 alone offers three easily accessible tools to do this one task. Perhaps the most accessible tool is the one that is launched by double-clicking the Dialup Configuration...

The /etc/protocols File

Data from the network arrive at the computer as one stream. The stream may contain data packets from multiple sources bound for multiple applications. In telecommunications terminology, we say that the data stream is multiplexed. To deliver each packet to the correct application, it must be demultiplexed. The first step in this process is for the Internet Protocol to pass the packet to the correct transport protocol. IP determines the correct protocol by means of the protocol number that is...

The ftpaccess File

WU-FTPD has an optional configuration file named /etc/ftpaccess. This file is read if the FTP daemon is run with the -a command-line option. In the discussion of Listing 3.6, we saw that Red Hat does run the FTP daemon with the -a option, which means that Red Hat uses the ftpaccess file. The active entries in the Red Hat 7.2 ftpaccess file are shown in Listing 3.16.

Listing 3.16 Excerpts of the Red Hat ftpaccess File
# Don't allow system accounts to log in over ftp
deny-uid %-99 %65534-
deny-gid %-99...

The Resolver Configuration Commands

The BIND 9 software delivered with Red Hat 7.2 uses the same resolver configuration file as the BIND 8 software used on many Linux systems. The commands it contains are identical to those found in a BIND 8 resolver configuration. resolv.conf is a text file that can contain the following commands: nameserver address The nameserver command defines the IP address of a name server the resolver should use. Up to three nameserver commands can be included in the configuration. The servers are queried...

The named Control Tools

There are two versions of the named management tool: one for BIND 8 and another one for BIND 9. BIND 8 uses the Name Daemon Control (ndc) tool, and BIND 9 uses the Remote Named Daemon Control (rndc) tool. The commands used with these tools are very similar. When there are differences, the text points them out. Otherwise, rndc commands will work for ndc simply by replacing rndc with ndc on the command line. The named management tool allows you to control named with much less fuss than sending...

Installing NFS

Listing 9.2 shows that the Network File System includes several different daemons and services to perform client and server functions. Additionally, the Red Hat 7.2 distribution has multiple startup scripts in the /etc/rc.d/init.d directory that relate to NFS: nfs This script starts most of the NFS daemons. It also processes the exports file, and clears the lock file. The exports file and the exportfs command that is used to process it are covered later in this chapter. nfslock This script starts...

Automounter

There are two automounter implementations available for Linux: one based on the Berkeley automounter daemon (amd), and one based on the Solaris automounter (automount). Both are configured in a similar manner: Both are given mount points and map files that define the characteristics of the file systems mounted on those mount points. Although its mount points can be defined in /etc/amd.conf, amd mount points and map files are often defined on the command line: amd -a /amd /mnt/wren /etc/nfs/wren.map...

Managing lpd

The Line Printer Control (lpc) program is a tool for controlling the printers and administering the print queue on lpd printer servers. Table 10.1 lists the lpc commands used on our sample Red Hat 7.2 system and their purposes.

Checks to see if the remote print queue is active.
Displays the client configuration for the printer.
Lists the default queue used by lpc.
Lists the default configuration settings.
Turns on the specified level of debugging for a printer.
Turns off spooling to a print...

Filtering with Netscape

Many users use Netscape to read their e-mail. They can, of course, use the filter program or procmail (which is discussed next) to filter mail, even if they then read the mail with the Netscape mail reader. However, Netscape provides its own mail-filter capability, which is particularly suited to those users who prefer a graphical interface. Note: For these examples, we use the version of Netscape delivered with Red Hat 7.2. From the Edit menu in the Netscape Messenger window, select Message...

Selecting an Installation Method

Linux can be installed from several different sources: FTP (File Transfer Protocol), NFS (Network File System), SMB (Server Message Block), HTTP (Hypertext Transfer Protocol), local hard drive, or CD-ROM. A server system is often installed from a CD-ROM. It is a simple and fast installation method, and the CD-ROM provides a reliable backup medium when you need to reinstall. Never install a server from a local hard drive. This is an obsolete installation method that involves copying the operating...

Making a Boot Disk

A computer that cannot boot from a CD-ROM needs a boot floppy. Not every Linux distribution ships with a boot disk, even when you buy the top-of-the-line boxed set. Often, when a boot disk is needed, you have to make your own. Making a boot floppy is simple, and the process is essentially the same for all Linux distributions: A boot image is copied from the CD-ROM to the floppy using either rawrite under DOS or dd under Unix. An example of each command illustrates how they are used. In the Red...

Installing the Boot Loader

After you have configured the partitions, the Red Hat installation asks you to select a boot loader, to decide where you want it installed, and to select which partitions should be booted by the loader. Red Hat 7.2 offers two boot loaders: GRUB and LILO. GRUB is new for Red Hat in 7.2; LILO is much more widely used by other Linux distributions. Most people who install Red Hat 7.2 use GRUB because it is the default. I use LILO because it is what I'm used to, and it is what I use on my other Linux...

Configuring the Firewall

Configure The Network Authentication

The 2.4 Linux kernel implements kernel-level packet filtering that is configurable with the iptables command. The iptables command and how it is used to create a basic firewall are covered in Chapter 12, Security. Red Hat 7.2 includes firewall configuration during the installation. The installation program does not provide the same level of control as you get from building your own iptables rules (as described in Chapter 12), but it does provide a simple way to create a basic access control...

Configuring the Kernel with xconfig

To start the kernel configuration process, change to the /usr/src/linux directory, and run make xconfig, which opens the window shown in Figure 13.1. Figure 13.1 The Kernel Configuration window. The Kernel Configuration window displays more than 30 buttons that represent different configuration categories. (These buttons are described in detail in the upcoming Understanding the Kernel Configuration Categories section.) Click a button to view and set the...

The PPP Daemon

The PPP daemon is started by the pppd command. The command can be entered at the shell prompt, and it often is on client computers. On server systems, the command is usually stored in a shell script to run at boot time for dedicated PPP connections or on demand for dial-up connections. Red Hat systems provide the /etc/sysconfig/network-scripts/ifup-ppp script to start the PPP daemon. However, the script is not edited directly. The values that control the ifup-ppp script are found in the...

Running httpd

After the Apache RPM is installed, use a tool such as chkconfig or tksysv to add httpd to the boot process to ensure that the server restarts when the system reboots. For example, to start httpd for runlevels 3 and 5 on a Red Hat system, enter the following chkconfig command:

[root]# chkconfig --level 35 httpd on
[root]# chkconfig --list httpd
httpd     0:off  1:off  2:off  3:on  4:off  5:on  6:off

If your system doesn't have chkconfig, use another tool, such as tksysv. Figure 6.2 shows how tksysv is used to run...

Installing gated

The gated software is part of some Linux distributions, and when it is, gated is often installed during the initial system installation. If the gated package was not installed during the initial installation, install it now. In this section, we use Red Hat Linux 7.1 as our sample system because the examples in this book are Red Hat-based, and 7.1 was the last release of Red Hat that shipped gated as its default routing software. On a Red Hat 7.1 system, use RPM to install the software from the...

Installing Samba

Samba services are implemented as two daemons. The SMB daemon (smbd), the heart of Samba, provides the file- and printer-sharing services. The NetBIOS Name Server daemon (nmbd) provides NetBIOS-to-IP-address name service. You can download Samba software from the Internet if you need to. Go to http://www.samba.org to select the nearest download site, and then download the file samba-latest.tar.gz from that site. Unzip and untar the source tree into a working directory. Change to that directory,...

Running the POP and IMAP Daemons

The test in Listing 11.1 shows POP running, and the test in Listing 11.2 shows imapd up and running. However, a test on a freshly installed Red Hat system returns the Connection refused error.

Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
$ telnet localhost pop3
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

Among the possible causes for this error on the localhost may be that you have not installed POP or IMAP. POP and IMAP can be installed during the initial installation, or installed later using RPM....

Installing Zebra

The Zebra suite is available on the Web at http://www.gnu.org and via FTP from ftp://ftp.zebra.org. A beta-testers' website is available at http://www.zebra.org. At the time of writing, the Zebra software is in beta release. If you prefer to use mature software, see the information on gated later in this chapter. However, for the type of routing applications that should reasonably be undertaken by a Linux system, the beta release of Zebra is more than adequate. The Zebra software suite is include...

The smb.conf Global Section

The Red Hat sample configuration file contains two sections: global and homes. The global section defines several parameters that affect the entire server. Minus the parameters that are specific to printer sharing, which are covered in Chapter 10, the parameters in the Red Hat smb.conf global section are the following: workgroup Defines the workgroup of which this server is a member. A workgroup is a hierarchical grouping of hosts. It organizes network resources in the same way that directories...

Loading the Boot Sector

The ROM BIOS is configured through the BIOS setup program. Setup programs vary among different BIOS versions, but all of them allow the administrator to define which devices are used to boot the system and the order in which those devices are checked. On some PC systems, the floppy drive and the first hard drive are the boot devices, and they are checked in that order. Systems that permit booting from the CD-ROM usually list the CD-ROM as the first boot device, followed by the first hard drive....

Configuring SSL

The security features described previously are all designed to protect information provided by the server. In addition to protecting the security of server data, you are responsible for protecting the security of your client's data. If you want to run an electronic commerce business, you must use a secure server that protects your customers' personal information, such as credit card numbers. Secure Apache servers use Secure Sockets Layer (SSL) to encrypt protected sessions. SSL is both more...

Finding the Latest Software

To update software, you need to know what software needs to be updated and where to find it. Security advisories (such as those found at SANS, NIST, and CERT) usually describe the problem and tell you the solution; often, they point you to the appropriate software fix. Even the bug reports found in the Bugtraq Archive sometimes include fixes, as mentioned in the discussion of Figure 12.1. The vulnerability report shown in Figure 12.3 includes links to the software updates that fix the...

Tcpd Access Control Files

Two files define access controls for tcpd: The hosts.allow file lists the hosts that are allowed to access the system's services. The hosts.deny file lists the hosts that are denied service. If these files are not found, tcpd allows every host to have access, and simply logs the access request. When the files are present, tcpd reads the hosts.allow file first and then reads the hosts.deny file. It stops as soon as it finds a match for the host and the service in question. Therefore, access...

Configuring sshd

Very little configuration is required to get secure shell running, but a great deal of configuration is possible. Many of the software packages discussed in this book fit this pattern: There are a great many configuration options, but the default values for those options work in almost every case and rarely need to be changed. sshd is no exception. Without configuration, it will work just fine, but there are configuration options that you can use to modify it for your particular site. sshd is...

Configuring a Linux NAT Server

Despite the fact that address translation is included in the packet-filtering software used to build a firewall, it is not specifically a security feature. A very common use for address translation is to connect a small network to the Internet. Assume that you have a small office network that connects to the Internet through a local ISP. Further, assume that the ISP assigns the office only one IP address, even though you have four computers on your network. Using a Linux NAT box, all four...

The Rewriting Rules Section

The Rewriting Rules section defines the rules used to parse e-mail addresses from user mail programs and rewrite them into the format required by the mail delivery programs. Rewrite rules match the input address against a pattern, and if a match is found, rewrite the address into a new format using the rules defined in the command. The left side of a rewrite rule contains a pattern defined by macro and literal values and by special symbols. The right side of a rewrite rule defines the template...

The gated.conf File

At startup, gated reads the gated.conf file. The file contains configuration statements that tell gated which routing protocols should be run and how they should be configured. There are several types of configuration statements. Not all of these statements are required for a configuration, but when they are used, the statements must appear in the order listed here. These statements can be divided into two groups: statements you probably won't use and statements you might use. Among the...

Using the dhcpcd Client

As the name implies, the DHCP Client daemon (dhcpcd) provides the client side of the DHCP protocol exchange, and it provides the means for moving the information received from the DHCP server into the client's configuration. The syntax of the dhcpcd command is:

dhcpcd [-dknrBCDHRT] [-t timeout] [-c filename] [-h hostname] [-i vendorClassID] [-I clientID] [-l leasetime] [-s ipaddr] [interface]

The name of the interface that dhcpcd should use for DHCP can be defined on the command line. An interface is specified...

Managing Mail with procmail

As mentioned in Chapter 5, procmail is the default local mail-delivery program for Linux systems. procmail provides the most powerful and complex e-mail filtering system available for Linux. procmail filters are defined by the user in the .procmailrc file. Additionally, the system administrator can define system-wide filters in the /etc/procmailrc file. The format of both files is the same. The system administrator uses the /etc/procmailrc file for general anti-spam filtering. The end user can...

Overview

This appendix is a quick reference guide to the m4 macros that you might use to construct a sendmail configuration file. (See Chapter 5, Configuring a Mail Server, for a tutorial on how m4 macros are used.) This appendix describes the syntax and function of the macros; the information is accurate as of the day of publication. For the most current and accurate description of these macros, see the documentation that comes with the sendmail distribution and the README file in the sendmail cf...

Converting IP Addresses to Ethernet Addresses

As Figure 7.2 illustrates, IP can run over many different types of networks. The IP address is a logical address. The address means something to the logical IP network, but it doesn't mean anything to the physical networks over which IP must transport the data. To send data over a physical network, IP must convert the IP address to an address understood by the network. The most common example of this is the conversion from an IP address to an Ethernet address. The protocol that performs this...

Password Aging

In addition to protecting the password, the shadow file supports password aging, which defines a lifetime for each password and notifies the user to change the password when it reaches the end of its life. If it is not changed, the user is blocked from using her account. The changed, max, and warn fields tell the system when the password was changed, how long it should be kept, and when to warn the user to change it. When the password is changed, it must be used for the number of days defined...

Runlevel Initialization

After the system initialization script is run, init runs a script for the specific runlevel. On Red Hat, Mandrake, and Caldera systems, this is done by running a control script and passing it the runlevel number. The control script, /etc/rc.d/rc, then runs all of the scripts that are appropriate for the runlevel. It does this by running the scripts that are stored in the directory /etc/rcn.d, where n is the specified runlevel. For example, if the rc script is passed a 5, it runs the scripts found...

The ifconfig Command

The ifconfig command assigns TCP/IP configuration values to network interfaces. Many values can be set with this command, but only a few are really needed: the IP address, the network mask, and the broadcast address. Assume that we have a network that uses the private network address 172.16.0.0 with the subnet mask 255.255.255.0. Further, assume that we need to configure a system named robin.foobird.org that is assigned the address 172.16.5.4. The ifconfig command to configure that interface is...

The Broadcast Address

The broadcast address is used to send a packet to every host on a network. The standard broadcast address is the network address with the host portion set to all ones; with a 24-bit mask such as 255.255.255.0 that means a host address of 255. Given the ifconfig statement shown previously, the default broadcast address is 172.16.5.255. Using the IP address of 172.16.5.4 and the netmask of 255.255.255.0 gives a network address of 172.16.5.0. Add to that the host address of 255 to get 172.16.5.255. So why did I define the broadcast address instead of letting it default...
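
The arithmetic in the two preceding sections, as an added example that is not from the book. It derives the network and broadcast addresses from an address and netmask, builds the ifconfig line for robin.foobird.org, and goes one step beyond the text by handling masks other than 255.255.255.0, where the broadcast host part is no longer simply 255. The hostname-to-address table is a constructed stand-in for /etc/hosts or DNS.

```python
"""Derive ifconfig values (network, broadcast) from an address and netmask.

Added, illustrative code using only the standard library.
"""
import ipaddress

# Constructed stand-in for /etc/hosts; the book's example host.
HOSTS = {"robin.foobird.org": "172.16.5.4"}


def addressing(ip, netmask):
    """Return (network, broadcast) as dotted-quad strings.

    Works for any mask: the broadcast is the network with every host bit
    set, which is .255 only when the mask is 255.255.255.0."""
    iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
    net = iface.network
    return str(net.network_address), str(net.broadcast_address)


def valid_broadcast(ip, netmask, broadcast):
    """Check that an explicitly given broadcast address lies inside the
    interface's own network; a stray value here silently breaks ARP and
    DHCP traffic for the whole segment."""
    net = ipaddress.IPv4Interface(f"{ip}/{netmask}").network
    return ipaddress.IPv4Address(broadcast) in net


def ifconfig_command(device, hostname, netmask, broadcast=None):
    """Build the ifconfig command line for a host named in HOSTS."""
    ip = HOSTS[hostname]
    _net, default_bcast = addressing(ip, netmask)
    bcast = broadcast or default_bcast
    if not valid_broadcast(ip, netmask, bcast):
        raise ValueError(f"{bcast} is not a broadcast address for {ip}/{netmask}")
    return f"ifconfig {device} {ip} netmask {netmask} broadcast {bcast}"


if __name__ == "__main__":
    print(addressing("172.16.5.4", "255.255.255.0"))       # ('172.16.5.0', '172.16.5.255')
    print(addressing("172.16.5.70", "255.255.255.192"))    # ('172.16.5.64', '172.16.5.127')
    print(ifconfig_command("eth0", "robin.foobird.org", "255.255.255.0"))
```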

The Linux Routing Table

Chapter 2, The Network Interface, described the structure of an IP address, explaining that it is composed of a network portion and a host portion. Routing is network-oriented: IP makes its decision on whether to directly deliver the packet or forward the packet to a router based on the network portion of the address. When the decision is made to forward the packet to a router, IP looks in the routing table to determine which router should handle the packet. The Linux routing table is displayed...
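
The deliver-directly-or-forward decision, as an added example rather than code from the book. It performs the longest-prefix match the kernel uses over a small routing table; the table entries are constructed to resemble the 172.16.0.0 private network used throughout the book, and a gateway of None marks a directly attached network.

```python
"""Route lookup: pick the most specific matching entry, then decide whether
to deliver directly or hand the packet to a router.

Added, illustrative code; the routing table is constructed for the example.
"""
import ipaddress

# (destination, netmask, gateway, interface); gateway None = directly attached.
ROUTES = [
    ("172.16.5.0", "255.255.255.0", None,           "eth0"),
    ("172.16.0.0", "255.255.0.0",   "172.16.5.1",   "eth0"),
    ("127.0.0.0",  "255.0.0.0",     None,           "lo"),
    ("0.0.0.0",    "0.0.0.0",       "172.16.5.254", "eth0"),  # default route
]


def lookup(dest, routes=ROUTES):
    """Return (network, gateway, interface) for the longest matching prefix,
    or None if nothing matches (no default route present)."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for net, mask, gw, dev in routes:
        network = ipaddress.IPv4Network(f"{net}/{mask}")
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, dev)
    return best


def next_hop(dest, routes=ROUTES):
    """('direct', dest, dev) when the destination is on an attached network,
    ('forward', gateway, dev) when a router must handle it."""
    route = lookup(dest, routes)
    if route is None:
        raise LookupError(f"no route to host {dest}")
    _network, gw, dev = route
    return ("direct", dest, dev) if gw is None else ("forward", gw, dev)


if __name__ == "__main__":
    for d in ("172.16.5.9", "172.16.60.2", "192.168.6.5", "127.0.0.1"):
        print(d, "->", next_hop(d))
```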

Checking the Network Interface

Configuration errors, including those that allow security breaches, are often the cause of problems on mature systems. You cannot eliminate these problems simply by configuring your system correctly. When you're on a network, the configuration errors made by the administrator at the remote end of the network may affect your users. Additionally, you may be the expert called upon to help users correct the configuration errors they make when setting up their desktop systems. Warning I specifically...

Loading Linux with GRUB

During the installation of Red Hat Linux 7.2, you're asked to select which boot loader should be used. By default, Red Hat uses the Grand Unified Bootloader (GRUB), and creates a GRUB configuration based on the values you select during the installation. Listing 1.1 shows the GRUB configuration generated by the Red Hat installation program for a desktop client. A dual-boot client configuration is used as an example because it is slightly more complex than a server configuration (servers do not...

Running ripd

Routing protocols are not limited to routers. It is possible to need a routing protocol on a Linux host. Suppose that you have a host on a network in which routing updates are distributed via RIPv2. This system is not a router, but because it is on a network segment with more than one router, you decide to configure it to listen to the RIPv2 updates that the routers are broadcasting. Listing 7.9 shows a possible ripd.conf file for this host. Listing 7.9 A Sample ripd.conf File Enable RIPv2, but...

Understanding SMB and NetBIOS

Microsoft Windows printer- and file-sharing applications are based on NetBIOS (Network Basic Input/Output System). The BIOS defines the application interface used to request DOS I/O services. NetBIOS extends this with calls that support I/O over a network. Developed 20 years ago for the PC Network product sold by Sytek, the NetBIOS API outlived the original product to become part of Windows for Workgroups, LAN Manager, Windows 95/98/ME, and Windows NT/2000. Originally, NetBIOS was a monolithic...

Installing Printers

Printer installation is part of the initial system installation on some Linux distributions. Others, such as Red Hat Linux 7.2, wait until the system is running before configuring the printer. Configuring the printer during or after the initial installation is essentially the same procedure. To install a printer, you must know the type of printer and its capabilities. All examples in this section use printconf, which is a printer-configuration tool available as part of Red Hat Linux 7.2. But...

The Lightweight Resolver

BIND 9 introduces a new, lightweight resolver library. The new library can be linked into any application, but it was designed for applications that need to use IPv6 addresses. Support for IPv6 has increased the complexity of the resolver to the point that it is difficult to implement as a traditional stub resolver. For this reason, the lightweight resolver splits the resolver into a library used by the applications and a separate resolver daemon that handles the bulk of the resolver process....

The Slave Server Configuration

Configuring a slave server is almost as simple as configuring a caching-only server. It uses the same three configuration files with only minor modifications to the named.conf file. Because of this, you can start with a caching-only configuration to test your system before you configure it as a slave server. Our sample slave server will be built by modifying the common caching-only configuration shown in Listing 4.4. Assume that wren (172.16.5.1) is the master server for the foobirds.org domain...

The Trusted Users Section

Trusted users are allowed to change the sender address when they are sending mail. Trusted users must be valid usernames from the /etc/passwd file. The trusted users defined in the sendmail.cf file that comes with your Linux system are root, uucp, and daemon. The T commands define trusted users. The list of trusted users is stored in class t. Thus, the three previously listed T commands could be replaced by three C commands. Likewise, an F command can be used to load class t from a file. The...

Using Mail Aliases

Mail aliases are defined in the aliases file. The location of the aliases file is set in the sendmail configuration file. (You'll see this configuration file later in the chapter.) On Linux systems, the file is usually located in the /etc directory (/etc/aliases), and it is occasionally located in the /etc/mail directory. The basic format of entries in the file is alias: recipient. The alias is the username in the e-mail address, and recipient is the name to which the mail should be delivered. The recipient field...

Defining Personal Mail Aliases

As the last eight lines in the Red Hat aliases file illustrate, one of the main functions of the alias file is to forward mail to other accounts or other computers. The aliases file defines mail forwarding for the entire system. The .forward file, which can be created in any user's home directory, defines mail forwarding for an individual user. It is possible to use the .forward file to do something that can be done in the /etc/aliases file. For example, if Norman Edwards had an account on a...
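
Alias expansion as the preceding two sections describe it, in an added example that is not the book's code and not sendmail's. It parses entries in aliases-file format (including continuation lines and multiple recipients), follows alias chains until a remote address or an unaliased local name is reached, and refuses loops, which is the failure a practitioner most often hits when editing this file by hand. The alias entries are constructed.

```python
"""Parse an /etc/aliases style file and expand an alias to its final recipients.

Added, illustrative code. Continuation lines begin with whitespace, as in the
real file; names are case-insensitive.
"""

# Constructed sample in /etc/aliases format.
ALIASES_TEXT = """\
# mail to postmaster and webmaster ends up with root, which is forwarded
postmaster:     root
root:           norman
webmaster:      root
staff:          norman, sara@wren.foobirds.org,
                jane
loop1:          loop2
loop2:          loop1
"""


def _split(s):
    return [r.strip() for r in s.split(",") if r.strip()]


def parse_aliases(text):
    """Return {alias: [recipient, ...]}."""
    aliases, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":                      # continuation of previous entry
            if current is None:
                raise ValueError("continuation line without a preceding alias")
            aliases[current].extend(_split(raw))
            continue
        name, sep, rest = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed alias line: {raw!r}")
        current = name.strip().lower()
        aliases[current] = _split(rest)
    return aliases


def expand(name, aliases):
    """Final recipient set for name. Remote addresses (containing @) and
    local names with no alias are terminal. Raises ValueError on a loop."""
    result = set()

    def walk(n, path):
        n = n.lower()
        if "@" in n or n not in aliases:
            result.add(n)
            return
        if n in path:
            raise ValueError(f"alias loop involving {n}")
        for r in aliases[n]:
            walk(r, path | {n})

    walk(name, frozenset())
    return result


if __name__ == "__main__":
    table = parse_aliases(ALIASES_TEXT)
    print(expand("webmaster", table))   # {'norman'}
    print(expand("staff", table))       # norman, jane, sara@wren.foobirds.org
```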

Creating an m4 Domain File

The domain directory is intended for m4 source files that contain information specific to your domain. This is a perfect place to put the commands that rewrite the hostname to the domain name on outbound mail, so we create a new m4 macro file in the domain directory and call it foobirds.m4. We begin by changing to the domain directory and copying the file generic.m4 to foobirds.m4 to act as a starting point for the configuration. Listing 5.10 shows these steps. Listing 5.10 The generic.m4...

Creating a dhcpdconf File

Dhcpd reads its configuration from the /etc/dhcpd.conf file. The dhcpd.conf file identifies the clients to the server, and defines the configuration that the server provides each client. The sample dhcpd.conf file shown in Listing 8.1 dynamically assigns IP addresses to the DHCP clients on a subnet, and supports a few clients that require static addresses. Listing 8.1 A Sample dhcpd.conf File Define global values that apply to all systems, max-lease-time 604800 default-lease-time 86400 option...

Sample iptables Commands

Putting this all together creates a firewall that can protect your network. Assume that we have a Linux router attached to a perimeter network with the address 172.16.12.254 on interface eth0 and to an external network with the address 192.168.6.5 on interface eth1. Further assume that the perimeter network contains only a sendmail server and an Apache server. Listing 12.4 contains some iptables commands we might use on the Linux system to protect the perimeter network. Listing 12.4 Sample...

The smbconf Variables

Reading an smb.conf file can be confusing if you don't understand the variables found in the file. Table 9.3 lists each variable and the value it carries. GID of the username assigned to the client GID of the username requested by the client Home directory of the username assigned to the client NIS home directory if NIS is supported The root directory of the current service The protocol negotiated during connection The username requested by the client Variables provide flexibility because each...

Using smbclient

The smbclient program is a tool for transferring files with a system offering an SMB share. It is particularly useful for transferring files with Windows systems that do not have FTP server software. smbclient acts like an FTP tool for SMB share files. Listing 9.11 illustrates this. added interface ip 172.16.5.2 bcast 172.16.5.255 nmask 255.255.255.0 Password added interface ip 172.16.5.2 bcast 172.16.5.255 nmask 255.255.255.0 Password 51795 blocks of size 131072. 11861 blocks available smb get...

The zebraconf File

The zebra routing manager is required if you want to use any of the Zebra routing daemons. zebra maintains the kernel routing table, maintains the network interface list, defines the static routes, and manages the sharing of information between the different routing protocols. zebra is configured by the zebra.conf file. Listing 7.5 shows a sample zebra.conf file for a Linux system using two Ethernet interfaces The hostname of this router hostname subnet60gw The password required for vtysh...

Running OSPF with gated

Listings 7.13 and 7.14 define the configuration of a router that uses RIPv2 on one subnet and OSPF on another. That same configuration can be replicated with gated. Listing 7.16 is a sample gated OSPF router configuration. Listing 7.16 A gated OSPF RIPv2 Interior Router Configuration Don't time-out subnet 60 interfaces Define the OSPF router id routerid 172.16.1.9 Enable RIP-2 announce OSPF routes to subnet 60 with a cost of 5. rip yes broadcast defaultmetric 5 interface 172.16.60.1 version 2...

The Hints File

The hints file contains information that named uses to initialize the cache. As indicated by the root domain (.) name on the zone statement, the hints the file contains are the names and addresses of the root name servers. The file helps the local server locate a root server during startup. After a root server is located, an authoritative list of root servers is downloaded from that server. The hints are not referred to again until the local server restarts. The named.conf file points to the...

PPP Client Configuration

Configuring a PPP client is as complex as configuring a server. The primary reason for this complexity is that the client initiates the PPP connection. To do that, the client must be able to dial the server's phone number and perform any necessary login procedures. A pppd command for a client system might look like this: pppd /dev/cua1 115200 connect 'chat -v -f dial-server' crtscts modem defaultroute. You have seen all but one of these options before. In fact, this command is almost identical...

Chat Scripts

A chat script defines the steps that are necessary to successfully connect to a remote server. The script is a list of expect/send pairs. Each pair consists of a string that the local system expects to receive, separated by whitespace from the response that it will send when the expected string is received. A sample script might contain the following: '' ATDT301-555-1234 CONNECT '\d\d\r' gin: sophie ord: TOga!toGA. The script in Listing 2.5 contains instructions for the modem as well as the login for...
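
How chat reads such a script, shown in an added example that is not the book's code and not chat(8) itself. It tokenizes the script into expect/send pairs (an empty expect string '' means send immediately, ABORT names a string that ends the dialog) and expands the escape sequences in a send string the way chat does: \d pauses, \r and \n become line-end bytes, and a carriage return is appended to every send string unless it ends in \c. The script text is the section's sample with the escapes quoted as chat requires; everything else is assumed for the example.

```python
"""Parse a chat script into expect/send pairs and expand send-string escapes.

Added, illustrative code; mirrors the chat(8) behaviour described in the text.
"""
import shlex

# The section's sample script, quoted so the backslashes survive tokenizing.
SCRIPT = "'' ATDT301-555-1234 CONNECT '\\d\\d\\r' gin: sophie ord: TOga!toGA"


def parse_chat(script):
    """Return (abort_strings, [(expect, send), ...])."""
    tokens = shlex.split(script)
    aborts, pairs, i = [], [], 0
    while i < len(tokens):
        if tokens[i] == "ABORT":          # ABORT takes one argument, no send
            aborts.append(tokens[i + 1])
            i += 2
            continue
        expect = tokens[i]
        send = tokens[i + 1] if i + 1 < len(tokens) else ""
        pairs.append((expect, send))
        i += 2
    return aborts, pairs


def expand_send(send):
    """Turn a send string into steps: ('delay', seconds) or ('send', bytes).
    chat appends \\r to each send string unless it ends with \\c."""
    steps, buf, i, add_cr = [], bytearray(), 0, True
    while i < len(send):
        ch = send[i]
        if ch == "\\" and i + 1 < len(send):
            esc = send[i + 1]
            i += 2
            if esc == "d":                      # one-second pause
                if buf:
                    steps.append(("send", bytes(buf)))
                    buf = bytearray()
                steps.append(("delay", 1))
            elif esc == "r":
                buf += b"\r"
            elif esc == "n":
                buf += b"\n"
            elif esc == "c" and i == len(send):  # \c at end: no trailing CR
                add_cr = False
            elif esc == "\\":
                buf += b"\\"
            else:
                buf += esc.encode()
            continue
        buf += ch.encode()
        i += 1
    if add_cr:
        buf += b"\r"
    if buf:
        steps.append(("send", bytes(buf)))
    return steps


if __name__ == "__main__":
    aborts, pairs = parse_chat("ABORT BUSY " + SCRIPT)
    print("abort on:", aborts)
    for expect, send in pairs:
        print(f"expect {expect!r:12} -> {expand_send(send)}")
```

Note that the password sits in clear text in the script; keep the script file readable only by root, since anyone who can read it has the dial-in account.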

The IMAP Protocol

Internet Message Access Protocol (IMAP) is an alternative to POP. It provides the same basic service as POP, and adds features to support mailbox synchronization. Mailbox synchronization is the ability to read individual mail messages on a client or directly on the server while keeping the mailbox on both systems completely up-to-date. On an average POP server, the entire contents of the mailbox are moved to the client, and either deleted from the server or retained as if never read. Deletion...

The etcservices File

The second stage of demultiplexing the network data is to identify the application to which the data are addressed. The transport protocol does this using the port number from the transport protocol header. The standard port numbers are identified in the /etc/services file. The port numbers for well-known services are assigned in Internet standards, so you never change the port number of an existing service. On rare occasions, you may need to add a new service to the file, but that is the only...

Configuring inetd

The inetd configuration is defined in the /etc/inetd.conf file. The file defines the ports that inetd monitors and the pathnames of the processes it starts when it detects network traffic on a port. Many Linux systems use inetd. In fact, prior to version 7.0, Red Hat used inetd instead of xinetd. Listing 3.3, which shows the active entries in an inetd.conf file, was generated on a server running Red Hat 6.2. Listing 3.3 Excerpts from an inetd.conf File Every entry in the inetd.conf file shown in...

Controlling Access with tcpd

The tcpd wrapper software is executed by inetd. It is an integral part of most Linux distributions that use inetd. Using tcpd on a Linux system is easier than it is on many other systems because the entries in the inetd.conf file already point to the tcpd program. Note The format of the inetd.conf file is explained in Chapter 3, Login Services. The following entries are from the inetd.conf file on a Linux system:
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait...
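
One check that ties the three preceding sections together, as an added example that is not the book's code: parse /etc/services to resolve each inetd service name to its port, parse inetd.conf entries in the field order the text describes (service, socket type, protocol, wait flag, user, server path, arguments), and report any service that inetd starts directly instead of through /usr/sbin/tcpd, so that it receives no hosts.allow/hosts.deny control. Both file excerpts are constructed for the example.

```python
"""Audit inetd.conf entries against /etc/services and the tcpd wrapper.

Added, illustrative code; both excerpts below are constructed.
"""

SERVICES_TEXT = """\
# constructed excerpt of /etc/services: name port/proto [aliases]
ftp      21/tcp
telnet   23/tcp
smtp     25/tcp   mail
finger   79/tcp
"""

INETD_TEXT = """\
# constructed excerpt of inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd        in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd        in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""


def _active_lines(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if line:
            yield line


def parse_services(text):
    """Map (name, protocol) -> port; service aliases map to the same port."""
    table = {}
    for line in _active_lines(text):
        fields = line.split()
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port)
    return table


def parse_inetd(text):
    """Return one dict per active inetd.conf entry."""
    entries = []
    for line in _active_lines(text):
        f = line.split()
        if len(f) < 6:
            raise ValueError(f"inetd.conf entry has too few fields: {line!r}")
        entries.append({"service": f[0], "socket": f[1], "proto": f[2],
                        "wait": f[3], "user": f[4], "server": f[5], "args": f[6:]})
    return entries


def audit(services, inetd):
    """(service, port or None, wrapped_by_tcpd, user) for each entry."""
    return [(e["service"], services.get((e["service"], e["proto"])),
             e["server"].endswith("/tcpd"), e["user"]) for e in inetd]


def unwrapped(services, inetd):
    """Services inetd starts without the tcpd wrapper."""
    return [svc for svc, _port, wrapped, _user in audit(services, inetd) if not wrapped]


if __name__ == "__main__":
    svc, conf = parse_services(SERVICES_TEXT), parse_inetd(INETD_TEXT)
    for row in audit(svc, conf):
        print(row)
    print("not wrapped by tcpd:", unwrapped(svc, conf))   # ['finger']
```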

Sample liloconf File

A lilo.conf file starts with a global section that contains options that apply to the entire LILO process. Some of these entries relate to the installation of LILO by /sbin/lilo, and are only indirectly related to the boot process. Note The program /sbin/lilo is not the boot loader. The LILO boot loader is a simple loader stored in a boot sector; /sbin/lilo is the program that installs and updates the LILO boot loader. Comments in the lilo.conf file start with a sharp sign (#). The first active line of...

Partitioning with Disk Druid

If you select a custom installation, the Red Hat installation program asks which partitioning tool it should use. Select either the traditional fdisk program or Disk Druid, which uses a full-screen interface (see Figure A.1). When run under the graphical installer, Disk Druid uses a basic point-and-click interface. Figure A.1 Disk Druid's main screen The top of the screen displays the device name, the disk geometry, and the make and model of the disk, along with a graphical representation of...

The m4 Macro Control File

The /usr/share/sendmail-cf/cf directory's prototype files contain m4 macro commands. In addition to lots of comments, the tcpproto.mc file contains the macros shown in Listing 5.8.
VERSIONID(`$Id: tcpproto.mc,v 8.13.22.1 2000/08/03 15:25:20 ca Exp $')
FEATURE(`nouucp', `reject')
Listing 5.8 shows the configuration macros. The file tcpproto.mc also contains divert and dnl commands. A divert(-1) command precedes a large block of comments. m4 skips everything between a divert(-1) command and the next...

Using the elm Filter

Elm is an old terminal-mode mailer. elm has some die-hard fans, but most users have moved on to mailers that include a graphical user interface. However, the elm source code distribution comes with a filtering tool aptly named filter. The source code is available from ftp.virginia.edu, where it is stored in the /pub/elm directory. Even if you don't use elm, you can use the filter program to process incoming mail. The filter program is invoked with the .forward file (covered in Chapter 5 during...

Configuring an Ethernet Device Driver

In most cases, the system correctly configures the network device driver without any help from the system administrator. Most drivers probe the card to discover the correct configuration. Additionally, the Ethernet drivers expect the adapters to use the manufacturer's default configuration, and if they do, no configuration changes are needed. But these techniques don't always work. When they don't, Ethernet adapter configuration parameters can be passed to the kernel through the boot prompt (as...

The options Statement

The options statement defines global options that affect the operation of BIND and the DNS protocol. The syntax of the options statement for BIND 8 is shown in Listing B.1.
Listing B.1 The BIND 8 options Statement Syntax
    version string;
    directory pathname;
    named-xfer pathname;
    dump-file pathname;
    memstatistics-file pathname;
    pid-file pathname;
    statistics-file pathname;
    auth-nxdomain yes|no;
    deallocate-on-exit yes|no;
    dialup yes|no;
    fake-iquery yes|no;
    fetch-glue yes|no;
    has-old-clients yes|no;
    host-statistics...

Using the Access Database in sendmail

After building the database, you also need to let sendmail know that you have an access database, and that you want to use it. Use the access_db feature to do that. Assume that you're using the configuration that was created in Chapter 5. We created two customized files: a DOMAIN file specifically for the foobirds.org domain and a linux.mc file to include the custom DOMAIN file in the sendmail configuration. Because the access database is specific to our server, let's add the necessary feature to the...

Understanding the Access Database

The sendmail access database defines e-mail sources using e-mail addresses, domain names, and IP network numbers, along with the action that sendmail should take when it receives mail from the specified source. For example, consider a database that tells sendmail to reject any mail from the e-mail address spammer@bigisp.com, from any host in the domain wespamu.com, and from any computer whose IP address begins with network number 172.18. Each entry in the database begins with the source of the mail,...
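
The lookup the paragraph describes, as an added example that is not the book's code and not sendmail's own map code: entries pair a source (full address, domain, or leading IP octets) with an action, a sender address is matched first exactly and then against its domain and each parent domain, and a client IP is matched against successively shorter prefixes. The entries below are constructed; they include the three rejections from the text plus an OK and a RELAY entry to show that a more specific key wins.

```python
"""Match mail sources against sendmail access-database style entries.

Added, illustrative code. Real sendmail also supports tagged keys and
localpart-only keys; this example covers the three source forms in the text.
"""

# Constructed entries in the access file's text format: key, whitespace, action.
ACCESS_TEXT = """\
spammer@bigisp.com      REJECT
wespamu.com             REJECT
172.18                  REJECT
friend@bigisp.com       OK
foobirds.org            RELAY
"""


def parse_access(text):
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action.strip()
    return table


def lookup_sender(address, table):
    """Exact address first, then the domain and each parent domain."""
    address = address.lower()
    if address in table:
        return table[address]
    if "@" in address:
        labels = address.split("@", 1)[1].split(".")
        for i in range(len(labels)):
            key = ".".join(labels[i:])
            if key in table:
                return table[key]
    return None


def lookup_ip(ip, table):
    """Longest leading run of octets that appears in the table."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = ".".join(octets[:n])
        if key in table:
            return table[key]
    return None


def decide(sender, client_ip, table):
    """Combine both lookups the way a relay check would: any REJECT wins,
    then RELAY or OK from either source, else None (no entry)."""
    actions = [a for a in (lookup_sender(sender, table), lookup_ip(client_ip, table)) if a]
    if "REJECT" in actions:
        return "REJECT"
    return actions[0] if actions else None


if __name__ == "__main__":
    t = parse_access(ACCESS_TEXT)
    print(decide("spammer@bigisp.com", "192.0.2.7", t))    # REJECT
    print(decide("anyone@mail.wespamu.com", "192.0.2.7", t))  # REJECT (parent domain)
    print(decide("friend@bigisp.com", "172.18.4.4", t))    # REJECT (IP prefix wins)
    print(decide("sara@foobirds.org", "192.0.2.7", t))     # RELAY
```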

The PPP Kernel Module

Chapter 1 showed the kernel messages that are displayed when the serial drivers are installed. Similarly, when PPP is compiled into the kernel, messages about PPP are displayed during startup, as in this Caldera example: PPP version 2.2.0 (dynamic channel allocation) PPP Dynamic channel allocation code copyright 1995 Caldera, Inc. PPP line discipline registered. If PPP is built into your kernel, you're ready to run the PPP daemon. On most systems, however, the kernel component of PPP is not...

Building a sendmail Database

The configuration we have just created works fine. It operates just like the sendmail.cf that was created earlier, including masquerading hostnames as foobirds.org. But we also want to convert the username part of outbound addresses from the login name to the user's real name written as firstname.lastname. To do that, create a database to convert the username part of outbound e-mail addresses. Build the database by creating a text file with the necessary data and processing that file through...

Configuring the DHCP Server

After dhcpd is installed, it must be configured. The DHCP daemon is configured through the dhcpd.conf file. The file can contain an extensive list of configuration commands that provide direction to the server and configuration information to the clients. A DHCP server can be configured to provide service to individual hosts and to entire subnets of hosts. The dhcpd configuration language includes host and subnet statements that identify the scope of systems being serviced. A host statement...