
Study Guide for

Linux System Administration II


Lab work for LPI 102
released under the GFDL by LinuxIT
Copyright (c) 2005 LinuxIT.

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with the Invariant Sections being History, Acknowledgements, with the
Front-Cover Texts being "released under the GFDL by LinuxIT".
See the full GFDL license agreement on p. 137.
LinuxIT Technical Education Centre
Introduction:
Acknowledgements
The original material was made available by LinuxIT's technical training centre
www.linuxit.com. Many thanks to Andrew Meredith for suggesting the idea in the first
place. A special thanks to all the students who have helped dilute the technical aspects of
Linux administration through their many questions; this has led to the inclusion of more
illustrations attempting to introduce concepts in a user-friendly way. Finally, many thanks
to Paul McEnery for the technical advice and for starting off some of the most difficult
chapters such as the ones covering the X server (101), modems (102), security (102) and
the Linux kernel (102).
The manual is available online at http://savannah.nongnu.org/projects/lpi-manuals/. Thank
you to the Savannah Volunteers for assessing the project and providing us with the Web
space.
History
First release (version 0.0) October 2003. Reviewed by Adrian Thomasset.
Second release (revision 1) January 2003. Reviewed by Andrew Meredith.
Release (version 1.1.test) March 2004. Reviewed by Adrian Thomasset.
Reviewed in January-June 2005 by Adrian Thomasset.
Audience
This course is designed as a 3 to 4 day practical course preparing for the LPI 102 exam.
It is recommended that candidates have at least one year's experience doing Linux
administration professionally. However, for those who are ready for a challenge, the
training is designed to provide as much insight and examples as possible to help
non-specialists understand the basic concepts and command sets which form the core of Linux
computing.
The LPI Certification Program
There are currently two LPI certification levels. The first level, LPIC-1, is granted after
passing both exams LPI 101 and LPI 102. Similarly, passing the LPI 201 and LPI 202
exams will grant the second level certification, LPIC-2.
There are no pre-requisites for LPI 101 and 102. However, the exams for LPIC-2 can only
be attempted once LPIC-1 has been obtained.

Exam Registration
_____________________________________________________________________
iii
In order to register for an LPI exam you first need to get a unique LPI ID at www.lpi.org. You
will also need to register with one of the testing organisations such as www.vue.com or
www.prometric.com.
No Guarantee
The manual comes with no guarantee at all.
Resources
www.lpi.org
www.linux.praxis.de
www.lpiforums.com
www.tldp.org
www.fsf.org
www.linuxit.com
Notations
Commands and filenames will appear in the text in bold.
The <> symbols are used to indicate a non-optional argument.
The [] symbols are used to indicate an optional argument.
Commands that can be typed directly in the shell are highlighted as below
command
or
command
Contents
The Linux Kernel ... 1
  1. Kernel Concepts ... 2
  2. The Modular Kernel ... 3
  3. Routine Kernel Recompilation ... 5
  4. Exercises and Summary ... 11
Booting Linux ... 14
  1. Understanding Runlevels ... 15
  2. Services and Runtime Control Scripts ... 16
  3. The joys of inittab ... 18
  4. LILO and GRUB ... 19
  5. From boot to bash ... 22
  6. Exercises and Summary ... 24
Managing Groups and Users ... 26
  1. Creating new users ... 27
  2. Working with groups ... 28
  3. Configuration files ... 30
  4. Command options ... 32
  5. Modifying accounts and default settings ... 32
  6. Exercises and Summary ... 34
Network Configuration ... 36
  1. The Network Interface ... 37
  2. Host Information ... 38
  3. Stop and Start Networking ... 39
  4. Routing ... 40
  5. Common Network Tools ... 42
  6. Exercises and Summary ... 45
TCP/IP Networks ... 48
  1. Binary Numbers and the Dotted Quad ... 49
  2. Broadcast Address, Network Address and Netmask ... 49
  3. Network Classes ... 51
  4. Classless Subnets ... 52
  5. The TCP/IP Suite ... 53
  6. TCP/IP Services and Ports ... 54
  7. Exercises and Summary ... 56
Network Services ... 57
  1. The inetd daemon (old) ... 58
  2. The xinetd Daemon ... 59
  3. Telnet and FTP ... 60
  3. TCP wrappers ... 61
  4. Setting up NFS ... 62
  5. SMB and NMB ... 64
  6. DNS services ... 66
  7. Sendmail main Configuration ... 71
  8. The Apache server ... 73
  9. Exercises and Summary ... 74
Bash Scripting ... 78
  1. The bash environment ... 79
  2. Scripting Essentials ... 81
  3. Logical evaluations ... 82
  4. Flow Control and Loops ... 83
  5. Expecting user input ... 85
  6. Working with Numbers ... 85
  7. Exercises and Summary ... 86
Basic Security ... 88
  1. Local Security ... 89
  2. Network Security ... 91
  3. The Secure Shell ... 95
  4. Time Configuration ... 97
  5. Exercises and Summary ... 100
Linux System Administration ... 102
  1. Logfiles and configuration files ... 103
  2. Log Utilities ... 105
  3. Automatic Tasks ... 106
  4. Backups and Compressions ... 108
  5. Documentation ... 110
  6. Exercises and Summary ... 114
The Linux Kernel
Prerequisites
Understand shell tools and commands (see LPI 101)
Experience compiling and installing software from source (see LPI 101)
Goals
Manage Linux kernel modules
Configure the kernel source
Compile and install a kernel
Contents
The Linux Kernel ... 1
  1. Kernel Concepts ... 2
  2. The Modular Kernel ... 3
  3. Routine Kernel Recompilation ... 5
    3.1 Source extraction ... 5
    3.2 Kernel Configuration ... 6
    3.3 Kernel Compilation ... 7
    3.4 Installing a New Kernel ... 8
    3.5 The full kernel version ... 9
    3.5 Initial Ramdisks ... 9
    3.6 Optional ... 10
    3.7 Re-installing LILO ... 10
  4. Exercises and Summary ... 11
1. Kernel Concepts
The two different types of Linux kernel are:
A) Monolithic
A monolithic kernel is one which has support for all hardware, network, and filesystem
compiled into a single image file.
B) Modular
A modular kernel is one which has some drivers compiled as object files, which the kernel can load
and remove on demand. Loadable modules are kept in /lib/modules.
The advantage of a modular kernel is that it doesn't always need to be recompiled when hardware is added
or replaced on the system. Monolithic kernels boot slightly faster than modular kernels, but do not
outperform the modular kernel.
2. The Modular Kernel
Many components of the Linux kernel may be compiled as modules which the kernel can dynamically load
and remove as required.
The modules for a particular kernel are stored in /lib/modules/<kernel-version>.
The best components to modularise are ones not required at boot time, for example peripheral devices
and supplementary file systems.
Kernel modules are controlled by utilities supplied by the modutils package:
lsmod      list currently loaded modules
rmmod      remove a single module
insmod     insert a single module
modprobe   insert a module and the dependencies listed in modules.dep
modinfo    list information about the author, license type and module parameters
Many modules are dependent on the presence of other modules. A flat file database of module
dependencies, /lib/modules/<kernel-version>/modules.dep, is generated by the depmod command. This
command is run at boot time (for example by the rc.sysinit script).
-- modprobe will load any module and the dependent modules listed in modules.dep (or conf.modules).
Search for example for modules that will be loaded at the same time as tvaudio:
grep tvaudio /lib/modules/kernel-version/modules.dep
/lib/modules/kernel-version/kernel/drivers/media/video/tvaudio.o: \
/lib/modules/kernel-version/kernel/drivers/i2c/i2c-core.o
This means that the module i2c-core.o will also be loaded when using modprobe. This dependency is also
apparent when listing the module with lsmod:
lsmod
Module Size Used by Not tainted
tvaudio 16796 0 (unused)
i2c-core 19236 0 [tvaudio]
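The dependency resolution that modprobe performs from modules.dep, written out as a small POSIX shell script. This is an added example; it is not part of the LinuxIT manual nor of the modutils package. It works on a constructed extract of a modules.dep file (same format as the tvaudio record above, including the backslash continuations), prints the direct dependencies of a module, and derives the order in which modprobe would insert the module stack and the reverse order in which rmmod would have to remove it. The function names are ours; it goes slightly beyond the page in that it also accepts the .ko suffix of 2.6 kernels. To compare with a real tree, pass the contents of /lib/modules/$(uname -r)/modules.dep as the first argument instead of the sample.

```shell
#!/bin/sh
# Added example (not from the LinuxIT manual or modutils): resolve module
# dependencies from a modules.dep file the way modprobe does.

# Constructed extract in /lib/modules/<kernel-version>/modules.dep format.
# Each record is "<module path>: <dependency paths>"; long records are
# continued with a trailing backslash, as in the tvaudio example above.
SAMPLE_MODULES_DEP='/lib/modules/kernel-version/kernel/drivers/media/video/tvaudio.o: \
/lib/modules/kernel-version/kernel/drivers/i2c/i2c-core.o
/lib/modules/kernel-version/kernel/drivers/media/video/bttv.o: \
/lib/modules/kernel-version/kernel/drivers/media/video/videodev.o \
/lib/modules/kernel-version/kernel/drivers/i2c/i2c-core.o \
/lib/modules/kernel-version/kernel/drivers/media/video/tvaudio.o
/lib/modules/kernel-version/kernel/drivers/i2c/i2c-core.o:
/lib/modules/kernel-version/kernel/drivers/media/video/videodev.o:
/lib/modules/kernel-version/kernel/drivers/net/e100.o:'

# Join backslash-continued lines so that every record sits on one line.
flatten_dep() {
    printf '%s\n' "$1" | awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
               { print buf $0; buf = "" }'
}

# Print the short names of the modules that <module> depends on directly.
# Paths are reduced to their basename and the .o (2.4) or .ko (2.6) suffix
# is dropped, so ".../i2c/i2c-core.o" is reported as "i2c-core".
# Usage: direct_deps "<modules.dep text>" <module>
direct_deps() {
    flatten_dep "$1" | awk -v mod="$2" '
        function short(path,    parts, n) {
            n = split(path, parts, "/")
            sub(/\.k?o:?$/, "", parts[n])
            return parts[n]
        }
        NF == 0 || short($1) != mod { next }
        { for (i = 2; i <= NF; i++) print short($i) }'
}

# Order in which modprobe inserts the stack for <module>: every dependency
# before the module that needs it, each module listed once. This is the
# recursion over modules.dep; the real tool additionally honours the aliases
# and options in /etc/modules.conf, which this example does not read.
# Usage: load_order "<modules.dep text>" <module>   -> space-separated list
load_order() {
    _lo_seen=""
    _lo_visit "$1" "$2"
    printf '%s\n' "${_lo_seen# }"
}

_lo_visit() {
    case " $_lo_seen " in *" $2 "*) return 0 ;; esac
    for _lo_dep in $(direct_deps "$1" "$2"); do
        _lo_visit "$1" "$_lo_dep"
    done
    _lo_seen="$_lo_seen $2"
}

# rmmod refuses a module that other loaded modules still refer to, so a
# stack is removed in the reverse of its load order.
unload_order() {
    load_order "$1" "$2" |
        awk '{ for (i = NF; i > 0; i--) printf "%s%s", $i, (i > 1 ? " " : "\n") }'
}

# Stand-alone demonstration on the constructed data.
printf 'modprobe bttv would load: %s\n' "$(load_order "$SAMPLE_MODULES_DEP" bttv)"
printf 'rmmod order for bttv:     %s\n' "$(unload_order "$SAMPLE_MODULES_DEP" bttv)"
```

For tvaudio the script reports the single dependency i2c-core, matching the grep above; for the constructed bttv record it shows why lsmod lists i2c-core as used by several modules and why it can only be removed last.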

-- /etc/modules.conf is consulted for module parameters (IRQ and IO ports) but most often contains a list
of aliases. These aliases allow applications to refer to a device using a common name. For example the first
ethernet device is always referred to as eth0 and not by the name of the particular driver.
Sample /etc/modules.conf file
alias eth0 e100
alias usb-core usb-uhc
alias sound-slot-0 i810_audio
alias char-major-108 ppp_generic
alias ppp-compress-18 ppp_mppe
# 100Mbps full duplex
options eth0 e100_speed_duplex=4
-- modinfo will give information about modules.
modinfo tvaudio
filename: /lib/modules/kernel-version/kernel/drivers/media/video/tvaudio.o
description: "device driver for various i2c TV sound decoder / audiomux chips"
author: "Eric Sandeen, Steve VanDeBogart, Greg Alexander, Gerd Knorr"
license: "GPL"
parm: debug int
parm: probe short array (min = 1, max = 48), description "List of
adapter,address pairs to scan additionally"
parm: probe_range short array (min = 1, max = 48), description "List of
adapter,start-addr,end-addr triples to scan additionally"
parm: ignore short array (min = 1, max = 48), description "List of
adapter,address pairs not to scan"
parm: ignore_range short array (min = 1, max = 48), description "List
of adapter,start-addr,end-addr triples not to scan"
parm: force short array (min = 1, max = 48), description "List of
adapter,address pairs to boldly assume to be present"
parm: tda9874a_SIF int
parm: tda9874a_AMSEL int
parm: tda9874a_STD int
parm: tda8425 int
parm: tda9840 int
To get information only about parameter options use modinfo -p; to get information about the license type
use modinfo -l, etc.
-- kmod is a mechanism that allows the kernel to automatically load modules as needed (one seldom needs
to insert modules manually). This is in fact a statically compiled (resident) module that needs to be
configured before compiling the kernel. The command used by the kernel to load the modules is defined in
/proc/sys/kernel/modprobe.

3. Routine Kernel Recompilation
3.1 Source extraction
The kernel source is stored in the /usr/src/linux directory tree, which is a symbolic link to the
/usr/src/kernel-version/ directory. When extracting a new kernel source archive it is recommended to:

remove the symbolic link to the old kernel source directory tree
rm linux
Kernel sources which have been packaged as an RPM often create a link called linux-2.4.
extract the new source archive (e.g. linux-2.4.20.tar.bz2)
tar xjf linux-2.4.20.tar.bz2
Note: The archived 2.2 series kernels create a directory called linux instead of linux-version. This is
why the first step is important, otherwise you may overwrite an old source tree with the new one. Since
kernel 2.4 the name of the directory is linux-version.
create a symbolic link called linux from the newly created directory
ln -s linux-2.4.20 linux
The kernel is almost ready to be configured now, but first we need to make sure that all old binary files
are cleared out of the source tree, and this is done with the make mrproper command.
Warning: this command will also delete the kernel configuration file .config discussed later.
cd /usr/src/linux
make mrproper
Note: mrproper is a Scandinavian brand of cleaner that gets things "cleaner than clean"; it is one step
beyond "make clean".
3.2 Kernel Configuration
First edit the Makefile and make sure that the "EXTRAVERSION" variable is different from the existing
version:
VERSION = 2
PATCHLEVEL = 4
SUBLEVEL = 20
EXTRAVERSION = -test
The kernel is now ready to be configured. This essentially means creating a configuration file called .config.
This is done from the kernel source tree directory /usr/src/linux with any of the following:
make menuconfig
make xconfig
make config
All these methods will save the configuration file as /usr/src/linux/.config

It is often easier to configure a new kernel using an older .config file by using the make oldconfig
command. This will prompt the user only for new features in the kernel source tree (if the kernel is newer or
has been patched).
Notice: Some distributions such as RedHat have a configs subdirectory containing files to be used as
.config files with predefined configurations.
To enable kernel features (with make menuconfig) you will enter the top level category by moving with the
arrow keys and pressing enter to access the desired category. Once in the particular category, pressing the
space bar will change the kernel support for a feature or driver.
Possible support types are:
supported (statically compiled)   [*]
modular (dynamically compiled)    [M]
not supported                     [ ]
The same choices are available with the other menu editors config and xconfig.
Troubleshooting: The make menuconfig target needs the ncurses header files. These are provided by
the ncurses-devel package and must be installed for this target to work.
Fig 2: The make xconfig top level menu:
3.3 Kernel Compilation
make clean
The make command gets instructions from the Makefile and will build what is needed. If some files are
already present make will use them as is, in particular files with *.o extensions. To make sure that all the
configuration options in .config are used to rebuild the files needed one has to run make clean (this deletes
*.o files).
Notice: you do not need to do "make clean" at this stage if you already prepared the source directory with
"make mrproper".
make dep
Once the kernel configuration is complete, it is necessary to reflect these choices in all the subdirectories of
the kernel source tree. This is done with the make dep command. The files named .depend containing
paths to header files present in the kernel source tree (/usr/src/linux/include) are generated this way.
The kernel itself is compiled with one of the commands:

make zImage
make bzImage
When the command exits without any errors, there will be a file in the /usr/src/linux/ directory called
vmlinux. This is the uncompressed kernel.
The two other commands will write an additional file in /usr/src/linux/arch/i386/boot/ called zImage and
bzImage respectively. These are compressed kernels using gzip and bzip2. See the next section Installing
the New Kernel to find out how to proceed with these files.
make modules
The modules are compiled with make modules.
make modules_install
Once the modules are compiled they need to be copied to the corresponding subdirectory in /lib/modules.
The make modules_install command will do that.
The sequence of commands is depicted in Fig 3.
Kernel compilation commands:
make dep
make clean
make bzImage
make modules
make modules_install
3.4 Installing a New Kernel
The new kernel can be found in /usr/src/linux/arch/i386/boot/bzImage, depending on the architecture of
your system. This file must be copied to the /boot directory, and named vmlinuz-<full-kernel-version>:
cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-<full-kernel-version>
Next the /etc/lilo.conf or /boot/grub/grub.conf file needs to be edited to add our newly compiled kernel to
the boot menu. Copy the "image" section from your existing kernel and add a new image section at the
bottom of the file, as shown below:
Editing the /etc/lilo.conf file
prompt
timeout=50
message=/boot/message
image=/boot/vmlinuz
        label=linux                     # Existing section
        root=/dev/hda6
        read-only
image=/boot/vmlinuz-<full-kernel-version>
        label=linux-new                 # Added section
        root=/dev/hda6
        read-only
..........snip...............................
The symbol table for the various kernel procedures can be copied to the /boot directory:
cp /usr/src/linux/System.map /boot/System.map-<full-kernel-version>
3.5 The full kernel version
On a system, the version of the running kernel can be printed out with
uname -r
This kernel version is also displayed on the virtual terminals if the \k option is present in /etc/issue.
3.5 Initial Ramdisks
If any dynamically compiled kernel modules are required at boot time (e.g. a scsi driver, or the filesystem
module for the root partition) they will be loaded using an initial ramdisk.
The initial ramdisk is created with the mkinitrd command which only takes two parameters: the filename
and the kernel version number.
If you use an initial ramdisk then you will need to add an initrd= line in your /etc/lilo.conf
mkinitrd /boot/initrd-full-version.img full-version
3.6 Optional
It is recommended to copy the /usr/src/linux/.config file to /boot/config-<full-kernel-version>, just to
keep track of the capabilities for the different kernels that have been compiled.
3.7 Re-installing LILO
Finally lilo needs to be run in order to update the boot loader. First lilo can be run in test mode to see if
there are any errors in the configuration file:

NOTICE
The LILO bootloader needs to be updated using lilo every time a change is made in /etc/lilo.conf
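The version bookkeeping of sections 3.2, 3.4, 3.5 and 3.6 collected into one POSIX shell script. This is an added example, not code from the LinuxIT manual: it assembles the full kernel version from the VERSION, PATCHLEVEL, SUBLEVEL and EXTRAVERSION variables of a Makefile (a constructed extract is embedded; pass the text of /usr/src/linux/Makefile for a real tree), refuses to continue when that version equals the running kernel's, copies bzImage, System.map and .config into the boot directory under their -<full-kernel-version> names without overwriting an existing kernel, and prints the lilo.conf image section to append. All function names and the rehearsal in a scratch directory are ours; the source tree and boot directory are parameters, so the same functions apply to /usr/src/linux and /boot when run as root. The test-mode run of lilo the text refers to is lilo -t, which checks the configuration without writing a boot sector.

```shell
#!/bin/sh
# Added example, not code from the LinuxIT manual: the version bookkeeping
# around a kernel build (sections 3.2, 3.4, 3.5, 3.6) as checkable functions.

# Constructed extract of the top of a 2.4 Makefile, edited as in section 3.2.
SAMPLE_MAKEFILE='VERSION = 2
PATCHLEVEL = 4
SUBLEVEL = 20
EXTRAVERSION = -test
KERNELRELEASE=$(VERSION).$(PATCHLEVEL).$(SUBLEVEL)$(EXTRAVERSION)'

# Assemble the full kernel version (what uname -r reports once the kernel
# boots) from the four Makefile variables; an empty EXTRAVERSION gives "2.4.20".
# Usage: full_kernel_version "<Makefile text>"
full_kernel_version() {
    printf '%s\n' "$1" | awk -F '=' '
        /^(VERSION|PATCHLEVEL|SUBLEVEL|EXTRAVERSION)[ \t]*=/ {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            v[key] = val
        }
        END { printf "%s.%s.%s%s\n", v["VERSION"], v["PATCHLEVEL"], v["SUBLEVEL"], v["EXTRAVERSION"] }'
}

# Succeed only when the version to be built differs from the running one,
# which is the point of editing EXTRAVERSION: with the same version,
# make modules_install would write into the /lib/modules directory in use.
# Usage: version_is_distinct <new-version> <running-version>
version_is_distinct() {
    [ -n "$1" ] && [ "$1" != "$2" ]
}

# Copy bzImage, System.map and .config into the boot directory under their
# -<full-kernel-version> names. Refuses to overwrite an existing vmlinuz so a
# stale EXTRAVERSION cannot clobber a kernel you may still need to boot.
# Usage: install_kernel <source tree> <boot dir> <full-kernel-version>
install_kernel() {
    if [ -e "$2/vmlinuz-$3" ]; then
        echo "install_kernel: $2/vmlinuz-$3 exists, refusing to overwrite" >&2
        return 1
    fi
    cp "$1/arch/i386/boot/bzImage" "$2/vmlinuz-$3" &&
    cp "$1/System.map" "$2/System.map-$3" &&
    cp "$1/.config" "$2/config-$3"
}

# Print the image section to append to /etc/lilo.conf, with the initrd= line
# when mkinitrd was used. The label is kept short because LILO limits labels
# to 15 characters, so "linux-<full-kernel-version>" would usually be rejected.
# Usage: lilo_image_section <full-kernel-version> <root device> [initrd]
lilo_image_section() {
    printf 'image=/boot/vmlinuz-%s\n' "$1"
    printf '\tlabel=linux-new\n'
    printf '\troot=%s\n' "$2"
    if [ "$3" = initrd ]; then
        printf '\tinitrd=/boot/initrd-%s.img\n' "$1"
    fi
    printf '\tread-only\n'
}

# Stand-alone rehearsal against a scratch directory standing in for
# /usr/src/linux and /boot. On the real system finish with "lilo -t" (test
# only, nothing written) and then "lilo" once it reports no errors.
rehearse() {
    _r_ver=$(full_kernel_version "$SAMPLE_MAKEFILE")
    if ! version_is_distinct "$_r_ver" "$(uname -r)"; then
        echo "version $_r_ver is the running kernel; edit EXTRAVERSION first" >&2
        return 1
    fi
    _r_tmp=$(mktemp -d)
    mkdir -p "$_r_tmp/src/arch/i386/boot" "$_r_tmp/boot"
    : > "$_r_tmp/src/arch/i386/boot/bzImage"
    : > "$_r_tmp/src/System.map"
    : > "$_r_tmp/src/.config"
    install_kernel "$_r_tmp/src" "$_r_tmp/boot" "$_r_ver" && ls "$_r_tmp/boot"
    lilo_image_section "$_r_ver" /dev/hda6 initrd
    rm -r "$_r_tmp"
}
rehearse
```

Running the script prints the three versioned files the rehearsal created (vmlinuz-2.4.20-test, System.map-2.4.20-test, config-2.4.20-test) followed by the lilo.conf stanza; calling install_kernel a second time with the same version fails instead of replacing the kernel, which is the check a real /boot deserves before lilo is run.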

4. Exercises and Summary
Files                                        Description
/etc/modules.conf                            used by modprobe before inserting a module
/lib/modules/<kernel-version>/               directory where the modules for a given kernel version are
                                             stored
/lib/modules/<kernel-version>/modules.dep    list of module dependencies created by depmod
Commands               Description
depmod                 depmod(8) - kernel modules can provide services (called "symbols") for other
                       modules to use (using EXPORT_SYMBOL in the code). If a second module
                       uses this symbol, that second module clearly depends on the first module.
                       Depmod creates a list of module dependencies, by reading each module under
                       /lib/modules/version and determining what symbols it exports, and what
                       symbols it needs. By default this list is written to modules.dep in the same
                       directory
insmod                 insmod(8) - a trivial program to insert a module into the kernel: if the filename
                       is a hyphen, the module is taken from standard input. Most users will want to
                       use modprobe(8) instead, which is cleverer
make clean             delete all object files in the source tree
make config            configure the Linux kernel
make dep               creates a list of extra headers in files called .depend needed to satisfy module
                       dependencies
make menuconfig        configure the Linux kernel using a menu
make modules           compile all the external/dynamic modules for this kernel
make modules_install   install the compiled modules in /lib/modules/kernel-version
make oldconfig         create a default .config if it doesn't exist. If a .config file already exists the
                       chosen configuration is unchanged. If the source tree has changed, for example
                       after a patch (see LPI 201) or the .config file corresponds to an older kernel,
                       then extra configuration options must be supplied
make xconfig           configure a Linux kernel using a menu
lsmod                  list all dynamically loaded modules
modinfo                print information about a kernel module such as the author (-a), the description
                       (-d), the license (-l) or parameters (-p)
modprobe               modprobe(8) - will automatically load all base modules needed in a module
                       stack, as described by the dependency file modules.dep. If the loading of one of
                       these modules fails, the whole current stack of modules loaded in the current
                       session will be unloaded automatically
rmmod                  rmmod(8) - tries to unload a set of modules from the kernel, with the restriction
                       that they are not in use and that they are not referred to by other modules
Before starting with the exercises make sure you don't have an existing kernel tree in /usr/src/. If you
do, pay attention to the /usr/src/linux symbolic link.
1. Manually recompile the kernel following the compilation steps.
- Get the kernel-version.src.rpm package from an FTP mirror site or a CD. Installing this package will also
give you a list of dependencies, such as the gcc compiler or binutils package if they haven't yet been met.
- Install the package with -i (this will put all the code in /usr/src/)
- Go into the /usr/src/linux-version directory and list the configs directory
- Copy the kernel config file that matches your architecture into the current directory and call it .config
- Run
make oldconfig
at the command line to take into account this new .config file.
- Edit the Makefile and make sure the version is not the same as your existing kernel. You can get
information on your current kernel by running uname -a at the command line or list the /lib/modules
directory.
- Run
make menuconfig (or make config or make xconfig)
and remove ISDN support from the kernel.

- When you exit the above program the .config file is altered but the changes have not yet taken place in
the rest of the source tree. You next need to run
make dep
- Finally, to force new object files (.o) to be compiled with these changes you delete all previously compiled
code with
make clean
- You can now build the kernel and the modules and install the modules with:
make bzImage modules modules_install
- The modules are now installed in the /lib/modules/version directory. The kernel is called bzImage
and is in the following directory:
/usr/src/linux/arch/i386/boot/
We need to manually install this kernel (2 steps):
(i)
cp /usr/src/linux/arch/i386/boot/bzImage /boot/vmlinuz-<full-kernel-version>
(ii) That was easy! We next edit the bootloader configuration file:
if you are using LILO, edit /etc/lilo.conf and add an 'image' paragraph that will tell LILO
where to find this kernel and the root filesystem. Run /sbin/lilo and reboot
if you are using GRUB, edit /boot/grub/grub.conf or /boot/grub/menu.lst
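As an added example (not code from the study guide), a Python check for the "edit the Makefile" step of the procedure above: it derives the release string that the build will produce (VERSION.PATCHLEVEL.SUBLEVEL plus EXTRAVERSION, which is also the name of the /lib/modules directory) and flags a clash with the running kernel or with an existing modules directory before make modules_install overwrites it. The Makefile text is constructed sample data.

```python
import os
import re

# Constructed sample of the version variables at the top of a 2.4-era
# kernel Makefile (example data, not taken from the study guide).
SAMPLE_MAKEFILE = """\
VERSION = 2
PATCHLEVEL = 4
SUBLEVEL = 20
EXTRAVERSION = -8custom
"""

_VERSION_VARS = ("VERSION", "PATCHLEVEL", "SUBLEVEL", "EXTRAVERSION")


def makefile_version(makefile_text):
    """Return the release string a Makefile will build, e.g. 2.4.20-8custom.

    The string is VERSION.PATCHLEVEL.SUBLEVEL followed by EXTRAVERSION, which
    is exactly what modules_install uses as the /lib/modules/<release> name.
    """
    values = {}
    for line in makefile_text.splitlines():
        m = re.match(r"^\s*(\w+)\s*=\s*(.*?)\s*$", line)
        # Keep only the first assignment of each version variable.
        if m and m.group(1) in _VERSION_VARS and m.group(1) not in values:
            values[m.group(1)] = m.group(2)
    missing = [v for v in _VERSION_VARS[:3] if v not in values]
    if missing:
        raise ValueError("Makefile lacks %s" % ", ".join(missing))
    base = "%s.%s.%s" % (values["VERSION"], values["PATCHLEVEL"], values["SUBLEVEL"])
    return base + values.get("EXTRAVERSION", "")


def check_build_version(makefile_text, running_release, modules_root="/lib/modules"):
    """Report whether building from this Makefile collides with the running kernel.

    running_release is what `uname -r` prints. The returned dict gives the
    release that will be built, whether it equals the running release, and
    whether /lib/modules/<release> already exists (modules_install would then
    overwrite the modules of an installed kernel).
    """
    release = makefile_version(makefile_text)
    return {
        "release": release,
        "same_as_running": release == running_release,
        "modules_dir_exists": os.path.isdir(os.path.join(modules_root, release)),
    }


if __name__ == "__main__":
    import platform
    print(check_build_version(SAMPLE_MAKEFILE, platform.release()))
```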
2. Since we downloaded the kernel-version.src.rpm package we can now use this package to
recompile a 'RedHat preconfigured' kernel. Notice that although no intervention is needed you won't be able
to change the .config menu.
- First rebuild the compiled binary package with
rpm --rebuild kernel-version.src.rpm (...wait!)
- This will eventually generate the kernel-version.i386.rpm in /usr/src/redhat/RPMS/i386/.
- Next, upgrade your kernel with the RPM manager using the -U option.
Booting Linux
Prerequisites
None
Goals
Manage services (e.g mail, webserver, etc) using runlevels
Understand the role of the init process and its configuration file /etc/inittab
Recognise the three phases of the booting process: Bootloader, Kernel and Init
Contents
Booting Linux ........................................ 14
1. Understanding Runlevels ........................... 15
2. Services and Runtime Control Scripts .............. 16
3. The joys of inittab ............................... 18
4. LILO and GRUB ..................................... 19
5. From boot to bash ................................. 23
6. Exercises and Summary ............................. 24
Overview
Taking a closer look at the booting process helps troubleshooting when dealing with both hardware and
software problems.
We first focus on the role of the init program and its associated configuration file /etc/inittab. The role of
LILO or GRUB is investigated in greater depth. Finally we summarise the booting process. The document
"From Power to Bash Prompt" written by Greg O'Keefe as well as the boot(7) manpage are both good
references for this module.
1. Understanding Runlevels
Unlike most non-UNIX operating systems which only have 2 modes of functionality (on and off), UNIX
operating systems, including Linux, have different runlevels such as a "maintenance" runlevel or a "multi-user"
runlevel, etc.
Runlevels are numbered from 0 to 6 and will vary from one Linux distribution to another. The description for
each runlevel functionality is sometimes documented in /etc/inittab.
Example Linux runlevels
Runlevel 0 shuts down the machine safely
the operating system will also attempt to poweroff the system if possible
Runlevel 1 is single user mode
only one terminal is available for the (single) user root
all other users are logged out
Runlevel 2 is multi-user mode, but does not start NFS
most network services like email or web services are also stopped
Runlevel 3 is full multi-user mode. Selected network services are all on
Runlevel 4 is not defined and generally unused
Runlevel 5 is like runlevel 3 but runs a Display Manager as well
Runlevel 6 restarts the machine safely
Highlighted runlevels 0, 1 and 6 offer the same functionalities for all Linux flavours.
INIT Controls Runlevels
Both init and telinit are used to switch from one runlevel to another. Remember that init is the first program
launched after the kernel has accessed the root device.
At boot time init is instructed which runlevel to reach in /etc/inittab with the line:
id:5:initdefault:

When the system is started it is possible to change runlevels by invoking init (or telinit which is a symbolic
link pointing at init).
For example we switch to runlevel 4 with either of the next commands:
init 4
telinit 4
The PID for init is always 1. It is possible to find out which runlevel the system is currently in with the
command runlevel.
runlevel
N 3
The first number is the previous runlevel (or N if not applicable) and the second number is the current
runlevel.
2. Services and Runtime Control Scripts
Each runlevel is characterised by a set of services that are either started or stopped. The services are
controlled by runtime control scripts kept in /etc/rc.d/init.d or /etc/init.d. Each rc-script will control the
daemon associated with the service using an argument.
Example: restarting the apache server:
/etc/rc.d/init.d/httpd restart
Expected arguments
restart do stop then start
stop stop the daemon associated with the service
start start the service
status return the status of the service (running or stopped)
Typical services in /etc/rc.d/init.d/
ls /etc/rc.d/init.d
anacron cups identd kadmin krb5kdc mcserv nscd random smb xfs
apmd dhcpd innd kdcrotate kudzu named ntpd rawdevices snmpd xinetd
arpwatch functions ipchains keytable ldap netfs pcmcia rhnsd suid
atd gpm iptables killall linuxconf network portmap rwhod sshd
autofs halt irda kprop lpd nfs pgsql sendmail syslog
crond httpd isdn krb524 marsrv nfslock pppoe single tux
Once a service is started it will run until a new runlevel is started.
Selecting Services per Runlevel

We will follow what happens when we switch from one runlevel to another.
Say you want to be in runlevel 2, you would type:
/sbin/init 2
This in turn forces init to read its configuration file /etc/inittab. We will look at this file in detail in the next
section. For now we are concerned with the single line in /etc/inittab that will start all the services:
l2:2:wait:/etc/rc.d/rc 2
The "/etc/rc.d/rc 2" command will start the scripts in /etc/rc.d/rc2.d starting with an S and will stop the services
whose scripts start with a K. The next sample listing shows that the httpd daemon will be stopped, while the syslogd
daemon will be started:
ls /etc/rc.d/rc2.d -l | egrep "httpd|syslog"
lrwxrwxrwx 1 root root 15 Mar 23 21:01 /etc/rc.d/rc2.d/K15httpd -> ../init.d/httpd
lrwxrwxrwx 1 root root 16 Mar 20 20:03 /etc/rc.d/rc2.d/S12syslog -> ../init.d/syslog
One can also see that the scripts are symbolic links pointing to the rc-scripts in /etc/rc.d/init.d.
Therefore, if you don't want a process to run in a given runlevel N you can delete the corresponding symlink
in /etc/rc.d/rcN.d beginning with an S and add one beginning with a K.
Runtime Editors (not an LPI objective)
A runtime editor will automatically manage these symbolic links allowing a system administrator to switch a
service on or off per runlevel as needed. Once again different distributions use different tools. Since the LPI
certification is vendor independent none of these tools are examinable.

3. The Joys of inittab
As promised we next take a closer look at /etc/inittab.
The file has the following structure:
id : runlevel : action : command
The /etc/inittab file
id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l1:1:wait:/etc/rc.d/rc 1
l2:2:wait:/etc/rc.d/rc 2
l3:3:wait:/etc/rc.d/rc 3
l4:4:wait:/etc/rc.d/rc 4
l5:5:wait:/etc/rc.d/rc 5
l6:6:wait:/etc/rc.d/rc 6
-----------------------snip----------------------------
# Trap CTRL-ALT-DELETE
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
-----------------------snip----------------------------
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
# Run xdm in runlevel 5
x:5:respawn:/etc/X11/prefdm -nodaemon
The id field can be anything. If a runlevel is specified then the command and the required action will be
performed only at that specific runlevel. If no number is specified then the line is executed at any run level.
Recognisable features in the /etc/inittab file:
The default runlevel: this is set at the beginning of the file with the id id and the action initdefault. Notice
that no command is given. This line simply tells init what the default runlevel is.
First program called by init: /etc/rc.d/rc.sysinit. This script sets system defaults such as the PATH
variable, determines if networking is allowed, the hostname, etc ...
Default runlevel services: If the default runlevel is 3 then only the line "l3" will be executed. The action is
"wait": no other program is launched until all services in run level 3 are running.
The getty terminals: The lines with id's 1-to-6 launch the virtual terminals. This is where you can alter the
number of virtual terminals.
Runlevel 5: The final line in inittab launches the X window manager if runlevel 5 is reached.
Remarks:
1. You can set a modem to listen for connections in inittab. If your modem is linked to /dev/ttyS1 then the
following line will allow data connections (no fax) after 2 rings:
S1:12345:respawn:/sbin/mgetty -D -x 2 /dev/ttyS1
2. When making changes to /etc/inittab you need to force init to reread this configuration file. This is most
easily done using:
/sbin/init q
4. LILO and GRUB
During boot-up, boot loaders need to know where the kernel is (usually in /boot) and which device is the
root-device.
BOOTLOADER ----> KERNEL ----> / ----> /sbin/init
Alternatively, a boot loader can load a RAM disk into memory containing scripts and kernel modules needed
to access the root device. This will be the case when the root-device is handled by non-resident (also called
dynamic) modules.
BOOTLOADER ----> INITRD ----> KERNEL ----> / ----> /sbin/init
Common dynamic modules
ext3 Third extended filesystem type
lvm Logical volume support
raidx software raid level x support
scsi SCSI support

Installing LILO
The bootloader LILO is installed by /sbin/lilo (the bootloader mapper or installer) which in turn reads
configuration options from the file /etc/lilo.conf.
LILO cannot read filesystems, only offsets on the physical disks. Therefore the mapper will read information
from the /etc/lilo.conf file (e.g which second stage bootloader to use, which kernel or which initial ram disk)
and will translate this information using a system of maps for LILO to read at boot time.
The main options in /etc/lilo.conf are specified here
boot= where LILO should be installed (/dev/hda is the MBR)
install which second stage to install (boot.b is the default)
prompt give the user a chance to choose an OS to boot
default name of the image that will be booted by default
timeout used with prompt, causes LILO to pause (units are 1/10 of a sec)
image= path to the kernel to boot (one can use 'other' to chain load)
label= name of the image. This is the name a user can type at the boot prompt
root= the name of the disk device which contains the root filesystem /
read-only mount the root filesystem read-only for fsck to work properly
append give kernel parameters for modules that are statically compiled.
linear/lba32 these options are mutually exclusive. Both ask LILO to read the disk using Linear
Block Addressing. linear is typically used for very large disks. lba32 is used to allow boot time
access to data beyond the first 1024 cylinders
Installing GRUB
The GRUB boot loader is installed with the command grub-install. Configuration options are stored in the
file /boot/grub/menu.lst or /boot/grub/grub.conf. Unlike LILO, GRUB is a small shell that can read
certain filesystems. This allows GRUB to read information in the grub.conf or menu.lst files.
Main sections in /boot/grub/grub.conf or menu.lst
1. General/Global
default image that will boot by default (the first entry is 0)
timeout prompt timeout in seconds
2. Image
title name of the image
root where the 2nd stage bootloader and kernel are e.g (hd0,0) is /dev/hda
kernel path for the kernel starting from the previous root e.g /vmlinuz
ro read-only
root the filesystem root
initrd path to the initial root disk
Bootloader Options
It is possible to give parameters at boot time to both LILO and GRUB. Both loaders have a limited interface
which can read user input.
Passing parameters at the LILO prompt:
boot: linux s
Passing parameters at the GRUB prompt:
Once the GRUB boot loader has successfully started you will see the main menu screen with a list of menu
titles.
Do the following:
1. press 'e' to edit a given menu title
2. scroll down to the line containing 'kernel' and press 'e' again
3. you can add any options here
4. to boot with the current options type 'b'. Otherwise just press return to get the unaltered line back
Notice that pressing the ESC key will bring you back to a previous stage. You can navigate back to the main
menu this way.
Alternatively the boot loader configuration files (lilo.conf or grub.conf) can be used to save these options.
Passing init parameters:
Boot loaders can pass the runlevel parameter to init. Once the kernel is loaded, it will start /sbin/init by
default which then takes over the booting process.
Common runlevels are s,single,S,1,2,3,4,5
If no parameters are given, init will launch the default runlevel specified in /etc/inittab.
Passing kernel parameters:
Kernel options are of the form item=value.
Common kernel parameters
acpi= enable/disable ACPI
init= tell the kernel which program to start from the root device
mem= specify amount of RAM to use
root= specify the root device
Warning! The boot loader kernel parameters are passed to the resident kernel modules only.

In /etc/lilo.conf kernel parameters are declared with the append option.
Examples
append="pci=biosirq"
append="mem=16M"
append="hdc=ide-scsi" (for CD writers)
During bootup all kernel messages are logged to /var/log/dmesg by default. This file can either be read or
flushed to stdout with the /bin/dmesg utility.

5. From boot to bash
We can now attempt to go through each stage of the booting process.
1. Boot Loader stage:
If the bootloader is successful it will start its second stage which displays a prompt or a splash image with a
list of operating systems or kernels to boot
If an initial ram disk is specified it is loaded here.
The kernel is loaded into memory
2. Kernel Stage
The kernel is loaded from the medium specified in the lilo.conf/grub.conf configuration file. As it loads it
is decompressed. If an initial ramdisk is loaded, extra modules are loaded here
The kernel will scan the hardware in the system: CPU, RAM, PCI bus, etc
The kernel then mounts the root device as read-only.
From here on programs in /bin and /sbin are made available.
The kernel then loads /sbin/init - the first 'userspace' process.
3. The INIT stage
Init reads /etc/inittab and follows the instructions
the default runlevel is read
the rc.sysinit is run:
- all local filesystems are mounted or, if needed, an integrity check (fsck) is performed in
accordance with entries in /etc/fstab
- quotas are started, etc ...
next init goes into the default runlevel /etc/rc.d/rc N
the gettys start and the boot process is over
The prompt to login is now managed by the gettys on the ttys. After the user has typed in their username
and pressed return,
/bin/login is started.
The user is prompted by /bin/login for the password. The user enters a password and presses return.
The password the user entered is compared to the password in /etc/passwd or /etc/shadow.
6. Exercises and Summary
Files
Files Description
/etc/init.d directory containing all the scripts used to stop and start services at boot time
/etc/inittab inittab(5) - The inittab file describes which processes are started at boot-up and during
normal operation. Init distinguishes multiple runlevels, each of which can have its own set
of processes that are started
Commands
Commands Description
init init(8) - is the parent of all processes. Its primary role is to create processes from a script
stored in the file /etc/inittab
shutdown shutdown(8) - brings the system down in a secure way. All logged-in users are notified that
the system is going down, and login(1) is blocked. It is possible to shut the system down
immediately or after a specified delay. All processes are first notified that the system is
going down by the signal SIGTERM. This gives programs like vi(1) the time to save the
file being edited, mail and news processing programs a chance to exit cleanly, etc.
shutdown does its job by signalling the init process, asking it to change the runlevel
References
Take a look at the boot(7) manpage, it covers most of what we did in this module
Exercises
1. Use init to change your current runlevel (e.g switch between runlevel 3 and 5).
How do you know what your current runlevel is?
2. Enable the Ctrl+Alt+Del in runlevel 3 only.
How can you force init to read its configuration file?
3. Add a new login prompt on tty7.
4. Use dmesg to read the chipset of your ethernet card.
5. Investigate differences between shutdown, halt and reboot.
Which option to shutdown will force an fsck at the next boot?
6. Use the tools chkconfig or ntsysv to disable the sshd daemon in runlevels 2, 3, 4 and 5.
Verify that the symbolic links in the rc2.d, rc3.d, rc4.d and rc5.d directories have changed.
7. Reboot the system. At the boot prompt give the appropriate init= parameter to skip /sbin/init and start a
simple bash session.
Managing Groups and Users
Prerequisites
None
Goals
Manage user accounts
Manage group accounts
Modify account settings
Contents
Managing Groups and Users ............................ 26
1. Creating new users ................................ 27
2. Working with groups ............................... 28
3. Configuration files ............................... 30
4. Command options ................................... 32
5. Modifying accounts and default settings ........... 32
6. Exercises and Summary ............................. 34
1. Creating new users
Step 1: Create an account
The /usr/sbin/useradd command adds new users to the system and the symbolic link adduser points to it.
Syntax:
useradd [options] login-name
Example: add a user with login-name rufus
useradd rufus
Default values will be used when no options are specified. You can list these values with useradd -D.
Default options listed with useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
Notice that this information is also available in the file /etc/default/useradd
Step 2: Activate the account with a new password
To allow a user to access his or her account the administrator must allocate a password to the user using
the passwd tool.
Syntax:
passwd login-name
These steps create a new user. This has also defined the user's environment such as a home directory and
a default shell. The user has also been assigned to a group, his primary group.
2. Working with groups
Every new user is assigned to an initial (or primary) group. Two conventions exist.
Traditionally this primary group is the same for all users and is called users with a group id (GID) of 100.
Many Linux distributions adhere to this convention such as Suse and Debian.
The User Private Group scheme (UPG) was introduced by RedHat and changes this convention without
changing the way in which UNIX groups work. With UPG each new user belongs to their own primary group.
The group has the same name as the login-name (default), and the GID is in the 500 to 60000 range (same
as UIDs).
As a consequence, when using the traditional scheme for groups the user's umask (see LPI 101) is set to
022, whereas in the UPG scheme the umask is set to 002.
Belonging to groups
A user can belong to any number of groups. However at any one time (when creating a file for example)
only one group is the effective group.
The list of all groups a user belongs to is obtained with either the groups or id commands.
Example for user root:
List all ID's :
id
-> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),
4(adm),6(disk),10(wheel),600(sales)
List all groups :
groups
-> root bin daemon sys adm disk wheel sales
Joining a group
Joining a group changes the user's effective group and starts a new session from which the user can then
logout. This is done with the newgrp command.
Example: joining the sales group
newgrp sales
If the groups command is issued, the first group on the list would no longer be root but sales.
Creating and deleting groups
The groupadd tool is used to add new groups. It will add an entry in the /etc/group file.
Example: Create the group devel
groupadd devel

The groupdel tool is used to delete groups. This will remove relevant entries in the /etc/group file.
Example: Delete the group devel
groupdel devel

Adding a user to a group
Administration tasks can be carried out with the gpasswd tool. One can add (-a) or remove (-d) users from
a group and assign an administrator (-A). The tool was originally designed to set a single password on a
group, allowing members of the same group to login with the same password. For security reasons this
feature no longer works.
Example: Add rufus to the group devel
gpasswd -a rufus devel
3. Configuration files
The /etc/passwd and /etc/shadow files:
The names of all the users on the system are kept in /etc/passwd. This file has the following structure:
1. Login name
2. Password (or x if using a shadow file)
3. The UID
4. The GID
5. Text description for the user
6. The user's home directory
7. The user's shell
These 7 fields are separated by colons, as in the example below.
/etc/passwd entry with encrypted passwd:
george:$1$K05gMbOv$b7ryoKGTd2hDrW2sT.h:Dr G Micheal:/home/georges:/bin/bash
In order to hide the encrypted passwords from ordinary users you should use a shadow file. The
/etc/shadow file then holds the user names and encrypted passwords and is readable only by root.
If you don't have a shadow file in /etc then you should issue the following command:
/usr/sbin/pwconv (passwd -> shadow)
This will leave an 'x' in the 2nd field of /etc/passwd and create the /etc/shadow file. If you don't wish to use
shadow passwords you can revert using
/usr/sbin/pwunconv (shadow -> passwd)
Caution: When using a shadow password file the /etc/passwd file may be world readable (644) and the
/etc/shadow file must be more restricted (600 or even 400). However when using pwunconv make sure to
change the permissions on /etc/passwd (600 or 400).
The /etc/group and gshadow files:
In the same way, information about groups is kept in /etc/group. This file has 4 fields separated by colons.
1. Group name
2. The group password (or x if gshadow file exists)
3. The GID
4. A comma separated list of members
Example /etc/group entry:
java:x:550:jade,eric,rufus
As for users there is a /etc/gshadow file that is created when using shadow group passwords. The utilities
used to switch backwards and forward from shadow to non-shadow files are as follows
/usr/sbin/grpconv creates the /etc/gshadow file
/usr/sbin/grpunconv deletes the gshadow file
The /etc/login.defs and /etc/skel/ files
The /etc/login.defs file contains the following information:
the mail spool directory:
MAIL_DIR
password aging controls:
PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MAX_LEN, PASS_WARN_AGE
max/min values for automatic UID selection in useradd:
UID_MIN, UID_MAX
max/min values for automatic GID selection in groupadd:
GID_MIN, GID_MAX
automatically create a home directory with useradd:
CREATE_HOME
The /etc/skel directory contains default files that will be copied to the home directory of newly created users:
.bashrc, .bash_profile, ...
4. Command options
useradd [options]
-c comment (Full Name)
-d path to home directory
-g initial group (GID). The GID must already exist
-G comma separated list of supplementary groups
-u user's UID
-s user's default shell
-p password (md5 encrypted, use quotes!)
-e account expiry date
-k the skel directory
-n switch off the UPG group scheme
groupadd [options]
-g assign a GID
5. Modifying accounts and default settings
All available options while creating a user or a group can be modified. The usermod utility has the following
main options:
usermod [options]
-d the user's directory
-g the user's initial GID
-l the user's login name
-u the user's UID
-s the default shell.
Notice these options are the same as for useradd.
Likewise, you can change details about a group with the groupmod utility. There are mainly two options:
groupmod [options]
-g the GID
-n the group name.
Locking an account
A user's account can be locked by prefixing an exclamation mark to the user's password. This can
also be done with the following command line tools:
Lock Unlock
passwd -l passwd -u
usermod -L usermod -U
When using shadow passwords, replace the x with a *
A less useful option is to remove the password entirely with passwd -d.
Finally, one can also assign /bin/false to the user's default shell in /etc/passwd.
Changing the password expiry dates:
By default a user's password is valid for 99999 days, that is 273.9 years (default PASS_MAX_DAYS). The
user is warned for 7 days that his password will expire (default PASS_WARN_AGE) with the following
message as he logs in:
Warning: your password will expire in 6 days
There is another password aging policy number that is called PASS_MIN_DAYS. This is the minimum
number of days before a user can change his password; it is set to zero by default.
The chage tool allows an administrator to change all these options.
Usage: chage [ -l ] [ -m min_days ] [ -M max_days ] [ -W warn ]
[ -I inactive ] [ -E expire ] [ -d last_day ] user
The first option -l lists the current policy values for a user. We will only discuss the -E option. This locks an
account at a given date. The date is either in UNIX days or in YYYY/MM/DD format.
Notice that all these values are stored in the /etc/shadow file, and can be edited directly.
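As an added example (not from the study guide), a Python audit over constructed /etc/passwd and /etc/shadow samples covering the points of this section and of the configuration-files section above: the 7-field passwd layout, an 'x' in the password field (shadowed), no second UID 0 account, locked ('!' or '*') or empty shadow passwords, and the aging values (max days and warn days counted from the last-change field in UNIX days) that chage -l reports. The sample entries and hashes are constructed placeholders; the passwd entry printed for george earlier has only five fields, so a seven-field one is used here.

```python
from datetime import date

# Constructed sample files (example data, not the study guide's own entries;
# the hashes are placeholders, not real password hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
george:x:500:100:Dr G Micheal:/home/georges:/bin/bash
eric:x:503:100:Eric:/home/eric:/bin/bash
rufus:x:501:501:Rufus:/home/rufus:/bin/bash
jade:$1$placeholder$hash:502:100:Jade:/home/jade:/bin/bash
backup:x:0:0:second uid 0:/root:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$1$placeholder$hash:12800:0:99999:7:::
george:$1$placeholder$hash:12900:0:90:7:::
eric:$1$placeholder$hash:12800:0:90:7:::
rufus:!$1$placeholder$hash:12950:0:99999:7:::
backup::12800:0:99999:7:::
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "flag")


def _records(text, nfields, filename):
    """Split colon-separated lines, rejecting any line with the wrong field count."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        parts = raw.split(":")
        if len(parts) != nfields:
            raise ValueError("%s line %d: expected %d fields, got %d"
                             % (filename, lineno, nfields, len(parts)))
        out.append(parts)
    return out


def parse_passwd(text):
    return [dict(zip(PASSWD_FIELDS, p)) for p in _records(text, 7, "/etc/passwd")]


def parse_shadow(text):
    return {p[0]: dict(zip(SHADOW_FIELDS, p)) for p in _records(text, 9, "/etc/shadow")}


def epoch_days(day=None):
    """Days since 1970-01-01: the unit of the lastchg and expire fields in /etc/shadow."""
    return ((day or date.today()) - date(1970, 1, 1)).days


def audit_accounts(passwd_text, shadow_text, today):
    """Return (user, finding) pairs; `today` is in epoch days (see epoch_days)."""
    findings = []
    shadow = parse_shadow(shadow_text)
    for u in parse_passwd(passwd_text):
        name = u["name"]
        if u["passwd"] == "":
            findings.append((name, "empty password field in passwd"))
        elif u["passwd"] != "x":
            findings.append((name, "password hash not shadowed"))
        if u["uid"] == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
        s = shadow.get(name)
        if s is None:
            findings.append((name, "no shadow entry"))
            continue
        h = s["passwd"]
        if h == "":
            findings.append((name, "empty password"))
        elif h[0] in "!*":
            findings.append((name, "account locked"))
        elif s["lastchg"] and s["max"]:
            # Ageing as chage reports it: max days counted from the last change.
            days_left = int(s["max"]) - (today - int(s["lastchg"]))
            warn = int(s["warn"]) if s["warn"] else 0
            if days_left < 0:
                findings.append((name, "password expired"))
            elif days_left <= warn:
                findings.append((name, "password expires in %d days" % days_left))
    return findings


if __name__ == "__main__":
    for user, what in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW, epoch_days()):
        print("%-8s %s" % (user, what))
```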
Removing an account:
A user's account may be removed with the userdel command line. To make sure that the user's home
directory is also deleted use the -r option.
userdel -r jade
6. Exercises and Summary
Files
File Description
/etc/group contains the names of all the groups on the system
/etc/gshadow contains (optionally) passwords associated to a group
/etc/login.defs contains predefined values needed when adding a new user such as the minimum and
maximum UID and GID, the minimum password length, etc
/etc/passwd passwd(5) - text file that contains a list of the system's accounts, giving for each account
some useful information like user ID, group ID, home directory, shell, etc. Often, it also
contains the encrypted passwords for each account. It should have general read
permission (many utilities, like ls(1) use it to map user IDs to user names), but write
access only for the superuser
/etc/shadow shadow(5) - contains the encrypted password information for users' accounts and
optionally the password aging information
/etc/skel/ directory containing files and directories to be copied into the home directory of every
newly created user

Commands
Commands Description
chage chage(1) - changes a user's password expiry information
gpasswd gpasswd(1) - administer the /etc/group file
groupadd add a new group to the system
groupmod modify an existing group
groups print out all the groups a user belongs to
id print out the UID as well as the GIDs of all the groups a user belongs to
passwd change the password for an account
useradd add a new user to the system
usermod modify an existing user account
1. Creating users
Use adduser to create a user called tux with user ID 600 and group ID 550
Use usermod to change this user's home directory.
Does the new directory need to be created? (Hint: check the effect of the -m flag)
Is the content of /etc/skel copied to the new directory?
Use usermod to add tux to the group wheel.
2. Working with groups
Create a group called sales using groupadd.
Add tux to this group using gpasswd.
Login as tux and join the group sales using newgrp.

3. Configuration files

Add a user to the system by editing /etc/passwd and /etc/group
Create a group called share and add user tux to this group by manually editing /etc/group

4. Modifying an Account

Change the expiry date for user tux's account using usermod.
Lock the user's account. (Use tools or edit /etc/shadow ...)
Prevent the user from logging in by changing the user's default shell to /bin/false
Change the PASS_MAX_DAYS for user tux to 1 in /etc/shadow

5. Changing default settings

Use useradd -D to change the system's default settings such that every new user will be
assigned /bin/sh instead of /bin/bash. (Notice that this will change the file in /etc/default/)
Edit /etc/login.defs and change the default PASS_MAX_DAYS so that new users need to change their
password every 5 days
Network Configuration

Prerequisites
Hardware configuration (see LPI 101)

Goals
Configure a Linux system for networking
Understand routing
Use network troubleshooting tools

Contents
Network Configuration ................................ 36
1. The Network Interface ............................. 37
2. Host Information .................................. 38
3. Stop and Start Networking ......................... 39
4. Routing ........................................... 40
5. Common Network Tools .............................. 42
6. Exercises and Summary ............................. 45
1. The Network Interface

The network interface card (NIC) must be supported by the kernel. To determine which card you are using
you can get information from dmesg, /proc/interrupts, /sbin/lsmod or /etc/modules.conf

Example:

dmesg
  Linux Tulip driver version 0.9.14 (February 20, 2001)
  PCI: Enabling device 00:0f.0 (0004 -> 0007)
  PCI: Found IRQ 10 for device 00:0f.0
  eth0: Lite-On 82c168 PNIC rev 32 at 0xf800, 00:A0:CC:D3:6E:0F, IRQ 10.
  eth0: MII transceiver #1 config 3000 status 7829 advertising 01e1.

cat /proc/interrupts
   0:    8729602   XT-PIC  timer
   1:          4   XT-PIC  keyboard
   2:          0   XT-PIC  cascade
   7:          0   XT-PIC  parport0
   8:          1   XT-PIC  rtc
  10:     622417   XT-PIC  eth0
  11:          0   XT-PIC  usb-uhci
  14:     143040   XT-PIC  ide0
  15:        180   XT-PIC  ide1

/sbin/lsmod
  Module                  Size  Used by
  tulip                  37360   1 (autoclean)

From the example above we see that the Ethernet card's chipset is Tulip, the i/o address is 0xf800 and the
IRQ is 10. This information can be used either if the wrong module is being used or if the resources (i/o or
IRQ) are not available.
This information can either be used to insert a module with a different i/o address (using the modprobe or
insmod utilities) or can be saved in /etc/modules.conf (this will save the settings for the next system boot).

2. Host Information

The following files are used to store networking information.

/etc/resolv.conf contains a list of DNS servers

nameserver 192.168.1.108
nameserver 192.168.1.1
search linuxit.org

/etc/HOSTNAME or /etc/hostname is used to give a name to the PC

One can also associate a name to a network interface. This is done differently across distributions.

/etc/hosts contains your machine's IP number as well as a list of known hosts

# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost localhost.localdomain
# other hosts
192.168.1.108 mesa mesa.domain.org
192.168.1.119 pico

/etc/sysconfig/network defines if networking must be started. (can also contain the HOSTNAME
variable)

NETWORKING=yes
HOSTNAME=mesa.domain.org
GATEWAY=192.168.1.1
GATEWAYDEV=

/etc/sysconfig/network-scripts/ifcfg-eth0 contains the configuration parameters for eth0

DEVICE=eth0
BOOTPROTO=none
BROADCAST=192.168.1.255
IPADDR=192.168.1.108
NETWORK=192.168.1.0
ONBOOT=yes
USERCTL=no
3. Stop and Start Networking

• From the command line

The main tool used to bring up the network interface is /sbin/ifconfig. Once initialised the kernel module
aliased to eth0 in /etc/modules.conf (e.g. tulip.o) is loaded and assigned an IP and netmask value.
As a result the interface can be switched on and off without losing this information as long as the kernel
module is inserted.

Examples: Using ifconfig.

/sbin/ifconfig eth0 192.168.10.1 netmask 255.255.128.0
/sbin/ifconfig eth0 down
/sbin/ifconfig eth0 up

Another tool is /sbin/ifup. This utility reads the system's configuration files in /etc/sysconfig/ and assigns
the stored values for a given interface. The script for eth0 is called ifcfg-eth0 and has to be configured. If a
boot protocol such as DHCP is defined then ifup will start the interface with that protocol.

Examples: Using ifup.

/sbin/ifup eth0
/sbin/ifup ppp0
/sbin/ifdown eth0

• Using the network script

At boot time the ethernet card is initialised with the /etc/rc.d/init.d/network script. All the relevant
networking files are sourced in the /etc/sysconfig/ directory.

In addition the script also reads the sysctl options in /etc/sysctl.conf; this is where you can configure the
system as a router (allow IP forwarding in the kernel). For example the line:

net.ipv4.ip_forward = 1

will enable IP forwarding and the file /proc/sys/net/ipv4/ip_forward will contain a one.
The network script is started with the following command

/etc/rc.d/init.d/network restart

• Renewing a DHCP lease

The following tools can query the DHCP server for a new IP:

pump
dhcpclient

A client daemon exists called dhcpcd (do not confuse this with the DHCP server daemon dhcpd)

4. Routing

A noticeable difference when using a system script such as ifup rather than ifconfig on its own, is that the
system's routing tables are set in one case and not in the other.
This is because either the /etc/sysconfig/network file is read, where a default gateway is stored, or the
DHCP server has sent this information together with the IP number. The routing tables are configured,
checked and changed with the /sbin/route tool.

Routing examples:

Add a static route to the network 10.0.0.0 through the device eth1 and use 192.168.1.108 as the gateway for
that network:

/sbin/route add -net 10.0.0.0 gw 192.168.1.108 dev eth1

Add a default gateway:

/sbin/route add default gw 192.168.1.1 eth0

Listing the kernel routing table:

/sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Iface
192.168.1.0     0.0.0.0         255.255.255.0   eth0
10.1.8.0        192.168.1.108   255.0.0.0       eth1
127.0.0.0       0.0.0.0         255.0.0.0       lo
0.0.0.0         192.168.1.1     0.0.0.0         eth0

Default Gateway:
In the last listing, the Destination field is a list of networks. In particular, 0.0.0.0 means 'anywhere'. With this
in mind, there are two IP's in the Gateway field. Which one is the default gateway?

To avoid having to enter static routes by hand special daemons gated or routed are run to dynamically
update routing tables across a network.

If you belong to the 192.168.10.0 network and you add a route to the 192.168.1.0 network you may find that
machines in the latter network are not responding. This is because no route has been set from the
192.168.1.0 network back to your host!! This problem is solved using dynamic routing.

Permanent Static Routes

If you have several networks with more than one gateway you can use the /etc/sysconfig/static-routes
file (instead of routing daemons). These routes will be added at boot time by the network script.

Naming Networks

Using the /etc/networks file it is possible to assign names to network numbers (for network numbers see
TCP/IP Networks on p. 48).

/etc/networks format

network-name network-number aliases

For example, the network number 10.0.0.0 can be called office.org, following the above format. It is
then possible to use network names with tools like route as below:

route add -net office.org netmask 255.0.0.0

A routing scenario: (diagram not reproduced)
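An added example (not from the LinuxIT manual) that answers the question asked above: the sh functions below parse a route -n style table, pick out the default gateway (the entry whose Destination and Genmask are both 0.0.0.0) and perform the longest-prefix match the kernel applies when choosing the route for a destination. The table is constructed from the two route add commands shown above (the 10.0.0.0 entry is what they produce); the function names are my own.

```sh
#!/bin/sh
# Added example: route lookup over a constructed "route -n" table.
# Columns are those of the listing above: Destination Gateway Genmask Iface.
ROUTE_TABLE='192.168.1.0 0.0.0.0 255.255.255.0 eth0
10.0.0.0 192.168.1.108 255.0.0.0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 lo
0.0.0.0 192.168.1.1 0.0.0.0 eth0'

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# mask_bits GENMASK -> number of 1 bits in the netmask (the prefix length)
mask_bits() {
    n=$(ip2int "$1"); bits=0
    while [ "$n" -ne 0 ]; do
        bits=$(( bits + (n & 1) )); n=$(( n >> 1 ))
    done
    echo "$bits"
}

# default_gateway -> gateway of the 0.0.0.0 / 0.0.0.0 entry ("anywhere")
default_gateway() {
    while read -r net gw mask dev; do
        if [ "$net" = 0.0.0.0 ] && [ "$mask" = 0.0.0.0 ]; then
            echo "$gw"; return 0
        fi
    done <<EOF
$ROUTE_TABLE
EOF
    echo none; return 1
}

# route_lookup DEST -> "direct via IFACE" or "via GATEWAY dev IFACE".
# An entry matches when DEST AND Genmask equals Destination; among the matches
# the most specific one (most mask bits) wins, so 0.0.0.0/0.0.0.0 is used last.
route_lookup() {
    dest_int=$(ip2int "$1"); best=-1; best_gw=; best_dev=
    while read -r net gw mask dev; do
        [ -n "$net" ] || continue
        if [ $(( dest_int & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ]; then
            len=$(mask_bits "$mask")
            if [ "$len" -gt "$best" ]; then
                best=$len; best_gw=$gw; best_dev=$dev
            fi
        fi
    done <<EOF
$ROUTE_TABLE
EOF
    [ "$best" -ge 0 ] || { echo "no route"; return 1; }
    if [ "$best_gw" = 0.0.0.0 ]; then
        echo "direct via $best_dev"        # on-link destination: no gateway needed
    else
        echo "via $best_gw dev $best_dev"
    fi
}

echo "default gateway: $(default_gateway)"
for dest in 192.168.1.50 10.5.5.5 8.8.8.8 127.0.0.1; do
    echo "$dest -> $(route_lookup "$dest")"
done
```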
5. Common Network Tools

Here is a short list of tools helpful when troubleshooting network connections.

ping:

This tool sends an ICMP ECHO_REQUEST datagram to a host and expects an ICMP ECHO_RESPONSE.

Options for ping
-b     ping a broadcast address
-c N   send N packets
-q     quiet mode: display only start and end messages

tcpdump:

This is a tool used to analyse network traffic by capturing network packets. The following commands
illustrate some options:

Let tcpdump autodetect the network interface
tcpdump

Specify a network interface to capture packets from
tcpdump -i wlan0

Give an expression to match
tcpdump host 192.168.10.1 and port 80
Notice that in a switched environment the switch may be configured to send packets to a given network
interface only if those packets were addressed to that interface. In that case it is not possible to monitor the
whole network.

netstat:

You may get information on current network connections, the routing table or interface statistics depending
on the options used.

Options for netstat:
-r   same as /sbin/route
-i   display list of interfaces
-n   don't resolve IP addresses
-p   returns the PID and names of programs (only for root)
-v   verbose
-c   continuous update

Example: Output of netstat --inet -n :

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 192.168.1.10:139       192.168.1.153:1992     ESTABLISHED
tcp        0      0 192.168.1.10:22        192.168.1.138:1114     ESTABLISHED
tcp        0      0 192.168.1.10:80        192.168.1.71:18858     TIME_WAIT

In the above listing you can see that the local host has established connections on ports 139, 22 and 80.

arp:

Display the kernel address resolution cache.

Example:

arp
Address        HWtype  HWaddress          Iface
192.168.1.71   ether   00:04:C1:D7:CA:2D  eth0
traceroute:

Displays the route taken from the local host to the destination host. Traceroute forces intermediate routers
to send back error messages (ICMP TIME_EXCEEDED) by deliberately setting the ttl (time to live) value too
low. After each TIME_EXCEEDED notification traceroute increments the ttl value, forcing the next packet to
travel further, until it reaches its destination.

Options for traceroute:
-f ttl   change the initial time to live value to ttl instead of 1
-n       do not resolve IP numbers
-v       verbose
-w sec   set the timeout on returned packets to sec
6. Exercises and Summary

Files

File                           Description
/etc/resolv.conf               file containing a list of DNS servers used to resolve computer host names
/etc/sysctl.conf               configuration file for the sysctl tool used to customise kernel settings in /proc/sys/
/proc/sys/net/ipv4/ip_forward  file containing information about the kernel forwarding status. The kernel will either
                               forward or not packets that are addressed to a different host depending if the file
                               contains a 1 or a 0

Commands

Command     Description
arp         print the kernel ARP cache
dhcpcd      a DHCP client daemon
dhcpclient  a DHCP client daemon
ifconfig    ifconfig(8) - is used to configure the kernel-resident network interfaces. It is used at boot
            time to set up interfaces as necessary
netstat     netstat(8) - print information about network connections, routing tables, interface
            statistics, etc
ping        ping(8) - uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an
            ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams
            ("pings") have an IP and ICMP header, followed by a struct timeval and then an arbitrary
            number of "pad" bytes used to fill out the packet
pump        pump(8) - is a daemon that manages network interfaces that are controlled by either the
            DHCP or BOOTP protocol. While pump may be started manually, it is normally started
            automatically by the /sbin/ifup script for devices configured via BOOTP or DHCP
route       route(8) - manipulates the kernel's IP routing tables. Its primary use is to set up static
            routes to specific hosts or networks via an interface after it has been configured with the
            ifconfig(8) program. When the add or del options are used, route modifies the routing
            tables. Without these options, route displays the current contents of the routing tables
sysctl      sysctl(8) - is used to modify kernel parameters at runtime. The parameters available are
            those listed under /proc/sys/
traceroute  traceroute(8) - utilizes the IP protocol 'time to live' field and attempts to elicit an ICMP
            TIME_EXCEEDED response from each gateway along the path to some host

1. In the Routing Scenario section of this chapter give the routing table for the LAN's gateway.

2. Start your network interface manually
   ifconfig eth0 192.168.0.x
   List the kernel modules. Make sure that the eth0 module is loaded (check /etc/modules.conf).

3. Stop the network interface with:
   (i) ifconfig eth0 down
   Verify that you can bring the interface back up without entering new information:
   (ii) ifconfig eth0 up

4. Stop the interface and remove the kernel module (rmmod module). What happens if you repeat step
   3(ii)?

5. Divide the class into two networks A (192.168.1.0) and B (10.0.0.0).

First Scenario - at least 3 hosts

Try accessing machines across networks (this shouldn't work!)
Choose an existing machine to be the gateway (on either network)
If you choose the router to be on the existing 192.168.1.0 network then do the following on that
router:
-- create an aliased interface on the 10.0.0.0 network (x is any available number)
   ifup eth0:1 10.0.0.x

-- allow IP forwarding
   echo 1 > /proc/sys/net/ipv4/ip_forward

-- add a route to the other network using the gateway machine (you will need to know either the eth0
   or eth0:1 setting of the gateway depending on which network you are on).

Second scenario - at least 4 hosts

Make sure the routers force routing through the aliased interface. For example on router A:
route add -net 192.168.1.0/24 gw 172.16.0.10 dev eth0:0
TCP/IP Networks

Prerequisites
Network configuration (p. 36)

Goals
Understand formal TCP/IP network concepts
Manage subnets
Understand the four layer TCP/IP model
Introduce service port numbers

Contents
TCP/IP Networks ...................................... 48
1. Binary Numbers and the Dotted Quad ................ 49
2. Broadcast Address, Network Address and Netmask .... 49
3. Network Classes ................................... 51
4. Classless Subnets ................................. 52
5. The TCP/IP Suite .................................. 53
6. TCP/IP Services and Ports ......................... 55
7. Exercises and Summary ............................. 56
1. Binary Numbers and the Dotted Quad

Binary numbers

10  = 2^1
100 = 2^2
101 = 2^2 + 1
111 = 100 + 010 + 001

This means that a binary number can easily be converted into a decimal as follows:

10000000 = 2^7 = 128
01000000 = 2^6 = 64
00100000 = 2^5 = 32
00010000 = 2^4 = 16
00001000 = 2^3 = 8
00000100 = 2^2 = 4
00000010 = 2^1 = 2
00000001 = 2^0 = 1

The Dotted Quad:

The familiar IP address assigned to an interface is called a dotted quad. In the case of an IPv4 address this
is 4 bytes (4 times 8 bits) separated by dots.

Decimal      Binary
192.168.1.1  11000000.10101000.00000001.00000001

2. Broadcast Address, Network Address and Netmask

An IP number contains information about both the host address (or interface) and network address.

The Netmask

A netmask is used to define which part of the IP address is used for the network; it is also called a subnet
mask.

A 16 bit and 17 bit netmask:

255.255.0.0    16-bit  11111111.11111111.00000000.00000000
255.255.128.0  17-bit  11111111.11111111.10000000.00000000

The netmask is usually given in decimal.

Example: with a 16-bit netmask the following IPs are on the same network:
00100000.10000000.00000001.00000001
00100000.10000000.00000000.00000011

This means that any bits that are changed inside the box (the first two bytes, 8+8=16 bits) will change the
network address and the interfaces will need a gateway to connect to each other.
In the same way, any bits that are changed outside the box will change the interface address without
changing networks.

For example with a 24-bit netmask the above two IPs would be on different networks:

00100000.10000000.00000001.00000001
00100000.10000000.00000000.00000011

The Network Address

Every network has a number which is needed when setting up routing. The network number is a portion of
the dotted quad. The host address portion is replaced by zeros.

Typical network address: 192.168.1.0

The Broadcast Address

A machine's broadcast address is a range of hosts/interfaces that can be accessed on the same network.
For example a host with the broadcast address 10.1.255.255 will access any machine with an IP address of
the form 10.1.x.x. Typical broadcast: 192.168.1.255

The dotted quad revisited

Simple logical operations can be applied to the broadcast, netmask and network numbers.

To retrieve the network address from an IP number simply AND the IP with the netmask.

Network Address = IP AND Netmask

Similarly the broadcast address is found with the network address OR 'not MASK'.

Broadcast Address = Network OR not(Netmask)

Here AND and OR are logical operations on the binary form of these addresses.

Example:

Take the IP 192.168.3.5 with a net mask 255.255.255.0. We can do the following operations:

Network address = IP AND MASK

11000000.10101000.00000011.00000101  (192.168.3.5)
AND
11111111.11111111.11111111.00000000  (255.255.255.000)
-----------------------------------
11000000.10101000.00000011.00000000  (192.168.3.0)

Broadcast Address = IP OR NOT-MASK

11000000.10101000.00000011.00000101  (192.168.3.5)
OR
00000000.00000000.00000000.11111111  (000.000.000.255)
-----------------------------------
11000000.10101000.00000011.11111111  (192.168.3.255)

It is clear from the above example that an IP number together with a netmask is enough to retrieve all the
information relative to the network and the host.

3. Network Classes

• Reserved IP addresses

For private networks a certain number of IP addresses are allocated which are never used on the Internet.
These reserved IP's are typically used for LAN's.

The following table displays the various private/reserved classes.

Table 1: Reserved addresses
1    Class A  10.x.x.x
11   Class B  172.16.x.x - 172.31.x.x
255  Class C  192.168.x.x

• IP classes

Class A: 8-bit network address and 24-bit host address

The first byte of the IP number is reserved for the network address. So the default subnet mask would be
255.0.0.0. The 3 remaining bytes are available to set host interfaces.
Since 255.255.255 and 0.0.0 are invalid host numbers there are 2^24 - 2 = 16 777 214 possible hosts.
IP numbers have the first byte ranging from 1 to 127. This corresponds to a binary range of 00000001 to
01111111. The first two bits of a class A address can be set to "00" or "01".

Class B: 16-bit network address and 16-bit host address

The two first bytes of the IP number are reserved for the network address. The default subnet mask is
255.255.0.0. There are 2^16 - 2 = 65 534 possible hosts.
The first byte ranges from 128 to 191. Notice that the binary range of the first byte is 10000000 to
10111111. That is, the first two bits of a class B address are always set to "10".
Class C: 24-bit network address and 8-bit host address

The three first bytes are reserved for the network address. The default subnet mask is 255.255.255.0. There
are 2^8 - 2 = 254 possible hosts.
The first byte ranges from 192 to 223. This corresponds to a binary range from 11000000 to 11011111.
From this we conclude that the first two bits of a class C address are always set to "11".

4. Classless Subnets

Subnetting occurs when bits reserved for hosts are used for the network. This is determined by the netmask
and results in networks being split.

For example a regular class A netmask 255.0.0.0 can be altered to allow the first bit of the second byte to
be part of the network. This results in a 9-bit network address and a 23-bit host address.

The binary netmask looks like
11111111.10000000.00000000.00000000 or 255.128.0.0

Slash Notation

A network can be described using a slash notation. The following notations are equivalent:

10.0.0.0/9
network 10.0.0.0, netmask 255.128.0.0

We will take the example of a class C address 192.168.1.0. We investigate a 25-bit then a 26-bit network.

25-bit network

Netmask: 11111111.11111111.11111111.10000000 or 255.255.255.128

Since Network = IP AND Netmask, we see from the netmask that two network addresses can be formed
depending on the hosts range:

1. Host addresses in the 192.168.1.0xxxxxxx range result in a 192.168.1.0 network. We say the network
number is 0
2. Host addresses in the 192.168.1.1xxxxxxx range result in a 192.168.1.128 network. We say the network
number is 128

In both cases substitution of the x's by zeros or ones has a special meaning:

Network address  Substitute with 0's  Substitute with 1's
0                Network: 0           Broadcast: 127
128              Network: 128         Broadcast: 255
We are left with the task of counting the number of hosts on each network. Since the host address is 7-bit
long and we exclude 2 values (all 1's and all 0's) we have 2^7 - 2 = 126 hosts on each network or a total of
252 hosts.

Notice that if the default subnet mask 255.255.255.0 is used we have 254 available host addresses. In the
above example 192.168.1.127 and 192.168.1.128 are taken for the first broadcast and second network
respectively; this is why only 252 host addresses can be used.

26-bit network

Netmask: 11111111.11111111.11111111.11000000 or 255.255.255.192

Here again depending on the host's address 4 different network addresses can be determined with the AND
rule.

1. Host addresses in the 192.168.1.00xxxxxx range result in a 192.168.1.0 network.
2. Host addresses in the 192.168.1.01xxxxxx range result in a 192.168.1.64 network.
3. Host addresses in the 192.168.1.10xxxxxx range result in a 192.168.1.128 network.
4. Host addresses in the 192.168.1.11xxxxxx range result in a 192.168.1.192 network.

Substituting the x's with 1's in the numbers above gives us the corresponding broadcast addresses:
192.168.1.63, 192.168.1.127, 192.168.1.191, 192.168.1.255

Each subnet has 2^6 - 2 = 62 possible hosts or a total of 248.
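As an added example (not from the LinuxIT manual), the sh functions below carry out the AND / OR arithmetic of the "dotted quad revisited" section and the slash-notation subnetting just described for any IP and prefix length, and enumerate the subnets and broadcasts of a class C network split as in the 25-bit and 26-bit cases; the function names and the 83.10.11.0/27 call (the network of this chapter's exercise) are my own.

```sh
#!/bin/sh
# Added example: netmask arithmetic in POSIX sh.
#   Network Address   = IP AND Netmask
#   Broadcast Address = Network OR NOT(Netmask)
# Addresses are handled as 32-bit integers so that the bitwise operators of
# arithmetic expansion perform the operations shown in binary in the text.

ip2int() {                       # A.B.C.D -> integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {                       # integer -> A.B.C.D
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

prefix_mask() {                  # /LEN -> dotted netmask (LEN leading 1 bits)
    if [ "$1" -eq 0 ]; then echo 0.0.0.0
    else int2ip $(( (4294967295 << (32 - $1)) & 4294967295 )); fi
}

network_addr() {                 # IP LEN -> IP AND mask
    int2ip $(( $(ip2int "$1") & $(ip2int "$(prefix_mask "$2")") ))
}

broadcast_addr() {               # IP LEN -> network OR NOT(mask)
    m=$(ip2int "$(prefix_mask "$2")")
    int2ip $(( ($(ip2int "$1") & m) | (~m & 4294967295) ))
}

host_count() {                   # LEN -> 2^(32-LEN) - 2 (all-0 and all-1 host parts excluded)
    echo $(( (1 << (32 - $1)) - 2 ))
}

ip_class() {                     # IP -> A, B or C from the leading bits of the first byte
    first=${1%%.*}
    if   [ "$first" -lt 128 ]; then echo A      # 0xxxxxxx
    elif [ "$first" -lt 192 ]; then echo B      # 10xxxxxx
    elif [ "$first" -lt 224 ]; then echo C      # 110xxxxx
    else echo other; fi
}

subnet_report() {                # IP LEN -> one descriptive line
    printf '%s/%s: class %s, netmask %s, network %s, broadcast %s, %s hosts\n' \
        "$1" "$2" "$(ip_class "$1")" "$(prefix_mask "$2")" \
        "$(network_addr "$1" "$2")" "$(broadcast_addr "$1" "$2")" "$(host_count "$2")"
}

list_subnets() {                 # IP LEN -> every /LEN subnet of the class C (/24) holding IP
    base=$(ip2int "$(network_addr "$1" 24)")
    step=$(( 1 << (32 - $2) ))   # addresses per subnet, e.g. 64 for /26
    i=0
    while [ "$i" -lt $(( 256 / step )) ]; do
        n=$(( base + i * step ))
        echo "network $(int2ip "$n") broadcast $(int2ip $(( n + step - 1 )))"
        i=$(( i + 1 ))
    done
}

subnet_report 192.168.3.5 24     # the worked example of the text
subnet_report 192.168.1.0 25
list_subnets 192.168.1.0 26
subnet_report 83.10.11.0 27      # the network of this chapter's exercise
```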
5. The TCP/IP Suite

TCP/IP is a suite of protocols used on the Internet. The name is meant to describe that several protocols
are needed in order to carry data and programs across a network. The main two protocols are TCP
(Transmission Control Protocol) and IP (Internet Protocol).

To simplify, IP handles packets or datagrams only (destination address, size...) whereas TCP handles the
connection between two hosts. The idea is that protocols relay each other, each one doing its specialised
task. In this context one speaks of the TCP/IP stack.

The protocols intervene therefore at various layers of the networking process.

The 4 layer TCP/IP model:

Application     application level (FTP, SMTP, SNMP)
Transport       handles hosts (TCP, UDP)
Internet        routing (IP, ICMP, IGMP, ARP)
Network Access  network cards, e.g. Ethernet, token ring ...
• Protocol Overview

IP    The Internet Protocol (IP) is the transport for TCP, UDP, and ICMP data. IP provides
      an unreliable connectionless service, allowing all integrity to be handled by one of the
      upper layer protocols, i.e. TCP, or some application-specific devices. There is no
      guarantee that a datagram will reach the host using IP alone. The IP protocol handles
      the addressing and the routing between networks. IP is the datagram delivery service.
TCP   Transmission Control Protocol (TCP) provides a reliable connection orientated service
      to applications that use it. TCP is connection orientated and checks on each host the
      order in which the packets are sent/received and also verifies that all the packets are
      transmitted. Applications such as telnet or ftp use the TCP protocol and don't need to
      handle issues over data loss etc ...
UDP   The User Datagram Protocol provides direct access to IP for application programs but
      unlike TCP, is connectionless and unreliable. This provides less overhead for
      applications concentrated on speed. If some form of packet accounting is needed this
      has to be provided by the application.
ICMP  The Internet Control Message Protocol is used by routers and hosts to report on the
      status of the network. It uses IP datagrams and is itself connectionless.
PPP   The Point to Point Protocol establishes a TCP/IP connection over phone lines. It can
      also be used inside encrypted connections such as pptp.

6. TCP/IP Services and Ports

The list of known services and their relative ports is generally found in /etc/services. The official list of
services and associated ports is managed by the IANA (Internet Assigned Numbers Authority).

Since the port field is a 16-bit number there are 65535 available numbers. Numbers from 1 to 1023 are
privileged ports and are reserved for services run by root. Most known applications will listen on one of
these ports.
1e will look at the output of portscans. @eware that unauthorised portscanning is illegal although many
people use them.

8ere is the output of a portscan+
Port +tate +er*ice
2(tcp open !tp
22tcp open ssh
2:tcp open te)net
25tcp open smtp
M0tcp open gopher
MLtcp open !inger
;0tcp open http
This shows open ports! these are ports being used by an application.
The /etc/services main ports:
ftp-data      20/tcp
ftp           21/tcp
ssh           22/udp
ssh           22/tcp
telnet        23/tcp
smtp          25/tcp    mail
domain        53/tcp
domain        53/udp
http          80/tcp    # www is used by some broken
pop-3        110/tcp    # PostOffice V.3
sunrpc       111/tcp
sftp         115/tcp
uucp-path    117/tcp
nntp         119/tcp    usenet    # Network News Transfer
ntp          123/tcp    # Network Time Protocol
netbios-ns   137/tcp    nbns
netbios-ns   137/udp    nbns
netbios-dgm  138/tcp    nbdgm
netbios-dgm  138/udp    nbdgm
netbios-ssn  139/tcp    nbssn
imap         143/tcp    # imap network mail protocol
NeWS         144/tcp    news    # Window System
snmp         161/udp
snmp-trap    162/udp
7. Exercises and Summary
Registering a service with xinetd
1. Write a bash script that echoes "Welcome" to stdout. Save it in /usr/sbin/hi
#!/bin/bash
echo Welcome
Change the permission on the script to make it executable.
2. In /etc/xinetd.d create a new file called fudge with the following:
service fudge
{
    socket_type = stream
    server      = /usr/sbin/hi
    user        = root
    wait        = no
    disable     = no
}
3. Add a service called fudge in /etc/services that will use port 60000.
4. Restart xinetd and telnet to port 60000
5. You have been assigned a range of IPs on the 83.10.11.0/27 network.
How many networks have the same first 3 bytes as yours?
How many hosts are on your network?
What is the broadcast address for this first network?

Network Services
Prerequisite
Booting Linux (p.14)
Network Configuration (p. 36)
Goals
Understand the difference between inetd and xinetd
Use the libwrap or "TCP wrapper" mechanism to secure services
Configure NFS and SMB shares
Configure network services: DNS (BIND), Sendmail and Apache
Contents
Network Services .......................................... 57
1. The inetd daemon (old) ................................. 58
2. The xinetd Daemon ...................................... 59
3. Telnet and FTP ......................................... 60
3. TCP wrappers ........................................... 62
4. Setting up NFS ......................................... 63
5. SMB and NMB ............................................ 64
6. DNS services ........................................... 66
7. Sendmail main Configuration ............................ 71
8. The Apache server ...................................... 73
9. Exercises and Summary .................................. 74
Network services can either run continuously as standalone applications which listen for connections and
handle clients directly, or they can be called by the network daemon inetd (old) or xinetd.
1. The inetd daemon (old)
This daemon is started at boot time and listens for connections on specific ports. This allows the server to
run a specific network daemon only when needed.
For example, the telnet service has a daemon /usr/sbin/in.telnetd which handles telnet sessions. Instead
of running this daemon all the time inetd is instructed to listen on port 23. These instructions are set in
/etc/inetd.conf.
The inetd daemon
The fields of /etc/inetd.conf contain the following:
service-name    valid name from /etc/services
socket type     stream for TCP and dgram for UDP
protocol        valid protocol from /etc/protocols
flag            nowait if multithreaded and wait if single-threaded
user/group      run application as user or group
program         usually tcpd
argument        the name of the program to be run for this service
Example:
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
Notice: The /etc/services file is used to make the correspondence between service names and socket port
numbers. The fields in services are as follows:
service-name port/protocol [aliases]

2. The xinetd Daemon
This is the most recent version of inetd. The tcpd daemon is no longer used, instead xinetd does
everything. Configuration is done either through a single file /etc/xinetd.conf or by editing individual files in
/etc/xinetd.d/ corresponding to the services being monitored by xinetd. It is possible to migrate from the
old inetd configuration file to the configuration files for the modern xinetd. Nothing else needs to be done.
Structure of a service file in xinetd.d
service-name {
    disable     = yes/no
    socket_type = stream for TCP and dgram for UDP
    protocol    = valid protocol from /etc/protocols
    wait        = <yes or no>
    user        = the user the application runs as
    group       = the group the application runs as
    server      = the name of the program to be run for this service
}
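As an added example (not from the course material or from xinetd itself), the following bash function converts one /etc/inetd.conf entry into an /etc/xinetd.d stanza using the field mapping of the two tables above; it assumes that a daemon named without a path, as in the tcpd entries of this chapter, lives in /usr/sbin.

```bash
#!/bin/bash
# Convert one /etc/inetd.conf entry into an /etc/xinetd.d service stanza.
# Added example for this chapter; not part of the course material or of xinetd.
# inetd.conf field order (see the table above):
#   service socket_type protocol wait[.max] user[.group] program [argv0 args...]
set -f   # the fields are not shell globs; never expand them

inetd_to_xinetd() {
    local line="$1"
    set -- $line                                   # split the entry on whitespace
    if [ $# -lt 6 ]; then
        echo "inetd_to_xinetd: not an inetd.conf entry: $line" >&2
        return 1
    fi
    local name="$1" socktype="$2" proto="$3" waitflag="$4" usergrp="$5" program="$6"
    shift 6

    # nowait: inetd forks one server per connection (multi-threaded);
    # wait:   one server handles every connection (single-threaded).
    local wait
    case "${waitflag%%.*}" in
        nowait) wait=no ;;
        wait)   wait=yes ;;
        *) echo "inetd_to_xinetd: unknown wait flag '$waitflag' for $name" >&2; return 1 ;;
    esac

    # inetd writes user.group (or user:group) in one field; xinetd uses two attributes.
    local user="${usergrp%%[.:]*}" group=""
    [ "$user" = "$usergrp" ] || group="${usergrp#*[.:]}"

    # The first argument is argv[0], which xinetd supplies by itself. When the
    # program is tcpd, that argv[0] names the real daemon: xinetd does its own
    # access control, so the wrapper is dropped and the daemon becomes the server.
    # Assumption: a bare daemon name lives in /usr/sbin, as in this chapter.
    local server="$program" argv0="${1:-}"
    if [ $# -gt 0 ]; then shift; fi
    if [ "${program##*/}" = tcpd ]; then
        case "$argv0" in
            '')  echo "inetd_to_xinetd: tcpd entry without a daemon name" >&2; return 1 ;;
            /*)  server="$argv0" ;;
            *)   server="/usr/sbin/$argv0" ;;
        esac
    fi
    local args="$*"

    printf 'service %s\n{\n' "$name"
    printf '\tsocket_type = %s\n' "$socktype"
    printf '\tprotocol    = %s\n' "$proto"
    printf '\twait        = %s\n' "$wait"
    printf '\tuser        = %s\n' "$user"
    [ -z "$group" ] || printf '\tgroup       = %s\n' "$group"
    printf '\tserver      = %s\n' "$server"
    [ -z "$args" ]  || printf '\tserver_args = %s\n' "$args"
    printf '\tdisable     = no\n}\n'
}

# Constructed sample entries: the pop-3 entry from this chapter and a wrapped
# telnet entry that also carries a group and an extra argument.
inetd_to_xinetd 'pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d'
inetd_to_xinetd 'telnet stream tcp nowait root.tty /usr/sbin/tcpd in.telnetd -a none'
```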
3. Telnet and FTP
Telnet and ftp are common examples of services using the inetd/xinetd mechanism to listen for incoming
connections.
TELNET is the name of the application layer protocol used to establish a "bi-directional
communication facility" (RFC 854). "Its primary goal is to allow a standard method
of interfacing terminal devices and terminal-oriented processes to each other".
The server runs a telnet daemon (usually in.telnetd) and communications are initiated from the client using
a telnet client (called telnet too). For RPM based machines the server package is called telnet-server and
the client package is called telnet.
Once the telnet-server package is installed the configuration files /etc/inetd.conf or /etc/xinetd.conf need
the following options:
/etc/inetd.conf (for the inetd daemon)
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
/etc/xinetd.conf (for the xinetd daemon)
service telnet
{
    disable        = no
    flags          = REUSE
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/in.telnetd
    log_on_failure += USERID
}
The next command attempts to connect to the host 192.168.10.23. Notice that the content of /etc/issue.net
is also displayed:
telnet 192.168.10.23
Trying 192.168.10.23...
Connected to ws001 (192.168.10.23).
Escape character is '^]'.
Fedora Core release 3 (Heidelberg)
Kernel 2.6.11-1.14_FC3 on an i686
login:
FTP is the "file transfer protocol". The objectives of this application layer protocol stated in RFC 959 are
"1) to promote sharing of files (computer programs and/or data), 2) to encourage
indirect or implicit (via programs) use of remote computers, 3) to shield a user
from variations in file storage systems among hosts, and 4) to transfer data
reliably and efficiently"
There are several ftp servers available for Linux. In these notes we choose to configure vsftpd (very safe
FTP server) which is available as a package of the same name. There are many FTP clients provided by
the packages ftp, ncftp, lftp or gftp (graphical).
The vsftpd can be started as a stand alone server (recommended) but can also use inetd or xinetd to
handle incoming connections with the following options
/etc/vsftpd/vsftpd.conf
listen=NO
/etc/inetd.conf
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vsftpd
/etc/xinetd.conf
service ftp
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/vsftpd
    nice        = 10
    disable     = yes
}
It is possible to log onto an FTP server either as an anonymous user or as a regular system user (e.g. a user
with an entry in /etc/passwd). Anonymous FTP allows a user to login with the username/password pair
anonymous and email-address. A regular user will initially have access to his or her home directory
whereas anonymous users can only browse the contents of /var/ftp/.
ftp 192.168.10.23
Connected to 192.168.10.23.
220 (vsFTPd 2.0.1)
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.10.23:tux)
3. TCP wrappers
If programs have been compiled with the libwrap library then they can be listed in the files /etc/hosts.allow
and /etc/hosts.deny. The libwrap library will check these files for a matching host.
Default format for /etc/hosts.{allow,deny}:
DAEMON : hosts [EXCEPT hosts] [: spawn command]
One can also use these files to log unauthorised connection attempts. This can also help as an early warning system.
Here are a few examples.
Getting information about a host:
/etc/hosts.allow
in.telnetd: LOCAL, .my.domain
/etc/hosts.deny
in.telnetd: ALL : spawn (/usr/sbin/safe_finger -l @%h | mail root)
Redirect to a bogus service or "honey pot":
/etc/hosts.allow
in.telnetd: ALL : twist /dtk/Telnetd.pl
The last example comes from the dtk (Deception Tool Kit) that can be downloaded from
http://all.net/dtk/download.html
The inetd and xinetd daemons as well as some stand alone servers such as sshd and vsftpd have been
dynamically compiled with libwrap:
ldd /usr/sbin/xinetd | grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x003da000)
ldd /usr/sbin/vsftpd | grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00204000)
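The point that matters when writing these files is the order in which libwrap evaluates them: hosts.allow is consulted first, then hosts.deny, and a (daemon, client) pair that matches neither file is allowed. The added bash script below (not libwrap's own code) reproduces that decision for the rules in this section against constructed sample files, so a rule set can be checked before a service is exposed.

```bash
#!/bin/bash
# Decide, the way libwrap does, whether a (daemon, client) pair is let in:
# hosts.allow is searched first, then hosts.deny, and a pair matching neither
# file is allowed. Added example for this section, not libwrap's own code.
# Patterns covered: ALL, LOCAL, ".domain" suffixes, "net." prefixes, exact host
# names or addresses, and one EXCEPT per list. The spawn/twist options are
# ignored here; they only run once a rule has matched.
set -f   # access-control patterns are not shell globs

token_matches() {   # $1 pattern, $2 kind (daemon|client), $3 daemon, $4 host, $5 ip
    local pat="$1" kind="$2" daemon="$3" host="$4" ip="$5"
    [ "$pat" = ALL ] && return 0
    if [ "$kind" = daemon ]; then
        [ "$pat" = "$daemon" ]
        return
    fi
    case "$pat" in
        LOCAL) case "$host" in *.*) return 1 ;; *) return 0 ;; esac ;;  # no dot = local
        .*)    case "$host" in *"$pat") return 0 ;; *) return 1 ;; esac ;;
        *.)    case "$ip"   in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$pat" = "$host" ] || [ "$pat" = "$ip" ] ;;
    esac
}

any_token_matches() {   # $1 comma/space separated tokens, $2.. as token_matches
    local tok
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        token_matches "$tok" "$2" "$3" "$4" "$5" && return 0
    done
    return 1
}

list_matches() {   # $1 list, possibly "a, b EXCEPT c"; $2.. as token_matches
    local include="$1" exclude=""
    case "$1" in *EXCEPT*) include="${1%%EXCEPT*}"; exclude="${1#*EXCEPT}" ;; esac
    any_token_matches "$include" "$2" "$3" "$4" "$5" || return 1
    [ -z "$exclude" ] || ! any_token_matches "$exclude" "$2" "$3" "$4" "$5"
}

file_matches() {   # $1 file, $2 daemon, $3 host, $4 ip: does any rule match?
    local daemons clients rest
    [ -r "$1" ] || return 1
    while IFS=: read -r daemons clients rest || [ -n "$daemons" ]; do
        case "$daemons" in ''|'#'*) continue ;; esac          # blank or comment
        list_matches "$daemons" daemon "$2" "$3" "$4" || continue
        list_matches "$clients" client "$2" "$3" "$4" && return 0
    done < "$1"
    return 1
}

hosts_access() {   # $1 allow file, $2 deny file, $3 daemon, $4 host, $5 ip
    if file_matches "$1" "$3" "$4" "$5"; then echo allow
    elif file_matches "$2" "$3" "$4" "$5"; then echo deny
    else echo allow                                        # matched nowhere
    fi
}

# Constructed sample files (not a real configuration): the telnet rules from
# this section plus sshd rules using an EXCEPT clause.
DEMO_DIR=$(mktemp -d)
DEMO_ALLOW="$DEMO_DIR/hosts.allow"; DEMO_DENY="$DEMO_DIR/hosts.deny"
cat > "$DEMO_ALLOW" <<'EOF'
in.telnetd: LOCAL, .my.domain
sshd: 192.168.10. EXCEPT 192.168.10.99
EOF
cat > "$DEMO_DENY" <<'EOF'
in.telnetd: ALL : spawn (/usr/sbin/safe_finger -l @%h | mail root)
sshd: ALL
EOF
hosts_access "$DEMO_ALLOW" "$DEMO_DENY" in.telnetd ws001 192.168.10.23         # allow
hosts_access "$DEMO_ALLOW" "$DEMO_DENY" in.telnetd evil.example.net 10.9.8.7   # deny
```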
4. Setting up NFS
Client settings
For a Linux client to mount remote file systems
1. the nfs file system must be supported by the kernel
2. the portmap daemon must be running.
The portmapper is started by the /etc/rc.d/init.d/portmap script. The mount utility will mount the
filesystem.
For example we can create a new directory called /mnt/n
fs and mount a shared directory from the server
nfs-server called /shared/dir. This can be done by adding the following line to /etc/fstab
/etc/fstab
nfs-server:/shared/dir /mnt/nfs nfs defaults 0 0
If no entry is set in /etc/fstab then the complete command would be:
mount -t nfs nfs-server:/shared/dir /mnt/nfs
Server settings
An NFS server needs portmap to be running before starting the nfs server. The nfs server should be started
or stopped with the /etc/rc.d/init.d/nfs script.
The main configuration file is /etc/exports.
Sample /etc/exports file
/usr/local/docs *.local.org(rw,no_root_squash) *(ro)
The /usr/local/docs directory is exported to all hosts as read-only, and read-write to all hosts in the .local.org
domain.
The default root_squash option, which stops the root user (uid = 0) on the client from having root access to
the share on the server, can be turned off with the no_root_squash option.

The /etc/exports file matches hosts such as *.machine.com whereas /etc/hosts.allow/deny match hosts
such as .machine.com
If the /etc/exports file has been changed then the exportfs utility should be run. If existing directories in
/etc/exports are modified then it may be necessary to unmount all nfs shares before remounting them all.
Individual directories are made available for mounting with exportfs.
Unexporting and exporting all directories in /etc/exports:
exportfs -ua ; exportfs -a
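Before running exportfs it is worth checking what the file actually grants. The added bash script below (not part of nfs-utils or the course) scans an exports file for the two settings this section warns about, no_root_squash and read-write access open to every host, and runs against a constructed sample that includes the example line above.

```bash
#!/bin/bash
# Audit an /etc/exports file for the two things this section warns about: shares
# exported with no_root_squash (client root keeps uid 0 on the server) and shares
# writable by every host. Added example, not part of nfs-utils or the course.
set -f   # "*" and "*.domain" in exports are host patterns, not shell globs

audit_exports() {   # $1 exports file: print one finding per line
    local path spec entry client opts
    while read -r path spec || [ -n "$path" ]; do
        case "$path" in ''|'#'*) continue ;; esac         # blank or comment
        # Some documentation writes "(rw, no_root_squash)" with a space; exportfs
        # would read that as two entries, so join it back before splitting.
        spec=$(printf '%s' "$spec" | sed 's/,[[:space:]]*/,/g')
        [ -n "$spec" ] || spec='*'                         # no client list: everyone
        for entry in $spec; do
            client="${entry%%\(*}"; opts=""
            case "$entry" in *\(*\)) opts="${entry#*\(}"; opts="${opts%\)}" ;; esac
            [ -n "$client" ] || client='*'                 # "(ro)" alone: everyone
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path: no_root_squash for $client (client root is root on the server)" ;;
            esac
            case "$client:,$opts," in
                '*:'*,rw,*) echo "$path: writable (rw) by every host" ;;
            esac
        done
    done < "$1"
}

make_sample_exports() {   # write a constructed exports file to $1
    cat > "$1" <<'EOF'
# constructed sample: the first entry is this section's example
/usr/local/docs *.local.org(rw,no_root_squash) *(ro)
/home           192.168.10.0/24(rw,sync)
/pub            (ro)
/srv/backup     *(rw)
EOF
}

demo=$(mktemp); make_sample_exports "$demo"
audit_exports "$demo"      # reports /usr/local/docs and /srv/backup
rm -f "$demo"
```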

5. SMB and NMB
Linux machines can access and provide Windows shared resources (directories and printers). The protocol
used for this is the MS Windows Server Message Block SMB. Samba is the most common Linux tool which
provides client and server software.
From the Command Line
The smbclient utility is used to list shared resources. Remote directories are typically mounted with
smbmount although 'mount -t smbfs' can also be used.
Examples:
Send a pop up message to the win98desk computer
smbclient -M win98desk
Mount the shared directory of the winserv computer
smbmount //winserv/shared /mnt/winserv/shared
The Samba server is configured with the /etc/smb.conf file. The server is stopped and started with the
/etc/rc.d/init.d/smb script. Notice that smb will also start the NMB services. This is the NetBIOS Message
Block which enables name resolution in the Windows realm.
Figure 1: Nautilus Browsing SMB shares:
Main entries in /etc/smb.conf:
[global]
    workgroup = LINUXIT
    os level = 2
    kernel oplocks = No
    security = user
    encrypt passwords = Yes
    guest account = nobody
    map to guest = Bad User
[homes]
    comment = Home Directories
    read only = No
    create mask = 0640
    directory mask = 0750
    browseable = No
[printers]
    comment = All Printers
    path = /var/tmp
    create mask = 0600
    printable = Yes
    browseable = No
SWAT and Webmin GUI Configuration
If you install the swat package then you can administer a samba server via a web-based GUI on port 901.
Another popular general administration tool is webmin. It can be downloaded at www.webmin.com
NOTICE
The configuration file /etc/samba/smb.conf is a good source of documentation. All options are
explained and can be switched on by deleting the comment character. Also read the
smb.conf(5) manpage.


6. DNS services
Finding a Name with /etc/nsswitch.conf
The file /etc/nsswitch.conf (previously /etc/host.conf) holds all the information needed by an application
to find a name. The types of names are designated by a keyword.
Common Names
keyword     description
passwd      user names
group       group names
hosts       host names
networks    network names
Names are searched in a number of 'databases'. Each database can be accessed by a specialised library.
For example there will be libraries called libnss_files, libnss_nis and libnss_dns to deal with each of the databases
listed below.
Common databases
keyword     description
files       flat files, generally in /etc
nis         a map from a NIS server
dns         a DNS server
[Figure: name lookup path. The application consults /etc/nsswitch.conf, which hands the NAME? query to the files (libnss_files), nis (libnss_nis) or dns (libnss_dns) database; the dns library calls libresolv, which takes the list of DNS servers from /etc/resolv.conf.]

Sample /etc/nsswitch.conf
hosts:    files dns
networks: files nis ldap
The first line indicates that files (here /etc/hosts) should be queried first and then a DNS server if this fails.
The second line instructs to use the /etc/networks file for network information.
The Resolver
When a program needs to resolve a host name using a DNS server it uses a library called a resolver. The
resolver will first consult the /etc/resolv.conf file and determine which DNS server to contact.
Sample /etc/resolv.conf
search example.com
nameserver 192.168.123.1
If the resolver needs to use a domain name server (DNS) then it will consult the /etc/resolv.conf file for a
list of available servers to query.
The /etc/hosts file
With a small number of networked computers it is possible to convert decimal IP numbers into names using
the /etc/hosts file. The fields are as follows:
IP machine machine.domain alias
Example /etc/hosts file:
192.168.1.233 io io.my.domain
61.20.187.42 callisto callisto.physics.edu
Hierarchical structure
Name servers have a hierarchical structure. Depending on the location in the fully qualified domain name
(FQDN) a domain is called top-level, second-level or third-level.
Example top-level domains
com    Commercial organisations
edu    US educational institutions
gov    US government institutions
mil    US military institutions
net    Gateways and network providers
org    Non commercial sites
uk     UK sites
Types of DNS servers
Domains can be further divided into sub-domains. This limits the amount of information needed to
administer a domain. Zones have a master domain name server (previously called a primary DNS) and
one or several slave domain name servers (previously called secondary). Administration of a name server
consists of updating the information about a particular zone. The master servers are said to be
authoritative.

DNS Configuration Files
In old versions of BIND (prior to BIND version 8) the configuration file was /etc/named.boot. With BIND
version 8 the /etc/named.conf file is used instead. One can use the named-bootconf.pl utility to convert
old configuration files.
The /etc/named.boot file:
directory /var/named
cache . named.ca
primary myco.org named.myco
primary 0.0.127.in-addr.arpa named.local
primary 1.168.192.in-addr.arpa named.rev
The first line defines the base directory to be used. The named.ca file will contain the list of root DNS server
addresses used when querying external names. The third line is optional and contains records for the local LAN. The two
next entries are for reverse lookups.
In /etc/named.conf:
cache is replaced by hint
secondary is replaced by slave
primary is replaced by master.
Applying these changes to BIND4 configuration files will generate BIND8 and BIND9 files such as the
following.
The /etc/named.conf file:
options {
    directory "/var/named";
};
zone "." {
    type hint;
    file "named.ca";
};
zone "myco.org" {
    type master;
    file "named.myco";
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "named.rev";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};
DNS zone files
In this example the server is set as a caching-only server. All the zone files contain resource records.
Sample named.local zone file:
@   IN SOA localhost. root.localhost. (
        2001022700 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
    IN NS  localhost.
1   IN PTR localhost.
This is a very simple zone file but it gives us enough information to understand the basic mechanism of a
name server.
The @ sign will resolve to the related zone declared in /etc/named.conf. This allows any zone file to be
used as a template for further zones (see the exercises).
Table 1: Common Record Types
NS       Specify the zone's primary name server
PTR      Reverse mapping of IP numbers to hostnames
MX       Mail exchange record
A        Associate an IP address with a hostname
CNAME    Associate an alias with the host's main name
Table 2: Zone parameters
@ IN SOA   Start Of Authority. Identifies the zone followed by options enclosed in
           brackets.
serial     Is manually incremented when data is changed. Secondary servers query
           the master server's serial number. If it has changed, the entire zone file
           is downloaded
refresh    Time in seconds before the secondary server should query the SOA
           record of the primary domain. This should be at least a day.
retry      Time interval in seconds before attempting a new zone transfer if the
           previous download failed
expire     Time after which the secondary server discards all zone data if it cannot contact
           the primary server. Should be a week at least
minimum    This is the ttl for the cached data. The default is one day (86400
           seconds) but should be longer on stable LANs
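Because slaves only transfer a zone when the serial has grown, the serial must go up on every edit and never back. The added bash script below (not part of the course or of BIND) bumps a serial written in the YYYYMMDDnn form used by the sample zone above, refuses a value that would not increase, and is exercised on a constructed copy of named.local.

```bash
#!/bin/bash
# Bump the serial of a zone file that uses the YYYYMMDDnn convention shown in
# the sample above. Added example for this section, not part of the course or
# of BIND. It assumes the serial is the first number after "SOA" that carries
# a "; Serial" comment, as in the named.local sample.

zone_serial() {   # $1 zone file: print the current serial
    awk '/SOA/ {insoa = 1} insoa && /; *Serial/ {print $1; exit}' "$1"
}

bump_serial() {   # $1 zone file, $2 date as YYYYMMDD (default: today, UTC)
    local zone="$1" today="${2:-$(date -u +%Y%m%d)}" old new n
    old=$(zone_serial "$zone")
    case "$old" in
        ''|*[!0-9]*) echo "bump_serial: no numeric serial in $zone" >&2; return 1 ;;
    esac
    if [ ${#old} -eq 10 ] && [ "${old%??}" = "$today" ]; then
        # Same day as the last change: count up the two-digit suffix (max 99).
        n=$((10#${old#"$today"} + 1))
        if [ "$n" -gt 99 ]; then
            echo "bump_serial: 99 changes already made on $today" >&2; return 1
        fi
        new=$(printf '%s%02d' "$today" "$n")
    else
        new="${today}01"
    fi
    # Slaves transfer the zone only when the serial grows (see Table 2), so a
    # serial that does not increase, e.g. after a clock error, is refused.
    if [ "$new" -le "$old" ]; then
        echo "bump_serial: $new would not be greater than $old" >&2; return 1
    fi
    # Rewrite only the serial token on its own line, then report the change.
    awk -v old="$old" -v new="$new" '
        /SOA/ {insoa = 1}
        insoa && !done && /; *Serial/ {sub(old, new); done = 1}
        {print}' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$old -> $new"
}

make_sample_zone() {   # write a copy of this section's named.local to $1
    cat > "$1" <<'EOF'
@   IN SOA localhost. root.localhost. (
        2001022700 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
    IN NS  localhost.
1   IN PTR localhost.
EOF
}

# Constructed run: bump on the day of the existing serial, then on a later day.
demo=$(mktemp)
make_sample_zone "$demo"
bump_serial "$demo" 20010227      # 2001022700 -> 2001022701
bump_serial "$demo" 20050615      # 2001022701 -> 2005061501
head -n 2 "$demo"
rm -f "$demo"
```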

Testing
Here we only check the records of type MX. Other types are ANY, A or NS.
Check local domain: dig and host do the same thing except that dig will print out results that can be
used in a zone file:
dig @127.0.0.1 gogo.com MX
host -t mx gogo.com 127.0.0.1
Use the local caching server to query any domain: replace the domain gogo.com in the commands above
with any other domain you wish to query.
7. Sendmail main Configuration
Sendmail is the most popular mail transfer agent (MTA) on the Internet. It uses the Simple Mail Transfer
Protocol (SMTP) and runs as a daemon listening for connections on port 25.
The sendmail script which stops or starts the sendmail daemon is usually located in the /etc/rc.d/init.d/
directory.
Configuration Features
The main configuration file is /etc/mail/sendmail.cf (or /etc/sendmail.cf). Here you can specify the name
of the server as well as the names of the hosts from which and to which mail relay is allowed.
WARNING
You do not need to know how to write sendmail.cf rules. In fact all the rules can be generated using the
sendmail.m4 or sendmail.mc macro file to produce a sendmail.cf file by running the following
m4 sendmail.mc > sendmail.cf
This process is not part of the LPI objectives
sendmail.cf options
Cw    the mailer hostname. Can also contain a list of hostnames or domain names the
      mailer will assume but it is better to use Fw for this
Fw    path to the file containing domain names sendmail will receive mail for
Ds    address for 'smart host', this is a mailer that will relay our outgoing mail
Files in /etc/mail
access              list of hosts authorised to use the server to relay mail
local-host-names    list of domain names
Aliases and mail forwarding
The /etc/aliases file contains two fields as follows:
alias: user
For example if the mail server has a regular UNIX account for user foo then mail addressed to mr.foo will
reach this user only if the following line is included in /etc/aliases:
mr.foo: foo
Or if you want to forward all mail to an external address:
mr.foo: foo@someisp.net

For other options see the manpage aliases(5).
When changes to the /etc/aliases file are made the newaliases command must be run to rebuild the
database /etc/aliases.db.
When mail is addressed to a local user (say foo) then this user can choose to forward this mail to a list of
other users using a local file ~/.forward (one address per line).
In LPI 202 we will see that mail can also be forwarded to a file, a pipe or an include file.

The Mail Queues
When mail is accepted by the server it is appended to a single file with the name of the user. These files
are stored in /var/spool/mail/.
Depending on the Mail User Agent used (mutt, pine, elm ...), a user can either store these messages in his
home directory or download them on another machine.
All outgoing mail is spooled in /var/spool/mqueue
If the network is down or very slow, or if many messages are being sent, then mail accumulates in the mail
queue /var/spool/mqueue. You can query the queue with the mailq utility or sendmail -bp.
An administrator can flush the server's queue with sendmail -q.
Registering a Mailer for a Domain
Finally in order to use a domain name as a valid email address an MX record needs to be added on an
authoritative name server for your domain (usually your ISP).
For example if mail.company.com is a mail server, then in order for it to receive mail such as
joe@company.com you should have the following configuration:
1. Add company.com to /etc/mail/local-host-names
2. company.com MX 10 mail.company.com in a DNS zone file
8. The Apache server
Configuration Files
The /etc/httpd/conf/httpd.conf file contains all the configuration settings.
Older releases of apache had two extra files, one called access.conf where restricted directories were
declared, and another file called srm.conf specifying the server's root directory.
Configuration Highlights:

ServerType standalone/inetd
ServerRoot /etc/httpd
DocumentRoot /var/www/html
<Directory /var/www/cgi-bin>
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
<VirtualHost 122.234.32.12>
DocumentRoot /www/docs/server1
ServerName virtual.mydomain.org
</VirtualHost>
Running Apache
To stop and start the server one can use the /etc/rc.d/init.d/httpd script. On a busy server it is preferable to
use apachectl especially with the graceful option which will restart the server only when current
connections have been dealt with.
The main log files are in /var/log/httpd/. It may be useful for security reasons to regularly check the
error_log and access_log files.
I$ 'xer!ises and Summary

Files
"ile Description
,etc,hosts.allow
,etc,hosts.deny
file used by the libwrap library to determine access to a service from a given host!
network or domain
,etc,aliases aliases?5@ . file describes user ID aliases used by sendmail. $ach line is of the
form name= addr9(, addr92, ... where name is a local username to alias
and addr9n can be another alias! a local username! a local file name! a
command! an include file! or an external address
,etc,exports ex#orts?3@ N the file ,etc,exports serves as the access control list for file systems
which may be exported to C"/ clients. It is used by exportfs&>) to give information
to mountd&>) and to the kernel based C"/ file server daemon nfsd&>)
,etc,host.conf main configuration filefor the resolver
,etc,hosts database of host I#s and names
,etc,inetd.conf configuratiion file for the inetd daemon
,etc,mail,L directory containing all the sendmail configuration files
,etc,named.boot name of the @ICD6 version of named
,etc,named.conf name of the @ICD> and A versions of named
,etc,nsswitch.conf nsswit!h$!onf?5@ N /ystem Databases and Came /ervice /witch configuration
file.
,etc,resolv.conf list of DC/ servers used by the resolver to determine host names
,etc,sendmail.cf the main configuration file for sendmail
9w option within sendmail.cf that specifies the name of the server &may be a domain
name)
Ds option to specify a smarthost in sendmail.cf
"w option setting the name of the file that contains all the names of the mail server
,etc,smb.conf main configuration file for the samba server smbd
,etc,xinetd.conf configuration file for the xinetd daemon
,var,spool,mail, directory containing received mail for local users
,var,spool,mueue spool directory for outgoing mail
b,.forward file containing a list of addresses where valid local account mail is forwarded to
,
etc,httpd,conf,access.
conf
configuration file containing web directories that need extra identification
mechanisms such as htaccess &old)
,
etc,httpd,conf,httpd.co
nf
main configuration file for web server daemon htt#d
,
etc,httpd,conf,srm.con
f
configuration file defining the document root of the web server &old)
Commands
Command      Description
apachectl    apachectl(8) - apache HTTP server control interface. On the command line the script
             will simply pass all the given arguments to the httpd server
dig          dig(1) - (domain information groper) is a flexible tool for interrogating DNS name
             servers. It performs DNS lookups and displays the answers that are returned from the
             name server(s) that were queried
host         host(1) - a simple utility for performing DNS lookups. It is normally used to convert
             names to IP addresses and vice versa
exportfs     exportfs(8) - command is used to maintain the current table of exported file systems for
             NFS. This list is kept in a separate file named /var/lib/nfs/xtab which is read by
             mountd when a remote host requests access to mount a file tree, and parts of the list
             which are active are kept in the kernel's export table
inetd        see xinetd
mailq        mailq(1) - prints a summary of the mail messages queued for future delivery
portmap      portmap(8) - is a server that converts RPC program numbers into DARPA protocol port
             numbers. It must be running in order to make RPC calls. When an RPC server is
             started, it will tell portmap what port number it is listening to, and what RPC program
             numbers it is prepared to serve. When a client wishes to make an RPC call to a given
             program number, it will first contact portmap on the server machine to determine the port
             number where RPC packets should be sent. Portmap must be started before any RPC
             servers are invoked
smbclient    smbclient(1) - is a client that can 'talk' to an SMB/CIFS server. It offers an interface
             similar to that of the ftp program (see ftp(1)). Operations include things like getting
             files from the server to the local machine, putting files from the local machine to the
             server, retrieving directory information from the server and so on
smbmount     smbmount(8) - mounts a Linux SMB filesystem. It is usually invoked as
             mount.smbfs by the mount(8) command when using the "-t smbfs" option. This
             command only works in Linux, and the kernel must support the smbfs filesystem
sendmail     sendmail(8) - sends a message to one or more recipients, routing the message over
             whatever networks are necessary. Sendmail does internetwork forwarding as necessary
             to deliver the message to the correct place
xinetd       xinetd(8) - performs the same function as inetd: it starts programs that provide Internet
             services. Instead of having such servers started at system initialization time, and be
             dormant until a connection request arrives, xinetd is the only daemon process started
             and it listens on all service ports for the services listed in its configuration file. When a
             request comes in, xinetd starts the appropriate server. Because of the way it
             operates, xinetd (as well as inetd) is also referred to as a super-server
Setting up a DNS master server
As an exercise we will install the BIND9 rpm package and configure a domain
called gogo.com.

1. Carry out the following alterations in /etc/named.conf:
Copy/Paste the following paragraphs and alter as follows:
zone "localhost" in {
    type master;
    file "ZONEFILE.for.localhost";
}
becomes
zone "gogo.com" in {
    type master;
    file "gogo.zone";
}
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "ZONEFILE.for.127.0.0";
};
becomes
zone "2.168.192.in-addr.arpa" in {
    type master;
    file "192.168.2.zone";
};
2. In /var/named:
cp ZONEFILE-for-127.0.0 192.168.2.zone
cp ZONEFILE-for-localhost gogo.zone
3. Change the appropriate fields in the new zone files. Add a host called harissa.
4. Add the line "nameserver 127.0.0.1" to /etc/resolv.conf.
5. Use host to resolve harissa.gogo.com

Apache administration
Basic configurations in /etc/httpd/conf/httpd.conf
1. Change the port directive Port from 80 to 8080. (If you are using httpd 2 then change the Listen directive.)
2. Check that apache is responding with telnet localhost 8080. You should get:
Trying 127.0.0.1...
Connected to localhost.linuxit.org.
Escape character is '^]'.
Next type GET / to download the index file.
3. Set "StartServers" to 15. Restart the httpd and check that 15 processes are started (instead of the default 8).
IP based virtual server

Your ethernet card must be aliased to a new IP (say new-IP):
ifconfig eth0:0 new-IP

Add the following paragraph to /etc/httpd/conf/httpd.conf:
<VirtualHost new-IP>
DocumentRoot /var/www/html/virtual
ServerName www.gogo.com
</VirtualHost>
Setting up a shared SMB directory
In most cases you won't need to add smbusers to the system to do this. Simply edit smb.conf and add the following:
[public]
comment = Example Shared Directory
path = /home/samba
guest ok = yes
writeable = yes
Setting up a shared printer:
[global]
--- snip ---
printcap name = /etc/printcap
load printers = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = yes
writable = no
printable = yes
Bash Scripting
Prerequisite
None
Goals
Review the main configuration files associated with the bash shell
Write and execute shell scripts
Syntax for logical evaluations, flow controls and loops
Miscellaneous features (Not part of the LPI 102 objectives)
Contents
Bash Scripting .................................................... 78
1. The bash environment ........................................... 79
2. Scripting Essentials ........................................... 81
3. Logical evaluations ............................................ 82
4. Flow Control and Loops ......................................... 83
5. Expecting user input ........................................... 85
6. Working with Numbers ........................................... 85
7. Exercises and Summary .......................................... 86
1. The bash environment
Variables
When you type a command at the prompt the bash shell will use the PATH variable to find which executable on the system you want to run. You can check the value of PATH using the echo command:
echo $PATH
/usr/bin:/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/sbin:/usr/local/sbin
In fact many variables are needed by the shell to accommodate each user's environment. For example PWD, HOME, TERM and DISPLAY are such variables.
To initialise and declare a variable the syntax is as follows:
VARIABLE=VALUE
Remember not to put any spaces around the '=' sign. Once a variable is declared and initialised it can be referenced by using the dollar symbol in front as here:
echo $VARIABLE
This declares a local variable (only available for the current process) that can be listed with set. It is possible to get an exported variable (available to all child processes spawned after the variable has been defined) using export. Exported variables are listed with the env command.
When a shell session is started a number of configuration files are read and most of the variables are set.
To free a variable from its current value use unset.
Configuration files
One can distinguish configuration files which are read at login time and configuration files which are read for each new bash session.
The profiles
The first file to be read at login is /etc/profile; after that the shell will search for the files ~/.bash_profile, ~/.bash_login and ~/.profile and execute the commands from the first available one. For every new shell (for example if an xterm emulator is started) these profiles are not read again.
Contents: the profiles are used to define exported variables (e.g. PATH) that will be available for every subsequent program.
The bashrc files
The runtime control files ~/.bashrc and /etc/bashrc are sourced every time a shell is started.

Contents: the runtime control files will store aliases and functions.
Notice that non-interactive shells read neither of these files. Instead a BASH_ENV variable pointing to the file to be sourced is declared in the script.
Function syntax
function-name ()
{
command1;
command2;
}
You can test which files are being read by adding an echo Profile line in /etc/profile, then type:
bash             No profile is read, you shouldn't see anything
bash -login      This forces bash to act as a login bash; the word Profile should show up.
The following commands control the way bash starts:
bash -norc
bash -noprofile
Notice that any new bash session will inherit the parent's global variables defined in /etc/profile and ~/.bash_profile.
Controlling readline
The GNU library readline is used by programs that expect user input. It also offers extensive vi and emacs style editing functionality.
Example: the readline default editor setting for bash is emacs. One can for example use ^E to go to the end of a line. What happens when we next start, as below, a shell without editing support?
bash --noediting
The files /etc/inputrc or ~/.inputrc are used to control the readline library. One can for example link a keyboard combination to an action.
Example options for inputrc:
set editing-mode vi        change the initial editor style (default is emacs)
Control-o: "> output"      binding the sequence Ctrl+o will cause the string "> output" to be printed
TAB: complete              automatically complete commands and file names (is set by default)
set bell-style none        input errors are not audible (the other option is audible)
Finally, when a user logs out, the shell will read commands from ~/.bash_logout if it exists. This file usually contains the clear command which clears the screen once the shell exits.
2. Scripting Essentials
The script file
A shell script is a list of instructions saved in a flat file. Only two things are necessary.
1. The script's first line must be #!/bin/bash (for a bash script)
2. The file must be readable and executable (with 755 permission for example)
Assuming the script is in your current directory it can be started with
./script-name

NOTICE
The interpreter specified after the #! sign (pronounced "she-bang") is used to read the commands in the script. If no interpreter is specified then the shell will attempt to interpret the commands itself.

Alternative methods
bash script-name       start a new interactive bash which will run the script then exit
source script-name     force your current shell to run the script
. script-name          same as source
exec ./script-name     same as ./script-name except that the current shell will exit once the script has run
Passing variables to the script
Variables entered at the command line are referenced inside the script as $1 for the first argument, $2 for the second, etc.
Example script, mycat:
#!/bin/bash
cat $1
This script is expecting one argument, a file, and will display the content of the file using cat. To run this script on the lilo.conf file, you would run:
./mycat /etc/lilo.conf
Another way of passing variables to a script is by letting the script prompt the user for input interactively. This is achieved using the read command. The default name of the read variable is REPLY. Here is the modified script:
Interactively passing:
#!/bin/bash
echo -n "Which file shall I display ?"
read
cat $REPLY
or
read -p "File to display: " FILENAME
cat $FILENAME
Special Variables
Special variables can only be referenced and are automatically set by bash. These are the most common special variables you will encounter:
$*    List of all arguments entered at the command line
$#    Number of arguments entered at the command line
$0    The name of the script
$!    PID of the most recent background command
$$    PID of the current shell
$?    Exit code of the last command
For the positional parameters $1, $2 etc. there is a shift operator which renames each parameter in a cyclic way as follows.
$2 becomes $1
$3 becomes $2 ... etc
This can be summarised as $(n+1) -> $n
3. Logical evaluations
Logical statements are evaluated with the test command or the brackets [ ]. In both cases the result is stored in the $? variable such that:
if the statement is true then $? is 0
if the statement is false then $? is not 0
Here are some examples to illustrate:
using test               using [ ]               meaning
test -f /bin/bash        [ -f /bin/bash ]        test if /bin/bash is a file
test -x /etc/passwd      [ -x /etc/passwd ]      test if /etc/passwd is executable
One can evaluate more than one statement at a time using the || (OR) and && (AND) logical operators on the command line. For example we could test if /bin/bash is executable and if /etc/inittab exists:
test -x /bin/bash && test -f /etc/inittab
[ -e /bin/kbash ] || [ -f /etc/passwd ]
This is the same as using the flags -o and -a within the test operator, for example
test -x /bin/bash -a -f /etc/inittab
[ -e /bin/kbash -o -f /etc/passwd ]
4. Flow Control and Loops
if then
Syntax:  if CONDITION ; then
             command1
             command2
         fi
#!/bin/bash
if [ -x /bin/bash ] ; then
echo The file /bin/bash is executable
fi
While loop
Syntax:  while CONDITION is true; do
             command
         done
Example: Align 10 hashes (#) then exit
#!/bin/bash
COUNTER=0
while [ $COUNTER -lt 10 ]; do
echo -n "#"
sleep 1
let COUNTER=COUNTER+1
done
Until loop
Syntax:  until CONDITION is false; do
             command
         done
Example: Same as above, notice the C style arithmetic operator for COUNTER
#!/bin/bash
COUNTER=20
until [ $COUNTER -lt 10 ]; do
echo -n "#"
sleep 1
let COUNTER-=1
done
For loop
Syntax:  for VARIABLE in SET; do
             command
         done
Example: the set 'SET' can be the lines of a file
#!/bin/bash
for line in `cat /etc/lilo.conf`; do
IMAGE=$(echo $line | grep image)
if [ "$IMAGE" != "" ]; then
echo Kernel configured to boot: $line
fi
done
5. Expecting user input
We assume that the script is waiting for user input; depending on the answer, the rest of the program will execute something accordingly. There are two possible ways to achieve this: select and case.
Using case
Syntax:  case $VARIABLE in
             CHOICE1) command1 ;;
             CHOICE2) command2 ;;
         esac
Using select
Syntax:  select VARIABLE in SET; do
             if [ $VARIABLE = CHOICE ]; then
                 command
             fi
             if [ $VARIABLE = CHOICE ]; then
                 command
             fi
         done
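As an added example (not from the manual), the functions below tie the shift operator and $# from the Special Variables section to the case statement above: a small option parser that walks the positional parameters one at a time. The function names parse_args and nth are assumptions, not names from the original text.

```shell
#!/bin/bash
# Added example, not from the original manual: walking the positional
# parameters with shift and $#, and classifying each one with case.
# The function names parse_args and nth are assumptions.

# parse_args [-v] [-f FILE]... [--] WORD...
# Prints "verbose=<0|1> files=<n> words=<n>"; returns 1 on a bad option.
parse_args() {
    local verbose=0 files=0 words=0
    while [ $# -gt 0 ]; do            # $# shrinks by one after every shift
        case "$1" in
            -v) verbose=1 ;;
            -f) shift                 # the option takes a value: consume it too
                [ $# -gt 0 ] || { echo "missing argument to -f" >&2; return 1; }
                files=$((files + 1)) ;;
            --) shift                 # everything after -- is a plain word
                words=$((words + $#))
                break ;;
            -*) echo "unknown option: $1" >&2; return 1 ;;
            *)  words=$((words + 1)) ;;
        esac
        shift                         # $2 becomes $1, $3 becomes $2, ...
    done
    echo "verbose=$verbose files=$files words=$words"
}

# nth N ARG...  -> prints the N-th argument by shifting N-1 times,
# i.e. the $(n+1) -> $n renaming described in the text.
nth() {
    local n=$1
    shift
    while [ "$n" -gt 1 ]; do
        shift
        n=$((n - 1))
    done
    echo "$1"
}
```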
6. Working with Numbers
While shell scripts seamlessly handle character strings, a little effort is needed to perform very basic arithmetic operations.
Binary operations
Adding or multiplying numbers together can be achieved using either expr or the $(( )) construct.
Example:
expr 7 + 3; expr 2 \* 10; expr 40 / 4; expr 30 - 11
echo $((7+3)) $((2*10)) $((40/4)) $((30-11))

Comparing values
Test operators:
Numbers    Strings
-lt        <   (sort strings lexicographically)
-gt        >   (sort strings lexicographically)
-le        N/A
-ge        N/A
-eq        ==
-ne        !=
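As an added example (not from the manual), the two columns of the table above applied to the same pair of values, which shows why "10 < 9" is true as a string comparison but "10 -lt 9" is not, together with $(( )) arithmetic. The function names (num_lt, str_lt, compare, is_number, safe_num_lt, average) are assumptions.

```shell
#!/bin/bash
# Added example, not from the original manual: the two columns of the
# comparison table applied to the same pair of values, plus $(( ))
# arithmetic.  Function names (num_lt, str_lt, compare, ...) are assumptions.

# num_lt A B -> true (status 0) when A is numerically less than B
num_lt() {
    [ "$1" -lt "$2" ]
}

# str_lt A B -> true when A sorts before B lexicographically.
# '<' must be escaped, otherwise the shell reads it as a redirection.
str_lt() {
    [ "$1" \< "$2" ]
}

# compare A B -> prints "numeric:<lt|ge> string:<lt|ge>" so that both
# readings of the same pair can be seen side by side.
compare() {
    local n s
    if num_lt "$1" "$2"; then n=lt; else n=ge; fi
    if str_lt "$1" "$2"; then s=lt; else s=ge; fi
    echo "numeric:$n string:$s"
}

# is_number X -> true when X is a non-empty string of digits.  -lt and
# friends print "integer expression expected" and return 2 otherwise.
is_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# safe_num_lt A B -> num_lt, but returns 2 on non-numeric input instead
# of letting test(1) complain on stderr.
safe_num_lt() {
    is_number "$1" && is_number "$2" || return 2
    num_lt "$1" "$2"
}

# average N... -> integer average computed with $(( )) instead of expr
average() {
    local sum=0 count=0 n
    for n in "$@"; do
        sum=$((sum + n))
        count=$((count + 1))
    done
    echo $((sum / count))
}
```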
7. Exercises and Summary
Files
File               Description
/etc/bashrc        a system wide startup file for interactive bash sessions (used for setting up the PS1 prompt)
/etc/inputrc       startup file for the readline library used by the shell to read and edit user input. This file combines keyboard combinations with editing commands but can also be used to associate keyboard combinations to any command (macro)
/etc/profile       system wide configuration file for bash. It contains exported variables such as the PATH and is always read at login
~/.bash_profile    the user's customised configuration file for bash. It contains exported variables and is always read at login
~/.bashrc          the user's customised startup file for bash. It is read every time a new interactive shell is started unless the -norc option is given
~/.inputrc         the user's customised startup file for the readline library
Scripting items
Item               Description
$(( ))             operator used to substitute the result of a numerical evaluation in a command line
expr               perform a numerical evaluation
for loop           see p.72
if then            see p.71
until loop         see p.72
while loop         see p.71
Commands
Command            Description
test               test(1) - check file types and compare values
unset              (bash built-in) command that removes a variable value or a function
env                print all exported (global) variables defined in the current shell
export             (bash built-in) command that makes a variable part of the environment of subsequent processes
set                (bash built-in) command that when started with no arguments prints the value of all shell variables defined

1. On the command line export the variable TEST
export TEST=old
2. Write the script
#!/bin/bash
echo old variable: $TEST
export TEST=new
echo exported variable: $TEST
3. What is the value of $TEST once the script has run?
4. The following script called test_shell will print the PID of the shell that is interpreting it
test_shell
#!/bin/bash
if [ -n "$(echo $0 | grep test)" ]; then
echo The PID of the script is: $$
else
echo The PID of the interpreter is: $$
fi
5) Set the permissions to 755 and test the following commands
test_shell
./test_shell
bash test_shell
. test_shell
source test_shell
exec ./test_shell
Basic Security
Prerequisites
None
Goals
Overview of local and network security issues
Understand the secure shell
Configure an NTP server
Contents
Basic Security .................................................... 88
1. Local Security ................................................. 89
2. Network Security ............................................... 91
3. The Secure Shell ............................................... 95
4. Time Configuration ............................................. 97
5. Exercises and Summary .......................................... 99
1. Local Security
The BIOS
If anyone has access to a rescue disk or a Linux disk that boots from a floppy or a CDROM it is extremely easy to gain read access to any files on the system. To prevent this the BIOS should be set to boot only off the hard drive. Once this is done set a password on the BIOS.
LILO
LILO can be given options at boot time. In particular some Linux distributions will not ask for a password when starting the system in single user mode or runlevel 1.
There are two options that should be added to /etc/lilo.conf:
the restricted option prompts the user for a password
the password="" option sets the password string.

Restricted means that LILO cannot be given any parameters without the "password" specified in lilo.conf.
boot=/dev/hda
install=/boot/boot.b
prompt
timeout=50
password="password"
restricted
File permissions
To prevent attackers causing too much damage it is recommended to take the following steps.
1) Make vital system tools immutable, or logfiles append-only:
chattr +i /bin/login
chattr +i /bin/ps
chattr +a /var/log/messages
2) Make directories /tmp and /home nosuid or noexec:
Lines to be changed in /etc/fstab
/tmp    /tmp    ext2    nosuid    1 2
/home   /home   ext2    noexec    1 2
3) Find all files on the system that don't belong to a user or a group:
find / -nouser -o -nogroup
find / -perm -4000
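As an added example (not from the manual), a check that reads an fstab and reports mount points lacking the nosuid/noexec options recommended in step 2, so the hardening can be verified without touching the running system. The fstab text and the policy table are constructed for this example; the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the original manual: audit an fstab for the
# nosuid/noexec options recommended in step 2 above without touching the
# running system.  The fstab text and the policy table are constructed
# for this example; the function names are assumptions.

# Which mount points must carry which option: "mountpoint option" per line.
POLICY="/tmp nosuid
/tmp noexec
/home nosuid
/home noexec"

# Constructed sample fstab (not taken from a real machine).
SAMPLE_FSTAB="# <device>  <mount point>  <type>  <options>        <dump> <pass>
/dev/hda1   /              ext3    defaults         1 1
/dev/hda5   /tmp           ext2    nosuid           1 2
/dev/hda6   /home          ext2    noexec,nosuid    1 2
proc        /proc          proc    defaults         0 0"

# has_opt OPTLIST OPT -> true when OPT is one of the comma separated options
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# fstab_audit FSTAB_TEXT -> prints "<mountpoint> missing <option>" for every
# policy entry that is not satisfied; comments and blank lines are skipped.
fstab_audit() {
    local dev mnt fstype opts rest
    echo "$1" | while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac
        echo "$POLICY" | while read -r pmnt popt; do
            [ "$pmnt" = "$mnt" ] || continue
            has_opt "$opts" "$popt" || echo "$mnt missing $popt"
        done
    done
}

# fstab_ok FSTAB_TEXT -> true when the audit reports nothing
fstab_ok() {
    [ -z "$(fstab_audit "$1")" ]
}
```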
Log Files
The main logs are
/var/log/messages : contains information logged by the syslogd daemon
/var/log/secure : contains information on failed logins, added users, etc.
The last tool lists all successful logins and reboots. The information is read from the /var/log/wtmp file.
The who and w tools list all users currently logged onto the system using the /var/run/utmp file.
User Limits
When the /etc/nologin file is present (can be empty) it will prevent all users from logging in to the system (except user root). If the nologin file contains a message this will be displayed after a successful authentication.
In the /etc/security/ directory are a collection of files that allow administrators to limit user CPU time, maximum file size, maximum number of connections, etc.
/etc/security/access.conf : disallow logins for groups and users from specific locations.
/etc/security/limits.conf
The format of this file is
<domain> <type> <item> <value>
domain    a user name, a group name (with @group)
type      hard or soft
item      core - limits the core file size (KB)
          data - max data size (KB)
          fsize - maximum filesize (KB)
          memlock - max locked-in-memory address space (KB)
          nofile - max number of open files
          cpu - max CPU time (MIN)
          proc - max number of processes
          as - address space limit
          maxlogins - max number of simultaneous logins for this user
          priority - the priority to run user processes with
          locks - max number of file locks the user can hold
2. Network Security
In this section we break network security down into host based security and port based security.
Host Based Security
Access to resources can be granted based on the host requesting the service. This is handled by tcp_wrappers. The libwrap library, also known as tcp_wrappers, provides host based access control lists for a variety of network services. Many services, such as xinetd, sshd, and portmap, are compiled against the libwrap library thereby enabling tcp_wrapper support for these services.
When a client connects to a service with tcp_wrapper support, the /etc/hosts.allow and /etc/hosts.deny files are parsed to challenge the host requesting the service. Based on the outcome the service will either be granted or denied.
The hosts_access files have 2, optionally 3, colon separated fields. The first field is the name of the process, the second is the fully qualified host name or domain name with a "leading dot", IP address or subnet with a "trailing dot". Wildcards like ALL and EXCEPT are also accepted.
The syntax for the /etc/hosts.{allow | deny} file is as follows:
service : hosts [EXCEPT] hosts
Example:
/etc/hosts.deny
ALL: ALL EXCEPT .example.com
/etc/hosts.allow
ALL: LOCAL 192.168.0.
in.ftpd: ALL
sshd: .example.com
Tcp_wrappers can run a command locally upon a host match in the hosts_access files.
This is accomplished with the spawn command. With the use of the % character, substitutions can be made for the host name and the service.
Example:
/etc/hosts.deny
ALL: ALL : spawn (/bin/echo `date` from %c for %d >> /var/log/tcpwrap.log)
For more information on the use of % substitutions see the hosts_access(5) man page.
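As an added example (not from the manual), a simplified model of the hosts.allow / hosts.deny lookup described above, so the two example files can be exercised without a libwrap-enabled daemon. It handles only ALL, LOCAL, leading-dot domains, trailing-dot networks, literal names and EXCEPT; spawn options, user@host and netmask forms are not modelled. The rule texts are constructed and the function names are assumptions, not libwrap's own API.

```shell
#!/bin/bash
# Added example, not from the original manual: a simplified model of the
# hosts.allow / hosts.deny lookup described in the text.  It handles only
# ALL, LOCAL, leading-dot domains, trailing-dot networks, literal names and
# EXCEPT.  The rule texts are constructed; function names are assumptions.

# The two files from the example above, as constructed strings.
HOSTS_ALLOW="ALL: LOCAL 192.168.0.
in.ftpd: ALL
sshd: .example.com"

HOSTS_DENY="ALL: ALL EXCEPT .example.com"

# pat_match PATTERN NAME -> true when the single PATTERN covers NAME
pat_match() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot in the name
        .*)    case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;; # domain suffix
        *.)    case "$2" in "$1"*) return 0 ;; *) return 1 ;; esac ;; # network prefix
        *)     [ "$1" = "$2" ] ;;
    esac
}

# list_match LIST NAME -> true when NAME matches a pattern before EXCEPT
# and none of the patterns after it.
list_match() {
    local name=$2 including=1 matched=1 excluded=1 pat
    for pat in $1; do
        if [ "$pat" = EXCEPT ]; then
            including=0
            continue
        fi
        if pat_match "$pat" "$name"; then
            if [ $including -eq 1 ]; then matched=0; else excluded=0; fi
        fi
    done
    [ $matched -eq 0 ] && [ $excluded -eq 1 ]
}

# file_match RULES SERVICE CLIENT -> true when some "daemons : clients" line
# in RULES matches both the service and the client.
file_match() {
    local daemons clients
    echo "$1" | while IFS=: read -r daemons clients; do
        list_match "$daemons" "$2" && list_match "$clients" "$3" && echo hit
    done | grep -q hit
}

# wrap_decide SERVICE CLIENT -> prints allow or deny, in the order
# tcp_wrappers uses: hosts.allow first, then hosts.deny, otherwise allow.
wrap_decide() {
    if file_match "$HOSTS_ALLOW" "$1" "$2"; then
        echo allow
    elif file_match "$HOSTS_DENY" "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}
```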
Port Based Security
With packet filtering functionality built into the Linux kernel, it is possible to limit access to resources by creating rulesets with utilities such as ipchains and iptables, which are able to evaluate a packet entering any of its network interfaces. The rules determine what happens to each packet.
We will cover ipchains and iptables separately. However ipchains and iptables share the following options:
-A    Append rule to a chain
-D    Delete a rule
-P    Change the default Policy for a chain
-I    Insert
-F    Flush the rule(s) in a chain
-N    Create a user defined chain
-X    Delete a user defined chain
-L    List
-- ipchains
There are three built in chains in ipchains:
input, forward and output
These chains, respectively, are evaluated when the packets
1) enter the network interface
2) transit to another interface or host
3) exit the network interface and have been either generated by the local host or forwarded
TARGETS:
The possible actions (or TARGETS) are ACCEPT, DENY, REJECT, MASQ, REDIRECT and RETURN, or can possibly point to another user defined chain. Targets are specified with the -j flag.
Example: All packets from 192.168.0.254 will be logged and denied
ipchains -A input -s 192.168.0.254 -l -j DENY
POLICY: If a packet has gone through all the rules in a specific chain unaltered then it will be dealt with by the default policy rule for that chain. Valid policy targets are DENY (silently drop the packets) or ACCEPT.
Example: Set the policy for all chains to DENY
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY
-- iptables
One of the main differences with ipchains is that the filtering rules (decisions to allow or deny a packet, etc.) have been separated from packet alteration operations (network address translation (NAT), etc.). This has been achieved by introducing independent tables; each table is assigned a specific role and each table contains its own built-in chains.
Figure: The Netfilter kernel framework for iptables
Iptables has three tables each containing the following built-in chains:
filter: this table is the default and deals with filtering rules using its built-in chains INPUT, OUTPUT and FORWARD
nat: only network address translation (NAT) operations are defined in this table. The built-in chains are PREROUTING, POSTROUTING and INPUT
mangle: this table handles packet alterations other than natting. There are two built-in chains PREROUTING and OUTPUT.
NOTICE: the built-in chains for iptables are all in UPPERCASE!!

TARGETS: Different targets are valid depending on the table.
Valid targets for the filter table are DROP, REJECT, ACCEPT or MIRROR.
Valid targets for the nat table are REDIRECT (in the PREROUTING and OUTPUT chains), MASQUERADE (in the POSTROUTING chain), DNAT (in the PREROUTING and OUTPUT chains) and SNAT (in the POSTROUTING and OUTPUT chains).
Example: All packets from 192.168.0.254 will be logged and denied
iptables -A INPUT -s 192.168.0.254 -j LOG
iptables -A INPUT -s 192.168.0.254 -j DROP
POLICY: The iptables chain policy can be set to either DROP, ACCEPT or MIRROR

Example: The default policy is set to drop all packets
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
-- more background
With the development of the 2.4 Linux kernel came the development of the Netfilter project, which uses the iptables utility to manage firewall rules. Another major difference between iptables and ipchains is that iptables has support for evaluating the packets based on their state in terms of other packets that have passed through the kernel. It is this stateful packet evaluation that makes iptables far superior.
Example: 1) Deny all packets on the INPUT chain:
iptables -P INPUT DROP
2) Accept established connections that have been initiated by the host:
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
Example: A basic script that will work as a gateway. Here are the highlights:
- allow IP forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
- masquerade:
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
- allow connections to port 80 ONLY:
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -m state --state NEW --dport http -j ACCEPT

#!/bin/sh
# Variables
IPTABLES="/sbin/iptables"
LAN_IFACE="eth0"
INET_IFACE="eth1"
INET_IP="1.2.3.4"
LOCALHOST_IP="127.0.0.1/32"
LAN_IP="192.168.0.1/32"
LAN_BCAST="192.168.0.0/24"
# Setup IP Masquerading
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
# Specify the default policy for the built in chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Specify INPUT Rules
$IPTABLES -A INPUT -i ! $INET_IFACE -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -m state --state NEW --dport http -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Specify FORWARD Rules
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Specify OUTPUT RULES
$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
3. The Secure Shell
The secure shell is a secure replacement for telnet and remote tools like rlogin, rsh and rcp. The daemon sshd is started on the server using the rc-script /etc/init.d/sshd. The ssh service uses port 22 and clients connect using the ssh tool.
Host Authentication
With ssh both the host and the user authenticate. The host authentication is done by swapping keys. The host's public and private keys are usually kept in /etc/ssh if you are using OpenSSH. Depending on the protocol used the host key file will be called ssh_host_key for Protocol 1 and ssh_host_rsa_key or ssh_host_dsa_key for Protocol 2. Each of these keys has its corresponding public key, for example ssh_host_key.pub.
When an ssh client connects to a server, the server will give the host's public key. At this stage the user will be prompted with something like this:
The authenticity of host 'neptune (10.0.0.8)' can't be established.
RSA key fingerprint is 8f:29:c2:b8:b5:b2:e3:e7:ec:89:80:b3:db:42:07:f4.
Are you sure you want to continue connecting (yes/no)?
If you accept to continue the connection the server's public key will be added to the local $HOME/.ssh/known_hosts file.
User Authentication (using passwords)
Then the user is prompted for the password for his account on the remote server and logs in.
User Authentication (using keys)
The user authentication can also involve swapping keys. For this the user will need to generate a pair of private/public keys. For example:
ssh-keygen -t dsa -b 1024
will generate a 1024 bit DSA key. By default these keys will be saved in $HOME/.ssh and in this example are called id_dsa and id_dsa.pub.
If we assume we have an id_dsa.pub key we can 'plant' this key on a remote account and avoid typing passwords for further connections. To do this we need to copy the content of the file id_dsa.pub into a file called authorized_keys2 kept in the remote $HOME/.ssh directory.
WARNING
All private keys in /etc/ssh/* and ~/.ssh/* should have a permission of 600
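As an added example (not from the manual), the key planting step above done idempotently, together with a check for the 600 permission the WARNING requires. The key line is a constructed placeholder rather than a real key, key_mode relies on GNU stat, and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the original manual: install a public key into
# authorized_keys2 exactly once, and check the 600 permission the WARNING
# above requires.  The key line is a constructed placeholder, not a real
# key; function names are assumptions.

# A constructed public key line standing in for the content of id_dsa.pub.
SAMPLE_PUBKEY="ssh-dss AAAAB3-constructed-placeholder-not-a-real-key user@client"

# install_pubkey KEYLINE FILE -> appends KEYLINE to FILE unless an identical
# line is already there; creates the directory with mode 700 and the file
# with mode 600 if needed.
install_pubkey() {
    local key=$1 file=$2 dir
    dir=$(dirname "$file")
    [ -d "$dir" ] || mkdir -m 700 "$dir"
    if [ ! -f "$file" ]; then
        : > "$file"
        chmod 600 "$file"
    fi
    if grep -qxF -- "$key" "$file"; then
        return 0                      # already present: nothing to do
    fi
    echo "$key" >> "$file"
}

# key_mode PATH -> prints the permission bits of PATH in octal (GNU stat)
key_mode() {
    stat -c '%a' "$1"
}

# check_private_keys DIR -> lists every private key in DIR (identity, id_*,
# ssh_host_*_key, but not the .pub halves) whose mode is not 600;
# returns 1 when at least one was reported.
check_private_keys() {
    local f bad=0
    for f in "$1"/identity "$1"/id_* "$1"/ssh_host_*key; do
        [ -f "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        if [ "$(key_mode "$f")" != 600 ]; then
            echo "$f has mode $(key_mode "$f"), expected 600"
            bad=1
        fi
    done
    return $bad
}
```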
sshd configuration file
Sample /etc/ssh/sshd_config file:
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
ssh configuration file
Sample /etc/ssh/ssh_config or $HOME/.ssh/config file:
#   Host *
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   CheckHostIP yes
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
NOTICE
The sshd daemon has been compiled with libwrap. We can see this with the following:
ldd /usr/sbin/sshd | grep wrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x0075f000)
This means that sshd is a valid entry for /etc/hosts.allow or /etc/hosts.deny.
4. Time Configuration
The System date
The system date can be changed with the date command. The syntax is:
date MMDDhhmmCCYY[.ss]
The Hardware Clock
The hardware clock can be directly changed with the hwclock utility. The main options are:
-r or --show       prints the current time
-w or --systohc    set the hardware clock to the current system time
-s or --hctosys    set the system time to the current hardware clock time
Time Zones
In addition to UTC time some countries apply "daylight saving" policies which add or remove an hour at a given date every year. These policies are available on a Linux system in /usr/share/zoneinfo/. By copying the appropriate zone file to /etc/localtime one can enforce a particular zone policy.
For example if we copy /usr/share/zoneinfo/Hongkong to /etc/localtime the next time we run date this will give us the time in Hongkong. This is because date will read /etc/localtime each time it is run.
Using NTP
The Coordinated Universal Time (UTC) is a standard used to keep track of time based on the Earth's rotation about its axis. However because of the slight irregularities of the rotation leap seconds need to be inserted into the UTC scale using atomic clocks.
Since computers are not equipped with atomic clocks the idea is to use a protocol to synchronize computer clocks across the Internet. NTP stands for Network Time Protocol and is one such protocol.
Computers that are directly updated by an atomic clock are called primary time servers and are used to update a larger number of secondary time servers. This forms a tree structure similar to the DNS structure. The root servers are on the first level or stratum, the secondary servers on the second and so on.
Configuring a client to query an NTP server:
An NTP daemon called ntpd is used to regularly query a remote time server. All that is needed is a server entry in /etc/ntp.conf pointing to a public or corporate NTP server. Public NTP servers can be found online.
The NTP protocol can also estimate the frequency errors of the hardware clock from a sequence of queries; this estimate is written to a file referred to by the driftfile tag.
Minimal /etc/ntp.conf file
server ntp2.somewhere.com
driftfile /var/lib/ntp/drift
NOTICE: on some systems the driftfile tag is pointing to /etc/ntp.drift or /etc/ntp/drift.

Once ntpd is started it will itself be an NTP server providing services on port 123 using UDP.
One off queries:
The ntp package also provides the ntpdate tool which can be used to set the time from the command line:
ntpdate ntp2.somewhere.com


5. Exercises and Summary

Files
File                        Description
/etc/fstab                  noexec - mount option which prevents any executables from executing from the device
                            nosuid - mount option which prevents the SUID and SGID bits from taking effect (see LPI 101)
/etc/localtime              contains the time zone policy used to determine the system time (with date)
/etc/ntp.conf               configuration file for the NTP daemon ntpd
/etc/ntp.drift or /etc/ntp/drift   file used by ntpd to keep track of the hardware clock drift
/etc/security/access.conf   file used to grant or deny access based on the user's name and the origin (local tty or remote host). One can also specify a NIS group using @group notation
/etc/security/limits.conf   file used to impose resource limits on login (see the file itself for details)
/etc/ssh                    directory containing configuration files for both the ssh client and the sshd server
/usr/share/zoneinfo/        collection of time zone files. Depending on the user's location one of these files is copied to /etc/localtime
/var/log/messages           the main system log file
/var/log/secure             log file containing information about failed logins or user accounts
/var/log/wtmp               the wtmp file records all logins and logouts
/var/run/utmp               utmp(5) - the utmp file allows one to discover information about who is currently using the system. There may be more users currently using the system, because not all programs use utmp logging
$HOME/.ssh                  directory containing known_hosts, authorized_keys2, id_dsa and id_dsa.pub
authorized_keys2            contains a list of public keys from remote users that are authorised to use this account (via ssh)
id_dsa                      the user's private key used during the user authentication process of an ssh session
id_dsa.pub                  the user's public key used during the user authentication process of an ssh session - this key must be present in the authorized_keys2 file of the account one is attempting to ssh to
known_hosts                 list of server public keys used for host authentication
ssh_config                  configuration file for ssh
sshd_config                 configuration file for sshd
Commands
Command      Description
chattr       change file attributes on an ext2/3 filesystem (see chattr(1) for details)
date         print or set the system time
hwclock      query or set the hardware clock
ipchains
iptables     iptables(8) - administration tool for IPv4 packet filtering and NAT
last         last(1) - searches back through the file /var/log/wtmp and displays a list of all users logged in (and out) since that file was created. The pseudo user reboot logs in each time the system is rebooted. Thus last reboot will show a log of all reboots since the log file was created
ntpd         the NTP daemon
ntpdate      ntpdate(1) - sets the local date and time by polling the Network Time Protocol (NTP) server(s) given as the server arguments to determine the correct time. It must be run as root on the local host
ssh          ssh(1) - program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel
ssh-keygen   ssh-keygen(1) - generates, manages and converts authentication keys for ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2
sshd         sshd(8) - daemon program that listens for ssh connections from clients. It is normally started at boot from /etc/rc. It forks a new daemon for each incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange
who          who(1) - show who is logged on
1. Use /etc/hosts.deny to disable the sshd service from everywhere
2. Find all files in /usr/ that have the SUID bit set
3. Log onto a remote host using ssh and authenticate using a pair of public/private keys
4. Use ipchains (resp. iptables) to deny access for all incoming, outgoing and forward traffic by default
5. Configure ntpd

Linux System Administration
Prerequisites
None
Goals
Customise the system logging system
Configure cron and at
Understand backup tools and strategies
Finding documentation
Contents
Linux System Administration ..... 101
1. Logfiles and configuration files ..... 102
2. Log Utilities ..... 104
3. Automatic Tasks ..... 105
4. Backups and Compressions ..... 107
5. Documentation ..... 110
6. Exercises and Summary ..... 113
Overview
We will concentrate on the main tasks of system administration such as monitoring log files and scheduling jobs using at and cron. This also includes an overview of the documentation available (manpages and online resources) as well as some backup concepts.
1. Logfiles and configuration files
The /var/log/ directory
This is the directory where most logfiles are kept. Some applications generate their own log files (such as squid or samba). Most of the system logs are managed by the syslogd daemon. Common system log files are:
cron       keeps track of messages generated when cron executes
mail       messages relating to mail
messages   logs all messages except private authentication (authpriv), cron, mail and news
secure     logs all failed authentications, users added/deleted etc
The most important log file is messages where most activities are logged.
The /etc/syslog.conf file
When syslogd is started it reads the /etc/syslog.conf configuration file by default. One can also start syslogd with -f and the path to an alternative config file. This file must contain a list of items followed by a priority, followed by the path to the log file:
item1.priority1; item2.priority2 /path-to-log-file

Valid items are:
auth and authpriv   user general and private authentication
cron                cron daemon messages
kern                kernel messages
mail
news
user                user processes
uucp

Valid priorities are: (from highest to lowest)
emerg
alert
crit
err
warning
notice
info
debug
*
none

Priorities are minimal! All higher priorities will be logged too. To force a priority to be info only you need to use an '=' sign as in:
user.=info /var/log/user_activity
Listing of /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
*.emerg @10.1.1.254

# Save boot messages also to boot.log
local7.* /var/log/boot.log
#
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
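An added example, not from the study guide, that applies the selector rules above to this listing: given a message's item (facility) and priority it returns every action that receives it, honouring "minimal" priorities, =priority, none and the override order of ';'-joined selectors. The configuration text is the listing embedded inline; the facility and priority names are the standard syslog ones.

```python
"""Route a message through /etc/syslog.conf the way syslogd does.

Added example, not part of the LinuxIT study guide. Rules implemented:
"item.priority" selects that priority and every higher one (priorities are
minimal), "=priority" selects exactly that level, "none" excludes the item,
and several selectors joined with ';' share one action, with later selectors
overriding earlier ones for the items they name.
"""
# Standard syslog priorities, lowest first, and the items (facilities).
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"} | {"local%d" % i for i in range(8)}

# The listing from this chapter, comments removed.
SYSLOG_CONF = """\
#kern.* /dev/console
*.info;mail.none;news.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
mail.* /var/log/maillog
cron.* /var/log/cron
*.emerg *
*.emerg @10.1.1.254
local7.* /var/log/boot.log
news.=crit /var/log/news/news.crit
news.=err /var/log/news/news.err
news.notice /var/log/news/news.notice
"""


def parse_rules(text):
    """Return [(selector, action)] for every non-comment, non-blank line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        rules.append((selector, action.strip()))
    return rules


def selector_matches(selector, facility, priority):
    """Evaluate 'fac.pri;fac.pri...' for one message; later parts override."""
    level = PRIORITIES.index(priority)
    decision = False
    for part in selector.split(";"):
        facs, pri = part.rsplit(".", 1)      # 'mail,news.=crit' -> ('mail,news', '=crit')
        if facs != "*" and facility not in facs.split(","):
            continue                         # this part says nothing about our item
        if pri == "none":
            decision = False
        elif pri == "*":
            decision = True
        elif pri.startswith("="):
            decision = level == PRIORITIES.index(pri[1:])
        else:
            decision = level >= PRIORITIES.index(pri)
    return decision


def route(facility, priority, conf=SYSLOG_CONF):
    """Actions that get the message: a file, '*' (all terminals) or '@host' (remote logger)."""
    if facility not in FACILITIES or priority not in PRIORITIES:
        raise ValueError("unknown facility or priority: %s.%s" % (facility, priority))
    return [action for selector, action in parse_rules(conf)
            if selector_matches(selector, facility, priority)]


if __name__ == "__main__":
    for fac, pri in [("kern", "emerg"), ("authpriv", "info"), ("news", "crit"), ("user", "debug")]:
        print("%s.%s -> %s" % (fac, pri, route(fac, pri) or ["dropped"]))
```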
2. Log Utilities
The logger command
The first utility, logger, conveniently logs messages to the /var/log/messages file.
If you type the following:
logger program myscript ERR
The end of /var/log/messages should now have a message similar to this:
Jul 17 19:31:00 localhost penguin: program myscript ERR
local settings
The logger utility logs messages to /var/log/messages by default. There are local items defined that can help you create your own logfiles as follows. local0 to local7 are available items for administrators to use. The availability depends on the system (RedHat local7 logs boot-time information in /var/log/boot.log). Add the following line to /etc/syslog.conf:
local4.* /dev/tty9
Restart syslogd or force it to re-read its configuration file as follows:
killall -HUP syslogd
The next command will be logged on /dev/tty9:
logger -p local4.notice "This script is writing to /dev/tty9"
An interesting device is /dev/speech; this is installed with the Festival tools.
logrotate
The log files are rotated using logrotate. Usually logrotate is run daily as a cron job. The configuration file /etc/logrotate.conf contains commands to create or compress files.
Listing of logrotate.conf
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# send errors to root
errors root
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own lastlog or wtmp -- we'll rotate them here
/var/log/wtmp {
monthly
create 0664 root utmp
rotate 1
}
3. Automatic Tasks
Using cron
The program responsible for running cron jobs is called crond. Every minute crond will read specific files containing commands to be executed. These files are called crontabs.
User crontabs are in /var/spool/cron/<username>. These files should not be edited directly by non-root users and need to be edited using the crontab tool (see below).
The system crontab is /etc/crontab. This file will periodically execute all the scripts in /etc/cron.*; this includes any symbolic link pointing to scripts or binaries on the system.
To manipulate cron entries one uses the crontab utility. Scheduled tasks are viewed with the -l option as seen below:
crontab -l
# DO NOT EDIT THIS FILE - edit the master and reinstall
# (/tmp/crontab.1391 installed on Tue Jul 17 17:56:48 2001)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
0 * * 07 2 /usr/bin/find /home/penguin -name core -exec rm {} \;
Does the user root have any crontabs?
Similarly the -e option will open your default editor and let you enter a cron entry.
User root can use the -u option to view and change any user's cron entries.
To delete your crontab file use crontab -r.
This is the format for crontabs:
Minutes(0-59) Hours(0-23) Day of Month(1-31) Month(1-12) Day of Week(0-7) command
Permissions:
By default only the root user can use crontab. The files /etc/cron.deny and /etc/cron.allow are available to allow or disallow the creation of crontabs for users listed in /etc/passwd.
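An added example, not from the study guide, that implements the five time fields above as a check of whether a crontab line would fire at a given minute. It goes beyond the plain format shown to the comma lists, ranges and /step forms that vixie-cron accepts, and the entry it checks is the one from the crontab -l output above; the function names are this example's own.

```python
"""Decide whether a crontab entry fires at a given minute.

Added example, not part of the LinuxIT study guide. Fields are
Minutes Hours Day-of-Month Month Day-of-Week, each '*', a value, a comma
list, a range a-b, or any of those with '/step'. As in cron(5), day-of-week
0 and 7 both mean Sunday, and when both the day-of-month and day-of-week
fields are restricted the entry fires when either one matches.
"""
import datetime

FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(spec, low, high):
    """Return the set of integers one crontab field covers."""
    values = set()
    for item in spec.split(","):
        step = 1
        if "/" in item:
            item, step = item.split("/", 1)
            step = int(step)
        if item == "*":
            start, end = low, high
        elif "-" in item:
            start, end = (int(x) for x in item.split("-", 1))
        else:
            start = end = int(item)               # '07' is accepted as 7
        if step < 1 or not (low <= start <= end <= high):
            raise ValueError("bad field %r for range %d-%d" % (spec, low, high))
        values.update(range(start, end + 1, step))
    return values


def parse_entry(line):
    """Split a crontab line into ([minutes, hours, doms, months, dows], command)."""
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("need five time fields and a command: %r" % line)
    fields = [expand_field(spec, lo, hi)
              for spec, (lo, hi) in zip(parts[:5], FIELD_RANGES)]
    return fields, parts[5]


def fires_at(line, when):
    """True if the entry runs at 'when' (a datetime or 'YYYY-MM-DD HH:MM')."""
    if isinstance(when, str):
        when = datetime.datetime.strptime(when, "%Y-%m-%d %H:%M")
    (minutes, hours, doms, months, dows), _ = parse_entry(line)
    cron_dow = (when.weekday() + 1) % 7          # Python Monday=0 -> cron Monday=1, Sunday=0
    dow_ok = cron_dow in dows or (cron_dow == 0 and 7 in dows)
    dom_ok = when.day in doms
    # A field written as '*' is unrestricted; '1-31' is treated the same here.
    dom_restricted = doms != set(range(1, 32))
    dow_restricted = dows != set(range(0, 8))
    if dom_restricted and dow_restricted:
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return (when.minute in minutes and when.hour in hours
            and when.month in months and day_ok)


# The entry shown in the crontab -l output of this chapter.
CORE_CLEANUP = "0 * * 07 2 /usr/bin/find /home/penguin -name core -exec rm {} \\;"

if __name__ == "__main__":
    for stamp in ("2001-07-17 17:00", "2001-07-17 17:05", "2001-07-18 17:00"):
        print(stamp, "->", fires_at(CORE_CLEANUP, stamp))
```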
Scheduling with 'at'
The at jobs are run by the atd daemon. At jobs are spooled in /var/spool/at/.
The at command is used to schedule a one off task with the syntax
at [time]
Where time can be expressed as:
now
3am + 2days
midnight
10:15 Apr 12
teatime
For a complete list of valid time formats see /usr/share/doc/at-xxx/timespec.
You can list commands that are scheduled with atq or at -l. The at jobs are saved in /var/spool/at/:
ls /var/spool/at/
a0000100fd244d spool
When using atq you should have a list of jobs preceded by a number. You can use this number to dequeue it:
atq
1 2001-07-17 18:21 a root
From the atq listing we see that the job number is 1, so we can remove the job from the spool as follows:
atrm 1
Permissions:
By default at is restricted to the root user. To override this you must either have an empty /etc/at.deny or have an /etc/at.allow with the appropriate names.
4. Backups and Compressions
Backup strategies
There are three main strategies to back up a system:
Full: copy all files
Incremental: The first incremental copies all files added or changed since the last full backup, and subsequently copies all the files added or changed since the last incremental backup
Differential: Copies all files added or changed since the last full backup
Example: If you made a full backup and 3 differential backups before a crash, how many tapes would you need to restore?
Creating archives with tar
The main option to create an archive with tar is -c. You can also specify the name of the archive as the first argument if you use the -f flag.
tar -cf home.tar /home/
If you don't specify the file as an argument tar -c will simply output the archive to standard output:
tar -c /home/ > home.tar
Extracting archives with tar
Extracting is straightforward. Replace the -c flag with -x. This will cause the archive file to create directories if necessary and copy the archived files into your current directory. To redirect the output of the extracted archive into the directory /usr/share/doc, for example, you can do:
tar -xf backeddocs.tar -C /usr/share/doc
Compressions
All archives can be compressed using different compression utilities. These flags are available when creating, testing or extracting an archive:
tar option   compression type
Z            compress
z            gzip
j            bzip2
The cpio utility
The cpio utility is used to copy files to and from archives. The list of files must be given to cpio either through a pipe (as when used with find) or via a file redirection such as with:
- Extract an archive on a tape:

cpio -i < /dev/tape
- Create an archive for the /etc directory:
find /etc | cpio -o > etc.cpio
The dump and restore utilities
Finally, it is also possible to perform backups using dump. Remember that the field after the options in /etc/fstab is used to specify if a device should be backed up or not using dump. An entire device can be backed up this way. However dump can also back up directories.
When backing up an entire device (not a directory) information about the previous full or incremental backups is stored in /etc/dumpdates. Dump can automatically do up to 9 incremental backups.
By default dump will save the archive to /dev/st0. Backups are recovered with the restore utility.
dump -0 -f /tmp/etc.dump /etc

You can test this archive with
restore -t -a -f /tmp/etc.dump
Extract all the files with
restore -x -a -f /tmp/etc.dump
or you can interactively extract a list of files (that gets interactively created too):
restore -i -a -f /tmp/etc.dump
restore > add etc/passwd etc/group
restore > extract
restoring ./etc/group
restoring ./etc/passwd
set owner/mode for '.'? [yn] y
restore > ^D
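An added example, not from the study guide, that serves both the Backup strategies passage and the dump levels used here: given the sequence of dump(8) levels written to tape it returns which tapes a complete restore needs, so the full/incremental/differential question above can be worked through. The schedule lists and function names are this example's own.

```python
"""Which tapes a restore needs, from a sequence of dump(8) levels.

Added example, not part of the LinuxIT study guide. Level 0 is a full
backup; a level-N dump copies everything changed since the most recent dump
of a lower level (dump reads those dates from /etc/dumpdates). So the
schedule 0,1,2,3 is the incremental strategy of this chapter and 0,1,1,1 is
the differential one; dump supports levels 0 to 9.
"""


def restore_set(levels):
    """0-based indices of the dumps needed for a complete restore.

    Walk backwards from the last dump: it is always needed, and so is the
    most recent earlier dump of a strictly lower level, down to level 0.
    """
    if not levels or levels[0] != 0:
        raise ValueError("a schedule must start with a level 0 (full) dump")
    if any(not 0 <= level <= 9 for level in levels):
        raise ValueError("dump levels run from 0 to 9")
    needed = []
    current = None                      # level of the dump selected last
    for index in range(len(levels) - 1, -1, -1):
        level = levels[index]
        if current is None or level < current:
            needed.append(index)
            current = level
            if level == 0:
                break
    return list(reversed(needed))


def tapes_to_restore(strategy, count):
    """Tapes needed after one full backup followed by `count` backups of one strategy."""
    if count > 9:
        raise ValueError("dump can only do up to 9 incremental backups after a full one")
    if strategy == "incremental":
        levels = [0] + list(range(1, count + 1))   # 0,1,2,3: each relative to the previous
    elif strategy == "differential":
        levels = [0] + [1] * count                  # 0,1,1,1: each relative to the full
    else:
        raise ValueError("strategy must be 'incremental' or 'differential'")
    return len(restore_set(levels))


if __name__ == "__main__":
    # The question from this chapter: a full backup and 3 differential backups.
    print("differential, 3 backups:", tapes_to_restore("differential", 3), "tapes")
    print("incremental, 3 backups: ", tapes_to_restore("incremental", 3), "tapes")
    print("schedule 0,3,2,5,4,1 needs tapes", restore_set([0, 3, 2, 5, 4, 1]))
```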
Backing up with dd
Remember from LPI 101 that the dd tool can make an image of a device preserving everything including:
the underlying filesystem
the boot sector (first 512 kB)
The image can be saved to a file or a device. The same is true when retrieving the image.
Syntax:
dd if=FILE/DEVICE of=FILE/DEVICE
What to backup
The following table extracted from the FHS document is used to determine how often specific directories need to be backed up:
           shareable      unshareable
static     /usr, /opt     /etc, /boot
variable   /var/mail      /var/run, /var/spool/mail
5. Documentation
Manpages and the whatis database
The manpages are organised in sections:
NAME          the name of the item followed by a short one line description
SYNOPSIS      the syntax for the command
DESCRIPTION   a longer description
OPTIONS       a review of all possible options and their function
FILES         files that are related to the current item (configuration files etc)
SEE ALSO      other manpages related to the current topic
These are the main sections one can expect to find in a manpage.
The whatis database stores the NAME section of all the manpages on the system. This is done through a daily cron. The whatis database has the following two entries:
name(key) one line description
The syntax for whatis is:
whatis <string>
The output is the full NAME section of the manpages where string matched name(key).
One can also use the man command to query the whatis database. The syntax is
man -k <string>
This command is similar to apropos. Unlike whatis this will query both the "name" and the "one line description" entries of the database. If the string matches a word in any of these fields the above query will return the full NAME section.
Example: (the matching string has been highlighted)
whatis lilo
lilo (8) - install boot loader
lilo.conf [lilo] (5) - configuration file for lilo
man -k lilo
grubby (8) - command line tool for configuring grub, lilo, and elilo
lilo (8) - install boot loader
lilo.conf [lilo] (5) - configuration file for lilo
The FHS recommends manpages to be kept in /usr/share/man. However additional locations can be searched using the MANPATH environment variable set in /etc/man.config. Each directory is further divided into subdirectories corresponding to manpage sections.
Manpage Sections
Section 1   Information on executables
Section 2   System calls, e.g. mkdir(2)
Section 3   Library calls, e.g. stdio(3)
Section 4   Devices (files in /dev)
Section 5   Configuration files and formats
Section 6   Games
Section 7   Macro packages
Section 8   Administration commands
To access a specific section N one has to enter:
man N command
Examples:
man mkdir
man 2 mkdir
man crontab
man 5 crontab
Info pages
The FHS recommends info pages be kept in /usr/share/info. These pages are compressed files that can be read with the info tool.
The original GNU tools used info pages rather than manpages. Since then most info pages have been rewritten as manpages. However information about GNU projects such as gcc or glibc is still more extensive in the info pages compared to the manpages.
Installed documents
GNU projects include documents such as a FAQ, README, CHANGELOG and sometimes user/admin guides. The formats can either be ASCII text, HTML, LaTeX or postscript.
These documents are kept in the /usr/share/doc/ directory.
HOWTOs and The Linux Documentation Project
The Linux Documentation Project provides many detailed documents on specific topics. These are structured guides explaining concepts and implementations. The website URL is www.tldp.org.
The LDP documents are freely redistributable and can be contributed to using a GPL type licence.
Usenet News Groups
The main newsgroups for Linux are the comp.os.linux.* groups (e.g. comp.os.linux.networking, comp.os.linux.security ...). Once you have set up a news reader to connect to a news server (usually available through an ISP or a University campus) one downloads a list of all existing discussion groups and subscribes/unsubscribes to a given group.

There are many experienced as well as new users who rely on the newsgroups to get information on specific tasks or projects. Take the time to answer some of these questions if you feel you have the relevant experience.
Notifying Users about the System
It is possible to print information for users logging onto the system such as the sysadmin's contact details or the state of the system using either /etc/issue (/etc/issue.net for telnet users) or /etc/motd.
The issue file is printed on the login terminals (ttys) by mingetty and can be used to publish the company's warning regarding the usage of the computer equipment, contact details or even some ASCII art. The same information can be made available through a display manager (see LPI 101). The issue.net file is visible at a telnet login prompt; it should generally not contain information about the system (OS type, kernel version, etc).
The filename motd stands for "message of the day" and is only visible after a successful login.
6. Exercises and Summary

Files
File                        Description
/etc/at.allow, at.deny      at.allow(5) - determine which user can submit commands for later execution via at(1) or batch(1). The format of the files is a list of usernames, one on each line. Whitespace is not permitted. The superuser may always use at. If the file /etc/at.allow exists, only usernames mentioned in it are allowed to use at. If /etc/at.allow does not exist, /etc/at.deny is checked
/etc/cron.allow, cron.deny  crontab(1) - If the cron.allow file exists, then you must be listed therein in order to be allowed to use this command. If the cron.allow file does not exist but the cron.deny file does exist, then you must not be listed in the cron.deny file in order to use this command. If neither of these files exists, only the super user will be allowed to use this command
/etc/crontab                System crontab file read by the crond daemon whenever its modified time is changed
/etc/dumpdates              Stores information about the last full or incremental dumps
/etc/issue                  Message printed by the mingetty program at the login prompt on a tty
/etc/issue.net              Message printed by the telnet daemon at the login prompt
/etc/logrotate.conf         Configuration file for logrotate
/etc/motd                   Message displayed by login after a successful login
/etc/syslog.conf            Configuration file for syslogd
/usr/share/info             Directory where info pages are stored
/usr/share/man              Directory where the various sections of the manpages are stored
/var/spool/at/              Directory containing spooled at and batch jobs
/var/spool/cron/            Directory containing user defined crontabs. The crontab file has the name of the user that created it and can only be edited with the crontab -e command
Commands
Command         Description
apropos         apropos(1) - searches a set of database files containing short descriptions of system commands for keywords and displays the result on the standard output
at              at(1) - read commands from standard input or a specified file which are to be executed at a later time
atd             atd(8) - run jobs queued by at for later execution
atq             at(1) - lists the user's pending jobs, unless the user is the superuser; in that case, everybody's jobs are listed. The format of the output lines (one for each job) is: job number, date, hour, job class
atrm            deletes jobs, identified by their job number
cron or crond   cron(8) - Cron searches /var/spool/cron for crontab files which are named after accounts in /etc/passwd; crontabs found are loaded into memory. Cron also searches for /etc/crontab and the files in the /etc/cron.d directory, which are in a different format
Command     Description
crontab     file loaded by crond. It is also the name of the program used to edit crontabs created by users in /var/spool/cron
dd          copy files and devices with optional modifications such as block size (see info coreutils dd)
dump        dump(8) - examines files on an ext2/3 filesystem and determines which files need to be backed up
info        read info documentation stored in /usr/share/info
logger      allows shell scripts to log messages with syslogd
logrotate   logrotate(8) - is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large
man -k      same as apropos
restore     restore files or file systems from backups made with dump
syslogd     The system logger. Programs can send messages to syslogd which include information such as the date and the host name. The configuration file /etc/syslog.conf is used to customise where messages are logged (e.g. file, device or remote logger)
tar         tar(1) - an archiving program designed to store and extract files from an archive file known as a tarfile. A tarfile may be made on a tape drive, however, it is also common to write a tarfile to a normal file
whatis      whatis(1) - search the whatis database for complete words
Logging
1. Change /etc/syslog.conf to output some of the logs to /dev/tty9 (make sure you restart syslogd and that the output is properly redirected)
2. Add a custom local5 item with critical priority to /etc/syslog.conf and direct the output to /dev/tty10. Restart syslogd and use logger to write information via local5.
3. Read the /etc/rc.d/init.d/syslog script and change /etc/sysconfig/syslog to allow remote hosts to send log outputs.
Scheduling
4. Create a cron entry which starts xclock every 2 minutes. Remember that cron is unaware of system variables such as PATH and DISPLAY.
5. Use at to start xclock in the next five minutes.
Archiving
6. Use find to list all files that have been modified during the past 24 hours.
(hint: Redirect the output of find -mtime 0 to a file)
7. Use cpio to create an archive called Incremental.cpio.
(ans: Use the file created above and do cat FILE | cpio -ov > Incremental.cpio)
8. Use tar to create an archive of all files last accessed or changed 5 mins ago. (HINT: use find to create a list of files, then save the list to a file. The tar tool has a switch to take input from a file.)
9. Test the archive before extracting it.
10. Extract the archive you have just created.
Setting up PPP
Prerequisites
Hardware Configuration (see LPI 101)
Goals
Configure a modem for dial up
Understand the roles of the pppd daemon and the chat script
Configure options in /etc/ppp/options such as hardware flow control or persistent connections
Contents
Setting up PPP ..... 111
1. Detecting Modems ..... 117
2. Dialup Configuration ..... 118
3. pppd and chat ..... 119
4. PPPD peers ..... 120
5. Wvdial ..... 121
6. Exercises and Summary ..... 122
1. Detecting Modems
Linux assumes in general that serial modems are connected to a serial port (one of the /dev/ttyS devices). So you first need to find out which serial port the modem is connected to.
The setserial -g command will query the serial ports. If the resource is not available then the UART value will be unknown.
Sample output for setserial:
setserial -g /dev/ttyS[0-3]
/dev/ttyS0, UART: 16550A, Port: 0x03f8, IRQ: 4
/dev/ttyS1, UART: 16550A, Port: 0x02f8, IRQ: 3
/dev/ttyS2, UART: unknown, Port: 0x03e8, IRQ: 4
/dev/ttyS3, UART: unknown, Port: 0x02e8, IRQ: 3
For non-serial modems it is possible to get information about available resources in /proc/pci. Here the i/o and IRQ settings can be transferred to a free /dev/ttySX device. This is achieved with the following 2 lines:
setserial /dev/ttyS2 port 0x2000 irq 3
setserial /dev/ttyS2 autoconfig
The last line simply deals with setting up the proper UART settings.
These settings will be lost at the next boot and can be saved in /etc/rc.serial. This script is one of the last scripts executed by rc.sysinit at boot time.
The rc.serial script:
#!/bin/bash
TTY=/dev/ttyS2
PORT=0x2000
IRQ=3
echo "Setting up Serial Card ..."
/bin/setserial $TTY port $PORT irq $IRQ 2>/dev/null
/bin/setserial $TTY autoconfig 2>/dev/null

2. Dialup Configuration
Once the modem is known to be connected to a serial device it is possible to send modem specific instructions such as ATZ or ATD. One tool that will act as a terminal interface is minicom.
(minicom screenshot)
Another common tool is wvdialconf. This tool will automatically scan for modems on the ttyS's and create a configuration file called /etc/wvdial.conf. The next command will create or update the configuration file:
wvdialconf /etc/wvdial.conf
This file is used to handle password authentication and initialise the pppd daemon once the connection is established. If a dialer called MYISP is defined in wvdial.conf then the connection is started using:
wvdial MYISP
3. pppd and chat
First of all the chat script is used to communicate with a remote host's modem. It is a series of expect/send strings. The format is:
"expected query" "answer"
Expected queries from the modem are:
"" "OK" "CONNECT" "login" "password" "TIMEOUT" "$"
The script is read sequentially and starts with the empty query "" which is matched with the command "ATZ". Once the modem is initialised it sends back the query "OK". To this the script will answer with a "ATD" dialing command. This conversation goes on and on until the "$" prompt is reached at which stage one can run pppd.
Sample chat script:
"ABORT" "BUSY"
"ABORT" "ERROR"
"ABORT" "NO CARRIER"
"ABORT" "NO DIALTONE"
"ABORT" "Invalid Login"
"ABORT" "Login incorrect"
"" "ATZ"
"OK" "ATDT01172341212"
"CONNECT" ""
"ogin:" "adrian"
"ord:" "adrianpasswd"
"TIMEOUT" "5"
"$" pppd
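To make the expect/send mechanism concrete, here is an added example (not code from the LinuxIT manual): a small Python interpreter for the chat script above, replayed against a constructed fake modem so that the normal exchange, an ABORT and a TIMEOUT can all be traced offline. The modem replies are assumptions built into the example.

```python
"""Chat script interpreter replayed against a scripted fake modem.

Added example, not code from the LinuxIT manual: it parses the expect/send
script shown above and drives it offline, so the ABORT and TIMEOUT behaviour
of chat(8) can be seen without a modem."""
import shlex

# The manual's sample script, embedded as a constructed string. Note that it
# carries the login password in clear text: on a real system the chat script
# file must be readable by root only.
CHAT_SCRIPT = r'''
"ABORT" "BUSY"
"ABORT" "ERROR"
"ABORT" "NO CARRIER"
"ABORT" "NO DIALTONE"
"ABORT" "Invalid Login"
"ABORT" "Login incorrect"
"" "ATZ"
"OK" "ATDT01172341212"
"CONNECT" ""
"ogin:" "adrian"
"ord:" "adrianpasswd"
"TIMEOUT" "5"
"$" pppd
'''


def parse_chat(script):
    """Return (abort_strings, timeout, steps); steps are (expect, send) pairs.
    ABORT and TIMEOUT are chat(8) keywords taking one argument; they are not
    expect/send pairs themselves."""
    tokens = shlex.split(script)  # understands the "" empty string and quoted phrases
    aborts, steps, timeout, i = [], [], 45, 0
    while i < len(tokens):
        if tokens[i] == "ABORT":
            aborts.append(tokens[i + 1])
        elif tokens[i] == "TIMEOUT":
            timeout = int(tokens[i + 1])
        else:
            steps.append((tokens[i], tokens[i + 1] if i + 1 < len(tokens) else ""))
        i += 2
    return aborts, timeout, steps


def run_chat(script, modem):
    """Replay the script. `modem` maps each string we send to the text the
    fake modem answers with (constructed). Returns (status, transcript), where
    status is "OK", "ABORT:<string>" or "TIMEOUT:<expect>", mirroring the
    reasons for which chat(8) exits."""
    aborts, _timeout, steps = parse_chat(script)
    transcript, received = [], ""
    for expect, send in steps:
        if expect:  # "" means: send without waiting for anything
            hit = [a for a in aborts if a in received]
            if hit:  # an abort string arrived instead of what we expected
                return "ABORT:" + hit[0], transcript
            if expect not in received:  # the fake modem has nothing more to say
                return "TIMEOUT:" + expect, transcript
            received = received[received.index(expect) + len(expect):]
        transcript.append(("send", send))
        reply = modem.get(send, "")
        if reply:
            transcript.append(("recv", reply))
        received += reply
    return "OK", transcript


# Two constructed modems: one answers every step, one reports the line busy.
GOOD_MODEM = {
    "ATZ": "OK\r\n",
    "ATDT01172341212": "CONNECT 33600\r\nlogin:",
    "adrian": "password:",
    "adrianpasswd": "Welcome\r\n$ ",
}
BUSY_MODEM = dict(GOOD_MODEM, **{"ATDT01172341212": "BUSY\r\n"})

if __name__ == "__main__":
    for name, modem in (("good", GOOD_MODEM), ("busy", BUSY_MODEM), ("dead", {})):
        status, transcript = run_chat(CHAT_SCRIPT, modem)
        print(name, status)
        for direction, text in transcript:
            print("  %s %r" % (direction, text))
```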
Of course this is one way of doing things. One can also start pppd manually and then invoke the chat script as follows:
pppd /dev/ttyS2 115200 \
nodetach \
lock \
debug \
crtscts \
asyncmap 0000000 \
connect "/usr/sbin/chat -f /etc/sysconfig/network-scripts/chat-ppp0"
The lines below the pppd command can be saved in /etc/ppp/options. This file contains most of the features which make the strength and flexibility of pppd.
The main options for /etc/ppp/options are listed in the next table.
Option        Description
crtscts       use hardware flow control using the RTS and CTS signals
noauth        do not require the peer to authenticate itself
persist       do not exit after a connection is terminated but try to reconnect
require-chap  use /etc/ppp/chap-secrets for authentication
Once a serial connection is established the pppd daemon will start the PPP protocol. At this point a network interface called pppN is assigned an IP address with the script /etc/ppp/ip-up.
When a connection is terminated the pppd daemon releases the IP with the /etc/ppp/ip-down script.
4. PPPD peers
There is a directory called peers in /etc/ppp/. In this directory one can create a file that contains all the necessary command line options for pppd. In this way peer connections can be started by all users.
Below is an example of a PPP peer file:
# This optionfile was generated by pppconfig 2.0.10.
hide-password
noauth
connect "/usr/sbin/chat -f /etc/sysconfig/network-scripts/chat-ppp0"
/dev/ttyS0
115200
defaultroute
noipdefault
user uk2
The previous peer file (called uk2) would be used as follows:
# pppd call uk2
This will dial the number specified in the "chat script" and authenticate as the user "uk2". Please note that this requires a corresponding entry in the /etc/ppp/chap-secrets, and /etc/ppp/pap-secrets. The format for pap and chap secrets is as follows:
# Secrets for authentication using CHAP
# client server secret IP addresses
uk2 * "uk2" *
This format allows different passwords to be used if you connect to different servers. It also allows you to specify an IP address. This is probably not going to work when connecting to an ISP, but when making private connections, you can specify IP addresses if there is a need. One example would be where you need to audit your network activity, and want to specify which users get a certain IP address.
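As an added example (not the manual's own code, and not pppd's lookup routine), here is a parser for this secrets format with a lookup that resolves the "*" wildcard in the client and server columns, plus a check that the file is not readable by other users. The secrets file it works on is constructed; the server name officepp and the entries beyond the manual's own line are assumptions.

```python
"""Lookup for /etc/ppp/chap-secrets (pap-secrets has the same format).

Added example, not code from the LinuxIT manual or from pppd: it parses the
client / server / secret / IP-addresses lines described above, resolves the
"*" wildcard, and checks that the file is private to its owner."""
import os
import shlex
import stat
import tempfile

# Constructed secrets file in the manual's format. The first data line is the
# manual's own example; the others (server "officepp", IP lists) are assumptions.
SECRETS = """
# Secrets for authentication using CHAP
# client   server   secret        IP addresses
uk2        *        "uk2"         *
uk2        officepp "0ff1ce-only" 10.0.0.5
audit      officepp "aud1t"       10.0.0.6 10.0.0.7
"""


def parse_secrets(text):
    """Return a list of (client, server, secret, allowed_ips). An empty IP
    column or "*" means any address (represented as an empty list)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # comments only; secrets must not contain '#'
        if not line:
            continue
        fields = shlex.split(line)  # the secret may be quoted, like "uk2" above
        if len(fields) < 3:
            raise ValueError("malformed secrets line: %r" % raw)
        client, server, secret = fields[:3]
        ips = [ip for ip in fields[3:] if ip != "*"]
        entries.append((client, server, secret, ips))
    return entries


def lookup(text, client, server):
    """Return (secret, allowed_ips) for this client/server pair, or None.
    An exact server match outranks the "*" wildcard, so a server-specific
    password wins over the generic one."""
    best = None
    for c, s, secret, ips in parse_secrets(text):
        if c not in (client, "*") or s not in (server, "*"):
            continue
        score = (c == client) + (s == server)
        if best is None or score > best[0]:
            best = (score, secret, ips)
    return None if best is None else (best[1], best[2])


def is_private(path):
    """True when the file grants no permission to group or others (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def demo_permission_check():
    """Write the constructed secrets to a temporary file and test it under a
    safe and an unsafe mode. Returns (result_for_0600, result_for_0644)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, SECRETS.encode())
        os.close(fd)
        os.chmod(path, 0o600)
        strict = is_private(path)
        os.chmod(path, 0o644)
        loose = is_private(path)
    finally:
        os.unlink(path)
    return strict, loose


if __name__ == "__main__":
    print(lookup(SECRETS, "uk2", "isp"))        # generic entry
    print(lookup(SECRETS, "uk2", "officepp"))   # server-specific entry wins
    print(demo_permission_check())              # (True, False)
```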
5. Wvdial
This is the default method used by Red Hat to connect to a dial up network. To configure wvdial, it is easier to use one of the configuration tools provided with either Gnome or KDE. They configure the /etc/wvdial.conf file.
Below is a sample wvdial.conf file:
[Modem0]
Modem = /dev/ttyS0
Baud = 115200
Dial Command = ATDT
Init1 = ATZ
FlowControl = Hardware (CRTSCTS)
[Dialer UK2]
Username = uk2
Password = uk2
Phone = 08456091370
Inherits = Modem0
To use wvdial from the command line, you would execute it with the following syntax:
# wvdial <dialer-name>
In the example configuration file the following command would dial the connection called "uk2":
# wvdial uk2
6. Exercises and Summary
Files
File                   Description
/etc/ppp/options       options used by the pppd daemon (additional options can be passed on the command line)
/etc/ppp/chap-secrets  contains login information available when using the challenge handshake authentication protocol (CHAP)
/etc/ppp/pap-secrets   contains login information available when using the password authentication protocol (PAP)
/etc/ppp/peers/        contains files with connection information (user name, chat script) as well as pppd options
/etc/wvdial.conf       configuration file used by wvdial
Commands
Command   Description
chat      chat(8) - The chat program defines a conversational exchange between the computer and the modem. Its primary purpose is to establish the connection between the Point-to-Point Protocol Daemon (pppd) and the remote pppd process
minicom   program used to communicate over a serial connection. Can be given a phone number, user name and password. Once the connection is established minicom acts as a terminal
pppd      pppd(8) - PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links. The pppd daemon works together with the kernel PPP driver to establish and maintain a PPP link with another system (called the peer) and to negotiate Internet Protocol (IP) addresses for each end of the link. Pppd can also authenticate the peer and/or supply authentication information to the peer.
wvdial    wvdial(1) - wvdial is an intelligent PPP dialer, which means that it dials a modem and starts PPP in order to connect to the Internet. It is something like the chat(8) program, except that it uses heuristics to guess how to dial and log into your server rather than forcing you to write a login script
Printing
Prerequisite
None
Goals
Understand the GNU printing tools used to submit and administrate print jobs
Configure a LPRng print spooler
Contents
Printing ...................................................................................... 123
1. Filters and gs ............................................................................. 124
2. Printers and print queues .................................................................. 124
3. Printing Tools ............................................................................. 125
4. The configuration files .................................................................... 126
5. Exercises and Summary ...................................................................... 129
1. Filters and gs
For non-text formats Linux and UNIX systems generally use filters. These filters translate PDF or troff file formats into a postscript type format. This could directly be sent to a postscript printer, but since not all generic printers can handle postscript, an intermediate 'virtual postscript printer' is used called ghostscript or gs which translates the postscript into printer compatible language (PCL) or something that the printer understands.
The commercial version of ghostscript is Aladdin Ghostscript and the GNU version is derived from this.
The gs utility has a database of printer drivers it can handle (this list is usually up to date, for example many USB printers are supported) and converts the postscript directly into PCL for these known models. The gs utility plays a central role in Linux printing.
2. Printers and print queues
As seen above simple ascii text printing is not handled in the same way as image or postscript files. If you only have one printer and you would like to printout your mail for example, it may not be necessary to use a filter. You may want to define a queue without filters, which would print mail faster. You could also define a queue on the same printer, which would only handle postscript files.
All queues and printers are defined in /etc/printcap. Here is the full configuration of a remote printer 192.168.1.20 using the remote queue named 'lp':
lp:\
:sd=/var/spool/lpd/lp:\
:mx#0:\
:sh:\
:rm=192.168.1.20:\
:rp=lp:
The essential options here are rm the remote host, sd the spool directory and rp the name of the remote queue. Notice that no filters are specified (you would use if for input filter). All the filtering is done on the remote host.
3. Printing Tools
lpr:
The lpr utility is used to submit jobs to a printer. This is a modern version of lp (line print). From a user's point of view it is helpful to understand that a printer can be associated with more than one queue. Here are two examples to print a file called LETTER.
Send job to default printer:
lpr LETTER
Send job to the 'ljet' queue:
lpr -Pljet LETTER
Table 1: Main Options for lpr
-#num  Print num copies
-Ppq   Specify the print queue pq
-s     Make a symbolic link in the spool directory rather than copy the file in
lpq:
A user can monitor the status of print queues with the lpq utility. Here are a few examples.
Show jobs in default queue:
lpq
Show jobs for all queues on the system:
lpq -a
Show jobs in the 'remote' queue:
lpq -Premote
lprm:
Depending on the options in /etc/lpd.perms users may be allowed to delete queued jobs using lprm.
Remove last job submitted:
lprm
Remove jobs submitted by user dhill:
lprm dhill
Remove all submitted jobs:
lprm -a (or simply lprm -)
It is possible to remove a specific spooled job by referencing the job number; this number is given by lpq.
lpc:
The Line Printer Control utility is used to control the print queues and the printers. The print queues can be disabled or enabled. Notice that lprm on the other hand can remove jobs from the queue but doesn't stop the queue.
One can either use lpc interactively (lpc has its own prompt), or on the command line.
Here is an output of lpc help:
CMD: /usr/sbin/lpc help
Commands may be abbreviated. Commands are:
abort enable disable help restart status topq
clean exit down quit start stop up
The enable/disable/topq/up/down options relate to queues
The start/stop options relate to printers
mpage:
This tool will format a document to print a fixed number of pages per sheet. The default is four pages per sheet. This is useful to have a quick overview of a document.
4. The configuration files
/etc/printcap
As seen earlier in the chapter, this file defines all printers and queues that the system can use (remote and local).
The default printer can be specified with either variables LPDEST or PRINTER: PRINTER=lp
If no environmental variable is set the default printer is the first printer defined in /etc/printcap.
The main definitions are:
lp  device name, usually /dev/lp0 for the parallel port
mx  maximum file size (zero=nolimit)
sd  spool directory (/var/spool/lpd/<queuename>)
if  input filter
rm  remote host address or IP
rp  remote queue name
If this file is modified you will need to restart the lpd daemon.
/etc/lpd.conf
This is a very lengthy file and by default all options are commented out. This file is used if an administrator wishes to have more control (i.e remote access authentication, user permissions ...) over the printing.
/etc/lpd.perms
This file controls permission for the lpc, lpq and lprm utilities. In particular you can grant users the right to dequeue their current job (using the lprm tool) with the line:
ACCEPT SERVICE=M SAMEHOST SAMEUSER
LPRng uses a system of keys to shorten the entries in lpd.perms. This is however not very easy to understand. For example the service 'M' corresponds to lprm in the above line.
Sample /etc/lpd.perms file:
## Permissions are checked by the use of 'keys' and matches. For each of
## the following LPR activities, the following keys have a value.
##
## Key          Match  Connect  Job    Job    LPQ   LPRM  LPC
##                              Spool  Print
## SERVICE      S      "X"      "R"    "P"    "Q"   "M"   "C"
## USER         S      -        JUSR   JUSR   JUSR  JUSR  JUSR
## HOST         S      RH       JH     JH     JH    JH    JH
## GROUP        S      -        JUSR   JUSR   JUSR  JUSR  JUSR
## IP           IP     RIP      JIP    JI     RIP   JIP   JIP
## PORT         N      PORT     PORT   -      PORT  PORT  PORT
## REMOTEUSER   S      -        JUSR   JUSR   JUSR  RUSR  RUSR
## REMOTEHOST   S      RH       RH     JH     RH    RH    RH
## REMOTEGROUP  S      -        JUSR   JUSR   JUSR  RUSR  RUSR
## REMOTEIP     IP     RIP      RIP    JIP    RIP   RIP   RIP
## CONTROLLINE  S      -        CL     CL     CL    CL    CL
## PRINTER      S      -        PR     PR     PR    PR    PR
## FORWARD      V      -        SA     -      -     SA    SA
## SAMEHOST     V      -        SA     -      SA    SA    SA
## SAMEUSER     V      -        -      -      SU    SU    SU
## SERVER       V      -        SV     -      SV    SV    SV
## LPC          S      -        -      -      -     -     LPC
## AUTH         V      -        AU     AU     AU    AU    AU
## AUTHTYPE     S      -        AU     AU     AU    AU    AU
## AUTHUSER     S      -        AU     AU     AU    AU    AU
## AUTHFROM     S      -        AU     AU     AU    AU    AU
## AUTHSAMEUSER S      -        AU     AU     AU    AU    AU
##
## KEY:
## JH = HOST host in control file
## RH = REMOTEHOST connecting host name
## JUSR = USER user in control file
## AUTH will match (true) if authenticated transfer
## AUTHTYPE will match authentication type
## AUTHUSER will match client authentication type
## AUTHFROM will match server authentication type and is NULL if not from server
## AUTHSAMEUSER will match client authentication to save authentication in job
##
## Example Permissions
##
## # All operations allowed except those specifically forbidden
## DEFAULT ACCEPT
##
## #Reject connections from hosts not on subnet 130.191.0.0
## # or Engineering pc's
## REJECT SERVICE=X NOT REMOTEIP=130.191.0.0/255.255.0.0
## REJECT SERVICE=X NOT REMOTEHOST=engpc*
##
## #Do not allow anybody but root or papowell on
## #astart1.astart.com or the server to use control
## #facilities.
## ACCEPT SERVICE=C SERVER REMOTEUSER=root
## ACCEPT SERVICE=C REMOTEHOST=astart1.astart.com REMOTEUSER=papowell
##
## #Allow root on talker.astart.com to control printer hpjet
## ACCEPT SERVICE=C HOST=talker.astart.com PRINTER=hpjet REMOTEUSER=root
## #Reject all others
## REJECT SERVICE=C
##
## #Do not allow forwarded jobs or requests
## REJECT SERVICE=R,C,M FORWARD
##
#
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
# allow anybody to get server, status, and printcap
ACCEPT SERVICE=C LPC=lpd,status,printcap
# reject all others
REJECT SERVICE=C
#
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT
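As an added example (not code from the manual or from LPRng), here is a Python evaluator that applies the active rules of the sample file above to constructed requests, so the effect of each ACCEPT/REJECT line can be checked before the file is deployed. The request fields, user names and host names are assumptions; host-name globbing (engpc*) is not implemented.

```python
"""Evaluator for LPRng lpd.perms rules.

Added example, not code from the LinuxIT manual or from LPRng: it applies the
active rules of the sample file above (first matching rule wins, then DEFAULT)
to constructed requests, so one can see who may run lpc, lprm and lpr."""

# Active (uncommented) rules of the manual's sample lpd.perms, as a constructed string.
LPD_PERMS = """
# allow root on server to control jobs
ACCEPT SERVICE=C SERVER REMOTEUSER=root
# allow anybody to get server, status, and printcap
ACCEPT SERVICE=C LPC=lpd,status,printcap
# reject all others
REJECT SERVICE=C
# allow same user on originating host to remove a job
ACCEPT SERVICE=M SAMEHOST SAMEUSER
# allow root on server to remove a job
ACCEPT SERVICE=M SERVER REMOTEUSER=root
REJECT SERVICE=M
# all other operations allowed
DEFAULT ACCEPT
"""


def parse_perms(text):
    """Return (rules, default). A rule is (action, conditions); a condition is
    (key, values_or_None, negated). KEY=a,b matches when the request's value
    is one of a,b; a bare KEY (SERVER, SAMEHOST, SAMEUSER) matches when the
    request flags it true; NOT inverts the condition that follows it."""
    rules, default = [], "REJECT"  # assumed fallback when no DEFAULT line is present
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        action = words[0].upper()
        if action == "DEFAULT":
            default = words[1].upper()
            continue
        conds, negate = [], False
        for word in words[1:]:
            if word.upper() == "NOT":
                negate = True
                continue
            key, _, vals = word.partition("=")
            values = set(v.lower() for v in vals.split(",")) if vals else None
            conds.append((key.upper(), values, negate))
            negate = False
        rules.append((action, conds))
    return rules, default


def condition_holds(req, key, values, negate):
    """One condition against one request; exact, case-insensitive value match."""
    value = req.get(key)
    ok = bool(value) if values is None else str(value).lower() in values
    return ok != negate


def decide(req, perms_text=LPD_PERMS):
    """First matching rule wins; DEFAULT applies when nothing matched."""
    rules, default = parse_perms(perms_text)
    for action, conds in rules:
        if all(condition_holds(req, *c) for c in conds):
            return action
    return default


def make_request(service, user, host, server=False, samehost=False, sameuser=False, lpc=None):
    """Request with the key names lpd.perms uses. SERVICE codes: X connect,
    R spool, P print, Q lpq, M lprm, C lpc (from the key table above)."""
    return {"SERVICE": service, "REMOTEUSER": user, "REMOTEHOST": host,
            "SERVER": server, "SAMEHOST": samehost, "SAMEUSER": sameuser, "LPC": lpc}


if __name__ == "__main__":
    # Constructed requests: who may stop a queue, query status, remove jobs, or print.
    print(decide(make_request("C", "root", "server", server=True, lpc="stop")))  # ACCEPT
    print(decide(make_request("C", "alice", "pc1", lpc="stop")))                # REJECT
    print(decide(make_request("C", "alice", "pc1", lpc="status")))              # ACCEPT
    print(decide(make_request("M", "bob", "pc1", samehost=True)))               # REJECT
    print(decide(make_request("R", "bob", "pc1")))                              # ACCEPT
```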
/etc/hosts.{lpd,equiv}
These files were used by the LPR printing suite and presented a security risk. When running a print server you needed to specify which hosts could access the printer in /etc/hosts.lpd. You also needed to add the hosts to /etc/hosts.equiv.
These files are now replaced in LPRng by the /etc/lpd.perms file.
5. Exercises and Summary
Term    Definition
Filter  Scripts used to prepare a document before printing
Device  Type of connection used to access the printer (e.g parallel, USB or network)
Driver  Translates raw or postscript type formats into printer specific instructions such as PCL
Files
File            Description
/etc/printcap   Read by the lpd daemon at start up and contains a list of configured printers
/etc/lpd.perms  Contains permissions applied to the lpd daemon such as remote access
Commands
Command  Description
lpc      line printer control program
lpd      line printer daemon
lpq      print printer queue status
lpr      submit files for printing
lprm     remove a queued print job
mpage    print multiple pages of a document on one page
1. Start printtool and create a new local queue called lp.
2. Customise the device /dev/tty10 as the printer device (remember to do chmod 666 /dev/tty10 to allow printing on this device). You now have a virtual printer on your system!
3. Send jobs to the print queue using lpr and pr (pre-formatting tool)
4. With your system's print tool, define different remote queues:
- a UNIX queue
- a SMB queue
If you are the server, make sure the appropriate rules are defined in /etc/lpd.perms
In each case
- check the /etc/printcap file. Which filter is used? How is the remote host defined?
- check the /var/spool/lpd/ directory.
5. Stop the various printer queues and printers with lpc.
6. Check the contents of each queue with lpq
7. Dequeue selected jobs with lprm
Appendix
LPI 102 Objectives
1. Kernel
Manage/Query kernel and kernel modules at runtime
Manage a kernel and kernel loadable modules. Use command-line utilities to get information about the kernel modules and the running kernel. Load modules with correct parameters and unload them. Load modules using aliases (p.3)
Keywords: /lib/modules/kernel-version/modules.dep (p.3), /etc/modules.conf or /etc/conf.modules (p.3)
depmod (p.3), insmod (p.3), lsmod (p.3), rmmod (p.3), modinfo (p.4), modprobe (p.3), uname (p.9)
Reconfigure, build, and install a custom kernel and kernel modules
Customise, build, and install a kernel and kernel loadable modules from source. Customise the current kernel. Build a new kernel or new kernel modules as needed. Install the new kernel and reconfigure the boot loader.
Keywords: /usr/src/linux/* (p.5), /usr/src/linux/.config (p.6), /lib/modules/kernel-version/* (p.8), /boot/* (p.8)
make, config (p.6), menuconfig (p.6), xconfig (p.6), oldconfig (p.6), modules (p.8), install, modules_install (p.8), depmod (p.3)
2. Boot, Initialisation, Shutdown and Runlevels
Boot the system
Follow the system through the booting process. Parse parameters to the boot loader (runlevel and kernel options). Check events in the log files.
Keywords: dmesg (p.22), /var/log/messages, /etc/modules.conf (p.3), LILO (p.19), GRUB (p.19)
Change runlevels and shutdown or reboot system
Manage the system's runlevels. The default runlevel. The single user mode. Shutdown and reboot. Alert users before switching runlevel.
Keywords: shutdown (p.25), init (p.15), /etc/inittab (p.18)
3. Printing
Manage printers and print queues
Manage print queues and print jobs. Monitor print server and user print queues. Troubleshoot general printing problems.
Keywords: lpc (p.127), lpq (p.126), lprm (p.126), lpr (p.126), /etc/printcap (p.127)
Print files
Manage print queues and manipulate print jobs. Add and remove jobs from printer queues. Convert text files to postscript for printing.
Keywords: lpr (p.126), lpq (p.126), mpage (p.127)
Install and configure local and remote printers
Install a printer daemon. Install and configure a print filter (e.g.: apsfilter, magicfilter). Make local and remote printers accessible for a Linux system. SMB shared printers.
Keywords: lpd, /etc/printcap (p.127), /etc/apsfilter/*, /var/lib/apsfilter/*, /etc/magicfilter/*, /var/spool/lpd/*
4. Documentation
Use and manage local system documentation
Use and administer the manpages and the material in /usr/share/doc. Find relevant man pages. Search man page sections. Find a command and all the documentation related to it. Configure access to man sources and the man system.
Keywords: man (p.112), apropos (p.111), whatis (p.111), MANPATH (p.111)
Find Linux documentation on the Internet
Find and use Linux documentation. Use Linux documentation from sources such as the Linux Documentation Project (LDP) (p.112), vendors and third-party websites. Linux specific newsgroups (p.112). Newsgroup archives. Mailing lists.
Notify users on system-related issues
Notify users about current issues related to the system. Logon messages.
Keywords: /etc/issue (p.9 and p.113), /etc/issue.net (p.113), /etc/motd (p.113)
5. Shells, Scripting, Programming and Compiling
Customise and use the shell environment
Customise shell environments to meet users' needs. Set environment variables at login, or when spawning a new shell. Write bash functions for frequently used sequences of commands.
Keywords: ~/.bash_profile (p.79), ~/.bash_login (p.79), ~/.profile (p.79), ~/.bashrc (p.80), ~/.bash_logout (p.80), ~/.inputrc (p.80)
function (p.), export (p.79), env (p.79), set (p.79), unset (p.79)
Customise or write simple scripts
Customise existing scripts. Write simple new shell scripts. Use standard sh syntax (loops, tests). Use command substitution. Test command return-values and file status. Conditionally mailing the superuser. The she-bang (#!) sign. Manage location, ownership, execution and suid rights of scripts.
Keywords: while (p.83), for (p.84), test (p.82), chmod (p.81 and file permissions in LPI101)
6. Administrative Tasks
Manage users and group accounts and related system files
Add, remove, suspend and change user accounts. Manage groups. Change user/group info in passwd/group databases. Create special purpose and limited accounts.
Keywords: chage (p.33), gpasswd (p.), groupadd (p.29), groupdel (p.29), groupmod (p.32), grpconv (p.31), grpunconv (p.31), passwd (p.27), pwconv (p.30), pwunconv (p.30), useradd (p.27, p.31), userdel (p.33), usermod (p.32)
/etc/passwd (p.30), /etc/shadow (p.30), /etc/group (p.31), /etc/gshadow (p.31)
Tune the user environment and system environment variables
Modify global and user profiles. Set up environment variables. Maintain the skel directory. Set command search path.
Keywords: env (p.79), export (p.79), set (p.79), unset (p.79), /etc/profile (p.86), /etc/skel (p.31)
Configure and use system log files to meet administrative and security needs
Configure system logs. Manage type and level of information logged. Manually scan log files for notable activity. Monitoring log files: automatic rotation and archiving. Track down problems noted in logs.
Keywords: logrotate (p.105), tail -f, /etc/syslog.conf (p.103, p.104), /var/log/* (p.103)
Automate system administration tasks by scheduling jobs to run in the future
Use cron or anacron to run jobs at regular intervals. Use at to run jobs once. Manage cron and at jobs. Configure user access to cron and at services.
Keywords: at (p.107), atq (p.107), atrm (p.107), crontab (p.106)
/etc/anacrontab, /etc/at.deny (108), /etc/at.allow (p.107), /etc/crontab (p.106), /etc/cron.allow (p.107), /etc/cron.deny (p.107), /var/spool/cron/* (p.106)
Maintain an effective data backup strategy
Plan a backup strategy. Automatically backup filesystems to various media. Dump a raw device to a file and vice versa. Perform partial and manual backups. Verify the integrity of backup files. Partially or fully restore backups.
Keywords: cpio (p.109), dd (p.110), dump (p.109), restore (p.109), tar (p.108)
Maintain system time
Maintain the system time and synchronize the clock over NTP. Set the system date and time. Set the BIOS clock to the correct time in UTC, configuring the correct time zone for the system and configuring the system to correct clock drift to match NTP clock.
Keywords: date (p.97), hwclock (p.98), ntpd (p.98), ntpdate (p.99)
/usr/share/zoneinfo (p.98), /etc/timezone (p.), /etc/localtime (p.98), /etc/ntp.conf (p.98), /etc/ntp.drift (p.99)
7. Networking Fundamentals
Fundamentals of TCP/IP
Understand IP-addresses, network masks and broadcast address. Determine the network address, broadcast address and netmask when given an IP-address and the number of bits. Network classes and classless subnets (CIDR) and the reserved addresses for private network use. It includes the understanding of the function and application of a default route. It also includes the understanding of basic Internet protocols (IP, ICMP, TCP, UDP) (p.53) and the more common TCP and UDP ports (20, 21, 23, 25, 53, 80, 110, 119, 139, 143, 161).
Keywords: /etc/services (p.58), ftp (p.61), telnet (p.60), host, ping, dig, traceroute, whois
TCP/IP configuration and troubleshooting
View, change and verify configuration settings for various network interfaces. Manual and onboot configuration for interfaces and routing tables. Configure and correct routing tables. Configure Linux as a DHCP client.
Keywords: /etc/HOSTNAME (p.38) or /etc/hostname, /etc/hosts (p.38), /etc/networks (p.41), /etc/host.conf (see DNS section p.66), /etc/resolv.conf (p.38), /etc/nsswitch.conf (see DNS section p.67)
ifconfig (p.39), route (p.40), dhcpcd (p.40), dhcpclient (p.40), pump (p.40), host, hostname (domainname, dnsdomainname), netstat (p.43), ping (p.42), traceroute (p.44), tcpdump (p.42)
Configure Linux as a PPP client
Understand the basics of the PPP protocol. Configure PPP for outbound connections. Define the chat sequence when connecting. Initialisation and termination of a PPP connection with a modem, ISDN or ADSL. Set up PPP to automatically reconnect if disconnected.
Keywords: /etc/ppp/options.* (p.120), /etc/ppp/peers/* (p.121), /etc/wvdial.conf (p.119)
/etc/ppp/ip-up (p.121), /etc/ppp/ip-down (p.121), wvdial (p.119), pppd (p.120)
8. Networking Services
Configure and manage inetd, xinetd, and related services
Configure services available through inetd. Use tcpwrappers. Start, stop, and restart internet services. Configure basic network services including telnet and ftp. Set a service to run as another user instead of the default in inetd.conf.
Keywords: /etc/inetd.conf (p.58), /etc/hosts.allow (p.62), /etc/hosts.deny (p.62), /etc/services (p.59), /etc/xinetd.conf (p.59), /etc/xinetd.log
Operate and perform basic configuration of sendmail
Modify simple parameters in sendmail configuration files. Create mail aliases. Manage the mail queue. Start and stop sendmail. Configure mail forwarding and perform basic troubleshooting of sendmail. The objective includes checking for and closing open relay on the mailserver. It does not include advanced custom configuration of Sendmail.
Keywords: /etc/sendmail.cf (p.71), /etc/aliases (p.71), /etc/mail/* (p.71), ~/.forward (p.72)
mailq (p.72), sendmail (p.71), newaliases (p.72)
Operate and perform basic configuration of Apache
Modify simple parameters in Apache configuration files. Start, stop, and restart httpd. Does not include advanced custom configuration of Apache.
Keywords: apachectl (p.73), httpd, httpd.conf (p.72)
Properly manage the NFS, smb, and nmb daemons
Mount remote filesystems using NFS. Configure NFS for exporting local filesystems. Start, stop, and restart the NFS services. Install and configure Samba using GUI tools or direct edit of the /etc/smb.conf file. Sharing of home directories and printers, as well as correctly setting the nmbd as a WINS client.
Keywords: /etc/exports (p.63), /etc/fstab (p.63), /etc/smb.conf (p.65), mount (p.63), umount
Setup and configure basic DNS services
Configure hostname lookups and troubleshoot problems with local caching-only name server. Understand the domain registration and DNS translation process. Differences between bind 4 and bind 8 configuration files.
Keywords: /etc/hosts (p.67), /etc/resolv.conf (p.67), /etc/nsswitch.conf (p.67), /etc/named.boot (v.4) (p.68) or /etc/named.conf (v.8) (p.68), named
Set up secure shell (OpenSSH)
Obtain and configure OpenSSH. Basic OpenSSH installation and troubleshooting. Configure sshd to start at system boot.
Keywords: /etc/hosts.allow (p.97), /etc/hosts.deny (p.97), /etc/nologin, /etc/ssh/sshd_config (p.97), /etc/ssh_known_hosts (p.96), /etc/sshrc
sshd (p.96), ssh-keygen (p.96)
9. Security
Perform security administration tasks
Ensure local security policies. Configure TCP wrappers. Find files with SUID/SGID bit set. Verify packages. Set or change user passwords and password ageing information. Update binaries as recommended by CERT, BUGTRAQ or distribution's security alerts. Basic knowledge of ipchains and iptables.
Keywords: /proc/net/ip_fwchains, /proc/net/ip_fwnames, /proc/net/ip_masquerade, find (p.90), ipchains (p.92), passwd, socket, iptables (p.92)
Setup host security
Set up a basic level of host security. Configure syslog, shadowed passwords. Set up a mail alias for root. Turn off unused network services.
Keywords: /etc/inetd.conf or /etc/inet.d/*, /etc/nologin (p.90), /etc/passwd, /etc/shadow, /etc/syslog.conf
Setup user level security (p.90)
Configure user level security. Limits on user logins, processes, and memory usage.
Keywords: quota, usermod (see LPI 101)
Licence Agreement
Copyright (c) 200: LinuxIT.
Permission is granted to copy, distribute andor modi!y this document
under the terms o! the "#$ %ree &ocumentation License, 'ersion (.2
or any )ater *ersion pub)ished by the %ree +o!t,are %oundation-
,ith the In*ariant +ections being .istory, /c0no,)edgements, ,ith the
%ront1Co*er Texts being 2re)eased under the "%&L by LinuxIT3.
G+0 Free Do!umentation Li!ense
Version 1.2, November 2002
Copyright (C) 2000,200(,2002 %ree +o!t,are %oundation, Inc.
5L Temp)e P)ace, +uite ::0, Ooston, A/ 02(((1(:0M $+/
D*eryone is permitted to copy and distribute *erbatim copies
o! this )icense document, but changing it is not a))o,ed.
0. PREAMBLE
The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense
of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either
commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit
for their work, while not being considered responsible for modifications made by others.
This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the
same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.
We have designed this License in order to use it for manuals for free software, because free software needs free
documentation: a free program should come with manuals providing the same freedoms that the software does. But
this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or
whether it is published as a printed book. We recommend this License principally for works whose purpose is
instruction or reference.
1. APPLICABILITY AND DEFINITIONS
This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder
saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license,
unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such
manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy,
modify or distribute the work in a way requiring permission under copyright law.
A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied
verbatim, or with modifications and/or translated into another language.
A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the
relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and
contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of
mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical
connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position
regarding them.
The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant
Sections, in the notice that says that the Document is released under this License. If a section does not fit the above
definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant
Sections. If the Document does not identify any Invariant Sections then there are none.
The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the
notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a
Back-Cover Text may be at most 25 words.
A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is
available to the general public, that is suitable for revising the document straightforwardly with generic text editors or
(for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and
that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text
formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been
arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not
Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".
Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format,
LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML,
PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and
JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors,
SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated
HTML, PostScript or PDF produced by some word processors for output purposes only.
The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold,
legibly, the material this License requires to appear in the title page. For works in formats which do not have any title
page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the
beginning of the body of the text.
A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains
XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section
name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the
Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to
this definition.
The Document may include Warranty Disclaimers next to the notice which states that this License applies to the
Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards
disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on
the meaning of this License.
2. VERBATIM COPYING
You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that
this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced
in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical
measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may
accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow
the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may publicly display copies.
3. COPYING IN QUANTITY
If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering
more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that
carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the
back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover
must present the full title with all words of the title equally prominent and visible. You may add other material on the
covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and
satisfy these conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as
fit reasonably) on the actual cover, and continue the rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a
machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-
network location from which the general network-using public has access to download using public-standard network
protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must
take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this
Transparent copy will remain thus accessible at the stated location until at least one year after the last time you
distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well before redistributing any large
number of copies, to give them a chance to provide you with an updated version of the Document.
4. MODIFICATIONS
You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above,
provided that you release the Modified Version under precisely this License, with the Modified Version filling the role
of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of
it. In addition, you must do these things in the Modified Version:
A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those
of previous versions (which should, if there were any, be listed in the History section of the Document). You
may use the same title as a previous version if the original publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the
modifications in the Modified Version, together with at least five of the principal authors of the Document (all
of its principal authors, if it has fewer than five), unless they release you from this requirement.
C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license notice giving the public permission to use the
Modified Version under the terms of this License, in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the
Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year,
new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled
"History" in the Document, create one stating the title, year, authors, and publisher of the Document as given
on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the
Document, and likewise the network locations given in the Document for previous versions it was based on.
These may be placed in the "History" section. You may omit a network location for a work that was published
at least four years before the Document itself, or if the original publisher of the version it refers to gives
permission.
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and
preserve in the section all the substance and tone of each of the contributor acknowledgements and/or
dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section
numbers or the equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant
Section.
O. Preserve any Warranty Disclaimers.
If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and
contain no material copied from the Document, you may at your option designate some or all of these sections as
invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These
titles must be distinct from any other section titles.
You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified
Version by various parties--for example, statements of peer review or that the text has been approved by an
organization as the authoritative definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover
Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of
Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already
includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are
acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the
previous publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity
for or to assert or imply endorsement of any Modified Version.
5. COMBINING DOCUMENTS
You may combine the Document with other documents released under this License, under the terms defined in section
4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the
original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice,
and that you preserve all their Warranty Disclaimers.
The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be
replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make
the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or
publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of
Invariant Sections in the license notice of the combined work.
In the combination, you must combine any sections Entitled "History" in the various original documents, forming one
section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled
"Dedications". You must delete all sections Entitled "Endorsements."
6. COLLECTIONS OF DOCUMENTS
You may make a collection consisting of the Document and other documents released under this License, and replace
the individual copies of this License in the various documents with a single copy that is included in the collection,
provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute it individually under this License, provided
you insert a copy of this License into the extracted document, and follow this License in all other respects regarding
verbatim copying of that document.
7. AGGREGATION WITH INDEPENDENT WORKS
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a
volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is
not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the
Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not
themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less
than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document
within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must
appear on printed covers that bracket the whole aggregate.
8. TRANSLATION
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of
section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but
you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant
Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty
Disclaimers, provided that you also include the original English version of this License and the original versions of
those notices and disclaimers. In case of a disagreement between the translation and the original version of this License
or a notice or disclaimer, the original version will prevail.
If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4)
to Preserve its Title (section 1) will typically require changing the actual title.
9. TERMINATION
You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License.
Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate
your rights under this License. However, parties who have received copies, or rights, from you under this License will
not have their licenses terminated so long as such parties remain in full compliance.
10. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time
to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new
problems or concerns. See http://www.gnu.org/copyleft/.
Each version of the License is given a distinguishing version number. If the Document specifies that a particular
numbered version of this License "or any later version" applies to it, you have the option of following the terms and
conditions either of that specified version or of any later version that has been published (not as a draft) by the Free
Software Foundation. If the Document does not specify a version number of this License, you may choose any version
ever published (not as a draft) by the Free Software Foundation.
LinuxIT Technical Education Centre
Index
__________________________________________________________
A
apachectl 73
apropos 111
arp 43
at 107
atd 107
atrm 107
B
backup strategies 108
bootloaders
  1024 cylinders 20
broadcast address 50
C
chage 33
chattr 89
classless subnets 52
cron 103
crond 106
crontab 106
D
date 97
dd 110
depmod 3
dhcpcd 40
dhcpclient 40
dig 70
DNS
  /etc/named.boot 68
  /etc/named.conf 69
  dig 70
  DNS Configuration Files 68
  DNS zone files 69
  Hierarchical structure 68
  host 70
  Types of DNS servers 68
Dotted Quad 49
driftfile 98
dump 109
E
env 79
export 79
exportfs 63
F
Files
  /etc/hosts.allow 62
  /etc/aliases 72
  /etc/at.allow 108
  /etc/at.deny 108
  /etc/bashrc 80
  /etc/cron.allow 107
  /etc/cron.deny 107
  /etc/crontab 106
  /etc/dumpdates 109
  /etc/exports 63
  /etc/host.conf 66
  /etc/hosts 67
  /etc/hosts.deny 62
  /etc/inetd.conf 58
  /etc/inputrc 80
  /etc/issue 113
  /etc/issue.net 113
  /etc/localtime 98
  /etc/logrotate.conf 105
  /etc/mail/* 71
  /etc/motd 113
  /etc/named.boot 68
  /etc/named.conf 69
  /etc/networks 41
  /etc/nsswitch.conf 66
  /etc/ntp.conf 98
  /etc/ntp.drift 99
  /etc/ntp/drift 99
  /etc/ppp/ip-down 121
  /etc/ppp/ip-up 121
  /etc/printcap 125, 127
  /etc/profile 79
  /etc/resolv.conf 38, 67
  /etc/security/access.conf 90
  /etc/security/limits.conf 90
  /etc/sendmail.cf 71
  /etc/services 55
  /etc/shadow 30
  /etc/smb.conf 65
  /etc/ssh 96
  /etc/sysctl.conf 39
  /etc/syslog.conf 103p.
  /etc/wvdial.conf 121
  /etc/xinetd.conf 59
  /lib/modules/ 2p.
  /proc/sys/net/ipv4/ip_forward 39
  /usr/share/man 111
  /usr/share/zoneinfo/ 98
  /var/log/httpd 73
  /var/log/messages 90
  /var/log/secure 90
  /var/log/wtmp 90
  /var/run/utmp 90
  /var/spool/at/ 107
  /var/spool/cron/<username> 106
  /var/spool/mail/ 72
  /var/spool/mqueue 72
  ~/.bash_profile 79
  ~/.bashrc 80
  ~/.forward 72
  ~/.inputrc 80
  $HOME/.ssh 96
  access.conf 73
  authorized_keys2 96
  httpd.conf 73
  id_dsa 96
  id_dsa.pub 96
  known_hosts 96
  modutils (package) 3
  srm.conf 73
  ssh_config 97
  sshd_config 97
find 90
ftp 61
G
gpasswd 29
groupadd 29, 32
groups 28
H
host 70
HOWTOs 112
hwclock 98
I
ICMP 54
id 28
ifconfig 39
inetd 58
info 112
init 16
init (boot parameters) 21
init.d 17
insmod 3
IP 54
ipchains 92
iptables 92
K
kernel build
  LILO 10
  make clean 7
  make config 6
  make dep 7
  make menuconfig 6
  make modules 8
  make modules_install 8
  make oldconfig 6
  make xconfig 6
L
last 90
libwrap 91
LILO 20p.
logger 105
logrotate 105
lpc 127
lpd 126
lp 126
lpr 126
lprm 126
lsmod 3
M
mail 72
man -k 111
Manpages 110
MANPATH 111
modinfo 3
modprobe 3
modules.conf 3
modules.dep 3
mpage 127
N
netmask 49
netstat 43
network address 50
News Groups 112
NFS 62
noexec 89
nosuid 89
NTP - network time protocol 98
ntpd 98
ntpdate 99
P
passwd 27
ping 42
portmap 63
PPP 54
pppd
  /etc/wvdial.conf 121
  chap-secrets 121
  chat 120
  minicom 119
  pap-secrets 121
  peers 121
  wvdial 119
pump 40
R
restore 109
rmmod 3
route 41
S
Samba
  smbclient 64
  smbmount 64
scripting
  $(( )) 85
  expr 85
  for loop 84
  if then 83
  until loop 84
  while loop 83
sendmail 72
sendmail.cf
  Cw 71
  Ds 71
  Fw 71
shutdown 18
socket 59
ssh 96
ssh-keygen 96
sshd 96
subnetting 52
subnets 52
sysctl 39
syslog.conf 103
syslogd 103
T
tar 108
TCP 54
TCP wrappers 61
tcp_wrapper 91
TCP/IP model (4 layer) 53
TCP/IP Suite 53
tcpdump 42
telnet 60
test 82
The Linux Documentation Project 112
traceroute 44
U
UDP 54
unset 79
useradd 27, 32
usermod 32
W
whatis 111
who 90
X
xinetd 59