Linux Services
Sirak Kaewjamnong

Linux DHCP Server

DHCP (Dynamic Host Configuration Protocol) lets a client obtain its IP address dynamically from a DHCP server. A home PC client will most likely get its IP address at boot time from the home router instead. The DHCP server RPM's filename usually starts with the word dhcp followed by a version number, as in dhcp-3.0.1rc14-1.i386.rpm.

The /etc/dhcpd.conf File

When DHCP starts, it reads the file /etc/dhcpd.conf. The standard DHCP RPM package doesn't automatically install a /etc/dhcpd.conf file, but a sample copy of dhcpd.conf is in the following location: /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample

/etc/dhcpd.conf example file

    ddns-update-style interim;
    ignore client-updates;

    subnet 172.27.21.0 netmask 255.255.255.0 {
        # --- default gateway
        option routers              172.27.21.254;
        option subnet-mask          255.255.255.0;
        option nis-domain           "cp.su.ac.th";
        option domain-name          "cp.su.ac.th";
        # both name servers in one comma-separated statement
        option domain-name-servers  202.28.72.66, 202.44.135.9;
        option time-offset          -18000;    # Eastern Standard Time
        option netbios-node-type    2;
        range dynamic-bootp 172.27.21.200 172.27.21.250;
        default-lease-time 21600;
        max-lease-time 43200;
    }

How to get DHCP started

Use the chkconfig command to get DHCP configured to start at boot:

    [root@bigboy tmp]# chkconfig dhcpd on

Use the service command to instruct the /etc/init.d/dhcpd script to start, stop or restart DHCP after booting:

    [root@bigboy tmp]# service dhcpd start
    [root@bigboy tmp]# service dhcpd stop
    [root@bigboy tmp]# service dhcpd restart

SAMBA

Samba is a suite of utilities that allows your Linux server to share files and other resources, such as printers, with Windows clients.
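Before moving on to Samba, here is an added example for the dhcpd.conf section above (it is not code from the original slides). It parses subnet declarations in the format shown and checks what a restart of dhcpd will not tell you clearly: that the dynamic range and the default gateway lie inside the declared subnet, that default-lease-time does not exceed max-lease-time, and that no option is declared twice in one scope (dhcpd does not merge repeated option statements, which is why the two name servers belong in one comma-separated statement). The file text is a constructed sample: the subnet from the slides, plus a second subnet that deliberately breaks three of the checks.

```python
import ipaddress
import re

# Constructed sample, not a real server's file: the subnet from the slides
# (with the two name servers as separate statements, as originally shown)
# plus a second subnet that breaks three of the checks on purpose.
SAMPLE_CONF = """\
ddns-update-style interim;
ignore client-updates;

subnet 172.27.21.0 netmask 255.255.255.0 {
    # --- default gateway
    option routers              172.27.21.254;
    option subnet-mask          255.255.255.0;
    option domain-name          "cp.su.ac.th";
    option domain-name-servers  202.28.72.66;
    option domain-name-servers  202.44.135.9;
    option time-offset          -18000;   # Eastern Standard Time
    range dynamic-bootp 172.27.21.200 172.27.21.250;
    default-lease-time 21600;
    max-lease-time 43200;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.2.1;            # gateway not in this subnet
    range 192.168.1.100 192.168.1.10;      # bounds reversed
    default-lease-time 86400;              # longer than max-lease-time
    max-lease-time 43200;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)


def strip_comments(text):
    """Remove '#' comments line by line so they cannot swallow a statement."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_subnets(text):
    """Return one dict per subnet block: its network and its statements."""
    subnets = []
    for net, mask, body in SUBNET_RE.findall(strip_comments(text)):
        stmts = [s.split() for s in body.split(";") if s.strip()]
        subnets.append({"network": ipaddress.ip_network(f"{net}/{mask}"),
                        "statements": stmts})
    return subnets


def check_subnet(sub):
    """Return a list of human-readable problems for one subnet block."""
    problems = []
    net = sub["network"]
    seen_options = set()
    lease = {}
    for stmt in sub["statements"]:
        if stmt[0] == "option":
            name = stmt[1]
            if name in seen_options:
                problems.append(f"option {name} declared twice; dhcpd will not "
                                "merge them, use one comma-separated statement")
            seen_options.add(name)
            if name == "routers":
                for gw in stmt[2:]:
                    if ipaddress.ip_address(gw.rstrip(",")) not in net:
                        problems.append(f"router {gw} is outside {net}")
        elif stmt[0] == "range":
            lo, hi = stmt[-2], stmt[-1]          # skip an optional dynamic-bootp flag
            lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if lo_ip not in net or hi_ip not in net:
                problems.append(f"range {lo}-{hi} is not inside {net}")
            elif lo_ip > hi_ip:
                problems.append(f"range {lo}-{hi} is reversed")
        elif stmt[0] in ("default-lease-time", "max-lease-time"):
            lease[stmt[0]] = int(stmt[1])
    if lease.get("default-lease-time", 0) > lease.get("max-lease-time", 2**31):
        problems.append("default-lease-time exceeds max-lease-time")
    return problems


def audit(text):
    """Map each subnet (as a CIDR string) to its list of problems."""
    return {str(s["network"]): check_subnet(s) for s in parse_subnets(text)}


if __name__ == "__main__":
    for net, probs in audit(SAMPLE_CONF).items():
        print(net, "OK" if not probs else "")
        for p in probs:
            print("  -", p)
```

Run it against a copy of /etc/dhcpd.conf (read the file into audit()) before `service dhcpd restart`; a clean result is an empty list per subnet. The parser deliberately handles only flat subnet blocks, which is what the slide shows.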
Get SMB started

Configure Samba to start at boot time using the chkconfig command:

    [root@bigboy tmp]# chkconfig smb on

Start, stop or restart Samba after boot time using the smb initialization script, as in the examples below:

    [root@bigboy tmp]# service smb start
    [root@bigboy tmp]# service smb stop
    [root@bigboy tmp]# service smb restart

Note: Unlike many Linux packages, Samba does not need to be restarted after changes have been made to its configuration file, as the file is read after the receipt of every client request.

The Samba Configuration File

The /etc/samba/smb.conf file is the main configuration file. Its sections are:

    Section     Description
    [global]    General Samba configuration parameters
    [printers]  Used for configuring printers
    [homes]     Defines treatment of user logins
    [netlogon]  A share for storing logon scripts. (Not created by default.)
    [profile]   A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)

Samba's SWAT web interface

SWAT, Samba's web-based configuration tool, lets you edit the smb.conf file without needing to remember all the formatting. Each SWAT screen is actually a form that covers a separate section of the smb.conf file, into which the admin fills in the desired parameters; each parameter box has its own online help.

Samba SWAT Main Menu (screenshot)

Basic SWAT Setup

Root must always remember that SWAT edits the smb.conf file but also strips out any comments that may have been manually entered into it beforehand. The original Samba smb.conf file has many worthwhile comments in it, so you should save a copy as a reference before proceeding with SWAT.
For example, you could save the original file with the name /etc/samba/smb.conf.original:

    [root@tmp]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original

Basic SWAT Setup

The enabling and disabling, starting and stopping of SWAT is controlled by xinetd via a configuration file named /etc/xinetd.d/swat:

    service swat
    {
        port            = 901
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
        only_from       = localhost
    }

Basic SWAT Setup

The disable parameter must be set to no to accept connections. It can be switched between yes and no automatically (see Controlling SWAT below). The default configuration only allows SWAT web access from the VGA console, only as user root, on port 901, with the Linux root password. This means root has to enter "http://127.0.0.1:901" in a browser to get the login screen. Root can make SWAT accessible from other servers by adding IP address entries to the only_from parameter of the SWAT configuration file. An example of an entry that allows connections only from 192.168.1.3 and localhost:

    only_from = localhost 192.168.1.3

Controlling SWAT

As with all xinetd-controlled applications, the chkconfig command automatically modifies the disable field in the configuration file accordingly and activates the change. Before SWAT can be used, the xinetd program which controls it must be activated in advance.
You can start, stop or restart xinetd after boot time using the xinetd initialization script.

xinetd Programs

Many network-enabled Linux applications do not rely on themselves to provide restricted access or to bind to a particular TCP port; instead they often offload a lot of this work to a program suite made just for this purpose, xinetd. The xinetd RPM is installed by default in Fedora Linux and uses /etc/xinetd.conf as its main configuration file.

Controlling xinetd

The starting and stopping of the xinetd daemon is controlled by scripts in the /etc/init.d directory, and its behavior at boot time is controlled by chkconfig. You can start, stop or restart xinetd after booting by using the following commands:

    [root@bigboy tmp]# service xinetd start
    [root@bigboy tmp]# service xinetd stop
    [root@bigboy tmp]# service xinetd restart

To get xinetd configured to start at boot you can use the chkconfig command:

    [root@bigboy tmp]# chkconfig xinetd on

Controlling xinetd-Managed Applications

Xinetd-managed applications all store their configuration files in the /etc/xinetd.d directory. Each configuration file has a disable statement that can be set to yes or no. This governs whether xinetd is allowed to start the application or not. You don't have to edit these files to activate or deactivate the application: the chkconfig command does that automatically and also stops or starts the application accordingly.

Telnet

Telnet is a program that allows users to log into a server and get a command prompt just as if they were logged into the VGA console. The Telnet server RPM is installed and disabled by default on Fedora Linux. One of the disadvantages of Telnet is that the data is sent as clear text. A more secure method for remote logins is Secure Shell (SSH), which uses varying degrees of encryption. The older Telnet application nevertheless remains popular.
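The xinetd service files described in the preceding sections (disable, only_from, port, server) are what decide which of these programs is actually reachable after a chkconfig run, so here is an added audit script for them; it is not code from the original slides or from xinetd. It parses service blocks in the /etc/xinetd.d format shown above, applies xinetd's rule that a service with no disable line is enabled, and reports enabled services that have no only_from restriction or that are served by in.telnetd (cleartext logins). The file contents are constructed samples modelled on the swat and telnet files in the slides.

```python
import re

# Constructed samples in the /etc/xinetd.d format from the slides; the paths
# are the file names the slides use, the contents are made up for the demo.
SAMPLE_FILES = {
    "/etc/xinetd.d/swat": """\
service swat
{
    port            = 901
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/swat
    log_on_failure  += USERID
    disable         = no
    only_from       = localhost 192.168.1.3
}
""",
    "/etc/xinetd.d/telnet": """\
# default: on
# description: The telnet server serves telnet sessions
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = no
}
""",
    "/etc/xinetd.d/stelnet": """\
service stelnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = yes
    port            = 7777
}
""",
}

BLOCK_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"(\w+)\s*(\+=|=)\s*(.*)")


def parse_services(text):
    """Return {service_name: {attribute: value}} for every block in text."""
    # Strip comments first so a '#' line can never be read as a statement.
    text = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    services = {}
    for name, body in BLOCK_RE.findall(text):
        attrs = {}
        for line in body.splitlines():
            m = ATTR_RE.match(line.strip())
            if not m:
                continue
            key, op, value = m.groups()
            if op == "+=":                        # append to an existing list
                attrs[key] = (attrs.get(key, "") + " " + value).strip()
            else:
                attrs[key] = value.strip()
        services[name] = attrs
    return services


def audit(files):
    """Return one finding dict per service across all files."""
    findings = []
    for path, text in files.items():
        for name, attrs in parse_services(text).items():
            findings.append({
                "service": name,
                "file": path,
                # xinetd treats a missing disable line as 'disable = no'
                "enabled": attrs.get("disable", "no").lower() == "no",
                "port": attrs.get("port", "(from /etc/services)"),
                # no only_from line means any source address may connect
                "restricted": bool(attrs.get("only_from", "").split()),
                "cleartext": attrs.get("server", "").endswith("in.telnetd"),
            })
    return findings


def risky(findings):
    """Names of enabled services that are unrestricted or cleartext."""
    return sorted(f["service"] for f in findings
                  if f["enabled"] and (not f["restricted"] or f["cleartext"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f)
    print("needs attention:", risky(audit(SAMPLE_FILES)))
```

On a real host, build the dictionary from the files in /etc/xinetd.d and run it after every chkconfig change; the "(from /etc/services)" placeholder marks services whose port is not overridden in the block, as with telnet versus the stelnet copy on port 7777.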
Many network devices don't have SSH clients, making telnet the only means of accessing other devices and servers from them.

Installing The Telnet Server Software

Older versions of RedHat had the Telnet server installed by default. Fedora Linux does not, so you will have to install it yourself. Most Linux software products are available in a precompiled package format. When downloading and installing packages, note that the Telnet server RPM's filename usually starts with the word "telnet-server" followed by a version number, as in telnet-server-0.1728.i386.rpm.

Setting Up A Telnet Server

To set up a Telnet server, use the chkconfig command to activate Telnet:

    [root@bigboy tmp]# chkconfig telnet on

Use the chkconfig command to deactivate telnet, even after the next reboot:

    [root@bigboy tmp]# chkconfig telnet off

Let Telnet Listen On Another TCP Port

Letting telnet run on an alternate TCP port does not encrypt the traffic, but it makes it less likely to be detected as telnet traffic. Remember that this is not a foolproof strategy; good port scanning programs can detect telnet and other applications running on alternative ports.

Let Telnet Listen On Another TCP Port

1. Edit the /etc/services file and add an entry for a new service. Call it stelnet:

    # Local services
    stelnet         7777/tcp                # "secure" telnet

2. Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet:

    [root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

Let Telnet Listen On Another TCP Port

3. Edit the new /etc/xinetd.d/stelnet file. Name the new service stelnet and add a port statement for TCP port 7777:

    # default: on
    # description: The telnet server serves telnet sessions; it uses
    #   unencrypted username/password pairs for authentication.
    service stelnet
    {
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        port            = 7777
    }

4. Use chkconfig to activate stelnet:
    [root@bigboy tmp]# chkconfig stelnet on

Let Telnet Allow Connections From Trusted Addresses

Root can restrict telnet login access to individual remote servers by using the only_from keyword in the telnet configuration file. Add a list of trusted servers to the /etc/xinetd.d/telnet file, separated by spaces:

    service telnet
    {
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
        only_from       = 192.168.1.100 127.0.0.1 192.168.1.200
    }

Restart telnet with:

    # chkconfig telnet off
    # chkconfig telnet on

Linux FTP

The File Transfer Protocol (FTP) is one of the most common means of copying files between servers over the Internet. Most web-based download sites use the built-in FTP capabilities of web browsers, and therefore most server-oriented operating systems include an FTP server application as part of the software suite. Fedora Linux's FTP server uses the Very Secure FTP Daemon (VSFTPD) package by default.

FTP overview

FTP relies on a pair of TCP ports to get the job done. It operates over two connection channels:

FTP Control Channel, TCP Port 21: All commands sent and the FTP server's responses to those commands go over the control connection.

FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.

How To Get VSFTPD Started

With Fedora, Redhat, Ubuntu and Debian you can start, stop, or restart VSFTPD after booting by using these commands:

    [root@bigboy tmp]# /etc/init.d/vsftpd start
    [root@bigboy tmp]# /etc/init.d/vsftpd stop
    [root@bigboy tmp]# /etc/init.d/vsftpd restart

With Redhat / Fedora you can configure VSFTPD to start at boot using the chkconfig command:

    [root@bigboy tmp]# chkconfig vsftpd on

The Apache Web Server

Apache is probably the most popular Linux-based web server application in use.
When searching for the file, the Redhat / Fedora Apache RPM package's filename usually starts with the word httpd followed by a version number, as in httpd-2.0.48-1.2.rpm.

Get Apache started

Use the chkconfig command to configure Apache to start at boot:

    [root@bigboy tmp]# chkconfig httpd on

Use the httpd init script in the /etc/init.d directory to start, stop, and restart Apache after booting:

    [root@bigboy tmp]# /etc/init.d/httpd start
    [root@bigboy tmp]# /etc/init.d/httpd stop
    [root@bigboy tmp]# /etc/init.d/httpd restart

General Configuration Steps

The configuration file used by Apache is /etc/httpd/conf/httpd.conf in Redhat / Fedora distributions and /etc/apache*/httpd.conf in Debian / Ubuntu distributions. As for most Linux applications, you must restart Apache before changes to this configuration file take effect.

Where To Put Web Pages

All the statements that define the features of each web site are grouped together inside their own <VirtualHost> section, or container, in the httpd.conf file. The most commonly used statements, or directives, inside a <VirtualHost> container are:

ServerName: Defines the name of the website managed by the <VirtualHost> container. This is needed in named virtual hosting only, as explained below.

DocumentRoot: Defines the directory in which the web pages for the site can be found.

Where To Put Web Pages

By default, Apache searches the DocumentRoot directory for an index, or home, page named index.html. For example, with a ServerName of www.my-site.com and a DocumentRoot directory of /home/www/site1/, Apache displays the contents of the file /home/www/site1/index.html when someone enters http://www.my-site.com in a browser.
The Default File Location

By default, Apache expects to find all its web page files in the /var/www/html/ directory, with a generic DocumentRoot statement at the beginning of httpd.conf. Apache will display web page files as long as they are world readable, so all the files and subdirectories in DocumentRoot should have the correct permissions. Change the permissions on the /home/www directory to 755, which allows all users, including Apache's httpd daemon, to read the files inside.

Named Virtual Hosting

Apache allows the web server to host more than one site per IP address by using Apache's named virtual hosting feature. Use the NameVirtualHost directive in the /etc/httpd/conf/httpd.conf file to tell Apache which IP addresses will participate in this feature. The <VirtualHost> containers in the file then tell Apache where it should look for the web pages used on each web site. The admin must specify the IP address to which each <VirtualHost> container applies.

Named Virtual Hosting Example

    ServerName localhost
    NameVirtualHost 97.158.253.26

    <VirtualHost *>
        DocumentRoot /home/www/site1
    </VirtualHost>

    <VirtualHost 97.158.253.26>
        DocumentRoot /home/www/site2
        ServerName www.my-site.com
        ServerAlias my-site.com www.my-cool-site.com
    </VirtualHost>

    <VirtualHost 97.158.253.26>
        DocumentRoot /home/www/site3
        ServerName www.test-site.com
    </VirtualHost>

    <VirtualHost 97.158.253.26>
        DocumentRoot /home/www/site4
        ServerName www.another-site.com
    </VirtualHost>

Protect Web Page Directories With Passwords

Use Apache's htpasswd password utility to create username/password combinations, independent of the system login passwords, for web page access. Specify the location of the password file and, if it does not yet exist, include the -c, or create, switch on the command line. Place the file in the /etc/httpd/conf directory, away from the DocumentRoot tree where web users could possibly view it.
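To show what the htpasswd file and the .htaccess entries in the following slides actually do at request time, here is an added example; it is not code from the original slides and not Apache's own implementation. It writes entries in the {SHA} format that `htpasswd -s` produces (base64 of the SHA-1 of the password), decodes the Authorization header a browser sends after the 401 challenge, and checks the credentials the way mod_auth_basic with AuthUserFile and `require user` does. The user names come from the slides; the passwords are constructed. Note what the check makes visible: the header carries the password only base64-encoded, not encrypted, so a password-protected directory still needs TLS on the wire.

```python
import base64
import hashlib
import hmac


def sha_entry(user, password):
    """One htpasswd line in the {SHA} format written by 'htpasswd -s'."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def load_htpasswd(text):
    """Parse htpasswd text into {user: stored_hash}, ignoring blank lines."""
    users = {}
    for line in text.splitlines():
        if ":" in line:
            user, stored = line.split(":", 1)
            users[user] = stored
    return users


def check_password(stored, password):
    """True if password matches a {SHA} entry (the only format handled here)."""
    if not stored.startswith("{SHA}"):
        return False
    candidate = sha_entry("x", password).split(":", 1)[1]
    return hmac.compare_digest(candidate, stored)   # constant-time compare


def parse_basic_header(header):
    """Return (user, password) from an 'Authorization' header value, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(token).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def authorize(htpasswd_text, header, allowed_users):
    """Emulate AuthType Basic + AuthUserFile + 'require user ...'."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    users = load_htpasswd(htpasswd_text)
    if user not in users or user not in allowed_users:
        return False
    return check_password(users[user], password)


def basic_header(user, password):
    """What a browser sends after the 401 challenge: base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample file, equivalent to running 'htpasswd -s' for peter
# and paul with these (made-up) passwords.
HTPASSWD = "\n".join([sha_entry("peter", "pass-peter"),
                      sha_entry("paul", "pass-paul")])


if __name__ == "__main__":
    print(HTPASSWD)
    hdr = basic_header("peter", "pass-peter")
    print(hdr, "->", parse_basic_header(hdr))
    print("peter allowed:", authorize(HTPASSWD, hdr, {"peter"}))
```

The `allowed_users` set corresponds to the `require user peter` line in the .htaccess example: paul's password is in the file but he is still refused, exactly as Apache would refuse him.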
htpasswd Example

    [root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter
    New password:
    Re-type new password:
    Adding password for user peter
    [root@bigboy tmp]#
    [root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul
    New password:
    Re-type new password:
    Adding password for user paul
    [root@bigboy tmp]#

Protect Web Page Directories With Passwords

Make the .htpasswd file readable by all users:

    [root@bigboy tmp]# chmod 644 /etc/httpd/conf/.htpasswd

Create a .htaccess file in the directory to which you want to apply password control, with these entries:

    AuthUserFile /etc/httpd/conf/.htpasswd
    AuthGroupFile /dev/null
    AuthName EnterPassword
    AuthType Basic
    require user peter

Protect Web Page Directories With Passwords

Set the correct file protections on the new .htaccess file in the directory /home/www:

    [root@bigboy tmp]# chmod 644 /home/www/.htaccess

Make sure your /etc/httpd/conf/httpd.conf file has an AllowOverride statement in a <Directory> directive for any directory in the tree above /home/www. In the example below, all directories below /home/www/ require password authorization:

    <Directory /home/www/*>
        AllowOverride AuthConfig
    </Directory>

Protect Web Page Directories With Passwords

Make sure that there is a <VirtualHost> directive that defines access to /home/www or another directory higher up in the tree:

    <VirtualHost *>
        ServerName 97.158.253.26
        DocumentRoot /home/www
    </VirtualHost>

Restart Apache.

Linux firewall

Linux uses iptables for firewall solutions. A typical use is a router that uses NAT and port forwarding both to protect the home network and to run another web server on the home network while sharing the firewall's public IP address.

iptables Features

Integration with the Linux kernel, with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.

Stateful packet inspection.
This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols.

Filtering packets based on a MAC address and the values of the flags in the TCP header.

iptables Features

System logging that provides the option of adjusting the level of detail of the reporting.

Network address translation.

Support for transparent integration with web proxy programs such as Squid.

A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.

Start iptables

Start, stop or restart iptables with:

    [root@bigboy tmp]# service iptables start
    [root@bigboy tmp]# service iptables stop
    [root@bigboy tmp]# service iptables restart

Sample iptables command:

    iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
             --sport 1024:65535 --dport 80 -j ACCEPT

Here iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for the IP address 192.168.1.58, which is reachable via interface eth1. The source port is in the range 1024 to 65535 and the destination port is port 80.

Secure Remote Logins

OpenSSH provides a number of ways to create encrypted remote terminal and file transfer connections between clients and servers. The OpenSSH Secure Copy (SCP) and Secure FTP (SFTP) programs are secure replacements for FTP, and Secure Shell (SSH) is often used as an encrypted alternative to TELNET.

Starting OpenSSH

OpenSSH is installed by default during Linux installations. SSH and SCP are part of the same application; they share the same configuration file and are governed by the same /etc/init.d/sshd startup script. Configure SSH to start at boot by using the chkconfig command when running Fedora:

    [root@bigboy tmp]# chkconfig sshd on

The /etc/ssh/sshd_config File

The SSH configuration file is called /etc/ssh/sshd_config.
By default SSH listens on all NICs and uses TCP port 22:

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.

    #Port 22
    #Protocol 2,1
    #ListenAddress 0.0.0.0
    #ListenAddress ::

Start, stop, and restart SSH with the service command.

Other Linux services

NTP, Sendmail, DNS, MRTG, Network File System (NFS), etc.
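Returning to the sshd_config convention described in the previous section, here is an added example that applies it; it is not code from the original slides and not OpenSSH's own parser. It reads the commented lines of the form `#Keyword value` (no space after the `#`, which is how the shipped file writes its defaults) as the built-in defaults, reads uncommented lines as overrides, keeps only the first active value of a keyword as sshd does (ListenAddress being the exception that accumulates), and reports which defaults have been changed, so an administrator can confirm whether sshd still listens on every interface and port 22. The config text is a constructed sample built from the lines shown above plus three overrides; Match blocks are not handled.

```python
import re

# Constructed sample: the shipped default lines from the slides plus three
# uncommented overrides. Not a real server's file.
SAMPLE_SSHD_CONFIG = """\
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where possible,
# but leave them commented.  Uncommented options change a default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
Port 2222
Port 22
ListenAddress 192.168.1.1
Protocol 2
"""

# '#Port 22' (no space after '#') is a shipped default; '# prose' is a comment.
DEFAULT_RE = re.compile(r"^#([A-Za-z]\w*)\s+(.*?)\s*$")
ACTIVE_RE = re.compile(r"^\s*([A-Za-z]\w*)\s+(.*?)\s*$")
MULTI = {"listenaddress"}          # keywords that accumulate rather than replace


def parse_sshd_config(text):
    """Return (defaults, active): keyword -> list of values, keys lowercased."""
    defaults, active = {}, {}
    for line in text.splitlines():
        if line.startswith("#"):
            m = DEFAULT_RE.match(line)
            if m:
                defaults.setdefault(m.group(1).lower(), []).append(m.group(2))
            continue
        m = ACTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        # sshd uses the first value it obtains for a keyword; later lines
        # are ignored, except for keywords that are allowed to repeat.
        if key in MULTI or key not in active:
            active.setdefault(key, []).append(value)
    return defaults, active


def effective_settings(text):
    """Active values win; otherwise the commented default applies."""
    defaults, active = parse_sshd_config(text)
    return {key: active.get(key, defaults.get(key, []))
            for key in set(defaults) | set(active)}


def changed_defaults(text):
    """Keywords whose active value differs from the shipped default."""
    defaults, active = parse_sshd_config(text)
    return sorted(k for k in active if k in defaults and active[k] != defaults[k])


def listens_everywhere(text):
    """True if the effective ListenAddress still covers all interfaces."""
    addrs = effective_settings(text).get("listenaddress", [])
    return any(a.split(":")[0] in ("0.0.0.0", "") or a == "::" for a in addrs)


if __name__ == "__main__":
    for key, values in sorted(effective_settings(SAMPLE_SSHD_CONFIG).items()):
        print(f"{key:15} {' '.join(values)}")
    print("changed from default:", changed_defaults(SAMPLE_SSHD_CONFIG))
    print("listens on all interfaces:", listens_everywhere(SAMPLE_SSHD_CONFIG))
```

Feed it the real /etc/ssh/sshd_config to see the same summary for a live host; `changed_defaults` is the quick answer to "what did someone alter here", and the duplicate `Port` lines in the sample show why the first-value rule matters when reading a hand-edited file.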