频道栏目
首页 > 系统 > Linux > 正文

LinuxCBT feat. SUSE 10 Enterprise Edition Training Notes

2011-08-05 13:32:57           
收藏   我要投稿

 

LinuxCBT feat. SUSE 10 Enterprise Edition

Training Notes – 20061002.01

 

 

Table of Contents

Boot Process    4

Basic GNU/Linux/UNIX Command Line Interface (CLI) Utilities    4

Standard Linux Shell Rules    5

Secure Shell (SSH)    5

Virtual Network Computing (VNC)    6

RDesktop Client (RDP)     6

Name Resolution Utilities    7

NETSTAT    7

IFCONFIG    8

RPM    8

User & Group Creation/Management    8

File Permissions    8

Symbolic Links (Shortcuts)    10

Provisioning of additional file systems/mount points    10

RAID Partitions    11

Logical Volume Management - Disk Aggregation Mechanism    11

SWAP Storage Provisioning    12

SYSLOG-NG Implementation    12

Log Rotation    13

Cron - System Scheduler    13

Network Time Protocol (NTP)    14

BIND DNS Configuration    14

DHCPD - Server    15

Samba Services - Integrates Windows with Unix/Linux    16

Samba Web Administration Tool (SWAT)    16

Network File System (NFS)    17

Remote Synchronization (RSYNC)    18

Apache HTTPD - Web Server    18

Apache Logging    21

Virtual Hosts (VHOSTS)    21

MySQL Implementation    22

PHPMyAdmin - Implementation    25

Postfix MTA    25

Courier-MTA - IMAP    26

SquirrelMail - Web-based Mail integration    27

Pure-FTPD    27

Xen Virtualization    28

XINETD - Super Server    28

TCP Wrappers - tcpd    29

IPTables Implementation & Operation    30

IPTables Usage    30

Network Mapper (Nmap)    31

Nessus - Vulnerability Scanner    31

TCPDump - Packet Sniffer    32

Ethereal - Network Analysis Tool    32

Snort Network Intrusion Detection System (NIDS)    33

BASE Installation    34

 

 

 

 

 

Boot Process

 

1. BIOS - Initializes hardware

2. Grand Unified Boot Loader (GRUB) - Stage 1(Master Boot Record - 512 bytes) -> Stage 1.5(File system drivers (XFS,EXT2,EXT3,ReiserFS))

3. OS (Linux) Kernel - Initializes/Detects/provides support for hardware

4. INIT(PID=1) - Loads services for various run levels (cumulative)

 

###INIT - The First User-mode Process###

 /etc/inittab

 

Runlevel (0-6) Definitions:

0 - shutdown

1 - single user mode - NO Networking

2 - Multi-user, minus NFS & networking

3 - Multi-user

4 - Unused, reserved for ISVs, or for customization

5 - Multi-user with graphics (X11/X.org)

 

/etc/init.d/runlevel directory (/etc/init.d/rc5.d)

 - Contains symlinks to programs in /etc/init.d

  + prefixed with K(Kill) or S(Started)

   - Each service/daemon is started/killed in numerical order; i.e. K01acpid, K09apmd

 

 

Basic GNU/Linux/UNIX Command Line Interface (CLI) Utilities

 tty = reveals current Teletype Terminal (TTY)

 w = reveals currently logged-in sessions

 ls/dir(alias to ls -l)

 ls -lF - returns long format and '/' at the end of directories

 ls -lF | grep /

 touch - creates empty files / updates time stamps(atime/mtime) on objects

 rm - removes objects (files/directories/etc.)

 echo - echoes values and variables

 echo $? - returns exit status of previously-executed command

 set || env - reveals current shell variables

 pwd - returns working directory

 cd - changes directories; with no options, places us in HOME directory

 mkdir - creates a directory

 whoami - returns currently logged-in user

 su - switches users

 

BASH communicates user-status (privilged/non-privileged) via the prompt:

 1. prompt that terminates with '#' reflects 'root' user

 2. non '#' prompt indicates non-root user

 

 id - reveals id information (uid,gid,groups)

 cp - copies files(files/directories)

 mv - moves/renames files, and tries to preserve timestamp

 stat - returns properties (size,inode,atime,mtime,ctime,perms,etc.) of files

 

 

 

 

Standard Linux Shell Rules

STDIN - Standard In - Default = Keyboard - '<'

STDOUT - Standard Out - Default = Monitor - '>'

STDERR - Standard Error - Default = STDOUT - '2>'

ls deano.txt 2> error.txt

grep linuxcbt 2>&1

 

File Descriptors:

0 = STDIN

1 = STDOUT

2 = STDERR

 

Piping - permits the connection of STDOUT & STDIN

cat test2.txt | grep directories | grep removes

 

Command Chaining - permits execution of multiple commands

command1 && command2 - runs command2 IF command1 is successful (logical AND)

command1 || command2 - runs command2 IF command1 fails

command1 ; command2 ; command2 - all commands execute

 

###More Key Shell Commands###

 file - determines the type of file queried

 which - identifies location in path of queried program

 history - returns list of recently-run commands up to $HISTSIZE=1000

 ~/.bash_history - stores the user's history of commands

 ps -ef - returns ALL running programs - UID,PID,PPID,STIME,etc.

 top - returns top running programs

 

 

Common Clients - FTP,LFTP,Wget,SSH

 FTP - interactive client used to connect to FTP servers

 LFTP - supports many protocols (HTTP/FTP/HTTPS/etc.) and runs interactively/non-interactively(scripted)

 Wget - supports many protocols, however, runs non-interactively

wget http://192.168.1.197/SUSE10/suse/i586/MozillaFirefox-1.5.0.4-1.9.i586.rpm

 

wget ftp://linuxcbt:abc123@linuxcbtmedia1/1million.txt

 

 

###Other basic utilities###

tar with gzip & bzip2 support

tar -czvf 1million.tgz 1million.txt

tar -cjvf 1million.bz2 1million.txt

 

Secure Shell (SSH)

SSH - provides encrypted communications for Telnet/FTP-like sessions

 

First outbound SSH connection yields ~/.ssh/known_hosts (lists trusted hosts)

File is appended as new connections are established

 

PKI - Password-less Login

Must generate RSA/DSA PKI (Public/Private) keys - 'ssh-keygen'

Note: public key is used to encrypt information to recipient

Note: private key is used decrypt information received

Note: keys are user and host specific

 

ssh-copy-id -i ~/.ssh/id_rsa.pub linuxcbtsuse2

 

SCP - SFTP - SSH

 

SCP - performs non-interactive, LFTP/Wget-like, file transfers

 

scp source_file destination_file:

scp linuxcbtsuse2:path_to_file local_path (.//tmp)

 

 

SFTP - performs interactive, FTP-like transfers

sftp linuxcbtsuse2 - connects as 'linuxcbt' to remote system

sftp root@linuxcbtsuse2 - connects as 'root' to remote system

 

ALL sessions/transports are encrypted

 

Virtual Network Computing (VNC)

Note: Cross-platform capable

 - client (Windows/MAC OS X/Linux/Solaris/Unix)

 - client can differ from server

 

vncviewer - primary VNC client application

 

 

RDesktop Client (RDP)

 - Permits easy connections to Windows 2000/2003/TS4/XP Boxes

 

rdesktop -g 640x480 -a 16 192.168.1.102

 

 

Other key network utilities/clients

 

PING - uses ICMP to probe hosts on local and/or remote subnets

 - Default in Linux is to PING continuously

 - Default PING size = 64 bytes

 - Default interval = 1 second

 - Default Time To Live (TTL) = 64

 - PING sends ICMP(Echo) Packets & expects ICMP(Echo Reply) in return

 - ping linuxcbtsuse2

 

Traceroute - maps the network between 2 hosts by displaying routers

Note: traceroute determines that host is router when the TTL is decremented,

and, indicates as such in its output

 

traceroute destination - traceroute 192.168.1.102

Note: some firewalls will NOT decrement the TTLs in ICMP packets

 

Matt's Traceroute (MTR)

 

Address Resolution Protocol (ARP) - reveals ARP table - layer-2 addresses

arp

 

 

ARP resolution example:

linuxcbtsuse2 (Layer-4) -> 192.168.1.197 (Layer-3) -> 00:12:3F:10:C6:93 (Layer-2)

 

www.insecure.org - Nmap - to find list of security utilities

 

 

 

 

Name Resolution Utilities

 

/etc/nsswitch.conf - controls the resolution source/order

 

ping linuxcbtsuse2 -> hosts(/etc/hosts) -> DNS

 

/etc/nsswitch.conf

 -hosts:          files(/etc/hosts) dns(/etc/resolv.conf)

 

DIG - dig

 - queries standard DNS servers

 - dig linuxcbtsuse2.linuxcbt.internal

 - dig www.linuxcbt.com - queries local DNS server for this forward record

 - dig linuxcbt.com mx - returns MX record type

 - dig -x 192.168.1.100 - performs reverse query

 - dig @ns1.linuxgenius.com www.linuxcbt.com

 

 - host www.linuxcbt.com - returns A|CNAME records & IP address

 - hostname - returns local short hostname

 - hostname -f returns Fully-Qualified Domain Name (FQDN)

 

 

NETSTAT

 - displays open sockets - client(1)SYN -> server(2)SYN-ACK -> client(3)ACK -> ESTABLISHED

Usage:

 - netstat - displays open sockets with name resolution

 - netstat -n displays open sockets without name resolution

 

Note: names are resolved using a combination of /etc/hosts & DNS

Note: services(ftp/http/etc.) are resolved via /etc/services

Note: protocols(tcp/ip/udp/unix/etc.) are resolved via /etc/protocols

client <-> server

man netstat - explore socket states

Important states:

 - ESTABLISHED

 - LISTEN

 - SYN_SENT - waiting for SYNACK from remote system

 - SYN_RECV - unable to respond to SYN_SENT

 - FIN_WAIT1 - awaiting shutdown of socket

 

 -netstat -a - reveals ALL protocols

 -netstat -i - displays network interfaces

 -netstat -s - displays protocol stats

 -netstat -rn

 -netstat -nl - netstat -ntl - netstat -nul

 

 

IFCONFIG

 -ifconfig eth2 down - downs the eth2 interface

 -ifconfig -a - displays ALL(active/inactive) interfaces

 -ifconfig eth2 172.20.10.1

Note: changes to inactive interfaces usually activates the interface

Note: ommitting the subnet mask when defining an interface will cause Linux to derive both subnet mask and broadcast addresses based on class rules.

 -ifconfig eth2 172.20.10.1 netmask 255.255.255.0

Alias/sub-interface configuration:

 -ifconfig eth0:1 192.168.1.41 /24 - 255.255.255.0

 -ifconfig eth0:2 192.168.1.42

 

Note: /etc/sysconfig/network - stores interface and global network configuration files

 

 

RPM

 - permits the categorization/installation/upgrade/freshen/removal of packages

Query existing packages:

 -rpm -qa - lists ALL installed packages

 - rpm -ql name_of_package; i.e. rpm -ql rdesktop

 - rpm -qpl package_name - queries package on file system

 

Install packages:

 -rpm -ivh - installs packages

 -rpm -Uvh - upgrades/installs packages

 

Remove packages:

 -rpm -e - removes package

 

Freshen packages:

 - package will be updated ONLY if it already exists

 -rpm -Fvh package_name

 

User & Group Creation/Management

Note: /etc/passwd is the default user database

 -linuxcbt:x:1000:100:linuxcbt:/home/linuxcbt:/bin/bash

 -username:shadow_file(x):UID:GID(Primary):Description/Full Name:Home Directory:Shell

Note: /etc/skel houses template files to be copied to ALL newly-created users using YaST

 

Manual user creation:

 -useradd username

 

Manual group creation:

 -groupadd groupname

 

Note: create group(s) first, then create user, assigning user to group(s)

 

usermod/groupmod

 

File Permissions

10-bits represent permissions and file type

Directory = drwxrwxrwx = 777 = FULL permissions

File = - rwx rwxrwx = 777 = FULL permissions

 

bit 1 = placeholder for object type (file/directory/character/block device/etc.)

bits 2,3,4 = placeholder for permissions for the owner of the object

bits 5,6,7 = placeholder for permissions associated with group owner of the object

bits 8,9,10 = placeholder for ALL else

 

 

drwxr-xr-x 2 linuxcbt users       168 2006-09-08 11:22 temp2

rwx=7, r-x=5, r-x=5 = 755

-rw-r--r-- 1 linuxcbt users      1736 2006-09-06 12:01 test2.txt

rw-=6, r--=4, r--=4 = 644

 

Note: As per the default umask, default for directories = 755, and files = 644

Note: directories require 'x' permission to permit entry

 

umask = 0022

Effective default permissions = Total permissions(777) - umask(0022)

 

777 = 0777

0777

0022

0755 = effective default directory permissions

0644 = rw, r, r

 

The 'x' bit applied to files means the file is executable, however, applied to directories, permits entry into the directory.

 

Octal values for permissions:

r = 4

w = 2

x = 1

Total = 7

 

Change permissions using 'chmod'

-rw-r--r-- 1 linuxcbt users    588895 2006-09-08 15:27 Salaries.xls

rw,r = 640

 

chmod 640 Sal* && ls -l Sal*

 

Note: root ALWAYS has access to ALL files

chmod 600 Sal* && ls -l Sal*

chmod 744 temp2

 

ls -ld temp2 - enumerates permissions, ownership, etc. associated with 'temp2' directory

 

chmod u+rw,g+r,o+r = 644

 

u = user/owner of object

g = group ""

o = other ""

a = u,g,o

 

chmod a-r Salaries.txt

 

Change Ownership of objects (files & directories) using 'chown'

chown linuxcbt test.txt

chown user.group object

chown linuxcbt.project1 test.txt

 

SETUID

Used to impersonate another user; usually root

test_script.pl, test_script.sh

 

 

-rw-r--r-- 1 linuxcbt users    588895 2006-09-08 15:27 Salaries.xls

0644

Note: leading bit can represent SETUID(4) & SETGID(2)

 

chmod 4644 Salaries.xls

 

SETUID FILE:

-rwSr--r-- 1 linuxcbt project1 588895 2006-09-08 15:27 Salaries.xls

 

i.e. /bin/su = SETUID executable

 

stat object name - returns permissions/metadata about the object

 

 

SETGID

Used to force permissions on directories

chmod 2770 project1 && ls -ld project1

 

Sticky

Used to allow users to share a directory but ONLY manipulate their files: /tmp

 

'chgrp' is used to change group ownership

 

 

Symbolic Links (Shortcuts)

Note: 2-types exist; Soft & Hard

 

Soft Links:

 - Ability to reference objects(files & directories) withing & across file system

 

ln -s  source destination

 

 

Note: Soft links reference human-readable file names

Note: Hard links reference distinct Inodes

 

ln source destination - within the SAME file system, creates a HARD link

 

 

Provisioning of additional file systems/mount points

new mount point = /app1

 

2 - shell utilities can be used to create partitions:

 1. fdisk -l

 2. parted - defaults to first disk

 

Note: Extended partitions occupy the remaining space on disk

Note: You may create an extended partition without 3 primary partitions

 

Typical disk layout on i386-compatible systems:

 1. Primary

 2. Primary

 3. Primary

 4. Extended - occupies remaining cylinders on disk

    - n number of logical partitions begining with #5; i.e. /dev/sdb5

 

Note: newly-created mount points need NOT exist off the root of the file system

Note: every file system contains a 'lost+found' directory to house orphaned files

 

RAID Partitions

/, /boot = standard(ext3/reiserfs) non-LVM, non-RAID partitions

All other partitions/mount points should be RAID/LVM

 

RAID-0 - Partitions - Offers speed, but NO REDUNDANCY

 - Requires at least 2 partitions/disks

 - Creates a partition that spans 2 partitions/disks

Note: Create RAID/LVM partitions using separate disks to realize performance benefits

 

 - Must create unformatted partition types of 0xFD(Linux RAID) or 0x83(Linux)

 - RAID-0 partitions need NOT be identical in size

Note: DO NOT format individual RAID component partitions

 

RAID-0 (10GB) - /raidvolumes/app2

 -/dev/sdb6 (5GB)

 -/dev/sdc7 (5GB)

Note: first RAID volume is created @ /dev/md0 (/raidvolumes/app2)

 

 

RAID-1 - Partition (5GB) - /raidvolumes/app3

 -/dev/sdb7 (5GB)

 -/dev/sdc8 (5GB)

/dev/md1

 

 

RAID-5 Partition (10GB) - /raidvolumes/app4

 -/dev/sda3 (5GB)

 -/dev/sdb8 (5GB)

 -/dev/sdc9 (5GB)

/dev/md2

 

Logical Volume Management - Disk Aggregation Mechanism

 - Facilitates the aggregation of various sized volumes into usable storage

 - Allows dynamic resizing volumes

 - Use LVM/RAID for non-root (/) and non-boot (/boot) mount points

 

Create LVM, underlying/supporting partitions(0x8e/0x83) and DO NOT FORMAT

 

LVM-VOL1 - 27GB

 -/dev/sda3 (10GB)

 -/dev/sdb5 (5GB)

 -/dev/sdc7 (12GB)

 

Volume Group(system) - Consists of n volumes

 -n logical volumes (typically 1-to-1)

 

Volume groups facilitate the aggregation of partitions/disks

Logical volumes facilitate the segmentation of volume groups

 

File system structure for LVM-managed volumes:

/dev/Volume Group Name(represents all partitions/disk)/Logical Volumes(user-accessible)

 

SWAP Storage Provisioning

free -m

swapon -s - displays current swap space(file(s)/partition(s))

 

Swap Files

 - dd if=/dev/zero of=/swapfile1 bs=1024 count=524288

 - mkswap /swapfile1

 - swapon /swapfile1

 - update /etc/fstab

  + /swapfile1 swap swap defaults 0 0

 

 

SYSLOG-NG Implementation

Extends traditional Syslog capabilities

 

Note: Facilities and Levels are supported to route messages

 - Facility - identifies unique source of message

 - Levels - identifies the severity of the message

   +Debug

   +Info

   +Notice

   +Warning

   +Error

   +Crit

   +Alert

   +Emerg

 

Note: Standard SYSLOG-NG message consists of the following components:

 1. Source - where to get messages (Unix Syslog socket/UDP(514))

 2. Filtering rules (facilities/levels/pattern matching)

 3. Destination (file/other syslog/syslog-ng hosts(UDP/TCP)/Console(TTYs), Unix Datagrams)

 

Note: Network listening using UDP is disabled by default

 

level(error..emerg)

 

Note: 'log' directive combines the 3 important components of Syslog-NG:

 1. source

 2. filter

 3. destination

 

 

Note: edit /etc/syslog-ng/syslog-ng.conf to enable UDP listener

 

###Filter to receive info. from Local2###

filter f_cisco_pix { facility(local2); };

 

###Destination for info. sent to facility local2###

destination d_cisco_pix { file("/var/log/ciscopix.log"); };

 

###Log Statement to invoke the routing of messages to facility local2###

log { source(src); filter(f_cisco_pix); destination(d_cisco_pix); };

 

###Log to remote host###

 

destination d_cisco_pix { file("/var/log/ciscopix.log"); udp("192.168.1.197"); };

 

 

Log Rotation

/etc/logrotate.conf - includes all files in /etc/logrotate.d

man logrotate

/var/log/ciscopix.log {

    daily

    compress

    dateext

    #maxage 365

    rotate 1000

    #size=+2048k

    notifempty

    missingok

    copytruncate

    postrotate

    /etc/init.d/syslog reload

    endscript

}

 

logrotate -f /etc/logrotate.conf - forces log rotation

 

Cron - System Scheduler

 1. Schedule using global scheduler - /etc/crontab (hourly,daily,weekly,monthly)

 2. Schedule on a per-user basis - /var/spool/cron (root,linuxcbt,etc.) - crontab

 

Note: Cron checks the modification time of global and per-user file/directory every minute

 

Note: /etc/cron.allow and cron.deny are used to control access to cron

 

m(0-59) h(0-23) dom(1-31) m(1-12) dow(Sun,Mon,Tue or 0-7) user_to_run_job_as command_to_run

Note: for Day of Week (dow) field 0 & 7 are both Sunday

 

 

 

###Global Contab Entry###

#m h dom m dow    user    command

*/1 * *   * *    root    ping -c 3 linuxcbtsuse2 >> /root/ping_linuxcbtsuse2.txt

*/5 12-16 *   * *    root    ping -c 3 linuxcbtsuse2 >> /root/ping_linuxcbtsuse2.txt

 

###Per-user Crontabs:###

m(0-59) h(0-23) dom(1-31) m(1-12) dow(Sun,Mon,Tue or 0-7) command_to_run

 

*/1 * *   * *    ping -c 3 linuxcbtsuse2 >> /home/linuxcbt/ping_linuxcbtsuse2.txt

 

 

Network Time Protocol (NTP)

 1. Synchronizes your SUSE box

 2. creates a hierarchy of synchronizations hosts

 

There are 16 Strata

 1 - most accurate - external time sources (GPS/Radio) are connected

 2 - relies upon 1 for synch.

 3 - relies upon 2 ...

 

Note: Try to synch with at least 3 clocks

 

 1 - Externally-connected time source

   +2 - 0.pool.ntp.or, 1.pool.ntp.org, ntp0.cornell.edu

     -3 Our Clock

       +4 Internal hosts relying upon our Stratum-3 clock

 

chkconfig ntp on - enables upon subsequent reboots NTP service

Note: NTP defaults to localhost for time synchronization

 

ntpq -np - returns current servers used to synch time

 

 

 

BIND DNS Configuration

Not installed by default

 

/etc/named.conf - primary configuration file of BIND(caching-only/Primary/Secondary)

 

BIND runs in the following modes:

 1. Caching-only - resolves Internet queries

 2. Primary - authoritative for 1 or more zones

 3. Secondary - authoritative secondary server for 1 or more zones

 

client -> linuxcbtsuse1 -> /etc/resolv.conf - > perform query -> return results

 

Configured linuxcbtsuse2 with BIND and started as a caching-only server

 

 

/etc/named.conf

 

Note: configure 'forwarders' directive to influence named servers used to resolve queries. Otherwise, name servers listed in /etc/resolv.conf will be used.

 

. = root - top-level domain

 com = 2nd-level domain

 edu

 mil

 gov

 

0.0.127.in-addr.arpa

1.168.192.in-addr.arpa

 

zone "linuxcbt.internal" in {

        type master;

        file "linuxcbt.internal.zone";

};

 

zone "1.168.192.in-addr.arpa" in {

        type master;

        file "master/192.168.1.zone";

};

 

 

###Slave configuration - linuxcbtsuse2(.197)

zone "linuxcbt.internal" in {

        type slave;

        masters { 192.168.1.40; };

    file "slave/linuxcbt.internal.zone";

};

 

zone "1.168.192.in-addr.arpa" in {

        type slave;

        masters { 192.168.1.40; };

    file "slave/192.168.1.zone";

};

 

Note: Zone information from primary is stored by default in-memory, slave

 

 

DHCPD - Server

 

Note: Automatic configuration of Layer-3 IP-address information

Uses broadcasts and UDP to exchange configuration information

DORA

D = Discovery - client broadcasts(All FFFFs) for DHCP server on subnet

O = Offer (IP Address configuration information)

R = Response

A = Acknowledgement from server that client accepted offer

 

DHCP Configuration includes global, subnet-specific and optionally host-specific info

 

Use YaST2 or configure manually

 

YaST requires the specification of DHCP interfaces, in order to service the subnet connected to the interface

 

Note: Default SuSE DHCP Server runs in chrooted environment

 

DHCPD's root = /var/lib/dhcp

 

host linuxcbtwin2 {

 hardware ethernet 00:10:a4:ed:a0:4d; # appears in DORA process

 fixed-address 192.168.1.102;

}

 

###Very Secure File Transfer Protocol Daemon (VSFTPD)###

Note: Current version of SUSE Enterprise does not supply a YaST object for management

Note: VSFTPD can be invoked with/without XINETD

Note: Default authentication permits 'anonymous' access only

Note: '/srv/ftp' is default 'anonymous' location as per home directory for 'ftp' in /etc/passwd

Note: FTP supports PASSIVE & ACTIVE connections. VSFTPD supports both, by default

 

Note: FTP connections consist of Control and Data channels

Passive - client -> server(21), then client instructs server to listen to high port for data connection

 

Active - client -> server(21), then server makes connection to port on client to construct data connections, which is generally denied by most firewalls

 

Disable anonymous access by setting appropriate /etc/vsftpd.conf directives

 

Samba Services - Integrates Windows with Unix/Linux

Note: /home shares are dynamically generated for users who connect successfully

Note: /etc/samba/smb.conf - default configuration file for Samba

Note: Samba authenticates users using 2 authentication sources:

 1. /etc/samba/smbpasswd - contains Windows-encrypted users/passwords, and, maps Samba users to local Linux users

 2. /etc/passwd - stores Linux users

Note: File/directory access rests with Linux OS

 

Flow of permissions:

 1. Samba client(Windows/Linux/Unix) submits Samba User

 2. Samba Server attempts to equate submitted user to local Linux user

  a. if successful, Samba server performs I/O as mapped user

  b. if unsuccessful, Samba server attempts to map submitted user as guest

  c. if guest mapping fails, access is denied

 

Note: /etc/samba/smbusers - maps Samba users to Linux users

Note: use 'smbpasswd -a username' to add Samba users, whom are mapped to Linux users

 

###Samba Authentication Modes###

 1. User - uses /etc/samba/smbpasswd - maintained with 'smbpasswd' utility

 2. Server - authentication via a Windows server

 3. Domain - authenticates against an NT-style domain (PDC/BDC)

 4. ADS - authenticates against Active Directory (AD) Domain controllers

 5. Share - authenticates per-share - passwords are tied to shares

 

 

###Other Samba Clients###

 -smbclient - facilitates puts/gets from Samba shares and other features

 smbclient -U administrator //linuxcbtwin2/public1

 smbclient -U administrator -L linuxcbtwin2

 

 -smbtar - facilitates tarring/backup of remote shares

 smbtar -s linuxcbtwin2 -x public1 -t public1.tar

 

 -smbtree - enumerates remote shares

 

 

Samba Web Administration Tool (SWAT)

 - Facilitates web-based administration of Samba via TCP:901

 - Provides its own HTTPD server

 - Controlled by XINETD - /etc/xinetd.d/swat, rcxinetd restart

 - Must authenticate as 'root' after restarting XINETD with SWAT enabled

 - SWAT defaults to BASIC HTTP authentication, which is passed in the clear

 - optionally, install 'samba-doc' package

 

 

###Active Directory (AD) Installation and Integration with Samba###

 -use 'dcpromo' from Windows to promote it to an AD server

 - Setup Microsoft's DNS on AD server for simplicity

 - Optionally, configure appropriate BIND zones

 - Define FQDN for AD root 'ad.linuxcbt.internal'

 - Define NETBIOS name of workgroup for legacy systems 'LINUXGENIUS'

 - Configure AD server to consult itselft for DNS '127.0.0.1'

 

Join SUSE Enterprise box to AD domain using YaST2

 1. Network Services

 2. Windows Domain Membership

 3. Confirm ability to use remote (AD) users using 'getent passwd'

 

Note: winbind daemon facilitates enumeration and usage of remote AD users

 

/etc/nsswitch.conf

 

###Samba File System (SMBFS) Driver##

 -facilitates transparent mounting of remote SMB/CIFS shares

 

\\linuxcbtwin2\public1 - /LINUXGENIUS/linuxcbtwin2/public1

 

use 'mount' to mount remote SMB/CIFS shares:

mount -t smbfs -o username=administrator,password=abc123,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1

 

mount -t cifs -o user=administrator,password=abc123,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1

 

Hide CIFS credentials in /root

nano .cifs_creds

user = administrator

password = abc123

 

mount -t cifs -o credentials=/root/.cifs_creds,rw //linuxcbtwin2/public1 /LINUXGENIUS/linuxcbtwin2/public1

 

 

 

Network File System (NFS)

Note: NFS is managed by the 'portmap' service; use 'rcportmap to control'

Note: YaST/YaST2, can be used to import/export NFS shares

Note: NFS with Linux 2.6, supports versions 2,3,4, and, TCP & UDP

Note: Use NFS on LANs

Note: Specify subnets/IPs in Hosts field to restrict hosts that may connect to your NFS share

Note: The default '*' Hosts value, permits ALL connected users with privileges to mount NFS-exported shares

 

Note: 'root_squash' option for NFS-shares, equates remote 'root' user to local 'nobody' user

Note: 'sync' option reduces likelihood of data-corruption by ensuring that file I/O has completed on NFS server before rendering result/exit status to NFS client

 

Confirm NFS status using the following:

 1. ps -ef | grep -i nfs

 2. rcportmap status - portmap controls NFS/NIS, and allows dynamic allocation of ports

 3. rpcinfo -p

 

Note: server-exported share '/app1', need NOT be the same name of the mount point on NFS client

 

 

###Mount remote share on NFS client###

mount linuxcbtsuse1:/app1 /app1

Note: YaST/YaST2 NFS-exported directories are stored in '/etc/exports'

Note: use 'exportfs -a' to re-export items listed in '/etc/exports'

 

 

 

Remote Synchronization (RSYNC)

Installed by default

Synchronizes remote and optionally local directories and or files

 

rsync operates in 2 modes:

 1. uses transport such as SSH to sync data. - requires rsync on target system

 2. uses 'rsyncd' to authenticate and facilitate transfer of files

 

1-client, 'rsync' is used to connect to both modes

 

rsync -bazv

-b(backup - preserves existing files with ~ suffix or deletes), -a(archives stat info.)

-z(compression), -v(verbose)

 

Note: rsync client is required on both client and server when using SSH transport

 

rsync -bazv -e ssh source destination

rsync -bazv -e ssh /app2 root@linuxcbtsuse2: - syncs local /app2 with remote system and backs-up target files as necessary

 

rsync -bazv -e ssh /app2 root@linuxcbtsuse2:/

 

###Synch local with remote system###

rsync -azv -e ssh root@linuxcbtsuse2:/app2 /

 

#!/bin/bash

###Synchronizes local /app2 with remote /app2

 rsync -azv -e ssh root@linuxcbtsuse2:/app2 /

###END

 

###rsyncd server - /etc/rsyncd.conf - binds to TCP:873###

Note: to contact rsyncd server using rsync client, specify '::' in host field

Note: rsync currently does NOT support synchronization between 2 remote hosts

 

rsync -azv -e ssh /app2 root@linuxcbtsuse2::/

 

 

 

Apache HTTPD - Web Server

>70% of ALL web servers run Apache

Apache is cross-platform capable; available for Linux/Solaris/AIX/Windows/MAC OSX/etc.

 

Install via YaST - Patterns - Select 'Web and LAMP Server' - (Apache/MySQL/PHP/Python Modules)

 

###Apache2.2 Directory Layout###

/etc/apache2 - primary apache2.2 configuration directory

/etc/apache2/default-server.conf - config file for main HTTP server (NON-Virtual-Host)

/etc/apache2/errors.conf - error-handling

/etc/apache2/httpd.conf - Main Apache configuration file (includes other files)

/etc/apache2/uid.conf - controls credentials used by subsequent Apache processes

/etc/apache2/vhosts.d - houses Virtual Hosts files *.conf

/etc/apache2/vhosts.d/vhost-ssl.template - Sample SSL template

/etc/apache2/listen.conf - houses TCP-related bindings

/usr/lib/apache - houses dynamically-loaded modules *.so files

/usr/share/apache2/error - houses default error messages

/etc/apache2/mod_log_config.conf - houses variables to be expanded in Apache's log files

it maps log formats(on the left) to nicknames(on the right)

Nicknames can be referenced wherever a virtual host is defined

Difference between 'common(CLF)' and 'combined' is that combined provides everything provided by common + 'User Agent' and 'Referrer'.

 

/etc/apache2/default-server.conf - config file for main HTTP server (NON-Virtual-Host)

 

DocumentRoot "/srv/www/htdocs" - maps web space to file system space for default pages

i.e. http://linuxcbtsuse2.linuxcbt.internal -> /srv/www/htdocs

 

<Directory "/srv/www/htdocs"> - describes attributes of document root

 Applicable Directives

</Directory>

 

 

Aliases - are like symlinks in the web space. They map a web space location to another location in the file system that is usually outside of the web root

 

alias /temp /srv/www/temp

<Directory "/srv/www/temp"> - describes attributes of document root

 Applicable Directives

</Directory>

 

Note: Apache's Directory/File permissions flow downward

 

ScriptAlias - specifies the location where CGI scripts may be executed safely

ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

 

mod_userdir = http://linuxcbtsuse1.linuxcbt.internal/~linuxcbt/index.html - /home/linuxcbt/public_html/index.html

 

Note: Apache, in prefork mode, spawns 6 processes:

 1. Apache manager, which runs as 'root'

 2. 2-6 (5-child processes), run as non-privileged, 'wwwrun' user - these child processes service HTTP connections

 

http://localhost/manual - returns manual with appropriate (browser-driven)

 

 

### Key Apache Directives - Directory, Alias, Files, Location ###

Note: These directives influence Apache's permissions to serve content

 

<Directory "physical_directory_location /srv/www/htdocs">

 

</Directory>

DirectoryIndex index.html index.html.var - influences default document to be served

Note: Changes made to *.conf files require at least a 'reload' of the 'rcapache2' services and sometimes a full 'restart'

 

Note: IP address(es), short name, FQDN(linuxcbtsuse1.linuxcbt.internal) all lead to the default server referenced in /etc/apache2/default-server.conf, unless overidden via VHOST

 

###Order of evaluation when permitting/denying access to directory###

Order allow,deny

Allow from all

 

Order allow,deny

Allow from 172.20.20.0/255.255.255.0 192.168.1.0/255.255.255.0 127.0.0.1

Deny from all

 

 

 

Alias fakename physical_location

Alias /htdocs2 /srv/www/htdocs2

 

<Directory "/srv/www/htdocs2">

        Options Indexes

        AllowOverride None

        Order allow,deny

        Allow from all

</Directory>

 

 

<files noaccess.html>

 

</files>

 

Note: <files> applied within <directory> block affects the directory and below

Note: <files> applied outside of <directory> block impacts the ENTIRE server

 

<files noaccess.html>

    Order allow,deny

        Deny from all

</files>

 

 

<Location /templocation> - webspace directory permissions

    Order allow,deny

        Deny from all

</Location>

i.e. /status

 

###Redirect Directive - sends traffic to alternate location###

HTTP error messages are grouped into the following categories:

 1. 200 - Good errors - no problems - content has been served

 2. 300 - Redirect errors - used to indicate that content has been moved

 3. 400 - Client errors

 4. 500 - Server errors

 

If users access oursite/htdocs2, send them to /htdocs3

Redirect /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3

Redirect 301 /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3

Redirect permanent /htdocs2 http://linuxcbtsuse1.linuxcbt.internal/htdocs3

 

Note: Directory directives supports basic wildcards; i.e. '*', '?'

 

###.htaccess files###

/srv/www/htdocs/temp1/.htaccess

Note: Update primary *.conf file to permit 'AllowOverride ALL'

Note: There is a slight performance hit when using .htaccess, because Apache parses the file each time content is requested from the directory

 

 

Apache Logging

/var/log/apache2

 -rcapache2.out - yields the results of testing the configuration file(httpd.conf)

 -error_log - stores errors, usually 200-500 and other

 -access_log - stores hits to the server

 

Note: Apache defaults to default files for Virtual Hosts that do not have log routing defined

 

/etc/apache2/mod_log_config.conf

 

LogFormat is used to concatenate and associate Apache log variables with nicknames

Nicknames are referenced in server/host configurations

LogFormat "%h %l %u %t \"%r\" %>s %b"                   common

 

Note: Values that return empty, are reflected with the '-' character

 %h - connecting host's address

 %l - uses ident to return information about the connecting client/user

 %u - connected/attempted HTTP-authenticated user

 %t - timestamp of connection -

    day(2-digit)/Month(3-letters)/Year(4-digits):Hour:Minute:Second -TimeZone

 %r - reflects request method (GET/POST/etc.)

 %>s - represents status code returned to client - 200-500

 %b - size of the returned content to the client - this represents zero bytes with '-'

 %B - returns the same as %b but returns '0' for zero bytes

 

LogFormat "%h %l %u %t \"%r\" %>s %b \(signifies continuing line)

\"%{Referer}i\" \"%{User-Agent}i\""                     combined

 

%{Referer} - returns site that referred this content (page/image/PDF/etc.)

%{User-Agent} - Connecting browser; i.e. (Blackberry/IE/Firefox/Safari/etc.)

 

172.20.20.1 - - [15/Sep/2006:16:18:15 -0400] "GET /index2.html HTTP/1.1" 404 1045 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.4) Gecko/20060527 SUSE/1.5.0.4-1.9 Firefox/1.5.0.4"

 

 

Virtual Hosts (VHOSTS)

2-Types of VHosts:

 1. IP-based - require 1-IP/site and can facilitate SSL/site

 2. Name-based - requires 1-IP/ALL Sites but only 1 SSL site may operate

 

IP1 - 192.168.1.40 - default server

 

ifconfig eth0:1 192.168.1.41

IP2 - 192.168.1.41 - site1 - maps(DocumentRoot) to /srv/www/site1

IP2 - 172.20.20.1 - site2 - maps(DocumentRoot) to /srv/www/site2

IP3 - 192.168.1.42 - site3 - maps(DocumentRoot) to /srv/www/site3

 

Modify /etc/apache2/listen.conf to listen to the new IP address(es)

Note: logio is NOT loaded by default. Use YaST to add module.

 

Name-based Virtual Hosts

 - permits the sharing of IP addresses across VHosts

 

Requirements:

 1. Listen 192.168.1.40:80 - Listen 80(ALL IPs, Port 80)

 2. NameVirtualHost 192.168.1.40:80

 3. DNS MUST be properly configured

 

###SSL Configuration###

Requirements:

 1. /etc/sysconfig/apache2 - APACHE_SERVER_FLAGS '-DSSL'

 2. restart apache

 3. Generate appropriate certificates (private/public key pair)

   a. /usr/bin/gensslcert - creates keys based on system's FQDN and generic info

   b. /usr/share/doc/packages/apache2/certificate.sh - prompts for values

 4. restart apache and test connectivity using HTTPS

 5. cp /etc/apache2/vhosts.d/vhost-ssl-template to working file

 

Key SSL files:

 1. server.crt (Server's certificate - public key)

 2. server.key (Server's private key)

 3. server.csr (Certificate Signing Request - sent to CA(CACert.org, Verisign, Thawte, GoDaddy)

 

 

###Webalizer - Log analysis of Apache###

Note: Default /etc/webalizer.conf, parses standard 'access_log' file

Note: Move /etc/webalizer.conf to /etc/webalizer/webalizer.conf

Note: Copy webazlier.conf to something that reflects the site being processed

Note: Log files should be processed chronologically

Note: Webalizer is limited to a 12-month history

 

Setup Basic HTTP AUTH

 1. Configure /etc/apache2/default-server.conf

<Location /webalizer>

 AuthType Basic

 AuthName "Restricted"

 AuthUserFile /etc/apache2/webalizer_passwords

 Require valid-user

</Location>

 

 2. Generate password file using 'htpasswd2 -c webalizer_passwords linuxcbt'

 

###Redirect /webalizer to SSL-protected site###

Redirect /webalizer https://linuxcbtsuse1.linuxcbt.internal/webalizer

 

###PHP Scripts Integration###

Create PHP script in Document Root of web site:

MUST include opening '<?' and closing '?>' PHP tags in PHP scripts

Note: PHP scripts, served by Apache, do NOT need the 'x' permissions

 

Note: use '<? phpinfo(); ?>' - to return usefule PHP/Apache/Linux info

 

Note: consult '/etc/php5/apache2/php.ini' to tweak PHP Module settings (memory/etc.)

 

Note: install 'php5-mysql' package to allow PHP to talk to MySQL.

 

 

MySQL Implementation

 

/etc/my.cnf - global MySQL configuration file

 

/usr/sbin/mysqld - Main daemon

/var/lib/mysql - Primary root directory for DBs

 -Below /var/lib/mysql are directories representing DBs

 

 

/usr/bin/mysql - primary client(interactive/non-interactive) used to connect to MySQLD

 

 

 

mysql - connects the currently-logged-in Linux/Unix user to the server

 

mysqld - supports, by default:

 1. passwordless root(DBMS super-user) authentication

 2. anonymous, passwordless, authentication

 

Note: Change both 'root' accounts' password and remove anonymous access

Note: A proper MySQL username consists of the following:

 1. username

 2. hostname

i.e. root@localhost, root@linuxcbtsuse1.linuxcbt.internal

 

###Alternate way for DBA to change user's password###

set password for 'root'@'localhost' = password('abc123');

 

 

###Disable anonymous access###

delete from mysql.user where user = '';

 

Note: Flush Privileges after dropping and changing accounts or risk permitting access based on former credentials until the server(mysqld) is restarted

Use: 'flush privileges;'

Note: in standard MySQL installations, non-privileged Linux/Unix users are aliased to 'anonymous'

 

 

###Delete superfluous DBs###

drop database test;

 

###Privileges scope###

mysql - DB used to manage system settings and credentials

mysql.user - Global level permissions table

mysql.host - impacts the host

mysql.tables_priv - impacts table-level permissions

mysql.columns_priv - effects column-level permissions

 

 

###Create new user###

 1. Create DB - 'create database contacts;'

 2. Create user with permissions associated with DB

    grant all on contacts.* to 'linuxcbt'@'localhost' identified by 'abc123';

 3. CREATE USER username;

 

###Drop/Delete Users###

 1. DROP USER username;

 

Note: MySQL evaluates credentials based on 3 components:

 1. user

 2. hostname

 3. password

 

###Define users who may login to MySQL from a remote system###

 1. grant all on contacts.* to 'linuxcbt'@'%' identified by 'abc123';

 2. grant all on *.* to 'root'@'%' identified by 'abc123';

 

Note: '%' is a wildcard to mean 'ANY', similar to '*' in the shell environment

Note: '%' is permitted in the 'host' field/column and NOT in the 'user' column of the privileges tables

 

 

###Key Show Commands###

show grants; - reveal permissions

show databases; - enumerates Databases that you have privileges to see

use DB; show tables; - lists tables in a given database

 

show engines; - returns list of supported(compiled-in) table storage engines

show status; - returns key running variables

show processlist; - returns running queries and connections

 

Note: MySQL binaries search for configuration files in a specific order:

 1. Global config file - /etc/my.cnf

 2. Per-user config file - ~/.my.cnf

 3. Command-line - overrides ALL previously-set directives

 

Note: each program(MySQL binary) searches for distinct blocks in the config files

mysqld --verbose --help - returns options and variables that can be set in global and per-user configuration files

 

name=value - defines how variables are set in config files

 

###Execute MySQL query, returning results to STDOUT (batch-run/non-interactive invocation)

mysql -pabc123 -e 'show databases' - returns list of DBs to STDOUT

 

 

###Backup databases###

mysqldump -p all-databases

mysqldump -p --all-databases > all_dbs.sql - dump ALL DBs in ASCII text format to a file

mysqldump -p --database mysql - returns code to recreate 'mysql' DB & tables

 

 

###Creation of 'people' table to store contacts###

DB(Contacts)

 - Table(people)

  -first_name

  -last_name

  -bus_phone1

  -email

  -PRIMARY KEY

 

CREATE TABLE `people` (

`first_name` char(30), `last_name` char(30), bus_phone1 char(20), email char(40),

PRIMARY KEY (`email`)

);

 

Note: use 'describe people' to return the structure of the 'people' table

 

 

###Import contacts into 'people' table from externally-created text file###

Note: Create file named 'people.txt'. mysqlimport strips '.txt' suffix and matches file name to table name.

Note: Import using 'mysqlimport'

 

mysqlimport -pabc123 --local -d contacts people.txt

 

###PHP code to query 'contacts.people' and dump info to HTML###

Steps:

 1. Create connection object (host,user,password,DB)

 2. Define query

 3. Define result set variable

 4. loop through result-set and return results to the browser

 

 

<?

 

#Step 1:

$conn1 = new mysqli(localhost, linuxcbt, abc123, contacts);

 

#Step 2:

$query1 = "select first_name, last_name, email FROM people";

 

#Step3:

$result1 = $conn1->query($query1);

 

#Step 4:

 ###Execute if result-set is NOT empty###

if ( $result1=$conn1->query($query1)) {

 

 ###Echo column headers###

 echo "Full Name ", "E-Mail", "<br>";

 

 ###Loop through Result Set###

 While ($obj1 = $result1->fetch_object()) {

  echo $obj1->first_name, "  ", $obj1->last_name , "  ", $obj1->email, "<br>";

 } #Terminates loop-through result-set

 

} #Terminates conditional check for result-set

 

?>

 

 

PHPMyAdmin - Implementation

Used to graphically, via a browser, manage MySQL instances

www.phpmyadmin.net

Note: Requires PHP-MySQL support on your Apache server

tar -xjvf phpMyAdmin-2.8.2.4.tar.bz2

 

Note: create symlink or alias to link to the current version PHPMyAdmin. This provides a consistent URL. i.e. http://linuxcbtsuse1.linuxcbt.internal/phpmyadmin

ln -s phpMyAdmin-2.8.2.4 phpmyadmin

 

 

Postfix MTA

Note: is a distributed, non-monolithic MTA (many binaries)

Note: Postfix does NOT permit outside network relaying by default

/etc/postfix/main.cf - Primary Postfix config file

/etc/postfix/master.cf - houses config for Postfix daemons

/etc/postfix/transport - governs message routing based on domain/etc.

/etc/postfix/virtual - houses virtual mappings for Virtual domains

/usr/bin/mailq - enumerates the contents of the mail queue

/usr/bin/newaliases - updates the aliases DB (/etc/aliases)

/usr/sbin/sendmail - drop-in replacement for 'Sendmail's' 'sendmail' binary

 

Key directives:

$myhostname = linuxcbtsuse1.linuxcbt.internal (Default FQDN)

user@linuxcbtsuse1.linuxcbt.internal - i.e. linuxcbt@linuxcbtsuse1.linuxcbt.internal

 

$mydomain = linuxcbt.internal (Default derivative of FQDN)

 

$myorigin = FQDN - sets the outbound domain in e-mails

 

$mydestination = controls domains that are considered local - i.e. root@linuxcbtsuse1.linuxcbt.internal

 

$mynetworks - permits relaying from trusted hosts/subnets - Default accepts messages from localhost and local subnet

 

$home_mailbox = Mailbox || Maildir - controls local delivery using either protocol

Mailbox - /var/spool/mail/user

Maildir = ~/Maildir/

 

Note: Most Mail User Agents (MUAs) such as Mutt, send messages using 'sendmail' binary

Note: when using 'su' the 'MAIL' shell variable does NOT change

 

Note: Postfix defaults to SysLog for logging using the mail facility: /var/log/mail

Note: If DNS fails, Postfix fails, unless routing has been configured in /etc/postfix/transport

 

Note: postconf dumps running Postfix configuration

 

Note: After modifying lookup files such as /etc/postfix/transport, update the DB file using 'postmap filename' i.e. 'postmap /etc/postfix/transport'

 

 

Courier-MTA - IMAP

 

Requirements:

 1. Courier Authlib - Authentication library for ALL Courier application

 2. Courier IMAP

 3. GNU C Compiler

 

AuthLib Installation:

http://courier-mta.org/authlib

 Steps:

  1. ./configure

  2. make

  3. make install (as root) - /usr/local/sbin

  4. make install-configure (as root)

  5. /usr/local/sbin/authdaemond start

 

 

IMAP Installation:

http://courier-mta.org/imap

 Steps:

  1. ./configure

  2. make (produces binaries)

  3. make install (as root) - copies files to /usr/lib/courier-imap

  4. make install-configure (as root)

  5. /usr/lib/courier-imap/libexec/imapd.rc start - starts IMAPD

 

 

Note: Courier IMAP requires Maildir/ directory in user's $HOME

 

###Postfix - Maildir/ config###

nano /etc/postfix/main.cf

 

couriertcpd - analagous to XINETD because it is a super-server

 

Note: Courier IMAP provides the following daemons:

 1. IMAPD - TCP:143 - Clear-text access

 2. IMAPD-SSL - TCP:993 - Encrypted access

 3. POP3 - TCP:110 - Clear-text access to download messages

 4. POP3-SSL - TCP:995 - Encrypted access to download messages

 5. SYSV INIT Scripts - source code directory

 

chkconfig courier-authlib on

chkconfig courier-imap on

 

 

 

SquirrelMail - Web-based Mail integration

Steps:

 1. Download from www.squirrelmail.org

 2. Extract and untar: tar -xjvf squirrelmail-1.4.8...

 3. Configure to use Courier - using squirrelmail/config/conf.pl

 4. Change permissions on squirrelmail/data sub-directory to be owned by 'wwwrun'

 4. Symlink 'squirrelmail' to 'squirrelmail-1.4.8...' directory

 5. Test logging into mail

 

###Connection logic to mailbox from client###

Browser -> SquirrelMail(PHP) -> Courier IMAP -> ~/Maildir/

 

 

###Moved Default SquirrelMail 'data' directory outside of WebRoot###

mkdir /var/squirrelmail/data

chown -R wwwrun /var/squirrelmail

 

 

Pure-FTPD

Features:

 1. Lightweight

 2. Fast

 3. Secure

 4. SSL/TLS on the control connection

 5. Bandwidth throttling

 6. Runs in standalone and XINETD modes

 

/etc/pure-ftpd/pure-ftpd.conf - Primary configuration files

/usr/sbin/pure-ftpd - primary binary

Note: pure-ftpd defaults users to their home directories (chroot)

Note: by default, ONLY 'anonymous' connections are permitted

Note: 'anonymous' access works like VSFTPD; it is based on the 'ftp' user in /etc/passwd

Note: by default, pure-ftpd logs ONLY using 'syslog'

Note: the CLF/W3C/Stats log files do NOT log verbose FTP activity, however, 'syslogd' does

 

###Enable FTP support in Syslog###

Requires: filter, destination, and, log directives

 

###Syslog-NG Configuration###

filter f_ftp { facility(ftp); };

destination d_ftp { file("/var/log/pure-ftp-syslog.log"); };

log { source(src); filter(f_ftp); destination(d_ftp); };

 

FTP Client -> FTP Server(21 - Control Connection - Clear Text)

Note: TLS Encryption applies solely to Control Connection - typically TCP:21

Note: TLS does NOT protect the Active/Passive data connection

 

Requirements:

 1. Generate(use notes from docs) or use existing PEM file or certificate

 2. modify pure-ftpd.conf file to permit TLS

 

 

 

Xen Virtualization

Features:

 1. Provides a Virtual Machine Server (VM Server) - Hosts VMs - domain(0)

 2. Virtual Machines (VMs) - instances of Operating Systems

 3. Virtual Machine Monitor - Software layer running between SUSE(domain 0) & Hardware

 

Hardware <- VM Server -> VMM -> Virtual Machines (1..n)

 

Note: ample hardware (CPU power, RAM, Disk) is necessary to use Xen

 

Xen Supports 2 Modes:

 1. Fully Virtual - runs slower - Supports most OSs, requires Hardware-assisted virtualization (AMD & Intel VT) - devices are emulated and requires more resources

 

 2. Paravirtual - runs faster - Only SUSE Products (10.1 & higher, SUSE Ent. 10) - special 'Xen drivers' are used to emulate hardware, resulting in faster performance

 

 Note: this mode is considered 'VM-Aware' Mode

 

Note: Installation of Xen, modifies /boot/grub/menu.lst - to include Xen boot option

 

 

###Post VM Server Installation Checks###

xm list - returns domain 0 - confirms if Xen is operable

 

xm shutdown vm1 - shuts the VM server 'vm1'

xm destroy vm1 - destroys configuration of 'vm1'

 

 

 

XINETD - Super Server

Note: Successor to traditional 'INETD' with extensions

Client -> TCP:901(SWAT) -> XINETD -> SWAT

Features:

 1. Spawns managed daemons(SWAT, pure-ftpd, VNC, etc.) when necessary

 2. Access-time ACLS - restricting connectivity to managed services during specifc periods

 3. Connections per second (CPS) - limits rush of traffic/flooding

 4. Limits number of instances of spawned process

 

/etc/xinetd.conf - primary config file

/etc/xinetd.d - includes contents of the directory

Note: scope-level config files override directives discovered in global /etc/xinetd.conf

 

/usr/sbin/itox && /usr/sbin/xconv.pl - converts INETD files/entries to XINETD format

 

XINETD

 -/etc/xinetd.conf

  -INCLUDES contents of /etc/xinetd.d/*

 

XINETD config block resembles the following:

service_name

{

    n number of directives (name = value pairs)

 

}

 

service2_name

{

    name = value pairs

}

 

'man xinetd.conf' to examine all possible directives

 

 

XINETD - interacts natively with TCP Wrappers

Note: increase security of XINETD-protected services by usin the following directives:

 1. interface = 127.0.0.1

 2. only_from = 127.0.0.1

 

 

TCP Wrappers - tcpd

Controls access to protected services, inluding XINETD and non-XINETD-controlled services

Note: TCP Wrappers provides protection dynamically

 

TCP Wrappers order of processing:

1. /etc/hosts.allow

   - swat:127.0.0.1 192.168.1.40 - daemon:client_list combo - GRANT ACCESS

 

2. /etc/hosts.deny

    - swat:127.0.0.1 192.168.1.40 - DENY ACCESS

    - IF NO MATCH - GRANT ACCESS

 

Note: TCP Wrappers uses the name of the daemon as its token

 

Note: TCP Wrappers permits placing ALL rules in one file(/etc/hosts.allow) providing we use the following syntax:

 - daemon_name(swat) : client_list(127.0.0.1,192.168.1.0) : ALLOW | DENY

 - daemon_list(swat,pure-ftpd,etc.) : client_list... : ALLOW | DENY

 

Note: The 3rd field of a TCP Wrappers rule may optionally contain a reference to invoke a shell script

 

Note: TCP Wrappers rules are executed immediately without having to reload/restart services

 

###Security Strategy###

 1. Application Security - User authentication, port-bindings, etc.

 2. XINETD - Wraps your application - Connection throttling, access times, logging, etc.

 3. TCP Wrappers - Dynamic, kernel-based filtration to applications

 4. Netfilter/IPTables - Stateful firewall

 

Netfilter is the firewall compiled into the Linux kernel

IPTables is a front-end, user-space utility used to manage Netfilter

 

Kernel -> Netfilter -IPTables - User

 

IPTables Implementation & Operation

Features:

 1. Operates primarily @ Layers 3(Network) & 4(Transport) of the OSI model

   a. IP = 192.168.1.40(Layer-3) - Note: 2^32 IPv4 addresses are available

    a1. Mutexed into 2^16 ports = 1-65535 - Layer-4 ports (80, 901, 22, 23, 21, ...)

 2. Modular - it is extended via plug-ins/modules

 3. Provides '/usr/sbin/iptables' - primary utility, used to manage Netfilter

 4. '/usr/sbin/iptables-save & restore' to backup and restore rules for reuse

 5. Changes made happen instantly/dynamically

 

Note: IPTables consists of tables & chains

 Table - 3 default tables

 NAT

 -Chains

 Mangle

 -Chains

 Filter(Default Table)

 -Chains

  -INPUT - focuses on traffic inbound to a process

  -OUTPUT - focuses on traffic outbound/leaving the system

  -FORWARD - focuses on traffic being routed through the system (1 interface to another)

 

 

IPTables Usage

iptables -L - lists the current rule-set for the default chain(Filter)

Default policy applied to chains is 'ACCEPT' - this permits traffic to flow uninhibited

 

iptables -L -t nat

Note: You cannot remove the default tables (Filter, NAT, Mangle)

Note: The 'Forward' chain of the 'Filter' table does not work unless IP forwarding has been enbaled

 

 

iptables -A chain_name - appends rule to bottom of the list

iptables -D chain_name rule_num - deletes rule at number

iptables -F chain_name - flushes rules in chain

iptables -P chain_name DROP - changes the policy to DROP

iptables -N new_chain_name - defines a new chain

iptables -E old_chain_name new_chain_name - renames a chain

iptables -Z chain_name - zeroes counters

 

###Rule to deny inbound access to Samba SWAT###

i.e. iptables -A INPUT --protocol --dport -s Jump Target(ACCEPT/DROP/DENY/LOG)

iptables -A INPUT -p tcp --dport 901 -s 192.168.1.102 -j DROP

iptables -A INPUT -p tcp --dport ssh -s 192.168.1.102 -j DROP

iptables -F INPUT

 

###Save/Restore Rules###

iptables-save > `date +%F`.iptables.rules - saves rules to disk

iptables-restore 2006-09-21.iptables.rules - reinstates rules

 

 

###Filter inbound ICMP echo-request traffic###

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

iptables -A INPUT -p icmp --icmp-type echo-reply -j DROP

 

 

###Filter outbound ICMP echo-request traffic###

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP

 

###SuSE Firewall2 - Graphical IPTables/Netfilter Management###

Note: SuSE Firewall2 changes default policies to 'DROP'

 

 

 

 

Network Mapper (Nmap)

Note: http://www.insecure.org

rpm -Uvh nmap-version*

/usr/bin/nmap - primary utility - available to ALL users

Note: non-privileged users can use Nmap in a limited capacity (TCP-connect scans), with no stealth, in comparison to 'root'

 

NmapFE - GUI front-end, which executes Nmap via the shell

 

###Nmap usage###

nmap

nmap localhost - scans localhost using SYN(if 'root') TCP-Connect(if 'non-root') - performs TCP-scan

 

nmap 192.168.1.40

nmap -v 192.168.1.40

nmap -v -sU 192.168.1.0/24

nmap -v -sU -p 67 192.168.1.0/24

nmap -v -O 192.168.1.197

nmap -v -oN nmap.scan.1 192.168.1.0/24

 

 

Nessus - Vulnerability Scanner

Nessus scans hosts, determines available services, and, vulnerabilities

www.nessus.org

 

Note: Nessus is Client/Server App. NessusD runs on Linux Server, client runs on: Windows/Linux/Mac/Solaris/etc.

 

Note: place Nessus server in location on network that has access to entire network

 

Register with Tenable Networks:

rpm -Uvh Nessus-3.0.3-suse10.0.i586.rpm

Note: Must apply activation code in order to receive feeds(definitions)

/opt/nessus//sbin/nessus-add-first-user - adds first user to Nessus

/opt/nessus//sbin/nessus-add-user - adds additional users to Nessus

0.0.0.0:1241 - Nessus binds to TCP:1241 by default on ALL IP addresses

 

Nessus Client can be used to connect to multiple NessusD back-end servers via scopes

 

 

TCPDump - Packet Sniffer

Note: TCPDump produces, optionally, a TCPDump-compliant file, which is readable by many clients, including:

 1. TCPDump

 2. Ethereal

 3. Snort NIDS

 

/usr/sbin/tcpdump - is the single binary used to sniff on interfaces

 

###Usage###

tcpdump

control-C to kill

 

tcpdump -v - executes in verbose mode and returns capture synopsis

tcpdump -v -n - disables name resolution

 

tcpdump -vv - increases verbosity

 

tcpdump -v -i eth2

tcpdump -D - returns possible sniffing interfaces

tcpdump -v -i any - listens to ALL interfaces, non-promiscuous mode

 

tcpdump -v -c 5 - captures 5 packets and exits

tcpdump -q - runs in quiet mode

tcpdump -v -e - returns link header(MAC info) info

 

tcpdump -v -w capture.out - writes to capture.out file

tcpdump -v -r capture.out - replays packets in file

 

 

Note: 3 Qualifiers can be used to filter traffic:

 1. Type - host|net|port

 2. Dir - src, dst, src or dst, src and dst

 3. Proto - ip, tcp, udp, etc.

 

tcpdump -v host 192.168.1.102

tcpdump -v src 192.168.1.102

tcpdump -v -r capture.out

 

Ethereal - Network Analysis Tool

Features:

 1. Sniffer

 2. Saves sniffed traffic in TCPDump format

 3. Analyzes TCPDump-formatted data

 4. Correlates streams of packets

 

/usr/bin/ethereal - primary utility

 

Snort Network Intrusion Detection System (NIDS)

Features/Modes:

 1. Sniffer - i.e. TCPDump

 2. Packet Logger - i.e. TCPDump

 3. NIDS

 

Requires:

 1. pcre-devel*

 2. libpcap

 3. mysql-devel* (optional to support DBMS logging with MySQL)

 

Download GPG signature and MD5 checksum files

gpg --verify snort-2.6.0.2.tar.gz.sig

 

 

###Compilation process###

 1. ./configure --

 2. make

 3. make install

 

Snort - Sniffer Mode

snort -v - dumps basic headers - timestamp, and, IP header

snort -vd - dumps application layer

snort -ve - dumps layer-2 info (MAC)

snort -vde - dumps layers 2-7

 

Snort - Logger Mode - Sniffer Mode with output sent to Screen and/or file

snort -v -L - dumps ALL layers, minus physical to a TCPDump-compliant file

snort -v -l ./ - creates snort.log.timestamp in current directory

snort -v -b -l ./ - Binary Logging

snort -b -l ./ - Binary logging with NO ASCII output to STDOUT - drops less data

 

Snort - NIDS Mode with BASE

Steps:

 1. Reconfigure Snort with --enable-dynamicplugin option

 2. groupadd snort && useradd -g snort snort

 3. Setup /etc/snort directory tree with config files and rules

 4. Configure MySQL

 5. Invoke Snort in NIDS mode

 6. Download & configure BASE

 

1. make clean && ./configure --with-mysql --enable-dynamicplugin

2. make && make install

 

$HOME_NET 192.168.1.0/24

$RULE_PATH /etc/snort/rules

ouput database: log, mysql...

 

mysql

 - create database snort;

 - grant ALL on snort.* to snort@localhost identified by 'snortabc123';

 - grant ALL on snort.* to snort identified by 'snortabc123';

 

mysql -pabc123 < create_mysql snort

 

NIDS Mode Invocation

/usr/local/bin/snort -c /etc/snort.conf -i eth0 -g snort -D -daemonizes

 

Download and extract rules files to /etc/snort/rules

 

 

BASE Installation

Requirements:

 1. php support for MySQL

 2. php gd support - optional

 3. adodb - sourceforge.net - /srv/www/adodb

 

Note: BASE extends 'snort' DB schema

上一篇: LinuxCBT_Deb5x_Edition_Notes
下一篇:安装nginx+mysql+php
相关文章
图文推荐

关于我们 | 联系我们 | 广告服务 | 投资合作 | 版权申明 | 在线帮助 | 网站地图 | 作品发布 | Vip技术培训 | 举报中心

版权所有: 红黑联盟--致力于做实用的IT技术学习网站