Lab work for LPI 202 released under the GFDL by LinuxIT, April 2005

Copyright (c) 2005 LinuxIT. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being History, Acknowledgements, with the Front-Cover Texts being "released under the GFDL by LinuxIT".

GNU Free Documentation License
Version 1.2, November 2002

Copyright (C) 2000,2001,2002 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.
C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.
O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.
Introduction; Acknowled<ments The ori#inal material "as made available b! Linux%T4s technical trainin# centre """.linuxit.com. The manual is available online at http33savannah.non#nu.or#3pro,ects3lpi-manuals3. )e "ould like to thank the $avannah Volunteers for assessin# the pro,ect and providin# us "ith the )eb space. 2istory 8V$ version 0.0 ?anuar! 200B, /drian Thomasset DadrianElinuxit.comF. Cevie"ed3'pdated /pril 200B, /ndre" 2eredith Dandre"Eanvil.or#F Cevie"3'pdate 2a! 200:, /drian Thomasset DadriantElinuxit.comF G Linux%T Technical <ducation 8entre ,ontents HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH Introduction;&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 6 /ckno"led#ments............................................................................................................................................................ G >istor!.............................................................................................................................................................................. G !NS&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& : +& %sin< di< and host&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& +0 1.1 Non-recursive 1ueries.............................................................................................................................................. 
10 2& *asic *ind 9 ,onfi<uration&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& +2 2.1 The Lo##in# $tatement........................................................................................................................................... 1A 2.2 The ;ptions $tatement ........................................................................................................................................... 1B 2.A The @one $tatement................................................................................................................................................. 1G 2.B The /ccess 8ontrol Lists 5acl6 $tatement................................................................................................................ 1I 0& ,reate and )aintain =one iles&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& +9 $& Securin< a !NS Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& +: B.1 $erver /uthentication .............................................................................................................................................. 20 B.2 ./T/ %nte#rit! and /uthenticit! .............................................................................................................................. 
21 Sendmail&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 2$ +& %sin< Sendmail&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 25 1.1 8onfi#uration $ettin#s.............................................................................................................................................. 2: 1.2 Virtual >ostin#.......................................................................................................................................................... 2G 2& ,onfi<urin< )ailin< Lists&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 27 2.1 2a,ordomo and $endmail........................................................................................................................................ 2I 0& )ana<in< )ail "raffic&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 00 A.1 'sin# (rocmail......................................................................................................................................................... A0 8eb Services&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 02 +& Im#lementin< a 8eb Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 00 1.1 %nstallin# /pache...................................................................................................................................................... 
AA 1.2 2onitorin# apache load............................................................................................................................................ AA 1.A 'sin# /pachectl....................................................................................................................................................... AB 1.B *asic 8onfi#uration ;ptions..................................................................................................................................... A: 1.: Cestrictin# 8lient /ccess......................................................................................................................................... AI 1.G 8lient *asic /uthentication...................................................................................................................................... AJ 2& )aintainin< a 8eb Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 09 2.1 >TT($ ;vervie"...................................................................................................................................................... AJ 2.2 $$L Virtual >osts..................................................................................................................................................... AK 2.A 2ana#in# 8ertificates............................................................................................................................................... B0 2.B Virtual >osts............................................................................................................................................................. 
B1 0& Im#lementin< a Proxy Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& $0 A.1 &ettin# $tarted......................................................................................................................................................... BA A.2 /ccess Lists and /ccess 8ontrol............................................................................................................................. BA A.A /dditional 8onfi#uration ;ptions.............................................................................................................................. B: A.B Ceportin# Tools........................................................................................................................................................ BG A.B 'ser /uthentication 5usin# (/26............................................................................................................................. BJ Network ,lient )ana<ement&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 50 +& !2,P ,onfi<uration&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 5+ 1.1 .efault .>8( 8onfi#urations................................................................................................................................... :1 1.2 .!namic .N$ .......................................................................................................................................................... :A 1.A .>8( Cela!............................................................................................................................................................. 
:: 2& NIS ,onfi<uration&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 56 2.1 2aster $erver 8onfi#uration.................................................................................................................................... :G 2.2 $lave $erver 8onfi#uration...................................................................................................................................... :I 2.A 8lient $etup.............................................................................................................................................................. :I 2.B $ettin# up N9$ home directories............................................................................................................................. :J I Linux%T Technical <ducation 8entre ,ontents HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH 2.: *asic N%$ /dministration.......................................................................................................................................... :J 0& L!AP ,onfi<uration&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 60 A.1 )hat is ldap............................................................................................................................................................. G0 A.2 ;penL./( server confi#uration.............................................................................................................................. G1 A.A 8lient confi#uration files........................................................................................................................................... G2 A.B 2i#ratin# $!stem 9iles to L./( .............................................................................................................................. 
GA A.: L./( /uthentication $cheme.................................................................................................................................. GG $& PA) Authentication&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 6: B.1 (/2 /"are /pplications ......................................................................................................................................... GK B.2 (/2 8onfi#uration................................................................................................................................................... GK System Security&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 7+ +& I#tables>I#chains&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 72 1.1 The 8hains............................................................................................................................................................... I2 1.2 The Tables............................................................................................................................................................... IA 1.A The Tar#ets.............................................................................................................................................................. IB 1.B <xample Cules......................................................................................................................................................... 
IB 2& !ifferences with I#chains&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 75 0& Security "ools&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 77 A.1 $$>.......................................................................................................................................................................... II A.2 L$;9........................................................................................................................................................................ IJ A.A N<T$T/T................................................................................................................................................................. IK A.B T8(.'2(................................................................................................................................................................ IK A.: N2/(....................................................................................................................................................................... J2 (xam 202; !etailed .b?ectives&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 90 Topic 20: Net"orkin# 8onfi#uration............................................................................................................................. JA Topic 20G 2ail L Ne"s................................................................................................................................................... JB Topic 20I .N$.............................................................................................................................................................. 
Topic 208 Web Services
Topic 210 Network Client Management
Topic 212 System Security
Topic 214 Network Troubleshooting

LinuxIT Technical Education Centre

DNS

DNS
1. Using dig and host
1.1 Non-recursive Queries
2. Basic Bind 8 Configuration
2.1 The Logging Statement
2.2 The Options Statement
2.3 The Zone Statement
2.4 The Access Control Lists (acl) Statement
3. Create and Maintain Zone Files
4. Securing a DNS Server
4.1 Server Authentication
4.2 DATA Integrity and Authenticity

1. Using dig and host

The bind-utils package (dnsutils on Debian based systems) provides the tools used to query DNS servers. We will use dig and host to illustrate different types of queries.

1.1 Non-recursive Queries

By telling every DNS server we query not to recurse on our behalf (dig +norecursive clears the RD bit of the query) we have to follow the thread of information ourselves, from the root down through the list of name servers for each domain, in order to get an answer. For this we need to query a hostname that has not been cached by our local server yet.

QUERY 1

    dig +norecursive +nostats www.tldp.org @127.0.0.1

    ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;www.tldp.org.                  IN      A
    ;; AUTHORITY SECTION:
    .                       3600000 IN      NS      A.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      B.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      C.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      D.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      E.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      F.ROOT-SERVERS.NET.
    .                       3600000 IN      NS      G.ROOT-SERVERS.NET.

Result: the local cache does not contain the required information and, since we asked it not to recurse, the server does not go and fetch it. It returns the best referral it has, the root servers for "." (taken from its hints file), and leaves it to us to continue from there.

QUERY 2

    dig +norecursive +nostats www.tldp.org @L.root-servers.net

    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
    ;; QUESTION SECTION:
    ;www.tldp.org.                  IN      A
    ;; AUTHORITY SECTION:
    org.                    172800  IN      NS      TLD1.ULTRADNS.NET.
    org.                    172800  IN      NS      TLD2.ULTRADNS.NET.
    ;; ADDITIONAL SECTION:
    TLD1.ULTRADNS.NET.      172800  IN      A       204.74.112.1
    TLD2.ULTRADNS.NET.      172800  IN      A       204.74.113.1

Result: the root DNS server L.ROOT-SERVERS.NET is queried. This server returns the names of two DNS servers authoritative for the org domain and, in the ADDITIONAL section, their IP addresses (glue records), so that we can contact one of them directly.

QUERY 3

    dig +norecursive +nostats www.tldp.org @tld2.ultradns.net

    ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;www.tldp.org.                  IN      A
    ;; AUTHORITY SECTION:
    TLDP.ORG.               172800  IN      NS      NS2.UNC.EDU.
    TLDP.ORG.               172800  IN      NS      NS.UNC.EDU.

Result: querying one of the org DNS servers we receive the names of two DNS servers authoritative for the TLDP.ORG domain. Notice ADDITIONAL: 0 this time: the org servers do not hand out addresses for names under unc.edu (a resolver should not trust such out-of-zone glue anyway), so a real resolver must first resolve ns.unc.edu through the edu servers before it can go on. dig does that for us when it looks up the @server argument. The next query should yield an answer!

QUERY 4

    dig +norecursive +nostats www.tldp.org @ns.unc.edu

    ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
    ;; ANSWER SECTION:
    www.tldp.org.           86400   IN      A       152.2.210.81
    ;; AUTHORITY SECTION:
    tldp.org.               86400   IN      NS      ns.unc.edu.
    tldp.org.               86400   IN      NS      ns2.unc.edu.
    tldp.org.               86400   IN      NS      ncnoc.ncren.net.
    ;; ADDITIONAL SECTION:
    ns.unc.edu.             172800  IN      A       152.2.21.1
    ns2.unc.edu.            172800  IN      A       152.2.253.100
    ncnoc.ncren.net.        885     IN      A       128.109.193.1
    ncnoc.ncren.net.        885     IN      A       192.101.21.1

Result: as expected the DNS servers for the TLDP.ORG domain have a record for www.tldp.org; the aa flag shows that the answer is authoritative rather than served from a cache.

NOTICE

The above sequence of queries was necessary only because the host www.tldp.org was not cached on the local caching server. The dig instruction queried the remote DNS servers without using the local server. Typing

    host www.tldp.org 127.0.0.1

and then

    dig +norecursion www.tldp.org @127.0.0.1

would yield an answer since all the information is now cached on the local caching server.

Search the NS records for a domain (authoritative DNS servers):

    host -t NS tldp.org
    tldp.org name server ns2.unc.edu.
    tldp.org name server ncnoc.ncren.net.
    tldp.org name server ns.unc.edu.

Search the MX record for a domain:

    host -t MX tldp.org
    tldp.org mail is handled by 0 gabber.metalab.unc.edu

Finally, it is possible to see all records with host -a.
2. Basic Bind 8 Configuration

The configuration file for a Bind 8 (or 9) server is /etc/named.conf. This file has the following main entries:

Main entries in named.conf

logging    Specify where logs are written to and what needs to be logged
options    Global options are set here (e.g. the path to the zone files)
zone       Defines a zone: the name, the zone file, the server type
acl        Access control list
server     Specific options for remote servers

Let's look at a typical configuration file for a caching only server. We will add entries to it as we go to create new zones, logging facilities, security, etc.

Skeleton named.conf file

    options {
            directory "/var/named";
            datasize 100M;
    };
    zone "." IN {
            type hint;
            file "named.ca";
    };

    zone "localhost" IN {
            type master;
            file "localhost.zone";
            allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
            type master;
            file "named.local";
            allow-update { none; };
    };

2.1 The Logging Statement

The syntax for logging is:

    logging {
        channel channel_name {
            file file_name;
            versions number_of_files;
            size log_size;
            syslog < daemon | auth | syslog | authpriv | local0 -to- local7 | null >;
            severity < critical | error | warning | notice | info | debug | dynamic >;
            print-category yes_or_no;
            print-severity yes_or_no;
            print-time yes_or_no;
        };
        category category_name {
            channel_name;
        };
    };

The channel defines where logs are sent to (a channel has exactly one destination: a file, syslog or null). If syslog is selected then the facility and the log level can be specified too. The category clause defines the type of information sent to a given channel (or list of channels). If no channel is given for a category, the built-in channels are used; the default is

    category default { default_syslog; default_debug; };
Example: we choose not to use the syslog daemon and to log everything to a file called "LOG" that will be created in the same directory as the zone files (the directory option, /var/named by default). For this we create the channel foo_channel. Next we want to log queries using this channel. The entry in named.conf will look like this:

    logging {
        channel foo_channel {
            file "LOG";
            print-time yes;
            print-category yes;
            print-severity yes;
        };
        category "queries" {
            "foo_channel";
        };
    };

Query logging records every client question, so on a busy server this file grows quickly; add versions and size to the channel so that BIND rotates it, and remember that the file is written by the user named runs as, so the directory must be writable by that user.

Categories such as queries are predefined and listed in the named.conf(5) manpage. However some of the names have changed since BIND 8, so we include as a reference the list of categories for BIND 9 below.

BIND 9 Logging Categories

default         Category used when no specific channels (log levels, files ...) have been defined
general         Catch-all for messages that haven't been classified below
database        Messages about the internal zone database
security        Approval and denial of requests
config          Processing of the configuration file
resolver        Information about operations performed on behalf of clients (recursive lookups)
xfer-in, xfer-out   Received or sent zone files
notify          Log NOTIFY messages
client          Client activity
update          Zone updates
queries         Client queries
dnssec          DNSSEC transactions
lame-servers    Transactions sent from servers marked as lame servers
2.2 The Options Statement

The global options for the server are set at the beginning of named.conf. The syntax is:

    options {
        option1;
        option2;
        ....
    };

We next cover the most common options.

version
The manpage says: "The version the server should report via a query of the name version.bind with type TXT, class CHAOS. The default is the real version number of this server, but some server operators prefer the string (surely you must be joking)". Hiding the version does not stop an attacker, but it removes a free hint about which exploits to try.

    version "surely you must be joking";

directory
The working directory of the server.

    directory "/var/named";

fetch-glue (default yes, obsolete in BIND 9)
When set to no, prevents the server from fetching the addresses of NS records itself (the additional data section). When a record is not present in the cache BIND can still determine which servers are authoritative for the newly queried domain. This is often used in conjunction with recursion no.

notify (default yes)
Send DNS NOTIFY messages to the slave servers to notify zone changes (helps speed up convergence).

recursion (default yes)
The server will perform recursive queries when needed. A server that recurses for anybody on the Internet is an "open resolver" and will be abused for cache poisoning and reflection attacks, so an authoritative server exposed to the Internet should set recursion no, and a caching server should restrict recursion with allow-recursion.

forward (only or first)
The default value is first and causes the server to query the forwarders before attempting to answer a query itself. If the option is set to only the server will always ask the forwarders for an answer. This option has to be used with forwarders.

forwarders (list)
List of servers to be used for forwarding. The default is an empty list.

    forwarders { 10.0.0.1; 10.0.0.10; };

datasize
Limit the memory (data segment) the server process may use; in BIND 9 the cache itself is limited with max-cache-size.

    datasize 512M;

allow-query (list)
A list of hosts or networks that may query the server.

allow-recursion (list)
List of hosts that can submit recursive queries.

allow-transfer (list)
List of hosts (usually the slaves) who are allowed to do zone transfers. If it is not set, these versions of BIND allow anybody to transfer the whole zone, which hands an attacker a complete map of the network.

2.3 The Zone Statement

The syntax for a zone entry in named.conf is as follows:

    zone domain_name {
        type zone_type;
        file zone_file;
        local_options;
    };

We first look at the local_options available. Some of these are the same options with the same syntax as the global options we have just covered (with some additional ones). The most common ones are notify, allow-transfer and allow-query. Additional ones are masters (list of master servers) or dialup.

The domain_name is the name of the domain we want to keep records for. For each domain name there is usually an additional zone that controls the corresponding in-addr.arpa (reverse) zone.

The zone_type can either be:

master   the server has a master copy of the zone file
slave    the server has a version of the zone file that was downloaded from a master server
hint     predefined zone containing a list of root servers
stub     similar to a slave server but only keeps the NS records

The zone_file is a path to the file containing the zone records. If the path is not an absolute path then it is taken relative to the directory given earlier by the directory option (usually /var/named).

Example master zone entries, allowing zone transfers to a slave server at 10.1.2.3 only:

    zone "seafront.bar" {
        type master;
        file "seafront.zone";
        allow-transfer { 10.1.2.3; };
    };

    zone "2.1.10.in-addr.arpa" {
        type master;
        file "10.1.2.zone";
        allow-transfer { 10.1.2.3; };
    };

The next example is the corresponding named.conf zone section for the slave server, assuming the master has the IP 10.1.2.1:

    zone "seafront.bar" IN {
        type slave;
        masters { 10.1.2.1; };
        file "slave/seafront.zone";
    };

    zone "2.1.10.in-addr.arpa" IN {
        type slave;
        masters { 10.1.2.1; };
        file "slave/10.1.2.local";
    };

The slave needs its own allow-transfer (for instance { none; }): the option on the master does not protect the copy held by the slave.

2.4 The Access Control Lists (acl) Statement

Rather than use IPs it is possible to group lists of IP addresses or networks and assign a name to this grouping.
Example acl:

    acl internal_net { 10.0.0.0/8; };

There are built-in ACLs as follows:

any         all hosts
none        no host
localhost   all IP addresses of the local interfaces
localnets   the networks attached to the local interfaces

The Server Statement

This statement is used to assign configuration options for a specific server. For example if a server is giving bad information it can be marked as bogus. One can also set the keys associated with a server for host-to-host authentication when using TSIG (see section 4, Securing a DNS Server).

3. Create and Maintain Zone Files

The format of the zone files is defined in RFC 1035 and contains resource records (RR) for the administered domain or sub-domain. The types of resource records are:

1 - Start Of Authority (SOA): describes the root of the zone.

    root-name TTL IN SOA name-server email-address (
        serial number;
        refresh;
        retry;
        expire;
        minimum; )

The root-name is often replaced with an "@" symbol which resolves to the name of the zone specified in named.conf.

Example:

    $TTL 86400
    @  1D  IN  SOA  ns.seafront.bar. root.seafront.bar. (
                        46      ; serial (d. adams)
                        1H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum

2 - Records defining the name servers for this domain, NS records:

    domain-name IN NS name-server

Example:

    IN NS ns

NOTICE

1. If the name of the domain is missing then @ is assumed.
2. The fully qualified name of the name server is ns.seafront.bar. (with the trailing dot). A host name that doesn't end with a dot will automatically have the domain name "@" appended to it. Here for example ns becomes ns.seafront.bar. Conversely, writing ns.seafront.bar without the final dot produces ns.seafront.bar.seafront.bar., a very common mistake that named loads without complaint.
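The NOTICE above and the glue records described under Authority Delegation below are the two places where zone files go quietly wrong. The following added example (not from the original manual) parses the zone file syntax of this section and checks for both: ZONE is the manual's seafront.bar example with the devel delegation moved into it, plus a made-up lab delegation that is deliberately missing its glue. Only the record types used here are understood.

```python
"""Parse the zone file syntax of this section and check it for two classic
mistakes: a relative name that silently gets the origin appended, and a
delegated sub-zone whose name servers have no address (glue) record.

Added example, not from the original manual. ZONE is constructed from the
manual's seafront.bar example; the lab delegation is deliberately broken.
"""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TYPES = {"SOA", "NS", "MX", "A", "AAAA", "PTR", "CNAME", "TXT"}

ZONE = """\
$TTL 86400
@   1D  IN  SOA  ns.seafront.bar. root.seafront.bar. (
                     46      ; serial (d. adams)
                     1H      ; refresh
                     15M     ; retry
                     1W      ; expiry
                     1D )    ; minimum
            IN  NS   ns
            IN  MX   10 mail
ns          IN  A    10.1.2.1
mail        IN  A    10.1.2.25
devel       IN  NS   ns1.devel            ; delegation, glue on the next line
ns1.devel   IN  A    192.168.21.254
lab         IN  NS   ns1.lab              ; delegation WITHOUT glue: must be flagged
"""


def ttl(token):
    """'1H', '15M', '1W' or plain seconds -> seconds."""
    m = re.fullmatch(r"(\d+)([smhdwSMHDW]?)", token)
    if not m:
        raise ValueError("bad time value: " + token)
    return int(m.group(1)) * UNITS.get(m.group(2).lower(), 1)


def absolute(name, origin):
    """The rule from the NOTICE: '@' is the origin, a name without a trailing
    dot gets the origin appended, a name with one is left alone."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def logical_lines(text):
    """Strip ';' comments and join records spread over several lines with ( )."""
    lines, depth, parts = [], 0, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip() and depth == 0:
            continue
        parts.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            lines.append(" ".join(parts).replace("(", " ").replace(")", " "))
            parts = []
    if depth:
        raise ValueError("unbalanced parentheses in zone file")
    return lines


def parse_zone(text, origin):
    """Return (default TTL, list of records as dicts with absolute names)."""
    if not origin.endswith("."):
        origin += "."
    default_ttl, owner, records = None, origin, []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = ttl(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = absolute(tokens[1], origin)
            continue
        if not line[0].isspace():            # new owner name; blank means "same as before"
            owner = absolute(tokens.pop(0), origin)
        rr_ttl = default_ttl
        if tokens[0] != "IN" and tokens[0] not in TYPES:
            rr_ttl = ttl(tokens.pop(0))
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolute(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), absolute(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = ([absolute(rdata[0], origin), absolute(rdata[1], origin), int(rdata[2])]
                     + [ttl(t) for t in rdata[3:7]])
        records.append({"name": owner, "ttl": rr_ttl, "type": rtype, "rdata": rdata})
    return default_ttl, records


def missing_glue(records, origin):
    """NS targets that live inside this zone but have no A/AAAA record here."""
    if not origin.endswith("."):
        origin += "."
    addressed = {r["name"] for r in records if r["type"] in ("A", "AAAA")}
    return [(r["name"], r["rdata"][0]) for r in records
            if r["type"] == "NS" and r["rdata"][0].endswith("." + origin)
            and r["rdata"][0] not in addressed]


if __name__ == "__main__":
    default, rrs = parse_zone(ZONE, "seafront.bar")
    for r in rrs:
        print(r["name"], r["ttl"], r["type"], *r["rdata"])
    print("delegations without glue:", missing_glue(rrs, "seafront.bar"))
```

absolute("ns.seafront.bar", "seafront.bar.") returns ns.seafront.bar.seafront.bar., which is exactly what named would load from the mistaken record; missing_glue() reports the lab delegation, the same condition named-checkzone warns about on a real server.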
3 - Records defining the mail servers for this domain, MX records:

    domain-name IN MX PRI mail-server

The PRI entry is a priority number. If several mail servers are defined for a domain then the servers with the lowest priority number are tried first.

4 - Authoritative information for hosts on the domain, called A records:

    host-name IN A IP-address

Authority Delegation

5 - When defining the name servers responsible for another sub-domain, additional NS records are added as well as some glue records, which are simply A records resolving the DNS servers of the sub-domain. Without glue nobody could reach a name server whose name lies inside the very zone it serves.

Example (in the myco.com zone file):

    devel.myco.com.      IN NS  ns1.devel.myco.com.
    ns1.devel.myco.com.  IN A   192.168.21.254

Note the trailing dots: the relative form ns1 would expand to ns1.myco.com., which is not the delegated server.

Reverse zone files

6 - Authoritative PTR records, resolving IP addresses:

    n IN PTR host-name

4. Securing a DNS Server

In 1995, following major security flaws discovered in DNS, a new topic called DNSSEC was started within the IETF. The DNSSEC protocol is described in a sequence of three draft documents known as RFC2535bis (since published as RFC 4033, 4034 and 4035) and proposes to handle server authentication as well as data authenticity.

4.1 Server Authentication

This part addresses vulnerabilities that occur during unauthorised dynamic updates as well as spoofed master impersonations. These involve host-to-host authentication between either a DHCP or a slave server and the master server. The dnssec-keygen tool is used to generate a shared host key on the master server that is then copied to the slave server. This authentication mechanism is called TSIG, which stands for Transaction SIGnature (RFC 2845). Strictly speaking TSIG is not part of DNSSEC: it relies on a symmetric secret shared by the two hosts, not on public key signatures. Another mechanism is SIG(0) (RFC 2931) and is not covered in these notes.

Master Configuration

1. First generate the host key on the master server, called seafront.bar:

    dnssec-keygen -a HMAC-MD5 -b 256 -n HOST seafront.bar.

(HMAC-MD5 is what BIND of that time offered. Current BIND no longer generates TSIG keys with dnssec-keygen; use tsig-keygen -a hmac-sha256 seafront.bar., which prints a ready-made key statement, and put hmac-sha256 in the algorithm line below.)

This will create the following "public" and private key
pair:

    Kseafront.bar.+157+49196.key
    Kseafront.bar.+157+49196.private

Notice: these keys must NOT be inserted in the zone files (there is an IN KEY line in the "public" key file that is misleading, it looks like an RR). The two files hold the same secret: an HMAC key is symmetric, so there is no public half at all, and the .key file is exactly as sensitive as the .private one. Neither may be published, and both should be readable only by root and the user named runs as.

The content of Kseafront.bar.+157+49196.key is:

    seafront.bar. IN KEY 512 3 157 QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4=

(Having been printed here, this particular secret is burnt; generate your own.)

2. In the same directory as the server's named.conf configuration file, create the file slave.key with the following content:

    key "seafront.bar." {
        algorithm hmac-md5;
        secret "QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4=";
    };

3. Apply the following changes in named.conf:

    include "/etc/slave.key";

    zone "seafront.bar" IN {
        type master;
        file "seafront.zone";
        allow-transfer { key seafront.bar.; };
    };

    zone "2.1.10.in-addr.arpa" IN {
        type master;
        file "10.1.2.zone";
        allow-transfer { key seafront.bar.; };
    };

Transfers are now granted to whoever signs the request with this key, whatever its source address. Elements of an address match list are ORed, so { 10.1.2.3; key seafront.bar.; } would admit either the address or the key; to insist on the signature, list only the key.

Slave Configuration

Copy the slave.key file to the slave server in the directory containing named.conf (over a secure channel such as scp, keeping the restrictive permissions). Add the following server and include statements to named.conf:

    server 10.1.2.1 {            // the IP of the master server
        keys { seafront.bar.; };
    };

    include "/etc/slave.key";

Troubleshooting

Restart named on both servers and monitor the logs. Notice that TSIG is sensitive to time stamps (each signature carries the time it was made and a "fudge" of 300 seconds by default, outside of which the receiver answers BADTIME), so you will need to synchronise the servers (using NTP). Then run the following command on the master server in the same directory where the keys were generated:

    dig @10.1.2.1 seafront.bar AXFR -k Kseafront.bar.+157+49196.key

4.2 DATA Integrity and Authenticity

This aspect of DNSSEC is above the level of this manual and is simply a summary of the concepts involved.
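Before the summary of data authenticity, here is what the key statement and the dig -k test of section 4.1 actually exchange on the wire. This is an added example, not BIND's code: it implements TSIG signing and verification (RFC 2845) over a constructed AXFR query with the standard library only (no name compression, which a TSIG record never uses anyway). The secret is the one printed in the manual, decoded from its base64 form, which is precisely why it must never be used for real; the algorithm is hmac-sha256 rather than the hmac-md5 of the original. The BADTIME branch is the check that makes NTP mandatory.

```python
"""TSIG (RFC 2845) signing and verification of a DNS message.

Added example, not BIND's code. The secret is the burnt one printed in the
manual; KEYS plays the role of the key { } statement.
"""
import base64
import hashlib
import hmac
import struct
import time

TYPE_TSIG, TYPE_AXFR, CLASS_IN, CLASS_ANY = 250, 252, 1, 255
ALGORITHMS = {"hmac-sha256.": hashlib.sha256, "hmac-md5.sig-alg.reg.int.": hashlib.md5}
SECRET = base64.b64decode("QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4=")
KEYS = {"seafront.bar.": ("hmac-sha256.", SECRET)}


def encode_name(name):
    """Text name -> uncompressed wire format (length-prefixed labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, pos):
    """Wire name at buf[pos] -> (text name, position just after it)."""
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def build_query(qname, qtype=TYPE_AXFR, msg_id=0x1234):
    """Header (QDCOUNT=1, ARCOUNT=0) plus one question, not signed yet."""
    return (struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)
            + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN))


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The TSIG fields covered by the MAC, names in canonical lower case."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(algorithm.lower()) + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message, key_name, secret, algorithm="hmac-sha256.", now=None, fudge=300):
    """Append a TSIG RR to `message` (which must not carry one already)."""
    time_signed = int(time.time()) if now is None else now
    mac = hmac.new(secret, message + tsig_variables(key_name, algorithm, time_signed, fudge),
                   ALGORITHMS[algorithm]).digest()
    original_id = struct.unpack("!H", message[:2])[0]
    rdata = (encode_name(algorithm) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", fudge, len(mac)) + mac + struct.pack("!HHH", original_id, 0, 0))
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return (message[:10] + struct.pack("!H", arcount) + message[12:] + encode_name(key_name)
            + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata)


def verify(signed, keys, now=None):
    """Check the trailing TSIG RR; returns (ok, RFC 2845 status name)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    if ar == 0:
        return False, "unsigned"
    pos = 12
    for _ in range(qd):                               # skip the question section
        _, pos = decode_name(signed, pos)
        pos += 4
    for _ in range(an + ns + ar):                     # walk the RRs; the last one must be TSIG
        rr_start = pos
        _, pos = decode_name(signed, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
        pos += 10 + rdlen
    if rtype != TYPE_TSIG:
        return False, "unsigned"
    key_name, p = decode_name(signed, rr_start)
    algorithm, p = decode_name(signed, p + 10)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    original_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    if key_name.lower() not in keys or keys[key_name.lower()][0].lower() != algorithm.lower():
        return False, "BADKEY"
    secret = keys[key_name.lower()][1]
    # Rebuild the message as it was when signed: original ID, ARCOUNT without the TSIG RR.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", ar - 1) + signed[12:rr_start])
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, algorithm, time_signed,
                                                          fudge, error, other),
                        ALGORITHMS[algorithm.lower()]).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    current = int(time.time()) if now is None else now
    if abs(current - time_signed) > fudge:           # the check that NTP keeps happy
        return False, "BADTIME"
    return True, "NOERROR"
```

The verifier recomputes the MAC over the message with the TSIG record removed and ARCOUNT decremented, which is why a single flipped byte anywhere in the query gives BADSIG, and why a clock more than the fudge away gives BADTIME even though the signature itself is perfect.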
Data authenticity may be compromised at different levels. The recognised areas are:

- altered slave zone files
- cache impersonation
- cache poisoning

New RR records

The integrity and authenticity of data is guaranteed by signing the Resource Records using a private key. These signatures can be verified using a public DNSKEY. Only the validity of the DNSKEY itself needs to be established, and that is done by the parent zone publishing a digest of it, the "delegation signer" DS record. So we have the following new RRs in the zone files:

RRSIG    the signature of an RR set
DNSKEY   public key used to verify RRSIGs
DS       the Delegation Signer, a digest of the child's key held by the parent

Signing Zone Records

These are the basic steps:

1. Create a pair of public/private zone signing keys (ZSK):

    dnssec-keygen -a DSA -b 1024 -n ZONE seafront.bar.

You should get two files such as these:

    Kseafront.bar.+003+31173.key
    Kseafront.bar.+003+31173.private

(DSA, algorithm number 3, is what this generation of the manual used; it is deprecated today and validators may treat zones signed with it as unsigned. On a current BIND use -a RSASHA256 or -a ECDSAP256SHA256.)

2. Insert the public key into the unsigned zone file:

    cat Kseafront.bar.+003+31173.key >> seafront.zone

3. Sign the zone file (origin, zone file, then the key to sign with):

    dnssec-signzone -o seafront.bar seafront.zone Kseafront.bar.+003+31173

You should see a message such as:

    WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
    WARNING                                                         WARNING
    WARNING   This version of dnssec-signzone produces zones that   WARNING
    WARNING   are incompatible with the forth coming DS based       WARNING
    WARNING   DNSSEC standard.                                      WARNING
    WARNING                                                         WARNING
    WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
    seafront.zone.signed

This is due to the fact that this version of the dnssec-signzone tool doesn't support the -k switch, which allows the use of a key signing key (KSK) that is then forwarded to a parent zone to generate a DS record ...
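The DS record that the warning above refers to is simple enough to compute by hand, and doing so shows what the "delegation signer" link is: a digest of the child's key signing key, published by the parent, so that a validator needs to trust only the root key to check everything below it. The following is an added example, not from the original manual or BIND; DNSKEY_LINE is a constructed record whose public key is 32 placeholder bytes (not a usable key), and the computations follow RFC 4034 (key tag in Appendix B, DS in section 5).

```python
"""Key tag and DS record for a DNSKEY (RFC 4034), the parent-side half of the
chain of trust summarised in section 4.2.

Added example, not BIND's code. PUBKEY is placeholder key material.
"""
import base64
import hashlib
import struct

PUBKEY = bytes(range(1, 33))                      # 32 placeholder bytes, not a real key
DNSKEY_LINE = "seafront.bar. IN DNSKEY 257 3 8 " + base64.b64encode(PUBKEY).decode()
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types


def encode_name(name):
    """Text name -> canonical wire format: lower case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def keytag(rdata):
    """RFC 4034 Appendix B: 16-bit sum of the RDATA taken as big-endian words
    (the special formula for the obsolete algorithm 1 is not implemented)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def role(flags):
    """Flag 256 marks a zone key; the SEP bit (1) is set on a key signing key."""
    return "KSK" if flags & 1 else "ZSK"


def parse_dnskey(line):
    owner, _, _, flags, protocol, algorithm, *b64 = line.split()
    return owner, int(flags), int(protocol), int(algorithm), base64.b64decode("".join(b64))


def ds_for(dnskey_line, digest_type=2):
    """The DS record the parent zone would publish for this DNSKEY."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGESTS[digest_type](encode_name(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, keytag(rdata), algorithm, digest_type, digest)


def ds_matches(ds_line, dnskey_line):
    """What a validator does at a delegation: recompute DS from the child's
    DNSKEY and compare it with the parent's copy."""
    owner, _, _, tag, algorithm, digest_type, digest = ds_line.split()
    recomputed = ds_for(dnskey_line, int(digest_type)).split()
    return recomputed == [owner, "IN", "DS", tag, algorithm, digest_type, digest]


if __name__ == "__main__":
    print(DNSKEY_LINE, "(" + role(257) + ")")
    print(ds_for(DNSKEY_LINE))
```

dnssec-dsfromkey in current BIND prints the same record from a K*.key file; the key tag it shows is the number in the middle of that file name.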
If you want to make use of this signed zone, change the file name in named.conf to "seafront.zone.signed". The zone has to be re-signed (with a new serial) whenever it changes, and in any case before the signatures expire (30 days after signing by default).

Mail and Lists

Sendmail
1. Using Sendmail
1.1 Configuration Settings
1.2 Virtual Hosting
2. Configuring Mailing Lists
2.1 Majordomo and Sendmail
3. Managing Mail Traffic
3.1 Using Procmail

1. Using Sendmail

1.1 Configuration Settings

DNS Settings

1. We first want to make sure that mail will be sent to our machine. We assume that we have properly configured a domain called seafront.bar with BIND 8 or 9. Let's make sure that the zone file for this domain has an MX record pointing to our system.
For example if our machine is called test1 and has the IP 192.168.246.12 then we need the following lines:

    seafront.bar.        IN MX 10 test1.seafront.bar.
    test1.seafront.bar.  IN A     192.168.246.12

2. Next we need to make sure that this information is read by the resolvers, so we add the following at the top of the file /etc/resolv.conf:

    nameserver 127.0.0.1
    domain seafront.bar

Sendmail Settings

We go into sendmail's main configuration directory /etc/mail. Here we need to do the following:

1. By default sendmail is configured to listen for connections ONLY on the 127.0.0.1 interface. In order to make sendmail listen on all interfaces we need to comment out the following line in /etc/mail/sendmail.mc using 'dnl', the m4 comment macro, which stands for "delete to new line":

    dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

2. Once this is done run:

    m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Notice: make sure /etc/sendmail.cf isn't also there; if it is, delete it.

Restart sendmail and try the following:

    telnet test1.seafront.bar 25

Warning: if you get a connection then sendmail is responding. This doesn't mean that sendmail will deliver mail (relay) for you!

3. To configure sendmail to relay for you, you need to add the IP of your machine to the /etc/mail/access file:

    192.168.246.12     RELAY

Only list hosts and networks you control here. A RELAY entry for a whole network you do not own, or a blanket one, turns the server into an open relay that spammers will find within hours.
4. Finally, we also need to tell sendmail to accept mail for @seafront.bar addresses. For this, add the domain name to /etc/mail/local-host-names:

    seafront.bar

Restart sendmail and send a mail to an existing user. If you have a user tux on the machine then check the output of the following:

    mail -v -s "test seafront domain" tux@seafront.bar < /etc/passwd

1.2 Virtual Hosting

We want the server seafront.bar to accept mail for the city.bar domain. For this we follow these steps.

The DNS entries

We need to add an MX record for the city.bar domain. Here is the whole block for clarity:

    seafront.bar.        IN MX 10 test1.seafront.bar.
    city.bar.            IN MX 10 test1.seafront.bar.
    test1.seafront.bar.  IN A     192.168.246.12

Reload the zone file:

    rndc reload

Sendmail Settings

1. We need to make sendmail accept mail for users at @city.bar. For this we add the next line to the local-host-names file:

    city.bar

If mail is sent to tux@city.bar and tux is a valid user on test1.seafront.bar then the mail will be delivered to the local user tux. To avoid this we can use the /etc/mail/virtusertable database.

2. If you want to forward mail on to another account, here are example entries for the virtusertable database:

    tux@city.bar        mr.tux@otherdomain.org
    @city.bar           administrator
    list@city.bar       local-list

Here mail for user tux is diverted to mr.tux@otherdomain.org, the user administrator is the catch-all account, and lists are redirected to local lists (this needs to point to a valid list defined in the aliases file). The exact user@domain entry wins over the @domain catch-all. After editing the text file rebuild the database with makemap hash /etc/mail/virtusertable < /etc/mail/virtusertable.

2. Configuring Mailing Lists

2.1 Majordomo and Sendmail

Download the code from http://www.greatcircle.com/majordomo/

Source version: majordomo-1.94.5.tar.gz

Pre-installation Configuration

1. In the Makefile, replace /bin/perl with the path to the perl binary on your system (usually /usr/bin/perl):

    PERL = /usr/bin/perl

To make things easier we will leave W_HOME as is:

    W_HOME = /usr/test/majordomo-$(VERSION)

You need to create the directory /usr/test:

    mkdir /usr/test

Create a group called majordomo with GID 45, and add a user called majordomo with UID 123:

    groupadd -g 45 majordomo
    useradd -g 45 -u 123 majordomo

2. In the sample.cf file we need to define our domain (for example seafront.bar). This is also where the path to the sendmail binary is set:

    $whereami = "seafront.bar";
    $sendmail_command = "/usr/sbin/sendmail";

Now we can run:

    make install
    make install-wrapper

Finally you can test the configuration as suggested with the following:

    cd /usr/test/majordomo-1.94.5; ./wrapper config-test

If all goes well you will be prompted to register to the majordomo mailing list. Since we do not have a valid email address, answer NO to the question.

Sendmail Configuration

The sendmail configuration involves adding appropriate entries in /etc/aliases for each mailing list we create. But before that we need a symbolic link in /etc/smrsh pointing to the majordomo wrapper binary, and here is why.

In order to limit the programs mail can be piped to (using a '| command' instead of an email address), sendmail runs such commands through a restricted shell known as smrsh, the "sendmail restricted shell". smrsh only executes programs found in /etc/smrsh, which contains symbolic links to the actual binaries we allow mail to be piped to, and it rejects command lines containing shell metacharacters. We will make the wrapper binary, located in /usr/test/majordomo-1.94.5, available with the following:

    ln -s /usr/test/majordomo-1.94.5/wrapper /etc/smrsh

Before adding the entries to /etc/aliases we need to decide on a name for our first list, and we choose ... test.
Remember that before sending mail to the list test@seafront.bar we first need to subscribe to this list by sending a mail to majordomo@seafront.bar with the contents "subscribe test". Some work needs to be done for this to work.

Creating the list "test" (as documented in NEWLIST):

1. Create an empty file called test and a file containing information about the list called test.info in the directory /usr/test/majordomo-1.94.5/lists/

2. Create the following aliases in /etc/aliases:

    majordomo:      "|/usr/test/majordomo-1.94.5/wrapper majordomo"
    test:           "|/usr/test/majordomo-1.94.5/wrapper resend -l test test-list"
    test-list:      :include:/usr/test/majordomo-1.94.5/lists/test
    test-request:   "|/usr/test/majordomo-1.94.5/wrapper request-answer test"
    owner-test:     tux
    test-approval:  tux

3. Run newaliases and restart sendmail.

Majordomo Test

Send an email to majordomo@seafront.bar with the content

    subscribe test

If all goes well you will receive a response with further steps to be taken.
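The three sendmail mechanisms this chapter configured, the access database that decides who may relay (section 1.1), local-host-names and virtusertable that decide where a recipient ends up (section 1.2), and smrsh that decides which programs an alias may pipe into (section 2.1), are easy to get wrong in the direction of an open relay or an arbitrary command execution. The following added example (not sendmail's own code) imitates the three decisions in the simplified form the text describes, with the tables filled from the chapter's own entries; the /etc/smrsh contents and the forbidden-character set are constructed approximations (real smrsh permits a few chaining operators between approved programs).

```python
"""Model of three sendmail decisions: relaying (access), routing
(local-host-names + virtusertable) and restricted pipes (smrsh).

Added example, not sendmail's code. Tables are the chapter's entries; the
smrsh program set and metacharacter list are constructed approximations.
"""
import re

ACCESS = {"192.168.246.12": "RELAY", "127.0.0.1": "RELAY"}             # /etc/mail/access
LOCAL_HOST_NAMES = {"seafront.bar", "test1.seafront.bar", "city.bar"}  # /etc/mail/local-host-names
VIRTUSERTABLE = {                                                      # /etc/mail/virtusertable
    "tux@city.bar": "mr.tux@otherdomain.org",
    "@city.bar": "administrator",
    "list@city.bar": "local-list",
}
SMRSH_PROGRAMS = {"wrapper", "procmail", "vacation"}   # basenames linked into /etc/smrsh (constructed)
SHELL_METACHARACTERS = re.compile(r"[`<>|;&$()\r\n]")  # approximation of what smrsh refuses


def access_lookup(client_ip):
    """Walk the access map the way sendmail does: full address first, then
    successively shorter prefixes (10.1.2.3, 10.1.2, 10.1, 10)."""
    parts = client_ip.split(".")
    for n in range(len(parts), 0, -1):
        verdict = ACCESS.get(".".join(parts[:n]))
        if verdict:
            return verdict
    return None


def check_rcpt(client_ip, recipient):
    """'local', 'relay' or 'reject' for one RCPT TO from client_ip."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_HOST_NAMES:
        return "local"                     # we are the final destination
    if access_lookup(client_ip) == "RELAY":
        return "relay"
    return "reject"                        # "Relaying denied": never an open relay


def virtual_rewrite(recipient):
    """Apply virtusertable: exact user@domain first, then the @domain catch-all,
    otherwise plain delivery to the local user of that name."""
    user, domain = recipient.lower().split("@", 1)
    for key in (user + "@" + domain, "@" + domain):
        if key in VIRTUSERTABLE:
            return VIRTUSERTABLE[key]
    return user


def smrsh_allows(command):
    """True if a '|command' alias would run: the program must be linked in
    /etc/smrsh and the line must carry no shell metacharacters."""
    if SHELL_METACHARACTERS.search(command):
        return False
    program = command.split()[0].rsplit("/", 1)[-1]
    return program in SMRSH_PROGRAMS


def deliver(client_ip, recipient):
    """Combine the two mail-routing decisions into one trace."""
    verdict = check_rcpt(client_ip, recipient)
    return (verdict, virtual_rewrite(recipient)) if verdict == "local" else (verdict, None)


if __name__ == "__main__":
    for ip, rcpt in [("192.168.246.12", "someone@example.org"), ("10.9.9.9", "someone@example.org"),
                     ("10.9.9.9", "tux@city.bar"), ("10.9.9.9", "anybody@city.bar")]:
        print(ip, rcpt, "->", deliver(ip, rcpt))
    for cmd in ["/usr/test/majordomo-1.94.5/wrapper majordomo", "/bin/sh -c id",
                "wrapper majordomo; /bin/sh"]:
        print(repr(cmd), "allowed" if smrsh_allows(cmd) else "refused")
```

The prefix walk in access_lookup is what makes a careless "192.168 RELAY" line relay for an entire /16; and smrsh_allows shows why the majordomo wrapper had to be linked into /etc/smrsh, while an alias piping into /bin/sh, or smuggling a second command after a semicolon, is refused.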
3. Managing Mail Traffic

3.1 Using Procmail

In-depth information can be found in the procmail, procmailrc and procmailex manpages. Here are a few examples taken from procmailex(5).

A procmailrc file is a sequence of recipes of the form:

    :0 [flags] [ : [locallockfile] ]
    <zero or more conditions (one per line)>
    <exactly one action line>

The next tables cover the main flags, conditions and actions available.

Flags   Description
H       Egrep the header (default).
B       Egrep the body.
E       This recipe only executes if the immediately preceding recipe was not executed.
e       This recipe only executes if the immediately preceding recipe failed.
w       Wait for the filter or program to finish and check its exit code.
c       Generate a carbon copy: deliver through this recipe and carry on with the next one.

The conditions are extended regular expressions (matched case-insensitively), with the additional forms below:

Conditions   Description
!            Invert the condition.
$            Evaluate the remainder of this condition according to sh(1) substitution rules inside double quotes, skip leading whitespace, then reparse it.
?            Use the exit code of the specified program.
<            Check if the total length of the mail is shorter than the specified (decimal) number of bytes.
>            Check if the total length of the mail is larger than the specified (decimal) number of bytes.

The action line can start with one of:

Action line   Description
!             Forwards to all the specified mail addresses.
|             Starts the specified program.
{             Followed by at least one space, tab or newline, marks the start of a nesting block.
Anything else is interpreted as a mailbox (file or directory relative to the current directory or MAILDIR).

Examples:

Sort all mail coming from the lpi-dev mailing list into the mail folder LPI:

    :0:
    * ^TO_lpi-dev
    LPI

Forward mails between two accounts, main.address and the-other.address.
This rule is for the procmailrc on the main.address account. Notice the X-Loop header used to prevent loops: the copy we send out carries it, so if it ever comes back to this account the condition fails and it is not forwarded again.

    :0 c
    * !^X-Loop: yourname@main.address
    | formail -A "X-Loop: yourname@main.address" | $SENDMAIL -oi yourname@the-other.address

The c option tells procmail to keep a local copy.
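To see the loop guard work, the following added example (not procmail itself) runs the two recipes above over constructed messages. It understands only what this section uses: the flags H, B and c, plain and negated (!) regex conditions, a simplified ^TO_ macro, and mailbox, forward (!) and pipe (|) actions; the only formail feature imitated is -A, which adds a header to the forwarded copy.

```python
"""A miniature procmail: parse recipes of the form shown in this section and
run them over a message, enough to watch the X-Loop guard stop a loop.

Added example, not procmail's code. TO_MACRO is a simplified ^TO_ and the
messages are constructed.
"""
import re

RC = """\
:0:
* ^TO_lpi-dev
LPI

:0 c
* !^X-Loop: yourname@main.address
| formail -A "X-Loop: yourname@main.address" | $SENDMAIL -oi yourname@the-other.address
"""

# procmail's ^TO_ expands to a much longer alternation; this covers the usual headers
TO_MACRO = r"^(To|Cc|Bcc|Resent-To|Resent-Cc|Apparently-To):.*"


def parse_rc(text):
    """Split a procmailrc into recipes: {flags, locked, conditions, action}."""
    recipes, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(":0"):
            flags, sep, _ = line[2:].partition(":")          # ':0 c:' -> flags 'c', lock wanted
            current = {"flags": set(flags.replace(" ", "")), "locked": sep == ":",
                       "conditions": [], "action": None}
            recipes.append(current)
        elif line.startswith("*"):
            current["conditions"].append(line[1:].strip())
        else:
            current["action"] = line
    return recipes


def condition_holds(cond, header, body, flags):
    """Regex conditions are case-insensitive and, by default, tried on the header."""
    negate = cond.startswith("!")
    if negate:
        cond = cond[1:].strip()
    pattern = cond.replace("^TO_", TO_MACRO)
    targets = []
    if "H" in flags or "B" not in flags:
        targets.append(header)
    if "B" in flags:
        targets.append(body)
    matched = any(re.search(pattern, t, re.IGNORECASE | re.MULTILINE) for t in targets)
    return matched != negate


def deliver(message, rc, default="DEFAULT"):
    """Return the deliveries made, in order, as (kind, target) pairs. Without
    the c flag the first matching recipe ends delivery; with it, we carry on."""
    header, _, body = message.partition("\n\n")
    outcomes = []
    for recipe in parse_rc(rc):
        if not all(condition_holds(c, header, body, recipe["flags"]) for c in recipe["conditions"]):
            continue
        action = recipe["action"]
        if action.startswith("!"):
            outcomes.append(("forward", action[1:].strip()))
        elif action.startswith("|"):
            outcomes.append(("pipe", action[1:].strip()))
        else:
            outcomes.append(("mailbox", action))
        if "c" not in recipe["flags"]:
            return outcomes
    outcomes.append(("mailbox", default))
    return outcomes


def forwarded_copy(message, pipe_command):
    """What 'formail -A "Header: value"' in the pipe hands to sendmail: the same
    message with that header prepended. The loop guard depends on this."""
    m = re.search(r'formail -A "([^"]+)"', pipe_command)
    return m.group(1) + "\n" + message if m else message


# Constructed messages.
LIST_MAIL = "From: alice@example.org\nTo: lpi-dev@lists.example.org\nSubject: hi\n\nbody\n"
DIRECT_MAIL = "From: bob@example.org\nTo: yourname@main.address\nSubject: question\n\nbody\n"

if __name__ == "__main__":
    print(deliver(LIST_MAIL, RC))
    first = deliver(DIRECT_MAIL, RC)
    print(first)
    bounced_back = forwarded_copy(DIRECT_MAIL, first[0][1])
    print(deliver(bounced_back, RC))          # not forwarded a second time
```

The direct mail is piped out and also kept locally (the c flag), while the same message coming back with the X-Loop header goes straight to the default mailbox, which is what stops two accounts that forward to each other from bouncing mail back and forth forever.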
Web Services

Web Services
1. Implementing a Web Server
1.1 Installing Apache
1.2 Monitoring apache load
1.3 Using Apachectl
1.4 Basic Configuration Options
1.5 Restricting Client Access
1.6 Client Basic Authentication
2. Maintaining a Web Server
2.1 HTTPS Overview
2.2 SSL Virtual Hosts
2.3 Managing Certificates
B0 2.B Virtual >osts...................................................................................................................................................... B1 0& Im#lementin< a Proxy Server&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& $0 A.1 &ettin# $tarted................................................................................................................................................... BA A.2 /ccess Lists and /ccess 8ontrol...................................................................................................................... BA A.A /dditional 8onfi#uration ;ptions....................................................................................................................... B: A.B Ceportin# Tools................................................................................................................................................. BG A.B 'ser /uthentication 5usin# (/26...................................................................................................................... BJ A2 Linux%T Technical <ducation 8entre 8eb Services HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH 1. $!%le!enting a &e' Serer +&+ Installin< A#ache The apache source code can be do"nloaded from """.apache.or#. There are t"o versions of the apache server 1.A and 2.0 The confi#ure script allo"s us to customise the installation. %n particular "e can choose "hich modules "e "ant to compile etc. 2odules can either be - staticall! compiled "ith --enable-MODULE 5"here 2;.'L< is the Module Indentifier 6 or --enable-modules=MOD1 MOD2 ... - d!namicall! compiled "ith --enable-mods-shared=MOD1 MOD2 ... -disabled "ith --disable-MODULE "ask .o"nload the source code for apache 1.A 5apacheH1.A.2K.tar.#76 and compile support for modHphp and modHperl +&2 )onitorin< a#ache load $N2( 8reate a read-onl! $N2( communit! 
and restart the snmpd daemon 3etc3snmp3snmp.conf rocommunit! lifesavers Cestart the snmpd service etcinit.dsnmpd restart 8heck that !ou can bro"se information about !our s!stem usin# the communit! name lifesavers AA Linux%T Technical <ducation 8entre 8eb Services HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH snmpwalk -v 1 -c lifesavers localhost ip 2CT& 2CT& stands for Qmulti-router traffic #rapherR and uses $N2( to #et information about the s!stem. cfgmaker --output=/etc/mrtg/seafront.cfg \ -ifref=ip --global "workdir: /var/www/mrtg/stats" lifesavers@localhost This "ill create a file called 3etc3mrt#3seafront.cf#. )e next update the information in 3var3"""3mrt#3stats "ith the follo"in# command mkdir /var/www/mrtg/stats mrtg /etc/mrtg/seafront.cfg
This should be run at re#ular intervals so it should be run throu#h a cron ,ob. "ask The #raphical output for 2CT& "ill be saved in 3var3"""3mrt#3stats as an >T2L document. This is not a usual place to keep files for the apache server. /fter the next section, "e "ill make the appropriate chan#es to htt#d&conf to make this director! accessible throu#h the "ebserver. 2an! other tools are available such as 8ebaliser "hich anal!se the access lo#s of the apache server 5"e "ill confi#ure this tool for sAuid. +&0 %sin< A#achectl The a#achectl script is used to control the htt#d daemon. %t takes the follo"in# options a#achectl o#tion !escri#tion S extract from apachectl5J6 start $tart the /pache httpd daemon. &ives an error if it is alread! runnin#. This is e1uivalent to a#achectl @k start stop $tops the /pache httpd daemon. This is e1uivalent to a#achectl @k sto# AB Linux%T Technical <ducation 8entre 8eb Services HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH restart Cestarts the /pache httpd daemon. %f the daemon is not runnin#, it is started. This command automaticall! checks the confi#uration files as in confi#test before initiatin# the restart to make sure the daemon doesnYt die. This is e1uivalent to a#achectl @k restart fullstatus .ispla!s a full status report from modHstatus. 9or this to "ork, !ou need to have modHstatus enabled on !our server and a text-based bro"ser such as l!nx available on !our s!stem. The 'CL used to access the status report can be set b! editin# the $T/T'$'CL variable in the script. $tatus .ispla!s a brief status report. $imilar to the !u))status option, except that the list of re1uests currentl! bein# served is omitted #raceful &racefull! restarts the /pache httpd daemon. %f the daemon is not runnin#, it is started. This differs from a normal restart in that currentl! open connections are not aborted. This is e1uivalent to a#achectl @k <raceful confi#test Cun a confi#uration file s!ntax test. 
%t parses the confi#uration files and either reports +yntax B0 or detailed information about the particular s!ntax error. This is e1uivalent to a#achectl @t +&$ *asic ,onfi<uration .#tions $ection 1 &eneral ;ptions Teep/live on3off /llo"s a client to perform multiple re1uests throu#h a sin#le connection 2axTeep/liveCe1uests 100 2aximum number of re1uests durin# a persistent connection Teep/liveTimeout 1: Number of seconds to "ait for a next re1uest on the same connection Sin<le "hreaded Server The httpd daemon is a sin#le threaded process "hich needs to fork child daemons to deal "ith multiple connections S onl! "ith apache2 is it possible to build a multi threaded server. $tart$ervers J Number of httpd servers to start 2in$pare$ervers : 2inimum number of spare servers to keep loaded in memor! A: Linux%T Technical <ducation 8entre 8eb Services HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH 2ax$pare$ervers 20 2aximum number of spare servers to keep loaded in memor! 2ax8lients 1:0 2aximum number of server processes allo"ed at an! one time 2axCe1uests(er8hild 1000 2aximum number of re1uests before a child is QretiredR )ulti "hreaded Server ;ptions available onl! for apache2 and on"ards. 0ou need to recompile apache to enable threads. 2ost current apache2 binar! distributions are still sin#le threaded because of conflicts "ith most d!namic modules "hich don4t support multi threadin# !et. $tart$ervers 2 Notice that this is much lo"er than the sin#le threaded server 2in$pareThreads 2: 2inimum number of spare threads 2ax$pareThreads I: 2aximum number of spare threads Threads(er8hild 2: Number of "orker threads per child 2ax8lients 1:0 2aximum number of server processes allo"ed at an! one time 2axCe1uests(er8hild 0 Never retiresX Listen J0 $pecif! "hich port to listen on. 8an be of the form %(port Load2odule 2;.'L< %N.<NT%9%<C 3(/T>- T;32;.'L< $ection "here d!namic modules are loaded %nclude FIL Cead extra confi#uration options from FIL. 
/pache2 has a conf.d director! for this $ection 2 $erver 8onfi#uration $erverName The name of the server S can be different 'ser Name of the user the server runs as &roup Name of the #roup the server runs as .ocumentCoot The director! the "here >T2L files are kept D.irector!F $pecif! options 5access control,...6 for directories containin# >T2L files /lias 'CL alias for a #iven director! AG Linux%T Technical <ducation 8entre 8eb Services HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH /lias$cript $ame as Q/liasR option but for directories containin# 8&% scripts .irector!%ndex $et the name of the file "hich "ill be used as an index $ection A Virtual >osts )e "ill cover virtual hosts "hen confi#urin# $$L servers later in this chapter. 9or no" "e distin#uish t"o concepts
<VirtualHost IP:PORT>         IP based virtual host
<VirtualHost HOSTNAME:PORT>   Name based virtual host

1.5 Restricting Client Access

Host based control is available using the keywords Order, Deny from and Allow from on directories

    <Directory PATH-TO-DIRECTORY>
    ...
    </Directory>

or locations

    <Location URL>
    ...
    </Location>

The next configuration paragraph will allow anybody to access the directory /var/www/safe except the host with IP 192.168.3.101

    <Directory /var/www/safe>
    Order allow,deny
    Deny from 192.168.3.101
    Allow from all
    </Directory>

    Alias /safe /var/www/safe

Notice
The Order keyword is important. If we reverse the above order to

    Order deny,allow

then the following would happen: host 192.168.3.101 would first be denied access because of the Deny rule, but the Allow rule is read last and will subsequently grant it access. The default access is given by the last argument in the Order directive, i.e. "Order allow,deny" has a default of "deny".

1.6 Client Basic Authentication

The htpasswd tool is used to create passwords for users. For example, we create a new file in the ServerRoot directory called passwords-for-directory1 with a password for user gnu

    htpasswd -c passwords-for-directory1 gnu

If we choose to implement client authentication for the directory /var/www/html/seafront we need to add the following paragraph to httpd.conf

    <Directory /var/www/html/seafront>
    AuthType basic
    AuthName "protected site"
    AuthUserFile conf/seafront.passwd
    Require user gnu
    </Directory>

Notice
Alternatively, with httpd2 configurations we could create a file called seafront.conf with the above content and save it in the /etc/httpd/conf.d directory.

Reread the configuration file with

    apachectl graceful
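The Order semantics above are easy to get backwards, so here is an added Python model (example code, not from the LinuxIT manual or from Apache) that parses the Order/Deny/Allow directives of a <Directory> block and evaluates them for a client IP the way mod_access does; the 192.168.3.101 host from the example is denied under Order allow,deny and let back in under Order deny,allow. Only IP patterns are modelled; hostname patterns are left out.

```python
import ipaddress

# Added example (not from the LinuxIT manual): a model of how Apache's mod_access
# evaluates "Order", "Allow from" and "Deny from" for one client IP address.
# Only IP patterns are modelled; hostname patterns are left out on purpose.


def host_matches(pattern, client_ip):
    """Apache accepts 'all', a full IP, a partial IP such as '192.168.3',
    'IP/netmask' and 'IP/bits'."""
    if pattern.lower() == "all":
        return True
    if "/" not in pattern and pattern.count(".") < 3:
        octets = pattern.split(".")            # partial IP: leading octets only
        pattern = ".".join(octets + ["0"] * (4 - len(octets)))
        pattern += "/%d" % (8 * len(octets))
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)


def parse_directory_block(text):
    """Collect Order / Allow from / Deny from out of a <Directory> block."""
    order, allow, deny = "deny,allow", [], []   # Apache's defaults when unset
    for line in text.splitlines():
        words = line.strip().split()
        if not words:
            continue
        if words[0].lower() == "order":
            order = words[1].lower()
        elif len(words) > 2 and words[1].lower() == "from":
            target = allow if words[0].lower() == "allow" else deny
            target.extend(words[2:])
    return order, allow, deny


def is_allowed(order, allow, deny, client_ip):
    allowed = any(host_matches(p, client_ip) for p in allow)
    denied = any(host_matches(p, client_ip) for p in deny)
    if order == "allow,deny":
        # default deny: need a matching Allow and no matching Deny
        return allowed and not denied
    if order == "deny,allow":
        # default allow: a matching Allow overrides any Deny
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)


def decisions(block, clients):
    """Map each client IP to True (allowed) or False (denied) for the block."""
    order, allow, deny = parse_directory_block(block)
    return {ip: is_allowed(order, allow, deny, ip) for ip in clients}


# The block from the manual: everyone but 192.168.3.101 may read /var/www/safe.
SAFE_DIR = """
<Directory /var/www/safe>
    Order allow,deny
    Deny from 192.168.3.101
    Allow from all
</Directory>
"""

# Same rules with the Order reversed; the manual warns this lets the host back in.
REVERSED_DIR = SAFE_DIR.replace("Order allow,deny", "Order deny,allow")

if __name__ == "__main__":
    for name, block in (("allow,deny", SAFE_DIR), ("deny,allow", REVERSED_DIR)):
        print(name, decisions(block, ["192.168.3.101", "192.168.3.7"]))
```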
2. Maintaining a Web Server
2.1 HTTPS Overview

The secure socket layer protocol SSL allows any networked application to use encryption. This can be thought of as a process which wraps the socket, preparing it to use encryption at the application level.

In the case of HTTPS, the server uses a pair of keys, public and private. The server's public key is used by the client to encrypt the session key; the private key is then used to decrypt the session key for use.

The public key is published using certificates. A certificate contains the following information

- Name and Address, Hostname, etc.
- Public Key
- TTL
- (optional) ID + Signature from a certificate authority (CA)

The certificate will be used to establish the authenticity of the server. A valid signature from a known CA is automatically recognised by the client's browser. With Mozilla for example these trusted CA certificates can be found by following the links Edit -> Preferences -> Privacy & Security -> Certificates, then clicking on the "Manage Certificates" button and the Authorities tab.

[Figure: SSL handshake between client and server: 1. Start SSL Handshake, 2. Send Certificate, 3. Send encrypted session key, 4. Encrypt HTTP session with session key]

On the other hand, communications would be too slow if the session was encrypted using public key encryption. Instead, once the authenticity of the server is established, the client generates a unique secret session key which is encrypted using the server's public key found in the certificate. Once the server receives this session key it can decrypt it using the private key associated with the certificate. From there on the communication is encrypted and decrypted using this secret session key generated by the client.

2.2 SSL Virtual Hosts

A separate apache server can be used to listen on port 443 and implement SSL connections. However, most default configurations involve a single apache server listening on both ports 80 and 443.

For this an additional Listen directive is set in httpd.conf asking the server to listen on port 443. Apache will then bind to both ports 443 and 80. Non encrypted connections are handled on port 80 while an SSL aware virtual host is configured to listen on port 443

    <VirtualHost _default_:443>
    SSL CONFIGURATION
    </VirtualHost>

The SSL CONFIGURATION lines are

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile PATH_TO_FILE.crt
    SSLCertificateKeyFile PATH_TO_FILE.key

We need to generate the server's private key (FILE.key) and certificate (FILE.crt) to complete this configuration.

2.3 Managing Certificates

The keys and certificates are usually kept in subdirectories of /etc/httpd/conf called ssl.crt and ssl.key. There should also be a Makefile that will generate both a KEY and a CERTIFICATE in PEM format, which is base64 encoded data.

Using the Makefile

For example, if we want to generate a self-signed certificate and private key simply type

    make mysite.crt

The Makefile will generate both files: mysite.key (the private key) as well as mysite.crt (the certificate file containing the public key). You can use the following directives in httpd.conf

    SSLCertificateFile ... mysite.crt
    SSLCertificateKeyFile ... mysite.key

Certificate Requests

On a production server you would need to generate a new file called a "certificate request" with

    openssl req -new -key mysite.key -out mysite.csr

This file can be sent to a certificate authority (CA) to be signed. The certificate authority will send back the signed certificate.

Pass Phrases

A private key can be generated with or without a passphrase, and a private key without a passphrase can be constructed from an existing private key.

A passphrased file

If a private key has a passphrase set then the file starts with

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,
    ---- snip ----
    .....

This means that the file is protected by a pass-phrase using 3DES. This was generated by the line

    /usr/bin/openssl genrsa -des3 1024 > $@

in the Makefile. If the -des3 flag is omitted NO passphrase is set.

You can generate a new private key (mysite-nopass.key) without a passphrase from the old private key (mysite.key) as follows

    openssl rsa -in mysite.key -out mysite-nopass.key

2.4 Virtual Hosts

Name based virtual hosts

We will first discuss the situation where only one IP has been assigned to the server but there are several A records or CNAME records pointing to the same IP.

Task 1
Modify the zone files to include a new CNAME record for test1.seafront.bar to point to the actual name of the web server, e.g.

    test1.seafront.bar.   IN   CNAME   www.seafront.bar.
    www                   IN   A       192.x.x.x

In httpd.conf it will be enough to create the following

    <VirtualHost test1.seafront.bar:80>
    ServerAdmin webmaster@seafront.bar
    DocumentRoot /var/www/html/test1
    ServerName test1.seafront.bar
    </VirtualHost>

Task 2
Create an SSL aware VirtualHost for test1

- make the certificate and the key

    make host1.seafront.bar

- add these lines to httpd.conf

    <VirtualHost 192.168.3.200:443>
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/httpd/conf/test1.seafront.bar.crt
    SSLCertificateKeyFile /etc/httpd/conf/test1.seafront.bar.out
    ServerAdmin webmaster@seafront.bar
    DocumentRoot /var/www/html/test1
    ServerName test1.seafront.bar
    </VirtualHost>

Notice that the certificate presented once you connect to the https://test1 site is incorrect. This is because test1.seafront.bar resolves to the server's IP address and the server will start the SSL handshake before looking at the HTTP request. The next section will fix that.

IP Based Virtual Hosts

We will directly create a series of virtual SSL aware hosts and verify that they present the client with the correct certificate.

Task
Assign new IP addresses to the eth0 interface

    ifconfig eth0:0 X.X.X.X

For each IP enter a new A record

    www1   IN   A   X.X.X.X

For each host create a self signed certificate.

Enter a <VirtualHost X.X.X.X:443> paragraph in httpd.conf.

Notice
You may have to change the existing SSL virtual host from <VirtualHost _default_:443> to <VirtualHost 127.0.0.1:443>. This prevents the default host certificate from being presented irrespective of the site hostname.

Test that https://www1 and https://www2 do present the proper certificates. Notice that if you permanently accept a certificate it will be added to the list of CA certificates on your browser!
3. Implementing a Proxy Server

3.1 Getting Started

You can verify that the squid proxy server is installed using

    rpm -q squid

Most versions will install the /etc/init.d/squid rc-script that creates the initial caching directories. If this is not the case squid can initialise these cache directories with the -z switch

    squid -z

NOTICE
You may need to add an access rule in the squid configuration file before being able to rebuild the cache (see the next section "Access Lists and Access Control").

The configuration file is /etc/squid/squid.conf. The syntax of this file can be checked using the -k switch

    squid -k check

As with most network services the /etc/init.d/squid rc-script is used to start the service.

3.2 Access Lists and Access Control

Access Lists (acl)

In squid.conf the access lists have the following format

    acl aclname acltype string/file

In the most simple cases an acl defines a list of hosts, networks or domains and is given a name. This list can then be granted or denied access using the access control command http_access described in the next paragraph.

The next line defines an access list named localnet corresponding to the local LAN

    acl localnet src 192.168.2.0/255.255.255.0

The main ACL types are listed below

acltype     description
src         IP/netmask or IP1-IP2/netmask (client's IP address)
dst         IP/network (URL requested)
arp         MAC address
srcdomain   .example.com (client addresses)
dstdomain   .example.com (URLs requested)
time        range of times
port        space separated list of ports or a range of the form p1-p2

Access control (http_access)

With http_access a particular access list is either allowed or denied access via the proxy. The format is as follows

    http_access allow|deny aclname
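Because http_access lines are matched in order, where a line sits matters as much as what it says. The following added Python model (not from the LinuxIT manual or from squid) parses acl and http_access lines of the types listed above and evaluates a request with squid's first-match rule, including the implicit default when no line matches; the squid.conf fragment and the request values inside it are constructed for the example.

```python
import ipaddress

# Added example (not from the LinuxIT manual or from squid): evaluate squid.conf
# "acl" and "http_access" lines for a request with squid's first-match rule.
# Only the src, dst, dstdomain and port ACL types are modelled.


def parse_squid_conf(text):
    acls, rules = {}, []
    for line in text.splitlines():
        words = line.split("#")[0].split()
        if not words:
            continue
        if words[0] == "acl":
            # acl aclname acltype value [value ...]; repeated lines add values
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif words[0] == "http_access":
            rules.append((words[1] == "allow", words[2:]))
    return acls, rules


def acl_matches(acltype, values, request):
    if acltype in ("src", "dst"):
        ip = ipaddress.ip_address(request[acltype])
        # "192.168.2.0/255.255.255.0" and "192.168.2.0/24" are both accepted
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acltype == "dstdomain":
        host = request["host"]
        # a leading dot matches the domain and all of its subdomains
        return any(host == v or (v.startswith(".") and host.endswith(v)) for v in values)
    if acltype == "port":
        for v in values:
            lo, hi = (v.split("-") + [v])[:2]   # "80" or "1025-65535"
            if int(lo) <= request["port"] <= int(hi):
                return True
        return False
    raise ValueError("unsupported acl type: " + acltype)


def rule_matches(acls, names, request):
    """All ACLs on one http_access line must match; '!name' negates one."""
    for name in names:
        negate = name.startswith("!")
        acltype, values = acls[name.lstrip("!")]
        if acl_matches(acltype, values, request) == negate:
            return False
    return True


def http_access(conf, request):
    """True if squid would allow the request: the first matching line decides.
    If no line matches, squid uses the opposite of the last line's action."""
    acls, rules = parse_squid_conf(conf)
    for allow, names in rules:
        if rule_matches(acls, names, request):
            return allow
    return (not rules[-1][0]) if rules else False


# Constructed squid.conf fragment in the shape the manual recommends:
# the localnet line sits before "deny all".
GOOD_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.2.0/255.255.255.0
acl Safe_ports port 80 443 1025-65535
http_access deny !Safe_ports
http_access allow localnet
http_access deny all
"""

# The same lines with "deny all" placed first: the localnet line is never reached.
BAD_CONF = GOOD_CONF.replace("http_access allow localnet\nhttp_access deny all",
                             "http_access deny all\nhttp_access allow localnet")


def lan_request(port=80):
    """A constructed request from a LAN client to an outside web server."""
    return {"src": "192.168.2.10", "dst": "203.0.113.5",
            "host": "www.example.com", "port": port}


if __name__ == "__main__":
    print("LAN client, good order:", http_access(GOOD_CONF, lan_request()))
    print("LAN client, bad order: ", http_access(BAD_CONF, lan_request()))
    print("LAN client to port 23: ", http_access(GOOD_CONF, lan_request(23)))
```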
The http_access rules are read in sequence and the first rule matched is used. To allow access to all computers on the network insert the following before the http_access deny all line

    http_access allow localnet

3.3 Additional Configuration Options

The following table is a list of additional options available to further control the squid proxy.

Option                          Description
http_port                       the port squid uses to listen for requests (default 3128)
cache_peer                      specify another proxy server to query whenever an object isn't cached
cache_mem                       limit the amount of additional memory used to cache objects (this
                                parameter doesn't limit the maximum process size)
cache_swap_low                  percentage of swap utilisation. Once this limit is passed objects start
                                to be cached to disk
cache_swap_high                 percentage of swap utilisation. Once this limit is approached objects
                                start getting evicted from the proxy cache
maximum_object_size             objects larger than this will not be cached
maximum_object_size_in_memory   objects larger than this will not be kept in the memory cache

Memory Management [from the SQUID FAQ section 8]

"This version of SQUID stores incoming objects only in memory, until the transfer is complete. At that point it decides whether or not to store the object on disk. This means that when users download large files, your memory usage will increase significantly. The squid.conf parameter maximum_object_size determines how much memory an in-transit object can consume before we mark it as uncachable. When an object is marked uncachable, there is no need to keep all of the object in memory, so the memory is freed for the part of the object which has already been written to the client. In other words, lowering maximum_object_size also lowers Squid-1.1 memory usage."

"If your cache performance is suffering because of memory limitations, you might consider buying more memory. But if that is not an option, there are a number of things to try:

- Try a different malloc library [compile SQUID with a different malloc]
- Reduce the cache_mem parameter in the config file. This controls how many ``hot'' objects are kept in memory. Reducing this parameter will not significantly affect performance, but you may receive some warnings in cache.log if your cache is busy
- Turn the memory_pools off in the config file. This causes Squid to give up unused memory by calling free() instead of holding on to the chunk for potential, future use.
- Reduce the cache_swap parameter in your config file. This will reduce the number of objects Squid keeps. Your overall hit ratio may go down a little, but your cache will perform significantly better
- Reduce the maximum_object_size parameter (Squid-1.1 only). You won't be able to cache the larger objects, and your byte volume hit ratio may go down, but Squid will perform better overall"

3.4 Reporting Tools

Most log analysis tools available for squid are listed on the following site: http://www.squid-cache.org/Scripts/

The main logfile for squid is the /var/log/squid/access.log file.

Next is a short overview of calamaris and webalizer. Also notice that webmin produces log reports based on calamaris.

cachemgr.cgi script

The current squid package installs a CGI script in /usr/lib/squid called cachemgr.cgi. One can copy this across to the /var/www/cgi-bin directory where all CGI scripts can run from. It is recommended however to set up a separate directory with htaccess authentication.

Calamaris

The code is GPL and can be downloaded from http://cord.de/tools/squid/calamaris.

You can generate reports as follows

    cat /var/log/squid/access.log | calamaris

    # Summary
    lines parsed:          221
    invalid lines:           0
    parse time (sec):        0

    # Incoming requests by method
    method   request   %   Byte   %   sec   kB/sec
    [rows GET and Sum: the numeric columns are illegible in the source]

    # Incoming UDP-requests by status
    no matching requests

    # Incoming TCP-requests by status
    status   request   %   Byte   %   sec   kB/sec
    [rows HIT, MISS, ERROR and Sum: the numeric columns are illegible in the source]
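The per-host view calamaris produces can be reproduced from the native access.log format directly. The following added Python script (not from the LinuxIT manual or from calamaris) parses constructed squid log lines and totals requests, hits and bytes per client and per destination host, which is the raw material of the per-host report shown next.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Added example (not from the LinuxIT manual or from calamaris): a per-host
# report over squid's native access.log, whose fields are
#   time elapsed client code/status bytes method URL ident hierarchy/peer type

# Constructed log lines for the example (not a real capture).
SAMPLE_LOG = """\
1078931450.123    120 192.168.2.103 TCP_HIT/200 1532 GET http://www.redhat.com/ - NONE/- text/html
1078931451.456    340 192.168.2.103 TCP_MISS/200 20480 GET http://www.redhat.com/download/ - DIRECT/66.187.232.56 text/html
1078931452.789     15 192.168.2.101 TCP_MISS/404 412 GET http://cord.de/missing - DIRECT/213.239.198.24 text/html
1078931453.000    900 192.168.2.101 TCP_MISS/200 51758 GET http://www.squid-cache.org:80/Scripts/ - DIRECT/206.168.0.9 text/html
1078931454.000     12 192.168.2.101 TCP_MEM_HIT/200 2021 GET http://www.google.com/ - NONE/- text/html
1078931455.000    800 192.168.2.101 TCP_MISS/200 9000 CONNECT www.example.com:443 - DIRECT/93.184.216.34 -
"""


def parse_line(line):
    """Return the fields this report needs, or None for a malformed line."""
    f = line.split()
    if len(f) < 7 or "/" not in f[3]:
        return None
    code, status = f[3].split("/", 1)
    # CONNECT requests carry host:port with no scheme, so urlsplit finds no host
    host = urlsplit(f[6]).hostname or f[6].split(":")[0]
    return {"client": f[2], "hit": "HIT" in code, "status": int(status),
            "bytes": int(f[4]), "target": host}


def per_host_report(log_text):
    """Totals per client, with a breakdown per destination host, like the
    'Incoming TCP-requests by host' table printed by calamaris -R."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = report.setdefault(rec["client"], {"request": 0, "hit": 0, "bytes": 0,
                                                  "targets": defaultdict(int)})
        entry["request"] += 1
        entry["hit"] += rec["hit"]
        entry["bytes"] += rec["bytes"]
        entry["targets"][rec["target"]] += 1
    return report


def hit_ratio(entry):
    """Hit percentage for one client entry, rounded like calamaris prints it."""
    return round(100.0 * entry["hit"] / entry["request"], 2) if entry["request"] else 0.0


if __name__ == "__main__":
    for client, entry in per_host_report(SAMPLE_LOG).items():
        print("%-15s %4d requests %6.2f hit-%% %8d bytes" %
              (client, entry["request"], hit_ratio(entry), entry["bytes"]))
        for target, n in sorted(entry["targets"].items(), key=lambda t: -t[1]):
            print("    %-30s %4d" % (target, n))
```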
In order to get information on webpage requests per host one can use the -R switch. There are many more switches available (check the manpages for calamaris). There are also a number of scripts that can run hourly or monthly reports. These scripts are included in the EXAMPLES file distributed with calamaris.

    calamaris -R 5 /var/log/squid/access.log

    # Incoming TCP-requests by host
    host / target                     request hit-%     Byte hit-%  sec  kB/sec
    --------------------------------- ------- ------ -------- ------ ---- -------
    192.168.2.103                          72   0.00   323336   0.00    0   10.24
    *.redhat.com                           35   0.00   126726   0.00    0   10.44
    *.suse.co.uk                           20   0.00    63503   0.00    0   13.15
    *.lemonde.fr                            6   0.00   109712   0.00    1   16.39
    207.36.15.*                             5   0.00     8946   0.00    0    3.94
    *.akamai.net                            4   0.00    12428   0.00    1    4.43
    other 2 requested urlhosts              2   0.00     2021   0.00    1    0.71
    192.168.2.101                          63   0.00   295315   0.00    1    4.65
    cord.de                                17   0.00   115787   0.00    0   20.86
    *.doubleclick.net                      13   0.00    26163   0.00    1    2.07
    *.google.com                           10   0.00    30646   0.00    1    3.71
    *.squid-cache.org                       8   0.00    51758   0.00    1    6.53
    <error>                                 4   0.00     4290   0.00    0   10474
    other 6 requested urlhosts             11   0.00    66671   0.00    5    2.28
    --------------------------------- ------- ------ -------- ------ ---- -------
    Sum                                   135   0.00   618651   0.00    1    6.51

Webalizer

This tool is often installed by default on some Linux distributions. It is also GPL'ed and can be downloaded from http://www.mrunix.net/webalizer/. By editing the /etc/webalizer.conf file one can choose between apache access logs, ftp transfer logs or squid logs.

[Figure: example graphics generated with webalizer]

3.5 User Authentication (using PAM)

To prevent unauthorised users browsing on the Internet you can set up squid to ask for a username and password.

IMPORTANT
You cannot have user authentication and transparent proxy at the same time! The work around is to block all outgoing requests on port 80, except the ones from the Squid proxy itself. Users are then forced to manually set up their browsers to use the proxy.

Configuration settings for PAM authentication

Here is the list of options you need to set in the squid.conf file

    squid.conf PAM authentication settings

    (Older versions)
    authenticate_program /usr/lib/squid/pam_auth

    (Squid v2.5)
    auth_param basic program /usr/lib/squid/pam_auth
    auth_param basic children 5
    auth_param basic realm Anvil Internet Proxy
    auth_param basic credentialsttl 2 hours

    acl password proxy_auth REQUIRED
    http_access allow password

The PAM configuration in /etc/pam.d

Here we register squid to use the Pluggable Authentication Module. This is done by adding a file in /etc/pam.d/ called squid with the following content

    /etc/pam.d/squid

    auth       required   /lib/security/pam_stack.so service=system-auth
    auth       required   /lib/security/pam_nologin.so
    account    required   /lib/security/pam_stack.so service=system-auth
    password   required   /lib/security/pam_stack.so service=system-auth
    session    required   /lib/security/pam_stack.so service=system-auth
    session    required   /lib/security/pam_limits.so

This is a standard policy description of what to do when a person logs on. The login session is abstracted into 4 parts: auth, account, password and session.
PAM then uses a specific library function which handles each stage. Notice that most lines request the system-auth service, which is the /etc/pam.d/system-auth file.

Also note the following from the pam_auth man page:

When used for authenticating to local UNIX shadow password databases the program must be running as root or else it won't have sufficient permissions to access the user password database. Such use of this program is not recommended, but if you absolutely need to then make the program setuid root

    chown root pam_auth
    chmod u+s pam_auth

Please note that in such configurations it is also strongly recommended that the program is moved into a directory where normal users cannot access it, as this mode of operation will allow any local user to brute-force other users' passwords. Also note the program has not been fully audited and the author cannot be held responsible for any security issues due to such installations.

Network Client Management

Network Client Management ........ 50

1. DHCP Configuration ........ 51
  1.1 Default DHCP Configurations ........ 51
  1.2 Dynamic DNS ........ 53
  1.3 DHCP Relay ........ 55

2. NIS Configuration ........ 56
  2.1 Master Server Configuration ........ 56
  2.2 Slave Server Configuration ........ 57
  2.3 Client Setup ........ 57
  2.4 Setting up NFS home directories ........ 58
  2.5 Basic NIS Administration ........ 58

3. LDAP Configuration ........ 60
  3.1 What is ldap ........ 60
  3.2 OpenLDAP server configuration ........ 61
  3.3 Client configuration files ........ 62
  3.4 Migrating System Files to LDAP ........ 63
  3.5 LDAP Authentication Scheme ........ 66

4. PAM Authentication ........ 67
  4.1 PAM Aware Applications ........ 69
  4.2 PAM Configuration ........ 69

1. DHCP Configuration

WARNING!!
You should not attempt to run a DHCP server unless you are certain not to interfere with the network you are currently using. The safest option for this section is to be totally isolated from the network and use a hub or a switch to connect the classroom together.

1.1 Default DHCP Configurations

The basic communication process between a client workstation joining a TCP/IP network and the DHCP server is depicted below. The DHCPDISCOVER request is sent using the broadcast 255.255.255.255.

The DHCP server can use two methods to allocate IP addresses

1. A dynamic IP is assigned for a client host chosen from a range of IPs
2. A fixed IP is assigned for a specific host (identified using the MAC address, similar to bootp)
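Before loading a subnet block that mixes the two allocation methods, it is worth checking the dynamic range and the fixed addresses against each other. The following added Python check (not from the LinuxIT manual or from ISC dhcpd) parses a dhcpd.conf subnet block of the kind used in this section and reports a range or fixed address outside the subnet, a fixed address that collides with the dynamic range, and a MAC address declared twice; the sample blocks are constructed from the addresses used in this section.

```python
import ipaddress
import re

# Added example (not from the LinuxIT manual or from ISC dhcpd): sanity checks for
# a dhcpd.conf subnet block that mixes a dynamic range with fixed-address hosts.

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
HOST_RE = re.compile(r"\bhost\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_subnet(text):
    """Return (network, [(first, last), ...], [(name, mac, fixed_ip), ...])."""
    m = SUBNET_RE.search(text)
    if m is None:
        raise ValueError("no subnet declaration found")
    net = ipaddress.ip_network("%s/%s" % m.groups(), strict=False)
    ranges = [(ipaddress.ip_address(a), ipaddress.ip_address(b))
              for a, b in RANGE_RE.findall(text)]
    hosts = []
    for name, body in HOST_RE.findall(text):
        mac = re.search(r"hardware\s+ethernet\s+([0-9A-Fa-f:]+)\s*;", body)
        fixed = re.search(r"fixed-address\s+(\S+)\s*;", body)
        hosts.append((name, mac.group(1).lower() if mac else None,
                      ipaddress.ip_address(fixed.group(1)) if fixed else None))
    return net, ranges, hosts


def check_subnet(text):
    """List the problems found; an empty list means the block is consistent."""
    net, ranges, hosts = parse_subnet(text)
    problems = []
    for lo, hi in ranges:
        if lo not in net or hi not in net:
            problems.append("range %s-%s is not inside %s" % (lo, hi, net))
        if lo > hi:
            problems.append("range %s-%s has its ends swapped" % (lo, hi))
    seen = {}
    for name, mac, fixed in hosts:
        if mac is not None:
            if mac in seen:
                problems.append("host %s repeats the MAC of host %s" % (name, seen[mac]))
            seen[mac] = name
        if fixed is None:
            continue
        if fixed not in net:
            problems.append("host %s: fixed-address %s is outside %s" % (name, fixed, net))
        elif any(lo <= fixed <= hi for lo, hi in ranges):
            problems.append("host %s: fixed-address %s collides with the dynamic range"
                            % (name, fixed))
    return problems


# The block from this section (consistent: 10.5.5.2 lies below the range).
MANUAL_BLOCK = """
subnet 10.0.0.0 netmask 255.0.0.0 {
    range 10.5.5.10 10.5.5.200;
    host proxy {
        hardware ethernet 00:80:C6:30:0A:7E;
        fixed-address 10.5.5.2;
    }
}
"""

# Constructed variant with two mistakes: the fixed address lies inside the
# dynamic range, and a second host reuses the proxy's MAC address.
BROKEN_BLOCK = MANUAL_BLOCK.replace("fixed-address 10.5.5.2;", "fixed-address 10.5.5.50;") + """
host printer {
    hardware ethernet 00:80:c6:30:0a:7e;
    fixed-address 10.5.5.3;
}
"""

if __name__ == "__main__":
    for label, block in (("manual", MANUAL_BLOCK), ("broken", BROKEN_BLOCK)):
        print(label, check_subnet(block) or ["ok"])
```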
$ince a sin#le .>8( server can be used to administer %(s over several net"ork, the :2 LinuxI" "echnical (ducation ,entre !2,P ,onfi<uration HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH dhc#d&conf confi#uration file is composed of #lobal options follo"ed b! net"ork sections <xample net"ork block subnet 10.0.0.0 netmask 255.0.0.0 { .... } %n the next example "e "ill assi#n both d!namic %( addresses and a fixed %( address subnet 10.0.0.0 netmask 255.0.0.0 { range 10.5.5.10 10.5.5.200; host proxy { hardware ethernet 00:80:C6:30:0A:7E; fixed-address 10.5.5.2; } } 9or each subnet it is possible to #ive information on net"ork services, such as - the default #ate"a! - the .N$ domain name and the N%$ domain name - the .N$ servers %n the subnet section above these directives "ould look like this option routers 10.254.254.254; option nis-domain "nisdomain"; option domain-name "seafront.bar"; option domain-name-servers 10.0.0.2; The database of d!namicall! assi#ned %( addresses is stored in >var>lib>dhc#>dhc#d&leases :A LinuxI" "echnical (ducation ,entre !2,P ,onfi<uration HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH +&2 !ynamic !NS )e assume that "e still have the private3public ke! used for the seafront T$%& authentication, "e "ill use this same ke! to allo" the .>8( server to update the 7one files on the .N$ server. Additional ,onfi<urations on the !2,P Server ;n the .>8( server add the follo"in# to the dhc#d&conf file ddns-update-st!le interim+ i#nore client-updates+ ke! seafront.bar. O al#orithm hmac-md:+ secret MNAv%/pnVIG)$Ua2>rA1,U/1@,pu(,M#V)ee22&$*8B`+ P+ 7one seafront.bar. O primar! 1K2.1GJ.A.100+ ke! seafront.bar.+ P 7one A.1GJ.1K2.in-addr.arpa. O primar! 1K2.1GJ.A.100+ ke! seafront.bar.+ P ;ptionall!, it is possible to set a specific host name and domain name for a #iven host "ith the ke!"ords ddns-hostname host_name ddns-domain-name domain_name %f the ddns@hostname option are not present then the .>8( server "ill tr! 
and use the name provided by the client. The domain, on the other hand, cannot be set by the client, so if ddns-domain-name is not present then the DHCP server will use the value given by the domain-name option.

Additional Configurations on the DNS Server

On the DNS server we need to do the following:

1. If you are using DNSSEC signed zone files then we need to use the unsigned zones
2. Add an allow-update option to the seafront.bar entry

    zone "seafront.bar" IN {
        type master;
        file "seafront.zone";
        allow-update { key seafront.bar.; };
        allow-transfer { key seafront.bar.; };
    };

and do the same with the in-addr.arpa zone:

    zone "3.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.3.local";
        allow-update { key seafront.bar.; };
        allow-transfer { key seafront.bar.; };
    };

Client Configuration

On Linux clients it is possible to set the DHCP_HOSTNAME variable in the interface setup script. In Redhat-like variants this would be in the /etc/sysconfig/network-scripts/ifcfg-ethX files. Notice that this is simply a hostname; the domain name will be appended to that name on the DHCP server.

1.3 DHCP Relay

The DHCPDISCOVER packets from clients reach the server through the broadcast 255.255.255.255; however, broadcasts are blocked by routers. So in a configuration with multiple networks and a single DHCP server, each router needs to be able to relay DHCPDISCOVER broadcasts from a given network to the DHCP server. For a Linux router this is done using the dhcp-relay or dhcrelay (more recent) tool. Both tools take a mandatory single argument which is the IP of the DHCP server. By default the relay tools will listen on all network interfaces for DHCP requests. One can specify
an interface with the -i option:

    dhcrelay -i eth0 IP_FOR_DHCP_server

2. NIS Configuration

2.1 Master Server Configuration

On a Linux system the network information system (NIS) server is called ypserv (package name ypserv). The RPM package has the same name and installs the following main files:
    Files installed with ypserv      Description
    /etc/rc.d/init.d/yppasswdd       script for the daemon allowing users to change passwords
    /etc/rc.d/init.d/ypserv          script for the ypserv daemon
    /etc/rc.d/init.d/ypxfrd          script for the daemon used to speed up transfers to slave servers
    /etc/ypserv.conf                 main configuration file for ypserv
    /var/yp/Makefile                 Makefile for the database files; should only be used on the master server

1. Choose a nisdomain name. In /etc/sysconfig/network set the variable NISDOMAIN. For example we can set the nisdomain to linis as follows:

    NISDOMAIN=linis        (entry in /etc/sysconfig/network)

The file /etc/sysconfig/network will be sourced by the ypserv initscript.

2. Make sure the master server will push map changes to the slave servers. For this you need to edit the file /var/yp/Makefile and put

    NOPUSH=false

3. Start the ypserv daemon

    /etc/init.d/ypserv restart

4. Check that the nisdomain has been properly set

    nisdomainname
    linis

5. Create the databases; the -m option to ypinit indicates that the server is a master server

    /usr/lib/yp/ypinit -m

Enter the list of slave servers you will run on this domain. This will create a number of DBM files in /var/yp/linis as well as a file called /var/yp/ypservers.

2.2 Slave Server Configuration

On the slave server we need to install the ypserv package too. This time we run ypinit and point it to the master server:

    /etc/rc.d/init.d/ypserv start
    /usr/lib/yp/ypinit -s MASTER_IP

Also make sure to leave the line NOPUSH=true in /var/yp/Makefile.

2.3 Client Setup

On the client the main service is called ypbind (package name ypbind). This daemon is responsible for binding to a NIS server and successfully resolves names and passwords as needed. The main configuration file is /etc/yp.conf. If the NISDOMAIN variable is set in /etc/sysconfig/network, which is sourced by
the rc-script /etc/init.d/ypbind, then the NIS server will be detected using the broadcast. One can also configure yp.conf and specify a server explicitly. Once this is set one can start ypbind:

    /etc/init.d/ypbind start

Make sure that the nis keyword is added to /etc/nsswitch.conf.

2.4 Setting up NFS home directories

Once the NIS server and clients are set up as above, anybody with an account on the NIS server can log onto a machine set up using ypbind pointing at the correct server. All that is needed is for the user to access a home directory. This can be done in a number of ways. We will describe one implementation using NFS. We assume that all the home directories are on a single server with the following IP: 10.0.0.1. All the clients are on the 10.0.0.0/8 network.

On the NFS server, edit /etc/exports and add

    /home 10.0.0.1/8(rw)

Notice that root_squash will apply automatically.

On the client, edit /etc/fstab and add

    10.0.0.1:/home   /home   nfs   defaults   0 0

2.5 Basic NIS Administration

With the latest versions of ypserv a number of default maps are created using source files in /etc. It is possible to alter the YPPWDDIR and YPSRCDIR variables in the Makefile to build maps from alternative files in custom locations. Updates are made with the Makefile in /var/yp. The targets are all, passwd, group ... Copy the new maps to /var/yp/linis and run yppush to update the slave servers:

    yppush MAP_NAME

Additional Commands

    Command    Description
    ypcat      get values from a database, for example: ypcat passwd
    ypwhich    return the name of the NIS server on the network

3. LDAP Configuration
3.1 What is ldap

LDAP stands for Lightweight Directory Access Protocol. The protocol allows access to data in a tree-like structure using attributes. LDAP can be thought of as a specialised database which handles trees. Since directories are also trees, navigating LDAP fields is like navigating a directory. Added to this, LDAP has been designed mainly for optimal access. This clarifies the words Directory and Access. With this in mind let's see what characterises an LDAP database.

The Distinguished Name

An item in the database can be referenced using a unique Distinguished Name (dn). This is similar to a file's full path in a directory. Each intermediate subfolder is called a Relative Distinguished Name.

Distinguished Name

    dc=example, dc=com
    |-- ou=People
    |   `-- cn=Tux
    `-- ou=Aliases

    dn: cn=Tux, ou=People, dc=Example, dc=com
More Terminology

    DIT     The Data Information Tree
    DN      Distinguished Name
    RDN     Relative Distinguished Name
    LDIF    LDAP Data Interchange Format

Attributes

    dc      Domain Component
    cn      Common Name
    c       Country
    l       Location
    o       Organisation
    ou      Organisational Unit
    sn      Surname
    st      State
    uid     User id
3.2 OpenLDAP server configuration

The server is called slapd (Standalone LDAP daemon) and its configuration file is /etc/openldap/slapd.conf. We will cover each section of this file in more detail.

Importing schemas
There is an include clause in slapd.conf which tells the LDAP server which schemas should be loaded. We need at least the following:

    include /etc/openldap/schema/core.schema
    include /etc/openldap/schema/misc.schema
    include /etc/openldap/schema/cosine.schema
    include /etc/openldap/schema/nis.schema
    include /etc/openldap/schema/inetorgperson.schema

Database Definition

Available DBMs (Database Managers) are ldbm or the more recent bdb. We will use bdb:

    database bdb

You need to specify the root or base for the LDAP directory, as well as the directory where the database files will be kept. This is done below:

    suffix "dc=example,dc=com"
    directory /var/lib/ldap

The following lines are only needed when modifying the LDAP server online. You can then specify an administrator username/password. Use slappasswd to generate an encrypted hash (see 3.4 Migrating System Files to LDAP):

    rootdn "cn=Manager,dc=example,dc=com"
    rootpw {SSHA}<hash printed by slappasswd>

3.3 Client configuration files

There are two configuration files called ldap.conf. Here is what they do:

- The /etc/ldap.conf file is used by the nss_ldap and pam_ldap modules
- The file /etc/openldap/ldap.conf is used by the tools ldapsearch and ldapadd

For example, to save time typing

    ldapsearch -b "dc=example,dc=com" -x

you can add the next lines to /etc/openldap/ldap.conf:

    BASE dc=example, dc=com
    HOST 127.0.0.1

So far we have configured slapd and the configuration file for ldapsearch in particular. Once we have populated an LDAP directory we will be able to test our setup by typing:

    ldapsearch -x

3.4 Migrating System Files to LDAP

There are two methods available to populate an LDAP directory.
If the ldap daemon slapd is stopped, we can do an offline update using slapadd. While slapd is running, it is possible to perform an online update using ldapadd or ldapmodify. We will also use migration tools which can be downloaded from http://www.padl.com/OSS/MigrationTools.html

Creating LDAP directories offline

We are going to work in the directory containing the LDAP migration Perl scripts which we have downloaded from www.padl.com.

Notice: Some distributions may include the migration tools with the LDAP server package.

You should have the following files:

    CVSVersionInfo.txt              migrate_all_online.sh        migrate_netgroup.pl
    Make.rules                      migrate_automount.pl         migrate_netgroup_byhost.pl
    MigrationTools.spec             migrate_base.pl              migrate_netgroup_byuser.pl
    README                          migrate_common.ph            migrate_networks.pl
    ads                             migrate_fstab.pl             migrate_passwd.pl
    migrate_aliases.pl              migrate_group.pl             migrate_profile.pl
    migrate_all_netinfo_offline.sh  migrate_hosts.pl             migrate_protocols.pl
    migrate_all_netinfo_online.sh   migrate_all_nis_offline.sh   migrate_rpc.pl
    migrate_all_nisplus_offline.sh  migrate_all_nis_online.sh    migrate_services.pl
    migrate_all_nisplus_online.sh   migrate_all_offline.sh       migrate_slapd_conf.pl

First edit migrate_common.ph and change the $DEFAULT_BASE variable to

    $DEFAULT_BASE = "dc=example,dc=com";

NOTICE: When migrating the /etc/passwd file one can either use shadow passwords or not. When using shadow passwords an added objectClass called shadowAccount is used in the LDAP record and there is no need to migrate the shadow password file.

We create our first LDIF file called base.ldif to serve as our root:

    ./migrate_base.pl > base.ldif

This flat file will be converted into bdb (or ldbm) files stored in /var/lib/ldap as follows:

    slapadd -v < base.ldif
We next choose to migrate the passwords without shadow passwords, as follows:

    pwunconv
    ./migrate_passwd.pl /etc/passwd passwd.ldif

The entries in passwd.ldif should look like this:
    dn: uid=test,ou=People,dc=example,dc=com
    uid: test
    cn: test
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    userPassword: {crypt}<hash taken from /etc/passwd>
    loginShell: /bin/bash
    uidNumber: 505
    gidNumber: 505
    homeDirectory: /home/test

Now let's add this LDIF file to our LDAP directory (remember that LDAP is stopped, so we are still offline):

    slapadd -v -l passwd.ldif

or

    slapadd -v < passwd.ldif

NOTICE: Make sure all the files in /var/lib/ldap belong to user ldap.

TESTING: Restart the LDAP server

    /etc/init.d/ldap restart

Search all the entries in the directory

    ldapsearch -x

If the ldap server does not respond, or the result from ldapsearch is empty, it is possible to show the content of the LDAP databases in /var/lib/ldap with the slapcat command.

Creating LDAP Directories Online

The LDAP server can be updated online, without having to shut the ldap service down. For this to work, however, we must specify a rootdn and a rootpw in /etc/openldap/slapd.conf. The password hash is generated from the command line as follows:

    slappasswd
    New password:
    Re-enter new password:
    {SSHA}<hash printed by slappasswd>

We next choose the rootdn in /etc/openldap/slapd.conf to be

    rootdn "cn=Manager,dc=example,dc=com"
    rootpw {SSHA}<hash printed by slappasswd>

The next line will update the LDAP entries:

    ldapmodify -f passwd.ldif -x -D "dc=example,dc=com" -W
    Enter LDAP Password:

3.5 LDAP Authentication Scheme

Server Configuration

We assume that the LDAP server has been configured as above. The passwords in the LDAP directory can also be updated online with the ldappasswd command. The next line will update the password for user tux on the LDAP server.
    ldappasswd -D "cn=Manager,dc=example,dc=com" -S -x -W \
        "uid=tux,ou=People,dc=example,dc=com"

The -S switch is used to configure a new password. We assume that the IP address for the server is 10.0.0.1 and that the domain component is "dc=example,dc=com".

You may allow users to change their passwords on the LDAP server as follows:

1. Copy the passwd PAM file /etc/share/doc/nss_ldap-version/pam.d/passwd to /etc/pam.d
2. Add the following access rule in /etc/openldap/slapd.conf

    access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

Client Configuration

The clients need to have the nss_ldap package installed (some distributions have a separate pam_ldap package with the PAM related modules and files). The following files and libraries are installed:

    /etc/ldap.conf                      set the hostname and the domain component of the LDAP server used for authentication
    /lib/libnss_ldap-2.3.2.so           an ldap module for the NameService Switch
    /lib/security/pam_ldap.so           the PAM ldap module
    /usr/lib/libnss_ldap.so             a symbolic link to /lib/libnss_ldap-2.3.2.so
    /usr/share/doc/nss_ldap-207/pam.d   sample files for programs using PAM

If we don't use SSL certificates then /etc/ldap.conf is as follows:

The /etc/ldap.conf file

    host 10.0.0.1
    base dc=example,dc=com
    ssl no
    pam_password md5

Next, in /etc/pam.d replace the file called login with /usr/share/doc/nss_ldap-207/pam.d/login. This will tell the authentication binary /bin/login to use the pam_ldap.so module.

Finally, /etc/nsswitch.conf needs to have the following line:

    passwd: ldap files

Check the /var/log/ldap/ldap.log file on the server to follow the authentication process.
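Two of the slapd.conf settings in this chapter decide who can read password material: rootpw (3.2, which should hold the {SSHA} hash from slappasswd rather than a clear-text password) and the "access to attrs=userPassword" rule (3.5, which must end in "by * none", since slapd's default when no access rule applies is read access for everyone). The following audit script is an added example, not part of the LinuxIT manual or of OpenLDAP; it checks a constructed slapd.conf for both weaknesses and is shown once against a weak file and once against the corrected settings. The {SSHA} value in the hardened file is a labelled placeholder, not a real hash.

```shell
# Added example, not from the LinuxIT manual: audit slapd.conf for a
# clear-text rootpw and a userPassword ACL that exposes hashes.
# Both configuration files below are constructed for the demonstration.
SLAPD_WEAK="${TMPDIR:-/tmp}/slapd.conf.weak"
cat > "$SLAPD_WEAK" <<'EOF'
# constructed slapd.conf with two weak settings
include /etc/openldap/schema/core.schema
database bdb
suffix "dc=example,dc=com"
directory /var/lib/ldap
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
access to attrs=userPassword
    by self write
    by * read
EOF

SLAPD_OK="${TMPDIR:-/tmp}/slapd.conf.ok"
cat > "$SLAPD_OK" <<'EOF'
# constructed slapd.conf with the corrected settings
include /etc/openldap/schema/core.schema
database bdb
suffix "dc=example,dc=com"
directory /var/lib/ldap
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}PLACEHOLDER-hash-produced-by-slappasswd
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
EOF

# Print one finding per line; print nothing when the file passes.
audit_slapd_conf() {
    awk '
        # rootpw must be a {SCHEME}hash, never a bare password
        $1 == "rootpw" && substr($2, 1, 1) != "{" {
            print "rootpw is stored in clear text; use the {SSHA} hash printed by slappasswd" }
        # track whether we are inside the ACL that covers userPassword
        $1 == "access" { inpw = ($0 ~ /attrs=userPassword/); if (inpw) seen_pw = 1; next }
        # a catch-all "by *" clause may only grant none or auth on hashes
        inpw && $1 == "by" && $2 == "*" && $3 != "none" && $3 != "auth" {
            print "userPassword ACL ends with \"by * " $3 "\"; hashes are readable by every bind" }
        END { if (!seen_pw) print "no access rule covers userPassword; slapd defaults to read for everyone" }
    ' "$1"
}

# Number of findings, convenient for a pre-restart check in a script.
audit_count() { audit_slapd_conf "$1" | wc -l | tr -d ' '; }

echo "weak file:";      audit_slapd_conf "$SLAPD_WEAK"
echo "hardened file:";  audit_slapd_conf "$SLAPD_OK"
```

The weak file produces two findings and the hardened one none; running "audit_count /etc/openldap/slapd.conf" before "/etc/init.d/ldap restart" turns the check into a gate.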
4. PAM Authentication

Services or applications which need authentication can use the pluggable authentication module (PAM) mechanism, which offers a modular approach to the authentication process. For example, if a new hardware authentication scheme is added to a system, using smart cards or prime number generators, and if corresponding PAM library modules are available for this new scheme, then it is possible to modify existing services to use this new authentication scheme.

4.1 PAM Aware Applications

Services which use pluggable authentication modules have been compiled with libpam. For example sshd is such a service.
The PAM modules are configured using the authconfig tool. Authconfig changes the Name Service databases in /etc/nsswitch.conf.

These applications will scan the PAM configuration files, which in turn tell the application how the authentication will take place.

4.2 PAM Configuration

PAM configuration is controlled with the single file /etc/pam.conf. This file contains a list of services and a set of instructions, as follows:

    service  type  control  module-path  module-arguments

However, if the directory /etc/pam.d exists then pam.conf is ignored and each service is configured through a separate file in pam.d. These files are similar to pam.conf except that the service name is dropped:

    type  control  module-path  module-arguments

type defines the "management group type". PAM modules are classified into four management groups which define different aspects of the authentication process:

    account    check the validity of the account (eg. does the user have a UNIX account? is the user authorised to use the application ...)
    auth       the authentication method. This points to the module(s) responsible for the challenge-response
    password   defines how to change user passwords, if at all
    session    modules that are run before and after a service is granted

control defines what action to take if the module fails. The simple controls are:

    requisite   a failure of the module results in the immediate termination of the authentication process
    required    a failure of the module will result in the termination of the authentication once all the other modules of the same type have been executed
    sufficient  success of the module is sufficient, except if a prior required module has failed
    optional    success or failure of this module are not taken into account unless it is the only requirement of its type

module-path  the path to a PAM module (usually in /lib/security)

module-arguments  list of arguments for a specific module
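Because a pam.d file is consulted top to bottom per management group, and a mistyped control keyword makes PAM refuse the rule (and usually the login), it helps to be able to list the modules of one group in order and to lint the file for bad type or control words. The script below is an added example, not part of the LinuxIT manual or of Linux-PAM; it works on a constructed /etc/pam.d/login in the four-column layout described above, with pam_ldap.so placed before pam_unix.so as in the LDAP authentication scheme of chapter 3. One line of the constructed file carries a deliberate typo so that the lint has something to report.

```shell
# Added example, not from the LinuxIT manual: inspect a pam.d service file.
# The file is constructed; the "optionnal" typo on the last line is deliberate.
PAM_FILE="${TMPDIR:-/tmp}/pam.d-login.example"
cat > "$PAM_FILE" <<'EOF'
# constructed /etc/pam.d/login: LDAP first, local passwd file as fallback
auth       required     pam_securetty.so
auth       sufficient   pam_ldap.so
auth       required     pam_unix.so use_first_pass
auth       required     pam_nologin.so
account    sufficient   pam_ldap.so
account    required     pam_unix.so
password   sufficient   pam_ldap.so
password   required     pam_unix.so use_authtok
session    required     pam_unix.so
session    optionnal    pam_ldap.so
EOF

# List the modules of one management group in the order PAM consults them.
#   $1 = pam.d file, $2 = type (auth|account|password|session)
pam_modules() {
    awk -v t="$2" '!/^#/ && NF >= 3 && $1 == t { print $3 }' "$1"
}

# Report every rule whose type or control keyword is not one PAM accepts,
# or which lacks a module path; output is "LINE: text", nothing when clean.
pam_lint() {
    awk '!/^#/ && NF > 0 {
            ok_type = ($1 ~ /^(auth|account|password|session)$/)
            ok_ctrl = ($2 ~ /^(requisite|required|sufficient|optional)$/)
            if (!ok_type || !ok_ctrl || NF < 3) print NR ": " $0
         }' "$1"
}

# Number of lint findings, for use as a check before replacing a pam.d file.
pam_lint_count() { pam_lint "$1" | wc -l | tr -d ' '; }

echo "auth stack:";  pam_modules "$PAM_FILE" auth
echo "problems:";    pam_lint "$PAM_FILE"
```

The auth stack lists pam_securetty.so, pam_ldap.so, pam_unix.so and pam_nologin.so in that order, and the lint reports only the session line with the misspelled control. Running "pam_lint_count /usr/share/doc/nss_ldap-207/pam.d/login" before copying that file into /etc/pam.d is a cheap safeguard.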
System Security

System Security ............................................................ 71
1. Iptables/Ipchains ....................................................... 72
   1.1 The Chains .......................................................... 72
   1.2 The Tables .......................................................... 73
   1.3 The Targets ......................................................... 74
   1.4 Example Rules ....................................................... 74
2. Differences with Ipchains ............................................... 75
3. Security Tools .......................................................... 77
   3.1 SSH ................................................................. 77
   3.2 LSOF ................................................................ 78
   3.3 NETSTAT ............................................................. 79
   3.4 TCPDUMP ............................................................. 79
   3.5 NMAP ................................................................ 82
1. Iptables/Ipchains

So What's A Packet Filter?

A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to DROP the packet (i.e., discard the packet as if it had never received it), ACCEPT the packet (i.e., let the packet go through), or something more complicated.
    - from the "Packet Filtering HOWTO" by Rusty Russell

For more in depth information see the HOWTOs at www.netfilter.org. In this section we introduce the iptables concepts of chains, tables and targets. We then look at some examples to illustrate network address translation (NAT) as well as the special cases of masquerading and transparent redirections.
+&+ "he ,hains / chain is a list of rules "hich b! considerin# criteria found in the packet4s header "ill make decisions about the t!pe of action to take 5tar#et6. There are five chains correspondin# to different sta#es in the netfilter frame"ork (C<C;'T%N&, %N('T, 9;C)/C., (;$TC;'T%N& and ;'T('T. *elo" is a dia#ram of the pro#ression of a packet throu#h the kernel netfilter frame"ork IB Linux%T Technical <ducation 8entre System Security HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH +&2 "he "ables There are three built-in tables 5the %( Tables6 "hich allo" to carr! out different tasks as listed belo". filter this is the default table and the packets are never altered. (ackets are available from the follo"in# chains %N('T for packets comin# into the box itself ;'T('T for locall!-#enerated packets 9;C)/C. for packets bein# routed throu#h the box 5check the value of 3proc3s!s3net3ipvB3ipHfor"ard6 nat this table onl! deals "ith net"ork address translations 5N/T6 it is consulted "hen a packet creatin# a ne" connection is encountered. (acket headers connected "ith routin# can be altered here. The follo"in# chains are considered (C<C;'T%N& alters the packets as the! come in (;$TC;'T%N& alters packets as the! #o out ;'T('T alters locall! #enerated packets before routin# man<le used for speciali7ed packet alterations. Tar#ets in this table allo" the T;$ or TTL field to be modified. 'ntil kernel 2.B.1I it could onl! interact "ith t"o chains (C<C;'T%N& for alterin# incomin# packets before routin# ;'T('T for alterin# locall!-#enerated packets before routin# $ince kernel 2.B.1J, the three other chains are also supported %N('T for packets comin# into the box itself 9;C)/C. for alterin# packets bein# routed throu#h the box (;$TC;'T%N& for alterin# packets as the! 
are about to #o out I: Linux%T Technical <ducation 8entre System Security HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH +&0 "he "ar<ets The part of a the filterin# rule "hich determines "hat action to take if the rule is matched is called a target and is preceded b! a @? fla# 5,ump6. >ere is an overvie" of available tar#ets for a #iven table all tables; /88<(T, C<?<8T, .C;(, L;&, 'L;&, T8(2$$, 2%CC;C filter 5nothin# individual to this chain6 nat .N/T, $N/T, 2/$M'<C/.<, C<.%C<8T man<le T;$, 2/CT, .$8(, <8N There are more tar#ets, but the! come as part of additional extension kernel modules. +&$ (xam#le 'ules +& <xample filter rules .rop incomin# icmp-re1uest as "ell as out#oin# icmp-repl! packets iptables -A INPUT -p icmp --icmp-type echo-request -j DROP iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP Notice The protocol extension fla#s allo" !ou to specif! more information about a specific protocol. %n the case of T8( packets for example !ou ma! have -p tcp Stcp-fla#s /LL $0N,/8T /LL stands for $0N /8T 9%N C$T 'C& and ($>. This rule sa!s that all fla#s must be examined and of those, if the $0N and /8T fla#s are set, the rule is true. 2& <xample .estination Net"ork /ddress Translation 5.N/T6 /ll re1uests on port J0 for host 1K2.1GJ.A.100 are redirected to the host 10.1.1.1 on port J0 iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.3.100 \ --dport 80 -j DNAT --to 10.1.1.1:80 IG Linux%T Technical <ducation 8entre System Security HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH 0& <xample $ource Net"ork /ddress Translation 5$N/T6 The $N/T tar#et is used to chan#e the $ource /ddress. 9or example, in the case "here a router s"itches the from address on all out#oin# packets leavin# throu#h ppp0 to it4s o"n 5public6 %( address. 
The line "ould look like this iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.3.0/24 -d 0/0 \ -j SNAT to ROUTER_IP This rule can also be "ritten usin# the 2/$M'<C/.< tar#et iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.3.0/24 -d 0/0 -j MASQUERADE $& <xample Cedirection / redirection is a special case of .N/T "here the Z1to host is the same host. 9or example if a prox! server is runnin# on a router, all re1uests throu#h port J0 can be (C<- routed throu#h port A12J "ith iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 "AS4; /t this sta#e if !ou "ant to implement a transparent prox! "ith the previous redirection rule !ou "ill have to chan#e the confi#uration file sAuid&conf and add the follo"in# httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on Cemember that if !ou have implemented an authentication scheme "ith s1uid !ou ma! have to disable it for the transparent prox! to "ork. 2. Differences .ith $%chains )e "ill simpl! mention some of the main improvement over i#chains. )ith iptables1 each filtered pac2et is only processed using rules from one chain rather than multiple chains. %n other "ords, a 9;C)/C. packet comin# into a s!stem usin# II Linux%T Technical <ducation 8entre System Security HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH ipchains "ould have to #o throu#h the %N('T, 9;C)/C., and ;'T('T chains in order to move alon# to its destination. >o"ever, i#tables onl! sends packets to the %N('T chain if the! are destined for the local s!stem and onl! sends them to the ;'T('T chain if the local s!stem #enerated the packets. 9or this reason, !ou must be sure to place the rule desi#ned to catch a particular packet in the correct chain that "ill actuall! see the packet. The advanta#e is that !ou no" have finer-#rained control over the disposition of each packet. 
If you are attempting to block access to a particular website, it is now possible to block access attempts from clients running on hosts which use your host as a gateway. An OUTPUT rule which denies access will no longer prevent access for hosts which use your host as a gateway.

Additional Matching Extensions

Matching extensions are implemented in iptables as modules. Modules are invoked with the -m switch. For example, the state module makes it possible to distinguish new packets from packets belonging to an established connection. The packet is tested for a matching state. Particular state values are NEW, ESTABLISHED, RELATED or INVALID.

    iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

Matching extension modules are listed below.

    Module     Description                                                                         Option (example)
    connrate   matches the current connection rate                                                 --connrate [!] [from]:[to]
    dstlimit   limits the packets per second (pps) rate per destination IP or destination port     --dstlimit avg
    icmp       this extension is loaded if `--protocol icmp' is specified                         --icmp-type [!] typename
    iprange    specify a range of IPs                                                              --src-range IP1-IP2
    length     matches the length of the packet                                                    --length length
    mac        match the MAC source                                                                --mac-source [!] address
    state      determine the state of a packet (NEW, ESTABLISHED, RELATED, INVALID)                --state state

3. Security Tools

3.1 SSH

For a first description of the ssh client and sshd server see the section on "Basic Security" in the lpi-manuals document for LPI 102. For an in depth presentation see the Internet draft "The SSH (Secure Shell) Remote Login Protocol" at http://www.free.lp.se/fish/rfc.txt. This section covers the server configuration file and briefly
discusses other mechanisms that the SSH protocol offers, such as X11 forwarding and port forwarding.

sshd_config overview

    Port 22                       Specify which port to listen on. Multiple "Port" options can be used
    Protocol 2,1                  Specify version 1 or version 2 SSH protocol. Can be a comma separated list. If both are supplied, they are tried in the order presented.
    DenyUsers USER@HOST           Deny users from a specific host. Wild cards such as * can be used
    IgnoreRhosts yes/no           Default is yes: ignore the ~/.rhosts and ~/.shosts files
    PermitEmptyPasswords yes/no   Default is no: allow login with an empty password when password authentication is allowed
    PermitRootLogin yes/no        Allow or disallow root access
    X11Forwarding yes/no          Instructs the remote end to route X11 traffic back through the ssh tunnel to the user's X session. Unless disabled, the xauth settings will be transferred in order to properly authenticate remote X applications

Port Forwarding

It is possible to do port forwarding with the SSH client. This is often used to provide a simple mechanism to encrypt a connection. For example, one can open a local (-L) port (1234) pointing to the remote host (www.google.com) on another port (80) as follows:
    ssh -L 1234:www.google.com:80 127.0.0.1

Quick VPN

This is a user-space VPN, as opposed to other types of VPNs which are kernel based.

    /usr/sbin/pppd noauth pty \
        "ssh SOME_HOST -l root '/usr/sbin/pppd notty noauth 192.168.0.1:192.168.0.2'" \
        192.168.0.2:192.168.0.1

3.2 LSOF

lsof - show open files used by processes

Traditionally used to list PIDs of processes running on a given directory:

    lsof +D DIRECTORY

lsof will output the following information:

    NAME     name of the process
    PID      process ID
    USER     name of the user to whom the process belongs
    FD       file descriptor (e.g. u = read write, r = read, w = write)
    TYPE     the file type (e.g. REG = regular file)
    DEVICE   major/minor number (e.g. 3,12 = /dev/hda12)
    SIZE     size or offset of the file
    NODE     inode of the file
    NAME     the name of the file

lsof can also be used to display network sockets. For example, the following line will list all internet connections:

    lsof -i

You can also list connections to a single host:

    lsof -i @HOST

For example, if a host TOFFY is connected to your localhost on port 1234, the following would display information about the connection:

    lsof -i @TOFFY:1234

3.3 NETSTAT

netstat - print network connections, routing tables ...

Main options are:

    -r       display routing tables
    -l       only listening services
    -C       display route cache
    --inet   restrict to network sockets

Protocol types:

    -t       select tcp
    -u       select udp

3.4 TCPDUMP

tcpdump - dump traffic on a network

This is taken directly from the man pages:

The TCP Packet

"The general format of a tcp protocol line is:

    src > dst: flags data-seqno ack window urgent options
Src and dst are the source and destination IP addresses and ports.

Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single '.' (no flags). Data-seqno describes the portion of sequence space covered by the data in this packet (see example below). Ack is the sequence number of the next data expected in the other direction on this connection. Window is the number of bytes of receive buffer space available in the other direction on this connection. Urg indicates there is "urgent" data in the packet. Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).

Capturing TCP packets with particular flag combinations (e.g. SYN-ACK, URG-ACK, etc.)

There are 8 bits in the control bits section of the TCP header:

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

Let's assume that we want to watch packets used in establishing a TCP connection. Recall the structure of a TCP header without options:

 0                            15                              31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
-----------------------------------------------------------------
|         TCP checksum          |       urgent pointer          |
-----------------------------------------------------------------

A TCP header usually holds 20 octets of data, unless options are present. The first line of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc. Starting to count with 0, the relevant TCP control bits are contained in octet 13:

 0             7|             15|             23|             31
----------------|---------------|---------------|----------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
----------------|---------------|---------------|----------------
|               |  13th octet   |               |               |
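The octet-13 arithmetic worked through by hand in the next paragraphs, and the scan signatures listed under NMAP further down, in one added Python example. This is not code from the LinuxIT manual: it builds constructed 20-octet TCP headers, reads tcp[13] from them, names the set bits, matches them against (mask, value) signatures, and prints the equivalent tcpdump expression and iptables --tcp-flags LOG rule for each signature (the TASKS below ask for such rules). The sample headers and the signature labels are this example's own assumptions.

```python
import struct

# Control bits of TCP header octet 13, from bit 7 (CWR) down to bit 0 (FIN),
# in the order shown in the header diagram above.
FLAG_BITS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}

# The six flags iptables accepts by name in --tcp-flags (ALL means all six).
IPTABLES_FLAGS = ("SYN", "ACK", "FIN", "RST", "URG", "PSH")

# (mask, value) signatures: a packet matches when tcp[13] & mask == value.
# The labels are this example's own, not nmap or tcpdump terminology.
SIGNATURES = {
    "SYN only (connection request, nmap -sS probe)": (0x12, 0x02),
    "SYN/ACK (port listening)": (0x12, 0x12),
    "RST/ACK (port closed)": (0x14, 0x14),
    "NULL scan (nmap -sN)": (0x3F, 0x00),
    "Xmas scan (nmap -sX, FIN+URG+PSH)": (0x3F, 0x29),
}


def build_tcp_header(flags, sport=40000, dport=80, seq=1, ack=0, window=8192):
    """Constructed 20-octet TCP header without options.

    Octet 12 holds the data offset (5 words) in its high nibble, octet 13
    the control bits; checksum and urgent pointer are left at zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, window, 0, 0)


def tcp_flags_octet(tcp_header):
    """Octet 13 of a raw TCP header, i.e. what tcpdump calls tcp[13]."""
    if len(tcp_header) < 20:
        raise ValueError("a TCP header is at least 20 octets")
    return tcp_header[13]


def flag_names(octet):
    """Names of the control bits set in octet 13, most significant first."""
    return [name for name, bit in FLAG_BITS.items() if octet & bit]


def classify(octet):
    """All signatures that a given tcp[13] value matches."""
    return [name for name, (mask, value) in SIGNATURES.items()
            if octet & mask == value]


def tcpdump_filter(mask, value):
    """tcpdump/BPF expression for one signature. A full-octet mask is the
    exact comparison derived in the text; a partial mask ignores the other
    bits, e.g. the CWR/ECE bits an ECN-capable host sets on its SYN."""
    if mask == 0xFF:
        return f"tcp[13] == {value}"
    return f"tcp[13] & {mask:#x} == {value:#x}"


def iptables_rule(mask, value, log_prefix):
    """iptables LOG rule using --tcp-flags MASK COMP. Only the six named
    flags can be expressed, so CWR/ECE in mask or value is rejected."""
    if (mask | value) & 0xC0:
        raise ValueError("--tcp-flags cannot match CWR or ECE")

    def names(bits):
        chosen = [f for f in IPTABLES_FLAGS if bits & FLAG_BITS[f]]
        if len(chosen) == len(IPTABLES_FLAGS):
            return "ALL"
        return ",".join(chosen) if chosen else "NONE"

    return (f"iptables -A INPUT -p tcp --tcp-flags {names(mask)} {names(value)} "
            f'-j LOG --log-prefix "{log_prefix}: "')


def scan_report(packets):
    """Classify (label, raw TCP header) pairs; returns {label: [matches]}."""
    return {label: classify(tcp_flags_octet(hdr)) for label, hdr in packets}


if __name__ == "__main__":
    # Constructed probe and reply headers, one per case discussed in the text.
    samples = [
        ("client SYN", build_tcp_header(0x02)),
        ("ECN client SYN", build_tcp_header(0xC2)),
        ("server SYN/ACK", build_tcp_header(0x12)),
        ("closed port RST/ACK", build_tcp_header(0x14)),
        ("nmap -sN probe", build_tcp_header(0x00)),
        ("nmap -sX probe", build_tcp_header(0x29)),
    ]
    for label, hdr in samples:
        octet = tcp_flags_octet(hdr)
        print(f"{label:20s} tcp[13]={octet:3d} ({octet:08b}) "
              f"{flag_names(octet)} -> {classify(octet)}")
    for name, (mask, value) in SIGNATURES.items():
        print(tcpdump_filter(mask, value))
        print(iptables_rule(mask, value, name.split(" (")[0]))
```

The SYN signature deliberately masks only the SYN and ACK bits, so a SYN that also carries CWR and ECE (octet 13 = 0xC2, as sent by an ECN-capable client) is still recognised as a connection request; the exact comparison tcp[13] == 2 from the derivation would miss it.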
Let's have a closer look at octet no. 13:

                |               |
                |---------------|
                |C|E|U|A|P|R|S|F|
                |---------------|
                |7 6 5 4 3 2 1 0|

These are the TCP control bits we are interested in. We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5. Recall that we want to capture packets with only SYN set. Let's see what happens to octet 13 if a TCP datagram arrives with the SYN bit set in its header:

                |C|E|U|A|P|R|S|F|
                |---------------|
                |0 0 0 0 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|

Looking at the control bits section we see that only bit number 1 (SYN) is set. Assuming that octet number 13 is an 8-bit unsigned integer in network byte order, the binary value of this octet is 00000010 and its decimal representation is

  0*2^7 + 0*2^6 + 0*2^5 + 0*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 2

We're almost done, because now we know that if only SYN is set, the value of the 13th octet in the TCP header, when interpreted as an 8-bit unsigned integer in network byte order, must be exactly 2. This relationship can be expressed as
tcp[13] == 2

This matches only when no other control bit is set. A SYN from a host negotiating ECN also carries the CWR and ECE bits (octet 13 = 0xC2), so a filter that tests just the SYN and ACK bits, tcp[13] & 0x12 == 2, is the more robust way to catch connection requests.

3.5 NMAP

nmap - Network exploration tool and security scanner

The scanner makes use of the fact that a closed port should (according to RFC 793) send back an RST. In the case of a SYN scan, connections that are half opened are immediately closed by nmap by sending an RST itself.

Scan Types:

SYN or Half-open: -sS
Nmap will send a synchronisation packet (SYN) asking for a connection. If the remote host sends a RST/ACK it is assumed that the port is closed. If the remote host sends a SYN/ACK this indicates that the port is listening.

UDP: -sU
UDP is connectionless, so there is no need for a 3 way handshake as with TCP. If a port is closed the server will send back an ICMP PORT UNREACHABLE. Ports that give no answer are then assumed to be open (nmap reports them as open|filtered), which is not reliable if ICMP messages are blocked.

TCP NULL: -sN
TCP packet with no flags set. A closed port will send a RST when receiving this packet (except with MS Windows, which answers with a RST whether the port is open or closed).

TCP Xmas: -sX
TCP packet with the FIN+URG+PUSH flags set. The remote host should send back a RST for all closed ports when receiving an Xmas packet.

Many more scan types exist, e.g. ACK scan -sA, RPC scan -sR ...

TASKS:

- Configure iptables rules to log the different nmap scans using the --tcp-flags option.
- Notice that tcpdump can take compound options such as
    tcpdump host A and not host B
    tcpdump 'ip proto \icmp and host HOST' ...
- Also of interest: go to www.tcpdump.org and try the libpcap tutorials (remember to compile the code CODE.c with "gcc CODE.c -l pcap" ...)

LinuxIT Technical Education Centre, LPI 202 Objectives

Exam 202: Detailed Objectives

This is a required exam for LPI certification Level 2. It covers advanced network administration skills that are common across all distributions of Linux. Each objective is assigned a weighting value. The weights range roughly
from 1 to 10, and indicate the relative importance of each objective. Objectives with higher weights will be covered in the exam with more questions.

Topic 205: Networking Configuration

2.205.1 Basic networking configuration
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 5
Description: The candidate should be able to configure a network device to be able to connect to a local network and a wide-area network. This objective includes being able to communicate between various subnets within a single network, configure dialup access using mgetty, configure dialup access using a modem or ISDN, configure authentication protocols such as PAP and CHAP, and configure TCP/IP logging.
Key files, terms, and utilities include: /sbin/route, /sbin/ifconfig, /sbin/arp, /usr/sbin/arpwatch, /etc
2.205.2 Advanced Network Configuration and Troubleshooting
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 3
Description: The candidate should be able to configure a network device to implement various network authentication schemes. This objective includes configuring a multi-homed network device, configuring a virtual private network and resolving networking and communication problems.
Key files, terms, and utilities include: /sbin/route, /sbin/ifconfig, /bin/netstat, /bin/ping, /sbin/arp, /usr/sbin/tcpdump, /usr/sbin/lsof, /usr/bin/nc

Topic 206: Mail & News

2.206.1 Configuring mailing lists
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 1
Description: Install and maintain mailing lists using majordomo. Monitor majordomo problems by viewing majordomo logs.
Key files, terms, and utilities include: Majordomo2

2.206.2 Using Sendmail
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 4
Description: Candidates should be able to manage a Sendmail configuration including email aliases, mail quotas, and virtual mail domains. This objective includes configuring internal mail relays and monitoring SMTP servers.
Key files, terms, and utilities include: /etc/aliases, sendmail.cw, virtusertable, genericstable

2.206.3 Managing Mail Traffic
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 3
Description: Candidates should be able to implement client mail management software to filter, sort, and monitor incoming user mail. This objective includes using software such as procmail on both server and client side.
Key
files, terms, and utilities include: procmail

2.206.4 Serving news
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 1
Description: Candidates should be able to install and configure news servers using inn. This objective includes customizing and monitoring served newsgroups.
Key files, terms, and utilities include: innd

Topic 207: DNS

2.207.1 Basic BIND 8 configuration
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 2
Description: The candidate should be able to configure BIND to function as a caching-only DNS server. This objective includes the ability to convert a BIND 4.9 named.boot file to the BIND 8.x named.conf format, and reload the DNS by using kill or ndc. This objective also includes configuring logging and options such as directory location for zone files.
Key files, terms, and utilities include: /etc/named.conf, /usr/sbin/ndc, /usr/sbin/named-bootconf, kill

2.207.2 Create and maintain DNS zones
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 3
Description: The candidate should be able to create a zone file for a forward or reverse zone or root level server. This objective includes setting appropriate values for the SOA resource record, NS records, and MX records. Also included is adding hosts with A resource records and CNAME records as appropriate, adding hosts to reverse zones with PTR records, and adding the zone to the /etc/named.conf file using the zone statement with appropriate type, file and masters values. A candidate should also be able to delegate a zone to another DNS server.
Key files, terms, and utilities include: contents of /var/named, zone file syntax, resource record formats, dig, nslookup, host

2.207.3 Securing a DNS server
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 3
Description: The candidate should be able to configure BIND
to run as a non-root user, and configure BIND to run in a chroot jail. This objective includes configuring DNSSEC statements such as key and trusted-keys to prevent domain spoofing. Also included is the ability to configure a split DNS configuration using the forwarders statement, and specifying a non-standard version number string in response to queries.
Key files, terms, and utilities include: SysV init files or rc.local, /etc/named.conf, /etc/passwd, dnskeygen

Topic 208: Web Services

2.208.1 Implementing a web server
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 2
Description: Candidates should be able to install and configure an Apache web server. This objective includes monitoring Apache load and performance, restricting client user access, configuring mod_perl and PHP support, and setting up client user authentication. Also included is configuring Apache server options such as maximum requests, minimum and maximum servers, and clients.
Key files, terms, and utilities include: access.log, .htaccess, httpd.conf, mod_auth, htpasswd, htgroup

2.208.2 Maintaining a web server
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 2
Description: Candidates should be able to configure Apache to use virtual hosts for websites without dedicated IP addresses. This objective also includes creating an SSL certificate for Apache and defining SSL definitions in configuration files using OpenSSL. Also included is customizing file access by implementing redirect statements in Apache's configuration files.
Key files, terms, and utilities include: httpd.conf
2.208.3 Implementing a proxy server
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 2
Description: Candidates should be able to install and configure a proxy server using Squid. This objective includes implementing access policies, setting up authentication, and utilizing memory usage.
Key files, terms, and utilities include: squid.conf, acl, http_access

Topic 210: Network Client Management

2.210.1 DHCP configuration
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 2
Description: The candidate should be able to configure a DHCP server and set default options, create a subnet, and create a dynamically-allocated range. This objective includes adding a static host, setting options for a single host, and adding bootp hosts. Also included is configuring a DHCP relay agent, and reloading the DHCP server after making changes.
Key files, terms, and utilities include: dhcpd.conf, dhcpd.leases

2.210.2 NIS configuration
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 1
Description: The candidate should be able to configure an NIS server and create NIS maps for major configuration files. This objective includes configuring a system as an NIS client, setting up an NIS slave server, and configuring the ability to search local files, DNS, NIS, etc. in nsswitch.conf.
Key files, terms, and utilities include: nisupdate, ypbind, ypcat, ypmatch, ypserv, ypswitch, yppasswd, yppoll, yppush, ypwhich, rpcinfo, nis.conf, nsswitch.conf, ypserv.conf, contents of /etc/nis/: netgroup, nicknames, securenets, Makefile

2.210.3 LDAP configuration
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 1
Description: The candidate should be able to configure an LDAP server.
This objective includes configuring a directory hierarchy, adding groups, hosts, services and other data to the hierarchy. Also included is importing items from LDIF files and adding items with a management tool, as well as adding users to the directory and changing their passwords.
Key files, terms, and utilities include: slapd, slapd.conf

2.210.4 PAM authentication
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 2
Description: The candidate should be able to configure PAM to support authentication via traditional /etc/passwd, shadow passwords, NIS, or LDAP.
Key files, terms, and utilities include: /etc/pam.d, pam.conf

Topic 212: System Security

2.212.2 Configuring a router
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 2
Description: The candidate should be able to configure ipchains and iptables to perform IP masquerading, and state the significance of Network Address Translation and Private Network Addresses in protecting a network. This objective includes configuring port redirection, listing filtering rules, and writing rules that accept or block datagrams based upon source or destination protocol, port and address. Also included is saving and reloading filtering configurations, using settings in /proc/sys/net/ipv4 to respond to DOS attacks, using /proc/sys/net/ipv4/ip_forward to turn IP forwarding on and off, and using tools such as PortSentry to block port scans and vulnerability probes.
Key files, terms, and utilities include: /proc/sys/net/ipv4, /etc/services, ipchains, iptables, routed

2.212.3 Securing FTP servers
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 2
Description: The candidate should be able to configure an anonymous download FTP server.
This objective includes configuring an FTP server to allow anonymous uploads, listing additional precautions to be taken if anonymous uploads are permitted, configuring guest users and groups with chroot jail, and configuring ftpaccess to deny access to named users or groups.
Key files, terms, and utilities include: ftpaccess, ftpusers, ftpgroups, /etc/passwd, chroot

2.212.4 Secure shell (OpenSSH)
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 2
Description: The candidate should be able to configure sshd to allow or deny root logins, enable or disable X forwarding. This objective includes generating server keys, generating a user's public/private key pair, adding a public key to a user's authorized_keys file, and configuring ssh-agent for all users. Candidates should also be able to configure port forwarding to tunnel an application protocol over ssh, configure ssh to support the ssh protocol versions 1 and 2, disable non-root logins during system maintenance, configure trusted clients for ssh logins without a password, and make multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes.
Key files, terms, and utilities include: ssh, sshd, /etc/ssh/sshd_config, ~/.ssh/identity.pub and identity, ~/.ssh/authorized_keys, .shosts, .rhosts

2.212.5 TCP_wrappers
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 1
Description: The candidate should be able to configure tcpwrappers to allow connections to specified servers from only certain hosts or subnets.
Key files, terms, and utilities include: inetd.conf, tcpd, hosts.allow, hosts.deny, xinetd

2.212.6 Security tasks
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 3
Description: The candidate should be able to install and configure kerberos and perform basic security auditing of source code.
This objective includes arranging to receive security alerts from Bugtraq, CERT, CIAC or other sources, being able to test for open mail relays and anonymous FTP servers, and installing and configuring an intrusion detection system such as snort or Tripwire. Candidates should also be able to update the IDS configuration as new vulnerabilities are discovered and apply security patches and bugfixes.
Key files, terms, and utilities include: Tripwire, telnet, nmap

Topic 214: Network Troubleshooting

2.214.7 Troubleshooting network issues
Modified: 2001-August-24   Maintainer: Dimitrios Bogiatzoules   Weight: 1
Description: Candidates should be able to identify and correct common network setup issues, including knowledge of the locations of basic configuration files and commands.
Key files, terms, and utilities include: /sbin/ifconfig, /sbin/route, /bin/netstat, /etc/network or /etc/sysconfig/network-scripts, system log files such as /var/log/syslog and /var/log/messages, /bin/ping, /etc/resolv.conf, /etc/hosts, /etc/hosts.allow and /etc/hosts.deny, /etc/hostname or /etc/HOSTNAME, /sbin/hostname, /usr/sbin/traceroute, /usr/bin/nslookup, /usr/bin/dig, /bin/dmesg, host