
Advanced Guide to Linux Networking and Security


Presentation Transcript


  1. Advanced Guide to Linux Networking and Security, Chapter 4: Using Simple Network Services

  2. Objectives
  • Understand network daemons
  • Configure "superservers" to handle multiple network services
  • Set up administrative services such as logging and printing
  • Use simple network information services such as finger and talk
  • Understand basic mailing list and news server configurations

  3. Network Daemons
  • Daemons implement numerous network services
    • Examples: Web access, e-mail, file sharing
  • Characteristics of daemons
    • Programs typically started by the system at boot
    • Not associated with a user terminal
    • Names usually end with "d", as in inetd
  • Enter the ps ax command to list running processes, daemons included
  • How to communicate with a daemon
    • Send it a signal to make it reread its configuration or shut down

  4. Network Daemons (continued)
  • Three commands demonstrating communication
    • killall -HUP syslogd
      • Reconfigures syslogd without stopping the service
      • -HUP is an abbreviation of the SIGHUP signal
    • killall -TERM inetd
      • Stops the daemon by sending the SIGTERM signal (-TERM), which lets it clean up before exiting
    • kill -KILL 201
      • Stops the daemon with PID 201 using the SIGKILL signal (-KILL); the signal comes before the PID
      • SIGKILL cannot be caught, so the daemon gets no chance to clean up; use it only when SIGTERM fails
  • Daemons consume various system resources
    • Examples: memory, disk space, and file descriptors
  • Security requirement for daemons
    • Binding a TCP/UDP port below 1024 requires root privileges (or, on Linux, the CAP_NET_BIND_SERVICE capability), so such daemons start as root
    • Well-written daemons drop to an unprivileged user once the port is bound, so a flaw in the service does not hand an attacker root

  5. Daemons on Demand
  • Superservers: software that loads daemons on demand
  • How superservers work
    • Listen on multiple network ports
    • Start the appropriate service on one of two conditions
      • A client requests a TCP connection on that port
      • A datagram arrives (in the case of UDP)
  • Two popular superservers: inetd and xinetd
    • Examine the /etc directory (inetd.conf versus xinetd.conf) to determine which is installed
  • A daemon not using a superserver runs standalone: it daemonizes itself and listens on its own port
  • Superserver disadvantage: every new connection pays the service's start-up time

  6. Using inetd and TCP Wrappers
  • inetd (Internet daemon): the original superserver
    • Monitors TCP and UDP ports
    • Launches programs to handle each connection
  • TCP Wrappers program (tcpd)
    • Provides logging and access control for connections
  • Example of one line in the /etc/inetd.conf file:
    ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
    • First field: the service name, which inetd looks up in /etc/services to find the port to listen on
    • Second and third fields: socket type (stream or dgram) and protocol (tcp or udp)
    • Fourth field: wait or nowait, whether inetd waits for the server to exit before accepting another connection (nowait is normal for TCP services)
    • Fifth field: the user ID the server runs under
    • Sixth field: the program launched, with its arguments, in response to a connection

  7. [Figure slide: no text captured]

  8. Using inetd and TCP Wrappers (continued)
  • More on the sixth field: /usr/sbin/tcpd in.ftpd -l -a
    • Runs the TCP Wrappers program
    • If the connection is allowed, the in.ftpd daemon is spawned with -l and -a passed on its command line
    • The request is logged
    • If the connection is not allowed, tcpd logs the refused attempt and exits, which closes the connection without ever starting in.ftpd
  • After editing inetd.conf, restart inetd or make it reread its configuration (killall -HUP inetd)
  • /etc/hosts.allow and /etc/hosts.deny files
    • Used to configure TCP Wrappers
    • Format: a daemon list, a colon, then a client list of host names or IP addresses
    • Example: in.telnetd: 192.168.1.12

  9. Using inetd and TCP Wrappers (continued)
  • tcpd checks hosts.allow first, then hosts.deny; a client that matches neither file is granted access (the default action of tcpd is to allow)
  • Keywords ALL and EXCEPT fine-tune the tcpd setup
  • Example: tcpd configuration with ALL
    • hosts.allow file contains in.telnetd: 192.168.
      • Hosts whose IP address starts with 192.168. get Telnet access (the trailing dot marks an address prefix; without it the pattern is compared as a whole string and matches nothing)
    • hosts.deny file contains in.telnetd: ALL
      • All other hosts (not specifically allowed) are denied
  • Investigate options using man 5 hosts_access
  • You may combine allow and deny conditions
    • Check the hosts_options man page for details
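The inetd.conf fields from slide 6 and the hosts.allow/hosts.deny evaluation from slides 8 and 9, as an added example that is not part of the original presentation or of the inetd/tcpd sources: a reader for one inetd.conf entry and a reimplementation of the order in which tcpd consults the two files. The sample configuration is constructed for the example; the daemon names and addresses in it do not refer to any real host.

```python
# Added example, not from the book: parse one /etc/inetd.conf entry and
# evaluate TCP Wrappers access control with the order tcpd actually uses:
#   1. allow if (daemon, client) matches an entry in hosts.allow
#   2. else deny if it matches an entry in hosts.deny
#   3. else allow (tcpd's default)
# Client patterns implemented: ALL, EXCEPT, exact name/address, trailing-dot
# address prefix ("192.168."), leading-dot domain suffix (".example.com")
# and net/mask ("10.0.0.0/255.255.255.0"). Sample files are constructed.
import ipaddress

INETD_FIELDS = ("service", "socket_type", "protocol", "wait", "user", "server")


def parse_inetd_line(line):
    """Split an inetd.conf line into named fields; args holds everything after the server path."""
    parts = line.split()
    if len(parts) < 6:
        raise ValueError("inetd.conf entry needs at least six fields")
    entry = dict(zip(INETD_FIELDS, parts[:6]))
    entry["args"] = parts[6:]
    entry["wrapped"] = entry["server"].endswith("/tcpd")  # goes through TCP Wrappers?
    return entry


def _token_matches(pattern, value):
    """One hosts_access pattern against one daemon name or client host/address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "192.168." matches 192.168.x.y
        return value.startswith(pattern)
    if pattern.startswith("."):          # ".example.com" matches any host in that domain
        return value.endswith(pattern)
    if "/" in pattern:                   # "net/mask" form
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:               # value is a host name, not an address
            return False
    return pattern.lower() == value.lower()


def _list_matches(spec, value):
    """'a b EXCEPT c' matches when any of a/b matches and none of c does."""
    include, _, exclude = spec.partition(" EXCEPT ")
    if not any(_token_matches(t, value) for t in include.split()):
        return False
    return not any(_token_matches(t, value) for t in exclude.split())


def _file_matches(text, daemon, client):
    """True when some 'daemon_list : client_list' line in the file matches the request."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons, clients = fields[0], fields[1]   # an optional third field (shell command) is ignored here
        if _list_matches(daemons, daemon) and _list_matches(clients, client):
            return True
    return False


def tcpd_allows(hosts_allow, hosts_deny, daemon, client):
    """tcpd's decision for one request: allow file first, deny file second, then allow."""
    if _file_matches(hosts_allow, daemon, client):
        return True
    if _file_matches(hosts_deny, daemon, client):
        return False
    return True


# Constructed sample configuration (not from any real host).
HOSTS_ALLOW = """\
in.telnetd: 192.168.                  # trailing dot: address prefix
in.ftpd:    .example.com EXCEPT guest.example.com
sshd:       10.0.0.0/255.255.255.0
"""
HOSTS_DENY = "ALL: ALL\n"              # everything not explicitly allowed is refused

if __name__ == "__main__":
    print(parse_inetd_line("ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a"))
    for daemon, client in [("in.telnetd", "192.168.1.12"), ("in.telnetd", "172.16.0.5"),
                           ("in.ftpd", "ftp.example.com"), ("in.ftpd", "guest.example.com"),
                           ("sshd", "10.0.0.77"), ("sshd", "10.0.1.77")]:
        verdict = "allowed" if tcpd_allows(HOSTS_ALLOW, HOSTS_DENY, daemon, client) else "denied"
        print(f"{daemon:<11} {client:<18} {verdict}")
```

The last call in the test below shows the point slide 9 makes: with empty files everything is allowed, so a hosts.deny containing ALL: ALL is what turns TCP Wrappers into a default-deny control.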

  10. [Figure slide: no text captured]

  11. Using xinetd
  • xinetd (extended Internet services daemon)
    • Superserver with greatly enhanced functionality
  • /etc/xinetd.conf holds the defaults and refers to the /etc/xinetd.d directory, which has one file per service
  • Format of each file in /etc/xinetd.d
    • First part names a service, such as ftp
    • Braces enclose the attributes applying to that service
    • Attributes matching inetd.conf: socket_type, user, server
    • Other attributes, such as disable and only_from (restricting which clients may connect), extend inetd
    • Check the xinetd.conf man page for a detailed list of available attributes
  • Restart xinetd after making configuration changes
    • Use the script in /etc/rc.d/init.d or send xinetd the SIGUSR2 signal (hard reconfiguration)

  12. Exploring Network Testing Services
  • Using services built into the superservers
  • Enabling network services (disabled by default)
    • Using xinetd: open the appropriate file in /etc/xinetd.d and change the disable = yes line to disable = no
    • Using inetd: open the appropriate line in the /etc/inetd.conf file and remove the comment character from the beginning of the line
  • Five testing services you can exercise with Telnet
    • echo: on UDP/TCP port 7, echoes its input back
    • chargen: on UDP/TCP port 19, returns a continuous character stream
    • discard: on UDP/TCP port 9, behaves like /dev/null
    • time: on UDP/TCP port 37, returns the current time as a 32-bit binary value
    • daytime: on UDP/TCP port 13, returns the date and time as text
  • Leave these disabled on production hosts: the UDP echo and chargen services in particular can be abused with spoofed datagrams to set up traffic loops between two hosts
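The xinetd.d file format from slide 11 and the disable = yes / disable = no edit from slide 12, as an added example that is not part of the original presentation or of xinetd itself: a reader for xinetd's stanza syntax that reports which services are actually enabled and whether only_from or no_access limits who may reach them, plus a helper that makes the disable edit in place. The defaults stanza, the three service files and the attribute values are all constructed for the example.

```python
# Added example, not from the book: a small reader for xinetd's configuration
# syntax (the 'defaults' stanza in xinetd.conf plus the per-service files
# from /etc/xinetd.d) that reports which services are enabled and whether
# their client access is limited by only_from/no_access, and a helper that
# performs the "disable = yes -> disable = no" edit the slide describes.
# All configuration text below is constructed for the example.
import re

ATTR_RE = re.compile(r"^(\w+)\s*(\+=|-=|=)\s*(.*)$")


def parse_xinetd(text):
    """Return (defaults, services); services are keyed by 'id' when set, else by service name."""
    defaults, services = {}, {}
    header = attrs = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("includedir"):
            continue
        if header is None:                       # 'defaults' or 'service <name>'
            header, attrs = line.rstrip("{").strip(), {}
        elif line == "{":
            continue
        elif line.startswith("}"):               # end of stanza
            if header == "defaults":
                defaults.update(attrs)
            else:
                name = header.split(None, 1)[1]
                attrs.setdefault("service", name)
                services[attrs.get("id", name)] = attrs
            header = attrs = None
        else:
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError(f"unparsable xinetd attribute line: {line!r}")
            key, op, value = m.groups()
            if op == "+=":
                attrs[key] = (attrs.get(key, "") + " " + value).strip()
            elif op == "-=":
                attrs[key] = " ".join(v for v in attrs.get(key, "").split() if v not in value.split())
            else:
                attrs[key] = value.strip()
    return defaults, services


def exposed_services(text):
    """Enabled services as (key, protocol, access_restricted) tuples, sorted by key."""
    defaults, services = parse_xinetd(text)
    report = []
    for key, svc in services.items():
        eff = {**defaults, **svc}                # service attributes override the defaults
        if eff.get("disable", "no").lower() == "yes":
            continue
        restricted = bool(eff.get("only_from")) or bool(eff.get("no_access"))
        report.append((key, eff.get("protocol", "?"), restricted))
    return sorted(report)


def set_disabled(text, service, disabled):
    """Rewrite (or add) the 'disable' attribute inside the 'service <name>' stanza."""
    value = "yes" if disabled else "no"
    out, in_target, seen = [], False, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("service "):
            in_target = stripped.split(None, 1)[1].rstrip("{").strip() == service
            seen = False
        elif in_target and stripped.startswith("}"):
            if not seen:                         # stanza had no disable line: add one
                out.append(f"    disable = {value}")
            in_target = False
        elif in_target:
            m = ATTR_RE.match(stripped)
            if m and m.group(1) == "disable":
                raw = re.sub(r"=\s*\S+", f"= {value}", raw, count=1)
                seen = True
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed /etc/xinetd.conf and /etc/xinetd.d contents (not from a real host).
XINETD_CONF = """\
defaults
{
    log_type    = SYSLOG daemon info
    instances   = 50
}
includedir /etc/xinetd.d
"""

XINETD_D = """\
service echo
{
    disable     = yes
    type        = INTERNAL
    id          = echo-stream
    socket_type = stream
    protocol    = tcp
    user        = root
    wait        = no
}

service chargen
{
    disable     = no
    type        = INTERNAL
    id          = chargen-dgram
    socket_type = dgram
    protocol    = udp
    user        = root
    wait        = yes
}

service finger
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    user        = nobody
    server      = /usr/sbin/in.fingerd
    wait        = no
    only_from   = 192.168.1.0/24
}
"""

if __name__ == "__main__":
    for key, proto, restricted in exposed_services(XINETD_CONF + XINETD_D):
        print(f"{key:<14} {proto:<4} {'restricted' if restricted else 'OPEN TO ALL CLIENTS'}")
    # The edit the slide describes, applied to the echo service:
    print(exposed_services(XINETD_CONF + set_disabled(XINETD_D, "echo", False)))
```

The report flags chargen-dgram: enabled, UDP, and reachable from anywhere, which is the combination slide 12 warns about. Services such as echo that ship with two stanzas (a stream and a dgram variant under the same service name) are told apart by their id attribute.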

  13. Using Administrative Services
  • Examples: logging and printing
  • Discussion of these services follows

  14. Logging with syslogd and klogd
  • Two logging daemons
    • klogd: collects kernel messages
    • syslogd: handles all other messages (and the kernel messages klogd passes to it)
  • Logging is configured in /etc/syslog.conf
  • Four message-handling options in syslog.conf
    • Write the message to a file
    • Write the message to a named pipe (which a filter program reads)
    • Print the message on the terminal of one or more named users
    • Forward the message to another system (remote logging)
  • Remote logging offers security and backup benefits: an attacker who gains root on a host can edit or delete its local logs, but not the copies already forwarded elsewhere

  15. Logging with syslogd and klogd (continued)
  • syslogd uses UDP port 514 for remote logging
    • Port 514 must be listed in /etc/services (syslog 514/udp)
  • Enable the remote feature by editing /etc/sysconfig/syslog
    • Add -r to the SYSLOG_OPTIONS line so that syslogd accepts messages from the network
  • Configure /etc/syslog.conf for local or remote storage
    • Locally store kernel messages: kern.* /var/log/messages
    • Remotely store kernel messages: kern.* @london.myplace.net
  • Review the syslogd man page for command options
    • Example 1: -s strips the given domain name from host names before logging an event
    • Example 2: -x disables host name lookups for messages received from remote hosts
  • Caveat: plain UDP syslog is neither authenticated nor encrypted, so anyone who can send to port 514 can inject or spoof log entries; restrict the port to the forwarding hosts with a packet filter
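The syslog.conf selector rules from slides 14 and 15 and the datagram syslogd sends when the action is @host, as an added example that is not part of the original presentation or of sysklogd: a reimplementation of how a selector field such as *.info;mail.none is evaluated left to right, the routing of one message through a constructed syslog.conf (which includes the book's two kern.* lines), and the encoding and decoding of the <PRI> prefix that every BSD-syslog datagram on UDP port 514 starts with. The configuration and the log messages are constructed for the example.

```python
# Added example, not from the book: the selector matching syslogd applies to
# each /etc/syslog.conf line, and the datagram layout it uses when the action
# is "@host" (BSD syslog over UDP/514, RFC 3164). The configuration and the
# messages below are constructed for the example.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def _selector_verdict(selector, facility, severity):
    """One 'facility[,facility].priority' selector: True (adds), False (removes) or None (silent)."""
    fac_part, _, pri_part = selector.partition(".")
    facs = fac_part.split(",")
    if "*" not in facs and facility not in facs:
        return None
    if pri_part == "none":
        return False
    exact = "=" in pri_part[:2]              # '=info': exactly that priority
    negate = "!" in pri_part[:2]             # '!info': exclude that priority and above
    name = pri_part.lstrip("=!")
    level = 7 if name == "*" else SEVERITIES[name]
    hit = SEVERITIES[severity] == level if exact else SEVERITIES[severity] <= level
    if negate:
        return False if hit else None        # '!' only ever removes messages
    return True if hit else None             # a plain selector only ever adds them


def selector_matches(selector_field, facility, severity):
    """Evaluate the whole selector field ('a.b;c.d;...') left to right; later parts win."""
    result = False
    for sel in selector_field.split(";"):
        verdict = _selector_verdict(sel.strip(), facility, severity)
        if verdict is not None:
            result = verdict
    return result


def route(conf, facility, severity):
    """Actions (files, @hosts, user lists) that a message with this facility/severity reaches."""
    actions = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, severity):
            actions.append(action.strip())
    return actions


def pri(facility, severity):
    """The PRI value carried in '<PRI>' at the start of every syslog datagram."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def bsd_datagram(facility, severity, timestamp, host, tag, msg):
    """'<PRI>TIMESTAMP HOST TAG: MSG' as sent to UDP/514; nothing in it is authenticated."""
    return f"<{pri(facility, severity)}>{timestamp} {host} {tag}: {msg}".encode("ascii")


def parse_datagram(data):
    """Recover (facility, severity, rest) from a received datagram; a missing or bad PRI raises ValueError."""
    text = data.decode("ascii", errors="replace")
    if not text.startswith("<") or ">" not in text[:5]:
        raise ValueError("missing <PRI>")
    code = int(text[1:text.index(">")])
    facility = {v: k for k, v in FACILITIES.items()}.get(code // 8, f"facility{code // 8}")
    severity = {v: k for k, v in SEVERITIES.items()}[code % 8]
    return facility, severity, text[text.index(">") + 1:]


# Constructed syslog.conf, including the book's two kern.* lines.
SYSLOG_CONF = """\
kern.*                          /var/log/messages
kern.*                          @london.myplace.net
*.info;mail.none;authpriv.none  /var/log/messages
authpriv.*                      /var/log/secure
mail.crit                       @london.myplace.net
*.emerg                         *
"""

if __name__ == "__main__":
    for fac, sev in [("kern", "info"), ("mail", "info"), ("mail", "alert"), ("authpriv", "warning")]:
        print(f"{fac}.{sev:<8} -> {route(SYSLOG_CONF, fac, sev)}")
    wire = bsd_datagram("kern", "info", "Mar  6 10:31:00", "rome", "kernel", "eth0: link up")
    print(wire, parse_datagram(wire))
```

Two things worth noticing in the output: a kern.info message lands in /var/log/messages twice, because the first and third lines both match and syslogd treats each line independently; and the datagram carries the sending host's name only as text that the sender itself wrote, which is why the -x and firewall advice above matters.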

  16. Printing with Linux
  • Uses networking by default
  • Line Printer Daemon protocol (LPD, defined in RFC 1179)
    • Allows Linux to interact with other operating systems
  • Supported by five programs
    • lpd: the line printer daemon itself
    • lpr: sends a print job to a print queue
    • lpq: displays the contents of the print queues
    • lprm: removes print jobs from print queues
    • lpc: controls the print queues
  • lpd uses TCP and listens on port 515
    • Expects client source ports to be in the privileged range 721 to 731, which is the only "authentication" the protocol offers

  17. Printing with Linux (continued)
  • Configure printing to a remote host in /etc/printcap
    • Example:
      :rm=printer.example.com:\
      :rp=lazer:\
    • :rm= defines the remote host to print to
    • :rp= defines the remote print queue to use
    • Ensure that the print queue is valid on the remote host
  • Set lpd permissions in /etc/lpd.conf and /etc/lpd.perms
  • Basic functions of the lpd print server
    • Accepts print jobs
    • Spools print jobs to the print queue directory
    • Sends print jobs sequentially to the physical printer

  18. Printing with Linux (continued)
  • lpd response to a request for a remote printer
    • Uses port 515 to connect to the lpd program on the remote host
    • The remote copy of lpd accepts the connection
      • Assumptions: no firewall in the way and the remote lpd is running
    • The remote lpd spools the print job to a local file
    • Processing continues as if the job originated on the remote host
  • Internet Printing Protocol (IPP)
    • Standards-track printing protocol from the IETF
    • Supported by the Common UNIX Printing System (CUPS)
    • Runs over HTTP version 1.1 on TCP port 631

  19. Printing with Linux (continued)
  • Configure CUPS via a Web browser
    • Start the CUPS daemon (cupsd)
    • Point the browser to http://localhost:631
    • The main CUPS page is served by cupsd's built-in Web server
    • Click the Do Administration Tasks link for the Administration page
  • Visit www.cups.org for more information

  20. [Figure slide: no text captured]

  21. [Figure slide: no text captured]

  22. Configuring NTP Time Synchronization
  • Purpose: synchronize all hosts to a common time
  • Network Time Protocol (NTP)
    • The Internet's time synchronization protocol
    • NTP epoch: midnight, January 1, 1900
    • Time represented by a 64-bit value
      • First 32 bits: seconds elapsed since the NTP epoch
      • Last 32 bits: fractional part of the current second
  • Hierarchy of NTP servers
    • Servers at stratum 1 synchronize to reference clocks such as atomic clocks or GPS receivers
      • Atomic clock time is broadcast from satellites
    • Lower-level servers synchronize to the servers above them
      • Example: stratum 2 servers synchronize to stratum 1 servers

  23. [Figure slide: no text captured]

  24. Configuring NTP Time Synchronization (continued)
  • Hierarchy of NTP servers (continued)
    • Servers at the same stratum may cross-synchronize
      • Servers engaging in this activity are known as peers
      • Peers rely on the Correctness Principle to evaluate accuracy
  • The ntpd daemon supports NTP in Linux
    • Used on both NTP servers and clients
    • Define time sources for ntpd in the /etc/ntp.conf file
      • Example: server ntp.ucsd.edu
    • Use at least five servers for best accuracy, so that ntpd can outvote a single wrong or malicious source
    • View the list of public stratum 1 and 2 servers at www.ntp.org
      • Avoid stratum 1 servers to prevent bottlenecks at those servers
      • Stratum 2 and stratum 3 servers offer high accuracy

  25. Configuring NTP Time Synchronization (continued)
  • Before starting ntpd, verify the accuracy of the system time
    • ntpd exits rather than step the clock if the discrepancy is greater than 1000 seconds
  • How to change the current time values
    • Manual method based on the date command
      • Enter date -s "03/06/2005 10:31"
    • Automate the process using the ntpd script in /etc/rc.d/init.d
      • Runs ntpdate -s pool.ntp.org at boot-up to set the clock before ntpd starts
  • driftfile: line in ntp.conf naming the file in which ntpd records the clock's measured drift
  • Suite of utility programs provided with the NTP server
    • Example 1: use ntpq (ntpq -p) to obtain detailed NTP peer information
    • Example 2: use ntptrace to trace the chain of NTP servers back to stratum 1

  26. Supporting Clients with NTP
  • Configuring NTP clients
    • Generally use just one server statement
    • Add iburst to the line (if synchronizing to a private server)
      • Example: enter server 10.0.0.25 iburst
      • Adds the server with IP address 10.0.0.25
      • iburst: sends a burst of packets at startup so that the client synchronizes in about 10 seconds instead of several minutes
  • Simple Network Time Protocol (SNTP)
    • Used by the time synchronization client in Windows
    • Subset of NTP allowing for accuracy within about 1 second
  • Managing synchronization in Windows XP
    • Time server list in the Internet Time tab of the clock object
    • Add new servers by modifying the Windows registry
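The 64-bit timestamp from slide 22, the stratum and reference-ID fields that ntpq shows (slides 24 and 25), the 1000-second limit from slide 25 and the client-side offset computation behind slide 26, as an added example that is not part of the original presentation or of the ntpd code: the epoch conversion, a parser for the 48-byte NTP header, the offset/delay formula and the two sanity checks a client applies before trusting a server. The server reply is built locally from constructed clock values; nothing is sent on the network.

```python
# Added example, not from the book: the 64-bit NTP timestamp arithmetic,
# a parser for the 48-byte NTP packet header (stratum, reference ID and the
# four timestamps), the client offset/delay calculation, and the 1000-second
# sanity limit that keeps ntpd from starting on a badly wrong clock.
# The server reply is constructed locally; nothing goes out on the network.
import struct

NTP_UNIX_OFFSET = 2208988800            # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
PANIC_THRESHOLD = 1000.0                # ntpd exits instead of stepping the clock beyond this (unless -g)
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, reference ID, 4 timestamps
HEADER = struct.Struct("!BBBbII4s8I")   # 48 bytes


def unix_to_ntp(unix_time):
    """Unix seconds (float, >= 0) -> (seconds, fraction) halves of the 64-bit NTP timestamp."""
    whole = int(unix_time)
    fraction = min(int((unix_time - whole) * (1 << 32)), 0xFFFFFFFF)
    return (whole + NTP_UNIX_OFFSET) & 0xFFFFFFFF, fraction


def ntp_to_unix(seconds, fraction):
    """Inverse of unix_to_ntp for timestamps in the first NTP era (1900 to 2036)."""
    return seconds - NTP_UNIX_OFFSET + fraction / (1 << 32)


def describe_refid(stratum, refid):
    """Stratum 0/1 carry a 4-character source name (GPS, PPS, a kiss code); stratum 2+ carry the upstream IPv4 address."""
    if stratum <= 1:
        return refid.rstrip(b"\x00").decode("ascii", errors="replace")
    return ".".join(str(b) for b in refid)


def build_server_reply(t1, t2, t3, stratum=2, refid=b"\xc0\xa8\x01\x01", version=4):
    """A constructed mode-4 (server) reply: t1 is the client's transmit time echoed back as
    'originate', t2 the server receive time, t3 the server transmit time."""
    li_vn_mode = (0 << 6) | (version << 3) | 4
    return HEADER.pack(li_vn_mode, stratum, 6, -20, 0, 0, refid,
                       *unix_to_ntp(t2 - 64),        # reference: last sync with upstream (constructed)
                       *unix_to_ntp(t1), *unix_to_ntp(t2), *unix_to_ntp(t3))


def parse_reply(packet):
    """Unpack the fields a client's selection logic cares about."""
    if len(packet) < HEADER.size:
        raise ValueError("NTP packet shorter than 48 bytes")
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp,
     refid, *stamps) = HEADER.unpack(packet[:HEADER.size])
    return {
        "leap": li_vn_mode >> 6,
        "version": (li_vn_mode >> 3) & 7,
        "mode": li_vn_mode & 7,
        "stratum": stratum,
        "refid": describe_refid(stratum, refid),
        "originate": ntp_to_unix(stamps[2], stamps[3]),
        "receive": ntp_to_unix(stamps[4], stamps[5]),
        "transmit": ntp_to_unix(stamps[6], stamps[7]),
    }


def clock_offset(t1, t2, t3, t4):
    """Standard NTP client computation: (offset, round-trip delay) in seconds."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def ntpd_would_start(offset):
    """False when |offset| exceeds the panic threshold: fix the clock (date -s or ntpdate) first."""
    return abs(offset) <= PANIC_THRESHOLD


def usable_server(reply):
    """Basic sanity: server mode, synchronized (stratum 1 to 15), leap indicator not 'unsynchronized'."""
    return reply["mode"] == 4 and 1 <= reply["stratum"] <= 15 and reply["leap"] != 3


if __name__ == "__main__":
    t1 = 1000000000.0                    # client transmit time (constructed clock values)
    reply = parse_reply(build_server_reply(t1, t1 + 0.25, t1 + 0.5))
    t4 = t1 + 0.75                       # client receive time
    offset, delay = clock_offset(reply["originate"], reply["receive"], reply["transmit"], t4)
    print(reply["stratum"], reply["refid"], f"offset={offset:+.3f}s delay={delay:.3f}s",
          "usable" if usable_server(reply) else "rejected",
          "ntpd may start" if ntpd_would_start(offset) else "clock too far off")
```

Nothing in the packet authenticates the server: a host that can answer on UDP port 123 faster than the real server can set the client's clock, which is why slide 24 advises several sources rather than one, and why clients that accept a single server should at least apply the stratum and mode checks above.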

  27. Understanding SNMP on Linux
  • Simple Network Management Protocol
    • Gives feedback on the status of network components
      • Example: determine whether routers are overloaded
    • Visit http://linas.org/linux/NMS.html for details
  • SNMP uses a manager/agent (client/server) architecture
  • SNMP-specific terminology
    • Agent: SNMP-aware program running on a host
      • Configure the agent to watch for specific events on the host
      • When an event occurs, the agent collects the details
    • SNMP console (manager): gathers data from SNMP agents
      • Returns data to the system administrator
      • Presents data statistically, as graphs or as summaries
  • Caveat: with SNMP versions 1 and 2c the community string that authorizes a query travels in cleartext, so change the default strings (public/private) and limit the agent to read-only access from the console's address

  28. Allowing Dial-in Access with a PPP Server
  • pppd is used on both client and server for a PPP connection
  • Actions following a logon request from the command line
    • A terminal program watches for the username and password
      • Some terminal programs: getty, mgetty, mingetty
      • Managed by init, the master control program
    • Username and password are passed to the login program
    • If accepted, the login program starts a command shell
  • Setting up a PPP dial-in server
    • Requires mgetty to watch the modem (through a serial port)
    • mgetty validates the logon information and starts pppd

  29. Allowing Dial-in Access with a PPP Server (continued)
  • Configuring mgetty to listen, in the /etc/inittab file:
    S1:2345:respawn:/sbin/mgetty -x 3 -s 57600 -D ttyS0
    • Monitors the first serial port (device ttyS0) for incoming calls
  • Tell init to reread inittab after configuration changes
    • Use kill -1 1 (SIGHUP to PID 1) or init q; init 6 also picks up the change but by rebooting the machine
  • Configuring mgetty to start pppd (using AutoPPP)
    • Go to the /etc/mgetty+sendfax/login.config file
    • Enter /AutoPPP/ - a_ppp /usr/sbin/pppd -detach
    • In practice also give pppd the auth option (with +pap or +chap) so that AutoPPP callers must authenticate before any traffic passes
    • Use /etc/ppp/options to store pppd command options
    • Per-modem parameters may also be stored in files
      • Example: /etc/ppp/options.ttyS0

  30. Using Basic Information Services
  • These services are often not enabled by default, for security reasons
  • Change the settings for experimentation or deployment

  31. Communicating with talk
  • talk uses the talkd daemon to initiate a real-time conversation
    • talkd must run on both the local and the remote host
    • talkd uses UDP port 517 to communicate
    • Enable talkd in /etc/inetd.conf or /etc/xinetd.d/talk
  • Use talkd by starting the talk program
    • Include the username and host name after the talk command
      • Example: talk abutler@dublin
    • talk takes over the window as it attempts to connect
    • talkd on dublin checks whether abutler is logged on
    • A message is displayed to abutler if abutler is logged on
    • A two-way dialog occurs if abutler responds with talk

  32. Communicating with talk (continued)
  • talk options used after communication is established
    • Use Ctrl+P and Ctrl+N to scroll up or down
  • Use the mesg command (mesg n) to refuse talk requests to your terminal
  • Ktalk (for KDE): graphical tool with talkd functionality
  • Linux supports other chat-style systems for Internet communication

  33. [Figure slide: no text captured]

  34. [Figure slide: no text captured]

  35. Using finger to Collect User Information
  • Determines whether a user is logged on (for talk)
  • Provides the length of time the user has been logged on
  • Provides the user's full name
  • Enable finger in /etc/inetd.conf or /etc/xinetd.d/finger
    • Activates the listening and delivery service in the superserver
    • The superserver listens for incoming finger queries on TCP port 79
    • Accepted queries are handed to the in.fingerd daemon
  • Initiating a finger query when the user account is on the same host
    • Example: finger jthomas

  36. Using finger to Collect User Information (continued)
  • Initiating a finger query when the user account is on a different host
    • Example: finger jthomas@sophia.myplace.net
  • Reasons for the declining use of the finger protocol
    • Competition from other methods
    • Gaping security holes: it hands any anonymous remote user valid login names and login habits, exactly the reconnaissance an attacker wants before guessing passwords, and a buffer overflow in fingerd was one of the vectors of the 1988 Morris worm
  • Files used in finger transmissions
    • .plan: hidden file for extra information, such as an address
    • .project: one line describing the current project
    • .pgpkey: provides the user's public encryption key

  37. Using finger to Collect User Information (continued)
  • Create a .nofinger file in your home directory to hide yourself from finger
    • Blocks finger queries from systems other than your own
  • kfinger: graphical client for KDE
    • Executes finger queries
    • Also has talk capabilities
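What in.fingerd sees once the superserver hands it a connection on port 79 (slide 35), including the user@host form from slide 36 and the .nofinger rule from slide 37, as an added example that is not part of the original presentation or of any fingerd implementation: a parser for the RFC 1288 query line and a small response policy. The account records, the .plan text and the response wording are constructed for the example; real fingerd builds format their output differently.

```python
# Added example, not from the book: what in.fingerd sees on TCP port 79 once
# the superserver hands it the connection. The query syntax follows RFC 1288
# ('/W' for verbose, an optional user, '@host' hops for forwarding); the
# response format and the account data are constructed for the example, and
# the policy shows the .nofinger rule plus refusal of forwarded queries.
def parse_finger_query(raw):
    """Decode one request line into {'verbose': bool, 'user': str, 'hosts': [hop, ...]}."""
    line = raw.decode("ascii", errors="replace").rstrip("\r\n")
    verbose = line.startswith("/W")
    if verbose:
        line = line[2:].lstrip(" ")
    user, _, hops = line.partition("@")
    return {"verbose": verbose, "user": user.strip(),
            "hosts": [h for h in hops.split("@") if h] if hops else []}


# Constructed account data standing in for passwd/utmp, ~/.plan and ~/.nofinger.
ACCOUNTS = {
    "jthomas": {"name": "Jane Thomas", "on_since": "Mon 09:15",
                "plan": "Working on chapter 4.", "nofinger": False},
    "abutler": {"name": "A. Butler", "on_since": None, "plan": "", "nofinger": True},
}


def fingerd_respond(raw, remote):
    """Answer one query; remote=True means the client is not this host."""
    q = parse_finger_query(raw)
    if q["hosts"]:
        # Never relay 'user@host' on a client's behalf: the server would become a query proxy
        return "finger: forwarding service denied\r\n"
    if not q["user"]:
        if remote:
            return "finger: user list refused\r\n"   # a full login list is the worst leak
        return "\r\n".join(sorted(ACCOUNTS)) + "\r\n"
    acct = ACCOUNTS.get(q["user"])
    if acct is None or (remote and acct["nofinger"]):
        # Same answer for unknown and hidden users, so the reply is not a username oracle
        return f"finger: {q['user']}: no such user\r\n"
    lines = [f"Login: {q['user']}", f"Name: {acct['name']}",
             f"On since: {acct['on_since'] or 'not currently logged in'}"]
    if q["verbose"]:
        lines.append(f"Plan: {acct['plan'] or 'No Plan.'}")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for query in (b"jthomas\r\n", b"/W jthomas\r\n", b"abutler\r\n",
                  b"jthomas@sophia.myplace.net\r\n", b"\r\n"):
        print(repr(query), "->", repr(fingerd_respond(query, remote=True)))
```

The query a client sends for finger jthomas@sophia.myplace.net is simply jthomas followed by CRLF once it reaches sophia; the @host form only appears on the wire when a client asks one finger server to forward to another, which is the case the policy refuses.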

  38. [Figure slide: no text captured]

  39. Collecting Server Information with whois
  • Domain name information is stored in a database
    • Database maintained by the domain registrar
    • whois queries the database to learn about a domain
  • Two-step process for learning about a domain
    • Use the whois command against the domain of interest
      • Example: $ whois byu.edu
      • whois queries the main whois server, whois.internic.net
      • Query results point you to the registrar and other information
    • Use the whois server named in the query results in a second query
      • Example: $ whois -h whois.educause.net byu.edu
      • Provides more details, such as the IP addresses of the name servers

  40. Linux Telephony
  • Managing your telephone system using Linux
    • The computer must be connected to the telephone system
    • Use hardware cards to connect phone lines to the computer
    • Telephony software manages a particular task
  • Implementations of Linux telephony
    • Fax server: HylaFax, eFax, sendfax
    • Video and audio conferencing compatible with Microsoft NetMeeting
    • Voice over IP (VoIP): digitizes phone calls and carries them over IP
  • Abundant telephony resources on the Web
    • Example: download gPhoneMan (tracks calls)

  41. [Figure slide: no text captured]

  42. [Figure slide: no text captured]

  43. Understanding Mailing Lists and News Servers
  • Methods for sharing information with a large group
  • Mailing list: a group of users connected via e-mail
  • How a mailing list works
    • Send an e-mail message (post it) to the list's address
    • The Mailing List Manager (MLM) forwards the message to every user on the list
  • How to become a member of a mailing list
    • Subscribe to the list
    • The mailing-list software adds your e-mail address to the list
    • Unsubscribe from the list for removal

  44. Understanding Mailing Lists and News Servers (continued)
  • Tasks automated by mailing-list software
    • Subscribing, unsubscribing, sending messages
  • Advantage of mailing-list software
    • Saves the user's time by automating mailing tasks
  • Two types of moderated e-mail list
    • The list administrator approves each subscription
    • The administrator originates or approves each posted e-mail
  • Other features of an MLM
    • Digest (message summary) options
    • Archiving options
    • Mail delivery options

  45. Understanding Mailing Lists and News Servers (continued)
  • Newsgroups: an alternative to mailing lists
    • Messages (postings) are handled by NNTP (not SMTP)
    • NNTP: Network News Transport Protocol
  • A newsgroup's postings are like a bulletin board
    • Accessing a newsgroup does not involve a subscription
    • Provide the name of the newsgroup server to the news client
  • More free-form than mailing lists
    • Most impose no control on topics

  46. Using majordomo for Mailing Lists
  • majordomo package: a collection of Perl scripts
    • Interacts with the sendmail mail server
    • Creates automated mailing lists
  • Configuring majordomo
    • Create a user and group ID for majordomo
    • Use majordomo's wrapper to create a new mailing list
      • Include the administrative password, owner e-mail address, and description
  • How to manage complex configuration issues
    • View the instructions in the documentation directory
    • Consider using a graphical tool, such as Webmin

  47. Using majordomo for Mailing Lists (continued)
  • Using Webmin to facilitate configuration
    • Launch the Webmin program
    • Go to Majordomo List Manager under the Servers tab
    • Designate the list owner in the Owner e-mail address field
      • Each mailing list requires a list manager (owner)
      • majordomo will report problems to the list owner
    • Create a new list using "Add a new mailing list"
  • The portion of configuration involving sendmail
    • Set up aliases in sendmail for the lists you create
      • Example: linux-security@rome.myplace.net
      • Enables users to interact with the list called linux-security

  48. [Figure slide: no text captured]

  49. Using majordomo for Mailing Lists (continued)
  • Send a message to majordomo at the host for help or a list of lists
    • Queries go to majordomo@rome.myplace.net
    • Query 1: help as the body of the message
      • Returns the format and commands for interaction
    • Query 2: lists as the body of the message
      • Returns the list of mailing lists hosted on the server
  • The list owner can interact with majordomo via e-mail
    • Both the list owner and ordinary users can issue commands to majordomo
    • Owner-specific commands require the administrative password

  50. Using Other Mailing List Managers
  • LISTSERV: the most widely used MLM in the world
    • Available for purchase from L-Soft (www.lsoft.com)
    • Advantages of LISTSERV
      • Scalability for huge mailing lists
      • Flexible security features
      • Web-based configuration and maintenance interface
  • ListProc: another commercial MLM
    • Available for purchase from ListProc (www.listproc.net)
    • Features
      • Graphical configuration tools
      • Security enhancements, such as password protection
      • Ability to delete invalid e-mail addresses
