Linux Services - PowerPoint PPT Presentation

1 / 48
About This Presentation
Title:

Linux Services

Description:

Use Apache's htpasswd password utility to create username/password combinations ... sport 1024:65535 --dport 80 -j ACCEPT. 45. Secure Remote Logins ... – PowerPoint PPT presentation

Number of Views:63
Avg rating:3.0/5.0
Slides: 49
Provided by: SirakNo
Category:
Tags: linux | services

less

Transcript and Presenter's Notes

Title: Linux Services


1
Linux Services
  • Sirak Kaewjamnong

2
Linux DHCP Server
  • DHCP is an IP address dynamically assigned from
    DHCP server.
  • PC client will most likely get its IP address at
    boot time from the home router instead
  • The DHCP server RPM's filename usually starts
    with the word dhcp followed by a version number
  • dhcp-3.0.1rc14-1.i386.rpm.

3
The /etc/dhcpd.conf File
  • When DHCP starts, it reads the file
    /etc/dhcpd.conf.
  • The standard DHCP RPM package doesn't
    automatically install a /etc/dhcpd.conf file, but
    a sample copy of dhcpd.conf is in the following
    directory
  • /usr/share/doc/dhcp-ltversion-numbergt/dhcpd.conf.sa
    mple

4
/etc/dhcpd.conf example file
  • ddns-update-style interim
  • ignore client-updates
  • subnet 172.27.21.0 netmask 255.255.255.0
  • --- default gateway
  • option routers
    172.27.21.254
  • option subnet-mask
    255.255.255.0
  • option nis-domain
    "cp.su.ac.th"
  • option domain-name
    "cp.su.ac.th"
  • option domain-name-servers
    202.28.72.66
  • option domain-name-servers
    202.44.135.9
  • option time-offset -18000
    Eastern Standard Time
  • option netbios-node-type 2
  • range dynamic-bootp 172.27.21.200
    172.27.21.250
  • default-lease-time 21600

5
How to get DHCP started
  • Use the chkconfig command to get DHCP configured
    to start at boot
  • Use the service command to instruct the
    /etc/init.d/dhcpd script to start/stop/restart
    DHCP after booting

root_at_bigboy tmp chkconfig dhcpd on
root_at_bigboy tmp service dhcpd
start root_at_bigboy tmp service dhcpd
stop root_at_bigboy tmp service dhcpd restart
6
SAMBA
  • Samba is a suite of utilities that allows your
    Linux server to share files and other resources,
    such as printers, with Windows clients.

7
Get SMB started
  • Configure Samba to start at boot time using the
    chkconfig command
  • Start/stop/restart Samba after boot time using
    the smb initialization script as in the examples
    below
  • Note Unlike many Linux packages, Samba does not
    need to be restarted after changes have been made
    to its configuration file, as it is read after
    the receipt of every client request.

root_at_bigboy tmp chkconfig smb on
root_at_bigboy tmp service smb start root_at_bigboy
tmp service smb stop root_at_bigboy tmp service
smb restart
8
The Samba Configuration File

The /etc/samba/smb.conf file is the main
configuration
Section Description
global General Samba configuration parameters
printers Used for configuring printers
homes Defines treatment of user logins
netlogon A share for storing logon scripts. (Not created by default.)
profile A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)
9
Samba's SWAT web interface
  • SWAT, Samba's web based configuration tool to
    enables smb.conf file without needing to
    remember all the formatting.
  • Each SWAT screen is actually a form that covers a
    separate section of the smb.conf file into which
    admin fill in the desired parameters, each
    parameter box has its own online help

10
Samba SWAT Main Menu
11
Basic SWAT Setup
  • Root must always remember that SWAT edits the
    smb.conf file but also strips out any comments
    that may have manually entered into it
    beforehand.
  • The original Samba smb.conf file has many
    worthwhile comments in it, you should save a copy
    as a reference before proceeding with SWAT.
  • For example, you could save the original file
    with the name /etc/samba/smb.conf.original

root_at_tmp cp /etc/samba/smb.conf
/etc/samba/smb.conf.original
12
Basic SWAT Setup
  • The enabling and disabling, starting and stopping
    of SWAT is controlled by xinetd via a
    configuration file named /etc/xinetd.d/swat

service swat port 901
socket_type stream protocol
tcp wait no user
root server /usr/sbin/swat
log_on_failure USERID disable
no only_from localhost
13
Basic SWAT Setup
  • The disable parameter must be set to no to accept
    connections. This can automatically be switched
    between yes and no.
  • The default configuration only allows SWAT web
    access from the VGA console only as user root on
    port 901 with the Linux root password.
  • This means root have to enter "http//127.0.0.190
    1" in browser to get the login screen.
  • root can make SWAT accessible from other servers
    by adding IP address entries to the only_from
    parameter of the SWAT configuration file.
  • An example of an entry to allow connections only
    from 192.168.1.3 and localhost.

only_from localhost 192.168.1.3
14
Controlling SWAT
  • Same as all xinetd-controlled applications, the
    chkconfig command automatically modifies the
    disable field accordingly in the configuration
    file and activates the change.
  • Before SWAT can be used, the xinetd program which
    controls it must be activated in advance.
  • You can start/stop/restart xinetd after boot time
    using the xinetd initialization

15
xinetd Programs
  • Many network enabled Linux applications do not
    rely on themselves to provide restricted access
    or bind to a particular TCP port
  • instead they often offload a lot of this work to
    a program suite made just for this purpose,
    xinetd
  • The xinetd RPM is installed by default in Fedora
    Linux and uses /etc/xinetd.conf as its main
    configuration file

16
Controlling xinetd
  • The starting and stopping of the xinetd daemon is
    controlled by the by scripts in the /etc/init.d
    directory and it is behavior at boot time is
    controlled by chkconfig.
  • You can start/stop/restart xinetd after booting
    by using the following commands
  • To get xinetd configured to start at boot you can
    use the chkconfig command.

root_at_bigboy tmp service xinetd
start root_at_bigboy tmp service xinetd
stop root_at_bigboy tmp service xinetd restart
root_at_bigboy tmp chkconfig xinetd on
17
Controlling xinetd-Managed Applications
  • Xinetd-managed applications all store their
    configuration files in the /etc/xinetd.d
    directory.
  • Each configuration file has a disable statement
    that can set to yes or no. This governs whether
    xinetd is allowed to start them or not.
  • You don't have to edit these files to activate or
    deactivate the application. The chkconfig command
    does that automatically will also stops or starts
    the application accordingly too

18
Telnet
  • Telnet is a program that allows users to log into
    server and get a command prompt just as if they
    were logged into the VGA console.
  • The Telnet server RPM is installed and disabled
    by default on Fedora Linux.
  • One of the disadvantages of Telnet is that the
    data is sent as clear text.
  • A more secure method for remote logins would be
    via Secure Shell (SSH) which uses varying degrees
    of encryption.
  • The older Telnet application remains popular.
    Many network devices don't have SSH clients,
    making telnet the only means of accessing other
    devices and servers from them

19
Installing The Telnet Server Software
  • Older versions of RedHat had the Telnet server
    installed by default. Fedora Linux does not
  • you will have to install it yourself.
  • Most Linux software products are available in a
    precompiled package format. Downloading and
    installing packages
  • When searching for the file, the Telnet server
    RPM's filename usually starts with the word
    "telnet-server" followed by a version number as
    in telnet-server-0.17-28.i386.rpm.

20
Setting Up A Telnet Server
  • To set up a Telnet server use the chkconfig
    command to activate Telnet.
  • Use the chkconfig command to deactivate telnet,
    even after the next reboot.

root_at_bigboy tmp chkconfig telnet on
root_at_bigboy tmp chkconfig telnet off
21
Let Telnet Listen On Another TCP Port
  • Letting telnet run on an alternate TCP port does
    not encrypt the traffic, but it makes it less
    likely to be detected as telnet traffic.
  • Remember that this is not a foolproof strategy
    good port scanning programs can detect telnet and
    other applications running on alternative ports.

22
Let Telnet Listen On Another TCP Port
  • Edit /etc/services file and add an entry for a
    new service. Call it stelnet.
  • Copy the telnet configuration file called
    /etc/xinetd.d/telnet and call it
    /etc/xinetd.d/stelnet

Local services stelnet 7777/tcp
"secure" telnet
root_at_bigboy tmp cp /etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
23
Let Telnet Listen On Another TCP Port
  1. Edit the new /etc/xinetd.d/stelnet file. Make the
    new service stelnet and add a port statement for
    TCP port 7777.
  2. Use chkconfig to activate stelnet.

default on description The telnet server
serves telnet sessions unencrypted
username/password pairs for authentication. servic
e stelnet flags REUSE
socket_type stream wait
no user root server
/usr/sbin/in.telnetd log_on_failure
USERID disable no port
7777
root_at_bigboy tmp chkconfig stelnet on
24
Let Telnet Allow Connections From Trusted
Addresses
  • Root can restrict telnet logins access to
    individual remote servers by using the only_from
    keyword in the telnet configuration file.
  • Add a list of trusted servers to the
    /etc/xinetd.d/telnet file separated by spaces
  • Restart telnet by

service telnet flags REUSE
socket_type stream wait
no user root server
/usr/sbin/in.telnetd
log_on_failure USERID disable
no only_from 192.168.1.100
127.0.0.1 192.168.1.200
chkconfig telnet off chkconfig telnet on
25
Linux FTP
  • The File Transfer Protocol (FTP) is used as one
    of the most common means of copying files between
    servers over the Internet.
  • Most web based download sites use the built in
    FTP capabilities of web browsers and therefore
    most server oriented operating systems usually
    include an FTP server application as part of the
    software suite.
  • Fedora linux ftp sever using default Very Secure
    FTP Daemon (VSFTPD) package

26
FTP overview
  • FTP relies on a pair of TCP ports to get the job
    done. It operates in two connection channels
  • FTP Control Channel, TCP Port 21 All commands
    send and the ftp server's responses to those
    commands will go over the control connection.
  • FTP Data Channel, TCP Port 20 This port is used
    for all subsequent data transfers between the
    client and server.

27
How To Get VSFTPD Started
  • With Fedora, Redhat, Ubunbtu and Debian You can
    start, stop, or restart VSFTPD after booting by
    using these commands
  • With Redhat / Fedora you can configure VSFTPD to
    start at boot you can use the chkconfig command.

root_at_bigboy tmp /etc/init.d/vsftpd
start root_at_bigboy tmp /etc/init.d/vsftpd
stop root_at_bigboy tmp /etc/init.d/vsftpd restart
root_at_bigboy tmp chkconfig vsftpd on
28
The Apache Web Server
  • Apache is probably the most popular Linux-based
    Web server application in use.
  • When searching for the file, the Redhat / Fedora
    Apache RPM package's filename usually starts with
    the word httpd followed by a version number, as
    in httpd-2.0.48-1.2.rpm

29
Get Apache started
  • Use the chkconfig command to configure Apache to
    start at boot
  • Use the httpdltcodegt init script in the
    ltcodegt/etc/init.d directory to start,stop, and
    restart Apache after booting

root_at_bigboy tmp chkconfig httpd on
root_at_bigboy tmp /etc/init.d/httpd
start root_at_bigboy tmp /etc/init.d/httpd
stop root_at_bigboy tmp /etc/init.d/httpd restart
30
General Configuration Steps
  • The configuration file used by Apache is
    /etc/httpd/conf/httpd.conf in Redhat / Fedora
    distributions
  • /etc/apache/httpd.conf in Debian / Ubuntu
    distributions.
  • As for most Linux applications, you must restart
    Apache before changes to this configuration file
    take effect

31
Where To Put Web Pages
  • All the statements that define the features of
    each web site are grouped together inside their
    own ltVirtualHostgt section, or container, in the
    httpd.conf file.
  • The most commonly used statements, or directives,
    inside a ltVirtualHostgt container are
  • servername Defines the name of the website
    managed by the ltVirtualHostgt container. This is
    needed in named virtual hosting only, as I'll
    explain soon.
  • DocumentRoot Defines the directory in which the
    web pages for the site can be found.

32
Where To Put Web Pages
  • By default, Apache searches the DocumentRoot
    directory for an index, or home, page named
    index.html.
  • Example, if a servername of www.my-site.com with
    a DocumentRoot directory of
  • /home/www/site1/
  • Apache displays the contents of the file
    /home/www/site1/index.html when someone enter
    http//www.my-site.com in his browser.

33
The Default File Location
  • By default, Apache expects to find all its web
    page files in the /var/www/html/ directory with
    a generic DocumentRoot statement at the beginning
    of httpd.conf
  • Apache will display Web page files as long as
    they are world readable, all the files and
    subdirectories in DocumentRoot should have the
    correct permissions
  • Change the permissions on the /home/www directory
    to 755, which allows all users, including the
    Apache's httpd daemon, to read the files inside.

34
Named Virtual Hosting
  • Apache allow to make Web server host more than
    one site per IP address by using Apache's named
    virtual hosting feature.
  • Use the NameVirtualHost directive in the
    /etc/httpd/conf/httpd.conf file to tell Apache
    which IP addresses will participate in this
    feature.
  • The ltVirtualHostgt containers in the file then
    tell Apache where it should look for the Web
    pages used on each Web site.
  • Admin must specify the IP address for which each
    ltVirtualHostgt container applies.

35
Named Virtual Hosting Example
ServerName localhost NameVirtualHost
97.158.253.26 ltVirtualHost gt DocumentRoot
/home/www/site1 lt/VirtualHostgt ltVirtualHost
97.158.253.26gt DocumentRoot /home/www/site2
ServerName www.my-site.com ServerAlias
my-site.com, www.my-cool-site.com lt/VirtualHostgt
ltVirtualHost 97.158.253.26gt DocumentRoot
/home/www/site3 ServerName www.test-site.com lt/
VirtualHostgt ltVirtualHost 97.158.253.26gt
DocumentRoot /home/www/site4 ServerName
www.another-site.com lt/VirtualHostgt
36
Protect Web Page Directories With Passwords
  • Use Apache's htpasswd password utility to create
    username/password combinations independent of
    system login password for Web page access.
  • Specify the location of the password file, and if
    it does not yet exist, should include a -c, or
    create, switch on the command line.
  • Placing the file in /etc/httpd/conf directory,
    away from the DocumentRoot tree where Web users
    could possibly view it.

37
htpasswd Example
root_at_bigboy tmp htpasswd -c /etc/httpd/conf/.ht
passwd peter New password Re-type new
password Adding password for user
peter root_at_bigboy tmp root_at_bigboy tmp
htpasswd /etc/httpd/conf/.htpasswd paul New
password Re-type new password Adding password
for user paul root_at_bigboy tmp
38
Protect Web Page Directories With Passwords
  • Make the .htpasswd file readable by all users.
  • Create a .htaccess file in the directory to which
    you want password control with these entries.

root_at_bigboy tmp chmod 644 /etc/httpd/conf/.htpa
sswd
AuthUserFile /etc/httpd/conf/.htpasswd AuthGroupFi
le /dev/null AuthName EnterPassword AuthType
Basic require user peter
39
Protect Web Page Directories With Passwords
  • Set the correct file protections on new .htaccess
    file in the directory /home/www.
  • Make sure your /etc/httpd/conf/http.conf file has
    an AllowOverride statement in a ltDirectorygt
    directive for any directory in the tree above
    /home/www.
  • In this example below, all directories below
    /var/www/ require password authorization.

root_at_bigboy tmp chmod 644 /home/www/.htaccess
ltDirectory /home/www/gt AllowOverride
AuthConfig lt/Directorygt
40
Protect Web Page Directories With Passwords
  • Make sure that a ltVirtualHostgt directive that
    defines access to /home/www or another directory
    higher up in the tree.
  • Restart Apache

ltVirtualHost gt ServerName 97.158.253.26
DocumentRoot /home/www lt/VirtualHostgt
41
Linux firewall
  • Linux uses iptable for firewall solutions
  • A router that will use NAT and port forwarding to
    both protect home network and have another web
    server on home network while sharing the public
    IP address of firewall

42
iptable Features
  • Integration with the Linux kernel with the
    capability of loading iptables-specific kernel
    modules designed for improved speed and
    reliability.
  • Stateful packet inspection. This means that the
    firewall keeps track of each connection passing
    through it and in certain cases will view the
    contents of data flows in an attempt to
    anticipate the next action of certain protocols.
  • Filtering packets based on a MAC address and the
    values of the flags in the TCP header.

43
iptable Features
  • System logging that provides the option of
    adjusting the level of detail of the reporting.
  • Network address translation.
  • Support for transparent integration with such Web
    proxy programs as Squid.
  • A rate limiting feature that helps iptables block
    some types of denial of service (DoS) attacks

44
Start iptable
  • Start iptable with
  • Sample of iptable command
  • iptables is being configured to allow the
    firewall to accept TCP packets for routing when
    they enter on interface eth0 from any IP address
    and are destined for an IP address of
    192.168.1.58 that is reachable via interface
    eth1.
  • The source port is in the range 1024 to 65535 and
    the destination port is port 80

root_at_bigboy tmp service iptables
start root_at_bigboy tmp service iptables
stop root_at_bigboy tmp service iptables restart
iptables -A FORWARD -s 0/0 -i eth0 -d
192.168.1.58 -o eth1 -p TCP \ --sport
102465535 --dport 80 -j ACCEPT
45
Secure Remote Logins
  • OpenSSH, which provides a number of ways to
    create encrypted remote terminal and file
    transfer connections between clients and servers.
  • The OpenSSH Secure Copy (SCP) and Secure FTP
    (SFTP) programs are secure replacements for FTP,
  • Secure Shell (SSH) is often used as a stealthy
    alternative to TELNET

46
Starting OpenSSH
  • OpenSSH is installed by default during Linux
    installations
  • SSH and SCP are part of the same application,
    they share the same configuration file and are
    governed by the same /etc/init.d/sshd startup
    script
  • configure SSH to start at boot by using the
    chkconfig command when running Fedora

root_at_bigboy tmp chkconfig sshd on
47
The /etc/ssh/sshd_config File
  • The SSH configuration file is called
    /etc/ssh/sshd_config. By default SSH listens on
    all NICs and uses TCP port 22.
  • start, stop, and restart SSH with service comand

The strategy used for options in the default
sshd_config shipped with OpenSSH is to specify
options with their default value where
possible, but leave them commented. Uncommented
options change a default value. Port
22 Protocol 2,1 ListenAddress
0.0.0.0 ListenAddress
48
Other Linux services
  • NTP
  • Sendmail
  • DNS
  • MRTG
  • Network File System (NFS)
  • Etc.
Write a Comment
User Comments (0)
About PowerShow.com