
Study Guide for

Advanced Linux Network Administration


Lab work for LPI 202
released under the GFDL by LinuxIT
April 2005

GNU Free Documentation License

Copyright (c) 2005 LinuxIT.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with the Invariant Sections being History, Acknowledgements, with the Front-Cover Texts being "released under the GFDL by LinuxIT".

GNU Free Documentation License
Version 1.2, November 2002

Copyright (C) 2000,2001,2002 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.
A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the
latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.
C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.
O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an
organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.
If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

Introduction:

Acknowledgments

The original material was made available by LinuxIT's technical training centre www.linuxit.com.

The manual is available online at http://savannah.nongnu.org/projects/lpi-manuals/. We would like to thank the Savannah Volunteers for assessing the project and providing us with the Web space.

History

CVS version 0.0 January 2004, Adrian Thomasset <adrian@linuxit.com>.
Reviewed/Updated April 2004, Andrew Meredith <andrew@anvil.org>
Review/Update May 2005, Adrian Thomasset <adriant@linuxit.com>
LinuxIT Technical Education Centre

Contents

Introduction: ... 6
Acknowledgments ... 6
History ... 6

DNS ... 9
1. Using dig and host ... 10
1.1 Non-recursive queries ... 10
2. Basic Bind 8 Configuration ... 12
2.1 The Logging Statement ... 13
2.2 The Options Statement ... 14
2.3 The Zone Statement ... 16
2.4 The Access Control Lists (acl) Statement ... 17
3. Create and Maintain Zone Files ... 18
4. Securing a DNS Server ... 19
4.1 Server Authentication ... 20
4.2 DATA Integrity and Authenticity ... 21

Sendmail ... 24
1. Using Sendmail ... 25
1.1 Configuration Settings ... 25
1.2 Virtual Hosting ... 26
2. Configuring Mailing Lists ... 27
2.1 Majordomo and Sendmail ... 27
3. Managing Mail Traffic ... 30
3.1 Using Procmail ... 30

Web Services ... 32
1. Implementing a Web Server ... 33
1.1 Installing Apache ... 33
1.2 Monitoring apache load ... 33
1.3 Using Apachectl ... 34
1.4 Basic Configuration Options ... 35
1.5 Restricting Client Access ... 37
1.6 Client Basic Authentication ... 38
2. Maintaining a Web Server ... 38
2.1 HTTPS Overview ... 38
2.2 SSL Virtual Hosts ... 39
2.3 Managing Certificates ... 40
2.4 Virtual Hosts ... 41
3. Implementing a Proxy Server ... 43
3.1 Getting Started ... 43
3.2 Access Lists and Access Control ... 43
3.3 Additional Configuration Options ... 45
3.4 Reporting Tools ... 46
3.4 User Authentication (using PAM) ... 48

Network Client Management ... 50
1. DHCP Configuration ... 51
1.1 Default DHCP Configurations ... 51
1.2 Dynamic DNS ... 53
1.3 DHCP Relay ... 55
2. NIS Configuration ... 56
2.1 Master Server Configuration ... 56
2.2 Slave Server Configuration ... 57
2.3 Client Setup ... 57
2.4 Setting up NFS home directories ... 58
2.5 Basic NIS Administration ... 58
3. LDAP Configuration ... 60
3.1 What is ldap ... 60
3.2 OpenLDAP server configuration ... 61
3.3 Client configuration files ... 62
3.4 Migrating System Files to LDAP ... 63
3.5 LDAP Authentication Scheme ... 66
4. PAM Authentication ... 69
4.1 PAM Aware Applications ... 69
4.2 PAM Configuration ... 69

System Security ... 71
1. Iptables/Ipchains ... 72
1.1 The Chains ... 72
1.2 The Tables ... 73
1.3 The Targets ... 74
1.4 Example Rules ... 74
2. Differences with Ipchains ... 75
3. Security Tools ... 77
3.1 SSH ... 77
3.2 LSOF ... 78
3.3 NETSTAT ... 79
3.4 TCPDUMP ... 79
3.5 NMAP ... 82

Exam 202: Detailed Objectives ... 83
Topic 205 Networking Configuration ... 83
Topic 206 Mail & News ... 84
Topic 207 DNS ... 85
Topic 208 Web Services ... 87
Topic 210 Network Client Management ... 88
Topic 212 $!stem $ecurit!............................................................................................................................................. JK
Topic 21B Net"ork Troubleshootin#............................................................................................................................... K1
LinuxIT Technical Education Centre
DNS
__________________________________________________________________
DNS
DNS .......... 9
1. Using dig and host .......... 10
1.1 Non-recursive queries .......... 10
2. Basic Bind 8 Configuration .......... 12
2.1 The Logging Statement .......... 13
2.2 The Options Statement .......... 14
2.3 The Zone Statement .......... 16
2.4 The Access Control Lists (acl) Statement .......... 17
3. Create and Maintain Zone Files .......... 18
4. Securing a DNS Server .......... 19
4.1 Server Authentication .......... 20
4.2 DATA Integrity and Authenticity .......... 21
1. Using dig and host
The bind-utils package (or dnsutils for Debian based systems) provides tools used to
query DNS servers. We will use dig and host to illustrate different types of queries.
1.1 Non-recursive queries
By forcing all queried DNS servers not to perform recursive queries we will discover that
we need to manually follow the thread of information (list of DNS servers for each domain)
in order to get an answer.
For this we need to query a hostname that has not been cached on our local server yet.
QUERY 1
dig +norecursive +nostats www.tldp.org @127.0.0.1
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 0
;; QUESTION SECTION:
;www.tldp.org. IN A

;; AUTHORITY SECTION:
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS B.ROOT-SERVERS.NET.
. 3600000 IN NS C.ROOT-SERVERS.NET.
. 3600000 IN NS D.ROOT-SERVERS.NET.
. 3600000 IN NS E.ROOT-SERVERS.NET.
. 3600000 IN NS F.ROOT-SERVERS.NET.
. 3600000 IN NS G.ROOT-SERVERS.NET.
Result: the local cache does not contain the required information so it queries the root
servers (.) which return alternative DNS servers.
QUERY 2
dig +norecursive +nostats www.tldp.org @L.root-servers.net
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.tldp.org. IN A

;; AUTHORITY SECTION:
org. 172800 IN NS TLD1.ULTRADNS.NET.
org. 172800 IN NS TLD2.ULTRADNS.NET.

;; ADDITIONAL SECTION:
TLD1.ULTRADNS.NET. 172800 IN A 204.74.112.1
TLD2.ULTRADNS.NET. 172800 IN A 204.74.113.1
Result: The root DNS server L.ROOT-SERVERS.NET is queried. This server returns the
names and additional IP addresses for 2 new DNS servers authoritative on the .ORG
domain.
QUERY 3
dig +norecursive +nostats www.tldp.org @tld2.ultradns.net
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;www.tldp.org. IN A

;; AUTHORITY SECTION:
TLDP.ORG. 172800 IN NS NS2.UNC.EDU.
TLDP.ORG. 172800 IN NS NS.UNC.EDU.
Result: Querying one of the .ORG DNS servers we receive the names for two authoritative
DNS servers on the TLDP.ORG domain. The next query should yield an answer!
QUERY 4
dig +norecursive +nostats www.tldp.org @ns.unc.edu
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; ANSWER SECTION:
www.tldp.org. 86400 IN A 152.2.210.81

;; AUTHORITY SECTION:
tldp.org. 86400 IN NS ns.unc.edu.
tldp.org. 86400 IN NS ns2.unc.edu.
tldp.org. 86400 IN NS ncnoc.ncren.net.

;; ADDITIONAL SECTION:
ns.unc.edu. 172800 IN A 152.2.21.1
ns2.unc.edu. 172800 IN A 152.2.253.100
ncnoc.ncren.net. 885 IN A 128.109.193.1
ncnoc.ncren.net. 885 IN A 192.101.21.1
Result: As expected the DNS servers on the TLDP.ORG domain have a record for
www.tldp.org.
NOTICE
The above sequence of queries was necessary only because the host www.tldp.org was not
cached on the local caching server. The dig instruction queried the remote DNS servers without
using the local server. Typing
host www.tldp.org 127.0.0.1
and then
dig +norecursion www.tldp.org @127.0.0.1
would yield an answer since all the information is now cached on the local caching server.
Search NS records for a domain (authoritative DNS servers):
host -t NS tldp.org
tldp.org name server ns2.unc.edu.
tldp.org name server ncnoc.ncren.net.
tldp.org name server ns.unc.edu.
Search MX records for a domain:
host -t MX tldp.org
tldp.org mail is handled by 0 gabber.metalab.unc.edu
Finally, it is possible to see all records with host -a.
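The referral chain walked by hand above, carried out in code as an added example that is not part of the original guide: a small resolver that parses dig-style output and follows NS referrals until an authoritative answer appears. The RESPONSES table is a constructed offline cache of the four responses shown (the root answer is trimmed to two servers), so nothing is sent over the network.

```python
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed offline cache of the responses shown in QUERY 1-4, keyed by
# the lower-cased server that was asked.  A real resolver sends each query
# over the network.  The root answer is trimmed to two of the root servers.
RESPONSES = {
    "127.0.0.1": """\
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
. 3600000 IN NS A.ROOT-SERVERS.NET.
. 3600000 IN NS L.ROOT-SERVERS.NET.
""",
    "l.root-servers.net": """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; AUTHORITY SECTION:
org. 172800 IN NS TLD1.ULTRADNS.NET.
org. 172800 IN NS TLD2.ULTRADNS.NET.
;; ADDITIONAL SECTION:
TLD1.ULTRADNS.NET. 172800 IN A 204.74.112.1
TLD2.ULTRADNS.NET. 172800 IN A 204.74.113.1
""",
    "tld2.ultradns.net": """\
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; AUTHORITY SECTION:
TLDP.ORG. 172800 IN NS NS2.UNC.EDU.
TLDP.ORG. 172800 IN NS NS.UNC.EDU.
""",
    "ns.unc.edu": """\
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; ANSWER SECTION:
www.tldp.org. 86400 IN A 152.2.210.81
;; AUTHORITY SECTION:
tldp.org. 86400 IN NS ns.unc.edu.
;; ADDITIONAL SECTION:
ns.unc.edu. 172800 IN A 152.2.21.1
""",
}

_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

def parse_dig(text):
    """Split dig output into (flags, {section: [Record, ...]})."""
    flags, current = set(), None
    sections = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            current = line[3:].split()[0]          # ANSWER, AUTHORITY, ...
        elif line and not line.startswith(";"):
            m = _RR.match(line)
            if m and current in sections:
                sections[current].append(
                    Record(m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return flags, sections

def next_hop(sections):
    """From a referral pick the first NS we can reach; return (host, glue).
    glue is None when ADDITIONAL carries no A record for it (QUERY 3 above):
    a real resolver must then look up the name server's own address first."""
    glue = {r.name.lower(): r.rdata
            for r in sections["ADDITIONAL"] if r.rtype == "A"}
    for r in sections["AUTHORITY"]:
        host = r.rdata.lower()
        if r.rtype == "NS" and host.rstrip(".") in RESPONSES:
            return host.rstrip("."), glue.get(host)
    return None, None

def resolve(qname, start="127.0.0.1", max_hops=8):
    """Follow NS referrals from `start` until an A answer for qname appears.
    Returns (address, authoritative, hops); hops lists the (server, glue)
    pairs in the order asked.  Loops and dead ends raise RuntimeError."""
    want = qname.lower().rstrip(".") + "."
    server, glue, hops = start.lower(), None, []
    for _ in range(max_hops):
        if any(server == seen for seen, _g in hops):
            raise RuntimeError("referral loop via %s" % server)
        hops.append((server, glue))
        flags, sections = parse_dig(RESPONSES[server])
        for r in sections["ANSWER"]:
            if r.rtype == "A" and r.name.lower() == want:
                return r.rdata, "aa" in flags, hops
        server, glue = next_hop(sections)
        if server is None:
            raise RuntimeError("dead end: no reachable NS in referral")
    raise RuntimeError("gave up after %d referrals" % max_hops)

if __name__ == "__main__":
    addr, aa, path = resolve("www.tldp.org")
    for server, glue in path:
        print("asked %-20s glue=%s" % (server, glue or "none (name only)"))
    print("www.tldp.org ->", addr, "authoritative" if aa else "cached")
```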

2. Basic Bind 8 Configuration
The configuration file for a Bind 8 server is /etc/named.conf. This file has the following
main entries:
Main entries in named.conf
logging    Specify where logs are written to and what needs to be logged
options    Global options are set here (e.g. the path to the zone files)
zone       Defines a zone: the name, the zone file, the server type
acl        Access control list
server     Specific options for remote servers
Let's look at a typical configuration file for a caching only server. We will add entries to it
as we go to create new zones, logging facilities, security, etc.
Skeleton named.conf file:
options {
directory "/var/named";
datasize 100M;
};

zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
2.1 The Logging Statement
The syntax for logging is:
logging {
channel channel_name {
file file_name;
versions number_of_files;
size log_size;
syslog < daemon | auth | syslog | authpriv | local0 -to-
local7 | null >;
severity <critical | error | warning | notice | info | debug
| dynamic > ;
print-category yes_or_no;
print-severity yes_or_no;
print-time yes_or_no;
};
category category_name {
channel_name;
};
The channel defines where logs are sent to (file, syslog or null). If syslog is selected then
the facility and the log level can be specified too.
The category clause defines the type of information sent to a given channel (or list of
channels). If no channel is given then the default logging channels are used:
category default { default_syslog; default_debug; };

Example:
We choose not to use the syslog daemon and log everything to a file called "LOG" that will
be created in the same directory as the zone files (default /var/named/). For this we will
create the channel foo_channel. Next we want to log queries using this channel.
The entry in named.conf will look like this:
logging {
channel foo_channel {
file "LOG";
print-time yes;
print-category yes;
print-severity yes;
};
category "queries" {
"foo_channel";
};
};
Categories such as queries are predefined and listed in the named.conf(5) manpages.
However some of the names have changed since BIND 8, so we include as a reference
the list of categories for BIND 9 below:
BIND 9 Logging Categories
default               Category used when no specific channels (log levels, files ...) have been
                      defined
general               Catch all for messages that haven't been classified below
database              Messages about the internal zone files
security              Approval of requests
config                Processing of the configuration file
resolver              Information about operations performed by clients
xfer-in or xfer-out   Received or sent zone files
notify                Log NOTIFY messages
client                Client activity
update                Zone updates
queries               Client queries
dnssec                DNSSEC transactions
lame-servers          Transactions sent from servers marked as lame-servers

2.2 The Options Statement
The global options for the server are set at the beginning of named.conf. The syntax is:
options {
option1;
option2;
....
};
We next cover the most common options.
version
Manpage says "The version the server should report via the ndc command. The
default is the real version number of this server, but some server operators prefer
the string (surely you must be joking)":
version "surely you must be joking";
directory
The working directory of the server:
directory "/var/named";
fetch-glue (default yes) - obsolete
Prevent the server from resolving NS records (the additional data section). When a record
is not present in the cache BIND can determine which servers are authoritative for the
newly queried domain. This is often used in conjunction with recursion no.
notify (default yes)
Send DNS NOTIFY messages to the slave servers to notify zone changes (helps speed
up convergence)
recursion (default yes)
The server will perform recursive queries when needed
forward (only or first)
The default value is first and causes the server to query the forwarders before attempting
to answer a query itself. If the option is set to only the server will always ask the
forwarders for an answer. This option has to be used with forwarders.
forwarders (list)
List of servers to be used for forwarding. The default is an empty list.
forwarders { 10.0.0.1; 10.0.0.10; };
datasize
Limit the size of the cache:
datasize 512M;
allow-query (list)
A list of hosts or networks that may query the server
allow-recursion (list)
List of hosts that can submit recursive queries
allow-transfer (list)
List of hosts (usually the slaves) who are allowed to do zone transfers
2.3 The Zone Statement
The syntax for a zone entry in named.conf is as follows:
zone domain_name {
type zone_type;
file zone_file;
local_options;
};
We first look at the local_options available. Some of these are the same options with the
same syntax as the global options we have just covered (with some additional ones). The
most common ones are notify, allow-transfer and allow-query. Additional ones are
masters (list of master servers) or dialup.
The domain_name is the name of the domain we want to keep records for. For each
domain name there is usually an additional zone that controls the local in-addr.arpa zone.
The zone_type can either be:
master   the server has a master copy of the zone file
slave    the server has a version of the zone file that was downloaded from a master server
hint     predefined zone containing a list of root servers
stub     similar to a slave server but only keeps the NS records
The zone_file is a path to the file containing the zone records. If the path is not an
absolute path then the path is taken relative to the directory given earlier by the
directory option (usually /var/named).
Example master zone entries, allowing zone transfers to a slave server at 10.1.2.3:
zone "seafront.bar" IN {
type master;
file "seafront.zone";
allow-transfer { 10.1.2.3; };
};
zone "2.1.10.in-addr.arpa" IN {
type master;
file "10.1.2.zone";
allow-transfer { 10.1.2.3; };
};
The next example is the corresponding named.conf zone section for the slave server,
assuming the master has the IP 10.1.2.1:
zone "seafront.bar" IN {
type slave;
masters {10.1.2.1;};
file "slave/seafront.zone";
};
zone "2.1.10.in-addr.arpa" IN {
type slave;
masters {10.1.2.1;};
file "slave/10.1.2.local";
};
2.4 The Access Control Lists (acl) Statement
Rather than use IPs it is possible to group lists of IP addresses or networks and assign a
name to this grouping.
Example acl:
acl internal_net { 10.0.0.0/8; };
There are built-in ACLs as follows:
any         all hosts
none        no host
localhost   all IP addresses for the local interfaces
localnets   networks associated to the localhost interfaces
The Server Statement
This statement is used to assign configuration options for a specific server. For example if
a server is giving bad information it can be marked as bogus. One can also set the keys
associated with a server for host authentication when using DNSSEC (see section 4.
Securing a DNS Server).
3. Create and Maintain Zone Files
The format of the zone files is defined in RFC 1035 and contains resource records (RR)
for the administered domain or sub-domain.
The types of resource records are:
1 - Start Of Authority (SOA) describes the root of the zone
root-name TTL IN SOA name-server email-address (
serial number;
refresh;
retry;
expire;
minimum;
)
The root-name is often replaced with an "@" symbol which resolves to the name of the
zone specified in named.conf.
Example:
</gr_repl
ace>
<gr_replace lines="692-705" cat="reformat" orig="2 S Cecords">
2 - Records defining the name-servers for this domain, NS records
domain-name IN NS name-server
Example:
IN NS ns
NOTICE
1. If the name of the domain is missing then @ is assumed
2. The fully qualified name of the name-server is ns.seafront.bar.. A host name that
doesn't end with a dot will automatically have the domain-name '@' appended to it. Here
for example:
ns becomes ns.seafront.bar.
$TTL 86400
@ 1D IN SOA ns.seafront.bar. root.seafront.bar. (
46 ; serial (d. adams)
1H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
2 S Cecords definin# the name-servers for this domain, N$ records
domain-name IN NS name-server
<xample
IN NS ns
N;T%8<
1J
LinuxI" "echnical (ducation ,entre
!NS
HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
1. %f the name of the domain is missin# then E is assumed
2. The full! 1ualified name of the name-server is ns.seafront.bar.. / host name that
doesn4t end "ith a dot "ill automaticall! have the domain-name 4E4 appended to it. >ere
for example
ns becomes ns.seafront.bar.

3 - Records defining the mail-servers for this domain, MX records
domain-name IN MX PRI mail-server
The PRI entry is a priority number. If several mail-servers are defined for a domain then
the servers with the lowest priority number are used first.
4 - Authoritative information for hosts on the domain, called A records
host-name IN A IP-address
Authority Delegation
5 - When defining the name-servers responsible for another sub-domain additional NS
records are added as well as some glue records which are simple A records resolving the
DNS servers.
Example:
devel.myco.com IN NS ns1.devel.myco.com
ns1 IN A 192.168.21.254
Reverse zone files
6 - Authoritative PTR records, resolving IP addresses
n IN PTR host-name
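The naming rules from the notice above (@ stands for the origin, a name without a trailing dot gets the origin appended, TTL suffixes, the parenthesised SOA) carried out in code, as an added example that is not part of the original guide. The ZONE text and its 'test' delegation are constructed for the example; it goes a little beyond the text by also flagging a delegation whose in-zone name server has no glue A record.

```python
import re

ORIGIN = "seafront.bar."   # normally taken from the zone statement in named.conf

# Constructed zone file built from the record types above; the 'test'
# delegation at the end deliberately lacks its glue A record.
ZONE = """\
$TTL 86400
@ 1D IN SOA ns.seafront.bar. root.seafront.bar. (
        46 ; serial (d. adams)
        1H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
    IN NS ns
    IN MX 10 mail
ns        IN A 10.1.2.1
mail      IN A 10.1.2.2
devel     IN NS ns1.devel
ns1.devel IN A 192.168.21.254
test      IN NS ns1.test
"""

_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
_TYPES = {"SOA", "NS", "MX", "A", "PTR", "CNAME", "TXT"}

def ttl_seconds(value):
    """Expand BIND's TTL suffixes: '15M' -> 900, '1W' -> 604800, '46' -> 46."""
    return sum(int(n) * _UNITS.get(u.upper(), 1)
               for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", value))

def qualify(name, origin):
    """'@' -> origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def _logical_lines(text):
    """Drop ';' comments and join the lines of a '( ... )' group."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf)
            buf = []
            if joined.strip():
                yield joined

def parse_zone(text, origin):
    """Return (records, warnings).  Each record is (owner, ttl, type, rdata)
    with every name fully qualified; warnings list in-zone name servers
    that have no glue A record."""
    default_ttl, owner, records = None, origin, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = ttl_seconds(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = qualify(tokens[1], origin)
            continue
        if not line[0].isspace():             # leading blank = previous owner
            owner = qualify(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens[0] != "IN" and tokens[0] not in _TYPES:
            ttl = ttl_seconds(tokens.pop(0))    # explicit TTL before the class
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = ([qualify(rdata[0], origin), qualify(rdata[1], origin)]
                     + [str(ttl_seconds(v)) for v in rdata[2:]])
        records.append((owner, ttl, rtype, " ".join(rdata)))
    have_a = {r[0] for r in records if r[2] == "A"}
    warnings = ["no glue A record for %s" % r[3]
                for r in records
                if r[2] == "NS" and r[0] != origin
                and r[3].endswith("." + origin) and r[3] not in have_a]
    return records, warnings

if __name__ == "__main__":
    recs, warns = parse_zone(ZONE, ORIGIN)
    for rec in recs:
        print("%-26s %6d IN %-4s %s" % rec)
    for w in warns:
        print("WARNING:", w)
```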
4. Securing a DNS Server
In 1995, following major security flaws discovered in DNS, a new topic called DNSSEC
was started within the IETF. This DNSSEC protocol is described in a sequence of three
draft documents known as RFC2535bis and proposes to handle server authentication as
well as data authenticity.
4.1 Server Authentication
DNSSEC attempts to handle vulnerabilities that occur during unauthorised dynamic
updates as well as spoofed master impersonations. These involve host-to-host
authentications between either a DHCP or a slave server and the master server.
The dnssec-keygen tool is used to generate a host key on the master server that can
then be transferred to a slave server. This authentication mechanism is called TSIG and
stands for Transaction Signature. Another mechanism is SIG0 and is not covered in these
notes.
Master Configuration
1. First generate the host key on the master server called seafront.bar:
dnssec-keygen -a HMAC-MD5 -b 256 -n host seafront.bar.
This will create the following public and private key pair:
Kseafront.bar.+157+49196.key
Kseafront.bar.+157+49196.private
Notice: These keys must NOT be inserted in the zone files (there is an IN KEY
section in the public key that is misleading, looks like a RR).
The public and the private keys are identical: this means that the private key
can be kept in any location. This also means that the public key shouldn't be published.
The content of the Kseafront.bar.+157+49196.key is:
seafront.bar. IN KEY 512 3 157
QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4=
2. In the same directory as the server's named.conf configuration file, create the file
slave.key with the following content:
key "seafront.bar." {
algorithm hmac-md5;
secret "QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4=";
};
3. Apply the following changes in named.conf:
include "/etc/slave.key";
zone "seafront.bar" IN {
type master;
file "seafront.zone";
allow-transfer { key seafront.bar.; };
};
zone "2.1.10.in-addr.arpa" IN {
type master;
file "10.1.2.zone";
allow-transfer { key seafront.bar.; };
};
Slave Configuration
Copy the slave.key file to the slave server in the directory containing named.conf. Add
the following server and include statements to named.conf:
server 10.1.2.1 {          // this is the IP for the master server
keys { seafront.bar.; };
};
include "/etc/slave.key";
Troubleshooting
Restart named on both servers and monitor the logs. Notice that DNSSEC is sensitive to
time stamps so you will need to synchronise the servers (using NTP). Then run the
following command on the master server in the same directory where the dnssec keys
were generated:
dig @10.1.2.1 seafront.bar AXFR -k Kseafront.bar.+157+49196.key
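What the key above is used for, as an added example that is not from the guide: master and slave share the one secret in the .key file, and a transfer request is authenticated by an HMAC-MD5 over the message and a timestamp, which is why the two clocks must agree. The digest layout is simplified from RFC 2845 (not wire compatible), the timestamps and message are constructed, and the key line is the one shown in the text.

```python
import base64
import hashlib
import hmac

# The key file shown above, one line; its base64 part is the shared secret.
KEY_FILE = "seafront.bar. IN KEY 512 3 157 QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4="
FUDGE = 300    # seconds of clock difference tolerated (BIND's default fudge)

def parse_key_file(text):
    """Return (key_name, secret_bytes) from a K<name>.+157+<id>.key line.
    Algorithm number 157 is HMAC-MD5.  The 'IN KEY' look is cosmetic: this
    is a shared secret, not a record to publish in the zone."""
    name, _cls, _type, _flags, _proto, alg, secret = text.split()
    if alg != "157":
        raise ValueError("expected HMAC-MD5 (algorithm 157), got %s" % alg)
    return name.lower(), base64.b64decode(secret)

def tsig_mac(secret, message, key_name, time_signed, fudge):
    """HMAC-MD5 over the message followed by the TSIG variables.  Keeps the
    RFC 2845 order (message, key name, algorithm, time, fudge) but omits the
    class/TTL/error fields, so the digest is illustrative, not wire compatible."""
    variables = (key_name.lower().encode() + b"hmac-md5.sig-alg.reg.int."
                 + time_signed.to_bytes(6, "big") + fudge.to_bytes(2, "big"))
    return hmac.new(secret, message + variables, hashlib.md5).digest()

def sign(secret, key_name, message, now):
    """What the slave attaches to its AXFR request (dig ... -k does this)."""
    now = int(now)
    return {"message": message, "key": key_name, "time": now, "fudge": FUDGE,
            "mac": tsig_mac(secret, message, key_name, now, FUDGE)}

def verify(secret, signed, now):
    """What the master does before honouring allow-transfer { key ...; }.
    Returns (ok, reason): BADSIG for a wrong key or an altered message,
    BADTIME when the clocks differ by more than the fudge."""
    expected = tsig_mac(secret, signed["message"], signed["key"],
                        signed["time"], signed["fudge"])
    if not hmac.compare_digest(expected, signed["mac"]):
        return False, "BADSIG"
    if abs(int(now) - signed["time"]) > signed["fudge"]:
        return False, "BADTIME"
    return True, "NOERROR"

if __name__ == "__main__":
    name, secret = parse_key_file(KEY_FILE)
    request = sign(secret, name, b"seafront.bar. IN AXFR", 1100000000)
    print(verify(secret, request, 1100000010))        # clocks agree
    print(verify(secret, request, 1100000000 + 3600)) # slave clock an hour off
    print(verify(b"wrong secret", request, 1100000010))
```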
4.2 DATA Integrity and Authenticity
This aspect of DNSSEC is above the level of this manual and is simply a summary of the
concepts involved.

Data authenticity may be compromised at different levels. The recognised areas are:
- altered slave zone files
- cache impersonation
- cache poisoning
New RR records
The integrity and authenticity of data is guaranteed by signing the Resource Records using
a private key. These signatures can be verified using a public DNSKEY. Only the validity
of the DNSKEY needs to be established by the parent server or "delegation signer" DS.
So we have the following new RRs in the zone files:
RRSIG    the signature of the RR set
DNSKEY   public key used to verify RRSIGs
DS       the Delegation Signer
Signing Zone Records
These are the basic steps:
1. Create a pair of public/private zone signing keys (ZSK):
dnssec-keygen -a DSA -b 1024 -n zone seafront.bar.
You should get two files such as these:
Kseafront.bar.+003+31173.key
Kseafront.bar.+003+31173.private
2. Insert the public key into the unsigned zone file:
cat Kseafront.bar.+003+31173.key >> seafront.bar
3. Sign the zone file:
dnssec-signzone -o seafront.bar Kseafront.bar.+003+31173
You should see a message such as:
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING                                                         WARNING
WARNING  This version of dnssec-signzone produces zones that are  WARNING
WARNING  incompatible with the forth coming DS based DNSSEC       WARNING
WARNING  standard.                                               WARNING
WARNING                                                         WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
seafront.zone.signed
This is due to the fact that the dnssec-signzone tool doesn't support the -k switch which
would allow the use of a key signing key (KSK) which is then forwarded to a parent
zone to generate a DS record ...
If you want to make use of this signed zone, change the filename in named.conf to
"seafront.bar.signed"
LinuxIT Technical Education Centre
Mail and Lists
__________________________________________________________________
Sendmail
Sendmail .......... 24
1. Using Sendmail .......... 25
1.1 Configuration Settings .......... 25
1.2 Virtual Hosting .......... 26
2. Configuring Mailing Lists .......... 27
2.1 Majordomo and Sendmail .......... 27
3. Managing Mail Traffic .......... 30
3.1 Using Procmail .......... 30
1. Using Sendmail
1.1 Configuration Settings
DNS Settings
1. We first want to make sure that mail will be sent to our machine. We assume that we
have properly configured a domain called seafront.bar with BIND 8 or 9. Let's make
sure that the zone file for this domain has an MX record pointing to our system.
For example if our machine is called test1 and has the IP 192.168.246.12 then we
need the following lines:
seafront.bar. IN MX 10 test1.seafront.bar.
test1.seafront.bar. IN A 192.168.246.12
2. Next we need to make sure that this information is read by the resolvers, so we add the
following at the top of the file /etc/resolv.conf:
nameserver 127.0.0.1
domain seafront.bar
Sendmail Settings
We go into sendmail's main configuration directory /etc/mail. Here we need to do the
following:
1. By default sendmail is configured to listen for connections ONLY on the 127.0.0.1
interface. In order to make sendmail listen to all interfaces we need to comment out the
following line in /etc/mail/sendmail.mc using 'dnl' which stands for "do next line":
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Once this is done run:
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Notice: Make sure /etc/sendmail.cf isn't also there; if it is, delete it.
Restart sendmail and try the following:
telnet test1.seafront.bar 25
Warning: If you get a connection then sendmail is responding. This doesn't mean that
sendmail will deliver mail (relay) for you!
3. To configure sendmail to relay for you, you need to add the IP for your machine to the
/etc/mail/access file:
192.168.246.12 RELAY

4. Finally, we also need to tell sendmail to accept mail for @seafront.bar addresses.
For this, add the domain name to /etc/mail/local-host-names:
seafront.bar
Restart sendmail and send a mail to an existing user. If you have a user tux on the
machine then check the output of the following:
mail -v -s "test seafront domain" tux@seafront.bar < /etc/passwd
1.2 Virtual Hosting
We want the server seafront.bar to accept mail for the city.bar domain. For this
we follow the following steps.
The DNS entries
We need to add an MX record for the city.bar domain. Here is the whole block for clarity:
seafront.bar. IN MX 10 test1.seafront.bar.
city.bar. IN MX 10 test1.seafront.bar.
test1.seafront.bar. IN A 192.168.246.12
Reload the zone file:
rndc reload
Sendmail Settings
1. We need to make sendmail accept mail for users at @city.bar. For this we add the next
line to the local-host-names file:
city.bar
If mail is sent to tux@city.bar and tux is a valid user on test1.seafront.bar then
mail will be delivered to the local user tux.
To avoid this we can use the /etc/mail/virtusertable database.
2. If you want to forward mail onto another account here are example entries for the
virtusertable database:
tux@city.bar    mr.tux@otherdomain.org
@city.bar       administrator
list@city.bar   local-list
Here mail for user tux is diverted to mr.tux@otherdomain.org, the user administrator is the
catchall account, lists are redirected to local lists (this needs to point to a valid list defined
in the aliases).
2. Configuring Mailing Lists
2.1 Majordomo and Sendmail
Download the code from
http://www.greatcircle.com/majordomo/
Source version majordomo-1.94.5.tar.gz
Pre-installation Configuration
1. In the Makefile, replace /bin/perl with the path to the perl binary on your system
(usually /usr/bin/perl):
PERL = /usr/bin/perl
To make things easier we will leave the W_HOME as is:
W_HOME = /usr/test/majordomo-$(VERSION)
You need to create the directory /usr/test:
mkdir /usr/test
Create a group called majordomo with GID 45, and add a user called majordomo with
UID 123:
groupadd -g 45 majordomo
useradd -g 45 -u 123 majordomo
2. In the sample.cf file we need to define our domain (for example seafront.bar). This is
also where the path to the sendmail binary is set:
$whereami = "seafront.bar";
$sendmail_command = "/usr/sbin/sendmail";
Now we can run:
make install
make install-wrapper
Finally you can test the configuration as suggested with the following:
cd /usr/test/majordomo-1.94.5; ./wrapper config-test
If all goes well you will be prompted to register to the majordomo mailing list. Since we do
not have a valid email address, answer NO to the question.
Sendmail Configuration
The sendmail configuration involves adding appropriate entries in /etc/aliases for each
mailing list we create. But before that we need a symbolic link in /etc/smrsh pointing to
the majordomo wrapper binary, and here is why.
In order to limit the number of programs mail can be piped to (using a '| command' instead
of an email address) sendmail defines a set of commands known as "sendmail restricted
shells" or smrsh. The list of restricted shells is contained in /etc/smrsh which are
symbolic links to the actual binaries we allow mail to be piped to.
We will make the wrapper binary available, which is located in /usr/test/majordomo-1.94.5,
with the following:
ln -s /usr/test/majordomo-1.94.5/wrapper /etc/smrsh
Before adding the entries to /etc/aliases we need to decide on a name for our first list,
and we choose ... test.
Remember that before sending mail to the list test@seafront.bar we first need to
subscribe to this list by sending a mail to majordomo@seafront.bar with the contents
subscribe test. Some work needs to be done for this to work.
Creating the list "test" (as documented in NEWLIST)
1. Create an empty file called test and a file containing information about the list called
test.info in the directory /usr/test/majordomo-1.94.5/lists/
2. Create the following aliases in /etc/aliases:
majordomo: "|/usr/test/majordomo-1.94.5/wrapper majordomo"
test: "|/usr/test/majordomo-1.94.5/wrapper resend -l test test-list"
test-list: :include:/usr/test/majordomo-1.94.5/lists/test
test-request: "|/usr/test/majordomo-1.94.5/wrapper request-answer test"
owner-test: tux
test-approval: tux
3. Run newaliases and restart sendmail.
Majordomo Test
Send an email to majordomo@seafront.bar with the content:

subscribe test
If all goes well you will receive a response with further steps to be taken.

3. Managing Mail Traffic
3.1 Using Procmail
In depth information can be found in the procmail, procmailrc and procmailex
manpages. Here are a few examples taken from procmailex(5).
A procmailrc file is a sequence of recipes of the form:
:0 [flags] [ : [locallockfile] ]
<zero or more conditions (one per line)>
<exactly one action line>
The next tables cover the main flags, conditions and actions available.
Flags   Description
H       Egrep the header (default).
B       Egrep the body
E       This recipe only executes if the immediately preceding recipe was not executed.
e       This recipe only executes if the immediately preceding recipe failed
w       Wait for the filter or program to finish and check its exitcode
The conditions are extended regular expressions with the additional conditions below:
Conditions   Description
!            Invert the condition
$            Evaluate the remainder of this condition according to sh(1) substitution rules
             inside double quotes, skip leading whitespace, then reparse it
?            Use the exitcode of the specified program
<            Check if the total length of the mail is shorter than the specified (in decimal)
             number of bytes
>            Check if the total length of the mail is larger than the specified (in decimal)
             number of bytes
A0
LinuxI" "echnical (ducation ,entre
)ail and Lists
HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH
The action line can start "ith one of
/ction line .escription
N 9or"ards to all the specified mail addresses
V $tarts the specified pro#ram
O 9ollo"ed b! at least one space, tab or ne"line "ill mark the start of a
nestin# block
/n!thin#
else
interpret as a mailbox 5file or director! relative to current director! or
2/%L.%C6
(xam#les;
$ort all mail comin# from the lpi-dev mailin# list into the mail folder L(%
:0:
@ ATBC)pi1de*
LPI
9or"ard mails bet"een t"o accounts main.address and the-other.address. This rule is for
the procmailrc on the main address account. Notice the =-Loop header used to prevent
loops
:0 c
@ DAE1Loop: yournameFmain.address
G !ormai) 1/ HE1Loop: yournameFmain.addressH G I
J+9#&7/IL 1oi yournameFthe1other.address
The c option tells procmail to keep a local cop!.
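The matching rules in the tables above, as an added worked example that is not part of the original guide and not procmail's own code: a small Python model of recipe evaluation that parses the two recipes shown, applies the H/B scope, the `!` negation and the `c` flag, and shows why the X-Loop condition stops the forwarded copy from bouncing back and forth. The `^TO_` expansion is an assumed simplification of procmail's macro, and the messages are constructed samples.

```python
import re

# Constructed sample messages: header block, blank line, body.
LIST_MAIL = (
    "From: alice@example.org\n"
    "To: lpi-dev@example.org\n"
    "Subject: patch review\n"
    "\n"
    "body text\n"
)
PLAIN_MAIL = (
    "From: bob@example.org\n"
    "To: yourname@main.address\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)
# The same message after it has already been through the forwarding recipe once.
LOOPED_MAIL = (
    "From: bob@example.org\n"
    "To: yourname@main.address\n"
    "X-Loop: yourname@main.address\n"
    "Subject: hello\n"
    "\n"
    "body text\n"
)

# The two recipes shown in this section, as recipe text.
LIST_RECIPE = ":0:\n* ^TO_lpi-dev\nLPI\n"
FORWARD_RECIPE = (
    ":0 c\n"
    "* !^X-Loop: yourname@main.address\n"
    '| formail -A "X-Loop: yourname@main.address" | $SENDMAIL -oi yourname@the-other.address\n'
)

# Assumed simplification of procmail's ^TO_ shorthand: a recipient header
# followed by the address.  The real macro covers a few more header names.
TO_MACRO = r"^(?:To|Cc|Bcc|Resent-To|Resent-Cc):.*\b"


def parse_recipe(text):
    """Split one recipe into flags, lockfile marker, conditions and its single action."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    first = lines[0]
    if not first.startswith(":0"):
        raise ValueError("a recipe starts with :0")
    rest = first[2:]                       # e.g. " c", ":" or "Bc:"
    flag_part = rest.partition(":")[0]
    flags = {ch for ch in flag_part if ch.isalpha()}
    conditions = [line[1:].strip() for line in lines[1:] if line.startswith("*")]
    actions = [line.strip() for line in lines[1:] if not line.startswith("*")]
    if len(actions) != 1:
        raise ValueError("exactly one action line expected")
    return {"flags": flags, "lockfile": ":" in rest,
            "conditions": conditions, "action": actions[0]}


def condition_holds(condition, headers, body, flags):
    """Evaluate one '*' condition: a case-insensitive regexp, '!' inverts it."""
    negate = condition.startswith("!")
    pattern = condition[1:].strip() if negate else condition
    if pattern.startswith("^TO_"):
        pattern = TO_MACRO + pattern[len("^TO_"):]
    # H (the default) greps the header, B the body, HB both.
    target = ""
    if "H" in flags or "B" not in flags:
        target += headers + "\n"
    if "B" in flags:
        target += body
    found = re.search(pattern, target, re.MULTILINE | re.IGNORECASE) is not None
    return found != negate


def deliver(recipes, message):
    """Return the actions taken, in order. '$DEFAULT' stands for the normal mailbox.

    A matching recipe without the c flag ends delivery; with c (carbon copy)
    procmail performs the action and keeps going with the next recipe.
    """
    headers, _, body = message.partition("\n\n")
    taken = []
    for recipe in (parse_recipe(r) for r in recipes):
        if all(condition_holds(c, headers, body, recipe["flags"]) for c in recipe["conditions"]):
            taken.append(recipe["action"])
            if "c" not in recipe["flags"]:
                return taken
    taken.append("$DEFAULT")
    return taken


if __name__ == "__main__":
    for name, mail in (("list", LIST_MAIL), ("plain", PLAIN_MAIL), ("looped", LOOPED_MAIL)):
        print(name, "->", deliver([LIST_RECIPE, FORWARD_RECIPE], mail))
```

The looped message is the one that would arrive back from the-other.address if that account forwarded with the same recipe: because the X-Loop header is already present, the negated condition fails and the copy is simply delivered locally instead of being sent out again.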
Web Services

Web Services
1. Implementing a Web Server
1.1 Installing Apache
1.2 Monitoring apache load
1.3 Using Apachectl
1.4 Basic Configuration Options
1.5 Restricting Client Access
1.6 Client Basic Authentication
2. Maintaining a Web Server
2.1 HTTPS Overview
2.2 SSL Virtual Hosts
2.3 Managing Certificates
2.4 Virtual Hosts
3. Implementing a Proxy Server
3.1 Getting Started
3.2 Access Lists and Access Control
3.3 Additional Configuration Options
3.4 Reporting Tools
3.5 User Authentication (using PAM)
1. Implementing a Web Server
1.1 Installing Apache
The apache source code can be downloaded from www.apache.org.
There are two versions of the apache server: 1.3 and 2.0.
The configure script allows us to customise the installation. In particular we can choose which modules we want to compile etc. Modules can either be
- statically compiled with
--enable-MODULE (where MODULE is the Module Identifier) or
--enable-modules=MOD1 MOD2 ...
- dynamically compiled with
--enable-mods-shared=MOD1 MOD2 ...
- disabled with
--disable-MODULE
Task: Download the source code for apache 1.3 (apache_1.3.29.tar.gz) and compile support for mod_php and mod_perl
1.2 Monitoring apache load
SNMP
Create a read-only SNMP community and restart the snmpd daemon
/etc/snmp/snmp.conf
rocommunity lifesavers
Restart the snmpd service
/etc/init.d/snmpd restart
Check that you can browse information about your system using the community name lifesavers
snmpwalk -v 1 -c lifesavers localhost ip
MRTG
MRTG stands for "multi-router traffic grapher" and uses SNMP to get information about the system.
cfgmaker --output=/etc/mrtg/seafront.cfg \
  --ifref=ip --global "workdir: /var/www/mrtg/stats" \
  lifesavers@localhost
This will create a file called /etc/mrtg/seafront.cfg. We next update the information in /var/www/mrtg/stats with the following command
mkdir /var/www/mrtg/stats
mrtg /etc/mrtg/seafront.cfg

This should be run at regular intervals so it should be run through a cron job.
Task: The graphical output for MRTG will be saved in /var/www/mrtg/stats as an HTML document. This is not a usual place to keep files for the apache server. After the next section, we will make the appropriate changes to httpd.conf to make this directory accessible through the webserver.
Many other tools are available such as Webalizer which analyse the access logs of the apache server (we will configure this tool for squid).
1.3 Using Apachectl
The apachectl script is used to control the httpd daemon. It takes the following options
apachectl option  Description (extract from apachectl(8))
start             Start the Apache httpd daemon. Gives an error if it is already running. This is equivalent to apachectl -k start
stop              Stops the Apache httpd daemon. This is equivalent to apachectl -k stop
restart           Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die. This is equivalent to apachectl -k restart
fullstatus        Displays a full status report from mod_status. For this to work, you need to have mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
status            Displays a brief status report. Similar to the fullstatus option, except that the list of requests currently being served is omitted
graceful          Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted. This is equivalent to apachectl -k graceful
configtest        Run a configuration file syntax test. It parses the configuration files and either reports Syntax Ok or detailed information about the particular syntax error. This is equivalent to apachectl -t
1.4 Basic Configuration Options
Section 1: General Options
KeepAlive on/off          Allows a client to perform multiple requests through a single connection
MaxKeepAliveRequests 100  Maximum number of requests during a persistent connection
KeepAliveTimeout 15       Number of seconds to wait for a next request on the same connection
Single Threaded Server
The httpd daemon is a single threaded process which needs to fork child daemons to deal with multiple connections; only with apache2 is it possible to build a multi threaded server.
StartServers 8            Number of httpd servers to start
MinSpareServers 5         Minimum number of spare servers to keep loaded in memory
MaxSpareServers 20        Maximum number of spare servers to keep loaded in memory
MaxClients 150            Maximum number of server processes allowed at any one time
MaxRequestsPerChild 1000  Maximum number of requests before a child is "retired"
Multi Threaded Server
Options available only for apache2 and onwards. You need to recompile apache to enable threads. Most current apache2 binary distributions are still single threaded because of conflicts with most dynamic modules which don't support multi threading yet.
StartServers 2            Notice that this is much lower than for the single threaded server
MinSpareThreads 25        Minimum number of spare threads
MaxSpareThreads 75        Maximum number of spare threads
ThreadsPerChild 25        Number of worker threads per child
MaxClients 150            Maximum number of server processes allowed at any one time
MaxRequestsPerChild 0     Never retires
Listen 80                 Specify which port to listen on. Can be of the form IP:port
LoadModule MODULE_IDENTIFIER /PATH-TO/MODULE  Section where dynamic modules are loaded
Include FILE              Read extra configuration options from FILE. Apache2 has a conf.d directory for this
Section 2: Server Configuration
ServerName                The name of the server (can be different)
User                      Name of the user the server runs as
Group                     Name of the group the server runs as
DocumentRoot              The directory where the HTML files are kept
<Directory>               Specify options (access control, ...) for directories containing HTML files
Alias                     URL alias for a given directory
ScriptAlias               Same as the "Alias" option but for directories containing CGI scripts
DirectoryIndex            Set the name of the file which will be used as an index
Section 3: Virtual Hosts
We will cover virtual hosts when configuring SSL servers later in this chapter. For now we distinguish two concepts:
<VirtualHost IP:PORT>        IP based virtual host
<VirtualHost HOSTNAME:PORT>  Name based virtual host
1.5 Restricting Client Access
Host based control is available using the keywords Order, Deny from and Allow from on directories
<Directory PATH-TO-DIRECTORY> ... </Directory>
or locations
<Location URL> ... </Location>
The next configuration paragraph will allow anybody to access the directory /var/www/safe except the host with IP 192.168.3.101
<Directory /var/www/safe>
Order allow,deny
Deny from 192.168.3.101
Allow from all
</Directory>
Alias /safe /var/www/safe
Notice: The Order keyword is important. If we reverse the above order to Order deny,allow then the following would happen: host 192.168.3.101 would first be denied
access because of the Deny rule but the Allow rule is read last and will subsequently grant it access. The default access is given by the last argument in the Order directive, i.e. "Order allow,deny" has a default of "deny".
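To make the Order semantics concrete, here is an added Python model (not Apache's code and not part of the original guide) of how mod_access evaluates `Order allow,deny` versus `Order deny,allow`, run against the <Directory /var/www/safe> block above. Host-name arguments are not modelled, and the client addresses are constructed for the illustration.

```python
import ipaddress


def host_matches(spec, client_ip):
    """Does one 'Allow from' / 'Deny from' argument cover client_ip?

    Forms handled: 'all', a full address, a network in CIDR or dotted-netmask
    form, and a partial dotted prefix such as '192.168.3'.  Host-name
    arguments (which need a reverse lookup) are deliberately not modelled.
    """
    if spec == "all":
        return True
    if "/" in spec:
        return client_ip in ipaddress.ip_network(spec, strict=False)
    if spec.count(".") == 3:
        return client_ip == ipaddress.ip_address(spec)
    return str(client_ip).startswith(spec.rstrip(".") + ".")


def access_decision(order, allow_from, deny_from, client):
    """Model of mod_access evaluation (added example; not Apache's own code).

    The last word of the Order directive is the default, applied when the
    client matches neither list.  With allow,deny a client matched by both
    lists is denied; with deny,allow such a client is allowed.
    """
    client_ip = ipaddress.ip_address(client)
    on_allow_list = any(host_matches(s, client_ip) for s in allow_from)
    on_deny_list = any(host_matches(s, client_ip) for s in deny_from)
    if order == "allow,deny":
        return on_allow_list and not on_deny_list      # default: deny
    if order == "deny,allow":
        return on_allow_list or not on_deny_list       # default: allow
    raise ValueError("unsupported Order value: " + order)


def compare_orders(allow_from, deny_from, clients):
    """Map each client to (result under allow,deny, result under deny,allow)."""
    return {
        c: (access_decision("allow,deny", allow_from, deny_from, c),
            access_decision("deny,allow", allow_from, deny_from, c))
        for c in clients
    }


if __name__ == "__main__":
    # The <Directory /var/www/safe> block above: Allow from all, Deny from 192.168.3.101.
    # Client addresses are constructed for the illustration.
    results = compare_orders(["all"], ["192.168.3.101"], ["192.168.3.101", "192.168.3.50"])
    for client, (allow_deny, deny_allow) in results.items():
        print("%-15s Order allow,deny: %-7s Order deny,allow: %s" % (
            client, "granted" if allow_deny else "denied", "granted" if deny_allow else "denied"))
```

Running it shows the trap described above: under `Order deny,allow` the blocked host is granted access because `Allow from all` is evaluated last, while `Order allow,deny` gives the intended result.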
1.6 Client Basic Authentication
The htpasswd tool is used to create passwords for users. For example, we create a new file in the ServerRoot directory called passwords-for-directory1 with a password for user gnu
htpasswd -c passwords-for-directory1 gnu
If we choose to implement client authentication for the directory /var/www/html/seafront we need to add the following paragraph to httpd.conf
<Directory /var/www/html/seafront>
AuthType basic
AuthName "protected site"
AuthUserFile conf/seafront.passwd
Require user gnu
</Directory>
Notice: Alternatively, with httpd2 configurations we could create a file called seafront.conf with the above content and save it in the /etc/httpd/conf.d directory.
Reread the configuration file with
apachectl graceful

2. Maintaining a Web Server

2.1 HTTPS Overview
The secure socket layer protocol SSL allows any networked application to use encryption. This can be thought of as a process which wraps the socket, preparing it to use encryption at the application level.
In the case of HTTPS, the server uses a pair of keys, public and private. The server's public key is used by the client to encrypt the session key; the private key is then used to decrypt the session key for use.
The public key is published using certificates. A certificate contains the following information:
- Name and Address, Hostname, etc.
- Public Key
- TTL
- (optional) ID + Signature from a certificate authority (CA)
The certificate will be used to establish the authenticity of the server. A valid signature from a known CA is automatically recognised by the client's browser. With Mozilla for example these trusted CA certificates can be found by following the links Edit -> Preferences -> Privacy & Security -> Certificates then clicking on the "Manage Certificates" button and the Authorities tab.
[Figure: SSL handshake between client and server]
1. Start SSL Handshake
2. Send Certificate
3. Send encrypted session key
4. Encrypt HTTP session with session key
On the other hand communications would be too slow if the session was encrypted using public key encryption. Instead, once the authenticity of the server is established, the client generates a unique secret session key which is encrypted using the server's public key found in the certificate. Once the server receives this session key it can decrypt it using the private key associated with the certificate. From there on the communication is encrypted and decrypted using this secret session key generated by the client.
2.2 SSL Virtual Hosts
A separate apache server can be used to listen on port 443 and implement SSL connections. However most default configurations involve a single apache server listening on both ports 80 and 443.
For this an additional Listen directive is set in httpd.conf asking the server to listen on port 443. Apache will then bind to both ports 443 and 80. Non encrypted connections are handled on port 80 while an SSL aware virtual host is configured to listen on port 443
<VirtualHost _default_:443>
SSL CONFIGURATION
</VirtualHost>
The SSL CONFIGURATION lines are
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile PATH_TO_FILE.crt
SSLCertificateKeyFile PATH_TO_FILE.key
We need to generate the server's private key (FILE.key) and certificate (FILE.crt) to complete this configuration.
2.3 Managing Certificates
The keys and certificates are usually kept in subdirectories of /etc/httpd/conf called ssl.crt and ssl.key.
There should also be a Makefile that will generate both a KEY and a CERTIFICATE in PEM format, which is base64 encoded data.
Using the Makefile
For example if we want to generate a self-signed certificate and private key simply type
make mysite.crt
The Makefile will generate both files mysite.key (the private key) as well as mysite.crt (the certificate file containing the public key). You can use the following directives in httpd.conf
SSLCertificateFile ... mysite.crt
SSLCertificateKeyFile ... mysite.key
Certificate Requests
On a production server you would need to generate a new file called a "certificate request"
with
openssl req -new -key mysite.key -out mysite.csr
This file can be sent to a certificate authority (CA) to be signed. The certificate authority will send back the signed certificate.
Pass Phrases
A private key can be generated with or without a passphrase, and a private key without a passphrase can be constructed from an existing private key.
A passphrased file: If a private key has a passphrase set then the file starts with
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC, ---- snip ----
.....
This means that the file is protected by a pass-phrase using 3DES. This was generated by the line
/usr/bin/openssl genrsa -des3 1024 > $@
in the Makefile. If the -des3 flag is omitted NO passphrase is set.
You can generate a new private key (mysite-nopass.key) without a passphrase from the old private key (mysite.key) as follows
openssl rsa -in mysite.key -out mysite-nopass.key
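An added check, not from the original guide, that reads the PEM headers described above to tell a passphrase-protected key from an unprotected one, so that the keys under ssl.key can be audited without opening each file by hand. The key texts below are constructed placeholders, not real keys.

```python
# Constructed PEM fragments: the base64 bodies are placeholders, not real keys.
ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

placeholderbase64data==
-----END RSA PRIVATE KEY-----
"""
PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
placeholderbase64data==
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED_KEY = """-----BEGIN ENCRYPTED PRIVATE KEY-----
placeholderbase64data==
-----END ENCRYPTED PRIVATE KEY-----
"""


def key_protection(pem_text):
    """Classify a PEM private key.

    Returns ('passphrase', cipher) for a traditional key carrying the
    Proc-Type: 4,ENCRYPTED / DEK-Info headers shown above, ('passphrase', 'PKCS#8')
    for the newer ENCRYPTED PRIVATE KEY envelope, ('none', None) for an
    unprotected key and ('not-a-key', None) for anything else.
    """
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return ("not-a-key", None)
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return ("passphrase", "PKCS#8")
    # Traditional PEM: optional "Name: value" headers, then a blank line, then base64.
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    if headers.get("Proc-Type", "").endswith("ENCRYPTED"):
        cipher = headers.get("DEK-Info", "").split(",", 1)[0].strip()
        return ("passphrase", cipher or "unknown")
    return ("none", None)


def unprotected_keys(files):
    """files maps a path to its PEM text; returns the paths holding keys without a passphrase."""
    return sorted(path for path, text in files.items() if key_protection(text)[0] == "none")


if __name__ == "__main__":
    sample = {"ssl.key/mysite.key": ENCRYPTED_KEY, "ssl.key/mysite-nopass.key": PLAIN_KEY}
    for path, text in sample.items():
        print(path, key_protection(text))
    print("unprotected:", unprotected_keys(sample))
```

A key without a passphrase is what lets httpd start unattended, but then the file's permissions are the only thing protecting it, so such keys should be readable by root only.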
2.4 Virtual Hosts
Name based virtual hosts
We will first discuss the situation where only one IP has been assigned to the server but there are several A records or CNAME records pointing to the same IP.
Task 1: Modify the zone files to include a new CNAME record for test1.seafront.bar to point to the actual name of the web server.
e.g.
test1.seafront.bar. IN CNAME www.seafront.bar.
www IN A 192.x.x.x
In httpd.conf it will be enough to create the following
<VirtualHost test1.seafront.bar:80>
ServerAdmin webmaster@seafront.bar
DocumentRoot /var/www/html/test1
ServerName test1.seafront.bar
</VirtualHost>
Task 2: Create an SSL aware VirtualHost for test1
- make the certificate and the key: make test1.seafront.bar.crt
- add these lines to httpd.conf
<VirtualHost 192.168.3.200:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/test1.seafront.bar.crt
SSLCertificateKeyFile /etc/httpd/conf/test1.seafront.bar.key
ServerAdmin webmaster@seafront.bar
DocumentRoot /var/www/html/test1
ServerName test1.seafront.bar
</VirtualHost>
Notice that the certificate that is presented once you connect to the https://test1 site is incorrect. This is because test1.seafront.bar resolves to the server's IP address and the server will start the SSL handshake before looking at the HTTP request. The next section will fix that.
IP Based Virtual Hosts
We will directly create a series of virtual SSL aware hosts and verify that they present the client with the correct certificate.
Task: Assign new IP addresses to the eth0 interface: ifconfig eth0:0 X.X.X.X
For each IP enter a new A record: www1 IN A X.X.X.X
For each host create a self signed certificate
Enter a <VirtualHost X.X.X.X:443> paragraph in httpd.conf
Notice: You may have to change the existing SSL virtual host from
<VirtualHost _default_:443>
to
<VirtualHost 127.0.0.1:443>
This prevents the default host certificate from being presented irrespective of the site hostname.
Test that https://www1 and https://www2 do present the proper certificates.
Notice that if you permanently accept a certificate it will be added to the list of CA certificates on your browser!
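Why the wrong certificate appears, as an added Python model (not Apache's code and not part of the original guide) of how the <VirtualHost> for an SSL connection is chosen: by the socket's IP address and port, before any Host header exists. The addresses, host names and certificate file names are constructed for the lab layout of this chapter.

```python
from dataclasses import dataclass


@dataclass
class SSLVHost:
    """One <VirtualHost ADDRESS:PORT> block with its ServerName and SSLCertificateFile."""
    address: str        # "192.168.3.200:443" or "_default_:443"
    server_name: str
    certificate: str

    @property
    def ip(self):
        return self.address.rsplit(":", 1)[0]

    @property
    def port(self):
        return int(self.address.rsplit(":", 1)[1])


def select_ssl_vhost(vhosts, connected_ip, port=443):
    """Pick the block whose certificate is sent in the SSL handshake.

    At that moment only the local socket address is known (the Host header
    arrives later, inside the encrypted session), so the choice is by IP:port:
    the first block defined on that address wins, then _default_:port.
    None means no SSL vhost applies (the main server config is used).
    """
    exact = [v for v in vhosts if v.ip == connected_ip and v.port == port]
    if exact:
        return exact[0]
    default = [v for v in vhosts if v.ip == "_default_" and v.port == port]
    return default[0] if default else None


def certificate_for(vhosts, hostname, resolve, port=443):
    """Certificate file the browser sees for https://hostname/ (None if no SSL vhost)."""
    chosen = select_ssl_vhost(vhosts, resolve[hostname], port)
    return chosen.certificate if chosen else None


def certificate_mismatches(vhosts, resolve, port=443):
    """Host names whose presented certificate belongs to a different ServerName."""
    bad = []
    for hostname in resolve:
        chosen = select_ssl_vhost(vhosts, resolve[hostname], port)
        if chosen is not None and chosen.server_name != hostname:
            bad.append(hostname)
    return bad


def restrict_default(vhosts, to_ip="127.0.0.1"):
    """Rewrite _default_ to a concrete address, as the notice above suggests."""
    return [SSLVHost(to_ip + ":" + str(v.port), v.server_name, v.certificate)
            if v.ip == "_default_" else v for v in vhosts]


# Constructed lab layout (addresses, names and file names are assumptions).
RESOLVE = {
    "www.seafront.bar": "192.168.3.200",
    "test1.seafront.bar": "192.168.3.200",   # CNAME to www: same IP
    "www1.seafront.bar": "192.168.3.201",
    "www2.seafront.bar": "192.168.3.202",
}

# Two SSL hosts sharing one address: only a name tells them apart.
SHARED_IP = [
    SSLVHost("192.168.3.200:443", "www.seafront.bar", "www.seafront.bar.crt"),
    SSLVHost("192.168.3.200:443", "test1.seafront.bar", "test1.seafront.bar.crt"),
]

# IP based SSL hosts plus a catch-all default.
IP_BASED = [
    SSLVHost("_default_:443", "www.seafront.bar", "www.seafront.bar.crt"),
    SSLVHost("192.168.3.201:443", "www1.seafront.bar", "www1.seafront.bar.crt"),
    SSLVHost("192.168.3.202:443", "www2.seafront.bar", "www2.seafront.bar.crt"),
]

if __name__ == "__main__":
    for name in RESOLVE:
        print("%-20s shared IP -> %-22s IP based -> %s" % (
            name, certificate_for(SHARED_IP, name, RESOLVE), certificate_for(IP_BASED, name, RESOLVE)))
    print("mismatches (shared IP):", certificate_mismatches(SHARED_IP, RESOLVE))
```

Giving every SSL host its own address, as the IP based task does, removes the mismatch; replacing `_default_` with 127.0.0.1 stops the default certificate from answering for addresses that have no SSL host of their own.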
3. Implementing a Proxy Server
3.1 Getting Started
You can verify that the squid proxy server is installed using
rpm -q squid
Most versions will install the /etc/init.d/squid rc-script that creates the initial caching directories. If this is not the case squid can initialise these cache directories with the -z switch.
squid -z
NOTICE
You may need to add an access rule in the squid configuration file before being able to rebuild the cache (see the next section "Access Lists and Access Control")
The configuration file is /etc/squid/squid.conf. The syntax of this file can be checked using the -k switch
squid -k check
As with most network services the /etc/init.d/squid rc-script is used to start the service.

3.2 Access Lists and Access Control
Access Lists (acl)
In squid.conf the access lists have the following format
acl aclname acltype string/file
In the most simple cases an acl defines a list of hosts, networks or domains and is given a name. This list can then be granted or denied access using the access control command http_access described in the next paragraph.

The next line defines an access list name called localnet corresponding to the local LAN
acl localnet src 192.168.2.0/255.255.255.0
The main ACL types are listed below
acltype    description
src        IP/netmask or IP1-IP2/netmask (client's IP address)
dst        IP/network (URL requested)
arp        MAC address
srcdomain  .example.com (client addresses)
dstdomain  .example.com (URLs requested)
time       range of times
port       space separated list of ports or range of the form p1-p2
Access control (http_access)
With http_access a particular access list is either allowed or denied access via the proxy. The format is as follows
http_access allow|deny aclname

The http_access requests are read in sequence and the first rule matched is used. To allow access to all computers on the network insert the following before the http_access deny all line

http_access allow localnet
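The first-match rule for http_access, as an added Python model (not Squid's code and not part of the original guide): it parses a constructed squid.conf fragment with acl and http_access lines, evaluates a request against the lines in order, applies Squid's documented "opposite of the last line" default when nothing matches, and flags lines that sit after a catch-all and can never be reached. Only the src, port and dstdomain acl types are modelled.

```python
import ipaddress

# Constructed squid.conf fragment holding only the directives modelled here.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.2.0/255.255.255.0
acl blocked dstdomain .ads.example
http_access deny blocked
http_access allow localnet
http_access deny all
"""


def parse_squid_conf(text):
    """Return (acls, rules): acls maps name -> (type, values); rules keeps http_access order."""
    acls, rules = {}, []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) >= 4 and words[0] == "acl":
            acls.setdefault(words[1], (words[2], []))[1].extend(words[3:])
        elif len(words) >= 3 and words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def port_in(port, spec):
    """A single port '80' or a range 'p1-p2'."""
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return port == int(spec)


def acl_matches(acl, request):
    """request: {'src': client IP, 'port': destination port, 'host': destination host}."""
    acl_type, values = acl
    if acl_type == "src":
        ip = ipaddress.ip_address(request["src"])
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        return any(port_in(request["port"], v) for v in values)
    if acl_type == "dstdomain":
        host = request["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v))
                   for v in values)
    raise ValueError("acl type not modelled: " + acl_type)


def http_access(acls, rules, request):
    """First http_access line whose ACLs all match decides (a '!' prefix negates one ACL).

    When no line matches, Squid applies the opposite of the last line; with no
    lines at all this model denies (squid.conf's documented default: deny all).
    """
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], request) != n.startswith("!") for n in names):
            return action == "allow"
    if not rules:
        return False
    return rules[-1][0] != "allow"


def unreachable_rules(acls, rules):
    """Indexes of http_access lines after the first line that matches every client."""
    for i, (_, names) in enumerate(rules):
        catch_all = all(
            not n.startswith("!") and acls[n][0] == "src"
            and any(ipaddress.ip_network(v, strict=False).prefixlen == 0 for v in acls[n][1])
            for n in names)
        if catch_all:
            return list(range(i + 1, len(rules)))
    return []


if __name__ == "__main__":
    acls, rules = parse_squid_conf(SQUID_CONF)
    for req in ({"src": "192.168.2.15", "port": 80, "host": "www.example.org"},
                {"src": "10.0.0.5", "port": 80, "host": "www.example.org"},
                {"src": "192.168.2.15", "port": 80, "host": "banner.ads.example"}):
        print(req["src"], req["host"], "->", "allow" if http_access(acls, rules, req) else "deny")
    print("unreachable lines:", unreachable_rules(acls, rules))
```

Swapping the last two lines of the fragment (deny all before allow localnet) makes `unreachable_rules` report the allow line and turns every LAN request into a deny, which is the mistake the sentence above warns against.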
3.3 Additional Configuration Options
The following table is a list of additional options available to further control the squid proxy.
Option                         Description
http_port                      the port squid uses to listen for requests (default 3128)
cache_peer                     specify another proxy server to query whenever an object isn't cached
cache_mem                      limit the amount of additional memory used to cache objects (this parameter doesn't limit the maximum process size)
cache_swap_low                 percentage of swap utilisation. Once this limit is passed objects start to be cached to disk
cache_swap_high                percentage of swap utilisation. Once this limit is approached objects start getting evicted from the proxy cache
maximum_object_size            objects larger than this will not be cached
maximum_object_size_in_memory  objects larger than this will not be kept in the memory cache
Memory Management (from the SQUID FAQ section 8)
"This version of SQUID stores incoming objects only in memory, until the transfer is complete. At that point it decides whether or not to store the object on disk. This means that when users download large files, your memory usage will increase significantly. The squid.conf parameter maximum_object_size determines how much memory an in-transit object can consume before we mark it as uncachable. When an object is marked uncachable, there is no need to keep all of the object in memory, so the memory is freed for the part of the object which has already been written to the client. In other words, lowering maximum_object_size also lowers Squid-1.1 memory usage."
"If your cache performance is suffering because of memory limitations, you might consider buying more memory. But if that is not an option, there are a number of things to try:
- Try a different malloc library (compile SQUID with a different malloc)
- Reduce the cache_mem parameter in the config file. This controls how many ``hot'' objects are kept in memory. Reducing this parameter will not significantly affect performance, but you may receive some warnings in cache.log if your cache is busy
- Turn the memory_pools off in the config file. This causes Squid to give up unused memory by calling free() instead of holding on to the chunk for potential, future use.
- Reduce the cache_swap parameter in your config file. This will reduce the number of objects Squid keeps. Your overall hit ratio may go down a little, but your cache will perform significantly better
- Reduce the maximum_object_size parameter (Squid-1.1 only). You won't be able to cache the larger objects, and your byte volume hit ratio may go down, but Squid will perform better overall"
3.4 Reporting Tools
Most log analysis tools available for squid are listed on the following site:
http://www.squid-cache.org/Scripts/
The main logfile for squid is the /var/log/squid/access.log file. Next is a short overview of calamaris and webalizer. Also notice that webmin produces log reports based on calamaris.
Cachemgr.cgi script
The current squid package installs a CGI script in /usr/lib/squid called cachemgr.cgi. One can copy this across to the /var/www/cgi-bin directory where all CGI scripts can run from. It is recommended however to set up a separate directory with htaccess authentication.
Calamaris
The code is GPL and can be downloaded from http://cord.de/tools/squid/calamaris. You can generate reports as follows
cat /var/log/squid/access.log | calamaris
# Summary
lines parsed: 221
invalid lines: 0
parse time (sec): 0
# Incoming requests by method
method                            request      %     Byte      %  sec  kB/sec
--------------------------------- --------- ------ -------- ------ ---- -------
GET                                     221 100.00  1244262 100.00    5    1.68
--------------------------------- --------- ------ -------- ------ ---- -------
Sum                                     221 100.00  1244262 100.00    5    1.68
# Incoming UDP-requests by status
no matching requests
# Incoming TCP-requests by status
status                            request      %     Byte      %  sec  kB/sec
--------------------------------- --------- ------ -------- ------ ---- -------
HIT                                      55  15.84    42514   5.40    0    6.11
MISS                                    182  82.55  1149840  96.28    1    4.98
ERROR                                     4   1.81     4108   0.55  120    0.01
--------------------------------- --------- ------ -------- ------ ---- -------
Sum                                     221 100.00  1244262 100.00    5    1.68

In order to get information on webpage requests per host one can use the -R switch
There are many more switches available (check the manpages for calamaris).
There are also a number of scripts that can run hourly or monthly reports. These scripts are included in the EXAMPLES file distributed with calamaris.
calamaris -R 5 /var/log/squid/access.log
# Incoming TCP-requests by host
host / target                     request  hit-%     Byte  hit-%  sec  kB/sec
--------------------------------- --------- ------ -------- ------ ---- -------
192.168.2.103                            72   0.00   323336   0.00    0   10.24
  *.redhat.com                           35   0.00   126726   0.00    0   10.44
  *.suse.co.uk                           20   0.00    63503   0.00    0   13.15
  *.lemonde.fr                            6   0.00   109712   0.00    1   16.39
  207.36.15.*                             5   0.00     8946   0.00    0    3.94
  *.akamai.net                            4   0.00    12428   0.00    1    4.43
  other: 2 requested urlhosts             2   0.00     2021   0.00    1    0.71
192.168.2.101                            63   0.00   295315   0.00    1    4.65
  cord.de                                17   0.00   115787   0.00    0   20.86
  *.doubleclick.net                      13   0.00    26163   0.00    1    2.07
  *.google.com                           10   0.00    30646   0.00    1    3.71
  *.squid-cache.org                       8   0.00    51758   0.00    1    6.53
  <error>                                 4   0.00     4290   0.00    0   10474
  other: 6 requested urlhosts            11   0.00    66671   0.00    5    2.28
--------------------------------- --------- ------ -------- ------ ---- -------
Sum                                     135   0.00   618651   0.00    1    6.51
Webalizer
This tool is often installed by default on some Linux distributions. It is also GPL'ed and can be downloaded from http://www.mrunix.net/webalizer/.
By editing the /etc/webalizer.conf file one can choose between apache access logs, ftp transfer logs or squid logs.
[Figure: example graphics generated with webalizer]
3.5 User Authentication (using PAM)
To prevent unauthorised users browsing on the Internet you can set up squid to ask for a username and password.

IMPORTANT: You cannot have user authentication and transparent proxy at the same time! The work around is to block all outgoing requests on port 80, except the ones from the Squid proxy itself. Users are then forced to manually set up their browsers to use the proxy.

Configuration settings for PAM authentication
Here is the list of options you need to set in the squid.conf file
squid.conf PAM authentication settings
[Older versions]
authenticate_program /usr/lib/squid/pam_auth
[Squid v2.5]
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Anvil Internet Proxy
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
http_access allow password
The PAM configuration in /etc/pam.d

Here we register squid to use the Pluggable Authentication Module.
This is done by adding a file in /etc/pam.d/ called squid with the following content
/etc/pam.d/squid
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
This is a standard policy description on what to do when a person logs on.
The login session is abstracted into 4 parts: auth, account, password and session.

PAM then uses a specific library function which handles each stage.
Notice that most lines request the system-auth service which is the /etc/pam.d/system-auth file.
Also note the following from the pam_auth man page.
When used for authenticating to local UNIX shadow password databases the program must be running as root or else it won't have sufficient permissions to access the user password database. Such use of this program is not recommended, but if you absolutely need to then make the program setuid root
chown root pam_auth
chmod u+s pam_auth
Please note that in such configurations it is also strongly recommended that the program is moved into a directory where normal users cannot access it, as this mode of operation will allow any local user to brute-force other users passwords. Also note the program has not been fully audited and the author cannot be held responsible for any security issues due to such installations.
Network Client Management

Network Client Management
1. DHCP Configuration
1.1 Default DHCP Configurations
1.2 Dynamic DNS
1.3 DHCP Relay
2. NIS Configuration
2.1 Master Server Configuration
2.2 Slave Server Configuration
2.3 Client Setup
2.4 Setting up NFS home directories
2.5 Basic NIS Administration
3. LDAP Configuration
3.1 What is ldap
3.2 OpenLDAP server configuration
3.3 Client configuration files
3.4 Migrating System Files to LDAP
3.5 LDAP Authentication Scheme
4. PAM Authentication
4.1 PAM Aware Applications
4.2 PAM Configuration
1. DHCP Configuration
WARNING!! You should not attempt to run a DHCP server unless you are certain not to
interfere with the network you are currently using. The safest option for this section is to be
totally isolated from the network and use a hub or a switch to connect the classroom together.
1.1 Default DHCP Configurations
The basic communication process between a client workstation joining a TCP/IP network and
the DHCP server is depicted below.
The DHCPDISCOVER request is sent using the broadcast 255.255.255.255
The DHCP server can use two methods to allocate IP addresses
1. A dynamic IP is assigned for a client host chosen from a range of IPs
2. A fixed IP is assigned for a specific host (identified using the MAC address, similar to
bootp)
Since a single DHCP server can be used to administer IPs over several networks, the
dhcpd.conf configuration file is composed of global options followed by network sections
Example network block
subnet 10.0.0.0 netmask 255.0.0.0 {
....
}
In the next example we will assign both dynamic IP addresses and a fixed IP address
subnet 10.0.0.0 netmask 255.0.0.0 {
range 10.5.5.10 10.5.5.200;
host proxy {
hardware ethernet 00:80:C6:30:0A:7E;
fixed-address 10.5.5.2;
}
}
For each subnet it is possible to give information on network services, such as
- the default gateway
- the DNS domain name and the NIS domain name
- the DNS servers
In the subnet section above these directives would look like this
option routers 10.254.254.254;
option nis-domain "nisdomain";
option domain-name "seafront.bar";
option domain-name-servers 10.0.0.2;
The database of dynamically assigned IP addresses is stored in /var/lib/dhcp/dhcpd.leases
1.2 Dynamic DNS
We assume that we still have the private/public key used for the seafront TSIG
authentication, we will use this same key to allow the DHCP server to update the zone files
on the DNS server.
Additional Configurations on the DHCP Server
On the DHCP server add the following to the dhcpd.conf file
ddns-update-style interim;
ignore client-updates;
key seafront.bar. {
    algorithm hmac-md5;
    secret MNAv%/pnVIG)$Ua2>rA1,U/1@,pu(,M#V)ee22&$*8B=;
};
zone seafront.bar. {
    primary 192.168.3.100;
    key seafront.bar.;
}
zone 3.168.192.in-addr.arpa. {
    primary 192.168.3.100;
    key seafront.bar.;
}
Optionally, it is possible to set a specific host name and domain name for a given host with
the keywords
ddns-hostname host_name
ddns-domain-name domain_name
If the ddns-hostname option is not present then the DHCP server will try and use the name
provided by the client. The domain on the other hand cannot be set by the client, so if
ddns-domain-name is not present then the DHCP server will use the value given by the
domain-name option.
Additional Configurations on the DNS Server
On the DNS server we need to do the following
1. If you are using DNSSEC signed zone files then we need to use the unsigned zones
2. Add the allow-update option to the seafront.bar entry
zone "seafront.bar" IN {
    type master;
    file "seafront.zone";
    allow-update { key seafront.bar.; };
    allow-transfer { key seafront.bar.; };
};
and do the same with the in-addr.arpa zone
zone "3.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.3.local";
    allow-update { key seafront.bar.; };
    allow-transfer { key seafront.bar.; };
};
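As an added example (not from the LinuxIT guide), this Python script generates one TSIG shared secret and renders the matching key stanzas for dhcpd.conf and named.conf, then checks that both files carry the same key name, algorithm and secret. TSIG is a shared symmetric secret, so the two copies must be identical; the script assumes hmac-sha256 in place of the page's hmac-md5 (older ISC dhcpd releases only accepted hmac-md5) and reuses the key name seafront.bar. from the page.

```python
"""Generate a TSIG key shared by the DHCP and DNS servers and render both
config stanzas.  Added example, not part of the LinuxIT guide."""
import base64
import re
import secrets


def make_tsig_secret(nbytes=32):
    """Random shared secret, base64 encoded as dhcpd.conf and named.conf expect."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def dhcpd_key_stanza(name, secret, algorithm="hmac-sha256"):
    """The key block that goes into dhcpd.conf next to ddns-update-style."""
    return (f"key {name} {{\n"
            f"    algorithm {algorithm};\n"
            f"    secret {secret};\n"
            f"}};\n")


def named_key_stanza(name, secret, algorithm="hmac-sha256"):
    """Same key for named.conf; BIND wants the name and the secret quoted."""
    return (f'key "{name}" {{\n'
            f"    algorithm {algorithm};\n"
            f'    secret "{secret}";\n'
            f"}};\n")


def named_zone_stanza(zone, zonefile, keyname):
    """Master zone that accepts dynamic updates only from holders of the key."""
    return (f'zone "{zone}" IN {{\n'
            f"    type master;\n"
            f'    file "{zonefile}";\n'
            f"    allow-update {{ key {keyname}; }};\n"
            f"    allow-transfer {{ key {keyname}; }};\n"
            f"}};\n")


# Matches a key block in either syntax (quoted or bare name and secret).
KEY_RE = re.compile(
    r'key\s+"?(?P<name>[^\s"{]+)"?\s*\{\s*'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;\s*'
    r'secret\s+"?(?P<secret>[^\s";]+)"?\s*;',
    re.DOTALL)


def extract_keys(config_text):
    """Map key name -> (algorithm, secret) for every key block in a config."""
    return {m["name"]: (m["alg"].lower(), m["secret"])
            for m in KEY_RE.finditer(config_text)}


def keys_match(dhcpd_conf, named_conf, keyname):
    """True when both configs define keyname with the same algorithm and secret."""
    a = extract_keys(dhcpd_conf).get(keyname)
    b = extract_keys(named_conf).get(keyname)
    return a is not None and a == b


if __name__ == "__main__":
    name = "seafront.bar."
    secret = make_tsig_secret()
    dhcpd = ("ddns-update-style interim;\nignore client-updates;\n"
             + dhcpd_key_stanza(name, secret))
    named = (named_key_stanza(name, secret)
             + named_zone_stanza("seafront.bar", "seafront.zone", name))
    print(dhcpd)
    print(named)
    print("keys match:", keys_match(dhcpd, named, name))
```

Whichever file holds the secret should be readable only by the daemon's user (dhcpd or named); the secret authorises anyone who has it to rewrite the zone.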
Client Configuration
On Linux clients it is possible to set the DHCP_HOSTNAME variable in the interface setup
script. In Redhat-like variants this would be in the /etc/sysconfig/network-scripts/ifcfg-ethX
files. Notice that this is simply a hostname, the domain name will be appended to that name
on the DHCP server.
1.3 DHCP Relay
The DHCPDISCOVER packets from clients reach the server through the broadcast
255.255.255.255, however broadcasts are blocked by routers.
So in a configuration with multiple networks and a single DHCP server each router needs to
be able to relay DHCPDISCOVER broadcasts from a given network to the DHCP server.
For a Linux router this is done using the dhcp-relay or dhcrelay (more recent) tool. Both
tools take a mandatory single argument which is the IP of the DHCP server.
By default the relay tools will listen on all network interfaces for DHCP requests. One can
specify an interface with the -i option
dhcrelay -i eth0 IP_FOR_DHCP_server
2. NIS Configuration
2.1 Master Server Configuration
On a Linux system the network information system (NIS) server is called ypserv (package
name ypserv). The RPM package has the same name and installs the following main files
Files installed with ypserv     Description
/etc/rc.d/init.d/yppasswdd      script for the daemon allowing users to change passwords
/etc/rc.d/init.d/ypserv         script for ypserv daemon
/etc/rc.d/init.d/ypxfrd         script for daemon used to speed up transfers to slave servers
/etc/ypserv.conf                main configuration file for ypserv
/var/yp/Makefile                Makefile for database files, should only be used on the
                                master server
1. Choose a nisdomain name
In /etc/sysconfig/network set the variable NISDOMAIN. For example we can set the
nisdomain to linis as follows:
NISDOMAIN=linis        (entry in /etc/sysconfig/network)
The file /etc/sysconfig/network will be sourced by the ypserv initscript.
2. Make sure the master server will push map changes to the slave servers. For this you
need to edit the file /var/yp/Makefile and put
NOPUSH=false
3. Start the ypserv daemon
/etc/init.d/ypserv restart
4. Check that the nisdomain has been properly set
nisdomainname
linis
5. Create the databases, the -m option to ypinit is to indicate the server is a master server
/usr/lib/yp/ypinit -m
Enter the list of slave servers you will run on this domain. This will create a number of
DBM files in /var/yp/linis as well as a file called /var/yp/ypservers
2.2 Slave Server Configuration
On the slave server, we need to install the ypserv package too. This time we run ypinit
and point it to the master server
/etc/rc.d/init.d/ypserv start
/usr/lib/yp/ypinit -s MASTER_IP
Also make sure to leave the line NOPUSH=true in /var/yp/Makefile
2.3 Client Setup
On the client the main service is called ypbind (package name ypbind). This daemon is
responsible for binding to a NIS server and successfully resolves names and passwords
as needed.
The main configuration file is /etc/yp.conf.
If the NISDOMAIN variable is set in /etc/sysconfig/network, which is sourced by the rc
script /etc/init.d/ypbind, then the NIS server will be detected using the broadcast. One can
also configure yp.conf and specify the server explicitly. Once this is set one can start ypbind
/etc/init.d/ypbind start
Make sure that the nis keyword is added to /etc/nsswitch.conf.
2.4 Setting up NFS home directories
Once the NIS server and clients are set up as above, anybody with an account on the NIS
server can log onto a machine set up using ypbind pointing at the correct server.
All that is needed is for the user to access a home directory. This can be done in a
number of ways. We will describe one implementation using NFS.
We assume that all the home directories are on a single server with the following IP
10.0.0.1
All the clients are on the 10.0.0.0/8 network.
On the NFS server
Edit /etc/exports and add
/home 10.0.0.1/8(rw)
Notice that root_squash will apply automatically.
On the client
Edit /etc/fstab and add
10.0.0.1:/home /home defaults 0 0
2.5 Basic NIS Administration
With the latest versions of ypserv a number of default maps are created using source files
in /etc. It is possible to alter the YPPWDDIR and YPSRCDIR variables in the Makefile to
build maps from alternative files from custom locations.
Updates are made with the Makefile in /var/yp. The targets are all, passwd, group ...
Copy the new maps to /var/yp/linis and run yppush to update the slave servers
yppush MAP_NAME
Additional Commands
Command    Description
ypcat      get values from a database, for example ypcat passwd
ypwhich    return the name of the NIS server on the network
3. LDAP Configuration
3.1 What is ldap
LDAP stands for Lightweight Directory Access Protocol. The protocol allows access to data in
a tree-like structure using attributes. LDAP can be thought of as a specialised database
which handles trees. Since directories are also trees, navigating LDAP fields is like navigating
a directory. Added to this LDAP has been designed mainly for optimal access. This clarifies
the words Directory and Access.
With this in mind let's see what characterises an LDAP database.
The Distinguished Name
An item in the database can be referenced using a unique Distinguished Name (dn). This is
similar to a file's full path in a directory. Each intermediate subfolder is called a Relative
Distinguished Name.
[Figure: Distinguished Name. The root dc=example, dc=com holds ou=People and
ou=Aliases; ou=People holds cn=Tux, giving dn: cn=Tux, ou=People, dc=example, dc=com]
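An added example, not from the LinuxIT guide: a small Python module that splits a DN such as the one in the figure into its RDNs, finds the parent entry the way dirname does for a path, and checks whether an entry lies under a base DN. It handles commas escaped with a backslash inside a value, which a naive split on commas gets wrong.

```python
"""Split an LDAP Distinguished Name into its RDNs and walk it like a path.
Added example, not from the LinuxIT guide."""


def split_dn(dn):
    """Return the RDNs of a DN, most specific first.

    A comma separates RDNs unless it is escaped with a backslash (RFC 4514),
    so "cn=Doe\\, John,ou=People,dc=example,dc=com" has four RDNs, not five.
    Unescaped whitespace around the separators, as in the figure, is dropped."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)          # character after a backslash is literal
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]       # ignore an empty RDN from a trailing comma


def parent_dn(dn):
    """The entry one level up: cn=Tux,ou=People,... -> ou=People,..."""
    return ",".join(split_dn(dn)[1:])


def normalize(dn):
    """Lower-case the attribute types and drop spaces so DNs compare by meaning."""
    out = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(out)


def is_under(dn, base):
    """True if dn sits inside the subtree rooted at base (or is base itself)."""
    d, b = split_dn(normalize(dn)), split_dn(normalize(base))
    return len(d) >= len(b) and d[len(d) - len(b):] == b


if __name__ == "__main__":
    tux = "cn=Tux, ou=People , dc=example, dc=com"   # the DN from the figure
    print(split_dn(tux))
    print(parent_dn(tux))
    print(is_under(tux, "dc=example,dc=com"))
```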
More Terminology
DIT    The Data Information Tree
DN     Distinguished Name
RDN    Relative Distinguished Name
LDIF   LDAP Data Interchange Format
Attributes
dc     Domain Component
cn     Common Name
c      Country
l      Location
o      Organisation
ou     Organisational Unit
sn     Surname
st     State
uid    User id
3.2 OpenLDAP server configuration
The server is called slapd (Standalone LDAP daemon) and its configuration file is
/etc/openldap/slapd.conf
We will cover each section of this file in more detail
Importing schemas
There is an include clause in slapd.conf which tells the LDAP server which schemas should
be loaded.
We need at least the following
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
Database Definition
Available DBMs (Database Managers) are ldbm or the more recent bdb.
We will use bdb
database bdb
You need to specify the root or base for the LDAP directory, as well as the directory where
the database file will be kept. This is done below:
suffix "dc=example,dc=com"
directory /var/lib/ldap
The following lines are only needed when modifying the LDAP server online. You can then
specify an administrator username/password. Use slappasswd to generate an encrypted
hash (see 3.4 Migrating System Files to LDAP)
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}ViE+5htbn'9Rp8BrWoteRX..ICs00r6B
3.3 Client configuration files
There are two configuration files called ldap.conf. Here is what they do
The /etc/ldap.conf file is used by the nss_ldap and pam_ldap modules
The file /etc/openldap/ldap.conf is used by the tools ldapsearch and ldapadd
For example, to save time typing
ldapsearch -b "dc=example,dc=com" -x
you can add the next lines to /etc/openldap/ldap.conf
BASE dc=example, dc=com
HOST 127.0.0.1
So far we have configured slapd and the configuration file for ldapsearch in particular. Once
we have populated an LDAP directory we will be able to test our setup by typing:
ldapsearch -x
3.4 Migrating System Files to LDAP
There are two methods available to populate an LDAP directory.
If the ldap daemon slapd is stopped, we can do an offline update using slapadd
While slapd is running, it is possible to perform an online update using ldapadd or
ldapmodify
We will also use migration tools which can be downloaded from
http://www.padl.com/OSS/MigrationTools.html
Creating LDAP directories offline
We are going to work in the directory containing the LDAP migration Perl scripts which we
have downloaded from www.padl.com.
Notice: Some distributions may include the migration tools with the LDAP server package.
You should have the following files
migrate_automount.pl           migrate_base.pl
CVSVersionInfo.txt             migrate_common.ph
Make.rules                     migrate_fstab.pl
MigrationTools.spec            migrate_group.pl
README                         migrate_hosts.pl
ads                            migrate_netgroup.pl
migrate_netgroup_byhost.pl     migrate_aliases.pl
migrate_netgroup_byuser.pl     migrate_all_netinfo_offline.sh
migrate_networks.pl            migrate_all_netinfo_online.sh
migrate_passwd.pl              migrate_all_nis_offline.sh
migrate_profile.pl             migrate_all_nis_online.sh
migrate_protocols.pl           migrate_all_nisplus_offline.sh
migrate_rpc.pl                 migrate_all_nisplus_online.sh
migrate_services.pl            migrate_all_offline.sh
migrate_slapd_conf.pl          migrate_all_online.sh
First edit migrate_common.ph and change the $DEFAULT_BASE variable to
$DEFAULT_BASE = "dc=example,dc=com";
NOTICE
When migrating the /etc/passwd file one can either use shadow passwords or not. When
using shadow passwords an added objectClass called shadowAccount is used in the LDAP
record and there is no need to migrate the shadow password file.
We create our first LDIF file called base.ldif to serve as our root
./migrate_base.pl > base.ldif
This flat file will be converted into bdb (or ldbm) files stored in /var/lib/ldap as follows
slapadd -v < base.ldif
We next choose to migrate the password without shadow passwords as follows
pwunconv
./migrate_passwd.pl /etc/passwd passwd.ldif
The entries in passwd.ldif should look like this
dn: uid=test,ou=People,dc=example,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
userPassword: {crypt}$1$%"rQ!a0u$)o5E,/4xxssmWbo#62X5L(
loginShell: /bin/bash
uidNumber: 505
gidNumber: 50L
homeDirectory: /home/test
Now let's add this LDIF file to our LDAP directory (remember that LDAP is stopped so we are
still offline)
slapadd -v -l passwd.ldif
or
slapadd -v < passwd.ldif
NOTICE
Make sure all the files in /var/lib/ldap belong to user ldap
TESTING:
Restart the LDAP server
/etc/init.d/ldap restart
Search all the entries in the directory
ldapsearch -x
If the ldap server does not respond, or the result from ldapsearch is empty, it is possible to
show the content of the LDAP databases in /var/lib/ldap with the slapcat command.
Creating LDAP Directories Online
The LDAP server can be updated online, without having to shut the ldap service down. For
this to work however we must specify a rootdn and a rootpw in /etc/openldap/slapd.conf.
The password is generated from the command line as follows
slappasswd
New password:
Re-enter new password:
{SSHA}EyXm..(Q)n+'ETWM8$*xB/BCX/Mox#CT
We next choose the rootdn in /etc/openldap/slapd.conf to be
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}EyXm..(Q)n+'ETWM8$*xB/BCX/Mox#CT
The next line will update the LDAP entries, binding as the rootdn defined above
ldapmodify -f passwd.ldif -x -D "cn=Manager,dc=example,dc=com" -W
Enter LDAP Password:
3.5 LDAP Authentication Scheme
Server Configuration
We assume that the LDAP server has been configured as above.
The passwords in the LDAP directory can also be updated online with the ldappasswd
command.
The next line will update the password for user tux on the LDAP server.
ldappasswd -D "cn=Manager,dc=example,dc=com" -S -x -W \
    "uid=tux,ou=People,dc=example,dc=com"
The -S switch is used to configure a new password.
We assume that the IP address for the server is 10.0.0.1 and that the domain component is
"dc=example,dc=com"
You may allow users to change their passwords on the LDAP server as follows
1. Copy the passwd PAM file /usr/share/doc/nss_ldap-version/pam.d/passwd to
/etc/pam.d
2. Add the following access rule in /etc/openldap/slapd.conf
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
Client Configuration
The clients need to have the nss_ldap package installed (some distributions have a separate
pam_ldap package with the PAM related modules and files). The following files and libraries
are installed
/etc/ldap.conf                      set the hostname and the domain component of the LDAP
                                    server used for authentications
/lib/libnss_ldap-2.3.2.so           an ldap module for the NameService Switch
/lib/security/pam_ldap.so           the PAM ldap module
/usr/lib/libnss_ldap.so             a symbolic link to /lib/libnss_ldap-2.3.2.so
/usr/share/doc/nss_ldap-207/pam.d   sample files for programs using PAM
If we don't use SSL certificates then /etc/ldap.conf is as follows
The /etc/ldap.conf file
host 10.0.0.1
base dc=example,dc=com
ssl no
pam_password md5
Next in /etc/pam.d replace the file called login with /usr/share/doc/nss_ldap-207/pam.d/login.
This will tell the authentication binary /bin/login to use the pam_ldap.so module.
Finally the /etc/nsswitch.conf needs to have the following line
passwd: ldap files
Check the /var/log/ldap/ldap.log file on the server to follow the authentication process.
4. PAM Authentication
Services or applications which need authentication can use the pluggable authentication
module (PAM) mechanism which offers a modular approach to the authentication process.
For example, if a new hardware authentication scheme is added to a system, using smart
cards or prime number generators, and if corresponding PAM library modules are
available for this new scheme, then it is possible to modify existing services to use this
new authentication scheme.
4.1 PAM Aware Applications
Services which use pluggable authentication modules have been compiled with libpam.
For example sshd is such a service
ldd `which sshd` | grep pam
libpam.so.0 => /lib/libpam.so.0 (0x00941000)
[Figure: login calls PAM, which consults the nsswitch databases files (/etc/passwd,
/etc/group, /etc/shadow), nis (/etc/yp.conf) and ldap (/etc/ldap.conf). The PAM modules
are configured using the authconfig tool; authconfig changes the Name Service databases
in /etc/nsswitch.conf]
These applications will scan the PAM configuration files which in turn tell the application
how the authentication will take place.
4.2 PAM Configuration
PAM configuration is controlled with the single file /etc/pam.conf. This file contains a list
of services and a set of instructions, as follows
service type control module-path module-arguments
However, if the directory /etc/pam.d exists then pam.conf is ignored and each service is
configured through a separate file in pam.d. These files are similar to pam.conf except
that the service name is dropped
type control module-path module-arguments
type defines the "management group type". PAM modules are classified into four
management groups which define different aspects of the authentication process
    account     check the validity of the account (eg. does the user have a UNIX
                account? is the user authorised to use the application ...)
    auth        the authentication method. This points to a module(s) responsible for
                the challenge-response
    password    defines how to change user passwords, if at all.
    session     modules that are run before and after a service is granted
control defines what action to take if the module fails. The simple controls are
    requisite   a failure of the module results in the immediate termination of the
                authentication process
    required    a failure of the module will result in the termination of the
                authentication once all the other modules of the same type have been
                executed
    sufficient  success of the module is sufficient except if a prior required module
                has failed
    optional    success or failure of this module are not taken into account unless it is
                the only requirement of its type
module-path the path to a PAM module (usually in /lib/security)
module-arguments list of arguments for a specific module
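An added example, not Linux-PAM's code: a Python walk through a pam.d stack that applies the four control flags just defined. Module outcomes (pass/fail) are supplied by the caller as a hypothetical dictionary, so the stack logic can be exercised without real modules; LOGIN_STACK is a constructed sample in the style of the nss_ldap pam.d/login file mentioned in the LDAP section.

```python
"""Walk a pam.d stack with the requisite/required/sufficient/optional controls.
Added example, not Linux-PAM's code: module results are supplied by the caller."""
from collections import namedtuple

Entry = namedtuple("Entry", "type control module args")

# Constructed sample in the style of nss_ldap's pam.d/login.
LOGIN_STACK = """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
"""


def parse_pamd(text):
    """Parse /etc/pam.d/<service> lines: type control module-path [args...]."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("bad pam.d line: " + line)
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3:]))
    return entries


def run_stack(entries, outcomes, mtype="auth"):
    """Evaluate one management group.  outcomes maps module name -> True/False
    (a module missing from the map is treated as failing).  Returns the final
    result and the list of modules that were actually executed."""
    stack = [e for e in entries if e.type == mtype]
    executed, required_failed = [], False
    for e in stack:
        ok = outcomes.get(e.module, False)
        executed.append(e.module)
        if e.control == "requisite" and not ok:
            return False, executed           # stop at once
        if e.control == "required" and not ok:
            required_failed = True           # keep going, the stack will still fail
        if e.control == "sufficient" and ok and not required_failed:
            return True, executed            # later modules are skipped
    if required_failed:
        return False, executed
    if any(e.control in ("required", "requisite") for e in stack):
        return True, executed                # every required/requisite module passed
    if any(e.control == "sufficient" for e in stack):
        return False, executed               # no sufficient module succeeded
    # only optional modules: their own results decide
    return any(outcomes.get(e.module, False) for e in stack), executed


if __name__ == "__main__":
    stack = parse_pamd(LOGIN_STACK)
    # Local password wrong, LDAP password right: pam_ldap.so carries the login.
    print(run_stack(stack, {"pam_env.so": True, "pam_unix.so": False,
                            "pam_ldap.so": True}))
```

Note that with pam_env.so failing, the two sufficient modules still run but can no longer rescue the login; that is the "unless a prior required module has failed" clause.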
System Security
System Security .................................................. 71
1. Iptables/Ipchains ............................................. 72
1.1 The Chains ................................................... 72
1.2 The Tables ................................................... 73
1.3 The Targets .................................................. 74
1.4 Example Rules ................................................ 74
2. Differences with Ipchains ..................................... 75
3. Security Tools ................................................ 77
3.1 SSH .......................................................... 77
3.2 LSOF ......................................................... 78
3.3 NETSTAT ...................................................... 79
3.4 TCPDUMP ...................................................... 79
3.5 NMAP ......................................................... 82
1. Iptables/Ipchains
So What's A Packet Filter?
A packet filter is a piece of software which looks at the header of packets as they pass
through, and decides the fate of the entire packet. It might decide to DROP the packet (i.e.,
discard the packet as if it had never received it), ACCEPT the packet (i.e., let the packet go
through), or something more complicated. (from the "Packet Filtering HOWTO" by Rusty
Russell)
For more in depth information see the HOWTOs at www.netfilter.org.
In this section we introduce the iptables concepts of chains, tables and targets. We then look
at some examples to illustrate network address translation (NAT) as well as the special cases
of masquerading and transparent redirections.
1.1 The Chains
A chain is a list of rules which by considering criteria found in the packet's header will make
decisions about the type of action to take (target). There are five chains corresponding to
different stages in the netfilter framework: PREROUTING, INPUT, FORWARD,
POSTROUTING and OUTPUT.
Below is a diagram of the progression of a packet through the kernel netfilter framework
1.2 The Tables
There are three built-in tables (the IP Tables) which allow to carry out different tasks as listed
below.
filter: this is the default table and the packets are never altered. Packets are available from
the following chains
    INPUT        for packets coming into the box itself
    OUTPUT       for locally-generated packets
    FORWARD      for packets being routed through the box (check the value of
                 /proc/sys/net/ipv4/ip_forward)
nat: this table only deals with network address translation (NAT); it is consulted when a
packet creating a new connection is encountered. Packet headers connected with routing
can be altered here. The following chains are considered
    PREROUTING   alters the packets as they come in
    POSTROUTING  alters packets as they go out
    OUTPUT       alters locally generated packets before routing
mangle: used for specialized packet alterations. Targets in this table allow the TOS or TTL
field to be modified.
Until kernel 2.4.17 it could only interact with two chains
    PREROUTING   for altering incoming packets before routing
    OUTPUT       for altering locally-generated packets before routing
Since kernel 2.4.18, the three other chains are also supported
    INPUT        for packets coming into the box itself
    FORWARD      for altering packets being routed through the box
    POSTROUTING  for altering packets as they are about to go out
1.3 The Targets
The part of a filtering rule which determines what action to take if the rule is matched is
called a target and is preceded by a -j flag (jump). Here is an overview of available targets
for a given table
    all tables   ACCEPT, REJECT, DROP, LOG, ULOG, TCPMSS, MIRROR
    filter       (nothing individual to this chain)
    nat          DNAT, SNAT, MASQUERADE, REDIRECT
    mangle       TOS, MARK, DSCP, ECN
There are more targets, but they come as part of additional extension kernel modules.
1.4 Example Rules
1. Example filter rules
Drop incoming icmp-request as well as outgoing icmp-reply packets
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
Notice: The protocol extension flags allow you to specify more information about a specific
protocol. In the case of TCP packets for example you may have
-p tcp --tcp-flags ALL SYN,ACK
ALL stands for SYN ACK FIN RST URG and PSH. This rule says that all flags must be
examined and of those, if the SYN and ACK flags are set, the rule is true.
2. Example Destination Network Address Translation (DNAT)
All requests on port 80 for host 192.168.3.100 are redirected to the host 10.1.1.1 on port 80
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.3.100 \
--dport 80 -j DNAT --to 10.1.1.1:80
3. Example Source Network Address Translation (SNAT)
The SNAT target is used to change the Source Address. For example, in the case where a
router switches the from address on all outgoing packets leaving through ppp0 to its own
(public) IP address. The line would look like this
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.3.0/24 -d 0/0 \
    -j SNAT --to ROUTER_IP
This rule can also be written using the MASQUERADE target
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.3.0/24 -d 0/0 -j MASQUERADE
4. Example Redirection
A redirection is a special case of DNAT where the --to host is the same host. For
example if a proxy server is running on a router, all requests through port 80 can be PRE-
routed through port 3128 with
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
TASK: At this stage if you want to implement a transparent proxy with the previous
redirection rule you will have to change the configuration file squid.conf and add the
following
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Remember that if you have implemented an authentication scheme with squid you may have
to disable it for the transparent proxy to work.
2. Differences with Ipchains
We will simply mention some of the main improvements over ipchains.
With iptables, each filtered packet is only processed using rules from one chain rather
than multiple chains. In other words, a FORWARD packet coming into a system using
ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains in order
to move along to its destination. However, iptables only sends packets to the INPUT chain if
they are destined for the local system and only sends them to the OUTPUT chain if the local
system generated the packets. For this reason, you must be sure to place the rule designed
to catch a particular packet in the correct chain that will actually see the packet. The
advantage is that you now have finer-grained control over the disposition of each packet. If
you are attempting to block access to a particular website, it is now possible to block access
attempts from clients running on hosts which use your host as a gateway. An OUTPUT rule
which denies access will no longer prevent access for hosts which use your host as a
gateway.
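An added example, not netfilter code: a Python model of which filter chain sees a packet and of the first-match verdict, covering only the matches used on this page (-p, -s, -d, -i, -o, --dport, --icmp-type). PAGE_RULES holds the page's two ICMP rules plus one constructed OUTPUT rule against the documentation address 203.0.113.10, so the ipchains-versus-iptables difference just described can be reproduced: the OUTPUT rule blocks the gateway's own traffic but not traffic it forwards.

```python
"""Model which filter chain sees a packet and apply iptables-style rules to it.
Added example, not netfilter code; filter table and a few matches only."""
import ipaddress
import shlex
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0
    icmp_type: str = ""
    in_if: str = ""
    out_if: str = ""


@dataclass
class Rule:
    chain: str
    target: str
    match: dict = field(default_factory=dict)


# Filter chains a packet traverses, by where it comes from and where it goes.
IPTABLES_CHAINS = {"incoming": ["INPUT"], "forwarded": ["FORWARD"],
                   "outgoing": ["OUTPUT"]}
# ipchains pushed forwarded traffic through all three chains.
IPCHAINS_CHAINS = {"incoming": ["INPUT"], "forwarded": ["INPUT", "FORWARD", "OUTPUT"],
                   "outgoing": ["OUTPUT"]}


def parse_rule(line):
    """Turn 'iptables -A CHAIN <matches> -j TARGET' into a Rule."""
    toks = shlex.split(line)
    if toks and toks[0] == "iptables":
        toks = toks[1:]
    chain = target = None
    match = {}
    i = 0
    while i + 1 < len(toks):
        opt, val = toks[i], toks[i + 1]
        if opt == "-t":
            pass                               # only the filter table is modelled
        elif opt == "-A":
            chain = val
        elif opt == "-j":
            target = val
        elif opt in ("-p", "--protocol"):
            match["proto"] = val
        elif opt == "-s":
            match["src"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-d":
            match["dst"] = ipaddress.ip_network(val, strict=False)
        elif opt == "-i":
            match["in_if"] = val
        elif opt == "-o":
            match["out_if"] = val
        elif opt == "--dport":
            match["dport"] = int(val)
        elif opt == "--icmp-type":
            match["icmp_type"] = val
        else:
            raise ValueError("unsupported option: " + opt)
        i += 2
    if chain is None or target is None:
        raise ValueError("rule needs -A CHAIN and -j TARGET: " + line)
    return Rule(chain, target, match)


def matches(rule, pkt):
    """True when every match in the rule agrees with the packet."""
    m = rule.match
    if "proto" in m and m["proto"] != pkt.proto:
        return False
    if "src" in m and ipaddress.ip_address(pkt.src) not in m["src"]:
        return False
    if "dst" in m and ipaddress.ip_address(pkt.dst) not in m["dst"]:
        return False
    for key in ("in_if", "out_if", "dport", "icmp_type"):
        if key in m and m[key] != getattr(pkt, key):
            return False
    return True


def verdict(rules, pkt, path, model="iptables", policy="ACCEPT"):
    """First matching rule in each chain on the packet's path decides; a DROP or
    REJECT anywhere on the path ends it, otherwise the chain policy applies."""
    chains = (IPTABLES_CHAINS if model == "iptables" else IPCHAINS_CHAINS)[path]
    for chain in chains:
        for rule in rules:
            if rule.chain == chain and matches(rule, pkt):
                if rule.target in ("DROP", "REJECT"):
                    return rule.target
                break                          # accepted here, on to the next chain
    return policy


# Constructed sample: the page's two ICMP rules plus an OUTPUT rule that "blocks
# a website" (203.0.113.10 is a documentation address, not a real host).
PAGE_RULES = [parse_rule(r) for r in (
    "iptables -A INPUT -p icmp --icmp-type echo-request -j DROP",
    "iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP",
    "iptables -A OUTPUT -p tcp -d 203.0.113.10 --dport 80 -j DROP",
)]

if __name__ == "__main__":
    web = Packet(src="192.168.3.20", dst="203.0.113.10", proto="tcp", dport=80,
                 in_if="eth1", out_if="ppp0")
    print("forwarded, iptables:", verdict(PAGE_RULES, web, "forwarded"))
    print("forwarded, ipchains:", verdict(PAGE_RULES, web, "forwarded", "ipchains"))
```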
Additional Matching Extensions
Matching extensions are implemented in iptables as modules. Modules are invoked with the -m switch.
For example the state module makes it possible to distinguish new packets from packets belonging to an established connection. The packet is tested for a matching state. Particular state values are NEW, ESTABLISHED, RELATED or INVALID.
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
Matching extension modules are listed below.
Module     Description                                                      Option (example)
connrate   matches the current connection rate                              --connrate [!] [from]:[to]
dstlimit   allows you to limit the packet per second (pps) rate on a per    --dstlimit avg
           destination IP or per destination port basis
icmp       this extension is loaded if `--protocol icmp' is specified       --icmp-type [!] typename
iprange    specify a range of IPs                                           --src-range IP-IP
length     matches the length of the packet                                 --length length
mac        match the MAC source                                             --mac-source [!] address
state      determine the state of a packet                                  --state state
           (NEW, ESTABLISHED, RELATED, INVALID)
3. Security Tools
3.1 SSH
For a first description of the ssh client and sshd server see the section on "Basic Security" in the lpi-manuals document for LPI 102. For an in depth presentation see the Internet draft "The SSH (Secure Shell) Remote Login Protocol" at http://www.free.lp.se/fish/rfc.txt.
This section covers the server configuration file and briefly discusses other mechanisms that the SSH protocol offers such as X11 forwarding and port forwarding.
sshd_config overview
Port 22                       Specify which port to listen on. Multiple "Port" options can be used
Protocol 2,1                  Specify version 1 or version 2 SSH protocol. Can be a comma separated list. If both are supplied, they are tried in the order presented.
DenyUsers USER@HOST           Deny users from a specific host. Wild cards such as * can be used
IgnoreRhosts yes/no           Default is yes - Ignore the ~/.rhosts and ~/.shosts files
PermitEmptyPasswords yes/no   Default is no - Allow login with an empty password when password authentication is allowed
PermitRootLogin yes/no        Allow or disallow root access
X11Forwarding yes/no          Instructs the remote end to route X11 traffic back through the ssh tunnel to the user's X session. Unless disabled, the xauth settings will be transferred in order to properly authenticate remote X applications
Port Forwarding
It is possible to do port forwarding with the SSH client. This is often used to provide a simple mechanism to encrypt a connection. For example one can open a local (-L) port (1234) pointing to the remote host (www.google.com) on another port (80) as follows
ssh -L 1234:www.google.com:80 127.0.0.1
Quick VPN
This is a user-space VPN as opposed to other types of VPNs which are kernel based.
/usr/sbin/pppd noauth pty \
"ssh SOME_HOST -l root '/usr/sbin/pppd notty noauth
192.168.0.1:192.168.0.2'" \
192.168.0.2:192.168.0.1
3.2 LSOF
lsof - show open files used by processes
Traditionally used to list PIDs of processes running on a given directory:
lsof +D DIRECTORY
lsof will output the following information:
NAME: name of the process
PID: process ID
USER: name of the user to whom the process belongs
FD: file descriptor (e.g. u = read write, r = read, w = write)
TYPE: the file type (e.g. REG = regular file)
DEVICE: major/minor number (e.g. 3,12 = /dev/hda12)
SIZE: size or offset of the file
NODE: inode of the file
NAME: the name of the file
lsof can also be used to display network sockets. For example the following line will list all internet connections:
lsof -i
You can also list connections to a single host:
lsof -i @HOST
For example if a host TOFFY is connected to your localhost on port 1234, the following would display information about the connection:
lsof -i @TOFFY:1234
3.3 NETSTAT
netstat - Print network connections, routing tables ...
Main options are:
-r      display routing tables
-l      only listening services
-C      display route cache
--inet  restrict to network sockets
Protocol types:
-t      select tcp
-u      select udp
3.4 TCPDUMP
tcpdump - dump traffic on a network
This is taken directly from the man pages:
The TCP Packet
The general format of a tcp protocol line is:
src > dst: flags data-seqno ack window urgent options
Src and dst are the source and destination IP addresses and ports.
Flags are some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single `.' (no flags).
Data-seqno describes the portion of sequence space covered by the data in this packet (see example below).
Ack is sequence number of the next data expected in the other direction on this connection.
Window is the number of bytes of receive buffer space available in the other direction on this connection.
Urg indicates there is `urgent' data in the packet.
Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).
Capturing TCP packets with particular flag combinations (e.g. SYN-ACK, URG-ACK, etc.)
There are 8 bits in the control bits section of the TCP header:
CWR | ECE | URG | ACK | PSH | RST | SYN | FIN
Let's assume that we want to watch packets used in establishing a TCP connection. Recall the structure of a TCP header without options:
0                            15                              31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
-----------------------------------------------------------------
|         TCP checksum          |       urgent pointer          |
-----------------------------------------------------------------
A TCP header usually holds 20 octets of data, unless options are present. The first line of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.
Starting to count with 0, the relevant TCP control bits are contained in octet 13:
0             7|             15|             23|             31
----------------|---------------|---------------|----------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|        window size            |
----------------|---------------|---------------|----------------
|               |  13th octet   |               |               |
Let's have a closer look at octet no. 13:
                |               |
                |---------------|
                |C|E|U|A|P|R|S|F|
                |---------------|
                |7   5   3     0|
These are the TCP control bits we are interested in. We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5.
Recall that we want to capture packets with only SYN set. Let's see what happens to octet 13 if a TCP datagram arrives with the SYN bit set in its header:
                |C|E|U|A|P|R|S|F|
                |---------------|
                |0 0 0 0 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|
Looking at the control bits section we see that only bit number 1 (SYN) is set.
Assuming that octet number 13 is an 8-bit unsigned integer in network byte order, the binary value of this octet is
00000010
and its decimal representation is
0*2^7 + 0*2^6 + 0*2^5 + 0*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 2
We're almost done, because now we know that if only SYN is set, the value of the 13th octet in the TCP header, when interpreted as an 8-bit unsigned integer in network byte order, must be exactly 2.
This relationship can be expressed as
tcp[13] == 2
3.5 NMAP
nmap - Network exploration tool and security scanner
The scanner makes use of the fact that a closed port should (according to RFC 793) send back an RST. In the case of a SYN scan, connections that are half opened are immediately closed by nmap by sending an RST itself.
Scan Types:
SYN or Half-open: -sS
Nmap will send a synchronisation packet SYN asking for a connection. If the remote host sends a RST/ACK it is assumed that the port is closed. If the remote host sends a SYN/ACK this indicates that the port is listening.
UDP: -sU
UDP is connectionless. So there is no need for a 3 way handshake as with TCP. If a port is closed the server will send back an ICMP PORT UNREACHABLE. One then deduces that all the other ports are open (not reliable in the case where ICMP messages are blocked).
TCP NULL: -sN
TCP packet with no flags set. A closed port will send a RST when receiving this packet (except with MS Windows).
TCP Xmas: -sX
TCP packet with the FIN_URG_PUSH flags set. The remote host should send back a RST for all closed ports when receiving a Xmas packet.
... and many more: Ack scan -sA, RPC scan -sR ...
TASKS:
- Configure iptables rules to log the different nmap scans using the --tcp-flags option.
- Notice that tcpdump can take compound options such as
tcpdump host A and not host B
tcpdump ip proto ICMP and host HOST ...
- Out of interest, go to www.tcpdump.org and try the libpcap tutorials (remember to compile the code CODE.c with "gcc CODE.c -l pcap" ...)
Exam 202: Detailed Objectives
This is a required exam for LPI certification Level 2. It covers advanced network administration skills that are common across all distributions of Linux.
Each objective is assigned a weighting value. The weights range roughly from 1 to 10, and indicate the relative importance of each objective. Objectives with higher weights will be covered in the exam with more questions.
Topic 205: Networking Configuration
- 2.205.1 Basic networking configuration
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 5
Description: The candidate should be able to configure a network device to be able to connect to a local network and a wide-area network. This objective includes being able to communicate between various subnets within a single network, configure dialup access using mgetty, configure dialup access using a modem or ISDN, configure authentication protocols such as PAP and CHAP, and configure TCP/IP logging.
Key files, terms, and utilities include:
/sbin/route
/sbin/ifconfig
/sbin/arp
/usr/sbin/arpwatch
/etc/
- 2.205.2 Advanced Network Configuration and Troubleshooting
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 3
Description: The candidate should be able to configure a network device to implement various network authentication schemes. This objective includes configuring a multi-homed network device, configuring a virtual private network and resolving networking and communication problems.
Key files, terms, and utilities include:
/sbin/route
/sbin/ifconfig
/bin/netstat
/bin/ping
/sbin/arp
/usr/sbin/tcpdump
/usr/sbin/lsof
/usr/bin/nc
Topic 206: Mail & News
- 2.206.1 Configuring mailing lists
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 1
Description: Install and maintain mailing lists using majordomo. Monitor majordomo problems by viewing majordomo logs.
Key files, terms, and utilities include:
Majordomo2
- 2.206.2 Using Sendmail
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 4
Description: Candidates should be able to manage a Sendmail configuration including email aliases, mail quotas, and virtual mail domains. This objective includes configuring internal mail relays and monitoring SMTP servers.
Key files, terms, and utilities include:
/etc/aliases
sendmail.cw
virtusertable
genericstable
- 2.206.3 Managing Mail Traffic
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 3
Description: Candidates should be able to implement client mail management software to filter, sort, and monitor incoming user mail. This objective includes using software such as procmail on both server and client side.
Key files, terms, and utilities include:
procmail
- 2.206.4 Serving news
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 1
Description: Candidates should be able to install and configure news servers using inn. This objective includes customizing and monitoring served newsgroups.
Key files, terms, and utilities include:
innd
Topic 207: DNS
- 2.207.1 Basic BIND 8 configuration
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 2
Description: The candidate should be able to configure BIND to function as a caching-only DNS server. This objective includes the ability to convert a BIND 4.9 named.boot file to the BIND 8.x named.conf format, and reload the DNS by using kill or ndc. This objective also includes configuring logging and options such as directory location for zone files.
Key files, terms, and utilities include:
/etc/named.conf
/usr/sbin/ndc
/usr/sbin/named-bootconf
kill
- 2.207.2 Create and maintain DNS zones
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 3
Description: The candidate should be able to create a zone file for a forward or reverse zone or root level server. This objective includes setting appropriate values for the SOA resource record, NS records, and MX records. Also included is adding hosts with A resource records and CNAME records as appropriate, adding hosts to reverse zones with PTR records, and adding the zone to the /etc/named.conf file using the zone statement with appropriate type, file and masters values. A candidate should also be able to delegate a zone to another DNS server.
Key files, terms, and utilities include:
contents of /var/named
zone file syntax
resource record formats
dig
nslookup
host
- 2.207.3 Securing a DNS server
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 3
Description: The candidate should be able to configure BIND to run as a non-root user, and configure BIND to run in a chroot jail. This objective includes configuring DNSSEC statements such as key and trusted-keys to prevent domain spoofing. Also included is the ability to configure a split DNS configuration using the forwarders statement, and specifying a non-standard version number string in response to queries.
Key files, terms, and utilities include:
SysV init files or rc.local
/etc/named.conf
/etc/passwd
dnskeygen
Topic 208: Web Services
- 2.208.1 Implementing a web server
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 2
Description: Candidates should be able to install and configure an Apache web server. This objective includes monitoring Apache load and performance, restricting client user access, configuring mod_perl and PHP support, and setting up client user authentication. Also included is configuring Apache server options such as maximum requests, minimum and maximum servers, and clients.
Key files, terms, and utilities include:
access.log
.htaccess
httpd.conf
mod_auth
htpasswd
htgroup
- 2.208.2 Maintaining a web server
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 2
Description: Candidates should be able to configure Apache to use virtual hosts for websites without dedicated IP addresses. This objective also includes creating an SSL certification for Apache and defining SSL definitions in configuration files using OpenSSL. Also included is customizing file access by implementing redirect statements in Apache's configuration files.
Key files, terms, and utilities include:
httpd.conf
- 2.208.3 Implementing a proxy server
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 2
Description: Candidates should be able to install and configure a proxy server using Squid. This objective includes implementing access policies, setting up authentication, and utilizing memory usage.
Key files, terms, and utilities include:
squid.conf
acl
http_access
Topic 210: Network Client Management
- 2.210.1 DHCP configuration
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 2
Description: The candidate should be able to configure a DHCP server and set default options, create a subnet, and create a dynamically-allocated range. This objective includes adding a static host, setting options for a single host, and adding bootp hosts. Also included is to configure a DHCP relay agent, and reload the DHCP server after making changes.
Key files, terms, and utilities include:
dhcpd.conf
dhcpd.leases
- 2.210.2 NIS configuration
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 1
Description: The candidate should be able to configure an NIS server and create NIS maps for major configuration files. This objective includes configuring a system as a NIS client, setting up an NIS slave server, and configuring ability to search local files, DNS, NIS, etc. in nsswitch.conf.
Key files, terms, and utilities include:
nisupdate, ypbind, ypcat, ypmatch, ypserv, ypswitch, yppasswd, yppoll, yppush, ypwhich, rpcinfo
nis.conf, nsswitch.conf, ypserv.conf
Contents of /etc/nis/: netgroup, nicknames, securenets
Makefile
- 2.210.3 LDAP configuration
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 1
Description: The candidate should be able to configure an LDAP server. This objective includes configuring a directory hierarchy, adding group, hosts, services and other data to the hierarchy. Also included is importing items from LDIF files and adding items with a management tool, as well as adding users to the directory and changing their passwords.
Key files, terms, and utilities include:
slapd
slapd.conf
- 2.210.4 PAM authentication
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 2
Description: The candidate should be able to configure PAM to support authentication via traditional /etc/passwd, shadow passwords, NIS, or LDAP.
Key files, terms, and utilities include:
/etc/pam.d
pam.conf
Topic 212: System Security
- 2.212.2 Configuring a router
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 2
Description: The candidate should be able to configure ipchains and iptables to perform IP masquerading, and state the significance of Network Address Translation and Private Network Addresses in protecting a network. This objective includes configuring port redirection, listing filtering rules, and writing rules that accept or block datagrams based upon source or destination protocol, port and address. Also included is saving and reloading filtering configurations, using settings in /proc/sys/net/ipv4 to respond to DOS attacks, using /proc/sys/net/ipv4/ip_forward to turn IP forwarding on and off, and using tools such as PortSentry to block port scans and vulnerability probes.
Key files, terms, and utilities include:
/proc/sys/net/ipv4
/etc/services
ipchains
iptables
routed
- 2.212.3 Securing FTP servers
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 2
Description: The candidate should be able to configure an anonymous download FTP server. This objective includes configuring an FTP server to allow anonymous uploads, listing additional precautions to be taken if anonymous uploads are permitted, configuring guest users and groups with chroot jail, and configuring ftpaccess to deny access to named users or groups.
Key files, terms, and utilities include:
ftpaccess, ftpusers, ftpgroups
/etc/passwd
chroot
- 2.212.4 Secure shell (OpenSSH)
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 2
Description: The candidate should be able to configure sshd to allow or deny root logins, enable or disable X forwarding. This objective includes generating server keys, generating a user's public/private key pair, adding a public key to a user's authorized_keys file, and configuring ssh-agent for all users. Candidates should also be able to configure port forwarding to tunnel an application protocol over ssh, configure ssh to support the ssh protocol versions 1 and 2, disable non-root logins during system maintenance, configure trusted clients for ssh logins without a password, and make multiple connections from multiple hosts to guard against loss of connection to remote host following configuration changes.
Key files, terms, and utilities include:
ssh, sshd
/etc/ssh/sshd_config
~/.ssh/identity.pub and identity, ~/.ssh/authorized_keys
.shosts, .rhosts
- 2.212.5 TCP_wrappers
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 1
Description: The candidate should be able to configure tcpwrappers to allow connections to specified servers from only certain hosts or subnets.
Key files, terms, and utilities include:
inetd.conf, tcpd
hosts.allow, hosts.deny
xinetd
- 2.212.6 Security tasks
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 3
Description: The candidate should be able to install and configure kerberos and perform basic security auditing of source code. This objective includes arranging to receive security alerts from Bugtraq, CERT, CIAC or other sources, being able to test for open mail relays and anonymous FTP servers, installing and configuring an intrusion detection system such as snort or Tripwire. Candidates should also be able to update the IDS configuration as new vulnerabilities are discovered and apply security patches and bugfixes.
Key files, terms, and utilities include:
Tripwire
telnet
nmap
Topic 214: Network Troubleshooting
- 2.214.7 Troubleshooting network issues
Modified: 2001-August-24
Maintainer: Dimitrios Bogiatzoules
Weight: 1
Description: Candidates should be able to identify and correct common network setup issues to include knowledge of locations for basic configuration files and commands.
Key files, terms, and utilities include:
/sbin/ifconfig
/sbin/route
/bin/netstat
/etc/network or /etc/sysconfig/network-scripts
system log files such as /var/log/syslog and /var/log/messages
/bin/ping
/etc/resolv.conf
/etc/hosts
/etc/hosts.allow && /etc/hosts.deny
/etc/hostname || /etc/HOSTNAME
/sbin/hostname
/usr/sbin/traceroute
/usr/bin/nslookup
/usr/bin/dig
/bin/dmesg
host