Linux+ Guide to Linux Certification, Second Edition
Chapter 15: Configuring Network Services and Security

Objectives
• Identify and configure common network services
• Configure routing and firewalls
• Describe the different facets of Linux security
• Increase the security of a Linux computer
• Outline measures that can be used to detect a Linux security breach

Network Services
• Processes that provide some type of valuable service for client computers on the network
• Must identify the types and features of network services before they can be configured
• Important to configure network-related services, such as routing and firewalls

Identifying Network Services
• Port: Number that uniquely identifies a network service
  – Ensures that packets are delivered to the proper service
  – Range from 0 to 65534
• /etc/services file: Lists ports and their associated protocol
• Well-known port: Ports from 0 to 1024
  – Used by common networking services

Identifying Network Services (continued)
Table 15-1: Common well-known ports

Identifying Network Services (continued)
• Internet Super Daemon (xinetd): Initializes and configures many networking services
• Standalone daemons: Daemons normally started at boot-up
  – e.g., Apache Web server
  – Configure themselves without assistance
  – ntsysv utility can configure most standalone daemons to start in various runlevels

Identifying Network Services (continued)
Figure 15-1: Interacting with network services

Configuring Common Network Services
Table 15-2: Common network services
Configuring DNS
• Zone: Portion of DNS administered by one or more DNS servers
• Forward lookup: FQDN resolved to an IP address
• Reverse lookup: IP address resolved to an FQDN

Configuring DNS (continued)
Figure 15-2: The DNS lookup process

Configuring DNS (continued)
• Iterative query: Resolved without the use of top-level DNS servers
• Recursive query: Resolved with the use of top-level DNS servers
• DNS cache file: Contains the IP addresses of top-level DNS servers

Configuring DNS (continued)
• Master or primary DNS server: Contains a read/write copy of the zone
• Slave or secondary DNS server: Contains a read-only copy of the zone
• Zone transfer: Copying zone resource records from the master to a slave DNS server

Configuring DNS (continued)
Table 15-3: Common zone configuration files

Configuring DHCP
• Client sends a DHCP broadcast on the network
  – Requests IP configuration information
• DHCP server leases an IP address to the client computer for a period of time
  – Ensures each client has a unique IP address
• /etc/dhcpd.conf file: Configures the computer as a DHCP server
  – Lists the appropriate IP address range for the network

Configuring Apache
• Most common Web server
• Document root directory: Stores the default HTML content for a Web server
  – /var/www/html on Fedora Linux
  – Default document is
    index.html
• /etc/httpd/conf/httpd.conf: Default configuration file
• Directive: Line within a configuration file

Configuring Apache (continued)
Table 15-4: Common httpd.conf directives

Configuring Samba
• SaMBa daemon: Emulates the SMB protocol
• Windows computers advertise computer names using the NetBIOS protocol
  – Can use the NetBIOS name daemon to create and advertise a NetBIOS name
• Connects Windows computers to a Linux server
• smbpasswd command: Generates Samba passwords

Configuring Samba (continued)
• /etc/samba/smb.conf: Default Samba configuration file
• /etc/rc.d/init.d/smb start: Starts the Samba and NetBIOS name daemons
  – Restart if smb.conf is changed

Configuring NFS
• Create a directory containing the information to share
• Edit the /etc/exports file:
  – Add a line listing the directory to be shared and its options
• Run exportfs -a
  – Updates the list of exported filesystems
• Restart the NFS processes

Configuring FTP
• Very secure FTP daemon (vsftpd): Packaged with Fedora Linux
• To configure (assuming logon as "user1"):
  – Create a directory below user1's home directory to host the files
    • Ensure user1 owns the directory
  – Run /etc/rc.d/init.d/vsftpd start
    • Starts the vsftpd daemon

Configuring NIS
• Network Information Service (NIS): Coordinates common configuration files across several computers
  – Computers belong to a NIS domain and use NIS maps to access configuration information
  – Most commonly used for password databases

Configuring NIS (continued)
• Define the NIS domain via the domainname <NIS_domain_name> command
• Add NISDOMAIN=<NIS_domain> to the /etc/sysconfig/network file
  – Configures the NIS domain at boot time
• Add "domain <NIS_domain> server <NIS_server>" to the /etc/yp.conf file
  – Queries a specific NIS server
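The NFS slide above says to add a line to /etc/exports listing the directory and its options; the options are where the security decisions live. The following is an added example (not from the textbook) that parses a constructed /etc/exports file and flags the options that weaken NFS's usual protections: no_root_squash, insecure, and a read/write export to every host. The option names are real exports(5) options; the directories and hosts are made up.

```python
"""Audit /etc/exports lines for risky NFS export options (added example)."""
import re

# Constructed sample of an /etc/exports file: a safe share, one that makes the
# client's root user root on the share, and one exported read/write to everyone.
SAMPLE_EXPORTS = """\
# shared project data
/srv/projects   192.168.1.0/24(rw,sync,root_squash)
/srv/backup     backup.example.com(rw,sync,no_root_squash)
/srv/public     *(rw,sync)
/srv/docs       *(ro,sync)
"""

# One "client(options)" token; the parenthesised option list is optional in exports(5).
CLIENT_RE = re.compile(r"(\S+?)(?:\((.*?)\))?$")


def parse_exports(text):
    """Return [(directory, [(client, [option, ...]), ...]), ...], skipping comments."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        directory, *clients = line.split()
        parsed = []
        for token in clients:
            m = CLIENT_RE.match(token)
            opts = [o.strip() for o in (m.group(2) or "").split(",") if o.strip()]
            parsed.append((m.group(1), opts))
        exports.append((directory, parsed))
    return exports


def audit_exports(text):
    """Return (directory, client, reason) for every export whose options weaken security."""
    findings = []
    for directory, clients in parse_exports(text):
        for client, opts in clients:
            if "no_root_squash" in opts:
                findings.append((directory, client, "no_root_squash: client root is root on the share"))
            if "insecure" in opts:
                findings.append((directory, client, "insecure: accepts requests from unprivileged ports"))
            if client == "*" and "rw" in opts:
                findings.append((directory, client, "rw export to every host"))
    return findings
```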
Configuring the Secure Shell Daemon
• Secure Shell daemon (sshd): Allows use of the ssh utility to log in to network servers
• /etc/ssh/sshd_config file: Contains configuration options
• Uses challenge-response authentication by default

Configuring the Secure Shell Daemon (continued)
• Supported encryption standards:
  – Triple Data Encryption Standard (3DES)
  – Advanced Encryption Standard (AES)
  – Blowfish
  – Carlisle Adams Stafford Tavares (CAST)
  – ARCfour

Routing and Firewall Services
• Network services not provided entirely by network daemons
  – Provided by the Linux kernel
  – Do not listen on a particular port

Routing
• Route table: Indicates which networks are connected to which network interfaces
• route command: Manipulates the route table
• Multihomed hosts: Computers with multiple network interfaces
• IP forwarding: Forwarding TCP/IP packets between networks
• Routing: Forwarding data packets between networks

Routing (continued)
• Enabling routing:
  – Place the number 1 in the /proc/sys/net/ipv4/ip_forward file
  – Place "net.ipv4.ip_forward = 1" in the /etc/sysctl.conf file

Routing (continued)
• Large networks may have several routers
• route add <route> command: Adds entries to the route table
• route del <route> command: Removes entries from the route table
• Can also use the ip command to add entries to the route table

Routing (continued)
Figure 15-3: A sample routed network

Routing (continued)
• Contents of the route table are lost when the computer is powered off
  – Add them to the /etc/rc.d/rc.local file
• Most routers are configured with a default gateway
  – Used for packets addressed to destinations not in the route table
• traceroute command: Troubleshoots routing
  – Displays the routers between the current and remote
    computer

Firewall Services
• netfilter/iptables: Used to create a firewall
  – Discards network packets according to chains of rules
• Chains: Specify the general type of network traffic that rules apply to
• Rules: Match network traffic to be allowed or dropped

Firewall Services (continued)
• Three chain types:
  – INPUT chain: Incoming packets
  – FORWARD chain: Packets passing through the computer
  – OUTPUT chain: Outgoing packets
• iptables command: Creates rules for a chain

Firewall Services (continued)
Table 15-5: Common iptables commands

Security
• Linux systems are typically available across networks such as the Internet
• Should improve both local and network security
• Understand how to detect intruders who breach the system

Securing the Local Computer
• Limit access to the computer itself
  – Prevents malicious users from accessing files
• Server closet: Secured room used to store servers
• Remove floppy and CD-ROM devices from workstations
• Ensure the BIOS prevents booting from USB ports

Securing the Local Computer (continued)
• Ensure a BIOS password is set
• Set a boot loader password in the LILO or GRUB configuration file
• Limit access to graphical desktops and shells
• Minimize the root user's time logged in

Securing the Local Computer (continued)
• nohup command: Prevents other commands from exiting when the parent process is killed
• su (switch user) command: Switches the current user account to another
• sudo command: Performs commands as another user via entries in the /etc/sudoers file

Protecting Against Network Attacks
• Always a possibility that crackers can manipulate a network service
• Buffer overrun: Network service altered in memory
• Minimize the number of running network
    services
• nmap (network mapper) command: Scans ports on network computers
  – Shows what network services are running

Protecting Against Network Attacks (continued)
• Enable encryption on essential network services
• Ensure network service daemons do not run as the root user when possible
• New network service versions usually include fixes for known network attacks
  – Keep network services up to date

Protecting Against Network Attacks (continued)
• TCP wrapper: Runs a network daemon with additional security via the /etc/hosts.allow and /etc/hosts.deny files
• Examine permissions for files and directories associated with system and network services

Detecting Intrusion
• Log files can contain information or irregularities indicating an intrusion
• Review the system log files associated with authentication
• Pluggable Authentication Module (PAM): Handles authentication requests from daemons
  – Logs to /var/log/secure

Detecting Intrusion (continued)
• Check the /var/log/wtmp log file
  – Lists users who received BASH shells
• Tripwire: Monitors files and directories
• Intrusion Detection System (IDS): Detects unauthorized access

Detecting Intrusion (continued)
Table 15-6: Common Linux intrusion detection systems