CT 320: Network and System Administration
Network Services
Colorado State University, Computer Science Department
Chris Wilcox, Fall 2012
Original slides from Dr. James Walden at Northern Kentucky University.
Topics • Name/address resolution • Service selection • Enabling/disabling services • xinetd • TCP Wrappers CT 320: Fall Semester 2012
Name Resolution
• Translate human-readable names to network addresses.
• HOSTS.TXT
  • Name translation for the entire Internet in the 1970s and early 1980s.
  • A single file distributed from a single host.
  • Did not scale: the network changed before the file could be distributed everywhere.
• DNS (Domain Name System)
  • Designed in 1983 to resolve those scalability issues (RFC 882 and RFC 883).
  • Distributed database: many files, many servers.
  • Allows local control of each segment (zone) of the namespace.
/etc/hosts
Maps hostnames to IP addresses. Each line is an address followed by the canonical name and any aliases:
127.0.0.1 localhost
10.30.10.15 myhost.nku.edu myhost me
10.30.10.22 xerxes.nku.edu xerxes logsvr
10.30.10.33 darius.nku.edu darius
10.30.10.42 cyrus.nku.edu cyrus
10.30.10.55 ntp.nku.edu ntp-server
10.30.10.57 artaxerxes.nku.edu
/etc/hosts
• Oldest, simplest means of name resolution.
• Derived from the original HOSTS.TXT file.
• Available during the boot process, before DNS is reachable.
• Available when DNS is down.
• Store essential name mappings here for reliability.
• Can be shared between hosts: rsync, NIS, LDAP, etc.
• When nsswitch.conf lists files before dns, an entry here silently overrides DNS for every program on the host, so anyone who can write the file can redirect a name; keep it root-owned and watch it for changes.
A minimal /etc/hosts
Name mappings for localhost and the host itself:
127.0.0.1 localhost
10.30.10.15 myhost.nku.edu myhost
Name mapping for the default gateway:
10.30.10.1 gw-5.nku.edu gw-5
Name mappings for the name server and the other servers the host needs before DNS works (LDAP, NFS):
10.23.4.250 dns3.nku.edu dns3
10.88.9.253 ldap3.nku.edu ldap3
10.92.5.250 nfs4.nku.edu nfs4
DNS Clients
Configuration file: /etc/resolv.conf
• search: domain suffixes appended to unqualified names.
• nameserver: primary and backup DNS servers, tried in the order listed.
• Usually written by the DHCP client when DHCP is in use, so manual edits may be overwritten at the next lease.
Example:
search nku.edu
nameserver 172.28.10.29
nameserver 172.28.10.30
DNS Lookups
> host www.google.com
www.google.com is an alias for www.l.google.com.
www.l.google.com has address 216.239.37.104
www.l.google.com has address 216.239.37.99
> host www.nku.edu
www.nku.edu has address 192.122.237.7
Choosing services
Configuration file: /etc/nsswitch.conf
Controls where the Name Service Switch looks for data about:
• User accounts and groups.
• Hostnames and IP addresses.
• Network configuration (networks, protocols, services, RPC).
• E-mail addresses and cryptographic keys.
Potential data sources, listed per database in the order they are tried:
• files (usually under /etc)
• compat
• NIS or NIS+
• LDAP
• DNS
Choosing services
# /etc/nsswitch.conf
#
# Example cfg of GNU Name Service Switch functionality.
passwd: compat
group: compat
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
The hosts line means /etc/hosts is consulted first and DNS is queried only if the name is not found there.
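The lookup order the hosts line above configures, as an added example written for this page (not glibc code): a small resolver that parses the 'hosts:' line of nsswitch.conf and an /etc/hosts file, tries the sources in the configured order, and includes a check for /etc/hosts entries that disagree with DNS. The nsswitch line, the hosts file and the DNS answer table are constructed sample data; the 'dns' source is an in-memory dictionary standing in for a real query.

```python
"""Resolve a hostname the way the GNU Name Service Switch does for the 'hosts:'
database: try each source named on the 'hosts:' line of nsswitch.conf, in the
order written, and stop at the first source that answers.

Added illustration for this page, not glibc code. The 'files' source is backed by
/etc/hosts syntax parsed from a string; the 'dns' source is a constructed in-memory
table standing in for a real resolver. Action clauses such as [NOTFOUND=return]
and the other sources (nis, ldap, ...) are recognised but not modelled.
"""


def parse_hosts(text):
    """Parse /etc/hosts lines of the form 'address canonical-name [alias ...]'.

    Returns {name_lower: address}. When a name appears on several lines the
    first line wins, which is what the files backend returns for a lookup.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        addr, *names = line.split()
        if not names:
            raise ValueError(f"/etc/hosts line has an address but no name: {raw!r}")
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def hosts_sources(nsswitch_text):
    """Return the ordered source list from the 'hosts:' line of nsswitch.conf."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    raise ValueError("nsswitch.conf has no 'hosts:' line")


def resolve(name, nsswitch_text, hosts_text, dns_table):
    """Walk the configured sources; return (address, source) or (None, None)."""
    name = name.lower()
    for source in hosts_sources(nsswitch_text):
        if source.startswith("["):
            continue                               # action clause, ignored here
        if source == "files":
            hit = parse_hosts(hosts_text).get(name)
        elif source == "dns":
            hit = dns_table.get(name)              # stand-in for a DNS query
        else:
            hit = None                             # nis, ldap, ...: not modelled
        if hit:
            return hit, source
    return None, None


def shadowed_by_hosts_file(hosts_text, dns_table):
    """Names whose /etc/hosts address disagrees with DNS.

    With 'hosts: files dns' such an entry silently wins over DNS for every
    program on the host, so this is a cheap tamper check for /etc/hosts.
    """
    local = parse_hosts(hosts_text)
    return {n: (a, dns_table[n]) for n, a in local.items()
            if n in dns_table and dns_table[n] != a}


# Constructed sample data: the slide's nsswitch.conf line, an /etc/hosts with one
# suspicious extra entry, and a fake DNS answer table.
NSSWITCH = "passwd: compat\nhosts: files dns\nnetworks: files\n"
HOSTS = """\
127.0.0.1      localhost
10.30.10.15    myhost.nku.edu myhost me
10.30.10.22    xerxes.nku.edu xerxes logsvr
198.51.100.9   updates.example.com   # not in the minimal file: who added this?
"""
DNS = {
    "www.nku.edu": "192.122.237.7",
    "myhost.nku.edu": "10.30.10.15",
    "updates.example.com": "203.0.113.20",
}


if __name__ == "__main__":
    for q in ("myhost", "logsvr", "www.nku.edu", "updates.example.com", "nope"):
        print(q, "->", resolve(q, NSSWITCH, HOSTS, DNS))
    print("shadowed:", shadowed_by_hosts_file(HOSTS, DNS))
```

Swapping the order to "hosts: dns files" makes the planted updates.example.com entry lose to DNS, which is exactly why the order on that line, and write access to /etc/hosts, matter.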
Network Services
Enable/disable immediately:
service name start
service name stop
Enable/disable service start at boot time:
chkconfig --level <runlevels> name on
chkconfig --level <runlevels> name off
Service files:
• Service start/stop script: /etc/init.d/name
• Service config files: /etc/sysconfig, /etc
• Symlinks that init follows for each runlevel: /etc/rc.d/rc<level>.d/S##name (start) and /etc/rc.d/rc<level>.d/K##name (kill), where ## is the two-digit ordering priority.
Disable every service the host does not need: each listening service is attack surface.
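The S##name/K##name convention decoded, as an added example written for this page (not chkconfig or any distribution's init code): it walks an /etc/rc.d tree, reports which services start or stop at each runlevel in the order init would run the links, and so gives the same view as chkconfig --list. The tree, its four services and their priorities are constructed in a temporary directory so the script runs unprivileged without touching the real system.

```python
"""Decode SysV init's /etc/rc.d/rc<level>.d symlinks into a per-runlevel table of
which services start (S##name) and which are stopped (K##name), the information
'chkconfig --list' summarises and 'chkconfig --level' changes.

Added illustration for this page; it is not chkconfig or any distribution's init
code. It builds a constructed /etc/rc.d tree under a temporary directory, so it
runs unprivileged and never touches the real system.
"""
import os
import re
import tempfile

LINK_RE = re.compile(r"^([SK])(\d\d)(.+)$")   # S55sshd -> ('S', '55', 'sshd')


def read_runlevel(rc_dir):
    """Return [(action, priority, service)] in the order init would run them:
    all K links first, then all S links, each by ascending two-digit priority."""
    entries = []
    for name in sorted(os.listdir(rc_dir)):
        m = LINK_RE.match(name)
        if not m or not os.path.islink(os.path.join(rc_dir, name)):
            continue                         # README, stray copies, etc.
        entries.append((m.group(1), int(m.group(2)), m.group(3)))
    entries.sort(key=lambda e: (e[0] != "K", e[1], e[2]))
    return entries


def boot_matrix(etc_rc):
    """{service: {runlevel: 'on' | 'off'}} over rc0.d .. rc6.d; a level without
    a link for the service is left out of its row."""
    matrix = {}
    for level in range(7):
        rc_dir = os.path.join(etc_rc, f"rc{level}.d")
        if not os.path.isdir(rc_dir):
            continue
        for action, _prio, svc in read_runlevel(rc_dir):
            matrix.setdefault(svc, {})[level] = "on" if action == "S" else "off"
    return matrix


def enabled_at(matrix, level):
    """Services with an S link at the given runlevel, sorted by name."""
    return sorted(s for s, row in matrix.items() if row.get(level) == "on")


# Constructed layout: service -> (start priority, runlevels where it starts).
# Every other runlevel gets the conventional K link with priority 100 - start.
SAMPLE = {
    "sshd":   (55, {2, 3, 4, 5}),
    "xinetd": (56, {3, 4, 5}),
    "ntpd":   (58, {2, 3, 4, 5}),
    "cups":   (56, {5}),
}


def build_sample_tree(root):
    """Create init.d scripts and rc<level>.d symlinks for SAMPLE; return etc/rc.d."""
    etc_rc = os.path.join(root, "etc", "rc.d")
    os.makedirs(os.path.join(etc_rc, "init.d"))
    for svc, (prio, on_levels) in SAMPLE.items():
        with open(os.path.join(etc_rc, "init.d", svc), "w") as f:
            f.write("#!/bin/sh\n# stand-in for the real init script\n")
        for level in range(7):
            rc_dir = os.path.join(etc_rc, f"rc{level}.d")
            os.makedirs(rc_dir, exist_ok=True)
            link = f"S{prio:02d}{svc}" if level in on_levels else f"K{100 - prio:02d}{svc}"
            os.symlink(os.path.join("..", "init.d", svc), os.path.join(rc_dir, link))
    return etc_rc


def audit_sample():
    """Build the sample tree; return (matrix, ordered rc3.d entries)."""
    with tempfile.TemporaryDirectory() as root:
        etc_rc = build_sample_tree(root)
        return boot_matrix(etc_rc), read_runlevel(os.path.join(etc_rc, "rc3.d"))


if __name__ == "__main__":
    matrix, rc3 = audit_sample()
    for svc, row in sorted(matrix.items()):
        print(f"{svc:8}", " ".join(f"{lvl}:{row[lvl]}" for lvl in sorted(row)))
    print("rc3.d execution order:", rc3)
```

Pointing boot_matrix at a real /etc/rc.d (read-only, no root needed) is a quick way to list what starts at runlevels 3 and 5 before deciding what to chkconfig off.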
xinetd superserver
• Manages low-resource services: few connections, or little work per connection.
• Handles the network side (listening and accepting) and hands the connection to the service.
• Examples: telnet, ftp, daytime, echo
Additional features:
• Access control: per-service only_from and no_access in its own configuration, plus TCP Wrappers (/etc/hosts.{allow,deny}) when built with libwrap.
• Logging.
• Resource management (connection and rate limits).
TCP Wrappers
Provide host-based access control for any service linked with libwrap.
To check whether a program uses it:
strings -f program | grep hosts_access
ldd program | grep libwrap
Examples: portmap, sshd, xinetd.
How does it work?
• Checks the access control lists for the service.
• Logs the connection (via syslog).
• If permitted, runs the server process for the service.
TCP Wrappers
• Checks /etc/hosts.allow
  If any rule matches, allows access.
  If no rule matches, goes to the next step.
• Checks /etc/hosts.deny
  If any rule matches, denies access.
  Otherwise, allows access.
Within each file the first matching rule wins and the search stops.
Typically the last rule in hosts.deny denies access to all (ALL: ALL), so anything not explicitly allowed is refused.
An empty or missing hosts.deny means every unmatched connection is allowed: the default-open pitfall to avoid.
Access Control Lists
<daemon list>: <client list> [: <option>: <option>: ...]
• <daemon list>: a comma-separated list of process names (not service names) or the ALL wildcard.
• <client list>: a comma-separated list of hostnames, host IP addresses, special patterns, or special wildcards.
• <option>: an optional action, or a colon-separated list of actions, performed when the rule is triggered.
Option fields can allow or deny access, log access attempts, and even run shell commands.
Wildcards
• ALL: matches everything. It can be used in both the daemon list and the client list.
• LOCAL: matches any host whose name does not contain a period (.), such as localhost.
• KNOWN: matches any host where the hostname and host address are known, or where the user is known.
• UNKNOWN: matches any host where the hostname or host address is unknown, or where the user is unknown.
• PARANOID: matches any host whose hostname does not match its host address (forward and reverse lookups disagree).
Hostname patterns and the KNOWN/UNKNOWN/PARANOID wildcards depend on reverse DNS, which the client's network operator controls; prefer address patterns where you can.
EXCEPT Operator
• Excludes a service, or an IP/host pattern, from a list.
• Examples:
  ALL: .ex.com EXCEPT evil.ex.com
  (all services, from any host in ex.com except evil.ex.com)
  ALL EXCEPT vsftpd: 192.168.0.
  (every service but vsftpd, from addresses beginning 192.168.0.; the trailing dot is part of the pattern)
ACL Examples
• vsftpd : .example.com
  Permits or denies access to vsftpd from hosts in .example.com, depending on whether it appears in hosts.allow or hosts.deny.
• sshd : .example.com \
  : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \
  : deny
  Denies access no matter which file it appears in, because the deny option overrides the file.
  spawn runs a shell command when the rule fires; here /bin/echo appends a dated line to /var/log/sshd.log as a manual log entry.
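The hosts.allow / hosts.deny evaluation order, the EXCEPT operator and the option override described on the preceding slides, as an added example written for this page (it is not libwrap's code): a small evaluator that reads both files, matches the daemon and client lists the way libwrap does for the patterns the slides list, and reports which file and rule decided each connection. The two sample files are constructed from the slides' rules, the client hostnames and addresses are made up, and spawn commands are kept on the matched rule rather than executed.

```python
"""Evaluate TCP Wrappers access control the way libwrap's hosts_access() does:
search /etc/hosts.allow, then /etc/hosts.deny; the first matching rule in a file
ends the search; an explicit 'allow' or 'deny' option overrides the file the rule
sits in; no match anywhere grants access.

Added illustration written for this page, not libwrap's code. It covers the
patterns the slides list (ALL, LOCAL, '.domain' suffix, 'net.' prefix, EXCEPT)
and leaves out KNOWN/UNKNOWN/PARANOID, net/mask pairs, @netgroups and actually
running 'spawn'/'twist' commands (their text is kept on the returned rule).
"""
import re
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Client:
    host: str   # reverse-resolved hostname; "" when reverse DNS gave nothing
    addr: str   # dotted-quad IPv4 address

@dataclass(frozen=True)
class Rule:
    daemons: str
    clients: str
    options: Tuple[str, ...]

def parse_rules(text):
    """'<daemon list>: <client list> [: option : option ...]' per line;
    backslash-newline continues a rule and '#' starts a comment."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(fields[0], fields[1], tuple(fields[2:])))
    return rules

def _list_matches(text, pred):
    """'a b EXCEPT c d' matches when (a or b) does and (c or d) does not;
    an EXCEPT inside the remainder nests to the right, hence the recursion."""
    head, sep, rest = re.sub(r"\s+", " ", text.strip()).partition(" EXCEPT ")
    hit = any(pred(t) for t in re.split(r"[,\s]+", head) if t)
    return (hit and not _list_matches(rest, pred)) if sep else hit

def _client_matches(tok, client):
    host = client.host.lower()
    if tok == "ALL":
        return True
    if tok == "LOCAL":                      # name without a dot, e.g. "build01"
        return host != "" and "." not in host
    if tok.startswith("."):                 # ".example.com": any host in the domain
        return host.endswith(tok.lower())
    if tok.endswith("."):                   # "192.168.0.": address prefix
        return client.addr.startswith(tok)
    return tok.lower() == host or tok == client.addr

def hosts_access(daemon, client, allow_text, deny_text):
    """daemon is the process name (argv[0] basename), e.g. 'sshd'.
    Returns (verdict, source, rule) with source hosts.allow, hosts.deny or default."""
    for source, text, file_verdict in (("hosts.allow", allow_text, "allow"),
                                       ("hosts.deny", deny_text, "deny")):
        for rule in parse_rules(text):
            if (_list_matches(rule.daemons, lambda t: t in ("ALL", daemon))
                    and _list_matches(rule.clients, lambda t: _client_matches(t, client))):
                verdict = file_verdict
                for opt in rule.options:    # explicit allow/deny beats the file
                    if opt in ("allow", "deny"):
                        verdict = opt
                return verdict, source, rule
    return "allow", "default", None

# Constructed sample files built from the slides' rules.
HOSTS_ALLOW = """\
sshd: .badnet.example \\
    : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \\
    : deny
sshd: .example.com EXCEPT evil.example.com
ALL EXCEPT vsftpd: 192.168.0.
sshd: LOCAL
"""
HOSTS_DENY = "ALL: ALL\n"   # customary last rule: deny whatever was not allowed

def demo():
    """Run the sample clients through the sample files; {(daemon, who): (verdict, source)}."""
    cases = [("sshd", Client("alice.example.com", "192.0.2.10")),
             ("sshd", Client("evil.example.com", "192.0.2.66")),
             ("sshd", Client("c2.badnet.example", "198.51.100.7")),
             ("httpd", Client("", "192.168.0.5")),
             ("vsftpd", Client("", "192.168.0.5")),
             ("sshd", Client("build01", "192.168.5.7")),
             ("sshd", Client("mail.example.org", "203.0.113.9"))]
    results = {}
    for daemon, client in cases:
        verdict, source, _rule = hosts_access(daemon, client, HOSTS_ALLOW, HOSTS_DENY)
        results[(daemon, client.host or client.addr)] = (verdict, source)
    return results

if __name__ == "__main__":
    for (daemon, who), (verdict, source) in demo().items():
        print(f"{daemon:7} {who:22} {verdict:5} ({source})")
```

Running demo() with HOSTS_DENY set to an empty string shows the default-open behaviour: evil.example.com, vsftpd from 192.168.0.5 and mail.example.org all flip to allow, which is why the ALL: ALL line belongs in hosts.deny.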