Unix Server Tools
Guntis Barzdins, Girts Folkmanis, Juris Krūmiņš, Artūrs Lavrenovs

Unix Server Tools
• IP connectivity, routing
• Daemons
• Syslog
• Inetd etc.
• Cron
• Security

Networking Software
Good free implementations for:
• DNS: BIND v8/9, djbdns
• SMTP: sendmail, qmail, postfix, exim
• POP/IMAP: qpopper, uw-imapd, dovecot
• HTTP: Apache, nginx
• PHP, MySQL
“If it was hard to develop, it should be hard to install!”

Two IP processing modes: host or router
Manual change:
    # more /proc/sys/net/ipv4/ip_forward
    0
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # more /proc/sys/net/ipv4/ip_forward
    1
Use of sysctl (modify kernel parameters under /proc/sys/ at runtime):
    # /sbin/sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1
    # /sbin/sysctl -w net.ipv4.ip_forward=0
    net.ipv4.ip_forward = 0
Record changes in /etc/sysctl.conf so they are reapplied after reboot.
    unix sbin # sysctl -a
    abi.fake_utsname = 0
    abi.trace = 0
    abi.defhandler_libcso = 68157441
    abi.defhandler_lcall7 = 68157441
    abi.defhandler_elf = 0
    abi.defhandler_coff = 117440515
    dev.rtc.max-user-freq = 64
    net.unix.max_dgram_qlen = 10
    net.ipv4.ip_conntrack_max = 8184
    net.ipv4.netfilter.ip_conntrack_generic_timeout = 600
    net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30
    net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180
    net.ipv4.netfilter.ip_conntrack_udp_timeout = 30
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60
    net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120
    net.ipv4.netfilter.ip_conntrack_buckets = 1023
    net.ipv4.netfilter.ip_conntrack_max = 8184
    net.ipv4.conf.eth0.force_igmp_version = 0
    net.ipv4.conf.eth0.arp_ignore = 0
    net.ipv4.conf.eth0.arp_announce = 0
    net.ipv4.conf.eth0.arp_filter = 0
    net.ipv4.conf.eth0.tag = 0
    net.ipv4.conf.eth0.log_martians = 0
    net.ipv4.conf.eth0.bootp_relay = 0
    net.ipv4.conf.eth0.medium_id = 0
    net.ipv4.conf.eth0.proxy_arp = 0
    net.ipv4.conf.eth0.accept_source_route = 1
    net.ipv4.conf.eth0.send_redirects = 1
    net.ipv4.conf.eth0.rp_filter = 1
    net.ipv4.conf.eth0.shared_media = 1
    net.ipv4.conf.eth0.secure_redirects = 1
    net.ipv4.conf.eth0.accept_redirects = 1
    net.ipv4.conf.eth0.mc_forwarding = 0
    net.ipv4.conf.eth0.forwarding = 0
    net.ipv4.conf.lo.force_igmp_version = 0
    net.ipv4.conf.lo.arp_ignore = 0
    net.ipv4.conf.lo.arp_announce = 0
    net.ipv4.conf.lo.arp_filter = 0
    net.ipv4.conf.lo.tag = 0
    net.ipv4.conf.lo.log_martians = 0
    net.ipv4.conf.lo.bootp_relay = 0
    net.ipv4.conf.lo.medium_id = 0
    net.ipv4.conf.lo.proxy_arp = 0
    net.ipv4.conf.lo.accept_source_route = 1
    net.ipv4.conf.lo.send_redirects = 1
    net.ipv4.conf.lo.rp_filter = 0
    net.ipv4.conf.lo.shared_media = 1
    net.ipv4.conf.lo.secure_redirects = 1
    net.ipv4.conf.lo.accept_redirects = 1
    net.ipv4.conf.lo.mc_forwarding = 0
    net.ipv4.conf.lo.forwarding = 0
    net.ipv4.conf.default.force_igmp_version = 0
    net.ipv4.conf.default.arp_ignore = 0
    net.ipv4.conf.default.arp_announce = 0
    net.ipv4.conf.default.arp_filter = 0
    net.ipv4.conf.default.tag = 0
    net.ipv4.conf.default.log_martians = 0
    net.ipv4.conf.default.bootp_relay = 0
    net.ipv4.conf.default.medium_id = 0
    net.ipv4.conf.default.proxy_arp = 0
    net.ipv4.conf.default.accept_source_route = 1
    net.ipv4.conf.default.send_redirects = 1
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.shared_media = 1
    net.ipv4.conf.default.secure_redirects = 1
    net.ipv4.conf.default.accept_redirects = 1
    net.ipv4.conf.default.mc_forwarding = 0
    net.ipv4.conf.default.forwarding = 0
    net.ipv4.conf.all.force_igmp_version = 0
    net.ipv4.conf.all.arp_ignore = 0
    net.ipv4.conf.all.arp_announce = 0
    net.ipv4.conf.all.arp_filter = 0
    net.ipv4.conf.all.tag = 0
    net.ipv4.conf.all.log_martians = 0
    net.ipv4.conf.all.bootp_relay = 0
    net.ipv4.conf.all.medium_id = 0
    net.ipv4.conf.all.proxy_arp = 0
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.all.send_redirects = 1
    net.ipv4.conf.all.rp_filter = 0
    net.ipv4.conf.all.shared_media = 1
    net.ipv4.conf.all.secure_redirects = 1
    net.ipv4.conf.all.accept_redirects = 1
    net.ipv4.conf.all.mc_forwarding = 0
    net.ipv4.conf.all.forwarding = 0
    net.ipv4.neigh.eth0.locktime = 100
    net.ipv4.neigh.eth0.proxy_delay = 80
    net.ipv4.neigh.eth0.anycast_delay = 100
    net.ipv4.neigh.eth0.proxy_qlen = 64
    net.ipv4.neigh.eth0.unres_qlen = 3
    net.ipv4.neigh.eth0.gc_stale_time = 60
    net.ipv4.neigh.eth0.delay_first_probe_time = 5
    net.ipv4.neigh.eth0.base_reachable_time = 30
    net.ipv4.neigh.eth0.retrans_time = 100
    net.ipv4.neigh.eth0.app_solicit = 0
    net.ipv4.neigh.eth0.ucast_solicit = 3
    net.ipv4.neigh.eth0.mcast_solicit = 3
    net.ipv4.neigh.lo.locktime = 100
    net.ipv4.neigh.lo.proxy_delay = 80
    net.ipv4.neigh.lo.anycast_delay = 100
    net.ipv4.neigh.lo.proxy_qlen = 64
    net.ipv4.neigh.lo.unres_qlen = 3
    net.ipv4.neigh.lo.gc_stale_time = 60
    net.ipv4.neigh.lo.delay_first_probe_time = 5
    net.ipv4.neigh.lo.base_reachable_time = 30
    net.ipv4.neigh.lo.retrans_time = 100
    net.ipv4.neigh.lo.app_solicit = 0
    net.ipv4.neigh.lo.ucast_solicit = 3
    net.ipv4.neigh.lo.mcast_solicit = 3
    net.ipv4.neigh.default.gc_thresh3 = 1024
    net.ipv4.neigh.default.gc_thresh2 = 512
    net.ipv4.neigh.default.gc_thresh1 = 128
    net.ipv4.neigh.default.gc_interval = 30
    net.ipv4.neigh.default.locktime = 100
    net.ipv4.neigh.default.proxy_delay = 80
    net.ipv4.neigh.default.anycast_delay = 100
    net.ipv4.neigh.default.proxy_qlen = 64
    net.ipv4.neigh.default.unres_qlen = 3
    net.ipv4.neigh.default.gc_stale_time = 60
    net.ipv4.neigh.default.delay_first_probe_time = 5
    net.ipv4.neigh.default.base_reachable_time = 30
    net.ipv4.neigh.default.retrans_time = 100
    net.ipv4.neigh.default.app_solicit = 0
    net.ipv4.neigh.default.ucast_solicit = 3
    net.ipv4.neigh.default.mcast_solicit = 3
    net.ipv4.tcp_westwood = 0
    net.ipv4.ipfrag_secret_interval = 600
    net.ipv4.tcp_low_latency = 0
    net.ipv4.tcp_frto = 0
    net.ipv4.tcp_tw_reuse = 0
    net.ipv4.icmp_ratemask = 6168
    net.ipv4.icmp_ratelimit = 100
    net.ipv4.tcp_adv_win_scale = 2
    net.ipv4.tcp_app_win = 31
    net.ipv4.tcp_rmem = 4096 87380 174760
    net.ipv4.tcp_wmem = 4096 16384 131072
    net.ipv4.tcp_mem = 23552 24064 24576
    net.ipv4.tcp_dsack = 1
    net.ipv4.tcp_ecn = 0
    net.ipv4.tcp_reordering = 3
    net.ipv4.tcp_fack = 1
    net.ipv4.tcp_orphan_retries = 0
    net.ipv4.inet_peer_gc_maxtime = 120
    net.ipv4.inet_peer_gc_mintime = 10
    net.ipv4.inet_peer_maxttl = 600
    net.ipv4.inet_peer_minttl = 120
    net.ipv4.inet_peer_threshold = 65664
    net.ipv4.igmp_max_msf = 10
    net.ipv4.route.secret_interval = 600
    net.ipv4.route.min_adv_mss = 256
    net.ipv4.route.min_pmtu = 552
    net.ipv4.route.mtu_expires = 600
    net.ipv4.route.gc_elasticity = 8
    net.ipv4.route.error_burst = 500
    net.ipv4.route.error_cost = 100
    net.ipv4.route.redirect_silence = 2048
    net.ipv4.route.redirect_number = 9
    net.ipv4.route.redirect_load = 2
    net.ipv4.route.gc_interval = 60
    net.ipv4.route.gc_timeout = 300
    net.ipv4.route.gc_min_interval = 0
    net.ipv4.route.max_size = 8192
    net.ipv4.route.gc_thresh = 512
    net.ipv4.route.max_delay = 10
    net.ipv4.route.min_delay = 2
    net.ipv4.icmp_ignore_bogus_error_responses = 0
    net.ipv4.icmp_echo_ignore_broadcasts = 0
    net.ipv4.icmp_echo_ignore_all = 0
    net.ipv4.ip_local_port_range = 1024 4999
    net.ipv4.tcp_max_syn_backlog = 256
    net.ipv4.tcp_rfc1337 = 0
    net.ipv4.tcp_stdurg = 0
    net.ipv4.tcp_abort_on_overflow = 0
    net.ipv4.tcp_tw_recycle = 0
    net.ipv4.tcp_syncookies = 0
    net.ipv4.tcp_fin_timeout = 60
    net.ipv4.tcp_retries2 = 15
    net.ipv4.tcp_retries1 = 3
    net.ipv4.tcp_keepalive_intvl = 75
    net.ipv4.tcp_keepalive_probes = 9
    net.ipv4.tcp_keepalive_time = 7200
    net.ipv4.ipfrag_time = 30
    net.ipv4.ip_dynaddr = 0
    net.ipv4.ipfrag_low_thresh = 196608
    net.ipv4.ipfrag_high_thresh = 262144
    net.ipv4.tcp_max_tw_buckets = 16384
    net.ipv4.tcp_max_orphans = 8192
    net.ipv4.tcp_synack_retries = 5
    net.ipv4.tcp_syn_retries = 5
    net.ipv4.ip_nonlocal_bind = 0
    net.ipv4.ip_no_pmtu_disc = 0
    net.ipv4.ip_autoconfig = 0
    net.ipv4.ip_default_ttl = 64
    net.ipv4.ip_forward = 0
    net.ipv4.tcp_retrans_collapse = 1
    net.ipv4.tcp_sack = 1
    net.ipv4.tcp_window_scaling = 1
    net.ipv4.tcp_timestamps = 1
    net.core.somaxconn = 128
    net.core.hot_list_length = 128
    net.core.optmem_max = 10240
    net.core.message_burst = 50
    net.core.message_cost = 5
    net.core.mod_cong = 290
    net.core.lo_cong = 100
    net.core.no_cong = 20
    net.core.no_cong_thresh = 10
    net.core.netdev_max_backlog = 300
    net.core.dev_weight = 64
    net.core.rmem_default = 106496
    net.core.wmem_default = 106496
    net.core.rmem_max = 106496
    net.core.wmem_max = 106496
    vm.block_dump = 0
    vm.laptop_mode = 0
    vm.max_map_count = 65536
    vm.max-readahead = 31
    vm.min-readahead = 3
    vm.page-cluster = 3
    vm.pagetable_cache = 25 50
    vm.kswapd = 512 32 8
    vm.overcommit_memory = 0
    vm.bdflush = 50 500 0 0 500 3000 60 20 0
    vm.vm_passes = 60
    vm.vm_lru_balance_ratio = 2
    vm.vm_mapped_ratio = 100
    vm.vm_cache_scan_ratio = 6
    vm.vm_vfs_scan_ratio = 6
    vm.vm_gfp_debug = 0
    kernel.lowlatency = 0
    kernel.overflowgid = 65534
    kernel.overflowuid = 65534
    kernel.random.uuid = 5784cebf-b4c1-4e2d-b60c-c8ed66b10136
    kernel.random.boot_id = 65fcbb7e-b4c3-452f-8d98-dc7ac3d67ea6
    kernel.random.write_wakeup_threshold = 128
    kernel.random.read_wakeup_threshold = 8
    kernel.random.entropy_avail = 772
    kernel.random.poolsize = 512
    kernel.threads-max = 2047
    kernel.cad_pid = 1
    kernel.sysrq = 1
    kernel.sem = 250 32000 32 128
    kernel.msgmnb = 16384
    kernel.msgmni = 16
    kernel.msgmax = 8192
    kernel.shmmni = 4096
    kernel.shmall = 2097152
    kernel.shmmax = 33554432
    kernel.rtsig-max = 1024
    kernel.rtsig-nr = 0
    kernel.hotplug = /sbin/hotplug
    kernel.modprobe = /sbin/modprobe
    kernel.printk = 1 4 1 7
    kernel.ctrl-alt-del = 0
    kernel.real-root-dev = 256
    kernel.cap-bound = -257
    kernel.tainted = 0
    kernel.core_pattern = core
    kernel.core_setuid_ok = 0
    kernel.core_uses_pid = 0
    kernel.panic = 0
    kernel.domainname = (none)
    kernel.hostname = unix
    kernel.version = #1 Thu Sep 23 14:41:14 EEST 2004
    kernel.osrelease = 2.4.26-gentoo-r9
    kernel.ostype = Linux
    fs.lease-break-time = 45
    fs.dir-notify-enable = 1
    fs.leases-enable = 1
    fs.overflowgid = 65534
    fs.overflowuid = 65534
    fs.dentry-state = 1640 1438 45 0 0 0
    fs.file-max = 13100
    fs.file-nr = 140 37 13100
    fs.inode-state = 1443 18 0 0 0 0 0
    fs.inode-nr = 1443 18
    unix sbin #
ifconfig
    ifconfig eth0 192.168.99.35 netmask 255.255.255.0 up
    ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:80:C8:F8:4A:51
              inet addr:192.168.99.35  Bcast:192.168.99.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:190312 errors:0 dropped:0 overruns:0 frame:0
              TX packets:86955 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:30701229 (29.2 Mb)  TX bytes:7878951 (7.5 Mb)
              Interrupt:9 Base address:0x5000
Obsolete in Linux for many (10+) years, but still heavily used everywhere because of muscle memory (and compatibility with other UNIX versions).

ip: ifconfig replacement in Linux
• Many new features
• Actively developed
• Replaces many networking commands: arp, iptunnel, nameif, netstat, route
• More cisco-ish syntax
    ip link set eth0 up
    ip addr add 192.168.99.35/24 dev eth0
    ip addr show dev eth0
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:12:33:44:55:66 brd ff:ff:ff:ff:ff:ff
        inet 192.168.99.35/24 brd 192.168.99.255 scope global eth0
           valid_lft forever preferred_lft forever

Netstat: routing, sockets
Routing table:
    [root@morgan]# netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.98.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
    0.0.0.0         192.168.98.254  0.0.0.0         UG       40 0          0 eth0
    [root@newlinuxway]# ip route
    default via 192.168.99.1 dev eth0 proto static
    192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.35 metric 1
IP socket status:
    [root@morgan]# netstat --inet -n
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0    192 192.168.98.82:22        192.168.99.35:40991     ESTABLISHED
    tcp        0      0 192.168.98.82:42929     192.168.100.17:993      ESTABLISHED
    tcp       96      0 127.0.0.1:40863         127.0.0.1:6010          ESTABLISHED
    tcp        0      0 127.0.0.1:6010          127.0.0.1:40863         ESTABLISHED
    tcp        0      0 127.0.0.1:38502         127.0.0.1:6010          ESTABLISHED
    tcp        0      0 127.0.0.1:6010          127.0.0.1:38502         ESTABLISHED
    tcp        0      0 192.168.98.82:53733     209.10.26.51:80         SYN_SENT
    tcp        0      0 192.168.98.82:44468     192.168.100.17:993      ESTABLISHED
    tcp        0      0 192.168.98.82:44320     192.168.100.17:139      TIME_WAIT
    [root@newlinuxway]# ss -f inet -n

route
    [root@newlinuxway]# ip route {add | del} 193.1.9.0/24 via 193.1.9.1
Security Hardening: Recommended IP/ICMP Settings
Disable ping (ignore all ICMP echo requests):
    # sysctl -w net.ipv4.icmp_echo_ignore_all=1
Ignore ICMP echo requests sent to broadcast addresses:
    # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
Disable IP source routing:
    # sysctl -w net.ipv4.conf.all.accept_source_route=0
Disable ICMP redirects:
    # sysctl -w net.ipv4.conf.all.accept_redirects=0
Enable TCP SYN cookie protection:
    # sysctl -w net.ipv4.tcp_syncookies=1
Disable logging of bogus ICMP error responses:
    # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
Enable logging of bogus (martian) packets:
    # sysctl -w net.ipv4.conf.all.log_martians=1
Create a blackhole (FreeBSD sysctls: drop packets to closed ports silently instead of answering with RST or ICMP port unreachable):
    # sysctl net.inet.tcp.blackhole=1
    # sysctl net.inet.udp.blackhole=1
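The two slides above show the sysctl interface and a hardening baseline but no way to check a box against it. What follows is an added example, not from the slides: a small audit in Python that parses `sysctl -a` output (a constructed excerpt is embedded, using the permissive values visible in the dump above), maps keys to their /proc/sys files as the manual-change slide does, compares them against the Linux settings of the hardening slide, and renders the deviations as /etc/sysctl.conf lines so the fix survives a reboot. The baseline dictionary and the sample dump are assumptions for the example; `icmp_echo_ignore_all` is left out of the baseline as a site decision, since ignoring every echo request also blocks monitoring.

```python
import os

# Constructed excerpt in `sysctl -a` output format (key = value).  The values mirror
# the permissive defaults visible in the slide's dump (redirects accepted, no
# syncookies, no martian logging) so that the audit has something to report.
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.log_martians = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_ignore_bogus_error_responses = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_rmem = 4096\t87380\t174760
kernel.hostname = unix
"""

# Baseline taken from the hardening slide (Linux keys only; assumption for this
# example).  ip_forward=0 is right for a host; a router needs 1 and its own baseline.
HARDENING_BASELINE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.log_martians": "1",
}


def parse_sysctl_output(text):
    """Turn `sysctl -a` text into {key: value}; multi-value keys are space-normalised."""
    settings = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if not sep:
            continue            # skip "sysctl: permission denied on key ..." and blank lines
        settings[key.strip()] = " ".join(value.split())
    return settings


def proc_path(key):
    """Map a sysctl key to its /proc/sys file: net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward."""
    return "/proc/sys/" + key.replace(".", "/")


def read_live_settings(keys):
    """Read the running kernel's values straight from /proc/sys (no sysctl binary needed);
    keys whose file does not exist on this kernel are left out."""
    live = {}
    for key in keys:
        try:
            with open(proc_path(key)) as f:
                live[key] = " ".join(f.read().split())
        except OSError:
            pass
    return live


def audit(settings, baseline=HARDENING_BASELINE):
    """Compare settings against the baseline; returns (key, wanted, actual) per deviation,
    with actual=None when the key is not present at all."""
    findings = []
    for key, wanted in baseline.items():
        actual = settings.get(key)
        if actual != wanted:
            findings.append((key, wanted, actual))
    return findings


def sysctl_conf_lines(findings):
    """Render deviations as /etc/sysctl.conf lines; `sysctl -p` applies the file now and
    it is re-read at boot, which is what makes the change persistent."""
    return ["%s = %s" % (key, wanted) for key, wanted, _actual in findings]


if __name__ == "__main__":
    # Audit the canned dump first, then whatever this kernel actually exposes.
    for key, wanted, actual in audit(parse_sysctl_output(SAMPLE_SYSCTL_OUTPUT)):
        print("%-48s wanted %s, found %s" % (key, wanted, actual))
    print("\n".join(sysctl_conf_lines(audit(read_live_settings(HARDENING_BASELINE)))))
```

Run as root on a real host, `read_live_settings` reads the same files that `echo 1 > /proc/sys/...` writes, so the audit sees the live state rather than whatever /etc/sysctl.conf claims; the two can differ after a manual change that was never recorded in the file.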
Configure the domain name resolver
In Linux the resolver has 2 config files.
/etc/hosts specifies static mappings:
    185.300.10.1 host1
    185.300.10.2 host2
    185.300.10.3 host3
    185.300.10.4 host4 merlin
    185.300.10.5 host5 arthur king
    185.300.10.5 timeserver
    128.114.1.15 name1.xyz.aus.century.com name1
/etc/resolv.conf specifies the nameservers and the default domain:
    domain abc.aus.century.com
    nameserver 192.9.201.1
    nameserver 192.9.201.2

resolvconf: resolv.conf replacement
Some software dynamically manages network connections (in some newer UNIX systems):
    cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 127.0.1.1
    ps aux | grep dns
    nobody 1481 0.0 0.0 31004 988 ? S Oct22 6:51 /usr/sbin/dnsmasq --no-resolv --keep-in-foreground --no-hosts --bind-interfaces --pid-file=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --conf-file=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enable-dbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d
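As an added example (not from the slides), here is a parser for both resolver files that mirrors what the slides describe: the hosts-file step where the first matching line wins, and the resolv.conf keys. It validates addresses with the standard `ipaddress` module and flags nameservers on loopback, which is exactly the resolvconf/dnsmasq situation on the slide above: a `nameserver 127.0.1.1` line tells you only that a local forwarder answers, not which upstream server it really uses. The sample contents are constructed (the slide's own 185.300.x.x addresses have an octet above 255 and would land in the error list).

```python
import ipaddress

# Constructed /etc/hosts: "address canonical-name [aliases...]", '#' starts a comment.
SAMPLE_HOSTS = """\
# static mappings
10.30.10.1   host1
10.30.10.4   host4 merlin
10.30.10.5   host5 arthur king
10.30.10.5   timeserver
128.114.1.15 name1.xyz.aus.century.com name1
300.1.2.3    broken        # octet out of range, not an address
"""

# Constructed /etc/resolv.conf as resolvconf would write it on a NetworkManager box.
SAMPLE_RESOLV_CONF = """\
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
domain abc.aus.century.com
search abc.aus.century.com century.com
nameserver 127.0.1.1
nameserver 192.9.201.1
"""


def parse_hosts(text):
    """Return (entries, errors): entries are (address, [names]) in file order,
    errors are (line number, reason) for lines the resolver would not accept."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            errors.append((lineno, "address without a hostname"))
            continue
        try:
            addr = ipaddress.ip_address(fields[0])   # rejects 300.1.2.3, accepts IPv6 too
        except ValueError:
            errors.append((lineno, "invalid address %r" % fields[0]))
            continue
        entries.append((str(addr), fields[1:]))
    return entries, errors


def hosts_lookup(entries, name):
    """The resolver's hosts-file step: the first line carrying the name wins."""
    for addr, names in entries:
        if name in names:
            return addr
    return None


def parse_resolv_conf(text):
    """Collect the domain, search list and nameservers; unknown keywords are ignored
    as the glibc resolver ignores them."""
    cfg = {"domain": None, "search": [], "nameserver": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        key, values = fields[0], fields[1:]
        if key == "domain" and values:
            cfg["domain"] = values[0]
        elif key == "search":
            cfg["search"] = values
        elif key == "nameserver" and values:
            cfg["nameserver"].append(values[0])
    return cfg


def local_forwarders(cfg):
    """Nameservers on loopback are local stubs (dnsmasq on 127.0.1.1 on the slide);
    the real upstream resolver is then configured elsewhere, not in resolv.conf."""
    return [ns for ns in cfg["nameserver"] if ipaddress.ip_address(ns).is_loopback]


if __name__ == "__main__":
    entries, errors = parse_hosts(SAMPLE_HOSTS)
    print("king ->", hosts_lookup(entries, "king"), "; bad lines:", errors)
    cfg = parse_resolv_conf(SAMPLE_RESOLV_CONF)
    print("resolver config:", cfg, "; local forwarders:", local_forwarders(cfg))
```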
Setting Up Network Interface Cards: FreeBSD
• Configuring the Network Card
Once the right driver is loaded for the network card, the card needs to be configured. As with many other things, the network card may have been configured at installation time by sysinstall. To display the configuration for the network interfaces on your system, enter the following command:
    juriskr >ifconfig
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=40<POLLING>
            inet 10.1.2.6 netmask 0xffffff00 broadcast 10.1.2.255
            inet 10.1.2.4 netmask 0xffffffff broadcast 10.1.2.4
            inet 10.1.2.7 netmask 0xffffffff broadcast 10.1.2.7
            inet 10.1.2.12 netmask 0xffffffff broadcast 10.1.2.12
            inet 10.1.2.9 netmask 0xffffffff broadcast 10.1.2.9
            ether 00:02:55:c8:45:aa
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
    sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet 127.0.0.1 netmask 0xff000000
To configure your card, you need root privileges. The network card configuration can be done from the command line with ifconfig(8), but you would have to do it after each reboot of the system. The file /etc/rc.conf is where to add the network card's configuration:
    juriskr >cat /etc/rc.conf | grep ifconfig
    ifconfig_fxp0="inet 10.1.2.6 netmask 255.255.255.0"
    ifconfig_fxp0_alias0="inet 10.1.2.4 netmask 255.255.255.255"
    ifconfig_fxp0_alias1="inet 10.1.2.7 netmask 255.255.255.255"
    ifconfig_fxp0_alias2="inet 10.1.2.9 netmask 255.255.255.255"
    ifconfig_fxp0_alias3="inet 10.1.2.12 netmask 255.255.255.255"

Setting Up Network Interface Cards: FreeBSD
• Virtual Hosts
A very common use of FreeBSD is virtual site hosting, where one server appears to the network as many servers. This is achieved by assigning multiple network addresses to a single interface. A given network interface has one “real” address, and may have any number of “alias” addresses. These aliases are normally added by placing alias entries in /etc/rc.conf. An alias entry for the interface fxp0 looks like:
    ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"
Note that alias entries must start with alias0 and proceed upwards in order (for example, _alias1, _alias2, and so on). The configuration process will stop at the first missing number.
    ifconfig_fxp0_alias0="inet 10.1.2.4 netmask 255.255.255.255"
    ifconfig_fxp0_alias1="inet 10.1.2.7 netmask 255.255.255.255"
    ifconfig_fxp0_alias2="inet 10.1.2.9 netmask 255.255.255.255"
    ifconfig_fxp0_alias3="inet 10.1.2.12 netmask 255.255.255.255"

Setting Up Network Interface Cards: FreeBSD
• Testing and Troubleshooting
• Testing the Ethernet Card
• To verify that an Ethernet card is configured correctly, you have to try two things. First, ping the interface itself, and then ping another machine on the LAN.
• First test the local interface:
    juriskr >ping -c 3 10.1.2.6
    PING 10.1.2.6 (10.1.2.6): 56 data bytes
    64 bytes from 10.1.2.6: icmp_seq=0 ttl=64 time=0.054 ms
    64 bytes from 10.1.2.6: icmp_seq=1 ttl=64 time=0.050 ms
    64 bytes from 10.1.2.6: icmp_seq=2 ttl=64 time=0.066 ms
    --- 10.1.2.6 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.050/0.057/0.066/0.007 ms
• Now we have to ping another machine on the LAN:
    juriskr >ping 10.1.2.5
    PING 10.1.2.5 (10.1.2.5): 56 data bytes
    64 bytes from 10.1.2.5: icmp_seq=0 ttl=64 time=0.381 ms
    64 bytes from 10.1.2.5: icmp_seq=1 ttl=64 time=0.188 ms
    64 bytes from 10.1.2.5: icmp_seq=2 ttl=64 time=0.178 ms
    ^C
    --- 10.1.2.5 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.178/0.249/0.381/0.093 ms
• You could also use the machine name instead of the IP address if you have set up the /etc/hosts file.

ifconfig output, RHEL
    [juris@ns1 ~]$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0B:CD:41:F4:93
              inet addr:81.xxx.xxx.xxx  Bcast:81.xxx.xxx.xxx  Mask:255.255.255.224
              inet6 addr: fe80::20b:cdff:fe41:f493/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:473091457 errors:0 dropped:0 overruns:0 frame:0
              TX packets:488547237 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:3458689275 (3.2 GiB)  TX bytes:3985927941 (3.7 GiB)
              Interrupt:193

    eth0:1    Link encap:Ethernet  HWaddr 00:0B:CD:41:F4:93
              inet addr:10.xxx.xxx.xxx  Bcast:10.xxx.xxx.xxx  Mask:255.255.252.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:193

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:6004400 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6004400 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:645400309 (615.5 MiB)  TX bytes:645400309 (615.5 MiB)
    [juris@ns1 ~]$
Daemons
A daemon is a process that:
• runs in the background
• is not associated with any terminal:
  - output doesn't end up in another session
  - terminal-generated signals (^C) aren't received

Unix and Daemons
• Unix systems typically have many daemon processes.
• Most servers run as a daemon process.

Common Daemons
• Web server (httpd)
• Mail server (sendmail)
• SuperServer (inetd)
• System logging (syslogd)
• Print server (lpd)
• Router process (routed, gated)

Daemon Output
No terminal, so output must go somewhere else:
• file system
• central logging facility
Syslog is often used: it provides a central repository for system logging.

Syslog service
• The syslogd daemon provides system logging services to "clients".
• Simple API for "clients": a library provided by the O.S.

Sending a message to syslogd
Standard programming interface provided by the syslog() function:
    #include <syslog.h>
    void syslog(int priority, const char *message, ...);
Works like printf().

syslogd (diagram)
Inputs to syslogd: Unix domain socket /dev/log, UDP socket port 514, kernel messages via /dev/klog.
Outputs from syslogd: filesystem (/var/log/messages), console, remote syslogd.
Syslog messages
Think of syslog as a server that accepts messages. Each message includes a number of fields, including:
• a level indicating the importance (8 levels):
    LOG_EMERG    0   kernel panic
    LOG_ALERT    1   condition needing immediate attention
    LOG_CRIT     2   critical conditions
    LOG_ERR      3   errors
    LOG_WARNING  4   warning messages
    LOG_NOTICE   5   not an error, but may need attention
    LOG_INFO     6   informational messages
    LOG_DEBUG    7   when debugging a system

Syslog message fields (cont.)
• a facility that indicates the type of process that sent the message: LOG_MAIL, LOG_AUTH, LOG_USER, LOG_KERN, LOG_LPR, ...
• timestamp (added by syslogd)
• uname -n, the sending host's name (added by syslogd)
• a text string

Logfile example
    Dec 27 02:45:00 moet.colorado.edu netinfod [71]: cann't lookup child
    Dec 27 02:50:00 bruno ftpd [27876]: open of pid file failed: not a directory
    Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
    Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
    Dec 27 02:55:33 bruno sendmail [28040] : host name/address mismatch: 192.93.110.26 != bull.bull..fr
C program: syslog using openlog and closelog
    /* C program: syslog using openlog and closelog */
    #include <syslog.h>

    int main(void)
    {
        /* ident "SA-BOOK", log the pid with every message, default facility LOG_USER */
        openlog("SA-BOOK", LOG_PID, LOG_USER);
        syslog(LOG_WARNING, "Testing...");
        closelog();
        return 0;
    }
On the host, this code produces the following log entry:
    Dec 28 17:23:49 moet.colorado.edu SA-BOOK [84]: Testing...
Log files
• Log files are normally kept in /var/log (settings in /etc/syslog.conf; apply with "/etc/init.d/syslog restart").
• Read them: syslog logs the system and what is happening on it.
• Logcheck is a handy utility which checks the contents of logs and mails anything unusual: http://www.psionic.com/abacus/logcheck/

rsyslog
• Replaces syslog in many newer Linux distros
• Configuration and old input backwards compatible with syslog
• Anonymization, encryption, signatures
• Speed
• Rate limiting
• New inputs: systemd
• New outputs: DB, compressed files
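The syslog slides describe the message fields (level, facility, timestamp, host, ident[pid], text) and recommend a logcheck-style review of the files. As an added example, not from the slides or from logcheck itself, the Python below parses lines in the logfile format shown above (the five slide lines are used as input, plus one constructed line that still carries the <PRI> prefix a message has on the wire before syslogd strips it), decodes PRI into facility and severity using the protocol's rule PRI = facility * 8 + severity, and then applies a small logcheck-style filter: lines matching a known-noise pattern are dropped, but anything at severity err or worse is always reported. The ignore pattern and the PRI line are assumptions for the example.

```python
import re

# Facility and severity code tables from the syslog protocol; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Sample input: the slide's logfile lines, plus one constructed line carrying the <PRI>
# prefix that syslogd receives on UDP/514 or /dev/log before it strips it.
SAMPLE_LOG_LINES = [
    "Dec 27 02:45:00 moet.colorado.edu netinfod [71]: cann't lookup child",
    "Dec 27 02:50:00 bruno ftpd [27876]: open of pid file failed: not a directory",
    "Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5",
    "Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times",
    "Dec 27 02:55:33 bruno sendmail [28040] : host name/address mismatch: 192.93.110.26 != bull.bull..fr",
    "<34>Dec 27 03:01:12 bruno su[4012]: 'su root' failed for lonvick on /dev/pts/8",
]

# logcheck-style "known noise" (constructed): anything matching is routine and not reported.
IGNORE_PATTERNS = [
    r"pingem\[\d+\]: \S+ has not answered \d+ times",
]

LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                            # optional <PRI> from the wire
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "  # timestamp added by syslogd
    r"(?P<host>\S+) "                                      # uname -n of the sender
    r"(?P<prog>[^\s\[:]+)\s*(?:\[(?P<pid>\d+)\])?\s*:\s"   # ident[pid]: from openlog()
    r"(?P<msg>.*)$")


def decode_pri(pri):
    """Split a PRI value into (facility, severity); 34 -> ('auth', 'crit')."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog_line(line):
    """Parse one BSD-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"timestamp": m["ts"], "host": m["host"], "program": m["prog"],
           "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"],
           "facility": None, "severity": None}
    if m["pri"] is not None:
        rec["facility"], rec["severity"] = decode_pri(int(m["pri"]))
    return rec


def parse_syslog_lines(lines):
    return [rec for rec in map(parse_syslog_line, lines) if rec is not None]


def unusual_records(records, ignore_patterns=IGNORE_PATTERNS):
    """Keep what a human should see: everything not matching an ignore pattern, and
    everything at severity err or worse even if a pattern would have hidden it."""
    ignore = [re.compile(p) for p in ignore_patterns]
    reported = []
    for rec in records:
        pid_part = "[%d]" % rec["pid"] if rec["pid"] else ""
        text = "%s %s%s: %s" % (rec["host"], rec["program"], pid_part, rec["message"])
        serious = rec["severity"] in SEVERITIES[:4]     # emerg, alert, crit, err
        if serious or not any(p.search(text) for p in ignore):
            reported.append(rec)
    return reported


if __name__ == "__main__":
    for rec in unusual_records(parse_syslog_lines(SAMPLE_LOG_LINES)):
        tag = "%s.%s " % (rec["facility"], rec["severity"]) if rec["facility"] else ""
        print("%s%s %s: %s" % (tag, rec["host"], rec["program"], rec["message"]))
```

Note the tolerance in the regex for the "ident [pid] :" spacing seen in the slide's lines; real log collectors need the same leniency, because the ident string is whatever the client passed to openlog() and not every client is tidy.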
Back to daemons
To force a process to run in the background, just fork() and have the parent exit. There are a number of ways to disassociate a process from any controlling terminal: call fork() and then setsid().

Daemon initialization
• Daemons should close all unnecessary descriptors, often including stdin, stdout, stderr.
• Get set up for using syslog: call openlog().
• Often change the working directory.
OR take a risk: many POSIX-based operating systems provide a function called daemon() which performs some or all of the steps listed above. Unfortunately it has three significant drawbacks:
• It is not available on all systems.
• Its behaviour is not standardised (or necessarily well documented).
• Its behaviour is more difficult to customise.
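The two slides above list the steps but leave them as prose. The Python below is an added example, not from the slides, that performs them by hand instead of calling daemon(): fork and let the parent exit, setsid() for a new session without a controlling terminal, a second fork so the daemon is no longer a session leader and cannot reacquire a terminal, then chdir, umask, stdin/stdout/stderr onto /dev/null and closing the other inherited descriptors. `spawn_daemon` and `describe_self` are test scaffolding (assumptions for the example): they launch a task as a daemon and pass its view of itself back over a pipe, which is the only way the launching process can observe a process that has detached from it.

```python
import json
import os


def daemonize(keep_fds=()):
    """Detach the calling process the classic way; returns only inside the daemon.

    First fork: the parent exits, the child is orphaned and reparented to init.
    setsid(): new session and process group, no controlling terminal.
    Second fork: the daemon is not a session leader, so opening a tty later can
    never make that tty its controlling terminal.
    """
    if os.fork() > 0:
        os._exit(0)
    os.setsid()
    if os.fork() > 0:
        os._exit(0)
    os.chdir("/")                       # don't pin whatever filesystem we were started in
    os.umask(0o022)
    devnull = os.open(os.devnull, os.O_RDWR)
    for fd in (0, 1, 2):                # stdio must go somewhere harmless
        os.dup2(devnull, fd)
    if devnull > 2:
        os.close(devnull)
    for fd in range(3, 1024):           # drop inherited descriptors, except the ones requested
        if fd in keep_fds:
            continue
        try:
            os.close(fd)
        except OSError:
            pass


def describe_self():
    """What a detached daemon should look like (used as the demo task)."""
    null = os.stat(os.devnull)
    stdin = os.fstat(0)
    return {
        "pid": os.getpid(),
        "sid": os.getsid(0),
        "ppid": os.getppid(),
        "cwd": os.getcwd(),
        "stdin_is_devnull": (stdin.st_dev, stdin.st_ino) == (null.st_dev, null.st_ino),
    }


def spawn_daemon(task):
    """Launch task() as a daemon; return the JSON-serialisable dict it reports over a pipe,
    plus the launcher's own session id for comparison."""
    parent_sid = os.getsid(0)
    read_end, write_end = os.pipe()
    launcher = os.fork()
    if launcher == 0:
        os.close(read_end)
        daemonize(keep_fds={write_end})          # only the daemon returns from this call
        try:
            os.write(write_end, json.dumps(task()).encode())
        finally:
            os._exit(0)
    os.close(write_end)
    os.waitpid(launcher, 0)                       # the launcher exits at daemonize()'s first fork
    chunks = []
    while True:                                   # EOF arrives once the daemon has exited
        chunk = os.read(read_end, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_end)
    report = json.loads(b"".join(chunks).decode())
    report["parent_sid"] = parent_sid
    return report


if __name__ == "__main__":
    print(spawn_daemon(describe_self))
```

A real daemon would call `syslog.openlog()` after `daemonize()` (the Python `syslog` module wraps openlog/syslog/closelog) because stderr is gone at that point; in the report above, `sid` differs from `parent_sid` and from `pid`, which is the "new session, not its leader" state the second fork is for.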
Too many daemons?
• There can be many servers running as daemons, and idle most of the time.
• Much of the startup code is the same for these servers.
• Most of the servers are asleep most of the time, but use up space in the process table.

Internet Daemon
• Daemon inetd started at boot time
• Configuration file /etc/inetd.conf
• Fields: name (service name = port), type, protocol, wait-status, uid, server, arguments
    #
    ftp     stream  tcp6  nowait  root  /usr/sbin/tcpd    in.ftpd
    telnet  stream  tcp6  nowait  root  /usr/sbin/tcpd    in.telnetd
    #
    # Mail is a useful thing...
    pop3    stream  tcp   nowait  root  /etc/mail/popper  popper -s
    imap    stream  tcp   nowait  root  /etc/mail/imapd   imapd

Internet Daemon
When to modify inetd.conf:
• Disable a service: add a # at the beginning of the entry
• Send a hang-up to inetd so it re-reads the file: kill -HUP processid
• Enable a service
• Change the path
• Modify arguments
inetd
The SuperServer is named inetd. This single daemon creates multiple sockets and waits for (multiple) incoming requests. inetd typically uses select() to watch multiple sockets for input. When a request arrives, inetd forks and the child process handles the client.

inetd children
• The child process closes all unnecessary sockets.
• The child dup's the client socket to descriptors 0, 1 and 2 (stdin, stdout, stderr).
• The child exec's the real server program, which handles the request and exits.

File descriptors
    Descriptor   Used for          Default
    0            standard input    keyboard
    1            standard output   screen
    2            standard error    screen

inetd based servers
• Servers that are started by inetd assume that the socket holding the request is already established (on descriptors 0, 1 and 2).
• TCP servers started by inetd don't call accept(), so they must call getpeername() if they need to know the address of the client.

/etc/inetd.conf
inetd reads a configuration file that lists all the services it should handle. inetd creates a socket for each listed service, and adds the socket to the fd_set given to select().

inetd service specification
For each service, inetd needs to know:
• the port number and transport protocol
• the wait/nowait flag
• the login name the process should run as
• the pathname of the real server program
• the command line arguments to the server program
Example /etc/inetd.conf
    # comments start with #
    echo     stream  tcp  nowait  root    internal
    echo     dgram   udp  wait    root    internal
    chargen  stream  tcp  nowait  root    internal
    chargen  dgram   udp  wait    root    internal
    ftp      stream  tcp  nowait  root    /usr/sbin/ftpd       ftpd -l
    telnet   stream  tcp  nowait  root    /usr/sbin/telnetd    telnetd
    finger   stream  tcp  nowait  root    /usr/sbin/fingerd    fingerd
    # Authentication
    auth     stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
    # TFTP
    tftp     dgram   udp  wait    root    /usr/sbin/tftpd      tftpd -s /tftpboot

Example /etc/services
    ftp      21/tcp    # File Transfer Protocol
    telnet   23/tcp    # Telnet
    smtp     25/tcp    # Simple Mail Transfer Protocol
    tftp     69/udp    # Trivial File Transfer Protocol
    www      80/tcp    # World Wide Web
    ntp     123/tcp    # Network Time Protocol
    ntp     123/udp    # Network Time Protocol
wait/nowait
• Specifying wait means that inetd should not look for new clients for the service until the child (the real server) has terminated.
• TCP servers usually specify nowait: this means inetd can start multiple copies of the TCP server program, providing concurrency!

UDP & wait/nowait
• Most UDP services run with inetd told to wait until the child server has died.
• Some UDP servers hang out for a while, handling multiple clients before exiting.
• inetd was told to wait, so it ignores the socket until the UDP server exits.
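The inetd slides from "inetd" through "wait/nowait" describe one mechanism: parse the configuration, hold one listening socket per service, select() over them, fork on a request, dup the client socket onto descriptors 0, 1 and 2, drop to the configured login, exec the real server, and stop watching a wait-type service until its child exits. The Python below is an added example that implements that mechanism end to end as a toy (it is not inetd's code and not from the slides). Assumptions: only TCP stream services are handled, a numeric service name is accepted as a test convenience where real inetd would look the name up in /etc/services, and the "internal" echo service shows what an inetd-started server looks like from the inside: it never calls accept(), it just reads fd 0 and writes fd 1. The sample configuration is constructed from the example inetd.conf above.

```python
import os
import pwd
import select
import socket

# Constructed inetd.conf fragment: name type proto wait/nowait user server [argv...].
SAMPLE_INETD_CONF = """\
# comments start with #
echo    stream  tcp  nowait  root  internal
echo    dgram   udp  wait    root  internal
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd   ftpd -l
tftp    dgram   udp  wait    root  /usr/sbin/tftpd  tftpd -s /tftpboot
"""


def parse_inetd_conf(text):
    """Parse inetd.conf into service records; fields 7+ are the server's argv."""
    services = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6 or fields[3] not in ("wait", "nowait"):
            raise ValueError("malformed inetd.conf line: %r" % raw)
        services.append({"name": fields[0], "type": fields[1], "proto": fields[2],
                         "wait": fields[3] == "wait", "user": fields[4],
                         "server": fields[5], "args": fields[6:]})
    return services


def internal_echo():
    """Body of an inetd-started server: the client socket is already fds 0/1/2, so
    there is no accept(); getpeername() on fd 0 would reveal the client address."""
    while True:
        data = os.read(0, 4096)
        if not data:
            return
        os.write(1, data)


class MiniInetd:
    """Toy inetd for TCP stream services: select() over all listeners, fork per client,
    dup the client socket onto 0-2, then exec the real server (or run the internal one)."""

    def __init__(self, services, host="127.0.0.1"):
        self.listeners = {}   # listening socket -> service record
        self.paused = {}      # child pid -> listener ignored until that child exits (wait)
        for svc in services:
            if (svc["type"], svc["proto"]) != ("stream", "tcp"):
                continue      # dgram/udp left out of this toy
            port = int(svc["name"]) if svc["name"].isdigit() else socket.getservbyname(svc["name"], "tcp")
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            sock.bind((host, port))
            sock.listen(5)
            self.listeners[sock] = svc

    def ports(self):
        return {svc["name"]: sock.getsockname()[1] for sock, svc in self.listeners.items()}

    def serve_once(self, timeout=1.0):
        """One select() round; returns how many connections were handed to children."""
        active = [s for s in self.listeners if s not in self.paused.values()]
        ready, _, _ = select.select(active, [], [], timeout)
        for sock in ready:
            conn, _peer = sock.accept()
            pid = os.fork()
            if pid == 0:
                self._child(self.listeners[sock], conn)   # never returns
            conn.close()                                  # parent keeps only the listener
            if self.listeners[sock]["wait"]:
                self.paused[pid] = sock
        self._reap()
        return len(ready)

    def _reap(self):
        while True:
            try:
                pid, _status = os.waitpid(-1, os.WNOHANG)
            except ChildProcessError:
                return
            if pid == 0:
                return
            self.paused.pop(pid, None)       # a wait-type service becomes watchable again

    def _child(self, svc, conn):
        try:
            for fd in (0, 1, 2):                 # the request socket becomes stdin/stdout/stderr
                os.dup2(conn.fileno(), fd)
            conn.close()
            for listener in self.listeners:      # close every socket the child doesn't need
                listener.close()
            if os.getuid() == 0 and svc["user"] != "root":   # drop to the configured login
                pw = pwd.getpwnam(svc["user"])
                os.setgid(pw.pw_gid)
                os.setuid(pw.pw_uid)
            if svc["server"] == "internal":
                internal_echo()
                os._exit(0)
            os.execv(svc["server"], svc["args"] or [svc["server"]])
        finally:
            os._exit(1)                          # only reached if a step above failed


def echo_roundtrip(server, name, payload):
    """Client side used by the self-test: connect, send, let inetd spawn the child, read reply."""
    with socket.create_connection(("127.0.0.1", server.ports()[name])) as client:
        client.sendall(payload)
        server.serve_once()
        return client.recv(4096)


if __name__ == "__main__":
    # /bin/cat run the inetd way is an echo server: its stdin and stdout are the client socket.
    inetd = MiniInetd(parse_inetd_conf("7777 stream tcp nowait nobody /bin/cat cat"))
    print("listening on", inetd.ports())
    while True:
        inetd.serve_once()
```

The `/bin/cat` line in the demo is the whole point of the dup-then-exec design: any program that reads stdin and writes stdout becomes a network service without knowing about sockets, which is why the uid field matters so much, since the exec'd program runs with whatever privileges inetd hands it.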
Super inetd
Some versions of inetd have server code to handle simple services such as echo, daytime, chargen, ...

Servers
• Servers that are expected to deal with frequent requests are typically not run from inetd: mail, web, NFS.
• Many servers are written so that a command line option can be used to run the server from inetd.