
LinuxCBT feat. SUSE 10 Enterprise Edition Training Notes

2011-08-05


LinuxCBT feat. SUSE 10 Enterprise Edition

Training Notes – 20061002.01

Table of Contents

Boot Process

Basic GNU/Linux/UNIX Command Line Interface (CLI) Utilities

Standard Linux Shell Rules

Secure Shell (SSH)

Virtual Network Computing (VNC)

RDesktop Client (RDP)

Name Resolution Utilities

NETSTAT

IFCONFIG

RPM

User & Group Creation/Management

File Permissions

Symbolic Links (Shortcuts)

Provisioning of additional file systems/mount points

RAID Partitions

Logical Volume Management - Disk Aggregation Mechanism

SWAP Storage Provisioning

SYSLOG-NG Implementation

Log Rotation

Cron - System Scheduler

Network Time Protocol (NTP)

BIND DNS Configuration

DHCPD - Server

Samba Services - Integrates Windows with Unix/Linux

Samba Web Administration Tool (SWAT)

Network File System (NFS)

Remote Synchronization (RSYNC)

Apache HTTPD - Web Server

Apache Logging

Virtual Hosts (VHOSTS)

MySQL Implementation

PHPMyAdmin - Implementation

Postfix MTA

Courier-MTA - IMAP

SquirrelMail - Web-based Mail integration

Pure-FTPD

Xen Virtualization

XINETD - Super Server

TCP Wrappers - tcpd

IPTables Implementation & Operation

IPTables Usage

Network Mapper (Nmap)

Nessus - Vulnerability Scanner

TCPDump - Packet Sniffer

Ethereal - Network Analysis Tool

Snort Network Intrusion Detection System (NIDS)

BASE Installation

Boot Process

1. BIOS - Initializes hardware

2. Grand Unified Boot Loader (GRUB) - Stage 1(Master Boot Record - 512 bytes) -> Stage 1.5(File system drivers (XFS,EXT2,EXT3,ReiserFS))

3. OS (Linux) Kernel - Initializes/Detects/provides support for hardware

4. INIT(PID=1) - Loads services for various run levels (cumulative)

###INIT - The First User-mode Process###

/etc/inittab

Runlevel (0-6) Definitions:

0 - shutdown

1 - single user mode - NO Networking

2 - Multi-user, minus NFS & networking

3 - Multi-user

4 - Unused, reserved for ISVs, or for customization

5 - Multi-user with graphics (X11/X.org)

/etc/init.d/runlevel directory (/etc/init.d/rc5.d)

- Contains symlinks to programs in /etc/init.d

+ prefixed with K(Kill) or S(Started)

- Each service/daemon is started/killed in numerical order; i.e. K01acpid, K09apmd

Basic GNU/Linux/UNIX Command Line Interface (CLI) Utilities

tty = reveals current Teletype Terminal (TTY)

w = reveals currently logged-in sessions

ls/dir(alias to ls -l)

ls -lF - returns long format and '/' at the end of directories

ls -lF | grep /

touch - creates empty files / updates time stamps(atime/mtime) on objects

rm - removes objects (files/directories/etc.)

echo - echoes values and variables

echo $? - returns exit status of previously-executed command

set || env - reveals current shell variables

pwd - returns working directory

cd - changes directories; with no options, places us in HOME directory

mkdir - creates a directory

whoami - returns currently logged-in user

su - switches users

BASH communicates user-status (privileged/non-privileged) via the prompt:

1. prompt that terminates with '#' reflects 'root' user

2. non '#' prompt indicates non-root user

id - reveals id information (uid,gid,groups)

cp - copies files(files/directories)

mv - moves/renames files, and tries to preserve timestamp

stat - returns properties (size,inode,atime,mtime,ctime,perms,etc.) of files

Standard Linux Shell Rules

STDIN - Standard In - Default = Keyboard - '<'

STDOUT - Standard Out - Default = Monitor - '>'

STDERR - Standard Error - Default = STDOUT - '2>'

ls deano.txt 2> error.txt

grep linuxcbt 2>&1

File Descriptors:

0 = STDIN

1 = STDOUT

2 = STDERR

Piping - permits the connection of STDOUT & STDIN

cat test2.txt | grep directories | grep removes

Command Chaining - permits execution of multiple commands

command1 && command2 - runs command2 IF command1 is successful (logical AND)

command1 || command2 - runs command2 IF command1 fails

command1 ; command2 ; command3 - all commands execute
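A worked demonstration of the redirection, exit-status and chaining rules above. This is an added example, not part of the original LinuxCBT notes; it assumes a POSIX shell with mktemp and ls, and the scratch directory and file names it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: STDOUT/STDERR redirection,
# exit status ($?) and && / || chaining, exercised against files in a
# scratch directory (all paths below are constructed for the demo).

SCRATCH=$(mktemp -d)
printf 'alpha\nbeta\n' > "$SCRATCH/present.txt"

# run_split CMD... : STDOUT (fd 1) -> out.txt, STDERR (fd 2) -> err.txt.
# Prints the command's exit status instead of letting "set -e" abort on it.
run_split() {
    status=0
    "$@" > "$SCRATCH/out.txt" 2> "$SCRATCH/err.txt" || status=$?
    echo "$status"
}

# run_merged CMD... : "2>&1" points STDERR at whatever STDOUT currently is,
# so both streams land in merged.txt. Order matters: ">file 2>&1" merges,
# "2>&1 >file" would leave STDERR on the terminal and send only STDOUT to the file.
run_merged() {
    status=0
    "$@" > "$SCRATCH/merged.txt" 2>&1 || status=$?
    echo "$status"
}

# count_lines FILE : line count without the padding some wc builds emit
count_lines() {
    wc -l < "$1" | tr -d ' '
}

# chain_demo FILE : && runs the second command only when the first succeeds,
# || only when it fails, so exactly one of the two words is printed.
chain_demo() {
    ls "$1" > /dev/null 2>&1 && echo "and-ran" || echo "or-ran"
}

# Walk-through:
#   ls of an existing file -> status 0, err.txt stays empty
#   ls of a missing file   -> non-zero status, the message is in err.txt only
run_split ls "$SCRATCH/present.txt" > /dev/null
run_split ls "$SCRATCH/missing.txt" > /dev/null
echo "stderr lines captured: $(count_lines "$SCRATCH/err.txt")"
echo "chain on present file: $(chain_demo "$SCRATCH/present.txt")"
echo "chain on missing file: $(chain_demo "$SCRATCH/missing.txt")"
```

The `|| status=$?` idiom is what makes the helpers safe under `set -e`: the failing command sits on the left of an OR list, so the shell records its status rather than aborting the script.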

###More Key Shell Commands###

file - determines the type of file queried

which - identifies location in path of queried program

history - returns list of recently-run commands up to $HISTSIZE=1000

~/.bash_history - stores the user's history of commands

ps -ef - returns ALL running programs - UID,PID,PPID,STIME,etc.

top - returns top running programs

Common Clients - FTP,LFTP,Wget,SSH

FTP - interactive client used to connect to FTP servers

LFTP - supports many protocols (HTTP/FTP/HTTPS/etc.) and runs interactively/non-interactively(scripted)

Wget - supports many protocols, however, runs non-interactively

wget http://192.168.1.197/SUSE10/suse/i586/MozillaFirefox-1.5.0.4-1.9.i586.rpm

wget ftp://linuxcbt:abc123@linuxcbtmedia1/1million.txt

###Other basic utilities###

tar with gzip & bzip2 support

tar -czvf 1million.tgz 1million.txt

tar -cjvf 1million.bz2 1million.txt

Secure Shell (SSH)

SSH - provides encrypted communications for Telnet/FTP-like sessions

First outbound SSH connection yields ~/.ssh/known_hosts (lists trusted hosts)

File is appended as new connections are established

PKI - Password-less Login

Must generate RSA/DSA PKI (Public/Private) keys - 'ssh-keygen'

Note: public key is used to encrypt information to recipient

Note: private key is used to decrypt information received

Note: keys are user and host specific

ssh-copy-id -i ~/.ssh/id_rsa.pub linuxcbtsuse2

SCP - SFTP - SSH

SCP - performs non-interactive, LFTP/Wget-like, file transfers

scp source_file destination_file:

scp linuxcbtsuse2:path_to_file local_path (.//tmp)

SFTP - performs interactive, FTP-like transfers

sftp linuxcbtsuse2 - connects as 'linuxcbt' to remote system

sftp root@linuxcbtsuse2 - connects as 'root' to remote system

ALL sessions/transports are encrypted

Virtual Network Computing (VNC)

Note: Cross-platform capable

- client (Windows/MAC OS X/Linux/Solaris/Unix)

- client can differ from server

vncviewer - primary VNC client application

RDesktop Client (RDP)

- Permits easy connections to Windows 2000/2003/TS4/XP Boxes

rdesktop -g 640x480 -a 16 192.168.1.102

Other key network utilities/clients

PING - uses ICMP to probe hosts on local and/or remote subnets

- Default in Linux is to PING continuously

- Default PING size = 64 bytes

- Default interval = 1 second

- Default Time To Live (TTL) = 64

- PING sends ICMP(Echo) Packets & expects ICMP(Echo Reply) in return

- ping linuxcbtsuse2

Traceroute - maps the network between 2 hosts by displaying routers

Note: traceroute determines that host is router when the TTL is decremented,

and, indicates as such in its output

traceroute destination - traceroute 192.168.1.102

Note: some firewalls will NOT decrement the TTLs in ICMP packets

Matt's Traceroute (MTR)

Address Resolution Protocol (ARP) - reveals ARP table - layer-2 addresses

arp

ARP resolution example:

linuxcbtsuse2 (Layer-4) -> 192.168.1.197 (Layer-3) -> 00:12:3F:10:C6:93 (Layer-2)

www.insecure.org - Nmap - to find list of security utilities

Name Resolution Utilities

/etc/nsswitch.conf - controls the resolution source/order

ping linuxcbtsuse2 -> hosts(/etc/hosts) -> DNS

/etc/nsswitch.conf

-hosts: files(/etc/hosts) dns(/etc/resolv.conf)

DIG - dig

- queries standard DNS servers

- dig linuxcbtsuse2.linuxcbt.internal

- dig www.linuxcbt.com - queries local DNS server for this forward record

- dig linuxcbt.com mx - returns MX record type

- dig -x 192.168.1.100 - performs reverse query

- dig @ns1.linuxgenius.com www.linuxcbt.com

- host www.linuxcbt.com - returns A|CNAME records & IP address

- hostname - returns local short hostname

- hostname -f returns Fully-Qualified Domain Name (FQDN)

NETSTAT

- displays open sockets - client(1)SYN -> server(2)SYN-ACK -> client(3)ACK -> ESTABLISHED

Usage:

- netstat - displays open sockets with name resolution

- netstat -n displays open sockets without name resolution

Note: names are resolved using a combination of /etc/hosts & DNS

Note: services(ftp/http/etc.) are resolved via /etc/services

Note: protocols(tcp/ip/udp/unix/etc.) are resolved via /etc/protocols

client <-> server

man netstat - explore socket states

Important states:

- ESTABLISHED

- LISTEN

- SYN_SENT - waiting for SYNACK from remote system

- SYN_RECV - unable to respond to SYN_SENT

- FIN_WAIT1 - awaiting shutdown of socket

-netstat -a - reveals ALL protocols

-netstat -i - displays network interfaces

-netstat -s - displays protocol stats

-netstat -rn

-netstat -nl - netstat -ntl - netstat -nul

IFCONFIG

-ifconfig eth2 down - downs the eth2 interface

-ifconfig -a - displays ALL(active/inactive) interfaces

-ifconfig eth2 172.20.10.1

Note: changes to inactive interfaces usually activates the interface

Note: omitting the subnet mask when defining an interface will cause Linux to derive both subnet mask and broadcast addresses based on class rules.

-ifconfig eth2 172.20.10.1 netmask 255.255.255.0

Alias/sub-interface configuration:

-ifconfig eth0:1 192.168.1.41 /24 - 255.255.255.0

-ifconfig eth0:2 192.168.1.42

Note: /etc/sysconfig/network - stores interface and global network configuration files

RPM

- permits the categorization/installation/upgrade/freshen/removal of packages

Query existing packages:

-rpm -qa - lists ALL installed packages

- rpm -ql name_of_package; i.e. rpm -ql rdesktop

- rpm -qpl package_name - queries package on file system

Install packages:

-rpm -ivh - installs packages

-rpm -Uvh - upgrades/installs packages

Remove packages:

-rpm -e - removes package

Freshen packages:

- package will be updated ONLY if it already exists

-rpm -Fvh package_name

User & Group Creation/Management

Note: /etc/passwd is the default user database

-linuxcbt:x:1000:100:linuxcbt:/home/linuxcbt:/bin/bash

-username:shadow_file(x):UID:GID(Primary):Description/Full Name:Home Directory:Shell

Note: /etc/skel houses template files to be copied to ALL newly-created users using YaST

Manual user creation:

-useradd username

Manual group creation:

-groupadd groupname

Note: create group(s) first, then create user, assigning user to group(s)

usermod/groupmod

File Permissions

10-bits represent permissions and file type

Directory = drwxrwxrwx = 777 = FULL permissions

File = - rwx rwxrwx = 777 = FULL permissions

bit 1 = placeholder for object type (file/directory/character/block device/etc.)

bits 2,3,4 = placeholder for permissions for the owner of the object

bits 5,6,7 = placeholder for permissions associated with group owner of the object

bits 8,9,10 = placeholder for ALL else

drwxr-xr-x 2 linuxcbt users 168 2006-09-08 11:22 temp2

rwx=7, r-x=5, r-x=5 = 755

-rw-r--r-- 1 linuxcbt users 1736 2006-09-06 12:01 test2.txt

rw-=6, r--=4, r--=4 = 644

Note: As per the default umask, default for directories = 755, and files = 644

Note: directories require 'x' permission to permit entry

umask = 0022

Effective default permissions = Total permissions(777) - umask(0022)

777 = 0777

0777

0022

0755 = effective default directory permissions

0644 = rw, r, r

The 'x' bit applied to files means the file is executable, however, applied to directories, permits entry into the directory.

Octal values for permissions:

r = 4

w = 2

x = 1

Total = 7

Change permissions using 'chmod'

-rw-r--r-- 1 linuxcbt users 588895 2006-09-08 15:27 Salaries.xls

rw,r = 640

chmod 640 Sal* && ls -l Sal*

Note: root ALWAYS has access to ALL files

chmod 600 Sal* && ls -l Sal*

chmod 744 temp2

ls -ld temp2 - enumerates permissions, ownership, etc. associated with 'temp2' directory

chmod u+rw,g+r,o+r = 644

u = user/owner of object

g = group ""

o = other ""

a = u,g,o

chmod a-r Salaries.txt

Change Ownership of objects (files & directories) using 'chown'

chown linuxcbt test.txt

chown user.group object

chown linuxcbt.project1 test.txt

SETUID

Used to impersonate another user; usually root

test_script.pl, test_script.sh

-rw-r--r-- 1 linuxcbt users 588895 2006-09-08 15:27 Salaries.xls

0644

Note: leading bit can represent SETUID(4) & SETGID(2)

chmod 4644 Salaries.xls

SETUID FILE:

-rwSr--r-- 1 linuxcbt project1 588895 2006-09-08 15:27 Salaries.xls

i.e. /bin/su = SETUID executable

stat object name - returns permissions/metadata about the object

SETGID

Used to force permissions on directories

chmod 2770 project1 && ls -ld project1

Sticky

Used to allow users to share a directory but ONLY manipulate their files: /tmp

'chgrp' is used to change group ownership

Symbolic Links (Shortcuts)

Note: 2-types exist; Soft & Hard

Soft Links:

- Ability to reference objects(files & directories) within & across file systems

ln -s source destination

Note: Soft links reference human-readable file names

Note: Hard links reference distinct Inodes

ln source destination - within the SAME file system, creates a HARD link

Provisioning of additional file systems/mount points

new mount point = /app1

2 - shell utilities can be used to create partitions:

1. fdisk -l

2. parted - defaults to first disk

Note: Extended partitions occupy the remaining space on disk

Note: You may create an extended partition without 3 primary partitions

Typical disk layout on i386-compatible systems:

1. Primary

2. Primary

3. Primary

4. Extended - occupies remaining cylinders on disk

- n number of logical partitions beginning with #5; i.e. /dev/sdb5

Note: newly-created mount points need NOT exist off the root of the file system

Note: every file system contains a 'lost+found' directory to house orphaned files

RAID Partitions

/, /boot = standard(ext3/reiserfs) non-LVM, non-RAID partitions

All other partitions/mount points should be RAID/LVM

RAID-0 - Partitions - Offers speed, but NO REDUNDANCY

- Requires at least 2 partitions/disks

- Creates a partition that spans 2 partitions/disks

Note: Create RAID/LVM partitions using separate disks to realize performance benefits

- Must create unformatted partition types of 0xFD(Linux RAID) or 0x83(Linux)

- RAID-0 partitions need NOT be identical in size

Note: DO NOT format individual RAID component partitions

RAID-0 (10GB) - /raidvolumes/app2

-/dev/sdb6 (5GB)

-/dev/sdc7 (5GB)

Note: first RAID volume is created @ /dev/md0 (/raidvolumes/app2)

RAID-1 - Partition (5GB) - /raidvolumes/app3

-/dev/sdb7 (5GB)

-/dev/sdc8 (5GB)

/dev/md1

RAID-5 Partition (10GB) - /raidvolumes/app4

-/dev/sda3 (5GB)

-/dev/sdb8 (5GB)

-/dev/sdc9 (5GB)

/dev/md2

Logical Volume Management - Disk Aggregation Mechanism

- Facilitates the aggregation of various sized volumes into usable storage

- Allows dynamic resizing volumes

- Use LVM/RAID for non-root (/) and non-boot (/boot) mount points

Create LVM, underlying/supporting partitions(0x8e/0x83) and DO NOT FORMAT

LVM-VOL1 - 27GB

-/dev/sda3 (10GB)

-/dev/sdb5 (5GB)

-/dev/sdc7 (12GB)

Volume Group(system) - Consists of n volumes

-n logical volumes (typically 1-to-1)

Volume groups facilitate the aggregation of partitions/disks

Logical volumes facilitate the segmentation of volume groups

File system structure for LVM-managed volumes:

/dev/Volume Group Name(represents all partitions/disk)/Logical Volumes(user-accessible)

SWAP Storage Provisioning

free -m

swapon -s - displays current swap space(file(s)/partition(s))

Swap Files

- dd if=/dev/zero of=/swapfile1 bs=1024 count=524288

- mkswap /swapfile1

- swapon /swapfile1

- update /etc/fstab

+ /swapfile1 swap swap defaults 0 0

SYSLOG-NG Implementation

Extends traditional Syslog capabilities

Note: Facilities and Levels are supported to route messages

- Facility - identifies unique source of message

- Levels - identifies the severity of the message

+Debug

+Info

+Notice

+Warning

+Error

+Crit

+Alert

+Emerg

Note: Standard SYSLOG-NG message consists of the following components:

1. Source - where to get messages (Unix Syslog socket/UDP(514))

2. Filtering rules (facilities/levels/pattern matching)

3. Destination (file/other syslog/syslog-ng hosts(UDP/TCP)/Console(TTYs), Unix Datagrams)

Note: Network listening using UDP is disabled by default

level(error..emerg)

Note: &#39;log&#39; directive combines the 3 important components of Syslog-NG:

1. source

2. filter

3. destination

Note: edit /etc/syslog-ng/syslog-ng.conf to enable UDP listener

###Filter to receive info. from Local2###

filter f_cisco_pix { facility(local2); };

###Destination for info. sent to facility local2###

destination d_cisco_pix { file("/var/log/ciscopix.log"); };

###Log Statement to invoke the routing of messages to facility local2###

log { source(src); filter(f_cisco_pix); destination(d_cisco_pix); };

###Log to remote host###

destination d_cisco_pix { file("/var/log/ciscopix.log"); udp("192.168.1.197"); };

Log Rotation

/etc/logrotate.conf - includes all files in /etc/logrotate.d

man logrotate

/var/log/ciscopix.log {

daily

compress

dateext

#maxage 365

rotate 1000

#size=+2048k

notifempty

missingok

copytruncate

postrotate

/etc/init.d/syslog reload

endscript

}

logrotate -f /etc/logrotate.conf - forces log rotation

Cron - System Scheduler

1. Schedule using global scheduler - /etc/crontab (hourly,daily,weekly,monthly)

2. Schedule on a per-user basis - /var/spool/cron (root,linuxcbt,etc.) - crontab

Note: Cron checks the modification time of global and per-user file/directory every minute

Note: /etc/cron.allow and cron.deny are used to control access to cron

m(0-59) h(0-23) dom(1-31) m(1-12) dow(Sun,Mon,Tue or 0-7) user_to_run_job_as command_to_run

Note: for Day of Week (dow) field 0 & 7 are both Sunday

###Global Contab Entry###

#m h dom m dow user command

*/1 * * * * root ping -c 3 linuxcbtsuse2 >> /root/ping_linuxcbtsuse2.txt

*/5 12-16 * * * root ping -c 3 linuxcbtsuse2 >> /root/ping_linuxcbtsuse2.txt

###Per-user Crontabs:###

m(0-59) h(0-23) dom(1-31) m(1-12) dow(Sun,Mon,Tue or 0-7) command_to_run

*/1 * * * * ping -c 3 linuxcbtsuse2 >> /home/linuxcbt/ping_linuxcbtsuse2.txt
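To show how the five schedule fields above are evaluated, here is a small matcher. It is an added example, not part of the original notes; it handles the numeric forms used in the entries above ('*', '*/n', 'a-b', comma lists) and the 0/7 Sunday rule, does not parse day or month names, and applies the Vixie-cron rule that a restricted day-of-month and a restricted day-of-week are ORed. The two schedules it checks at the end are the global crontab entries above.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: evaluate crontab schedule fields.
# Numeric fields only ("*", "n", "a-b", "a-b/s", "*/s", comma lists);
# names such as Sun or Jan are not parsed.

# cron_field_matches FIELD VALUE : exit 0 when VALUE satisfies FIELD.
# Runs in a subshell so the IFS and glob changes do not leak to the caller.
cron_field_matches() (
    field=$1 value=$2
    IFS=','          # split the comma list
    set -f           # keep "*" from expanding to file names
    for part in $field; do
        step=1
        case $part in
            */*) step=${part#*/}; part=${part%/*} ;;
        esac
        case $part in
            '*') lo=0;  hi=99 ;;                  # wide enough for every field
            *-*) lo=${part%-*}; hi=${part#*-} ;;
            *)   lo=$part; hi=$part ;;
        esac
        if [ "$value" -ge "$lo" ] && [ "$value" -le "$hi" ] \
           && [ $(( (value - lo) % step )) -eq 0 ]; then
            return 0
        fi
    done
    return 1
)

# cron_line_matches "MIN HOUR DOM MON DOW" MIN HOUR DOM MON DOW : exit 0 when
# the schedule (the five leading fields of a crontab line) fires at that time.
# Day-of-week 7 is treated as Sunday (0). As in Vixie cron, when both the
# day-of-month and day-of-week fields are restricted (neither starts with "*")
# the line fires if either of them matches.
cron_line_matches() (
    set -f
    set -- $1 "$2" "$3" "$4" "$5" "$6"   # $1..$5 schedule, $6..$10 time
    dow=${10}
    [ "$dow" -eq 7 ] && dow=0
    dom_ok=1; dow_ok=1
    cron_field_matches "$3" "$8" || dom_ok=0
    cron_field_matches "$5" "$dow" \
        || { [ "$dow" -eq 0 ] && cron_field_matches "$5" 7; } || dow_ok=0
    if [ "${3#\*}" != "$3" ] || [ "${5#\*}" != "$5" ]; then
        day_ok=$(( dom_ok && dow_ok ))
    else
        day_ok=$(( dom_ok || dow_ok ))
    fi
    cron_field_matches "$1" "$6" && cron_field_matches "$2" "$7" \
        && cron_field_matches "$4" "$9" && [ "$day_ok" -eq 1 ]
)

# The two global crontab entries from the notes, checked at 12:03, 12:05 and 17:05
for sched in '*/1 * * * *' '*/5 12-16 * * *'; do
    for hm in '12 3' '12 5' '17 5'; do
        set -- $hm
        if cron_line_matches "$sched" "$2" "$1" 8 9 5; then
            printf "'%s' fires at %02d:%02d\n" "$sched" "$1" "$2"
        else
            printf "'%s' does not fire at %02d:%02d\n" "$sched" "$1" "$2"
        fi
    done
done
```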

Network Time Protocol (NTP)

1. Synchronizes your SUSE box

2. creates a hierarchy of synchronizations hosts

There are 16 Strata

1 - most accurate - external time sources (GPS/Radio) are connected

2 - relies upon 1 for synch.

3 - relies upon 2 ...

Note: Try to synch with at least 3 clocks

1 - Externally-connected time source

+2 - 0.pool.ntp.org, 1.pool.ntp.org, ntp0.cornell.edu

-3 Our Clock

+4 Internal hosts relying upon our Stratum-3 clock

chkconfig ntp on - enables upon subsequent reboots NTP service

Note: NTP defaults to localhost for time synchronization

ntpq -np - returns current servers used to synch time

BIND DNS Configuration

Not installed by default

/etc/named.conf - primary configuration file of BIND(caching-only/Primary/Secondary)

BIND runs in the following modes:

1. Caching-only - resolves Internet queries

2. Primary - authoritative for 1 or more zones

3. Secondary - authoritative secondary server for 1 or more zones

client -> linuxcbtsuse1 -> /etc/resolv.conf - > perform query -> return results

Configured linuxcbtsuse2 with BIND and started as a caching-only server

/etc/named.conf

Note: configure 'forwarders' directive to influence named servers used to resolve queries. Otherwise, name servers listed in /etc/resolv.conf will be used.

. = root - top-level domain

com = 2nd-level domain

edu

mil

gov

0.0.127.in-addr.arpa

1.168.192.in-addr.arpa

zone "linuxcbt.internal" in {

type master;

file "linuxcbt.internal.zone";

};

zone "1.168.192.in-addr.arpa" in {

type master;

file "master/192.168.1.zone";

};

###Slave configuration - linuxcbtsuse2(.197)

zone "linuxcbt.internal" in {

type slave;

masters { 192.168.1.40; };

file "slave/linuxcbt.internal.zone";

};

zone "1.168.192.in-addr.arpa" in {

type slave;

masters { 192.168.1.40; };

file "slave/192.168.1.zone";

};

Note: Zone information from primary is stored by default in-memory, slave

DHCPD - Server

Note: Automatic configuration of Layer-3 IP-address information

Uses broadcasts and UDP to exchange configuration information

DORA

D = Discovery - client broadcasts(All FFFFs) for DHCP server on subnet

O = Offer (IP Address configuration information)

R = Response

A = Acknowledgement from server that client accepted offer

DHCP Configuration includes global, subnet-specific and optionally host-specific info

Use YaST2 or configure manually

YaST requires the specification of DHCP interfaces, in order to service the subnet connected to the interface

Note: Default SuSE DHCP Server runs in chrooted environment

DHCPD's root = /var/lib/dhcp

host linuxcbtwin2 {

hardware ethernet 00:10:a4:ed:a0:4d; # appears in DORA process

fixed-address 192.168.1.102;

}

###Very Secure File Transfer Protocol Daemon (VSFTPD)###

Note: Current version of SUSE Enterprise does not supply a YaST object for management

Note: VSFTPD can be invoked with/without XINETD

Note: Default authentication permits 'anonymous' access only

Note: '/srv/ftp' is default 'anonymous' location as per home directory for 'ftp' in /etc/passwd

Note: FTP supports PASSIVE & ACTIVE connections. VSFTPD supports both, by default

Note: FTP connections consist of Control and Data channels

Passive - client -> server(21), then client instructs server to listen to high port for data connection

Active - client -> server(21), then server makes connection to port on client to construct data connections, which is generally denied by most firewalls

Disable anonymous access by setting appropriate /etc/vsftpd.conf directives

Samba Services - Integrates Windows with Unix/Linux

Note: /home shares are dynamically generated for users who connect successfully

Note: /etc/samba/smb.conf - default configuration file for Samba

Note: Samba authenticates users using 2 authentication sources:

1. /etc/samba/smbpasswd - contains Windows-encrypted users/passwords, and, maps Samba users to local Linux users

2. /etc/passwd - stores Linux users

Note: File/directory access rests with Linux OS

Flow of permissions:

1. Samba client(Windows/Linux/Unix) submits Samba User

2. Samba Server attempts to equate submitted user to local Linux user

a. if successful, Samba server performs I/O as mapped user

b. if unsuccessful, Samba server attempts to map submitted user as guest

c. if guest mapping fails, access is denied

Note: /etc/samba/smbusers - maps Samba users to Linux users

Note: use 'smbpasswd -a username' to add Samba users, who are mapped to Linux users

###Samba Authentication Modes###

1. User - uses /etc/samba/smbpasswd - maintained with &#39;smbpasswd&#39; utility

2. Server - authentication via a Windows server

3. Domain - authenticates against an NT-style domain (PDC/BDC)

4. ADS - authenticates against Active Directory (AD) Domain controllers

5. Share - authenticates per-share - passwords are tied to shares

###Other Samba Clients###

-smbclient - facilitates puts/gets from Samba shares and other features

smbclient -U administrator //linuxcbtwin2/public1

smbclient -U administrator -L linuxcbtwin2

-smbtar - facilitates tarring/backup of remote shares

smbtar -s linuxcbtwin2 -x public1 -t public1.tar

-smbtree - enumerates remote shares

Samba Web Administration Tool (SWAT)

- Facilitates web-based administration of Samba via TCP:901

- Provides its own HTTPD server

- Controlled by XINETD - /etc/xinetd.d/swat, rcxinetd restart

- Must authenticate as 'root' after restarting XINETD with SWAT enabled

- SWAT defaults to BASIC HTTP authentication, which is passed in the clear

- optionally, install 'samba-doc' package

###Active Directory (AD) Installation and Integration with Samba###

- use 'dcpromo' from Windows to promote it to an AD server

- Setup Microsoft's DNS on AD server for simplicity

- Optionally, configure appropriate BIND zones

- Define FQDN for AD root 'ad.linuxcbt.internal'

- Define NETBIOS name of workgroup for legacy systems 'LINUXGENIUS'

- Configure AD server to consult itself for DNS '127.0.0.1'

Join SUSE Enterprise box to AD domain using YaST2

1. Network Services

2. Windows Domain Membership

3. Confirm ability to use remote (AD) users using 'getent passwd'

Note: winbind daemon facilitates enumeration and usage of remote AD users

/etc/nsswitch.conf

###Samba File System (SMBFS) Driver###

-facilitates transparent mounting of remote SMB/CIFS shares

\\linuxcbtwin2\public1 - /LINUXGENIUS/linuxcbtwin2/public1

use 'mount' to mount remote SMB/CIFS shares:

mount -t smbfs -o username=administrator,password=abc123,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1

mount -t cifs -o user=administrator,password=abc123,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1

Hide CIFS credentials in /root

nano .cifs_creds

user = administrator

password = abc123

mount -t cifs -o credentials=/root/.cifs_creds,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1
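The credentials file keeps the password out of the mount command line (where 'ps' would show it to every user), but only if the file itself is not readable by others. The following is an added example, not part of the original notes: it writes the file with mode 0600 from the start and checks an existing one. It assumes a GNU or busybox stat with -c '%a'; the user name and password are placeholders, and the key = value layout follows the notes above.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: write the CIFS credentials file
# so it is never readable by other users, and check an existing one.
# Assumes GNU/busybox stat -c '%a'; user name and password are placeholders.

# write_cifs_creds PATH USER PASSWORD : create PATH with mode 0600 from the
# first byte (umask 077 in a subshell, so the caller's umask is untouched)
# in the "key = value" layout the notes use, then print the resulting mode.
write_cifs_creds() {
    ( umask 077
      printf 'user = %s\npassword = %s\n' "$2" "$3" > "$1" )
    stat -c '%a' "$1"
}

# creds_file_ok PATH : exit 0 only when PATH is a regular file with no group
# or other permission bits (so 600 or 400) and carries both required keys.
creds_file_ok() {
    [ -f "$1" ] || { echo "missing or not a regular file: $1"; return 1; }
    mode=$(stat -c '%a' "$1")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then       # any g/o bit set?
        echo "mode $mode exposes the password to group/other: $1"
        return 1
    fi
    grep -q '^user[[:space:]]*=' "$1" && grep -q '^password[[:space:]]*=' "$1" \
        || { echo "user= or password= line missing: $1"; return 1; }
}

d=$(mktemp -d)
creds=$d/.cifs_creds
echo "created with mode $(write_cifs_creds "$creds" administrator 'example-password')"
creds_file_ok "$creds" && echo "credentials file passes the check"
rm -rf "$d"
```

Setting the umask before the file exists matters: creating it with the default 022 and chmod-ing it afterwards leaves a window in which the password is world-readable.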

Network File System (NFS)

Note: NFS is managed by the 'portmap' service; use 'rcportmap' to control it

Note: YaST/YaST2, can be used to import/export NFS shares

Note: NFS with Linux 2.6, supports versions 2,3,4, and, TCP & UDP

Note: Use NFS on LANs

Note: Specify subnets/IPs in Hosts field to restrict hosts that may connect to your NFS share

Note: The default '*' Hosts value, permits ALL connected users with privileges to mount NFS-exported shares

Note: 'root_squash' option for NFS-shares, equates remote 'root' user to local 'nobody' user

Note: 'sync' option reduces likelihood of data-corruption by ensuring that file I/O has completed on NFS server before rendering result/exit status to NFS client

Confirm NFS status using the following:

1. ps -ef | grep -i nfs

2. rcportmap status - portmap controls NFS/NIS, and allows dynamic allocation of ports

3. rpcinfo -p

Note: server-exported share '/app1', need NOT be the same name of the mount point on NFS client

###Mount remote share on NFS client###

mount linuxcbtsuse1:/app1 /app1

Note: YaST/YaST2 NFS-exported directories are stored in '/etc/exports'

Note: use 'exportfs -a' to re-export items listed in '/etc/exports'
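A small audit of /etc/exports for the three settings this section warns about: exports open to every host ('*'), 'no_root_squash', and 'async'. This is an added example, not part of the original notes; the sample exports file is constructed, and the awk-based parser assumes the standard "path client(options) ..." layout. It also catches the classic slip of a space between the client and its "(options)", which exports the options to every host.

```shell
#!/bin/sh
# Added example, not from the LinuxCBT notes: audit an /etc/exports file for
# the settings the notes warn about. The sample file below is constructed.

# audit_exports FILE : print one line per finding, nothing when clean.
# Each exports line is "path client(options) client(options) ...". A client
# of "*" (or a missing client, which happens when a space separates the host
# from its "(options)") exports to every host.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                            # comments, blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            spec = $i; host = spec; opts = ""
            p = index(spec, "(")
            if (p > 0) {
                host = substr(spec, 1, p - 1)
                opts = substr(spec, p + 1)
                sub(/\)$/, "", opts)
            }
            if (host == "" || host == "*")
                printf "%s: exported to every host via \"%s\"\n", path, spec
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                printf "%s: remote root keeps root privileges on %s\n", path, host
            if (opts ~ /(^|,)async(,|$)/)
                printf "%s: async acknowledges writes before they reach disk on %s\n", path, host
        }
    }' "$1"
}

# Constructed sample: one clean export and three with the issues above
EXPORTS_SAMPLE=$(mktemp)
cat > "$EXPORTS_SAMPLE" <<'EOF'
# /etc/exports (constructed sample, not a real host's file)
/app1 192.168.1.0/255.255.255.0(rw,sync,root_squash)
/app2 *(rw,sync)
/app3 linuxcbtsuse2(rw,sync,no_root_squash)
/app4 192.168.1.0/24 (rw,async)
EOF

audit_exports "$EXPORTS_SAMPLE"
```

Point it at the real file with audit_exports /etc/exports after editing and before running 'exportfs -a'; an empty result means none of the three patterns is present.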

Remote Synchronization (RSYNC)

Installed by default

Synchronizes remote and optionally local directories and or files

rsync operates in 2 modes:

1. uses transport such as SSH to sync data. - requires rsync on target system

2. uses 'rsyncd' to authenticate and facilitate transfer of files

1-client, 'rsync' is used to connect to both modes

rsync -bazv

-b(backup - preserves existing files with ~ suffix or deletes), -a(archives stat info.)

-z(compression), -v(verbose)

Note: rsync client is required on both client and server when using SSH transport

rsync -bazv -e ssh source destination

rsync -bazv -e ssh /app2 root@linuxcbtsuse2: - syncs local /app2 with remote system and backs-up target files as necessary

rsync -bazv -e ssh /app2 root@linuxcbtsuse2:/

###Synch local with remote system###

rsync -azv -e ssh root@linuxcbtsuse2:/app2 /

#!/bin/bash

###Synchronizes local /app2 with remote /app2

rsync -azv -e ssh root@linuxcbtsuse2:/app2 /

###END

###rsyncd server - /etc/rsyncd.conf - binds to TCP:873###

Note: to contact rsyncd server using rsync client, specify '::' in host field

Note: rsync currently does NOT support synchronization between 2 remote hosts

rsync -azv -e ssh /app2 root@linuxcbtsuse2::/

Apache HTTPD - Web Server

>70% of ALL web servers run Apache

Apache is cross-platform capable; available for Linux/Solaris/AIX/Windows/MAC OSX/etc.

Install via YaST - Patterns - Select 'Web and LAMP Server' - (Apache/MySQL/PHP/Python Modules)

###Apache2.2 Directory Layout###

/etc/apache2 - primary apache2.2 configuration directory

/etc/apache2/default-server.conf - config file for main HTTP server (NON-Virtual-Host)

/etc/apache2/errors.conf - error-handling

/etc/apache2/httpd.conf - Main Apache configuration file (includes other files)

/etc/apache2/uid.conf - controls credentials used by subsequent Apache processes

/etc/apache2/vhosts.d - houses Virtual Hosts files *.conf

/etc/apache2/vhosts.d/vhost-ssl.template - Sample SSL template

/etc/apache2/listen.conf - houses TCP-related bindings

/usr/lib/apache - houses dynamically-loaded modules *.so files

/usr/share/apache2/error - houses default error messages

/etc/apache2/mod_log_config.conf - houses variables to be expanded in Apache's log files

it maps log formats(on the left) to nicknames(on the right)

Nicknames can be referenced wherever a virtual host is defined

Difference between 'common(CLF)' and 'combined' is that combined provides everything provided by common + 'User Agent' and 'Referrer'.

/etc/apache2/default-server.conf - config file for main HTTP server (NON-Virtual-Host)

DocumentRoot "/srv/www/htdocs" - maps web space to file system space for default pages

i.e. http://linuxcbtsuse2.linuxcbt.internal -> /srv/www/htdocs

<Directory "/srv/www/htdocs"> - describes attributes of document root

Applicable Directives

</Directory>

Aliases - are like symlinks in the web space. They map a web space location to another location in the file system that is usually outside of the web root

alias /temp /srv/www/temp

<Directory "/srv/www/temp"> - describes attributes of document root

Applicable Directives

</Directory>

Note: Apache's Directory/File permissions flow downward

ScriptAlias - specifies the location where CGI scripts may be executed safely

ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

mod_userdir = http://linuxcbtsuse1.linuxcbt.internal/~linuxcbt/index.html - /home/linuxcbt/public_html/index.html

Note: Apache, in prefork mode, spawns 6 processes:

1. Apache manager, which runs as 'root'

2. 2-6 (5-child processes), run as non-privileged, 'wwwrun' user - these child processes service HTTP connections

http://localhost/manual - returns manual with appropriate (browser-driven)

### Key Apache Directives - Directory, Alias, Files, Location ###

Note: These directives influence Apache's permissions to serve content

<Directory "physical_directory_location /srv/www/htdocs">

</Directory>

DirectoryIndex index.html index.html.var - influences default document to be served

Note: Changes made to *.conf files require at least a 'reload' of the 'rcapache2' services and sometimes a full 'restart'

Note: IP address(es), short name, FQDN(linuxcbtsuse1.linuxcbt.internal) all lead to the default server referenced in /etc/apache2/default-server.conf, unless overridden via VHOST

###Order of evaluation when permitting/denying access to directory###

Order allow,deny

Allow from all

Order allow,deny

Allow from 172.20.20.0/255.255.255.0 192.168.1.0/255.255.255.0 127.0.0.1

Deny from all

Alias fakename physical_location

Alias /htdocs2 /srv/www/htdocs2

<Directory "/srv/www/htdocs2">

Options Indexes

AllowOverride None

Order allow,deny

Allow from all

</Directory>

<files noaccess.html>

</files>

Note: <files> applied within <directory> block affects the directory and below

Note: <files> applied outside of <directory> block impacts the ENTIRE server

<files noaccess.html>

Order allow,deny

Deny from all

</files>

<Location /templocation> - permissions on web-space (the URL path), not on a filesystem directory

Order allow,deny

Deny from all

</Location>

e.g. /status (a URL that maps to no directory, which <Directory> therefore cannot match)

###Redirect Directive - sends traffic to an alternate location###

HTTP status codes are grouped into the following classes:

1. 2xx - Success - content has been served (200 OK)

2. 3xx - Redirection - used to indicate that content has moved (301 permanent, 302 temporary)

3. 4xx - Client errors (403 Forbidden, 404 Not Found)

4. 5xx - Server errors (500 Internal Server Error)

If users access oursite/htdocs2, send them to /htdocs3

Redirect /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3 - no status given, so Apache sends 302 (temporary)

Redirect 301 /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3

Redirect permanent /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3 - same as 301; browsers and proxies cache it

Note: the Directory directive supports basic shell-style wildcards, i.e. '*' and '?'; use <DirectoryMatch> when a regular expression is needed

###.htaccess files###

/srv/www/htdocs/temp1/.htaccess

Note: Update the primary *.conf file to permit 'AllowOverride All' (or a narrower list such as 'AllowOverride AuthConfig Limit') for that directory

Note: anyone who can write to a directory with AllowOverride enabled can change the server's behaviour for it; keep 'AllowOverride None' on directories that untrusted users or web applications can write to, and put the settings in the main config instead

Note: There is a performance hit when using .htaccess, because on every request Apache looks for and parses an .htaccess file in the requested directory and in every parent directory on the path to it

Apache Logging

/var/log/apache2

-rcapache2.out - yields the results of testing the configuration file (httpd.conf)

-error_log - server diagnostics: start-up messages, module errors, refused requests with the reason (e.g. 'client denied by server configuration'), PHP warnings

-access_log - one line per request (hit) served, including the status code returned

Note: Virtual Hosts that do not define their own ErrorLog/CustomLog write to the main server's files

/etc/apache2/mod_log_config.conf

LogFormat is used to concatenate Apache log variables and associate the result with a nickname

Nicknames are referenced in server/host configurations, i.e. CustomLog /var/log/apache2/access_log combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

Note: Values that return empty are reflected with the '-' character

%h - connecting host's address (the peer IP, or a name if HostnameLookups is On)

%l - remote logname via ident; '-' unless IdentityCheck is On, and supplied by the client even then

%u - HTTP-authenticated user (or the user name attempted, if authentication failed)

%t - timestamp of the request -

[day(2-digit)/Month(3-letters)/Year(4-digits):Hour:Minute:Second -TimeZone]

%r - the first line of the request: method (GET/POST/etc.), URI and protocol

%>s - the final status code returned to the client - 2xx-5xx

%b - size of the returned content (body only, without headers) - represents zero bytes with '-'

%B - returns the same as %b but returns '0' for zero bytes

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined (a trailing '\' continues the directive when it is split across two lines)

%{Referer}i - the Referer request header: site that referred this content (page/image/PDF/etc.)

%{User-Agent}i - the User-Agent request header: connecting browser, i.e. (Blackberry/IE/Firefox/Safari/etc.)

Note: %r, %{Referer}i and %{User-Agent}i are supplied by the client and can contain anything, including HTML; treat them as untrusted input in anything that parses or renders the log (Webalizer, below, renders them into web pages)

172.20.20.1 - - [15/Sep/2006:16:18:15 -0400] "GET /index2.html HTTP/1.1" 404 1045 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060527 SUSE/1.5.0.4-1.9 Firefox/1.5.0.4"
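The combined-format fields above are what a detection script keys on. The following shell/awk example is added here and is not part of the original notes: it splits log lines on the double quotes (so a Referer or User-Agent containing spaces does not shift the status-code column), flags a client that racks up 404s (path scanning) and flags HTML metacharacters in the client-supplied header fields. The log lines inside it are constructed samples; the 404 threshold and the IP addresses are illustrative.

```shell
#!/bin/sh
# Added example (not from the original notes): mine a 'combined'-format
# access_log for a client producing a run of 404s and for HTML
# metacharacters inside the client-supplied Referer / User-Agent fields.

# Constructed sample of combined-format lines (host, ident, user, time,
# request, status, bytes, referer, user-agent).
SAMPLE_LOG='172.20.20.1 - - [15/Sep/2006:16:18:15 -0400] "GET /index2.html HTTP/1.1" 404 1045 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5.0.4"
172.20.20.1 - - [15/Sep/2006:16:18:16 -0400] "GET /phpmyadmin/ HTTP/1.1" 404 1045 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5.0.4"
172.20.20.1 - - [15/Sep/2006:16:18:17 -0400] "GET /admin/ HTTP/1.1" 404 1045 "-" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5.0.4"
192.168.1.102 - linuxcbt [15/Sep/2006:16:19:01 -0400] "GET /webalizer/ HTTP/1.1" 200 5120 "http://linuxcbtsuse1.linuxcbt.internal/" "Mozilla/5.0 (X11; U; Linux i686) Firefox/1.5.0.4"
192.168.1.102 - - [15/Sep/2006:16:19:05 -0400] "GET /index.html HTTP/1.1" 304 - "-" "curl/7.15.1"
10.0.0.9 - - [15/Sep/2006:16:20:00 -0400] "GET /cgi-bin/x.cgi?a=1 HTTP/1.0" 500 120 "-" "Mozilla/4.0 <script>alert(1)</script>"'

# Split on double quotes instead of spaces: the request, Referer and
# User-Agent fields may contain spaces, so with the default separator the
# status code would not sit in a fixed column.
#   $1 = 'host ident user [time zone] '   $2 = request line
#   $3 = ' status bytes '                 $4 = Referer    $6 = User-Agent

# clients_over_threshold STATUS MIN: print "count host" for every client
# that received at least MIN responses with status STATUS. Log on stdin.
clients_over_threshold() {
    awk -F'"' -v want="$1" -v min="$2" '
        {
            split($1, pre, " ");  host = pre[1]       # %h
            split($3, post, " "); code = post[1]      # %>s
            if (code == want) n[host]++
        }
        END { for (h in n) if (n[h] >= min) print n[h], h }
    ' | sort -rn
}

# suspicious_header_fields: print lines whose Referer or User-Agent carries
# '<' or '>' - these headers are attacker-controlled and end up rendered by
# log viewers such as Webalizer or pasted into tickets.
suspicious_header_fields() {
    awk -F'"' '
        $4 ~ /[<>]/ || $6 ~ /[<>]/ {
            split($1, pre, " ")
            printf "%s referer=%s user-agent=%s\n", pre[1], $4, $6
        }'
}

# Run against the embedded sample (on a real host pipe in access_log instead)
printf '%s\n' "$SAMPLE_LOG" | clients_over_threshold 404 3
printf '%s\n' "$SAMPLE_LOG" | suspicious_header_fields
```

Run it as `sh analyse_log.sh`, or replace the two `printf` lines with `tail -n 10000 /var/log/apache2/access_log | clients_over_threshold 404 20` on the server; the quote-based split breaks only on a log line whose request contains an unescaped double quote, which Apache 2.x escapes before writing.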

Virtual Hosts (VHOSTS)

2-Types of VHosts:

1. IP-based - requires 1 IP per site; each site can have its own SSL certificate

2. Name-based - 1 IP shared by ALL sites, selected by the Host: header; only 1 SSL site may operate per IP/port, because the certificate is presented before the Host: header can be read

IP1 - 192.168.1.40 - default server

ifconfig eth0:1 192.168.1.41

IP2 - 192.168.1.41 - site1 - maps (DocumentRoot) to /srv/www/site1

IP3 - 172.20.20.1 - site2 - maps (DocumentRoot) to /srv/www/site2

IP4 - 192.168.1.42 - site3 - maps (DocumentRoot) to /srv/www/site3

Modify /etc/apache2/listen.conf to listen on the new IP address(es)

Note: mod_logio (needed for the %I/%O bytes-in/bytes-out log formats) is NOT loaded by default. Use YaST to add the module.

Name-based Virtual Hosts

- permits the sharing of IP addresses across VHosts

Requirements:

1. Listen 192.168.1.40:80 - Listen 80(ALL IPs, Port 80)

2. NameVirtualHost 192.168.1.40:80

3. DNS MUST be properly configured

###SSL Configuration###

Requirements:

1. /etc/sysconfig/apache2 - APACHE_SERVER_FLAGS="SSL" (rcapache2 passes it to httpd as -DSSL, which enables the <IfDefine SSL> blocks in the config)

2. Generate appropriate certificates (private/public key pair)

a. /usr/bin/gensslcert - creates a self-signed certificate based on the system's FQDN and generic info

b. /usr/share/doc/packages/apache2/certificate.sh - prompts for values

3. cp /etc/apache2/vhosts.d/vhost-ssl.template to a working file (e.g. vhost-ssl.conf) in the same directory and point it at the certificate files

4. restart apache (rcapache2 restart) and test connectivity using HTTPS

Key SSL files (/etc/apache2/ssl.crt, ssl.key, ssl.csr):

1. server.crt (Server's certificate - public key)

2. server.key (Server's private key - readable by root only, mode 0600; Apache reads it as root before dropping privileges)

3. server.csr (Certificate Signing Request - sent to a CA (CACert.org, Verisign, Thawte, GoDaddy), which returns the signed server.crt)

Note: a self-signed certificate gives encryption but no authentication - browsers warn, and users trained to click through the warning cannot tell a man-in-the-middle from the real server

###Webalizer - Log analysis of Apache###

Note: The default /etc/webalizer.conf parses the standard 'access_log' file

Note: Move /etc/webalizer.conf to /etc/webalizer/webalizer.conf

Note: Copy webalizer.conf to something that reflects the site being processed (one config per VHost log)

Note: Log files should be processed chronologically

Note: Webalizer is limited to a 12-month history

Setup Basic HTTP AUTH

1. Configure /etc/apache2/default-server.conf

<Location /webalizer>

AuthType Basic

AuthName "Restricted"

AuthUserFile /etc/apache2/webalizer_passwords

Require valid-user

</Location>

2. Generate the password file using 'htpasswd2 -c /etc/apache2/webalizer_passwords linuxcbt' ('-c' creates the file and overwrites an existing one; omit it when adding further users)

Note: keep the AuthUserFile outside DocumentRoot (as above); inside it, the hashes can be downloaded

Note: Basic auth sends the user name and password base64-encoded (NOT encrypted) with every request, so it only makes sense over HTTPS:

###Redirect /webalizer to SSL-protected site###

Redirect /webalizer https://linuxcbtsuse1.linuxcbt.internal/webalizer

Note: put this Redirect in the non-SSL (port 80) server only; if it also applies to the SSL VHost, the browser loops

###PHP Scripts Integration###

Create the PHP script in the Document Root of the web site:

MUST include opening '<?php' and closing '?>' PHP tags in PHP scripts (the short '<?' form only works while short_open_tag is enabled in php.ini)

Note: PHP scripts, served by Apache, do NOT need the 'x' permission - the module executes them, the shell does not

Note: use '<?php phpinfo(); ?>' - to return useful PHP/Apache/Linux info (remove it once done; it hands an attacker versions, paths and settings)

Note: consult '/etc/php5/apache2/php.ini' to tweak PHP module settings (memory/etc.)

Note: install the 'php5-mysql' package to allow PHP to talk to MySQL.

MySQL Implementation

/etc/my.cnf - global MySQL configuration file

/usr/sbin/mysqld - Main daemon

/var/lib/mysql - Primary root directory for DBs

-Below /var/lib/mysql are directories representing DBs

/usr/bin/mysql - primary client(interactive/non-interactive) used to connect to MySQLD

mysql - connects as the currently-logged-in Linux/Unix user name (a default user name only, not a trust relationship)

mysqld - supports, by default (fresh install):

1. passwordless root (DBMS super-user) authentication

2. anonymous, passwordless, authentication

Note: Change both 'root' accounts' passwords (root@localhost and root@<FQDN>) and remove anonymous access before the server is reachable from the network

Note: A proper MySQL username consists of the following:

1. username

2. hostname

i.e. root@localhost, root@linuxcbtsuse1.linuxcbt.internal

###Alternate way for the DBA to change a user's password###

set password for 'root'@'localhost' = password('abc123');

###Disable anonymous access###

delete from mysql.user where user = '';

Note: Flush privileges after changing accounts directly in the mysql.* tables (DELETE/UPDATE) or risk permitting access based on former credentials until the server (mysqld) is restarted; GRANT, SET PASSWORD and DROP USER take effect immediately

Use: 'flush privileges;'

Note: in standard MySQL installations, a Linux/Unix user with no matching MySQL account matches the anonymous ('') entry, so any local user can connect until that entry is removed

###Delete superfluous DBs###

drop database test;

###Privileges scope###

mysql - DB used to manage system settings and credentials

mysql.user - Global-level permissions table (one row per user@host)

mysql.db - database-level permissions (what 'grant ... on contacts.*' writes)

mysql.host - host-level permissions, consulted when the mysql.db row has an empty host

mysql.tables_priv - table-level permissions

mysql.columns_priv - column-level permissions

###Create new user###

1. Create DB - 'create database contacts;'

2. Create a user with permissions associated with the DB (GRANT ... IDENTIFIED BY creates the account if it does not exist yet)

grant all on contacts.* to 'linuxcbt'@'localhost' identified by 'abc123';

3. CREATE USER username;

###Drop/Delete Users###

1. DROP USER username;

Note: MySQL evaluates credentials based on 3 components:

1. user

2. hostname

3. password

###Define users who may login to MySQL from a remote system###

1. grant all on contacts.* to 'linuxcbt'@'%' identified by 'abc123';

2. grant all on *.* to 'root'@'%' identified by 'abc123'; - avoid this: it exposes the super-user from any host, protected by a password alone, over a protocol that is unencrypted by default; grant a limited account from a specific host/subnet instead, e.g. 'linuxcbt'@'192.168.1.%'

Note: '%' is a wildcard meaning 'ANY', similar to '*' in the shell environment

Note: '%' is permitted in the 'host' field/column and NOT in the 'user' column of the privileges tables

###Key Show Commands###

show grants; - reveal permissions

show databases; - enumerates Databases that you have privileges to see

use DB; show tables; - lists tables in a given database

show engines; - returns list of supported(compiled-in) table storage engines

show status; - returns key running variables

show processlist; - returns running queries and connections

Note: MySQL binaries search for configuration files in a specific order:

1. Global config file - /etc/my.cnf

2. Per-user config file - ~/.my.cnf

3. Command-line - overrides ALL previously-set directives

Note: each program(MySQL binary) searches for distinct blocks in the config files

mysqld --verbose --help - returns options and variables that can be set in global and per-user configuration files

name=value - defines how variables are set in config files

###Execute a MySQL query, returning results to STDOUT (batch-run/non-interactive invocation)###

mysql -p -e 'show databases' - returns the list of DBs to STDOUT (prompts for the password)

Note: 'mysql -pabc123 ...' puts the password on the command line, where every local user can read it in 'ps' and where the shell history keeps it; use '-p' alone and type it, or put it under [client] in a 0600 ~/.my.cnf

###Backup databases###

mysqldump -p --all-databases - dumps ALL DBs as SQL text to STDOUT

mysqldump -p --all-databases > all_dbs.sql - dump ALL DBs in ASCII text format to a file (it contains the mysql.user table, password hashes included - protect the file like the database)

mysqldump -p --databases mysql - returns the SQL needed to recreate the 'mysql' DB & tables
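The hardening statements earlier in this section (root passwords, anonymous accounts, test DB, flush) and the dump above are usually run together after an install. The script below is an added example, not part of the original notes, and not a MySQL-supplied tool: it reads the password from a 0600 options file via `--defaults-extra-file` instead of `-p<password>`, emits the hardening SQL as text so it can be reviewed before it runs, and escapes the new password before interpolating it into SQL. It assumes the MySQL 5.0-era `mysql.user` layout used on this page, that `mysql` and `mysqldump` are on PATH, and that root can connect over the local socket; file paths and passwords are illustrative.

```shell
#!/bin/sh
# Added example, not from the original notes: apply this section's hardening
# steps from a script without exposing the password on the command line,
# then take a dump. Assumes MySQL 5.0-era mysql.user columns (Password,
# PASSWORD()); later versions use ALTER USER instead.

# Write a [client] options file that mysql/mysqldump read with
# --defaults-extra-file; the subshell keeps the 077 umask local, so the
# file is born 0600 instead of being chmod'ed after it already exists.
write_client_cnf() {
    cnf="$1"; password="$2"
    (
        umask 077
        printf '[client]\nuser=root\npassword=%s\n' "$password" > "$cnf"
    )
}

# Emit the hardening SQL on stdout for review (or testing) before execution.
# The new password is a shell value interpolated into SQL, so single quotes
# in it are doubled: the one place an admin script is itself injectable.
hardening_sql() {
    esc=$(printf '%s' "$1" | sed "s/'/''/g")
    cat <<EOF
-- every root@<host> row (root@localhost and root@<FQDN>) gets the new password
UPDATE mysql.user SET Password = PASSWORD('$esc') WHERE User = 'root';
-- drop root rows reachable from other hosts; remote super-user logins are not needed
DELETE FROM mysql.user WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1');
-- remove the anonymous accounts that any local Unix user would otherwise match
DELETE FROM mysql.user WHERE User = '';
-- remove the world-accessible test database
DROP DATABASE IF EXISTS test;
-- direct edits of mysql.* only take effect after a flush (or a restart)
FLUSH PRIVILEGES;
EOF
}

# Run the hardening; --defaults-extra-file must be the first option.
apply_hardening() {
    cnf="$1"; new_password="$2"
    hardening_sql "$new_password" | mysql --defaults-extra-file="$cnf"
}

# Dump everything (mysql.user and its hashes included) into a 0600 file.
backup_all() {
    cnf="$1"; out="$2"
    ( umask 077; mysqldump --defaults-extra-file="$cnf" --all-databases > "$out" )
}

# Typical sequence (as root on the DB host; paths/passwords illustrative):
#   write_client_cnf /root/.my.cnf 'current-root-password'
#   apply_hardening  /root/.my.cnf 'new-root-password'
#   write_client_cnf /root/.my.cnf 'new-root-password'
#   backup_all       /root/.my.cnf /root/all_dbs.sql
```

Review `hardening_sql 'new-password'` output first; it is plain SQL and can be pasted into the `mysql` prompt by hand if you prefer. The `NOT IN ('localhost', '127.0.0.1')` clause is what removes the root@<FQDN> row the notes mention, so set its password (first statement) only if you intend to keep it and drop the DELETE instead.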

###Creation of &#39;people&#39; table to store contacts###

DB(Contacts)

- Table(people)

-first_name

-last_name

-bus_phone1

-email

-PRIMARY KEY

CREATE TABLE `people` (

`first_name` char(30), `last_name` char(30), bus_phone1 char(20), email char(40),

PRIMARY KEY (`email`)

);

Note: use 'describe people;' to return the structure of the 'people' table

###Import contacts into the 'people' table from an externally-created text file###

Note: Create a file named 'people.txt' (tab-separated, one row per line). mysqlimport strips the '.txt' suffix and matches the file name to the table name.

Note: Import using 'mysqlimport'

mysqlimport -p --local -d contacts people.txt - the first non-option argument is the DB name; '-d' (--delete) empties the table first; '--local' reads the file on the client side rather than on the server

###PHP code to query 'contacts.people' and dump info to HTML###

Steps:

1. Create connection object (host,user,password,DB)

2. Define query

3. Run it and keep the result set (query() returns false on error, so the assignment doubles as the check)

4. loop through the result-set and return the results to the browser, HTML-escaped

<?php
#Step 1: connection object - the arguments are strings and must be quoted
$conn1 = new mysqli("localhost", "linuxcbt", "abc123", "contacts");
if ($conn1->connect_error) {
    die("Connection failed: " . $conn1->connect_error);
}

#Step 2: query - no user input is interpolated here; anything taken from
#$_GET/$_POST would have to go through a prepared statement instead
$query1 = "SELECT first_name, last_name, email FROM people";

#Step 3 & 4: run the query once and loop over the rows if it succeeded
if ($result1 = $conn1->query($query1)) {
    #Echo column headers
    echo "Full Name ", "E-Mail", "<br>";
    #Loop through the result set; htmlspecialchars() stops stored data from
    #being rendered as HTML or script in the visitor's browser
    while ($obj1 = $result1->fetch_object()) {
        echo htmlspecialchars($obj1->first_name), " ",
             htmlspecialchars($obj1->last_name), " ",
             htmlspecialchars($obj1->email), "<br>";
    } #Terminates loop through result-set
    $result1->close();
} #Terminates conditional check for result-set

$conn1->close();
?>

PHPMyAdmin - Implementation

Used to graphically, via a browser, manage MySQL instances

www.phpmyadmin.net

Note: Requires PHP-MySQL support on your Apache server

tar -xjvf phpMyAdmin-2.8.2.4.tar.bz2

Note: create symlink or alias to link to the current version PHPMyAdmin. This provides a consistent URL. i.e. http://linuxcbtsuse1.linuxcbt.internal/phpmyadmin

ln -s phpMyAdmin-2.8.2.4 phpmyadmin

Postfix MTA

Note: is a distributed, non-monolithic MTA (many binaries)

Note: Postfix does NOT permit outside network relaying by default

/etc/postfix/main.cf - Primary Postfix config file

/etc/postfix/master.cf - houses config for Postfix daemons

/etc/postfix/transport - governs message routing based on domain/etc.

/etc/postfix/virtual - houses virtual mappings for Virtual domains

/usr/bin/mailq - enumerates the contents of the mail queue

/usr/bin/newaliases - updates the aliases DB (/etc/aliases)

/usr/sbin/sendmail - drop-in replacement for Sendmail's 'sendmail' binary (what MUAs and scripts call to inject mail)

Key directives:

$myhostname = linuxcbtsuse1.linuxcbt.internal (Default FQDN)

user@linuxcbtsuse1.linuxcbt.internal - i.e. linuxcbt@linuxcbtsuse1.linuxcbt.internal

$mydomain = linuxcbt.internal (Default derivative of FQDN)

$myorigin = FQDN - sets the outbound domain in e-mails

$mydestination = controls domains that are considered local - i.e. root@linuxcbtsuse1.linuxcbt.internal

$mynetworks - permits relaying from trusted hosts/subnets - Default accepts messages from localhost and local subnet

$home_mailbox = Mailbox || Maildir - controls local delivery using either protocol

Mailbox - /var/spool/mail/user

Maildir = ~/Maildir/

Note: Most Mail User Agents (MUAs) such as Mutt, send messages using &#39;sendmail&#39; binary

Note: when using &#39;su&#39; the &#39;MAIL&#39; shell variable does NOT change

Note: Postfix defaults to SysLog for logging using the mail facility: /var/log/mail

Note: If DNS fails, Postfix fails, unless routing has been configured in /etc/postfix/transport

Note: postconf dumps running Postfix configuration

Note: After modifying lookup files such as /etc/postfix/transport, update the DB file using &#39;postmap filename&#39; i.e. &#39;postmap /etc/postfix/transport&#39;

Courier-MTA - IMAP

Requirements:

1. Courier Authlib - Authentication library for ALL Courier applications

2. Courier IMAP

3. GNU C Compiler

AuthLib Installation:

http://courier-mta.org/authlib

Steps:

1. ./configure

2. make

3. make install (as root) - /usr/local/sbin

4. make install-configure (as root)

5. /usr/local/sbin/authdaemond start

IMAP Installation:

http://courier-mta.org/imap

Steps:

1. ./configure

2. make (produces binaries)

3. make install (as root) - copies files to /usr/lib/courier-imap

4. make install-configure (as root)

5. /usr/lib/courier-imap/libexec/imapd.rc start - starts IMAPD

Note: Courier IMAP requires a Maildir/ directory in the user's $HOME (create it as the user with 'maildirmake ~/Maildir')

###Postfix - Maildir/ config###

nano /etc/postfix/main.cf - set 'home_mailbox = Maildir/' so that Postfix delivers where Courier reads, then 'postfix reload'

couriertcpd - analogous to XINETD because it is a super-server: it accepts the TCP connection and hands it to the protocol daemon

Note: Courier IMAP provides the following daemons:

1. IMAPD - TCP:143 - Clear-text access (credentials cross the network in the clear)

2. IMAPD-SSL - TCP:993 - Encrypted access

3. POP3 - TCP:110 - Clear-text access to download messages

4. POP3-SSL - TCP:995 - Encrypted access to download messages

Note: SysV init scripts for these are shipped in the source code directories (e.g. courier-imap.sysvinit); copy them to /etc/init.d and enable them:

chkconfig courier-authlib on

chkconfig courier-imap on

SquirrelMail - Web-based Mail integration

Steps:

1. Download from www.squirrelmail.org

2. Extract and untar: tar -xjvf squirrelmail-1.4.8...

3. Configure to use Courier - using squirrelmail/config/conf.pl (IMAP server software 'courier', server localhost:143 - the clear-text IMAP hop stays on the box)

4. Change permissions on the squirrelmail/data sub-directory to be owned by 'wwwrun'

5. Symlink 'squirrelmail' to the 'squirrelmail-1.4.8...' directory

6. Test logging into mail

###Connection logic to mailbox from client###

Browser -> SquirrelMail(PHP) -> Courier IMAP -> ~/Maildir/

###Move the default SquirrelMail 'data' directory outside of the WebRoot###

mkdir -p /var/squirrelmail/data

chown -R wwwrun /var/squirrelmail

Note: point the 'Data Directory' option in conf.pl ($data_dir in config.php) at /var/squirrelmail/data; it holds user preferences and signatures, which must not be downloadable

Pure-FTPD

Features:

1. Lightweight

2. Fast

3. Secure

4. SSL/TLS on the control connection

5. Bandwidth throttling

6. Runs in standalone and XINETD modes

/etc/pure-ftpd/pure-ftpd.conf - Primary configuration files

/usr/sbin/pure-ftpd - primary binary

Note: pure-ftpd defaults users to their home directories (chroot - 'ChrootEveryone yes' in pure-ftpd.conf)

Note: by default, ONLY 'anonymous' connections are permitted

Note: 'anonymous' access works like VSFTPD; it is based on the 'ftp' user in /etc/passwd (that user's home directory is the anonymous tree)

Note: by default, pure-ftpd logs ONLY using 'syslog'

Note: the CLF/W3C/Stats log files do NOT log verbose FTP activity (logins, failures), however 'syslogd' does

###Enable FTP support in Syslog###

Requires: filter, destination, and, log directives

###Syslog-NG Configuration###

filter f_ftp { facility(ftp); };

destination d_ftp { file("/var/log/pure-ftp-syslog.log"); };

log { source(src); filter(f_ftp); destination(d_ftp); };

FTP Client -> FTP Server(21 - Control Connection - Clear Text)

Note: TLS encryption here applies solely to the Control Connection - typically TCP:21 - i.e. credentials and commands

Note: TLS does NOT protect the Active/Passive data connection in this setup - file contents still cross the network in the clear

Requirements:

1. Generate(use notes from docs) or use existing PEM file or certificate

2. modify pure-ftpd.conf file to permit TLS

Xen Virtualization

Features:

1. Provides a Virtual Machine Server (VM Server) - Hosts VMs - domain(0)

2. Virtual Machines (VMs) - instances of Operating Systems

3. Virtual Machine Monitor - Software layer running between SUSE(domain 0) & Hardware

Hardware <- VM Server -> VMM -> Virtual Machines (1..n)

Note: ample hardware (CPU power, RAM, Disk) is necessary to use Xen

Xen Supports 2 Modes:

1. Fully Virtual - runs slower - Supports most OSs (unmodified guests), requires hardware-assisted virtualization (AMD-V & Intel VT) - devices are emulated and it requires more resources

2. Paravirtual - runs faster - the guest kernel must be Xen-aware (here: SUSE 10.1 & higher, SUSE Ent. 10) - special 'Xen drivers' replace emulated hardware, resulting in faster performance

Note: this mode is considered 'VM-Aware' Mode

Note: Installation of Xen modifies /boot/grub/menu.lst - to include a Xen boot option (the hypervisor boots first, then the domain 0 kernel)

###Post VM Server Installation Checks###

xm list - returns Domain-0 - confirms that Xen is operable (xm talks to xend, which only runs under the Xen kernel)

xm shutdown vm1 - cleanly shuts down the VM 'vm1' (the guest runs its own shutdown)

xm destroy vm1 - terminates 'vm1' immediately, like pulling the power; its configuration file is NOT deleted

XINETD - Super Server

Note: Successor to the traditional 'INETD' with extensions

Client -> TCP:901(SWAT) -> XINETD -> SWAT

Features:

1. Spawns managed daemons(SWAT, pure-ftpd, VNC, etc.) when necessary

2. Access-time ACLs - restricting connectivity to managed services during specific periods

3. Connections per second (CPS) - limits rush of traffic/flooding

4. Limits number of instances of spawned process

/etc/xinetd.conf - primary config file

/etc/xinetd.d - includes contents of the directory

Note: scope-level config files override directives discovered in global /etc/xinetd.conf

/usr/sbin/itox && /usr/sbin/xconv.pl - converts INETD files/entries to XINETD format

XINETD

-/etc/xinetd.conf

-INCLUDES contents of /etc/xinetd.d/*

XINETD config block resembles the following:

service_name

{

n number of directives (name = value pairs)

}

service2_name

{

name = value pairs

}

'man xinetd.conf' to examine all possible directives

XINETD - interacts natively with TCP Wrappers (it is built with libwrap, so /etc/hosts.allow and /etc/hosts.deny apply to every service it spawns)

Note: increase the security of XINETD-protected services by using the following directives in the service block:

1. interface = 127.0.0.1 - bind only to loopback (SWAT is then reachable only locally or through an SSH tunnel)

2. only_from = 127.0.0.1 - reject, and log, connections from any other source address

3. access_times, cps, instances, per_source - restrict when, how fast and how many connections are accepted

TCP Wrappers - tcpd

Controls access to protected services, including XINETD- and non-XINETD-controlled services, via libwrap - the daemon must be linked against it (sshd and xinetd are; check with 'ldd /usr/sbin/sshd | grep libwrap')

Note: TCP Wrappers provides protection dynamically - the rule files are re-read on every connection

TCP Wrappers order of processing:

1. /etc/hosts.allow

- swat: 127.0.0.1 192.168.1.40 - daemon:client_list combo - GRANT ACCESS

2. /etc/hosts.deny

- swat: 127.0.0.1 192.168.1.40 - DENY ACCESS

- IF NO MATCH - GRANT ACCESS (default open: an empty hosts.deny protects nothing; 'ALL: ALL' in hosts.deny makes it default closed)

Note: TCP Wrappers uses the name of the daemon (its argv[0], e.g. sshd, swat, in.telnetd) as its token

Note: TCP Wrappers permits placing ALL rules in one file (/etc/hosts.allow) providing we use the following syntax:

- daemon_name(swat) : client_list(127.0.0.1, 192.168.1.) : ALLOW | DENY - a trailing dot matches the whole network, '192.168.1.0/255.255.255.0' is the explicit form; '192.168.1.0' on its own matches only that single address

- daemon_list(swat,pure-ftpd,etc.) : client_list... : ALLOW | DENY

Note: The 3rd field of a TCP Wrappers rule may optionally contain a shell command ('spawn' runs it alongside the connection, e.g. to log or alert; 'twist' replaces the service with it)

Note: TCP Wrappers rules take effect immediately without having to reload/restart services

Note: the first matching rule wins (hosts.allow before hosts.deny, top to bottom within a file); client names in rules are resolved through DNS, so prefer addresses to host names

###Security Strategy###

1. Application Security - User authentication, port-bindings, etc.

2. XINETD - Wraps your application - Connection throttling, access times, logging, etc.

3. TCP Wrappers - Dynamic, library-based (libwrap, in user space - NOT in the kernel) filtering inside the application at accept time

4. Netfilter/IPTables - Stateful firewall in the kernel; the only layer that stops a packet before any process sees it

Netfilter is the firewall framework compiled into the Linux kernel

IPTables is a front-end, user-space utility used to manage Netfilter

Kernel -> Netfilter <- IPTables <- User

Netfilter is the firewall compiled into the Linux kernel

IPTables is a front-end, user-space utility used to manage Netfilter

Kernel -> Netfilter -IPTables - User

IPTables Implementation & Operation

Features:

1. Operates primarily @ Layers 3 (Network) & 4 (Transport) of the OSI model

a. IP = 192.168.1.40 (Layer-3) - Note: 2^32 IPv4 addresses are available

a1. Multiplexed into 2^16 Layer-4 ports = 0-65535, of which 1-65535 are usable (80, 901, 22, 23, 21, ...)

2. Modular - it is extended via plug-ins/modules (-m state, -m limit, etc.)

3. Provides '/usr/sbin/iptables' - primary utility, used to manage Netfilter

4. '/usr/sbin/iptables-save' & 'iptables-restore' back up and restore rules for reuse

5. Changes made happen instantly/dynamically (and are lost at reboot unless saved and restored at boot)

5. Changes made happen instantly/dynamically

Note: IPTables consists of tables & chains

Table - 3 default tables

NAT

-Chains

Mangle

-Chains

Filter(Default Table)

-Chains

-INPUT - focuses on traffic inbound to a process

-OUTPUT - focuses on traffic outbound/leaving the system

-FORWARD - focuses on traffic being routed through the system (1 interface to another)

IPTables Usage

iptables -L - lists the current rule-set of the default table (filter); add -n to skip DNS lookups and -v to see packet/byte counters

Default policy applied to chains is 'ACCEPT' - this permits traffic to flow uninhibited; a DROP rule on an ACCEPT-policy chain fails open the moment the rule is flushed or mistyped

iptables -L -t nat

Note: You cannot remove the default tables (filter, nat, mangle)

Note: The 'FORWARD' chain of the 'filter' table sees no traffic unless IP forwarding has been enabled (/proc/sys/net/ipv4/ip_forward = 1)

iptables -A chain_name - appends rule to bottom of the list

iptables -D chain_name rule_num - deletes rule at number

iptables -F chain_name - flushes rules in chain

iptables -P chain_name DROP - changes the policy to DROP

iptables -N new_chain_name - defines a new chain

iptables -E old_chain_name new_chain_name - renames a chain

iptables -Z chain_name - zeroes counters

###Rule to deny inbound access to Samba SWAT###

i.e. iptables -A INPUT --protocol --dport -s source -j Jump Target (ACCEPT/DROP/REJECT/LOG)

iptables -A INPUT -p tcp --dport 901 -s 192.168.1.102 -j DROP

iptables -A INPUT -p tcp --dport ssh -s 192.168.1.102 -j DROP - service names are looked up in /etc/services

Note: rules are matched top to bottom and the first match decides, so a DROP appended (-A) below an earlier ACCEPT for the same traffic never fires; use -I to insert at the top when that matters

iptables -F INPUT - flushes every INPUT rule (the chain policy stays)

###Save/Restore Rules###

iptables-save > `date +%F`.iptables.rules - saves rules to disk

iptables-restore < 2006-09-21.iptables.rules - reinstates the rules (reads from stdin), replacing the current tables in one step

###Filter inbound ICMP echo-request traffic###

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP - the host no longer answers ping

iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP - also discards replies to pings this host sends, so its own 'ping' stops working (a stateful '-m state --state ESTABLISHED,RELATED -j ACCEPT' above it would let those replies through)

###Filter outbound ICMP echo-request traffic###

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

###SuSE Firewall2 - Graphical IPTables/Netfilter Management###

Note: SuSEfirewall2 changes the default policies to 'DROP' and builds its rule-set from /etc/sysconfig/SuSEfirewall2; hand-written iptables rules are lost when it reloads
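The individual DROP rules in this section sit on chains whose policy is ACCEPT, so they fail open. The script below is an added example, not part of the original notes and not what SuSEfirewall2 generates: it writes a default-deny INPUT ruleset in iptables-restore format (stateful accept first, then the few services this page runs, then log-and-drop) and loads it atomically, which avoids the window a rule-by-rule `iptables -A` sequence leaves between setting the DROP policy and adding the first ACCEPT. It assumes one interface, that 192.168.1.0/24 is the management LAN (overridable via MGMT_NET), and that loading is done as root; the port list is illustrative.

```shell
#!/bin/sh
# Added example (not from the original notes): a default-deny INPUT policy
# built as an iptables-restore file. A rule that is missing or flushed on an
# ACCEPT-policy chain fails open; with a DROP policy it fails closed.
# Assumptions: single interface, 192.168.1.0/24 is the management LAN,
# loading runs as root. iptables-restore ignores lines starting with '#'.

MGMT_NET=${MGMT_NET:-192.168.1.0/24}

# Emit the ruleset on stdout (one '*table' ... 'COMMIT' block per table).
make_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established flows first: everything this host
# starts (DNS, MX lookups, its own pings) keeps working
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# administrative services only from the management LAN
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m state --state NEW -j ACCEPT
# SWAT (901) is deliberately absent: it is reachable only via the loopback
# rule above, i.e. locally or through an SSH tunnel
# public services
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# answer pings, but not at an unbounded rate
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log (rate-limited) then drop; the policy catches anything that slips past
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Load it: iptables-restore replaces the whole table in one step, so there is
# no moment where INPUT is policy-DROP with no ACCEPT rules yet.
load_ruleset() {
    make_ruleset | iptables-restore
}

# Keep a dated copy of what is actually loaded, as the notes do.
save_running() {
    iptables-save > "$(date +%F).iptables.rules"
}

# Dry run: show the ruleset that would be loaded.
make_ruleset
```

Load it with `load_ruleset` from a root shell that you reach over the management LAN (the SSH rule keeps that session alive via ESTABLISHED), then `save_running`; anything you later test with `iptables -A INPUT ...` is now an exception to a deny, not a deny on top of an allow.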

Network Mapper (Nmap)

Note: http://www.insecure.org

rpm -Uvh nmap-version*

/usr/bin/nmap - primary utility - available to ALL users

Note: non-privileged users can use Nmap in a limited capacity (TCP connect scans only, no raw sockets), with no stealth, in comparison to 'root'

NmapFE - GUI front-end, which executes Nmap via the shell

###Nmap usage###

nmap - prints usage

nmap localhost - scans the default set of well-known TCP ports using a SYN scan (if 'root') or a TCP connect scan (if non-root); a connect scan completes the handshake, so the target's services log it

nmap 192.168.1.40

nmap -v 192.168.1.40

nmap -v -sU 192.168.1.0/24

nmap -v -sU -p 67 192.168.1.0/24

nmap -v -O 192.168.1.197

nmap -v -oN nmap.scan.1 192.168.1.0/24

Nessus - Vulnerability Scanner

Nessus scans hosts, determines the available services and tests them for known vulnerabilities

www.nessus.org

Note: Nessus is Client/Server App. NessusD runs on Linux Server, client runs on: Windows/Linux/Mac/Solaris/etc.

Note: place Nessus server in location on network that has access to entire network

Register with Tenable Networks:

rpm -Uvh Nessus-3.0.3-suse10.0.i586.rpm

Note: Must apply activation code in order to receive feeds(definitions)

/opt/nessus/sbin/nessus-add-first-user - adds the first user to Nessus

/opt/nessus/sbin/nessus-add-user - adds additional users to Nessus

0.0.0.0:1241 - Nessus binds to TCP:1241 by default on ALL IP addresses

Nessus Client can be used to connect to multiple NessusD back-end servers via scopes

TCPDump - Packet Sniffer

Note: TCPDump optionally writes a pcap-format capture file (-w), which is readable by many tools, including:

1. TCPDump

2. Ethereal

3. Snort NIDS

/usr/sbin/tcpdump - is the single binary used to sniff on interfaces

###Usage###

tcpdump

control-C to kill

tcpdump -v - executes in verbose mode and returns capture synopsis

tcpdump -v -n - disables name resolution

tcpdump -vv - increases verbosity

tcpdump -v -i eth2

tcpdump -D - returns possible sniffing interfaces

tcpdump -v -i any - listens to ALL interfaces, non-promiscuous mode

tcpdump -v -c 5 - captures 5 packets and exits

tcpdump -q - runs in quiet mode

tcpdump -v -e - returns link header(MAC info) info

tcpdump -v -w capture.out - writes to capture.out file

tcpdump -v -r capture.out - replays packets in file

Note: 3 Qualifiers can be used to filter traffic:

1. Type - host|net|port

2. Dir - src, dst, src or dst, src and dst

3. Proto - ip, tcp, udp, etc.

tcpdump -v host 192.168.1.102

tcpdump -v src 192.168.1.102

tcpdump -v -r capture.out

Ethereal - Network Analysis Tool

Features:

1. Sniffer

2. Saves sniffed traffic in TCPDump format

3. Analyzes TCPDump-formatted data

4. Correlates streams of packets

/usr/bin/ethereal - primary utility

Snort Network Intrusion Detection System (NIDS)

Features/Modes:

1. Sniffer - i.e. TCPDump

2. Packet Logger - i.e. TCPDump

3. NIDS

Requires:

1. pcre-devel*

2. libpcap

3. mysql-devel* (optional to support DBMS logging with MySQL)

Download the GPG signature and MD5 checksum files and verify before building (an MD5 served from the same site only proves integrity; the signature proves origin):

gpg --verify snort-2.6.0.2.tar.gz.sig snort-2.6.0.2.tar.gz - requires the Snort release signing key to have been imported into your keyring first

###Compilation process###

1. ./configure --

2. make

3. make install

Snort - Sniffer Mode

snort -v - dumps basic headers - timestamp, and, IP header

snort -vd - dumps application layer

snort -ve - dumps layer-2 info (MAC)

snort -vde - dumps layers 2-7

Snort - Logger Mode - Sniffer Mode with output sent to screen and/or file

snort -v -L file - dumps ALL layers, minus physical, into a TCPDump-compliant (pcap) file named 'file'

snort -v -l ./ - creates snort.log.timestamp in the current directory

snort -v -b -l ./ - binary (pcap) logging

snort -b -l ./ - binary logging with NO ASCII output to STDOUT - keeps up with more traffic, so it drops fewer packets

Snort - NIDS Mode with BASE

Steps:

1. Reconfigure Snort with --enable-dynamicplugin option

2. groupadd snort && useradd -g snort snort

3. Setup /etc/snort directory tree with config files and rules

4. Configure MySQL

5. Invoke Snort in NIDS mode

6. Download & configure BASE

1. make clean && ./configure --with-mysql --enable-dynamicplugin

2. make && make install

In /etc/snort/snort.conf:

var HOME_NET 192.168.1.0/24

var RULE_PATH /etc/snort/rules

output database: log, mysql, user=snort password=snortabc123 dbname=snort host=localhost

mysql

- create database snort;

- grant ALL on snort.* to snort@localhost identified by 'snortabc123';

- grant ALL on snort.* to snort identified by 'snortabc123'; (= snort@'%', a remotely usable account; drop this line when Snort and MySQL share the host)

mysql -p snort < schemas/create_mysql - loads the schema shipped in the Snort source tree into the 'snort' DB (the DB name goes before the redirect)

NIDS Mode Invocation

/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -u snort -g snort -D - drops to the unprivileged snort user/group once the interface is open; -D daemonizes

Download and extract the rules files to /etc/snort/rules

Download and extract rules files to /etc/snort/rules

BASE Installation

Requirements:

1. php support for MySQL

2. php gd support - optional

3. adodb - sourceforge.net - /srv/www/adodb

Note: BASE extends the 'snort' DB schema; its DB credentials live in base_conf.php, and the BASE URL should be protected with HTTP auth over HTTPS, as done for /webalizer above
