Linux Services

advertisement
Linux Services
Sirak Kaewjamnong
Linux DHCP Server



DHCP is an IP address dynamically
assigned from DHCP server.
PC client will most likely get its IP
address at boot time from the home
router instead
The DHCP server RPM's filename
usually starts with the word dhcp
followed by a version number

dhcp-3.0.1rc14-1.i386.rpm.
2
The /etc/dhcpd.conf File


When DHCP starts, it reads the file
/etc/dhcpd.conf.
The standard DHCP RPM package doesn't
automatically install a /etc/dhcpd.conf file, but
a sample copy of dhcpd.conf is in the following
directory

/usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample
3
/etc/dhcpd.conf example file
ddns-update-style interim;
ignore client-updates;
subnet 172.27.21.0 netmask 255.255.255.0 {
# --- default gateway
option routers
option subnet-mask
option
option
option
option
option
#
172.27.21.254;
255.255.255.0;
nis-domain
"cp.su.ac.th";
domain-name
"cp.su.ac.th";
domain-name-servers
202.28.72.66;
domain-name-servers
202.44.135.9;
time-offset
-18000; # Eastern Standard Time
option netbios-node-type 2;
range dynamic-bootp 172.27.21.200 172.27.21.250;
default-lease-time 21600;
max-lease-time 43200;
}
}
4
How to get DHCP started

Use the chkconfig command to get DHCP
configured to start at boot:
[root@bigboy tmp]# chkconfig dhcpd on

Use the service command to instruct the
/etc/init.d/dhcpd script to start/stop/restart DHCP
after booting
[root@bigboy tmp]# service dhcpd start
[root@bigboy tmp]# service dhcpd stop
[root@bigboy tmp]# service dhcpd restart
5
SAMBA

Samba is a suite of utilities that
allows your Linux server to share
files and other resources, such as
printers, with Windows clients.
6
Get SMB started

Configure Samba to start at boot time using the
chkconfig command:
[root@bigboy tmp]# chkconfig smb on

Start/stop/restart Samba after boot time using
the smb initialization script as in the examples
below:
[root@bigboy tmp]# service smb start
[root@bigboy tmp]# service smb stop
[root@bigboy tmp]# service smb restart

Note: Unlike many Linux packages, Samba does
not need to be restarted after changes have been
made to its configuration file, as it is read after
the receipt of every client request.
7
The Samba Configuration File
The /etc/samba/smb.conf file is the main configuration
Section
[global]
[printers]
Description
General Samba configuration parameters
Used for configuring printers
[homes]
Defines treatment of user logins
[netlogon]
A share for storing logon scripts.
(Not created by default.)
[profile]
A share for storing domain logon information such as "favorites" and
desktop icons.
(Not created by default.)
8
Samba's SWAT web interface


SWAT, Samba's web based configuration
tool to enables smb.conf file without
needing to remember all the formatting.
Each SWAT screen is actually a form that
covers a separate section of the smb.conf
file into which admin fill in the desired
parameters, each parameter box has its
own online help
9
Samba SWAT Main Menu
10
Basic SWAT Setup


Root must always remember that SWAT
edits the smb.conf file but also strips out
any comments that may have manually
entered into it beforehand.
The original Samba smb.conf file has
many worthwhile comments in it, you
should save a copy as a reference before
proceeding with SWAT.

For example, you could save the original file
with the name /etc/samba/smb.conf.original
[root@tmp]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original
11
Basic SWAT Setup

The enabling and disabling, starting and
stopping of SWAT is controlled by xinetd
via a configuration file named
/etc/xinetd.d/swat
service swat
{
port
= 901
socket_type
= stream
protocol
= tcp
wait
= no
user
= root
server
= /usr/sbin/swat
log_on_failure += USERID
disable
= no
only_from
= localhost
}
12
Basic SWAT Setup


The disable parameter must be set to no to accept
connections. This can automatically be switched
between yes and no.
The default configuration only allows SWAT web
access from the VGA console only as user root on
port 901 with the Linux root password.


This means root have to enter "http://127.0.0.1:901"
in browser to get the login screen.
root can make SWAT accessible from other servers
by adding IP address entries to the only_from
parameter of the SWAT configuration file.

An example of an entry to allow connections only
from 192.168.1.3 and localhost.
only_from = localhost 192.168.1.3
13
Controlling SWAT



Same as all xinetd-controlled applications,
the chkconfig command automatically
modifies the disable field accordingly in
the configuration file and activates the
change.
Before SWAT can be used, the xinetd
program which controls it must be
activated in advance.
You can start/stop/restart xinetd after
boot time using the xinetd initialization
14
xinetd Programs



Many network enabled Linux applications
do not rely on themselves to provide
restricted access or bind to a particular
TCP port
instead they often offload a lot of this
work to a program suite made just for
this purpose, xinetd
The xinetd RPM is installed by default in
Fedora Linux and uses /etc/xinetd.conf as
its main configuration file
15
Controlling xinetd


The starting and stopping of the xinetd daemon is
controlled by the by scripts in the /etc/init.d
directory and it is behavior at boot time is
controlled by chkconfig.
You can start/stop/restart xinetd after booting by
using the following commands:
[root@bigboy tmp]# service xinetd start
[root@bigboy tmp]# service xinetd stop
[root@bigboy tmp]# service xinetd restart

To get xinetd configured to start at boot you can
use the chkconfig command.
[root@bigboy tmp]# chkconfig xinetd on
16
Controlling xinetd-Managed Applications



Xinetd-managed applications all store
their configuration files in the
/etc/xinetd.d directory.
Each configuration file has a disable
statement that can set to yes or no. This
governs whether xinetd is allowed to start
them or not.
You don't have to edit these files to
activate or deactivate the application. The
chkconfig command does that
automatically will also stops or starts the
application accordingly too
17
Telnet





Telnet is a program that allows users to log into
server and get a command prompt just as if they
were logged into the VGA console.
The Telnet server RPM is installed and disabled by
default on Fedora Linux.
One of the disadvantages of Telnet is that the
data is sent as clear text.
A more secure method for remote logins would be
via Secure Shell (SSH) which uses varying
degrees of encryption.
The older Telnet application remains popular.
Many network devices don't have SSH clients,
making telnet the only means of accessing other
devices and servers from them
18
Installing The Telnet Server Software

Older versions of RedHat had the Telnet
server installed by default. Fedora Linux
does not



you will have to install it yourself.
Most Linux software products are
available in a precompiled package
format. Downloading and installing
packages
When searching for the file, the Telnet
server RPM's filename usually starts with
the word "telnet-server" followed by a
version number as in telnet-server-0.1728.i386.rpm.
19
Setting Up A Telnet Server

To set up a Telnet server use the
chkconfig command to activate Telnet.
[root@bigboy tmp]# chkconfig telnet on

Use the chkconfig command to deactivate
telnet, even after the next reboot.
[root@bigboy tmp]# chkconfig telnet off
20
Let Telnet Listen On Another TCP Port


Letting telnet run on an alternate TCP
port does not encrypt the traffic, but it
makes it less likely to be detected as
telnet traffic.
Remember that this is not a foolproof
strategy; good port scanning programs
can detect telnet and other applications
running on alternative ports.
21
Let Telnet Listen On Another TCP Port
1.
Edit /etc/services file and add an entry
for a new service. Call it stelnet.
# Local services
stelnet
7777/tcp
2.
# "secure" telnet
Copy the telnet configuration file called
/etc/xinetd.d/telnet and call it
/etc/xinetd.d/stelnet:
[root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet
22
Let Telnet Listen On Another TCP Port
3.
Edit the new /etc/xinetd.d/stelnet file. Make the new service
stelnet and add a port statement for TCP port 7777.
# default: on
# description: The telnet server serves telnet sessions
# unencrypted username/password pairs for authentication.
service stelnet
{
flags
= REUSE
socket_type = stream
wait
= no
user
= root
server
= /usr/sbin/in.telnetd
log_on_failure += USERID
disable
= no
port
= 7777
}
4.
Use chkconfig to activate stelnet.
[root@bigboy tmp]# chkconfig stelnet on
23
Let Telnet Allow Connections From
Trusted Addresses


Root can restrict telnet logins access to individual
remote servers by using the only_from keyword
in the telnet configuration file.
Add a list of trusted servers to the
/etc/xinetd.d/telnet file separated by spaces:
service telnet
{
flags
= REUSE
socket_type = stream
wait
= no
user
= root
server
= /usr/sbin/in.telnetd
log_on_failure += USERID
disable
= no
only_from
= 192.168.1.100 127.0.0.1 192.168.1.200
}

Restart telnet by
# chkconfig telnet off
# chkconfig telnet on
24
Linux FTP



The File Transfer Protocol (FTP) is used as
one of the most common means of
copying files between servers over the
Internet.
Most web based download sites use the
built in FTP capabilities of web browsers
and therefore most server oriented
operating systems usually include an FTP
server application as part of the software
suite.
Fedora linux ftp sever using default Very
Secure FTP Daemon (VSFTPD) package
25
FTP overview

FTP relies on a pair of TCP ports to
get the job done. It operates in two
connection channels


FTP Control Channel, TCP Port 21: All
commands send and the ftp server's
responses to those commands will go
over the control connection.
FTP Data Channel, TCP Port 20: This
port is used for all subsequent data
transfers between the client and server.
26
How To Get VSFTPD Started

With Fedora, Redhat, Ubunbtu and Debian You
can start, stop, or restart VSFTPD after booting
by using these commands:
[root@bigboy tmp]# /etc/init.d/vsftpd start
[root@bigboy tmp]# /etc/init.d/vsftpd stop
[root@bigboy tmp]# /etc/init.d/vsftpd restart

With Redhat / Fedora you can configure VSFTPD
to start at boot you can use the chkconfig
command.
[root@bigboy tmp]# chkconfig vsftpd on
27
The Apache Web Server


Apache is probably the most popular
Linux-based Web server application in
use.
When searching for the file, the Redhat /
Fedora Apache RPM package's filename
usually starts with the word httpd
followed by a version number, as in httpd2.0.48-1.2.rpm
28
Get Apache started

Use the chkconfig command to configure Apache
to start at boot:
[root@bigboy tmp]# chkconfig httpd on

Use the httpd<code> init script in the
<code>/etc/init.d directory to start,stop, and
restart Apache after booting:
[root@bigboy tmp]# /etc/init.d/httpd start
[root@bigboy tmp]# /etc/init.d/httpd stop
[root@bigboy tmp]# /etc/init.d/httpd restart
29
General Configuration Steps



The configuration file used by Apache is
/etc/httpd/conf/httpd.conf in Redhat /
Fedora distributions
/etc/apache*/httpd.conf in Debian /
Ubuntu distributions.
As for most Linux applications, you must
restart Apache before changes to this
configuration file take effect
30
Where To Put Web Pages


All the statements that define the features of each
web site are grouped together inside their own
<VirtualHost> section, or container, in the
httpd.conf file.
The most commonly used statements, or
directives, inside a <VirtualHost> container are:


servername: Defines the name of the website
managed by the <VirtualHost> container. This is
needed in named virtual hosting only, as I'll explain
soon.
DocumentRoot: Defines the directory in which the
web pages for the site can be found.
31
Where To Put Web Pages


By default, Apache searches the
DocumentRoot directory for an index, or
home, page named index.html.
Example, if a servername of www.my-site.com
with a DocumentRoot directory of
/home/www/site1/
Apache displays the contents of the file
/home/www/site1/index.html when someone
enter http://www.my-site.com in his browser.
32
The Default File Location


By default, Apache expects to find all its
web page files in the “/var/www/html/”
directory with a generic DocumentRoot
statement at the beginning of httpd.conf
Apache will display Web page files as long
as they are world readable, all the files
and subdirectories in DocumentRoot
should have the correct permissions

Change the permissions on the /home/www
directory to 755, which allows all users,
including the Apache's httpd daemon, to read
the files inside.
33
Named Virtual Hosting




Apache allow to make Web server host more than
one site per IP address by using Apache's named
virtual hosting feature.
Use the NameVirtualHost directive in the
/etc/httpd/conf/httpd.conf file to tell Apache
which IP addresses will participate in this feature.
The <VirtualHost> containers in the file then tell
Apache where it should look for the Web pages
used on each Web site.
Admin must specify the IP address for which each
<VirtualHost> container applies.
34
Named Virtual Hosting Example
ServerName localhost
NameVirtualHost 97.158.253.26
<VirtualHost *>
DocumentRoot /home/www/site1
</VirtualHost>
<VirtualHost 97.158.253.26>
DocumentRoot /home/www/site2
ServerName www.my-site.com
ServerAlias my-site.com, www.my-cool-site.com
</VirtualHost>
<VirtualHost 97.158.253.26>
DocumentRoot /home/www/site3
ServerName www.test-site.com
</VirtualHost>
<VirtualHost 97.158.253.26>
DocumentRoot /home/www/site4
ServerName www.another-site.com
</VirtualHost>
35
Protect Web Page Directories With
Passwords



Use Apache's htpasswd password utility to
create username/password combinations
independent of system login password for
Web page access.
Specify the location of the password file,
and if it does not yet exist, should include
a -c, or create, switch on the command
line.
Placing the file in /etc/httpd/conf
directory, away from the DocumentRoot
tree where Web users could possibly view
it.
36
htpasswd Example
[root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter
New password:
Re-type new password:
Adding password for user peter
[root@bigboy tmp]#
[root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul
New password:
Re-type new password:
Adding password for user paul
[root@bigboy tmp]#
37
Protect Web Page Directories With
Passwords

Make the .htpasswd file readable by all
users.
[root@bigboy tmp]# chmod 644 /etc/httpd/conf/.htpasswd

Create a .htaccess file in the directory to
which you want password control with
these entries.
AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user peter
38
Protect Web Page Directories With
Passwords

Set the correct file protections on new .htaccess
file in the directory /home/www.
[root@bigboy tmp]# chmod 644 /home/www/.htaccess


Make sure your /etc/httpd/conf/http.conf file has
an AllowOverride statement in a <Directory>
directive for any directory in the tree above
/home/www.
In this example below, all directories below
/var/www/ require password authorization.
<Directory /home/www/*>
AllowOverride AuthConfig
</Directory>
39
Protect Web Page Directories With
Passwords

Make sure that a <VirtualHost> directive
that defines access to /home/www or
another directory higher up in the tree.
<VirtualHost *>
ServerName 97.158.253.26
DocumentRoot /home/www
</VirtualHost>

Restart Apache
40
Linux firewall

Linux uses “iptable” for firewall
solutions

A router that will use NAT and port
forwarding to both protect home
network and have another web server
on home network while sharing the
public IP address of firewall
41
iptable Features



Integration with the Linux kernel with the
capability of loading iptables-specific
kernel modules designed for improved
speed and reliability.
Stateful packet inspection. This means
that the firewall keeps track of each
connection passing through it and in
certain cases will view the contents of
data flows in an attempt to anticipate the
next action of certain protocols.
Filtering packets based on a MAC address
and the values of the flags in the TCP
header.
42
iptable Features




System logging that provides the option
of adjusting the level of detail of the
reporting.
Network address translation.
Support for transparent integration with
such Web proxy programs as Squid.
A rate limiting feature that helps iptables
block some types of denial of service
(DoS) attacks
43
Start iptable

Start iptable with:
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart

Sample of iptable command
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
--sport 1024:65535 --dport 80 -j ACCEPT


iptables is being configured to allow the firewall to
accept TCP packets for routing when they enter on
interface eth0 from any IP address and are destined
for an IP address of 192.168.1.58 that is reachable
via interface eth1.
The source port is in the range 1024 to 65535 and
the destination port is port 80
44
Secure Remote Logins



OpenSSH, which provides a number of
ways to create encrypted remote terminal
and file transfer connections between
clients and servers.
The OpenSSH Secure Copy (SCP) and
Secure FTP (SFTP) programs are secure
replacements for FTP,
Secure Shell (SSH) is often used as a
stealthy alternative to TELNET
45
Starting OpenSSH



OpenSSH is installed by default during
Linux installations
SSH and SCP are part of the same
application, they share the same
configuration file and are governed by the
same /etc/init.d/sshd startup script
configure SSH to start at boot by using
the chkconfig command when running
Fedora
[root@bigboy tmp]# chkconfig sshd on
46
The /etc/ssh/sshd_config File

The SSH configuration file is called
/etc/ssh/sshd_config. By default SSH listens on all
NICs and uses TCP port 22.
#
#
#
#
The strategy used for options in the default sshd_config shipped with
OpenSSH is to specify options with their default value where
possible, but leave them commented. Uncommented options change a
default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

start, stop, and restart SSH with service comand
47
Other Linux services






NTP
Sendmail
DNS
MRTG
Network File System (NFS)
Etc.
48
Download