Title: Linux Services
1 Linux Services
2 Linux DHCP Server
- With DHCP, a client's IP address is assigned dynamically by a DHCP server.
- A PC client will most likely get its IP address at boot time from the home router instead.
- The DHCP server RPM's filename usually starts with the word dhcp followed by a version number, as in dhcp-3.0.1rc14-1.i386.rpm.
3 The /etc/dhcpd.conf File
- When DHCP starts, it reads the file /etc/dhcpd.conf.
- The standard DHCP RPM package doesn't automatically install a /etc/dhcpd.conf file, but a sample copy of dhcpd.conf is in the following directory: /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample
4 /etc/dhcpd.conf example file
ddns-update-style interim;
ignore client-updates;

subnet 172.27.21.0 netmask 255.255.255.0 {

    # --- default gateway
    option routers                  172.27.21.254;
    option subnet-mask              255.255.255.0;

    option nis-domain               "cp.su.ac.th";
    option domain-name              "cp.su.ac.th";
    option domain-name-servers      202.28.72.66, 202.44.135.9;

    option time-offset              -18000;     # Eastern Standard Time
    option netbios-node-type 2;

    range dynamic-bootp 172.27.21.200 172.27.21.250;
    default-lease-time 21600;
}
5 How to get DHCP started
- Use the chkconfig command to get DHCP configured to start at boot.
- Use the service command to instruct the /etc/init.d/dhcpd script to start/stop/restart DHCP after booting.
[root@bigboy tmp]# chkconfig dhcpd on
[root@bigboy tmp]# service dhcpd start
[root@bigboy tmp]# service dhcpd stop
[root@bigboy tmp]# service dhcpd restart
6 SAMBA
- Samba is a suite of utilities that allows your Linux server to share files and other resources, such as printers, with Windows clients.
7 Get SMB started
- Configure Samba to start at boot time using the chkconfig command.
- Start/stop/restart Samba after boot time using the smb initialization script, as in the examples below.
- Note: Unlike many Linux packages, Samba does not need to be restarted after changes have been made to its configuration file, as it is read after the receipt of every client request.
[root@bigboy tmp]# chkconfig smb on
[root@bigboy tmp]# service smb start
[root@bigboy tmp]# service smb stop
[root@bigboy tmp]# service smb restart
8 The Samba Configuration File
The /etc/samba/smb.conf file is the main configuration file.
Section    Description
global     General Samba configuration parameters
printers   Used for configuring printers
homes      Defines treatment of user logins
netlogon   A share for storing logon scripts. (Not created by default.)
profile    A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)
9 Samba's SWAT web interface
- SWAT, Samba's web-based configuration tool, lets you edit the smb.conf file without needing to remember all the formatting.
- Each SWAT screen is actually a form that covers a separate section of the smb.conf file, into which the admin fills in the desired parameters; each parameter box has its own online help.
10 Samba SWAT Main Menu
11 Basic SWAT Setup
- Root must always remember that SWAT edits the smb.conf file but also strips out any comments that may have been manually entered into it beforehand.
- The original Samba smb.conf file has many worthwhile comments in it; you should save a copy as a reference before proceeding with SWAT.
- For example, you could save the original file with the name /etc/samba/smb.conf.original:
[root@bigboy tmp]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original
12 Basic SWAT Setup
- The enabling and disabling, starting and stopping of SWAT is controlled by xinetd via a configuration file named /etc/xinetd.d/swat.
service swat
{
    port            = 901
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/swat
    log_on_failure  += USERID
    disable         = no
    only_from       = localhost
}
13 Basic SWAT Setup
- The disable parameter must be set to no to accept connections. This can be switched automatically between yes and no.
- The default configuration only allows SWAT web access from the VGA console, as user root, on port 901 with the Linux root password.
- This means root has to enter "http://127.0.0.1:901" in the browser to get the login screen.
- Root can make SWAT accessible from other servers by adding IP address entries to the only_from parameter of the SWAT configuration file.
- An example of an entry to allow connections only from 192.168.1.3 and localhost:
only_from       = localhost 192.168.1.3
14 Controlling SWAT
- As with all xinetd-controlled applications, the chkconfig command automatically modifies the disable field accordingly in the configuration file and activates the change.
- Before SWAT can be used, the xinetd program which controls it must be activated in advance.
- You can start/stop/restart xinetd after boot time using the xinetd initialization script.
15 xinetd Programs
- Many network-enabled Linux applications do not rely on themselves to provide restricted access or bind to a particular TCP port.
- Instead they often offload a lot of this work to a program suite made just for this purpose, xinetd.
- The xinetd RPM is installed by default in Fedora Linux and uses /etc/xinetd.conf as its main configuration file.
16 Controlling xinetd
- The starting and stopping of the xinetd daemon is controlled by scripts in the /etc/init.d directory, and its behavior at boot time is controlled by chkconfig.
- You can start/stop/restart xinetd after booting by using the following commands.
- To get xinetd configured to start at boot you can use the chkconfig command.
[root@bigboy tmp]# service xinetd start
[root@bigboy tmp]# service xinetd stop
[root@bigboy tmp]# service xinetd restart
[root@bigboy tmp]# chkconfig xinetd on
17 Controlling xinetd-Managed Applications
- Xinetd-managed applications all store their configuration files in the /etc/xinetd.d directory.
- Each configuration file has a disable statement that can be set to yes or no. This governs whether xinetd is allowed to start them or not.
- You don't have to edit these files to activate or deactivate the application. The chkconfig command does that automatically and will also stop or start the application accordingly.
18 Telnet
- Telnet is a program that allows users to log into a server and get a command prompt just as if they were logged into the VGA console.
- The Telnet server RPM is installed and disabled by default on Fedora Linux.
- One of the disadvantages of Telnet is that the data is sent as clear text.
- A more secure method for remote logins would be via Secure Shell (SSH), which uses varying degrees of encryption.
- The older Telnet application remains popular. Many network devices don't have SSH clients, making telnet the only means of accessing other devices and servers from them.
19 Installing The Telnet Server Software
- Older versions of RedHat had the Telnet server installed by default. Fedora Linux does not; you will have to install it yourself.
- Most Linux software products are available in a precompiled package format. Downloading and installing packages
- When searching for the file, the Telnet server RPM's filename usually starts with the word "telnet-server" followed by a version number, as in telnet-server-0.17-28.i386.rpm.
20 Setting Up A Telnet Server
- To set up a Telnet server, use the chkconfig command to activate Telnet.
- Use the chkconfig command to deactivate Telnet; it stays deactivated even after the next reboot.
[root@bigboy tmp]# chkconfig telnet on
[root@bigboy tmp]# chkconfig telnet off
21 Let Telnet Listen On Another TCP Port
- Letting telnet run on an alternate TCP port does not encrypt the traffic, but it makes it less likely to be detected as telnet traffic.
- Remember that this is not a foolproof strategy: good port scanning programs can detect telnet and other applications running on alternative ports.
22 Let Telnet Listen On Another TCP Port
- Edit the /etc/services file and add an entry for a new service. Call it stelnet.
- Copy the telnet configuration file called /etc/xinetd.d/telnet and call it /etc/xinetd.d/stelnet.
# Local services
stelnet         7777/tcp        # "secure" telnet
[root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet
23 Let Telnet Listen On Another TCP Port
- Edit the new /etc/xinetd.d/stelnet file. Make the new service stelnet and add a port statement for TCP port 7777.
- Use chkconfig to activate stelnet.
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service stelnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = no
    port            = 7777
}
[root@bigboy tmp]# chkconfig stelnet on
24 Let Telnet Allow Connections From Trusted Addresses
- Root can restrict telnet login access to individual remote servers by using the only_from keyword in the telnet configuration file.
- Add a list of trusted servers to the /etc/xinetd.d/telnet file, separated by spaces.
- Restart telnet with:
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = no
    only_from       = 192.168.1.100 127.0.0.1 192.168.1.200
}
[root@bigboy tmp]# chkconfig telnet off
[root@bigboy tmp]# chkconfig telnet on
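The only_from restriction shown for SWAT on slide 13 and for telnet just above, together with the disable field that chkconfig toggles (slide 17), can be audited from a script rather than by reading each file. The POSIX shell example below is added here and is not part of the original slides; it parses files in the /etc/xinetd.d "key = value" layout shown above, writes its own sample files (constructed for the demonstration, with the same contents as the slides) into a temporary directory, and lists every enabled service that carries no only_from restriction.

```shell
#!/bin/sh
# Added example, not from the original slides: audit /etc/xinetd.d-style
# service files for the disable and only_from settings described above.
# The sample files written by xinetd_write_samples are constructed here.

# Print the value of key $2 from xinetd service file $1, ignoring comments.
# Handles both "key = value" and "key += value" lines.
xinetd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key && ($2 == "=" || $2 == "+=") {
            $1 = ""; $2 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }' "$1"
}

# Exit 0 if address $2 is accepted by the only_from list of file $1.
# "localhost" and 127.0.0.1 are treated as the same host. An empty or
# missing only_from means xinetd applies no source restriction at all.
# Simplification: CIDR and wildcard network forms are matched literally.
xinetd_allows() {
    list=$(xinetd_value "$1" only_from)
    if [ -z "$list" ]; then
        return 0
    fi
    want=$2
    if [ "$want" = localhost ]; then want=127.0.0.1; fi
    for addr in $list; do
        if [ "$addr" = localhost ]; then addr=127.0.0.1; fi
        if [ "$addr" = "$want" ]; then return 0; fi
    done
    return 1
}

# Print the names of services in directory $1 that are enabled
# (disable = no) and have no only_from restriction: these accept
# connections from any address that can reach the port.
xinetd_unrestricted() {
    for f in "$1"/*; do
        if [ -f "$f" ] && [ "$(xinetd_value "$f" disable)" = no ] \
           && [ -z "$(xinetd_value "$f" only_from)" ]; then
            basename "$f"
        fi
    done
}

# Write constructed sample service files into directory $1.
xinetd_write_samples() {
    cat > "$1/swat" <<'EOF'
service swat
{
    port            = 901
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/swat
    log_on_failure  += USERID
    disable         = no
    only_from       = localhost
}
EOF
    cat > "$1/stelnet" <<'EOF'
# telnet copied to port 7777, as on the slides: no only_from at all
service stelnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = no
    port            = 7777
}
EOF
    cat > "$1/telnet" <<'EOF'
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    disable         = yes
    only_from       = 192.168.1.100 127.0.0.1 192.168.1.200
}
EOF
}

demo=$(mktemp -d)
xinetd_write_samples "$demo"
echo "Enabled services reachable from any address:"
xinetd_unrestricted "$demo"        # prints: stelnet
rm -rf "$demo"
```

Run against the real directory with xinetd_unrestricted /etc/xinetd.d; the moved-port stelnet service shows up because moving the port changed nothing about who may connect, while the disabled telnet file does not, even though its only_from list is the restrictive one from the slide.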
25 Linux FTP
- The File Transfer Protocol (FTP) is one of the most common means of copying files between servers over the Internet.
- Most web-based download sites use the built-in FTP capabilities of web browsers, and therefore most server-oriented operating systems usually include an FTP server application as part of the software suite.
- Fedora Linux's FTP server uses the Very Secure FTP Daemon (VSFTPD) package by default.
26 FTP overview
- FTP relies on a pair of TCP ports to get the job done. It operates in two connection channels:
- FTP Control Channel, TCP Port 21: All commands sent and the FTP server's responses to those commands go over the control connection.
- FTP Data Channel, TCP Port 20: This port is used for all subsequent data transfers between the client and server.
27 How To Get VSFTPD Started
- With Fedora, Redhat, Ubuntu and Debian you can start, stop, or restart VSFTPD after booting by using these commands.
- With Redhat / Fedora you can configure VSFTPD to start at boot using the chkconfig command.
[root@bigboy tmp]# /etc/init.d/vsftpd start
[root@bigboy tmp]# /etc/init.d/vsftpd stop
[root@bigboy tmp]# /etc/init.d/vsftpd restart
[root@bigboy tmp]# chkconfig vsftpd on
28 The Apache Web Server
- Apache is probably the most popular Linux-based Web server application in use.
- When searching for the file, the Redhat / Fedora Apache RPM package's filename usually starts with the word httpd followed by a version number, as in httpd-2.0.48-1.2.rpm.
29 Get Apache started
- Use the chkconfig command to configure Apache to start at boot.
- Use the httpd init script in the /etc/init.d directory to start, stop, and restart Apache after booting.
[root@bigboy tmp]# chkconfig httpd on
[root@bigboy tmp]# /etc/init.d/httpd start
[root@bigboy tmp]# /etc/init.d/httpd stop
[root@bigboy tmp]# /etc/init.d/httpd restart
30 General Configuration Steps
- The configuration file used by Apache is /etc/httpd/conf/httpd.conf in Redhat / Fedora distributions.
- It is /etc/apache/httpd.conf in Debian / Ubuntu distributions.
- As for most Linux applications, you must restart Apache before changes to this configuration file take effect.
31 Where To Put Web Pages
- All the statements that define the features of each web site are grouped together inside their own <VirtualHost> section, or container, in the httpd.conf file.
- The most commonly used statements, or directives, inside a <VirtualHost> container are:
- ServerName: Defines the name of the website managed by the <VirtualHost> container. This is needed in named virtual hosting only, as I'll explain soon.
- DocumentRoot: Defines the directory in which the web pages for the site can be found.
32 Where To Put Web Pages
- By default, Apache searches the DocumentRoot directory for an index, or home, page named index.html.
- For example, with a ServerName of www.my-site.com and a DocumentRoot directory of /home/www/site1/,
- Apache displays the contents of the file /home/www/site1/index.html when someone enters http://www.my-site.com in his browser.
33 The Default File Location
- By default, Apache expects to find all its web page files in the /var/www/html/ directory, with a generic DocumentRoot statement at the beginning of httpd.conf.
- Apache will display Web page files as long as they are world readable; all the files and subdirectories in DocumentRoot should have the correct permissions.
- Change the permissions on the /home/www directory to 755, which allows all users, including Apache's httpd daemon, to read the files inside.
34 Named Virtual Hosting
- Apache allows a Web server to host more than one site per IP address by using Apache's named virtual hosting feature.
- Use the NameVirtualHost directive in the /etc/httpd/conf/httpd.conf file to tell Apache which IP addresses will participate in this feature.
- The <VirtualHost> containers in the file then tell Apache where it should look for the Web pages used on each Web site.
- Admin must specify the IP address to which each <VirtualHost> container applies.
35 Named Virtual Hosting Example
ServerName localhost
NameVirtualHost 97.158.253.26

<VirtualHost *>
    DocumentRoot /home/www/site1
</VirtualHost>

<VirtualHost 97.158.253.26>
    DocumentRoot /home/www/site2
    ServerName www.my-site.com
    ServerAlias my-site.com www.my-cool-site.com
</VirtualHost>

<VirtualHost 97.158.253.26>
    DocumentRoot /home/www/site3
    ServerName www.test-site.com
</VirtualHost>

<VirtualHost 97.158.253.26>
    DocumentRoot /home/www/site4
    ServerName www.another-site.com
</VirtualHost>
36 Protect Web Page Directories With Passwords
- Use Apache's htpasswd password utility to create username/password combinations, independent of the system login password, for Web page access.
- Specify the location of the password file, and if it does not yet exist, include a -c, or create, switch on the command line.
- Place the file in the /etc/httpd/conf directory, away from the DocumentRoot tree where Web users could possibly view it.
37 htpasswd Example
[root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter
New password:
Re-type new password:
Adding password for user peter
[root@bigboy tmp]#
[root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul
New password:
Re-type new password:
Adding password for user paul
[root@bigboy tmp]#
38 Protect Web Page Directories With Passwords
- Make the .htpasswd file readable by all users.
- Create a .htaccess file in the directory to which you want password control, with these entries.
[root@bigboy tmp]# chmod 644 /etc/httpd/conf/.htpasswd
AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user peter
39 Protect Web Page Directories With Passwords
- Set the correct file protections on the new .htaccess file in the directory /home/www.
- Make sure your /etc/httpd/conf/httpd.conf file has an AllowOverride statement in a <Directory> directive for any directory in the tree above /home/www.
- In the example below, all directories below /var/www/ require password authorization.
[root@bigboy tmp]# chmod 644 /home/www/.htaccess
<Directory /home/www/>
    AllowOverride AuthConfig
</Directory>
40 Protect Web Page Directories With Passwords
- Make sure that there is a <VirtualHost> directive that defines access to /home/www or another directory higher up in the tree.
- Restart Apache.
<VirtualHost *>
    ServerName 97.158.253.26
    DocumentRoot /home/www
</VirtualHost>
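Slides 36 to 40 describe three conditions that all have to hold before the .htaccess protection works: the password file sits outside the DocumentRoot tree, the files are readable by the web server, and a <Directory> block covering the protected directory allows AuthConfig overrides. The POSIX shell example below is added here (it is not the slides' or Apache's own code) and checks those conditions against a constructed httpd.conf fragment; the directories it uses are the ones from the slides.

```shell
#!/bin/sh
# Added example, not from the original slides: check the three preconditions
# for .htaccess password protection described on slides 36-40. The
# httpd.conf fragment written by write_sample_httpd_conf is constructed here.

# Exit 0 if password file $1 lies outside document root $2 (slide 36 puts it
# in /etc/httpd/conf so web users can never fetch it).
htpasswd_outside_docroot() {
    root=${2%/}
    case "$1" in
        "$root"/*) return 1 ;;
        *)         return 0 ;;
    esac
}

# Print "<path> <AllowOverride value>" for every <Directory> block in
# httpd.conf ($1). Blocks without an AllowOverride line report "None",
# which is what Apache assumes when the directive is absent.
directory_overrides() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*<[Dd]irectory[[:space:]]/ {
            p = $2; sub(/>.*$/, "", p); gsub(/"/, "", p)
            inblock = 1; ov = "None"; next
        }
        inblock && tolower($1) == "allowoverride" {
            ov = $0; sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", ov)
        }
        /^[[:space:]]*<\/[Dd]irectory>/ { if (inblock) print p, ov; inblock = 0 }
    ' "$1"
}

# Exit 0 if a <Directory> block in httpd.conf ($1) at or above directory $2
# allows AuthConfig (or All) overrides, so a .htaccess placed in $2 is read.
htaccess_honoured() {
    dir=${2%/}
    directory_overrides "$1" | while read -r path ov; do
        path=${path%/}
        case "$dir" in
            "$path"|"$path"/*)
                case " $ov " in
                    *" AuthConfig "*|*" All "*) echo yes ;;
                esac ;;
        esac
    done | grep -q yes
}

# Exit 0 if file $1 is world-readable, the 644 mode the slides set with chmod.
# Apache only needs the httpd user to read it; 640 owned by that user's group
# would also work and exposes less.
world_readable() {
    [ -n "$(find "$1" -perm -o=r 2>/dev/null)" ]
}

# Write a constructed httpd.conf fragment to $1.
write_sample_httpd_conf() {
    cat > "$1" <<'EOF'
# Default tree: .htaccess files are ignored here
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

# Slide 39: let .htaccess carry authentication directives under /home/www
<Directory /home/www/>
    AllowOverride AuthConfig
</Directory>
EOF
}

conf=$(mktemp)
write_sample_httpd_conf "$conf"
htaccess_honoured "$conf" /home/www/private && echo "/home/www/private: .htaccess honoured"
htaccess_honoured "$conf" /var/www/html/secret || echo "/var/www/html/secret: .htaccess ignored"
rm -f "$conf"
```

Point htaccess_honoured at the real /etc/httpd/conf/httpd.conf to confirm that a new protected directory is actually covered; a .htaccess under a tree whose nearest <Directory> block says AllowOverride None is silently ignored, and the directory stays open.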
41 Linux firewall
- Linux uses iptables for firewall solutions.
- A router that will use NAT and port forwarding to both protect the home network and have another web server on the home network while sharing the public IP address of the firewall.
42 iptables Features
- Integration with the Linux kernel, with the capability of loading iptables-specific kernel modules designed for improved speed and reliability.
- Stateful packet inspection. This means that the firewall keeps track of each connection passing through it and in certain cases will view the contents of data flows in an attempt to anticipate the next action of certain protocols.
- Filtering packets based on a MAC address and the values of the flags in the TCP header.
43 iptables Features
- System logging that provides the option of adjusting the level of detail of the reporting.
- Network address translation.
- Support for transparent integration with such Web proxy programs as Squid.
- A rate limiting feature that helps iptables block some types of denial of service (DoS) attacks.
44 Start iptables
- Start iptables with:
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart
- Sample iptables command:
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
         --sport 1024:65535 --dport 80 -j ACCEPT
- Here iptables is being configured to allow the firewall to accept TCP packets for routing when they enter on interface eth0 from any IP address and are destined for the IP address 192.168.1.58, which is reachable via interface eth1.
- The source port is in the range 1024 to 65535 and the destination port is port 80.
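The FORWARD rule above only lets inbound web connections cross the router once they are already addressed to 192.168.1.58; on the NAT router described on slide 41 they arrive addressed to the public IP, so a DNAT rule and a rule for return traffic are needed as well. The shell script below is an added example, not the slides' own configuration, of the complete rule set for that router. It assumes eth0 is the public interface, eth1 the home LAN on 192.168.1.0/24, and it prints the commands instead of applying them unless IPT is set to the real iptables binary.

```shell
#!/bin/sh
# Added example, not from the original slides: rule set for the NAT and
# port-forwarding router of slide 41, built around the slide-44 FORWARD rule.
# Assumptions: eth0 faces the Internet, eth1 faces the home LAN
# 192.168.1.0/24, and 192.168.1.58 is the internal web server.
# IPT defaults to printing the commands; set IPT=iptables to apply them.
IPT=${IPT:-"echo iptables"}

# Emit the rules for public interface $1, LAN interface $2, LAN network $3
# and internal web server $4.
fw_rules() {
    ext=$1; int=$2; lan=$3; web=$4

    # Start clean and refuse to forward anything not explicitly allowed.
    $IPT -F
    $IPT -t nat -F
    $IPT -P FORWARD DROP

    # Stateful inspection (slide 42): packets belonging to a connection the
    # firewall has already accepted pass without a rule of their own.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Home network out to the Internet, hidden behind the public address.
    $IPT -A FORWARD -i "$int" -o "$ext" -s "$lan" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$ext" -s "$lan" -j MASQUERADE

    # Port forwarding: inbound web connections arrive addressed to the public
    # IP and are rewritten to the internal server before routing...
    $IPT -t nat -A PREROUTING -i "$ext" -p tcp --dport 80 \
         -j DNAT --to-destination "$web"
    # ...after which the slide-44 rule lets them cross into the LAN (source
    # port range written as 1024:65535, limited to new connections).
    $IPT -A FORWARD -s 0/0 -i "$ext" -d "$web" -o "$int" -p tcp \
         --sport 1024:65535 --dport 80 -m state --state NEW -j ACCEPT
}

# Number of iptables commands a rule set emits (meaningful in dry-run mode,
# where each command is echoed on its own line).
fw_rule_count() {
    fw_rules "$@" | grep -c '^iptables '
}

fw_rules eth0 eth1 192.168.1.0/24 192.168.1.58
```

Order matters: the FORWARD policy is set to DROP before any ACCEPT rule is added, so nothing is forwarded in the window between flushing and finishing, and the ESTABLISHED,RELATED rule comes first so every later rule only has to describe the first packet of a connection.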
45 Secure Remote Logins
- OpenSSH provides a number of ways to create encrypted remote terminal and file transfer connections between clients and servers.
- The OpenSSH Secure Copy (SCP) and Secure FTP (SFTP) programs are secure replacements for FTP.
- Secure Shell (SSH) is often used as a stealthy alternative to TELNET.
46 Starting OpenSSH
- OpenSSH is installed by default during Linux installations.
- SSH and SCP are part of the same application; they share the same configuration file and are governed by the same /etc/init.d/sshd startup script.
- Configure SSH to start at boot by using the chkconfig command when running Fedora.
[root@bigboy tmp]# chkconfig sshd on
47 The /etc/ssh/sshd_config File
- The SSH configuration file is called /etc/ssh/sshd_config. By default SSH listens on all NICs and uses TCP port 22.
- Start, stop, and restart SSH with the service command.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
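The comment quoted above means that a commented line in sshd_config documents a default rather than setting it, and only an uncommented line changes behaviour; sshd also takes the first uncommented occurrence of a keyword and ignores later ones. The POSIX shell example below is added here (it is not from the slides or from OpenSSH) to report the value of an option that is actually in effect in a constructed sshd_config, treating an absent Protocol setting as the "2,1" default shown in the slide's file.

```shell
#!/bin/sh
# Added example, not from the original slides: show which sshd_config options
# are actually in effect. Commented lines document defaults and change
# nothing; sshd uses the first uncommented occurrence of a keyword.
# The sample files written below are constructed for the demonstration.

# Print the effective value of keyword $2 in sshd_config $1, or "(default)"
# when no uncommented line sets it. Keywords are case-insensitive.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == key {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; found = 1; exit
        }
        END { if (!found) print "(default)" }' "$1"
}

# Exit 0 if the file leaves SSH protocol version 1 enabled. The shipped
# file on the slide shows "#Protocol 2,1", so an absent setting counts as
# both versions enabled.
sshd_protocol1_enabled() {
    proto=$(sshd_effective "$1" Protocol)
    if [ "$proto" = "(default)" ]; then proto="2,1"; fi
    case ",$proto," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Write the slide's commented defaults to $1, followed by the uncommented
# lines given as the remaining arguments.
write_sample_sshd_config() {
    out=$1; shift
    cat > "$out" <<'EOF'
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
EOF
    for line in "$@"; do
        printf '%s\n' "$line" >> "$out"
    done
}

f=$(mktemp)
write_sample_sshd_config "$f" "Protocol 2" "ListenAddress 192.168.1.1"
for key in Port Protocol ListenAddress; do
    echo "$key: $(sshd_effective "$f" "$key")"
done
sshd_protocol1_enabled "$f" && echo "protocol 1 still enabled" || echo "protocol 2 only"
rm -f "$f"
```

Running sshd_effective against the real /etc/ssh/sshd_config after an edit is a quick way to confirm that the line you changed was the uncommented one and not a second, later copy of the same keyword that sshd never reads.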
48 Other Linux services
- NTP
- Sendmail
- DNS
- MRTG
- Network File System (NFS)
- Etc.