Normunds Grūzītis

 IP connectivity, routing
 Daemons
 Syslog
 Inetd etc.
 Cron
 Security

 Good free implementations for:

DNS

BIND v8/9, djbdns



SMTP
 sendmail, qmail , postfix, exim
POP/IMAP
 qpopper, uwimapd, dovecot
HTTP

Apache, nginx

PHP, MySQL
“If it was hard to develop, it should be hard to install!”


Manual change
# more /proc/sys/net/ipv4/ip_forward
0
# echo 1 > /proc/sys/net/ipv4/ip_forward
# more /proc/sys/net/ipv4/ip_forward
1
#

Use of sysctl (modify kernel parameters /proc/sys/ at runtime)
Eg: #/sbin/sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Eg: #/sbin/sysctl -w net.ipv4.ip_forward=0 net.ipv4.ip_forward = 0

Record changes in /etc/sysctl.conf
(to activate after reboot)

unix sbin # sysctl -a abi.fake_utsname = 0 abi.trace = 0 abi.defhandler_libcso = 68157441 abi.defhandler_lcall7 = 68157441 abi.defhandler_elf = 0 abi.defhandler_coff = 117440515 dev.rtc.max-user-freq = 64 net.unix.max_dgram_qlen = 10 net.ipv4.ip_conntrack_max = 8184 net.ipv4.netfilter.ip_conntrack_generic_timeout = 600 net.ipv4.netfilter.ip_conntrack_icmp_timeout = 30 net.ipv4.netfilter.ip_conntrack_udp_timeout_stream = 180 net.ipv4.netfilter.ip_conntrack_udp_timeout = 30 net.ipv4.netfilter.ip_conntrack_tcp_timeout_close = 10 net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120 net.ipv4.netfilter.ip_conntrack_tcp_timeout_last_ack = 30 net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60 net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120 net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 432000 net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv = 60 net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_sent = 120 net.ipv4.netfilter.ip_conntrack_buckets = 1023 net.ipv4.netfilter.ip_conntrack_max = 8184 net.ipv4.conf.eth0.force_igmp_version = 0 net.ipv4.conf.eth0.arp_ignore = 0 net.ipv4.conf.eth0.arp_announce = 0 net.ipv4.conf.eth0.arp_filter = 0 net.ipv4.conf.eth0.tag = 0 net.ipv4.conf.eth0.log_martians = 0 net.ipv4.conf.eth0.bootp_relay = 0 net.ipv4.conf.eth0.medium_id = 0 net.ipv4.conf.eth0.proxy_arp = 0 net.ipv4.conf.eth0.accept_source_route = 1 net.ipv4.conf.eth0.send_redirects = 1 net.ipv4.conf.eth0.rp_filter = 1 net.ipv4.conf.eth0.shared_media = 1 net.ipv4.conf.eth0.secure_redirects = 1 net.ipv4.conf.eth0.accept_redirects = 1 net.ipv4.conf.eth0.mc_forwarding = 0 net.ipv4.conf.eth0.forwarding = 0 net.ipv4.conf.lo.force_igmp_version = 0 net.ipv4.conf.lo.arp_ignore = 0 net.ipv4.conf.lo.arp_announce = 0 net.ipv4.conf.lo.arp_filter = 0 net.ipv4.conf.lo.tag = 0 net.ipv4.conf.lo.log_martians = 0 net.ipv4.conf.lo.bootp_relay = 0 net.ipv4.conf.lo.medium_id = 0 net.ipv4.conf.lo.proxy_arp = 0 net.ipv4.conf.lo.accept_source_route = 1 net.ipv4.conf.lo.send_redirects = 1 net.ipv4.conf.lo.rp_filter = 0 net.ipv4.conf.lo.shared_media = 1 net.ipv4.conf.lo.secure_redirects = 1 net.ipv4.conf.lo.accept_redirects = 1 net.ipv4.conf.lo.mc_forwarding = 0 net.ipv4.conf.lo.forwarding = 0 net.ipv4.conf.default.force_igmp_version = 0 net.ipv4.conf.default.arp_ignore = 0 net.ipv4.conf.default.arp_announce = 0 net.ipv4.conf.default.arp_filter = 0 net.ipv4.conf.default.tag = 0 net.ipv4.conf.default.log_martians = 0 net.ipv4.conf.default.bootp_relay = 0 net.ipv4.conf.default.medium_id = 0 net.ipv4.conf.default.proxy_arp = 0 net.ipv4.conf.default.accept_source_route = 1 net.ipv4.conf.default.send_redirects = 1 net.ipv4.conf.default.rp_filter = 0 net.ipv4.conf.default.shared_media = 1 net.ipv4.conf.default.secure_redirects = 1 net.ipv4.conf.default.accept_redirects = 1 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.conf.default.forwarding = 0 net.ipv4.conf.all.force_igmp_version = 0 net.ipv4.conf.all.arp_ignore = 0 net.ipv4.conf.all.arp_announce = 0 net.ipv4.conf.all.arp_filter = 0 net.ipv4.conf.all.tag = 0 net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.all.bootp_relay = 0 net.ipv4.conf.all.medium_id = 0 net.ipv4.conf.all.proxy_arp = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.send_redirects = 1 net.ipv4.conf.all.rp_filter = 0 net.ipv4.conf.all.shared_media = 1 net.ipv4.conf.all.secure_redirects = 1 net.ipv4.conf.all.accept_redirects = 1 net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.all.forwarding = 0 net.ipv4.neigh.eth0.locktime = 100 net.ipv4.neigh.eth0.proxy_delay = 80 net.ipv4.neigh.eth0.anycast_delay = 100 net.ipv4.neigh.eth0.proxy_qlen = 64 net.ipv4.neigh.eth0.unres_qlen = 3 net.ipv4.neigh.eth0.gc_stale_time = 60 net.ipv4.neigh.eth0.delay_first_probe_time = 5 net.ipv4.neigh.eth0.base_reachable_time = 30 net.ipv4.neigh.eth0.retrans_time = 100 net.ipv4.neigh.eth0.app_solicit = 0 net.ipv4.neigh.eth0.ucast_solicit = 3 net.ipv4.neigh.eth0.mcast_solicit = 3 net.ipv4.neigh.lo.locktime = 100 net.ipv4.neigh.lo.proxy_delay = 80 net.ipv4.neigh.lo.anycast_delay = 100 net.ipv4.neigh.lo.proxy_qlen = 64 net.ipv4.neigh.lo.unres_qlen = 3 net.ipv4.neigh.lo.gc_stale_time = 60 net.ipv4.neigh.lo.delay_first_probe_time = 5 net.ipv4.neigh.lo.base_reachable_time = 30 net.ipv4.neigh.lo.retrans_time = 100 net.ipv4.neigh.lo.app_solicit = 0 net.ipv4.neigh.lo.ucast_solicit = 3 net.ipv4.neigh.lo.mcast_solicit = 3 net.ipv4.neigh.default.gc_thresh3 = 1024 net.ipv4.neigh.default.gc_thresh2 = 512 net.ipv4.neigh.default.gc_thresh1 = 128 net.ipv4.neigh.default.gc_interval = 30 net.ipv4.neigh.default.locktime = 100 net.ipv4.neigh.default.proxy_delay = 80 net.ipv4.neigh.default.anycast_delay = 100 net.ipv4.neigh.default.proxy_qlen = 64 net.ipv4.neigh.default.unres_qlen = 3 net.ipv4.neigh.default.gc_stale_time = 60 net.ipv4.neigh.default.delay_first_probe_time = 5 net.ipv4.neigh.default.base_reachable_time = 30 net.ipv4.neigh.default.retrans_time = 100 net.ipv4.neigh.default.app_solicit = 0 net.ipv4.neigh.default.ucast_solicit = 3 net.ipv4.neigh.default.mcast_solicit = 3 net.ipv4.tcp_westwood = 0 net.ipv4.ipfrag_secret_interval = 600 net.ipv4.tcp_low_latency = 0 net.ipv4.tcp_frto = 0 net.ipv4.tcp_tw_reuse = 0 net.ipv4.icmp_ratemask = 6168 net.ipv4.icmp_ratelimit = 100 net.ipv4.tcp_adv_win_scale = 2 net.ipv4.tcp_app_win = 31 net.ipv4.tcp_rmem = 4096 87380 174760 net.ipv4.tcp_wmem = 4096 16384 131072 net.ipv4.tcp_mem = 23552 24064 24576 net.ipv4.tcp_dsack = 1 net.ipv4.tcp_ecn = 0 net.ipv4.tcp_reordering = 3 net.ipv4.tcp_fack = 1 net.ipv4.tcp_orphan_retries = 0 net.ipv4.inet_peer_gc_maxtime = 120 net.ipv4.inet_peer_gc_mintime = 10 net.ipv4.inet_peer_maxttl = 600 net.ipv4.inet_peer_minttl = 120 net.ipv4.inet_peer_threshold = 65664 net.ipv4.igmp_max_msf = 10 net.ipv4.route.secret_interval = 600 net.ipv4.route.min_adv_mss = 256 net.ipv4.route.min_pmtu = 552 net.ipv4.route.mtu_expires = 600 net.ipv4.route.gc_elasticity = 8 net.ipv4.route.error_burst = 500 net.ipv4.route.error_cost = 100 net.ipv4.route.redirect_silence = 2048 net.ipv4.route.redirect_number = 9 net.ipv4.route.redirect_load = 2 net.ipv4.route.gc_interval = 60 net.ipv4.route.gc_timeout = 300 net.ipv4.route.gc_min_interval = 0 net.ipv4.route.max_size = 8192 net.ipv4.route.gc_thresh = 512 net.ipv4.route.max_delay = 10 net.ipv4.route.min_delay = 2 net.ipv4.icmp_ignore_bogus_error_responses = 0 net.ipv4.icmp_echo_ignore_broadcasts = 0 net.ipv4.icmp_echo_ignore_all = 0 net.ipv4.ip_local_port_range = 1024 4999 net.ipv4.tcp_max_syn_backlog = 256 net.ipv4.tcp_rfc1337 = 0 net.ipv4.tcp_stdurg = 0 net.ipv4.tcp_abort_on_overflow = 0 net.ipv4.tcp_tw_recycle = 0 net.ipv4.tcp_syncookies = 0 net.ipv4.tcp_fin_timeout = 60 net.ipv4.tcp_retries2 = 15 net.ipv4.tcp_retries1 = 3 net.ipv4.tcp_keepalive_intvl = 75 net.ipv4.tcp_keepalive_probes = 9 net.ipv4.tcp_keepalive_time = 7200 net.ipv4.ipfrag_time = 30 net.ipv4.ip_dynaddr = 0 net.ipv4.ipfrag_low_thresh = 196608 net.ipv4.ipfrag_high_thresh = 262144 net.ipv4.tcp_max_tw_buckets = 16384 net.ipv4.tcp_max_orphans = 8192 net.ipv4.tcp_synack_retries = 5 net.ipv4.tcp_syn_retries = 5 net.ipv4.ip_nonlocal_bind = 0 net.ipv4.ip_no_pmtu_disc = 0 net.ipv4.ip_autoconfig = 0 net.ipv4.ip_default_ttl = 64 net.ipv4.ip_forward = 0 net.ipv4.tcp_retrans_collapse = 1 net.ipv4.tcp_sack = 1 net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_timestamps = 1 net.core.somaxconn = 128 net.core.hot_list_length = 128 net.core.optmem_max = 10240 net.core.message_burst = 50 net.core.message_cost = 5 net.core.mod_cong = 290 net.core.lo_cong = 100 net.core.no_cong = 20 net.core.no_cong_thresh = 10 net.core.netdev_max_backlog = 300 net.core.dev_weight = 64 net.core.rmem_default = 106496 net.core.wmem_default = 106496 net.core.rmem_max = 106496 net.core.wmem_max = 106496 vm.block_dump = 0 kernel.sem = 250 32000 32 128 kernel.msgmnb = 16384 kernel.msgmni = 16 kernel.msgmax = 8192 kernel.shmmni = 4096 kernel.shmall = 2097152 kernel.shmmax = 33554432 kernel.rtsig-max = 1024 kernel.rtsig-nr = 0 kernel.hotplug = /sbin/hotplug kernel.modprobe = /sbin/modprobe kernel.printk = 1 4 1 7 kernel.ctrl-alt-del = 0 kernel.real-root-dev = 256 kernel.cap-bound = -257 kernel.tainted = 0 kernel.core_pattern = core kernel.core_setuid_ok = 0 kernel.core_uses_pid = 0 kernel.panic = 0 kernel.domainname = (none) kernel.hostname = unix kernel.version = #1 Thu Sep 23 14:41:14 EEST 2004 kernel.osrelease = 2.4.26-gentoo-r9 kernel.ostype = Linux fs.lease-break-time = 45 fs.dir-notify-enable = 1 fs.leases-enable = 1 fs.overflowgid = 65534 fs.overflowuid = 65534 fs.dentry-state = 1640 1438 45 0 0 0 fs.file-max = 13100 fs.file-nr = 140 37 13100 fs.inode-state = 1443 18 0 0 0 0 0 fs.inode-nr = 1443 18 unix sbin # vm.laptop_mode = 0 vm.max_map_count = 65536 vm.max-readahead = 31 vm.min-readahead = 3 vm.page-cluster = 3 vm.pagetable_cache = 25 50 vm.kswapd = 512 32 8 vm.overcommit_memory = 0 vm.bdflush = 50 500 0 0 500 3000 60 20 0 vm.vm_passes = 60 vm.vm_lru_balance_ratio = 2 vm.vm_mapped_ratio = 100 vm.vm_cache_scan_ratio = 6 vm.vm_vfs_scan_ratio = 6 vm.vm_gfp_debug = 0 kernel.lowlatency = 0 kernel.overflowgid = 65534 kernel.overflowuid = 65534 kernel.random.uuid = 5784cebf-b4c1-4e2d-b60c-c8ed66b10136 kernel.random.boot_id = 65fcbb7e-b4c3-452f-8d98-dc7ac3d67ea6 kernel.random.write_wakeup_threshold = 128 kernel.random.read_wakeup_threshold = 8 kernel.random.entropy_avail = 772 kernel.random.poolsize = 512 kernel.threads-max = 2047 kernel.cad_pid = 1 kernel.sysrq = 1

 ifconfig eth0 192.168.99.35 netmask 255.255.255.0 up
 ifconfig eth0 Link encap:Ethernet HWaddr 00:80:C8:F8:4A:51 inet addr:192.168.99.35 Bcast:192.168.99.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:190312 errors:0 dropped:0 overruns:0 frame:0
TX packets:86955 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100
RX bytes:30701229 (29.2 Mb) TX bytes:7878951 (7.5 Mb)
Interrupt:9 Base address:0x5000
Obsolete in Linux for many (10+) years but still heavily used everywhere because of muscle memory (and compatibility with other
UNIX versions)

 Many new features
 Developed
 Replaces many networking commands – arp, iptunnel, nameif, netstat, route
 More cisco-ish syntax
 ip link set eth0 up
 ip addr add 192.168.99.35/24 dev eth0
 ip addr show dev eth0




2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:12:33:44:55:66 brd ff:ff:ff:ff:ff:ff inet 192.168.99.35/24 brd 192.168.99.255 scope global eth0 valid_lft forever preferred_lft forever

Routing table:
[root@morgan]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.98.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo
0.0.0.0 192.168.98.254 0.0.0.0 UG 40 0 0 eth0
[ root@newlinuxway ]# ip route default via 192.168.99.1 dev eth0 proto static
192.168.99.0/24 dev eth0 proto kernel scope link src 192.168.99.35 metric 1
IP socket status:
[root@morgan]# netstat --inet -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 192 192.168.98.82:22 192.168.99.35:40991 ESTABLISHED tcp 0 0 192.168.98.82:42929 192.168.100.17:993 ESTABLISHED tcp 96 0 127.0.0.1:40863 127.0.0.1:6010 ESTABLISHED tcp 0 0 127.0.0.1:6010 127.0.0.1:40863 ESTABLISHED tcp 0 0 127.0.0.1:38502 127.0.0.1:6010 ESTABLISHED tcp 0 0 127.0.0.1:6010 127.0.0.1:38502 ESTABLISHED tcp 0 0 192.168.98.82:53733 209.10.26.51:80 SYN_SENT tcp 0 0 192.168.98.82:44468 192.168.100.17:993 ESTABLISHED tcp 0 0 192.168.98.82:44320 192.168.100.17:139 TIME_WAIT
[ root@newlinuxway ]# ss -f inet -n

Recommended IP/ICMP Settings
 Disable Ping
# sysctl –w net.ipv4.icmp_echo_ignore_all=1

Disable ICMP Echo Requests
# sysctl –w net.ipv4.icmp_echo_ignore_broadcasts=1

Disable IP Source Routing
# sysctl –w net.ipv4.conf.all.accept_source_route=0
 Disable ICMP Redirects
# sysctl –w net.ipv4.conf.all.accept_redirects=0

Enable TCP SYN Cookie Protection
# sysctl –w net.ipv4.tcp_syncookies=1

Disable Bogus Error Logging
# sysctl –w net.ipv4.icmp_ignore_bogus_error_responses=1
 Enable Bogus Packet Logging
# sysctl –w net.ipv4.conf.all.log_martians=1
Create blackhole
# sysctl net.inet.tcp.blackhole=1
# sysctl net.inet.udp.blackhole=1

 In Linux resolver has 2 config files

/etc/hosts specifies static mappings
185.300.10.1 host1
185.300.10.2 host2
185.300.10.3 host3
185.300.10.4 host4 merlin
185.300.10.5 host5 arthur king
185.300.10.5 timeserver
128.114.1.15 name1.xyz.aus.century.com name1

/etc/resolv.conf
specifies the nameservers and the default domain domain abc.aus.century.com
nameserver 192.9.201.1
nameserver 192.9.201.2

 Some software dynamically manages network connections (in some of newer UNIX)
 ls -l /etc/resolv.conf (a symlink)
 cat /etc/resolv.conf


# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

Nameserver 127.0.1.1
 ps aux | grep dns
 nobody 1481 0.0 0.0 31004 988 ? S Oct22 6:51 /usr/sbin/dnsmasq --no-resolv -keep-in-foreground --no-hosts --bind-interfaces --pidfile=/var/run/NetworkManager/dnsmasq.pid --listen-address=127.0.1.1 --conffile=/var/run/NetworkManager/dnsmasq.conf --cache-size=0 --proxy-dnssec --enabledbus=org.freedesktop.NetworkManager.dnsmasq --conf-dir=/etc/NetworkManager/dnsmasq.d

[ root@newlinuxway ]# ip route {add | del} 193.1.9.0/24 via 193.1.9.1

(specify how routers communicate with each other and gain knowledge of the topology of the network)

vs. CISCO

Setting Up Network Interface Cards FreeBSD
 Configuring the Network Card
Once the right driver is loaded for the network card, the card needs to be configured. As with many other things, the network card may have been configured at installation time by sysinstall . To display the configuration for the network interfaces on your system, enter the following command: juriskr >ifconfig fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 options=40<POLLING> inet 10.1.2.6 netmask 0xffffff00 broadcast 10.1.2.255
inet 10.1.2.4 netmask 0xffffffff broadcast 10.1.2.4
inet 10.1.2.7 netmask 0xffffffff broadcast 10.1.2.7
inet 10.1.2.12 netmask 0xffffffff broadcast 10.1.2.12
inet 10.1.2.9 netmask 0xffffffff broadcast 10.1.2.9
ether 00:02:55:c8:45:aa media: Ethernet autoselect (100baseTX <full-duplex>) status: active ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500 sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552 lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384 inet 127.0.0.1 netmask 0xff000000
To configure your card, you need root privileges. The network card configuration can be done from the command line with ifconfig(8) but you would have to do it after each reboot of the system. The file /etc/rc.conf
is where to add the network card's configuration.
juriskr >cat /etc/rc.conf | grep ifconfig ifconfig_fxp0="inet 10.1.2.6 netmask 255.255.255.0" ifconfig_fxp0_alias0="inet 10.1.2.4 netmask 255.255.255.255" ifconfig_fxp0_alias1="inet 10.1.2.7 netmask 255.255.255.255" ifconfig_fxp0_alias2="inet 10.1.2.9 netmask 255.255.255.255" ifconfig_fxp0_alias3="inet 10.1.2.12 netmask 255.255.255.255"

Setting Up Network Interface Cards FreeBSD
 IP-based Virtual Hosts (vs. name-based)
A very common use of FreeBSD is virtual site hosting, where one server appears to the network as many servers. This is achieved by assigning multiple network addresses to a single interface. A given network interface has one “real” address, and may have any number of “alias” addresses. These aliases are normally added by placing alias entries in
/etc/rc.conf. An alias entry for the interface fxp0 looks like: ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx“
Note that alias entries must start with alias0 and proceed upwards in order, (for example, _alias1, _alias2, and so on). The configuration process will stop at the first missing number. ifconfig_fxp0_alias0="inet 10.1.2.4 netmask 255.255.255.255" ifconfig_fxp0_alias1="inet 10.1.2.7 netmask 255.255.255.255" ifconfig_fxp0_alias2="inet 10.1.2.9 netmask 255.255.255.255" ifconfig_fxp0_alias3="inet 10.1.2.12 netmask 255.255.255.255"

Setting Up Network Interface Cards FreeBSD
 Testing and Troubleshooting

Testing the Ethernet Card

To verify that an Ethernet card is configured correctly, you have to try two things. First, ping the interface itself, and then ping another machine on the LAN.

First test the local interface: juriskr >ping -c 3 10.1.2.6
PING 10.1.2.6 (10.1.2.6): 56 data bytes
64 bytes from 10.1.2.6: icmp_seq=0 ttl=64 time=0.054 ms
64 bytes from 10.1.2.6: icmp_seq=1 ttl=64 time=0.050 ms
64 bytes from 10.1.2.6: icmp_seq=2 ttl=64 time=0.066 ms


--- 10.1.2.6 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.050/0.057/0.066/0.007 ms
Now we have to ping another machine on the LAN: juriskr >ping 10.1.2.5
PING 10.1.2.5 (10.1.2.5): 56 data bytes
64 bytes from 10.1.2.5: icmp_seq=0 ttl=64 time=0.381 ms
64 bytes from 10.1.2.5: icmp_seq=1 ttl=64 time=0.188 ms
64 bytes from 10.1.2.5: icmp_seq=2 ttl=64 time=0.178 ms
^C
--- 10.1.2.5 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.178/0.249/0.381/0.093 ms
You could also use the machine name instead of IP address if you have set up the /etc/hosts file.

[juris@ns1 ~]$ ifconfig eth0 Link encap:Ethernet HWaddr 00:0B:CD:41:F4:93 inet addr:81.xxx.xxx.xxx Bcast:81.xxx.xxx.xxx Mask:255.255.255.224
inet6 addr: fe80::20b:cdff:fe41:f493/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:473091457 errors:0 dropped:0 overruns:0 frame:0
TX packets:488547237 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
RX bytes:3458689275 (3.2 GiB) TX bytes:3985927941 (3.7 GiB)
Interrupt:193 eth0:1 Link encap:Ethernet HWaddr 00:0B:CD:41:F4:93 inet addr:10.xxx.xxx.xxx Bcast:10.xxx.xxx.xxx Mask:255.255.252.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:193 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6004400 errors:0 dropped:0 overruns:0 frame:0
TX packets:6004400 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0
RX bytes:645400309 (615.5 MiB) TX bytes:645400309 (615.5 MiB)
[juris@ns1 ~]$



 output doesn't end up in another session.
 terminal generated signals (^C) aren't received.




 Web server (httpd)
 Mail server (sendmail)
 SuperServer (inetd)
 System logging (syslogd)
 Print server (lpd)
 router process (routed, gated)

 No terminal - must use something else:

 file system central logging facility
 Syslog is often used - provides central repository for system logging.

 syslogd daemon provides system logging services to "clients".
 Simple API for "clients"

A library provided by O.S.

 Standard programming interface provided by syslog () function:
#include <syslog.h> void syslog( int priority, const char *message,
. . . );
 Works like printf()

Unix domain socket
/dev/log
(via libc)
UDP socket port 514
/dev/klog syslogd
Filesystem
/var/log/messages
Console
Remote syslogd

 Think of syslog as a server that accepts messages.
 Each message includes a number of fields, including:
 a level indicating the importance (8 levels)

LOG_EMERG 0 kernel panic
 condition needing immediate






LOG ALERT 1 attention
LOG_CRIT 2
LOG_ERR 3
LOG_WARNING 4
LOG_NOTICE 5 attention
LOG_INFO 6
LOG_DEBUG 7 critical conditions errors warning messages not an error, but may need informational messages when debugging a system

 a
that indicates the type of process that sent the message:

LOG_MAIL, LOG_AUTH, LOG_USER,
LOG_KERN, LOG_LPR, . . .
 Timestamp (added by syslogd)
 uname –n (added by syslogd)
 A text
.

Dec 27 02:45:00 moet.colorado.edu netinfod [71]: cann’t lookup child
Dec 27 02:50:00 bruno ftpd [27876]: open of pid file failed: not a directory
Dec 27 02:50:47 anchor vmunix: spurious VME interrupt at processor level 5
Dec 27 02:52:17 bruno pingem[107]: moose.cs.colorado.edu has not answered 34 times
Dec 27 02:55:33 bruno sendmail [28040] : host name/address mismatch:
192.93.110.26 != bull.bull..fr

/ * c program: syslog using openlog and closelog */
#include <syslog.h> main ( )
{ openlog ( “SA-BOOK”, LOG_PID, LOG_USER); syslog ( LOG_WARNING, “Testing …. “); closelog ( );
}
On the host, this code produce the following log entry :
Dec 28 17:23:49 moet.colorado.edu SA-BOOK [84]: Testing...

 Log files are normally kept in /var/log
 setings in /etc/syslog.conf
 /etc/init.d/syslog restart
 Syslog logs the system and what is happening on it
 Logcheck is a handy utility which checks the contents of logs and mails anything unusual
 http://www.psionic.com/abacus/logcheck/

 Replaces syslog in many newer Linux distros
 Configuration and old input backwards compatible with syslog
 Implements the basic syslog protocol (RFC 3164)
 Anonymization, Encryption, Signatures
 Speed
 Rate-Limiting
 New inputs – systemd (init)
 New outputs – DB, compressed files

 A daemon is a type of background process
 To force a process to run in the background, just fork() and have the parent exit
 There are a number of ways to disassociate a process from any controlling terminal
 call
and then
 run a program in a new session

 Daemons should close all unnecessary descriptors
 often including stdin, stdout, stderr .
 Get set up for using syslog

Call openlog()
• Often change working directory.
OR take a risk
• Many POSIX-based operating systems provide a function called daemon() which performs some or all of the steps listed above. Unfortunately it has three significant drawbacks:



It is not available on all systems.
Its behaviour is not standardised (or necessarily well-documented).
Its behaviour is more difficult to customise.

 There can be many servers running as daemons - and idle most of the time.
 Much of the startup code is the same for these servers.
 Most of the servers are asleep most of the time, but use up space in the process table.

 The SuperServer is named inetd . This single daemon creates multiple sockets and waits for (multiple) incoming requests.
 inetd typically uses select to watch multiple sockets for input.
 When a request arrives, inetd will fork and the child process handles the client.

 Daemon inetd started at boot time
 Configuration file /etc/inetd.conf

Name (service name=port), type, protocol, wait-status, uid, server, arguments
# ftp stream tcp6 nowait root /usr/sbin/tcpd in.ftpd
telnet stream tcp6 nowait root /usr/sbin/tcpd in.telnetd
#
# Mail is a useful thing...
pop3 stream tcp nowait root /etc/mail/popper popper -s imap stream tcp nowait root /etc/mail/imapd imapd

 The child process closes all unnecessary sockets.
 The child dup ’s the client socket to descriptors 0,1 and 2 ( stdin, stdout, stderr ).
 The child exec ’s the real server program, which handles the request and exits.

 Servers that are started by inetd assume that the socket holding the request is already established (descriptors 0,1 or 2).
 inetd creates a socket for each listed service
 TCP servers started by inetd don’t call accept , so they must call getpeername if they need to know the address of the client.

 For each service, inetd needs to know:




 the port number and transport protocol wait/nowait flag.
login name the process should run as.
pathname of real server program.
command line arguments to server program.

 When modifying inetd.conf

Disable a service

Add a # at the beginning of the entry

Send hang-up to inetd


 kill –HUP <pid> (reload conf)
Enable a service
Change the path
Modify arguments

echo stream tcp echo dgram udp chargen stream tcp chargen dgram udp ftp stream tcp telnet stream tcp finger stream tcp nowait root internal wait root internal nowait root internal wait root internal nowait root /usr/sbin/ftpd ftpd -l nowait root /usr/sbin/telnetd telnetd nowait root /usr/sbin/fingerd fingerd
# Authentication auth stream tcp nowait nobody /usr/sbin/in.identd in.identd -l -e -o
# TFTP tftp dgram udp wait root /usr/sbin/tftpd tftpd -s /tftpboot

ftp 21/tcp # File Transfer Protocol telnet 23/tcp # Telnet smtp 25/tcp # Simple Mail Transfer Protocol tftp 69/udp # Trivial File Transfer Protocol www 80/tcp # World Wide Web ntp 123/tcp # Network Time Protocol ntp 123/udp # Network Time Protocol

 Specifying WAIT means that inetd should not look for new clients for the service until the child (the real server) has terminated
 TCP servers usually specify nowait - this means inetd can start multiple copies of the
TCP server program - providing concurrency

 Most UDP services run with inetd told to wait until the child server has died.
 Some UDP servers hang out for a while, handling multiple clients before exiting.
 inetd was told to wait – so it ignores the socket until the UDP server exits.

 Some versions of inetd have server code to handle simple services such as echo server, daytime server, chargen,
…

 Servers that are expected to deal with frequent requests are typically web, NFS.
run from inetd: mail,
 Many servers are written so that a command line option can be used to run the server from inetd .

 Some versions of Unix provide a service very similar to inetd called xinetd .

 configuration scheme is different (more features) basic idea (functionality) is the same…

# typical xinetd.conf
defaults
{ instances log_type
= 60
= SYSLOG daemon log_on_success = HOST PID log_on_failure = HOST cps = 25 30
} includedir /etc/xinetd.d
root# ls /etc/xinetd.d
chargen daytime-udp finger shell time-udp chargen-udp echo ftp telnet root# cat /etc/xinetd.d/telnet service telnet
{ disable = yes socket_type = stream wait = no user = root server = /usr/libexec/telnetd groups = yes flags = REUSE access_times = 8:00-18:00 only_from = 128.138.12.0/24
}

 Superservers listen on multiple network ports and start the appropriate service when a client connection arrives for that port.
 xinetd is a superserver gaining popularity

It is a revised version of inetd that creates a more secure environment

Shipped with Red Hat Linux
 xinetd lately is the most widely used superserver

Application level security is provided via TCP Wrappers - the tcpd program


Network Services
- Stand alone vs Inetd

The Inetd Model
- Network Super Daemon
- /etc/services : Maps the name of the service to a port number.
eg: ulistserv 372/tcp ulistproc
- /etc/inetd.conf : Main Configuration file for inetd.
eg: ftp stream tcp nowait root /usr/sbin/tcpd proftpd

The Xinetd Model
- Advanced Replacement for inetd
- More Secure and flexible with Advanced Access Control Mechanisms
- /etc/xinetd.conf : Main Configuration file for xinetd
- /etc/xinetd.d/ : Contains files for services managed by xinetd


Managing Services in Inetd and Xinetd
- For Inetd : Comment out corresponding service from inetd.conf
- Restart Inetd
# pkill –HUP inetd
- For Xinetd : Make changes in xinetd.conf and xinetd.d
- Access control Mechanisms for services can be specified
# /etc/rc.d/init.d/xinetd restart

Typical Services to be Blocked
- Finger, rwho, rsh , rlogin, rexec, echo, ntalk
- FTP, Telnet
- Use ssh, scp, sftp

 There are 65535 ports available
 Services tend to use <1024

These are “priviledged” ports, only root may listen on them
 If you have something running under a port you don't recognise,

Find out what it is

Decide if you need it

 netstat -an
 tells you what connections are active
 netstat -lp
 tells which ports are listening
 ps -ef
 lists the running process
 chkrootkit

 checks for signs of rootkits
Common rootkits install trojaned tools





Many aspects of system administration require things to be done on a routine basis

Rotating logs


 building help files checking disk space checking permissions
Remembering to do thing is error prone
Unix provides scheduling mechanism refereed to as cron.
Cron has two parts

Daemon - crond
 table of actions /etc/crontab

 the crond Daemon is started at boot time
 the daemon ‘wakes up’ every minute to check its table of actions
 if their is something to do -> run command
 if nothing to do --> go back to sleep for 1 min
 Cron table is a list (time,commnd) pairs. The format is
 minute hour day month dayofweek command

 Commands can be scheduled by
 minute (0 59)



Hour ( 0 to 23)
Day of the month (1 31)
Month ( 1 to 12)

Day of the week (0=Sunday 6 = sat, or use mon,tues,wed)
 Example
01 * * * * commnd2 # hourly at 1 minute past
* 1 * * * commnd2 # daily at 1 am
04 1 * * * commnd3 # run at 4 minute past 1 each

 Under Redhat Linux the cron table is used to execute a set of commands in some special directories


/etc/cron.hourly
/etc/cron.daily
 contains logrotate, makewhatis,slocate,tmpwatch


/etc/cron.weekly
/etc/cron.monthly

You can add you own commands to the appropriate directory, but remember they need to be ‘batch’ commands as they will run automatically

 Minute 0-59
 Hour 0-23
 Day 1-31
 Month 1-12
 Weekday 0-6 (0=Sunday)

* Matches everything

1-3 Matches range

1,5 Matches Series
 Special strings - @hourly (same as 0 * * * *), @daily,
@weekly, @monthly, @yearly, etc.
 Most special of all @reboot

15,45 10 * * 1-5 write garth % Hi Garth % get a job
30 2 * * 1 (cd /user/joe/p; make ) find /tmp –atime +3 –exec rm –f {} ‘;’
 Output mailed to owner of crontab file

User crontab
 crontab Replace ^C exit
 crontab –l List
 crontab –e Edit
 crontab –l > cronfile
 crontab cronfile

 cron.allow
- If this file exists, it must contain your username for you to use cron jobs.
cron.deny
- If the cron.allow file does not exist but this does then, you must not be listed here.
System crontab
 Just edit /etc/crontab as root, nowadays it reloads automatically

 The cron utility runs in the background and constantly checks the /etc/crontab file.
 The cron utility also checks the /var/cron/tabs directory, in search of new crontab files. These crontab files store information about specific functions which cron is supposed to perform at certain times.

 Cleaning the filesystem
 Distribution of config files
 Rotating log files
 Backups
 Heavy task offloading

 The cron utility uses two different types of configuration files, the system crontab and user crontabs.
 The only difference between these two formats is the sixth field. In the system crontab, the sixth field is the name of a user for the command to run as. This gives the system crontab the ability to run commands as any user. In a user crontab, the sixth field is the command to run, and all commands run as the user who created the crontab; this is an important security feature.

# /etc/crontab - root's crontab for FreeBSD #
# $FreeBSD: src/etc/crontab,v 1.32 2002/11/22 16:13:39 tom Exp
$
#
#
SHELL =/bin/sh
PATH =/etc:/bin:/sbin:/usr/bin:/usr/sbin
HOME =/var/log
#
#
#minute hour mday month wday who command
#
#
*/5 * * * * root /usr/libexec/atrun






Like most FreeBSD configuration files, the # character represents a comment. Comments cannot be on the same line as a command or else they will be interpreted as part of the command.
First, the environment must be defined. The equals (=) character is used to define any environment settings, e.g. SHELL, PATH, and HOME options. If the SHELL line is omitted, cron will use the default, which is sh. If the PATH variable is omitted, no default will be
used and file locations will need to be absolute. If HOME is omitted, cron will use the invoking users home directory.
A line defines a total of seven fields. Listed here are the values minute, hour, mday, month, wday, who, and command. All time fields must be numeric values, and follow the twenty-four hour clock. The who field is special, and only exists in the /etc/crontab file. This field specifies which user the command should be run as. When a user installs his or her crontab file, they will not have this option.
In the previous example: */5 listing, followed by several more * characters. The * characters mean “first-last”, and can be interpreted as every time. So, judging by this line, it is apparent that the atrun command is to be invoked by root every five minutes regardless of what day or month it is.
Commands can have any number of flags passed to them; however, commands which extend to multiple lines need to be broken with the backslash “\” continuation character.

TCP Wrappers

Effective Access Control Mechanism

Invisible Layer to Block or Permit Access to Services

Hostname, IPAddresses, Logging

/etc/hosts.allow
 /etc/hosts.deny

 TCP Wrappers - tcpd - is an application-level access control program




TCP Wrappers is not a firewall and should be used with one if Linux security issues exist

Run in user mode; accept the connection, then decides if reject
Configuration is done by two files: /etc/hosts.allow and /etc/hosts.deny

Host-based access control lists
Ensure proper and expected configuration by testing carefully before relying on it
Use transparently with inetd OR link explicitly a daemon with the libwrap shared library

Overhead...

Firewalls

Access control policy
 Work in the kernel mode, deal with individual packets

Isolates networks

Packet filtering
IP Tables

Chains (Input, Output, Forward)

Targets (Accept, Drop, Reject, Log)

Efficient Packet Filtering based on protocols, IP
Address, state/stateless etc
# iptables -A INPUT -s 160.36.172.1 -j DROP

 Ipfw (Linux 1.2 kernels)
 Ipfwadm (Linux 2.0 kernels)
 Ipchains (Linux 2.2 kernels)
 Iptables (Linux 2.4 kernels)
 Iptables (Linux 2.6 kernels)
 Iptables (Linux 3.* kernels)

iptables –A INPUT –p tcp –d 10.252.49.231 \
-–dport 22 –j ACCEPT iptables –A INPUT –i eth0 –m state \
--state RELATED,ESTABLISHED –j ACCEPT iptables –A INPUT –i lo –j ACCEPT iptables –P INPUT DROP

iptables –A FORWARD –m state \
--state RELATED,ESTABLISHED –j QUEUE iptables –A FORWARD –p tcp –m state \
--state NEW,RELATED –j QUEUE

 Modem connections / DHCP
 Doesn’t drop connections when address changes
 Makes all packets from internal look like they are coming from the modem machine/DHCP address
(outgoing interface’s address): echo 1 > /proc/sys/net/ipv4/ip_forward modprobe iptable_nat iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

 Linux uses the Netfilter/iptable package to add filtering rules to the IP module
To application From application filter
INPUT
Yes
Destination is local?
No filter
FORW ARD nat
PREROUTING
(DNAT) nat
OUTPUT filter
OUTPUT nat
POSTROUTING
(SNAT)
Incoming datagram
Outgoing datagram

 1:1 example: iptables –t nat –A POSTROUTING –s 10.0.1.2
–j SNAT --to-source 128.143.71.21
 Pooling of IP addresses: iptables –t nat –A POSTROUTING –s 10.0.1.0/24
–j SNAT --to-source 128.128.71.0–128.143.71.30
 ISP migration: iptables –t nat –R POSTROUTING –s 10.0.1.0/24
–j SNAT --to-source 128.195.4.0–128.195.4.254
 IP masquerading: iptables –t nat –A POSTROUTING –s 10.0.1.0/24
–o eth1 –j MASQUERADE
 Load balancing: iptables -t nat -A PREROUTING -i eth1 -j DNAT --todestination 10.0.1.2-10.0.1.4

 Translate source address iptables –t nat –A POSTROUTING
–o <outgoing-interface> -j SNAT
–-to-source <address>[-<address>][:port-port] iptables –t nat –A POSTROUTING –o eth1
-j SNAT –-to-source 10.252.49.231

 Translate destination address iptables –t nat –A PREROUTING
–i <incoming-interface> -j DNAT
--to-destination <address>[-<address>][:port-port] iptables –t nat –A PREROUTING -i eth0 –p tcp \
-d 10.252.49.77 –dport 80 –j DNAT \
--to-destination 10.252.49.231
iptables –t nat –A PREROUTING -i eth0 –p tcp \
-d 10.252.49.77 –dport 80 –j REDIRECT

 Source Policy Routing: Make sure Person A, who pays the lower rate, gets routed over the house modem instead of the DSL
 Split Access for Multiple Uplinks: Packets coming in from ISP A go back out ISP A
 Load Balancing: default route becomes a multipath path route, balance routes over 2 providers iptables –t nat –A PREROUTING –i eth0
–d 10.252.49.231 –p tcp –-dport 80 –j DNAT
–-to-destination 10.252.50.4-10.252.50.8

 First-In-First-Out (FIFO)
 no classes
 fast, easy to implement
 Priority Queuing
 all traffic in a high-priority class is sent before any in a lower priority one
 Class-based Queuing (CBQ)
 a number of bytes is sent from each class before going to the next class

 CBQ is an interface to the Linux tc command
 tc (traffic control)
 Other queuing systems besides CBQ are available

HBQ, TBF, SFQ

R T - V id e o
5 0 %
L in k ( P ip e )
T e x t , C G I
2 5 %
G I F , J P E G
2 5 %
C o n n . 1
5 0 %
C o n n . 2
1 5 %
C o n n . 3
1 0 %
C o n n . 4
1 2 . 5 %
C o n n . 5
1 2 . 5 %

 pfifo_fast – first in first out – 3 bands, packets in
Band 0 get handled, then Band 1, etc.
 Token Bucket Filter – Rate does not exceed some limit, but bursting is possible with enough tokens

Allows uploading without killing interactive sessions: tc qdisc add dev ppp0 root tbf rate 220kbit latency
50ms burst 1540
 Stochastic Fairness Queueing – less accurate but promotes fairness so no one conversation drowns out the others tc qdisc add dev ppp0 root sfq perturb 10
 red - Random Early Detection simulates physical congestion by randomly dropping packets when nearing configured bandwidth allocation. Well suited to very large bandwidth applications.

 Linux 2.4 kernel (2.4.21)
 bridging support built into 2.4 kernels

If you also want iptables support on the bridge must also install the ebtables-brnf patch for your kernel

Bridge is configured using tools from bridge-utils
 brctl addbr br0; brctl addif br0 eth0; brctl addif br0 eth3

 iplink set br0 up; ifconfig eth0 up ifconfig eth3 up ip addr add 142.103.66.4/24 brd + dev br0

ifconfig eth0 0.0.0.0 up ifconfig eth1 0.0.0.0 up brctl addbr br0 brctl addif br0 eth0 brctl addif br0 eth1
No Spanning Tree Protocol: brctl stp br0 off
Turn it on: ifconfig br0 0.0.0.0 up
Or give the bridge an IP address and turn it on: ifconfig br0 10.252.49.231 netmask 255.255.255.0 up route add default gw 10.252.49.1

 Security tool (Bastille / Titan / JASS)
 Host intrusion detection systems


Monitor changes in filesystems/memory
Record attributes and checksums in a secure location

Compare later and report anomalies
 (Network) Intrusion detection or prevention systems




Monitor host or whole network
Signature-Based Detection
Statistical anomaly-based detection
Stateful Protocol Analysis Detection

 Good free implementations for:

DNS

BIND v8/9, djbdns



SMTP
 sendmail, qmail , postfix, exim
POP/IMAP
 qpopper, uwimapd
HTTP

Apache, nginx

PHP, mySQL
“If it was hard to develop, it should be hard to install!”

 Later versions of BIND use the configuration file /etc/named.conf
 This file is divided into five sections: options, controls, three different zones and an include line, which refers to the rndc security file
 A zone is a part of the DNS domain tree for which the DNS server has authority to provide information
 Zone information is contained in files referred to in named.conf



Before Internet network started use DNS system there was hosts files.

However there are one main disadvantage of using host file - search time increase exponentially.

This is the main reason why Internet network started use DNS system.

By the way, DNS system let you use distributed administrative model in order to delegate administrative rights to other people.


You can imagine DNS system structure using image below:
"." (root) host wsu.ru
host gw.wsu.ru
host gw1.wsu.ru
ru wsu msu gw gw1 net com edu au
.
ru domain
.wsu.ru domain

 DNS zones com edu terra flora www gov
… mfg ntserver
Terraflora.com domain mfg.terraflora.com zone
… servers terraflora.com zone

 DNS request:



Required information for DNS requests
Making DNS requests
DNS requests types:

Recursive requests

Iterative requests

212.16.195.98
ns.wsu.ru
IP(crypt.iae.nsk.su) = ?
IP(crypt.iae.nsk.su) = ?
Authoritative server for nsk.su - ns.nsk.su server
IP(crypt.iae.nsk.su) = ?
Authoritative server for iae.nsk.su iaebox.iae.nsk.su
IP(crypt.iae.nsk.su) = ?
IP(crypt.iae.nsk.su) =
193.124.169.58
IP(crypt.iae.nsk.su) =
193.124.169.58
ada.wsu.ru
Root servers ns.nsk.su
iaebox.iae.nsk.su
ada.wsu.ru

 DNS system planning factors.
 Number of servers and system platforms
 Server types:





Primary server
Secondary servers
Cache servers
Forward servers
Stealth servers

 DNS database resource records (RR)
 DNS database RR forms and types
 Standard RR
 DNS database file structure
 IN-ADDR.ARPA zone for reverse address-toname translation

 RR format





TYPE contain RR type code
CLASS contain RR class code
TTL contain Time to Live value
RDLENGTH – data length
RDATA – data
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
NAME
TYPE
CLASS
TTL
RDLENGTH
RDATA

 DNS RR types












A
NS
MX
MD
MF
CNAME
SOA
WKS
SRV
TXT
PTR
…
• DNS CLASS types
– IN
– CS
– CH
– HS

 BIND server configuration acl – define access control list in order to control access to server resources
Controls – define control channel for rndc control utility.
Include can be used to merge a lot of configuration file in one.
Key – use information to check identity using TSIG technology.
Logging – use to control logging options of DNS server.
Options different DNS server options. Use mainly for global server configuration.
Server certain server configuration options.
trusted-keys used for DNSSEC protocol to hold trusted keys.
View - define view options.
Zone – define zone option.

Split DNS example:
… view "internal" { match-clients { 10.0.0.0 / 8 ; }; recursion yes; zone "example.com" { type master; file "example-internal.db";
};
}; view "external" { match-clients { any; }; recursion no; zone "example.com" { type master; file "example-external.db";
};
};
….

DNS configuration file example: logging { category lame-servers { null; };
}; options { directory "/var/named"; allow-transfer { 195.13.160.52;
195.244.128.2; 10.196.5.130; }; recursive-clients 2000; notify yes;
}; acl "internals" {
127.0.0.1; 10.196.0.0/16; 10.1.72.0/24;
10.129.24.0/24; 10.130.24.0/24;
}; view "internal" { match-clients { "internals"; }; recursion yes; zone "." IN { type hint; file "named.ca";
}; zone "0.0.127.in-addr.arpa" IN { type master;
file "named.local"; allow-update { none; };
}; zone "test.lv" { type master; file "test.lv.zone";
};
}; view "external" { match-clients { any; }; recursion no;
};
}; zone "." IN { type hint; file "named.ca";
}; zone "test.lv" { type master; file "test.lv.public.zone";

DNS server database file:
$ORIGIN .
$TTL 3600 ; 1 hour test.lv IN SOA ns1.test.lv. jurisk.test.lv. (
2006040301 ; serial
28800 ; refresh (8 hours)
1800 ; retry (5 minutes)
1209600 ; expire (2 weeks)
28800 ; minimum (1 hour)
)
NS ns1.test.lv.
A 10.196.5.131
MX 10 eproxy.test.lv.
MX 20 eproxy1.test.lv.
MX 30 eproxy2.test.lv.
$ORIGIN test.lv.
router A 10.196.5.1
eproxy A 10.196.5.187
eproxy1 A 10.196.5.188
eproxy2 A 10.196.5.189
ns1 A 10.196.5.131
mail CNAME ns1 nais A 10.196.2.11
;
; test WWW on Lattelekom servers
; www A 81.198.40.10
admin A 81.198.40.10
editor A 81.198.40.10
www A 81.198.40.11
tavro A 81.198.40.10
tekno A 81.198.40.11
$ORIGIN it.test.lv.
router A 10.196.5.1
$ORIGIN test.lv.
proxy2 A 10.196.5.8
help A 10.196.5.10
ssiahq01 A 10.196.5.31
nw1 A 10.196.5.58

Reverse DNS zone in-addr.arpa
$ORIGIN .
$TTL 3600 ; 1 hour
5.196.10.in-addr.arpa IN SOA ns1.test.lv. root.ns1.test.lv. (
2006012401 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
3600000 ; expire (5 weeks 6 days 16 hours)
3600 ; minimum (1 hour)
)
NS ns1.test.lv.
$ORIGIN 5.196.10.in-addr.arpa.
1 PTR router.it.test.lv.
7 PTR instructor.it2.test.lv.
8 PTR proxy2.test.lv.
10 PTR help.test.lv.
31 PTR ssiahq01.test.lv.
58 PTR nw1.test.lv.
60 PTR sandbox.test.lv.
77 PTR rs6000f50.test.lv.
119 PTR risc6000f30.test.lv.

 sudo /sbin/service named restart
Password:
Stopping named:
Starting named: [ OK ]
$ sudo tail /var/log/messages
Jan 28 22:36:22 womnibook named[11333]: loading configuration from '/etc/named.conf'
Jan 28 22:36:22 womnibook named[11333]: no IPv6 interfaces found
Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface eth0, 192.168.1.74#53
Jan 28 22:36:22 womnibook named[11333]: listening on IPv4 interface eth1, 192.168.2.5#53
Jan 28 22:36:22 womnibook named[11333]: command channel listening on 127.0.0.1#953
Jan 28 22:36:22 womnibook named[11333]: zone johannes.org/IN: loaded serial 142
Jan 28 22:36:22 womnibook named[11333]: running
Jan 28 22:36:22 womnibook named[11333]: zone johannes.org/IN: sending notifies (serial 142)
Jan 28 22:36:22 womnibook named: named startup succeeded

 Usefull utilities:






Dig
Host
Nslookup
Rndc
Named-checkzone
Name-checkconfig

qmail
Maturity Security Features Performance medium
Sendmail high high low high high high low
Postfix exim
Courier medium medium low high low medium medium high high high medium medium
Bron: Life with qmail, p. 5

 Sendmail is the most widely used email server




The sendmail package contains the sendmail daemon
Sendmail is started using a script in /etc/rc.d/init.d
Sendmail is configured using the file /etc/sendmail.cf
Most email administrators prefer to use the m4 program to configure sendmail

Mail Server
Email database
MDA
MTA
Workstation
MUA
SMTP
Mail Server
Email database
MTA
MDA
SMTP
Workstation
MUA
POP3/IMAP

Web server
Webmail client
(Squirre
Mail)
Mail Server
MUA
Email database
MTA
Workstation browser

Mail User
Agent
Mail
Transport
Agent
Mail
Transport
Agent
Mail User
Agent mbox
Mail
Delivery
Agent
 Message composed using an MUA
 MUA gives message to MTA for delivery


If local, the MTA gives it to the local MDA
If remote, transfer to another MTA
Mail
Delivery
Agent mbox

qmail-smtpd
qmail-inject qmail-queue
Incoming SMTP mail
Other incoming mail qmail-send qmail-rspawn qmail-lspawn qmail-remote qmail-local

tux:~# apt-get update tux:~# apt-get install qmail sh -c "start-stop-daemon --start --quiet --user root \
--exec /usr/bin/tcpserver -- \
0 pop-3 /usr/sbin/qmail-popup `hostname`.`dnsdomainname` \
/usr/bin/checkpassword /usr/sbin/qmail-pop3d Maildir &

 Configuration stored in
/var/qmail/control/
 Configure:







Relaying
Multiple host names
Virtual domains
Aliases qmail-users
Blackhole lists
Mailbox formaat

In March 1997, I offered $500 to the first person to publish a verifiable security hole in the latest version of qmail: for example, a way for a user to exploit qmail to take over another account.
My offer still stands. Nobody has found any security holes in qmail.
D.J.Bernstein
On November 1, 2007, Bernstein raised the reward to US$1000.

 Do as little as possible in setuid programs

Of 20 recent sendmail security holes, 11 worked only because the entire sendmail system is setuid

Only qmail-queue is setuid

Its only function is add a new message to the queue
 Do as little as possible as root

The entire sendmail system runs as root

Operating system protection has no effect

Only qmail-start and qmail-lspawn run as root.

 Parsing

Limited parsing of strings

Minimizes risk of security holes from configuration errors
 Libraries

Avoid standard C library, stdio

“Write bug-free code” (DJB)

 what is Apache?
 Apache’s functionality
 installing Apache
 directory structure
 configuration
 tools

 Apache
 Dynamic Content

CGI

PHP
 MySQL

Browser
1
4
Webserver
HTML
3
2

 ...is a software program that does the following



Accepts requests for web pages from a browser.
Looks for the requested pages on the server hard drive.
Sends a copy of the the requested web page to the browser.

A web server can only serve HTML and jpg/gif files
 In our case, we use a very popular web server called Apache.

 open-source
 very popular (more than 67% of the web sites)
 highly configurable and extensible with thirdparty modules
 runs on many operating systems (most of the
Unix)
 is actively being developed

 DBM databases for authentication
 customized responses to errors and problems
 unlimited flexible URL rewriting and aliasing
 Virtual Hosts
 Configurable Reliable Piped Logs

 mod_access

Access control based on client hostname or IP address
 mod_alias

Mapping different parts of the host filesystem in the document tree, and URL redirection
 mod_auth

User authentication using text files
 mod_autoindex

Automatic directory listings
 mod_cgi

Invoking CGI scripts

 mod_include

Server-parsed documents
 mod_mime

Determining document types using file extensions
 mod_proxy

Caching proxy abilities
 mod_rewrite

Powerful URI-to-filename mapping using regular expressions
 mod_usertrack

User tracking using Cookies
 mod_vhost_alias

Support for dynamically configured mass virtual hosting

 mod_ssl




This module provides strong cryptography for the Apache 1.3 webserver via the Secure Sockets Layer (SSL) and Transport
Layer Security (TLS) protocols by the help of the Open Source
SSL/TLS toolkit OpenSSL.
Requires Apache 1.3.x and OpenSSL 0.9.x
Private and Public keys
Thawte (www.thawte.com), Versisign (www.verisign.com)

 Unix binary package

RPM

DEB
 Source
 Windows (MSI Installer)

$ ./configure --prefix=/usr/local/apache
$ make
$ make install
$ /usr/local/apache/bin/apachectl start

 ./configure –help

--show-layout
 show GNU style directory layout

--with-layout=GNU

Use GNU style directory layout


--enable-suexec

Enable suEXEC support for CGI and SSI
--add-module=/path/to/mod_foo.c
 compiles, installs and adds module as a
Dynamic Shared Object

arnis@perkons:~$ ps aux | grep apache root 289 0.0 0.2 8400 2564 ? Ss Nov15 0:02 /usr/local/apache/bin/httpd root 307 0.0 0.1 8764 1480 ? Ss Nov15 0:00 /usr/local/apachessl/bin/httpd -DSSL apache- 315 0.0 0.1 14768 1580 ? S Nov15 0:27 /usr/local/apachessl/bin/httpd -DSSL apache- 13822 0.0 0.2 15224 2644 ? S Nov15 0:26 /usr/local/apachessl/bin/httpd -DSSL apache 11290 0.0 0.3 16856 3112 ? S Nov17 0:31
/usr/local/apache/bin/httpd apache 498 0.2 0.8 12596 8484 ? S Nov18 8:54
/usr/local/apache/bin/httpd
....

 Debian

/etc/init.d/apache

Apache control script

/etc/apache

Apache configuration files


/var/www

Default Document Root
/usr/lib/cgi-bin

Default script directory






/var/log/apache
 log files (access.log, error.log)
/usr/sbin
 rotatelogs, ab (Apache Benchmark)
/usr/bin
 htpasswd, htdigest, dbmmanage
/usr/lib/apache/1.3

Apache modules
/usr/lib/apache/suexec

 Slackware






/usr/local/apache
/usr/local/apache/conf
/usr/local/apache/htdocs
/usr/local/apache/cgi-bin
/var/log/apache
/usr/local/apache/bin

LogFormat "%v %h %l %u %t \"%r\" %>s %b" common
CustomLog /usr/local/apache/logs/access_log common

%v – virtual host






%h – remote host
%u – user
%t - time
%r – HTTP request
%>s – status code
%b – size www.atlants.lv 159.148.85.46 - - [21/Nov/2004:17:23:36 +0200]
"GET /index.php?m=5 HTTP/1.1" 200 32257

ErrorLog /usr/local/apache/logs/error_log
LogLevel warn
[Sun Nov 21 09:13:42 2004] [error] PHP Fatal error: Call to undefined function PN_DBMsgError() in
/home/msaule/public_html/referer.
php on line 85
[Sun Nov 21 12:41:09 2004] [error] [client 81.198.145.117] File does not exist: /home/sms/public_html/favicon.ico
php on line 85
[Sun Nov 21 13:02:50 2004] [error] [client 66.249.66.173] File does not exist: /home/code/public_html/robots.txt
[Sun Nov 21 13:08:26 2004] [error] [client 81.198.176.114] File does not exist:
/home/refuser2/public_html/_vti_bin/owssvr.dll
[Sun Nov 21 13:08:26 2004] [error] [client 81.198.176.114] File does not exist:
/home/refuser2/public_html/MSOffice/cltreq.asp
[Sun Nov 21 13:09:07 2004] [error] [client 81.198.176.114] File does not exist:
/home/refuser2/public_html/_vti_bin/owssvr.dll
[Sun Nov 21 13:09:07 2004] [error] [client 81.198.176.114] File does not exist:
/home/refuser2/public_html/MSOffice/cltreq.asp

 Edit httpd.conf
 Check configuration “ apachectl configtest ”
 Restart Apache
 Check changes http://httpd.apache.org/docs/

 Virtual host
<VirtualHost *>
ServerName www.jrt.lv
ServerAlias www.jrt.com
CustomLog /usr/local/apache/logs/jrt_access_log common
ErrorLog /usr/local/apache/logs/jrt_error_log
DocumentRoot /home/jrt/public_html
</VirtualHost>

 .htaccess
AuthType Basic
AuthUserFile /home/someuser/passwd
AuthName "Admin" require valid-user
 htpasswd htpasswd -c <password file> <username> user1:Y90u499mUj6xE user2:DOrWgcNwzaQUQ

 Unix Threading
 New Build System
 Multiprotocol Support
 New Apache API
 IPv6 Support
 Filtering
 Multilanguage Error Responses
 Regular Expression Library Updated

Browser
1
6 Webserver
5
4
Script Engine
(PHP, Perl, ...)
3
HTML
&
Scripts
2

 Scripting engine
 CGI
 PHP
 Apache module vs. CGI

 Apache only sends content to the user
 What if I need some resources/information from server

Send e-mail


Store some information in file (guestbook)
Execute unix applications

And much more...
 We need programming language

 Script engine is a software program that does the following:



Accepts scripts passed along from the web server that are of the non-HTML type.
Processes these scripts.
Returns the result of this processing to the web server.

 Two ways how to server dynamic content


CGI

Apache module
 Many programming languages to use
PHP, Perl, Python, C, C++, shell scripts ...

A standard for running external programs from a World-
Wide Web HTTP server. CGI specifies how to pass arguments to the executing program as part of the
HTTP request. It also defines a set of environment variables. Commonly, the program will generate some
HTML which will be passed back to the browser but it can also request URL redirection.

 Shell script
#!/bin/bash echo "Content-type: text/plain" echo "" echo "Hello world!" echo "Today is:" `date`

 Perl script
#!/usr/bin/perl print "Content-type: text/plain\n\n"; print "Hello world!\n"; print "Today is: " . localtime() . "\n";

 mod_perl mod_perl brings together the full power of the Perl programming language and the Apache HTTP server. You can use Perl to manage Apache, respond to requests for web pages and much more.
 mod_php
PHP is a widely-used general-purpose scripting language that is especially suited for Web development and can be embedded into HTML
 mod_python, OpenASP Module, ...

 What is PHP?
 Installing PHP
 Configuring PHP

<html>
<head>
<title>Example</title>
</head>
<body>
<?php echo "Hi, I'm a PHP script!" ;
?>
</body>
</html>

 Pros


 easy to learn ideal for small projects widely used
 no strong typing
 Cons



 no strong typing code maintenance interpreted language executes in the Web server process
PHP

 Server-side scripting
 Command line scripting
 Client-side GUI applications

 Gentoo
# emerge \<apache-2
# USE="-*" emerge php mod_php
# ebuild /var/db/pkg/dev-php/mod_php-<your PHP version>/mod_php-<your PHP version>.ebuild config
# nano /etc/conf.d/apache Add "-D PHP4" to
APACHE_OPTS # rc-update add apache default
# /etc/init.d/apache start

 Source instalation

Install PHP
./configure --with-mysql --with-apxs=/www/bin/apxs make make install cp php.ini-dist /usr/local/lib/php.ini

Edit your httpd.conf to load the PHP module.
LoadModule php4_module libexec/libphp4.so
AddModule mod_php4.c

AddType application/x-httpd-php .php .phtml
Restart Apache

 php.ini read once at web server startup
; any text on a line after an unquoted semicolon
(;) is ignored
[php] ; section markers (text within square brackets) are also ignored
; Boolean values can be set to either: ; true, on, yes
; or false, off, no, none register_globals = off track_errors = yes
; you can enclose strings in double-quotes include_path = ".:/usr/local/lib/php"

 php.ini directives max_execution_time = 30 ; Maximum execution time of each script, in seconds max_input_time = 60 ; Maximum amount of time each script may spend parsing request data memory_limit = 8M ; Maximum amount of memory a script may consume (8MB)
; - Show all errors except for notices and coding standards warnings error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT display_errors = Off log_errors = On error_log = filename

 Apache configuration file
<VirtualHost 10.10.10.10>
DocumentRoot /home/someuser/public_html
ServerName www.somesite.lv
<Directory /home/someuser/public_html/> php_admin_value open_basedir
/home/someuser/:/tmp/:/usr/share/pear/ php_value auto_prepend_file
/home/someuser/includes/default.inc
php_value upload_max_filesize 10M
</Directory>
</VirtualHost>

 .htaccess file
AddType application/x-httpd-php .php3
php_value include_path
.:/home/someuser/includes:/home/someuser/public_html php_flag register_globals Off
 PHP scripts
<?
ini_set("display_errors", "true"); ini_set("error_log","/home/someuser/log/php.log");
...

 Apache module


Good performance
One user for all websites

Other user’s source files can be accessed
 CGI

PHP safe_mode

New process each time
 suEXEC – each website under its own user
 fastCGI

Browser
1
HTML
&
PHP
2
8
Webserver
7
4
PHP Engine
6
5
MySQL Database
Server
3

 About MySQL
 Installing MySQL
 MySQL directory structure
 MySQL commands
 Some examples
 PHPMyAdmin

 Open source
 Very fast
 Stable
 Easy to use
 Independant storage engines

Can be run with or without transaction control
 Security


SSL support
Resources configurable per user basis

 Subqueries
 New client-server protocol with prepared statements
 Unicode and UTF-8 support
 Query cashing
 Much more...

 Binary distribution shell> groupadd mysql shell> useradd -g mysql mysql shell> cd /usr/local shell> gunzip < /path/to/mysql-VERSION-OS.tar.gz | tar xvf shell> ln -s full-path-to-mysql-VERSION-OS mysql shell> cd mysql shell> scripts/mysql_install_db --user=mysql shell> chown -R root .
shell> chown -R mysql data shell> chgrp -R mysql .
shell> bin/mysqld_safe --user=mysql &

 Source distribution shell> groupadd mysql shell> useradd -g mysql mysql shell> gunzip < mysql-VERSION.tar.gz | tar -xvf shell> cd mysql-VERSION shell> ./configure --prefix=/usr/local/mysql shell> make shell> make install shell> cp support-files/my-medium.cnf /etc/my.cnf
shell> cd /usr/local/mysql shell> bin/mysql_install_db --user=mysql shell> chown -R root .
shell> chown -R mysql var shell> chgrp -R mysql .
shell> bin/mysqld_safe --user=mysql &

 Check instalation
 shell> bin/mysqladmin version
 Create system tables
 shell> bin/mysql_install_db --user=mysql
 Make nessesary databases and users


CREATE DATABASE
GRANT

 ./

MySQL server control scripts
 bin/

MySQL server, MySQL client and commandline tools
 data/

Databases – directories

Tables – files (MYD, MYI,FRM)
 var/log

Log files

 mysql

MySQL client
 mysqladmin

MySQL administration tool
 mysqldump

Tool for creating database dumps

 CREATE DATABASE <database name>
 DROP
 GRANT ALL PRIVILEGES on database.* to user@localhost IDENTIFIED BY ‘password’

Privilege type (ALL, ALTER, CREATE, DELETE, INSERT,
SELECT, GRANT, ...)

Privilege level (globa, database, table, column)

User and host (localhost, IP address, network, %)
 REVOKE

MySQL and SQLite Examples

phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the
Web (http://www.phpmyadmin.net/)
 CREATE/DROP databases
 CREATE/DROP/ALTER tables
 Delete/add/edit/search information
 Execute SQL queries
 Manage privileges
 Export data

<?php
// create new database (OO interface)
$db = new SQLiteDatabase ( "db.sqlite" );
// create table foo and insert sample data
$db -> query ( "BEGIN;
CREATE TABLE foo(id INTEGER PRIMARY KEY, name CHAR(255));
INSERT INTO foo (name) VALUES('Ilia');
INSERT INTO foo (name) VALUES('Ilia2');
INSERT INTO foo (name) VALUES('Ilia3');
COMMIT;" );
// execute a query
$result = $db -> query ( "SELECT * FROM foo" );
// iterate through the retrieved rows while ( $result -> valid ()) {
// fetch current row
}
$row = $result -> current (); print_r ( $row );
// proceed to next row
$result -> next ();
// not generally needed as PHP will destroy the connection unset( $db );
?>

<?php
// Connecting, selecting database
$link = mysql_connect ( 'mysql_host' , 'mysql_user' , 'mysql_password' ) or die( 'Could not connect: ' . mysql_error ()); echo 'Connected successfully' ; mysql_select_db ( 'my_database' ) or die( 'Could not select database' );
// Performing SQL query
$query = 'SELECT * FROM my_table' ;
$result = mysql_query ( $query ) or die( 'Query failed: ' . mysql_error ());
// Printing results in HTML echo "<table>\n" ; while ( $line = mysql_fetch_array ( $result , MYSQL_ASSOC )) { echo "\t<tr>\n" ; foreach ( $line as $col_value ) { echo "\t\t<td>$col_value</td>\n" ;
} echo "\t</tr>\n" ;
} echo "</table>\n" ;
// Free resultset mysql_free_result ( $result );
// Closing connection mysql_close ( $link );
?>