Unix Server Tools
Guntis Barzdins, Girts Folkmanis, Juris Krūmiņš
Q&A: Who decides, and how, whether a file is executed as a shell script or as an object binary?

man execve

    execve(const char *path, char *const argv[], char *const envp[]);

execve() transforms the calling process into a new process. The new process is constructed from an ordinary file, whose name is pointed to by path, called the new process file. This file is either an executable object file, or a file of data for an interpreter. An executable object file consists of an identifying header, followed by pages of data representing the initial program (text) and initialized data pages. Additional pages may be specified by the header to be initialized with zero data.

An interpreter file begins with a line of the form:

    #! interpreter [arg]

When an interpreter file is execve'd, the system execve's the specified interpreter. If the optional arg is specified, it becomes the first argument to the interpreter, and the name of the originally execve'd file becomes the second argument; otherwise, the name of the originally execve'd file becomes the first argument. The original arguments are shifted over to become the subsequent arguments. The zeroth argument, normally the name of the execve'd file, is left unchanged. ...
Q&A (cont.): Who decides, and how, whether a file is executed as a shell script or as an object binary?

/etc/magic:

    ...
    0       string    \177ELF                  ELF
    >4      byte      0                        invalid class
    >4      byte      1                        32-bit
    >4      byte      2                        64-bit
    >5      byte      0                        invalid byte order
    >5      byte      1                        LSB
    >>16    leshort   0                        no file type,
    >>16    leshort   1                        relocatable,
    >>16    leshort   2                        executable,
    >>16    leshort   3                        shared object,
    ...
    # bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de)
    0       string    #!/bin/bash              Bourne-Again shell script text
    0       string    #!\ /bin/bash            Bourne-Again shell script text
    0       string    #!/usr/local/bin/bash    Bourne-Again shell script text
    0       string    #!\ /usr/local/bin/bash  Bourne-Again shell script text
    # generic shell magic
    0       string    #!\ /                    a
    >3      string    >\0                      %s script text
    0       string    #!/                      a
    >2      string    >\0                      %s script text
    0       string    #!\                      commands text
    >3      string    >\0                      for %s
    ...
    0       string    :\                       shell archive or commands for antique kernel text
    0       string    #!/bin/sh                Bourne shell script text
    0       string    #!\ /bin/sh              Bourne shell script text
    0       string    #!/bin/csh               C shell script text
    0       string    #!\ /bin/csh             C shell script text
    ...
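As an added example (not from the slides), the following Python applies the same decisions the execve() man page and the /etc/magic excerpt describe: it decodes the ELF header fields the magic tests look at and builds the argument vector an interpreter receives for a "#!" file. The sample headers are constructed, and the handling of the rest of the "#!" line as one argument is this example's assumption.

```python
"""Classify a file header the way execve() and the /etc/magic rules above do.

Added example, not from the original slides. It decodes the ELF header
fields that the magic excerpt tests (byte 4 = class, byte 5 = byte order,
16-bit e_type at offset 16) and, for a '#!' interpreter file, builds the
argument vector that execve() hands to the interpreter.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELF_CLASS = {0: "invalid class", 1: "32-bit", 2: "64-bit"}
ELF_ORDER = {0: "invalid byte order", 1: "LSB", 2: "MSB"}  # 2 = MSB, elided in the excerpt
ELF_TYPE = {0: "no file type", 1: "relocatable", 2: "executable", 3: "shared object"}


def describe_elf(header: bytes) -> str:
    """Mirror the magic tests: class, byte order, then e_type at offset 16."""
    if len(header) < 18 or not header.startswith(ELF_MAGIC):
        raise ValueError("not an ELF header")
    cls = ELF_CLASS.get(header[4], "unknown class")
    order = ELF_ORDER.get(header[5], "unknown byte order")
    # e_type is a 2-byte field read in the file's own byte order (leshort / beshort).
    endian = "<" if header[5] == 1 else ">"
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return f"ELF {cls} {order} {ELF_TYPE.get(e_type, 'unknown type')}"


def interpreter_argv(first_line: bytes, path: str, argv: list,
                     argv0_is_interpreter: bool = False) -> list:
    """Return the argv execve() builds for a '#! interpreter [arg]' file.

    argv is the vector given to execve() for the script. Following the man
    page quoted above, argv[0] is left unchanged, the optional interpreter
    argument comes first (assumption: the rest of the line is that single
    argument), then the script path, then the original arguments. Linux
    sets the zeroth argument to the interpreter instead (argv0_is_interpreter).
    """
    if not first_line.startswith(b"#!"):
        raise ValueError("not an interpreter file")
    fields = first_line[2:].split(b"\n", 1)[0].strip().split(None, 1)
    if not fields:
        raise ValueError("no interpreter named after #!")
    interp = fields[0].decode()
    new_argv = [interp if argv0_is_interpreter else argv[0]]
    if len(fields) > 1:
        new_argv.append(fields[1].strip().decode())
    new_argv.append(path)
    new_argv.extend(argv[1:])
    return new_argv


def classify(header: bytes) -> str:
    """Decide, like the kernel's exec handlers, how a file would be run."""
    if header.startswith(ELF_MAGIC):
        return describe_elf(header)
    if header.startswith(b"#!"):
        fields = header[2:].split(b"\n", 1)[0].strip().split(None, 1)
        return f"{fields[0].decode()} script text" if fields else "data"
    return "data"  # neither: execve() would fail with ENOEXEC


# Constructed sample headers (not real files).
ELF64_LSB_EXEC = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x02\x00"
ELF32_MSB_SO = b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + b"\x00\x03"
SCRIPT = b"#!/usr/bin/env python3\nprint('hi')\n"

if __name__ == "__main__":
    print(classify(ELF64_LSB_EXEC))
    print(classify(SCRIPT))
    print(interpreter_argv(SCRIPT, "./tool.py", ["./tool.py", "-v"]))
```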
Unix Server Tools
• IP connectivity, routing
• Daemons
• Syslog
• Inetd etc.
• Cron
• Security
Two IP processing modes: host or router
• Manual change:
    # more /proc/sys/net/ipv4/ip_forward
    0
    # echo 1 > /proc/sys/net/ipv4/ip_forward
    # more /proc/sys/net/ipv4/ip_forward
    1
    #
• Use of sysctl (modify kernel parameters under /proc/sys/ at runtime), e.g.:
    # /sbin/sysctl net.ipv4.ip_forward
    net.ipv4.ip_forward = 1
    # /sbin/sysctl -w net.ipv4.ip_forward=0
    net.ipv4.ip_forward = 0
• Record changes in /etc/sysctl.conf (to re-apply them after reboot)
    unix sbin # sysctl -a
    [full sysctl -a output of the example host omitted]
    unix sbin #
ifconfig
• ifconfig eth0 192.168.99.35 netmask 255.255.255.0 up
• ifconfig eth0
    eth0      Link encap:Ethernet  HWaddr 00:80:C8:F8:4A:51
              inet addr:192.168.99.35  Bcast:192.168.99.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:190312 errors:0 dropped:0 overruns:0 frame:0
              TX packets:86955 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:30701229 (29.2 Mb)  TX bytes:7878951 (7.5 Mb)
              Interrupt:9 Base address:0x5000
Netstat: routing, sockets
• Routing table:
    [root@morgan]# netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    192.168.98.0    0.0.0.0         255.255.255.0   U        40 0          0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
    0.0.0.0         192.168.98.254  0.0.0.0         UG       40 0          0 eth0
• IP socket status:
    [root@morgan]# netstat --inet -n
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0    192 192.168.98.82:22        192.168.99.35:40991     ESTABLISHED
    tcp        0      0 192.168.98.82:42929     192.168.100.17:993      ESTABLISHED
    tcp       96      0 127.0.0.1:40863         127.0.0.1:6010          ESTABLISHED
    tcp        0      0 127.0.0.1:6010          127.0.0.1:40863         ESTABLISHED
    tcp        0      0 127.0.0.1:38502         127.0.0.1:6010          ESTABLISHED
    tcp        0      0 127.0.0.1:6010          127.0.0.1:38502         ESTABLISHED
    tcp        0      0 192.168.98.82:53733     209.10.26.51:80         SYN_SENT
    tcp        0      0 192.168.98.82:44468     192.168.100.17:993      ESTABLISHED
    tcp        0      0 192.168.98.82:44320     192.168.100.17:139      TIME_WAIT
    [root@morgan]#
Security Hardening: Recommended IP/ICMP Settings
• Ignore all ICMP echo requests (disable ping replies)
    # sysctl -w net.ipv4.icmp_echo_ignore_all=1
• Ignore ICMP echo requests sent to broadcast addresses
    # sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
• Disable IP source routing
    # sysctl -w net.ipv4.conf.all.accept_source_route=0
• Disable ICMP redirects
    # sysctl -w net.ipv4.conf.all.accept_redirects=0
• Enable TCP SYN cookie protection
    # sysctl -w net.ipv4.tcp_syncookies=1
• Ignore bogus ICMP error responses (do not log them)
    # sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
• Log martian packets (packets with impossible source addresses)
    # sysctl -w net.ipv4.conf.all.log_martians=1
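The following Python script is an added example (not from the slides) that checks a host's sysctl output against the seven recommended values above and reports what deviates. The sample output is constructed from the values shown in the sysctl -a dump earlier on this page.

```python
"""Check sysctl output against the hardening values recommended above.

Added example, not from the original slides. It reads "key = value"
lines as sysctl -a prints them (a constructed sample below, using the
values seen in the sysctl -a dump earlier on this page) and reports
every recommended key that is missing or set differently.
"""

# The seven settings from the "Security Hardening" slide.
RECOMMENDED = {
    "net.ipv4.icmp_echo_ignore_all": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.log_martians": "1",
}

# Constructed sample in sysctl -a format (values as on the example host).
SAMPLE_SYSCTL_OUTPUT = """\
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.icmp_ignore_bogus_error_responses = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_rmem = 4096 87380 174760
"""


def parse_sysctl(text: str) -> dict:
    """Parse "key = value" lines; a multi-number value stays one string."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # error lines such as "permission denied" carry no '='
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def audit(settings: dict, recommended: dict = RECOMMENDED) -> list:
    """Return (key, current, wanted) per deviation; current is None if the key is absent."""
    return [(key, settings.get(key), wanted)
            for key, wanted in recommended.items()
            if settings.get(key) != wanted]


def remediation_commands(findings: list) -> list:
    """The sysctl -w command per finding; the same key=value lines belong in /etc/sysctl.conf."""
    return [f"sysctl -w {key}={wanted}" for key, _, wanted in findings]


if __name__ == "__main__":
    # On a live host feed the real output instead, e.g. from
    # subprocess.check_output(["sysctl", "-a"], text=True).
    for key, current, wanted in audit(parse_sysctl(SAMPLE_SYSCTL_OUTPUT)):
        print(f"{key}: is {current!r}, recommended {wanted}")
```

Linux combines each net.ipv4.conf.all key with the per-interface net.ipv4.conf.eth0 key by a rule that differs per key, so on a real host check the eth0 and default entries from the dump as well before trusting a clean report.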
Configure the domain name resolver
• In Linux the resolver has 2 config files
• /etc/hosts specifies static mappings:
    185.300.10.1    host1
    185.300.10.2    host2
    185.300.10.3    host3
    185.300.10.4    host4 merlin
    185.300.10.5    host5 arthur king
    185.300.10.5    timeserver
    128.114.1.15    name1.xyz.aus.century.com name1
• /etc/resolv.conf specifies the nameservers and the default domain:
    domain abc.aus.century.com
    nameserver 192.9.201.1
    nameserver 192.9.201.2
Setting Up Network Interface Cards (FreeBSD): Configuring the Network Card
Once the right driver is loaded for the network card, the card needs to be configured. As with many other things, the network card may have been configured at installation time by sysinstall. To display the configuration for the network interfaces on your system, enter the following command:
    juriskr >ifconfig
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=40<POLLING>
            inet 10.1.2.6 netmask 0xffffff00 broadcast 10.1.2.255
            inet 10.1.2.4 netmask 0xffffffff broadcast 10.1.2.4
            inet 10.1.2.7 netmask 0xffffffff broadcast 10.1.2.7
            inet 10.1.2.12 netmask 0xffffffff broadcast 10.1.2.12
            inet 10.1.2.9 netmask 0xffffffff broadcast 10.1.2.9
            ether 00:02:55:c8:45:aa
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
    sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet 127.0.0.1 netmask 0xff000000
To configure your card, you need root privileges. The network card configuration can be done from the command line with ifconfig(8), but you would have to do it after each reboot of the system. The file /etc/rc.conf is where to add the network card's configuration.
    juriskr >cat /etc/rc.conf | grep ifconfig
    ifconfig_fxp0="inet 10.1.2.6 netmask 255.255.255.0"
    ifconfig_fxp0_alias0="inet 10.1.2.4 netmask 255.255.255.255"
    ifconfig_fxp0_alias1="inet 10.1.2.7 netmask 255.255.255.255"
    ifconfig_fxp0_alias2="inet 10.1.2.9 netmask 255.255.255.255"
    ifconfig_fxp0_alias3="inet 10.1.2.12 netmask 255.255.255.255"
Setting Up Network Interface Cards (FreeBSD): Virtual Hosts
A very common use of FreeBSD is virtual site hosting, where one server appears to the network as many servers. This is achieved by assigning multiple network addresses to a single interface. A given network interface has one "real" address, and may have any number of "alias" addresses. These aliases are normally added by placing alias entries in /etc/rc.conf. An alias entry for the interface fxp0 looks like:
    ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"
Note that alias entries must start with alias0 and proceed upwards in order (for example, _alias1, _alias2, and so on). The configuration process will stop at the first missing number.
    ifconfig_fxp0_alias0="inet 10.1.2.4 netmask 255.255.255.255"
    ifconfig_fxp0_alias1="inet 10.1.2.7 netmask 255.255.255.255"
    ifconfig_fxp0_alias2="inet 10.1.2.9 netmask 255.255.255.255"
    ifconfig_fxp0_alias3="inet 10.1.2.12 netmask 255.255.255.255"
Setting Up Network Interface Cards (FreeBSD): Testing and Troubleshooting
Testing the Ethernet Card
To verify that an Ethernet card is configured correctly, you have to try two things. First, ping the interface itself, and then ping another machine on the LAN. First test the local interface:
    juriskr >ping -c 3 10.1.2.6
    PING 10.1.2.6 (10.1.2.6): 56 data bytes
    64 bytes from 10.1.2.6: icmp_seq=0 ttl=64 time=0.054 ms
    64 bytes from 10.1.2.6: icmp_seq=1 ttl=64 time=0.050 ms
    64 bytes from 10.1.2.6: icmp_seq=2 ttl=64 time=0.066 ms
    --- 10.1.2.6 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.050/0.057/0.066/0.007 ms
Now we have to ping another machine on the LAN:
    juriskr >ping 10.1.2.5
    PING 10.1.2.5 (10.1.2.5): 56 data bytes
    64 bytes from 10.1.2.5: icmp_seq=0 ttl=64 time=0.381 ms
    64 bytes from 10.1.2.5: icmp_seq=1 ttl=64 time=0.188 ms
    64 bytes from 10.1.2.5: icmp_seq=2 ttl=64 time=0.178 ms
    ^C
    --- 10.1.2.5 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.178/0.249/0.381/0.093 ms
You could also use the machine name instead of the IP address if you have set up the /etc/hosts file.
Ifconfig output (RHEL)
    [juris@ns1 ~]$ ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:0B:CD:41:F4:93
              inet addr:81.xxx.xxx.xxx  Bcast:81.xxx.xxx.xxx  Mask:255.255.255.224
              inet6 addr: fe80::20b:cdff:fe41:f493/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:473091457 errors:0 dropped:0 overruns:0 frame:0
              TX packets:488547237 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:3458689275 (3.2 GiB)  TX bytes:3985927941 (3.7 GiB)
              Interrupt:193

    eth0:1    Link encap:Ethernet  HWaddr 00:0B:CD:41:F4:93
              inet addr:10.xxx.xxx.xxx  Bcast:10.xxx.xxx.xxx  Mask:255.255.252.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:193

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:6004400 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6004400 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:645400309 (615.5 MiB)  TX bytes:645400309 (615.5 MiB)
    [juris@ns1 ~]$
Daemons
A daemon is a process that:
• runs in the background
• is not associated with any terminal
• its output doesn't end up in another session
• terminal-generated signals (^C) aren't received
Unix and Daemons
• Unix systems typically have many daemon processes.
• Most servers run as a daemon process.
Common Daemons
• Web server (httpd)
• Mail server (sendmail)
• SuperServer (inetd)
• System logging (syslogd)
• Print server (lpd)
• Router process (routed, gated)
Daemon Output
• No terminal, so output must go somewhere else:
• the file system
• a central logging facility
• Syslog is often used; it provides a central repository for system logging.
Syslog service
• The syslogd daemon provides system logging services to "clients".
• Simple API for "clients"
• A library provided by the O.S.
Sending a message to syslogd
• Standard programming interface provided by the syslog() function:
    #include <syslog.h>
    void syslog(int priority, const char *message, ...);
• Works like printf()
[Diagram: syslogd message flow] Sources feeding syslogd: Unix domain socket /dev/log, kernel log device /dev/klog, UDP socket port 514 (messages from a remote syslogd). Destinations: filesystem (/var/log/messages), console, remote syslogd.
Syslog messages
• Think of syslog as a server that accepts messages.
• Each message includes a number of fields, including:
• a level indicating the importance (8 levels):
    LOG_EMERG    0   kernel panic
    LOG_ALERT    1   condition needing immediate attention
    LOG_CRIT     2   critical conditions
    LOG_ERR      3   errors
    LOG_WARNING  4   warning messages
    LOG_NOTICE   5   not an error, but may need attention
    LOG_INFO     6   informational messages
    LOG_DEBUG    7   when debugging a system
Syslog message fields (cont.)
• a facility that indicates the type of process that sent the message:
    LOG_MAIL, LOG_AUTH, LOG_USER, LOG_KERN, LOG_LPR, ...
• Timestamp (added by syslogd)
• Hostname, as printed by uname -n (added by syslogd)
• A text string.
Logfile example
    Dec 27 02:45:00 moet.colorado.edu netinfod[71]: cann't lookup child
    Dec 27 02:50:00 bruno ftpd[27876]: open of pid file failed: not a directory
    Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
    Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
    Dec 27 02:55:33 bruno sendmail[28040]: host name/address mismatch: 192.93.110.26 != bull.bull..fr
    /* C program: syslog using openlog and closelog */
    #include <syslog.h>

    int main(void)
    {
        /* Identify this program in the log; LOG_PID adds the process id. */
        openlog("SA-BOOK", LOG_PID, LOG_USER);
        syslog(LOG_WARNING, "Testing...");
        closelog();
        return 0;
    }

On the host, this code produces the following log entry:
    Dec 28 17:23:49 moet.colorado.edu SA-BOOK[84]: Testing...
Log files
• Log files are normally kept in /var/log (the destinations are set in /etc/syslog.conf; apply changes with "/etc/init.d/syslog restart")
• Read them
• Syslog logs the system and what is happening on it
• Logcheck is a handy utility which checks the contents of logs and mails anything unusual
• http://www.psionic.com/abacus/logcheck/
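An added example (not from the slides, and not Logcheck's own code) of the Logcheck idea applied to the logfile format shown above: parse the lines syslogd writes and keep only those not matched by an ignore list. The sample lines are constructed from the five on the slide plus two routine ones; the ignore patterns are this example's own.

```python
"""Pick the unusual lines out of a syslog file, Logcheck style.

Added example, not from the original slides and not Logcheck's own code.
It parses the "Mon DD HH:MM:SS host program[pid]: message" lines that
syslogd writes (the logfile example above) and drops the ones matching
an ignore list, so only messages needing attention remain.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # timestamp added by syslogd
    r"(?P<host>\S+) "                                   # hostname added by syslogd
    r"(?P<body>(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*))$"
)

# Constructed sample: the five lines from the slide plus two routine ones.
SAMPLE_LOG = """\
Dec 27 02:45:00 moet.colorado.edu netinfod[71]: cann't lookup child
Dec 27 02:50:00 bruno ftpd[27876]: open of pid file failed: not a directory
Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
Dec 27 02:55:33 bruno sendmail[28040]: host name/address mismatch: 192.93.110.26 != bull.bull..fr
Dec 27 03:00:01 bruno cron[28101]: (root) CMD (run-parts /etc/cron.hourly)
Dec 27 03:05:12 bruno sshd[28120]: Accepted publickey for juris from 192.168.98.82 port 40991
"""

# Routine traffic that needs no attention, matched against "program[pid]: message".
# The analogue of Logcheck's ignore files (these patterns are this example's own).
IGNORE_PATTERNS = [
    re.compile(r"^cron\[\d+\]: \(\w+\) CMD \("),
    re.compile(r"^sshd\[\d+\]: Accepted publickey for \w+ from "),
]


def parse_line(line: str):
    """Split one syslog line into its fields; None if it is not in syslogd's format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields


def unusual(text: str, ignore=IGNORE_PATTERNS) -> list:
    """Return parsed entries not covered by the ignore list.

    Lines that do not parse at all are kept too, under the key "raw":
    a line that does not look like syslogd wrote it deserves a look.
    """
    kept = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            kept.append({"raw": line})
        elif not any(p.search(entry["body"]) for p in ignore):
            kept.append(entry)
    return kept


if __name__ == "__main__":
    for entry in unusual(SAMPLE_LOG):
        print(entry.get("raw") or f"{entry['host']} {entry['body']}")
```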
Back to daemons
• To force a process to run in the background, just fork() and have the parent exit.
• There are a number of ways to disassociate a process from any controlling terminal.
• Call setsid() and then fork() again.
Daemon initialization
• Daemons should close all unnecessary descriptors
• often including stdin, stdout, stderr.
• Get set up for using syslog
• Call openlog()
• Often change working directory.
Too many daemons?
• There can be many servers running as daemons, idle most of the time.
• Much of the startup code is the same for these servers.
• Most of the servers are asleep most of the time, but use up space in the process table.
Internet Daemon
• Daemon inetd started at boot time
• Configuration file /etc/inetd.conf
• Fields: name, type, protocol, wait-status, uid, server, arguments
    #
    ftp     stream  tcp6    nowait  root    /usr/sbin/tcpd      in.ftpd
    telnet  stream  tcp6    nowait  root    /usr/sbin/tcpd      in.telnetd
    #
    # Mail is a useful thing...
    pop3    stream  tcp     nowait  root    /etc/mail/popper    popper -s
    imap    stream  tcp     nowait  root    /etc/mail/imapd     imapd
Internet Daemon
• When to modify inetd.conf:
• Disable a service: add a # at the beginning of the entry, then send a hang-up signal to inetd so it re-reads the file: kill -HUP processid
• Enable a service
• Change the path
• Modify arguments
inetd
• The SuperServer is named inetd. This single daemon creates multiple sockets and waits for (multiple) incoming requests.
• inetd typically uses select() to watch multiple sockets for input.
• When a request arrives, inetd will fork() and the child process handles the client.
inetd children
• The child process closes all unnecessary sockets.
• The child dup()'s the client socket to descriptors 0, 1 and 2 (stdin, stdout, stderr).
• The child exec()'s the real server program, which handles the request and exits.
Standard file descriptors
    File descriptor   Used for          Default
    0                 standard input    keyboard
    1                 standard output   screen
    2                 standard error    screen
inetd based servers
• Servers that are started by inetd assume that the socket holding the request is already established (on descriptors 0, 1 and 2).
• TCP servers started by inetd don't call accept(), so they must call getpeername() if they need to know the address of the client.
/etc/inetd.conf
• inetd reads a configuration file that lists all the services it should handle.
• inetd creates a socket for each listed service, and adds the socket to an fd_set given to select().
inetd service specification
• For each service, inetd needs to know:
• the port number and transport protocol
• wait/nowait flag
• login name the process should run as
• pathname of the real server program
• command line arguments to the server program
example /etc/inetd.conf
    # comments start with #
    echo     stream  tcp   nowait  root    internal
    echo     dgram   udp   wait    root    internal
    chargen  stream  tcp   nowait  root    internal
    chargen  dgram   udp   wait    root    internal
    ftp      stream  tcp   nowait  root    /usr/sbin/ftpd       ftpd -l
    telnet   stream  tcp   nowait  root    /usr/sbin/telnetd    telnetd
    finger   stream  tcp   nowait  root    /usr/sbin/fingerd    fingerd
    # Authentication
    auth     stream  tcp   nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
    # TFTP
    tftp     dgram   udp   wait    root    /usr/sbin/tftpd      tftpd -s /tftpboot
example /etc/services
    ftp      21/tcp    # File Transfer Protocol
    telnet   23/tcp    # Telnet
    smtp     25/tcp    # Simple Mail Transfer Protocol
    tftp     69/udp    # Trivial File Transfer Protocol
    www      80/tcp    # World Wide Web
    ntp     123/tcp    # Network Time Protocol
    ntp     123/udp    # Network Time Protocol
wait/nowait
• Specifying wait means that inetd should not look for new clients for the service until the child (the real server) has terminated.
• TCP servers usually specify nowait: this means inetd can start multiple copies of the TCP server program, providing concurrency!
UDP & wait/nowait
• Most UDP services run with inetd told to wait until the child server has died.
• Some UDP servers hang out for a while, handling multiple clients before exiting.
• inetd was told to wait, so it ignores the socket until the UDP server exits.
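As an added example (not from the slides) covering the service specification, the inetd.conf and /etc/services examples, and the wait/nowait rules above: a Python audit that parses inetd.conf entries, resolves each service's port from /etc/services lines, and flags entries worth a second look. Both sample files are constructed from the excerpts on this page, with one entry deliberately commented out and the tftp entry changed to nowait.

```python
"""Audit /etc/inetd.conf entries against /etc/services.

Added example, not from the original slides. It parses the inetd.conf
fields (service, socket type, protocol, wait/nowait, user, server path,
arguments), resolves each service through /etc/services-style lines, and
flags: a service with no /etc/services entry (inetd cannot find its port),
an external server running as root, and a UDP datagram service set to nowait.
"""
from dataclasses import dataclass

# Constructed samples based on the inetd.conf and /etc/services excerpts above.
SAMPLE_INETD_CONF = """\
# comments start with #
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/ftpd       ftpd -l
telnet  stream  tcp6    nowait  root    /usr/sbin/tcpd       in.telnetd
#finger stream  tcp     nowait  root    /usr/sbin/fingerd    fingerd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
tftp    dgram   udp     nowait  root    /usr/sbin/tftpd      tftpd -s /tftpboot
"""

SAMPLE_SERVICES = """\
echo    7/tcp
echo    7/udp
ftp     21/tcp   # File Transfer Protocol
telnet  23/tcp   # Telnet
tftp    69/udp   # Trivial File Transfer Protocol
"""


@dataclass
class InetdEntry:
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    server: str
    args: list
    enabled: bool


def parse_services(text: str) -> dict:
    """Map (name, protocol) -> port from /etc/services lines."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[(name, proto)] = int(port)
    return table


def parse_inetd_conf(text: str) -> list:
    """Parse entries; a line commented out with '#' is kept but marked disabled."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 6:
            continue  # blank line or a real comment, not a disabled entry
        entries.append(InetdEntry(
            service=fields[0], socket_type=fields[1], protocol=fields[2],
            wait=fields[3].split(".")[0],  # "wait.max" form carries a rate limit
            user=fields[4].split(".")[0],  # "user.group" form
            server=fields[5], args=fields[6:], enabled=enabled))
    return entries


def audit(entries: list, services: dict) -> list:
    """Return (service, finding) pairs for the enabled entries."""
    findings = []
    for e in entries:
        if not e.enabled:
            continue
        proto = e.protocol.rstrip("46")  # tcp6 / tcp4 -> tcp for the lookup
        if (e.service, proto) not in services:
            findings.append((e.service, "no /etc/services entry, port unknown"))
        if e.server != "internal" and e.user == "root":
            findings.append((e.service, f"{e.server} runs as root"))
        if e.socket_type == "dgram" and e.wait != "wait":
            findings.append((e.service, "UDP datagram service with nowait"))
    return findings
```

Run it as audit(parse_inetd_conf(open("/etc/inetd.conf").read()), parse_services(open("/etc/services").read())) on a host that still uses inetd; the tcpd wrapper entries show up as root servers because the wrapper itself runs as root before handing over.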
Super inetd
• Some versions of inetd have server code to handle simple services such as the echo server, daytime server, chargen, ...
Servers
• Servers that are expected to deal with frequent requests are typically not run from inetd: mail, web, NFS.
• Many servers are written so that a command line option can be used to run the server from inetd.
xinetd
• Some versions of Unix provide a service very similar to inetd called xinetd.
• The configuration scheme is different
• The basic idea (functionality) is the same...
example /etc/xinetd.d
    # typical xinetd.conf
    defaults
    {
        instances       = 60
        log_type        = SYSLOG daemon
        log_on_success  = HOST PID
        log_on_failure  = HOST
        cps             = 25 30
    }
    includedir /etc/xinetd.d

    root# ls /etc/xinetd.d
    chargen      daytime-udp  finger  shell   time-udp
    chargen-udp  echo         ftp     telnet

    root# cat /etc/xinetd.d/telnet
    service telnet
    {
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/libexec/telnetd
        groups          = yes
        flags           = REUSE
        access_times    = 8:00-18:00
        only_from       = 128.138.12.0/24
    }
The Superservers
• Superservers listen on multiple network ports and start the appropriate service when a client connection arrives for that port.
• xinetd is a superserver gaining popularity
• It is a revised version of inetd that creates a more secure environment
• Shipped with Red Hat Linux
• xinetd is lately the most widely used superserver
• Application level security is provided via TCP Wrappers (the tcpd program)