Linux Services
Sirak Kaewjamnong

Linux DHCP Server
• DHCP is the protocol by which a client's IP address is dynamically assigned by a DHCP server.
• A PC client will most likely get its IP address at boot time from the home router.
• The DHCP server RPM's filename usually starts with the word dhcp followed by a version number, as in dhcp-3.0.1rc14-1.i386.rpm.

The /etc/dhcpd.conf File
• When DHCP starts, it reads the file /etc/dhcpd.conf.
• The standard DHCP RPM package doesn't automatically install a /etc/dhcpd.conf file, but a sample copy of dhcpd.conf is in the following directory:
    /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample

/etc/dhcpd.conf example file
    ddns-update-style interim;
    ignore client-updates;

    subnet 172.27.21.0 netmask 255.255.255.0 {
        # --- default gateway
        option routers 172.27.21.254;
        option subnet-mask 255.255.255.0;
        option nis-domain "cp.su.ac.th";
        option domain-name "cp.su.ac.th";
        # both DNS servers go in one comma-separated statement;
        # a repeated option line would replace the earlier one
        option domain-name-servers 202.28.72.66, 202.44.135.9;
        option time-offset -18000;   # Eastern Standard Time
        # option netbios-node-type 2;
        range dynamic-bootp 172.27.21.200 172.27.21.250;
        default-lease-time 21600;
        max-lease-time 43200;
    }
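Before restarting dhcpd on a file like the one above, it is worth checking that the gateway, the dynamic range and the lease times actually fit the subnet. The following checker is an added example, not code from these slides; it parses only the statements the slide uses (subnet/netmask, option routers, range, lease times) and runs on the slide's own subnet block, embedded here as constructed input.

```python
import ipaddress
import re

# Constructed input: the subnet block from the slide's dhcpd.conf.
SAMPLE_CONF = """
subnet 172.27.21.0 netmask 255.255.255.0 {
    # --- default gateway
    option routers 172.27.21.254;
    range dynamic-bootp 172.27.21.200 172.27.21.250;
    default-lease-time 21600;
    max-lease-time 43200;
}
"""

def parse_subnet(conf):
    """Pull network, routers, range and lease times out of the first subnet block."""
    m = re.search(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", conf, re.S)
    if not m:
        raise ValueError("no subnet block found")
    f = {"network": ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")}
    body = re.sub(r"#[^\n]*", "", m.group(3))           # drop comments first
    for stmt in body.split(";"):
        words = stmt.split()
        if not words:
            continue
        if words[:2] == ["option", "routers"]:
            f["routers"] = [w.strip(",") for w in words[2:]]
        elif words[0] == "range":                        # optional dynamic-bootp flag first
            f["range"] = (words[-2], words[-1])
        elif words[0] in ("default-lease-time", "max-lease-time"):
            f[words[0]] = int(words[1])
    return f

def check_subnet(conf):
    """Return a list of problems; an empty list means the block is consistent."""
    f = parse_subnet(conf)
    net, problems = f["network"], []
    for r in f.get("routers", []):
        if ipaddress.ip_address(r) not in net:
            problems.append(f"router {r} is outside {net}")
    if "range" not in f:
        problems.append("no range statement, so no dynamic leases will be offered")
    else:
        lo, hi = (ipaddress.ip_address(a) for a in f["range"])
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"range {lo}-{hi} is not a valid span inside {net}")
        elif lo == net.network_address or hi == net.broadcast_address:
            problems.append("range includes the network or broadcast address")
        for r in f.get("routers", []):
            if lo <= ipaddress.ip_address(r) <= hi:
                problems.append(f"router {r} lies inside the dynamic range")
    if f.get("default-lease-time", 0) > f.get("max-lease-time", float("inf")):
        problems.append("default-lease-time exceeds max-lease-time")
    return problems
```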
How to get DHCP started
• Use the chkconfig command to get DHCP configured to start at boot:
    [root@bigboy tmp]# chkconfig dhcpd on
• Use the service command to instruct the /etc/init.d/dhcpd script to start/stop/restart DHCP after booting:
    [root@bigboy tmp]# service dhcpd start
    [root@bigboy tmp]# service dhcpd stop
    [root@bigboy tmp]# service dhcpd restart

SAMBA
• Samba is a suite of utilities that allows your Linux server to share files and other resources, such as printers, with Windows clients.

Get SMB started
• Configure Samba to start at boot time using the chkconfig command:
    [root@bigboy tmp]# chkconfig smb on
• Start/stop/restart Samba after boot time using the smb initialization script as in the examples below:
    [root@bigboy tmp]# service smb start
    [root@bigboy tmp]# service smb stop
    [root@bigboy tmp]# service smb restart
• Note: Unlike many Linux packages, Samba does not need to be restarted after changes have been made to its configuration file, as it is read after the receipt of every client request.

The Samba Configuration File
• The /etc/samba/smb.conf file is the main configuration file.

Samba's SWAT web interface
• SWAT, Samba's web-based configuration tool, enables editing of the smb.conf file without needing to remember all the formatting.
• Each SWAT screen is actually a form that covers a separate section of the smb.conf file, into which the admin fills in the desired parameters; each parameter box has its own online help.

Basic SWAT Setup
• Root must always remember that SWAT edits the smb.conf file but also strips out any comments that may have been manually entered into it beforehand.
• The original Samba smb.conf file has many worthwhile comments in it, so you should save a copy as a reference before proceeding with SWAT.
• For example, you could save the original file with the name /etc/samba/smb.conf.original:
    [root@tmp]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original
Basic SWAT Setup
• The enabling and disabling, starting and stopping of SWAT is controlled by xinetd via a configuration file named /etc/xinetd.d/swat:
    service swat
    {
        port            = 901
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
        only_from       = localhost
    }

Basic SWAT Setup
• The disable parameter must be set to no to accept connections. It can be switched between yes and no automatically.
• The default configuration only allows SWAT web access from the VGA console, as user root on port 901 with the Linux root password.
• This means root has to enter http://127.0.0.1:901 in a browser to get the login screen.
• Root can make SWAT accessible from other servers by adding IP address entries to the only_from parameter of the SWAT configuration file.
• An example of an entry that allows connections only from 192.168.1.3 and localhost:
    only_from = localhost 192.168.1.3

Controlling SWAT
• As with all xinetd-controlled applications, the chkconfig command automatically modifies the disable field in the configuration file and activates the change.
• Before SWAT can be used, the xinetd program that controls it must be activated in advance.
• You can start/stop/restart xinetd after boot time using the xinetd initialization script.

xinetd Programs
• Many network-enabled Linux applications do not rely on themselves to provide restricted access or to bind to a particular TCP port.
• Instead, they often offload a lot of this work to a program suite made just for this purpose: xinetd.
• The xinetd RPM is installed by default in Fedora Linux and uses /etc/xinetd.conf as its main configuration file.

Controlling xinetd
• The starting and stopping of the xinetd daemon is controlled by scripts in the /etc/init.d directory, and its behavior at boot time is controlled by chkconfig.
• You can start/stop/restart xinetd after booting by using the following commands:
    [root@bigboy tmp]# service xinetd start
    [root@bigboy tmp]# service xinetd stop
    [root@bigboy tmp]# service xinetd restart
• To get xinetd configured to start at boot you can use the chkconfig command:
    [root@bigboy tmp]# chkconfig xinetd on

Controlling xinetd-Managed Applications
• xinetd-managed applications all store their configuration files in the /etc/xinetd.d directory.
• Each configuration file has a disable statement that can be set to yes or no. This governs whether xinetd is allowed to start them or not.
• You don't have to edit these files to activate or deactivate the application. The chkconfig command does that automatically and also stops or starts the application accordingly.
Telnet
• Telnet is a program that allows users to log into a server and get a command prompt just as if they were logged into the VGA console.
• The Telnet server RPM is installed and disabled by default on Fedora Linux.
• One of the disadvantages of Telnet is that the data is sent as clear text.
• A more secure method for remote logins would be via Secure Shell (SSH), which uses varying degrees of encryption.
• The older Telnet application remains popular. Many network devices don't have SSH clients, making telnet the only means of accessing other devices and servers from them.

Installing The Telnet Server Software
• Older versions of Red Hat had the Telnet server installed by default. Fedora Linux does not, so you will have to install it yourself.
• Most Linux software products are available in a precompiled package format for downloading and installing.
• When searching for the file, the Telnet server RPM's filename usually starts with the word "telnet-server" followed by a version number, as in telnet-server-0.17-28.i386.rpm.

Setting Up A Telnet Server
• To set up a Telnet server, use the chkconfig command to activate Telnet:
    [root@bigboy tmp]# chkconfig telnet on
• Use the chkconfig command to deactivate Telnet; the setting persists even after the next reboot:
    [root@bigboy tmp]# chkconfig telnet off

Let Telnet Listen On Another TCP Port
• Letting telnet run on an alternate TCP port does not encrypt the traffic, but it makes it less likely to be detected as telnet traffic.
• Remember that this is not a foolproof strategy; good port scanning programs can detect telnet and other applications running on alternative ports.

Let Telnet Listen On Another TCP Port
• Edit the /etc/services file and add an entry for a new service. Call it stelnet:
    # Local services
    stelnet         7777/tcp        # "secure" telnet
• Copy the telnet configuration file /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet:
    [root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

Let Telnet Listen On Another TCP Port
• Edit the new /etc/xinetd.d/stelnet file. Rename the service to stelnet and add a port statement for TCP port 7777:
    # default: on
    # description: The telnet server serves telnet sessions; it uses
    #   unencrypted username/password pairs for authentication.
    service stelnet
    {
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        port            = 7777
    }
• Use chkconfig to activate stelnet:
    [root@bigboy tmp]# chkconfig stelnet on

Let Telnet Allow Connections From Trusted Addresses
• Root can restrict telnet login access to individual remote servers by using the only_from keyword in the telnet configuration file.
• Add a list of trusted servers to the /etc/xinetd.d/telnet file, separated by spaces:
    service telnet
    {
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 192.168.1.100 127.0.0.1 192.168.1.200
    }
• Restart telnet by turning it off and on again with chkconfig:
    # chkconfig telnet off
    # chkconfig telnet on
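The swat, stelnet and telnet files above all follow the same xinetd layout, so the restrictions they carry can be audited mechanically. The script below is an added example (not part of the slides): it parses xinetd service files, skips anything with disable = yes, and reports enabled services that have no only_from or no_access restriction, plus any enabled cleartext telnet service. The two sample files are constructed from the slide snippets.

```python
import re

# Constructed input: the swat and stelnet service files from the slides.
SAMPLE_FILES = {
    "/etc/xinetd.d/swat": """
service swat
{
    port            = 901
    user            = root
    server          = /usr/sbin/swat
    log_on_failure  += USERID
    disable         = no
    only_from       = localhost
}
""",
    "/etc/xinetd.d/stelnet": """
service stelnet
{
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = no
    port            = 7777
}
""",
}

def parse_service(text):
    """Return (service name, {attribute: value}) for one xinetd service file."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no service block found")
    attrs = {}
    for line in m.group(2).splitlines():
        line = line.split("#", 1)[0].strip()            # strip comments
        if not line:
            continue
        key, _op, value = re.match(r"(\S+)\s*(\+=|-=|=)\s*(.*)", line).groups()
        attrs[key] = value.strip()                       # += and -= kept as plain values
    return m.group(1), attrs

def audit(files):
    """{service: findings} for every service xinetd would actually start."""
    report = {}
    for text in files.values():
        name, a = parse_service(text)
        if a.get("disable", "no") != "no":               # no disable line means enabled
            continue
        findings = []
        if "only_from" not in a and "no_access" not in a:
            findings.append("enabled with no only_from/no_access restriction")
        if a.get("server", "").endswith("in.telnetd"):
            findings.append("cleartext telnet service is enabled")
        if findings:
            report[name] = findings
    return report
```

Point the dictionary at the real contents of /etc/xinetd.d to run it on a live host; moving telnet to port 7777 does not change its findings.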
Linux FTP
• The File Transfer Protocol (FTP) is one of the most common means of copying files between servers over the Internet.
• Most web-based download sites use the built-in FTP capabilities of web browsers, and therefore most server-oriented operating systems usually include an FTP server application as part of the software suite.
• Fedora Linux's FTP server uses the Very Secure FTP Daemon (VSFTPD) package by default.

FTP overview
• FTP relies on a pair of TCP ports to get the job done. It operates over two connection channels:
• FTP Control Channel, TCP Port 21: all commands sent and the FTP server's responses to those commands go over the control connection.
• FTP Data Channel, TCP Port 20: this port is used for all subsequent data transfers between the client and server.

How To Get VSFTPD Started
• With Fedora, Red Hat, Ubuntu and Debian you can start, stop, or restart VSFTPD after booting by using these commands:
    [root@bigboy tmp]# /etc/init.d/vsftpd start
    [root@bigboy tmp]# /etc/init.d/vsftpd stop
    [root@bigboy tmp]# /etc/init.d/vsftpd restart
• With Red Hat / Fedora you can configure VSFTPD to start at boot using the chkconfig command:
    [root@bigboy tmp]# chkconfig vsftpd on

The Apache Web Server
• Apache is probably the most popular Linux-based Web server application in use.
• When searching for the file, the Red Hat / Fedora Apache RPM package's filename usually starts with the word httpd followed by a version number, as in httpd-2.0.48-1.2.rpm.

Get Apache started
• Use the chkconfig command to configure Apache to start at boot:
    [root@bigboy tmp]# chkconfig httpd on
• Use the httpd init script in the /etc/init.d directory to start, stop, and restart Apache after booting:
    [root@bigboy tmp]# /etc/init.d/httpd start
    [root@bigboy tmp]# /etc/init.d/httpd stop
    [root@bigboy tmp]# /etc/init.d/httpd restart

General Configuration Steps
• The configuration file used by Apache is /etc/httpd/conf/httpd.conf in Red Hat / Fedora distributions and /etc/apache*/httpd.conf in Debian / Ubuntu distributions.
• As for most Linux applications, you must restart Apache before changes to this configuration file take effect.

Where To Put Web Pages
• All the statements that define the features of each web site are grouped together inside their own <VirtualHost> section, or container, in the httpd.conf file.
• The most commonly used statements, or directives, inside a <VirtualHost> container are:
• ServerName: defines the name of the website managed by the <VirtualHost> container. This is needed in named virtual hosting only, as I'll explain soon.
• DocumentRoot: defines the directory in which the web pages for the site can be found.

Where To Put Web Pages
• By default, Apache searches the DocumentRoot directory for an index, or home, page named index.html.
• For example, with a ServerName of www.my-site.com and a DocumentRoot directory of /home/www/site1/, Apache displays the contents of the file /home/www/site1/index.html when someone enters http://www.my-site.com in their browser.

The Default File Location
• By default, Apache expects to find all its web page files in the /var/www/html/ directory, with a generic DocumentRoot statement at the beginning of httpd.conf.
• Apache will display web page files as long as they are world readable, so all the files and subdirectories in DocumentRoot should have the correct permissions.
• Change the permissions on the /home/www directory to 755, which allows all users, including Apache's httpd daemon, to read the files inside.

Named Virtual Hosting
• Apache allows a web server to host more than one site per IP address by using Apache's named virtual hosting feature.
• Use the NameVirtualHost directive in the /etc/httpd/conf/httpd.conf file to tell Apache which IP addresses will participate in this feature.
• The <VirtualHost> containers in the file then tell Apache where it should look for the web pages used on each web site.
• Admin must specify the IP address to which each <VirtualHost> container applies.

Named Virtual Hosting Example
    ServerName localhost
    NameVirtualHost 97.158.253.26

    <VirtualHost *>
        DocumentRoot /home/www/site1
    </VirtualHost>

    <VirtualHost 97.158.253.26>
        DocumentRoot /home/www/site2
        ServerName www.my-site.com
        # ServerAlias takes a space-separated list, not commas
        ServerAlias my-site.com www.my-cool-site.com
    </VirtualHost>

    <VirtualHost 97.158.253.26>
        DocumentRoot /home/www/site3
        ServerName www.test-site.com
    </VirtualHost>

    <VirtualHost 97.158.253.26>
        DocumentRoot /home/www/site4
        ServerName www.another-site.com
    </VirtualHost>
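A small model of the selection rule the example relies on, added here and not taken from the slides: among the containers that apply to the request's IP, the Host header is compared with ServerName and ServerAlias, and when nothing matches the first container declared for that address is served. The wildcard `<VirtualHost *>` is treated as applying to every address, following the slide's reading that it is the catch-all; the config is the slide's, with site4 omitted for brevity.

```python
import re

# Constructed input: the slide's named virtual hosting example (site4 omitted),
# with ServerAlias written as the space-separated list Apache expects.
HTTPD_CONF = """
NameVirtualHost 97.158.253.26
<VirtualHost *>
    DocumentRoot /home/www/site1
</VirtualHost>
<VirtualHost 97.158.253.26>
    DocumentRoot /home/www/site2
    ServerName www.my-site.com
    ServerAlias my-site.com www.my-cool-site.com
</VirtualHost>
<VirtualHost 97.158.253.26>
    DocumentRoot /home/www/site3
    ServerName www.test-site.com
</VirtualHost>
"""

def parse_vhosts(conf):
    """List of {addr, names, DocumentRoot} dicts in declaration order."""
    hosts = []
    pattern = r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>"
    for addr, body in re.findall(pattern, conf, re.S):
        h = {"addr": addr.strip(), "names": []}
        for line in body.splitlines():
            words = line.split()
            if not words:
                continue
            if words[0] == "DocumentRoot":
                h["DocumentRoot"] = words[1]
            elif words[0] == "ServerName":
                h["names"].insert(0, words[1].lower())
            elif words[0] == "ServerAlias":
                h["names"] += [w.lower() for w in words[1:]]
        hosts.append(h)
    return hosts

def select_vhost(conf, ip, host_header):
    """DocumentRoot served for a request arriving on ip with this Host header."""
    candidates = [h for h in parse_vhosts(conf) if h["addr"] in (ip, "*")]
    host = host_header.split(":")[0].lower()            # drop any :port suffix
    for h in candidates:
        if host in h["names"]:
            return h["DocumentRoot"]
    return candidates[0]["DocumentRoot"]                 # no name matched: first container

def shadowed_names(conf):
    """Names claimed by more than one container; only the first claim is reachable."""
    seen, dup = set(), []
    for h in parse_vhosts(conf):
        for n in h["names"]:
            if n in seen:
                dup.append(n)
            seen.add(n)
    return dup
```

shadowed_names catches the case where a later container repeats an earlier ServerName or ServerAlias and silently never receives traffic.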
Protect Web Page Directories With Passwords
• Use Apache's htpasswd password utility to create username/password combinations, independent of the system login password, for web page access.
• Specify the location of the password file; if it does not yet exist, you should include a -c, or create, switch on the command line.
• Place the file in the /etc/httpd/conf directory, away from the DocumentRoot tree where web users could possibly view it.

htpasswd Example
    [root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter
    New password:
    Re-type new password:
    Adding password for user peter
    [root@bigboy tmp]#
    [root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul
    New password:
    Re-type new password:
    Adding password for user paul
    [root@bigboy tmp]#

Protect Web Page Directories With Passwords
• Make the .htpasswd file readable by all users:
    [root@bigboy tmp]# chmod 644 /etc/httpd/conf/.htpasswd
• Create a .htaccess file in the directory to which you want to apply password control, with these entries:
    AuthUserFile /etc/httpd/conf/.htpasswd
    AuthGroupFile /dev/null
    AuthName EnterPassword
    AuthType Basic
    require user peter

Protect Web Page Directories With Passwords
• Set the correct file protections on the new .htaccess file in the directory /home/www:
    [root@bigboy tmp]# chmod 644 /home/www/.htaccess
• Make sure your /etc/httpd/conf/httpd.conf file has an AllowOverride statement in a <Directory> directive for any directory in the tree above /home/www.
• In the example below, all directories below /home/www/ require password authorization:
    <Directory /home/www/*>
        AllowOverride AuthConfig
    </Directory>

Protect Web Page Directories With Passwords
• Make sure that there is a <VirtualHost> directive that defines access to /home/www or another directory higher up in the tree:
    <VirtualHost *>
        ServerName 97.158.253.26
        DocumentRoot /home/www
    </VirtualHost>
• Restart Apache.
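The three pieces above only work together if the .htaccess is complete, the AuthUserFile sits outside every DocumentRoot (so it can never be served to a browser) and a <Directory> container above the protected directory grants AllowOverride AuthConfig. The checker below is an added example, not code from the slides; it works on text copied from the slide's .htaccess and httpd.conf snippets and touches no files on disk.

```python
import fnmatch
import os
import re

# Constructed input: the .htaccess and httpd.conf fragments from the slides.
HTACCESS = """
AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user peter
"""

HTTPD_CONF = """
<Directory /home/www/*>
    AllowOverride AuthConfig
</Directory>
<VirtualHost *>
    ServerName 97.158.253.26
    DocumentRoot /home/www
</VirtualHost>
"""

def directives(text):
    """{directive (lower-cased): argument string} for a flat block of directives."""
    d = {}
    for line in text.splitlines():
        words = line.split(None, 1)
        if words and not words[0].startswith("#"):
            d[words[0].lower()] = words[1].strip() if len(words) > 1 else ""
    return d

def allow_override_covers(httpd_conf, directory):
    """True if a <Directory> whose pattern matches directory allows AuthConfig overrides."""
    blocks = re.findall(r"<Directory\s+\"?([^\">]+)\"?>(.*?)</Directory>", httpd_conf, re.S)
    for pattern, body in blocks:
        allowed = {w.lower() for w in directives(body).get("allowoverride", "None").split()}
        if fnmatch.fnmatch(directory, pattern.strip()) and allowed & {"authconfig", "all"}:
            return True
    return False

def check_protection(protected_dir, htaccess, httpd_conf):
    """Return a list of problems; an empty list means the setup is consistent."""
    problems, ht = [], directives(htaccess)
    for needed in ("authuserfile", "authtype", "authname", "require"):
        if needed not in ht:
            problems.append(f".htaccess lacks {needed}")
    pwfile = ht.get("authuserfile")
    for root in re.findall(r"^\s*DocumentRoot\s+\"?([^\"\s]+)", httpd_conf, re.M):
        if pwfile and os.path.commonpath([pwfile, root]) == os.path.normpath(root):
            problems.append(f"{pwfile} is inside DocumentRoot {root} and could be served")
    if not allow_override_covers(httpd_conf, protected_dir):
        problems.append(f"no <Directory> with AllowOverride AuthConfig covers {protected_dir}")
    return problems
```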
Linux firewall
• Linux uses iptables for firewall solutions.
• A router that uses NAT and port forwarding can both protect the home network and allow another web server on the home network to share the public IP address of the firewall.

iptables Features
• Integration with the Linux kernel, with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
• Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols.
• Filtering packets based on a MAC address and the values of the flags in the TCP header.

iptables Features
• System logging that provides the option of adjusting the level of detail of the reporting.
• Network address translation.
• Support for transparent integration with such Web proxy programs as Squid.
• A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.

Start iptables
• Start, stop or restart iptables with:
    [root@bigboy tmp]# service iptables start
    [root@bigboy tmp]# service iptables stop
    [root@bigboy tmp]# service iptables restart
• Sample iptables command:
    iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
             --sport 1024:65535 --dport 80 -j ACCEPT
• Here iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for the IP address 192.168.1.58, which is reachable via interface eth1.
• The source port is in the range 1024 to 65535 and the destination port is port 80.
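To make the rule's match semantics concrete, the following added example (not from the slides) parses the sample command's own options and evaluates constructed packets against them. It shows that the inbound request on eth0 matches while the web server's reply leaving on eth1 does not, which is why a return path still has to be allowed separately. The packet dictionaries and the 203.0.113.7 client address are made up for the demonstration.

```python
import ipaddress

# The FORWARD rule from the slide, without the shell line continuation.
RULE = ("iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP "
        "--sport 1024:65535 --dport 80 -j ACCEPT")

# Constructed packets: the request the rule is meant to admit, and its reply.
REQUEST = dict(in_iface="eth0", out_iface="eth1", src="203.0.113.7",
               dst="192.168.1.58", proto="tcp", sport=40000, dport=80)
REPLY = dict(in_iface="eth1", out_iface="eth0", src="192.168.1.58",
             dst="203.0.113.7", proto="tcp", sport=80, dport=40000)

def parse_rule(cmd):
    """Map each option to its argument; every option on the slide takes exactly one."""
    words = cmd.split()
    return dict(zip(words[1::2], words[2::2]))

def network(spec):
    """Expand iptables shorthand such as 0/0 or a bare host into an ip_network."""
    addr, _, bits = spec.partition("/")
    addr = ".".join((addr.split(".") + ["0", "0", "0"])[:4])
    return ipaddress.ip_network(f"{addr}/{bits or 32}", strict=False)

def port_range(spec):
    """'1024:65535' -> (1024, 65535); a single port is a one-element range."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def matches(rule, pkt):
    """True when every match option present in the rule holds for the packet."""
    tests = {
        "-i": lambda v: pkt["in_iface"] == v,
        "-o": lambda v: pkt["out_iface"] == v,
        "-s": lambda v: ipaddress.ip_address(pkt["src"]) in network(v),
        "-d": lambda v: ipaddress.ip_address(pkt["dst"]) in network(v),
        "-p": lambda v: pkt["proto"].lower() == v.lower(),
        "--sport": lambda v: port_range(v)[0] <= pkt["sport"] <= port_range(v)[1],
        "--dport": lambda v: port_range(v)[0] <= pkt["dport"] <= port_range(v)[1],
    }
    return all(test(rule[flag]) for flag, test in tests.items() if flag in rule)

def verdict(rule, pkt):
    """The rule's target (-j) if it matches, otherwise None (the chain continues)."""
    return rule["-j"] if matches(rule, pkt) else None
```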
Secure Remote Logins
• OpenSSH provides a number of ways to create encrypted remote terminal and file transfer connections between clients and servers.
• The OpenSSH Secure Copy (SCP) and Secure FTP (SFTP) programs are secure replacements for FTP.
• Secure Shell (SSH) is often used as a secure alternative to Telnet.

Starting OpenSSH
• OpenSSH is installed by default during Linux installations.
• SSH and SCP are part of the same application; they share the same configuration file and are governed by the same /etc/init.d/sshd startup script.
• Configure SSH to start at boot by using the chkconfig command when running Fedora:
    [root@bigboy tmp]# chkconfig sshd on

The /etc/ssh/sshd_config File
• The SSH configuration file is called /etc/ssh/sshd_config. By default SSH listens on all NICs and uses TCP port 22.
• Start, stop, and restart SSH with the service command.
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

Other Linux services
• NTP
• Sendmail
• DNS
• MRTG
• Network File System (NFS)
• Etc.
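The comment block above describes a convention that can be read programmatically: a line such as `#Port 22` documents the compiled-in default, and an uncommented line overrides it. The function below, an added example rather than code from the slides, derives the effective value of each option from that convention so the listening port, bind addresses and protocol versions can be checked before sshd is restarted. The two uncommented lines in the sample are constructed.

```python
import re

# Constructed input: the default comment block from the slide plus two
# uncommented lines an administrator might add.
SSHD_CONFIG = """
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
Protocol 2
ListenAddress 127.0.0.1
"""

def effective_settings(text):
    """{option: [values]}: documented defaults, overridden by uncommented lines."""
    defaults, explicit = {}, {}
    for line in text.splitlines():
        # "#Port 22" (no space after #) is a documented default; "# prose" is skipped
        m = re.match(r"^(#?)([A-Za-z]+)\s+(\S.*?)\s*$", line.strip())
        if not m:
            continue
        target = defaults if m.group(1) else explicit
        target.setdefault(m.group(2).lower(), []).append(m.group(3))
    merged = dict(defaults)
    merged.update(explicit)           # explicit lines replace the whole default list
    return merged

def allows_ssh1(settings):
    """True if the effective Protocol list still includes the obsolete SSH-1."""
    return any("1" in v.split(",") for v in settings.get("protocol", ["2,1"]))

def listens_everywhere(settings):
    """True if sshd would bind all interfaces, as the slide says it does by default."""
    return any(v in ("0.0.0.0", "::") for v in settings.get("listenaddress", ["0.0.0.0"]))
```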