
Chapter 15: Advanced Topics and Troubleshooting

The Complete Guide to Linux System Administration

Objectives
- Understand X Window System scripts and remote access
- Implement basic system security
- Use simple features of common network services
- Troubleshoot common hardware and software problems


X Window System Advanced Configuration
- Challenges configuring the graphical system are rare due to improvements in:
  - XFree86 X server
  - Installation programs


Configuring X
- X software normally located in the directory /usr/X11R6
  - Sometimes called the X-root directory
  - Version 11, release 6
- Configuration file for Red Hat Linux and Fedora is called xorg.conf, located in the /etc/X11 directory
- Commercial X servers use different configuration files


Configuring X (continued)
- xvidtune program
  - Adjusts finer details of the display
  - Can damage the monitor if used carelessly
- system-config-display program configures:
  - Screen resolution
  - Number of colors


Configuring X (continued)


Using X Window System Start-up Scripts
- X Window System starts automatically every time a user logs in at the graphical prompt
- startx command
  - Starts the X Window System from the command line
  - Script located in /usr/X11R6/bin
  - Starts the xinit program
- Place scripts in the user's home directory to define the graphical configuration for that user


Using X Window System Start-up Scripts (continued)
- Background application
  - Does not prevent the program that started it from going on to other tasks
  - xinit scripts can start an X client, then go on to start another
- Window manager
  - Responsible for controlling the graphical screen
  - Started last by xinit


Using X Window System Start-up Scripts (continued)


Adjusting the Display of Graphical Applications
- X resource
  - Separate screen elements such as:
    - Scroll bars
    - Text fonts
    - Mouse pointers
    - Title bars for windows or dialog boxes
- Collection of default X resource settings applies to all X applications


Adjusting the Display of Graphical Applications (continued)
- Resource database file
  - Settings apply only when a specific user runs a specific application
  - Main file app-defaults located at /usr/X11R6/lib/X11
  - User's home directory can contain additional settings:
    - .Xresources
    - .Xdefaults


Adjusting the Display of Graphical Applications (continued)
- xrdb command
  - Loads the initial X resource database file
  - Adds resource configuration details from files: xrdb -load $HOME/.Xresources
- xfontsel command
  - See the fonts supported by the X Window System
- xset command
  - Adjust the behavior of X to suit preferences


Using a Graphical Login Screen
- Most Linux distributions start in run level 5
  - Graphical environment
- xdm program
  - Graphical login screen provided by the X display manager
  - Versions specific to KDE and GNOME are called:
    - kdm
    - gdm
- Session defines the set of graphical programs to run when a user logs in



Using a Graphical Login Screen (continued)
- Xsession file specifies which programs are started by a particular session name
  - xdm executes the file /etc/X11/xdm/Xsession to determine which X clients to run
- Xsession file placed in the user's home directory
  - Controls which sessions a specific user has available
- Files in the /etc/X11/xdm subdirectory configure features of xdm



Using a Graphical Login Screen (continued)
- Any type of computer can run an X server
- Graphical application decides which X server to use
  - By default uses the X server on the same computer
  - Specify a different server with:
    - DISPLAY environment variable
    - Add a display option to the command
- Configuring remote display security
  - X server on the remote host is configured to allow other computers to display programs there

Using a Graphical Login Screen (continued)
- xhost command specifies the name of a remote computer permitted to use the local X server
  - Insecure
- xauth command restricts access to users on the remote system who have a specific token
  - Commonly called a cookie
  - MIT magic cookie


Using a Graphical Login Screen (continued)
- .Xauthority files
  - Stored in the user's home directory
  - User-to-user security system
- Remote graphical login
  - Log in to a Linux system and use the graphical environment as if sitting at that system
  - Uses XDMCP
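The slides contrast host-based access (xhost, insecure) with cookie-based access (xauth and .Xauthority). The script below is an added example, not from the book: xhost_state classifies saved `xhost` output into the three states an administrator cares about, and xauthority_perms_ok checks that a cookie file is readable only by its owner. The sample outputs are constructed in the format xhost prints; they were not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the book): two quick checks for the X access
# controls described above. xhost_state classifies saved `xhost` output, and
# xauthority_perms_ok checks that a cookie file is private to its owner.
# The sample outputs below are constructed, not captured from a real server.

# Read `xhost` output on stdin and print one word:
#   open       access control disabled: anything that reaches the X port connects
#   host-list  access control enabled, but whole hosts are trusted, so every
#              user on those hosts can open windows and read keystrokes
#   cookie     access control enabled with no host-wide entries; a client
#              must present the MIT magic cookie from .Xauthority
xhost_state() {
    state=cookie
    while IFS= read -r line; do
        case "$line" in
            "access control disabled"*) state=open ;;
            INET:*|INET6:*|LOCAL:*)     [ "$state" = open ] || state=host-list ;;
        esac
    done
    echo "$state"
}

# Return 0 when the file is a regular file with mode rw------- (0600).
# Anything wider lets other local users read the cookie and attach to the
# display as if they were you. The mode is taken from ls -l so the check does
# not depend on GNU versus BSD stat options.
xauthority_perms_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed sample outputs in the format xhost prints
SAMPLE_OPEN='access control disabled, clients can connect from any host'
SAMPLE_HOSTS='access control enabled, only authorized clients can connect
INET:lab.example.com'
SAMPLE_COOKIE='access control enabled, only authorized clients can connect
SI:localuser:alice'

for s in "$SAMPLE_OPEN" "$SAMPLE_HOSTS" "$SAMPLE_COOKIE"; do
    printf '%s\n' "$s" | xhost_state
done
# On a live system:  xhost | xhost_state ;  xauthority_perms_ok "$HOME/.Xauthority"
```

The three samples classify as open, host-list and cookie. The cookie state is the one to aim for: to let a client on another machine reach the display, copy the cookie to that user with `xauth extract - "$DISPLAY" | ssh otherhost xauth merge -` (or let ssh -X set up its own cookie) rather than opening the server with xhost.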


Displaying X Clients Remotely
- X protocol
  - The X Window System uses its own protocol to communicate between the X server and each X client
  - Can be used over network connections


Displaying X Clients Remotely (continued)


Security Issues: The Structure of a Secure Network
- Security divided into areas:
  - Physical security
  - User security
  - File security
  - Network security


Types of Security Attacks
- Password cracking
- Trojan horse
- Buffer overflow attacks
- Denial-of-service (DoS)
- Port scanning
- Packet sniffing


Security Tools
- nmap
  - Most widely used port-scanning utility
  - Can use a variety of different scanning methods: nmap -sS www.myplace.net
- nmapfe utility
  - Graphical interface
- IPTraf program
  - Popular tool for viewing network activity on a LAN


Security Tools (continued)
- tcpdump utility
  - Similar to the IPTraf program
  - Also includes more detailed information about packets on the network
- Ethereal
  - One of the best packet-sniffing tools
  - Network traffic analysis tool


Security Tools (continued)
- Intrusion detection system (IDS) watches the network for activity that may indicate an attacker is looking for a way to enter the server
- Linux Intrusion Detection System (LIDS)
  - Adds a module to the Linux kernel
  - Blocks access to resources for all users except as configured by LIDS


Security Tools (continued)
- Security audit
  - Review or test of how secure a system really is
  - What needs to be done to improve its security
- Security Administrator's Integrated Network Tool (SAINT) utility
  - Uses a Web browser interface to manage an attack on the network
  - Reports the vulnerabilities it finds


Viruses and Worms
- Security threats designed to replicate themselves once installed on a system
  - Virus tries to replicate as part of another program
  - Worm attempts to infiltrate other systems on its own
- Linux rarely the subject of virus attacks
- Worms pose a greater threat than viruses


Security Organizations
- CERT Coordination Center (CERT/CC)
  - U.S. Federal government-funded software engineering institute
  - Maintains lists of security vulnerabilities, alerts, incident reports
- System Administration, Networking, and Security (SANS) Institute
  - Education and research organization
  - Web site: www.sans.org

Security Organizations (continued)
- Global Information Assurance Certification (GIAC) program
  - Certification program for security professionals from SANS


Using Network Services
- Most network services are installed by default
- Controlled using a script in the /etc/rc.d/init.d directory or using the service command


Using NetFilter for Firewalls
- Firewall
  - Hardware device or software program that prevents unintended network access
- Packet filter
  - Firewall that examines each packet
  - Decides how to process it based on firewall rules
- NetFilter defines rules in IP tables


Using NetFilter for Firewalls (continued)
- Packet stages
  - Input
  - Forward
  - Output
- iptables command creates and manages firewall rules
  - Rules are executed in the order defined in the chain


Using NetFilter for Firewalls (continued)
- Network address translation (NAT)
  - Routing technique
  - Alters addresses or other information in a packet
- IP masquerading
  - Type of network address translation
  - Packets from many computers on a LAN are altered to appear as if they came from a single computer
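The three slides above name the pieces: the INPUT, FORWARD and OUTPUT chains, rule order within a chain, and masquerading. The script below is an added example, not from the book, that puts them together for a host with a LAN interface and an Internet interface. It emits the iptables commands in loading order rather than running them, so the ordering can be read and checked without root; the interface names eth0/eth1 and the 192.168.1.0/24 network are assumed values.

```shell
#!/bin/sh
# Added example (not from the book): a minimal NetFilter rule set for a
# two-interface host that forwards and masquerades a LAN. It is written as a
# function that emits iptables commands in the order they must be loaded, so
# the ordering can be inspected (or checked) without root. Load it for real
# with `firewall_rules | sh` as root. Interface names and the LAN prefix are
# assumed values, not taken from the book.

LAN_IF=eth1              # assumed: interface facing the LAN
WAN_IF=eth0              # assumed: interface facing the Internet
LAN_NET=192.168.1.0/24   # assumed: private LAN behind this host

firewall_rules() {
    # 1. Flush old rules and set default policies. Rules are matched in chain
    #    order and the policy applies only when nothing matched, so a DROP
    #    policy on INPUT/FORWARD means "deny unless a later rule allows".
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # 2. INPUT chain: packets addressed to this host. Loopback and replies to
    #    our own connections first (they are the bulk of the traffic), then the
    #    one service exposed to the LAN, then log whatever is about to be
    #    dropped by the policy. Putting the LOG rule first would log everything.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A INPUT -j LOG --log-prefix 'INPUT DROP: '"

    # 3. FORWARD chain: packets passing through this host between interfaces.
    #    Only the LAN may originate connections; the replies come back in
    #    through the state match.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"

    # 4. NAT table: IP masquerading rewrites the source address of LAN packets
    #    leaving on the WAN interface so they appear to come from this host.
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"

    # 5. Forwarding is off by default; the FORWARD rules do nothing without it.
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Line number of the first emitted rule matching a pattern; used to confirm
# that the accept rules come before the logging rule.
rule_position() {
    firewall_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

firewall_rules
```

Because iptables appends with -A, the order of the echo lines is the order of the chain. Swapping the LOG rule above the ESTABLISHED,RELATED rule would not change what is accepted, but it would log every reply packet, which is the kind of ordering mistake a dry run makes visible.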


Using NetFilter for Firewalls (continued)
- system-config-securitylevel program sets up reasonable rules based on:
  - How secure the system should be
  - Specific protocols to leave more open
- Other graphical firewall programs that use IP tables:
  - Firestarter
  - Mason
  - KMyFirewall
  - GuardDog

Setting Up a DNS Name Server
- Root name servers
  - DNS servers designated as the starting point for DNS queries
- Master DNS server or primary DNS server
  - Provides information on a domain
- Slave DNS server or secondary DNS server
  - Contains a backup copy of the DNS information
- named
  - Daemon that implements DNS

Setting Up a DNS Name Server (continued)
- Caching name server
  - Queries other DNS servers and caches the results
- Zone
  - A DNS server maintains information for at least part of a domain
- Zone information files
  - Define host names and their corresponding IP addresses
- rndc utility
  - Controls the named daemon from the command line

Setting Up a DNS Name Server (continued)
- dig utility
  - Query any DNS server
- whois
  - Information about the organization that registered a domain name


File Sharing with NFS
- Work with hard disks located all over the local network as if they were part of the local directory structure
- NFS protocol implemented by several daemons:
  - rpc.mountd
  - nfsd
  - rpc.rquotad
  - rpc.statd


File Sharing with NFS (continued)
- /etc/exports file defines which local directories should be accessible to remote users
- exportfs command activates the contents of /etc/exports
- Squashing prevents a user from gaining access to a user account on the NFS server because the user has the same ID on the NFS client
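The /etc/exports rules above are easy to get wrong in two ways: exporting to every host, and switching squashing off. The script below is an added example, not from the book, that audits an exports file for both. The sample file it checks is constructed; its paths and network are illustrative.

```shell
#!/bin/sh
# Added example (not from the book): audits an NFS exports file for the two
# mistakes the slides warn against, directories exported to any host and
# exports that switch squashing off. The sample file below is constructed.

# exports(5) lines look like:  /path  client1(opt,opt)  client2(opt,opt)
# Print one finding per line as "<path> <client> <finding>".
audit_exports() {
    sed -e 's/#.*//' "$1" | awk '
    NF > 0 {
        path = $1
        for (i = 2; i <= NF; i++) {
            entry = $i
            client = entry
            opts = ""
            p = index(entry, "(")
            if (p > 0) {
                client = substr(entry, 1, p - 1)
                opts = substr(entry, p + 1, length(entry) - p - 1)
            }
            # "/path (rw)" with a space before the options has an empty client
            # field, which exportfs treats exactly like "*": every host.
            if (client == "") client = "*"
            if (client == "*") print path, client, "open-to-any-host"
            # root_squash is the default, so no_root_squash only appears when
            # someone wrote it; a remote root then acts as root on this server.
            if (index("," opts ",", ",no_root_squash,") > 0) print path, client, "no_root_squash"
        }
    }'
}

# Constructed sample /etc/exports (not a real file)
sample_exports() {
    cat <<'EOF'
# constructed sample, not a real exports file
/srv/public   192.168.1.0/24(ro,root_squash)
/srv/homes    192.168.1.0/24(rw,sync)
/srv/build    *(rw,no_root_squash)
/srv/scratch  (rw)
EOF
}

f=$(mktemp)
sample_exports > "$f"
audit_exports "$f"
rm -f "$f"
```

On the sample the audit reports three findings: /srv/build is open to any host and has no_root_squash, and /srv/scratch is open to any host because of the space before (rw). The /srv/public and /srv/homes lines, which name a network and keep root squashed, produce nothing. On a live server run `audit_exports /etc/exports`.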


Setting Up a Samba Server
- Samba suite
  - File and print sharing using the SMB and CIFS protocols
- Server daemons
  - nmbd
  - smbd
- smb.conf
  - Main configuration file


Setting Up a Samba Server (continued)
- Common to allow everyone with a Linux user account to log in via Samba
- SWAT
  - Graphical configuration tool for Samba
  - Runs as a network service managed by the superserver
  - Access SWAT at http://localhost:901/


Creating a Proxy Server with Squid
- Proxy server
  - Lets one server make a request on behalf of another
  - Done to improve the efficiency and security of the network
- Squid requires significant configuration before use
  - In the file /etc/squid/squid.conf
- Transparent proxy redirects a network packet based on the port to which the packet is addressed


Creating a Linux Web Server with Apache
- Daemon named httpd
  - Control with the apachectl program
- /etc/httpd/conf directory
  - Configuration files
- Many features implemented as loadable modules
- Container activates other directives only if a condition is met or only within a particular context


Configuring a Basic E-mail Server
- Mail Transfer Agent (MTA) moves mail between e-mail servers
- Mail Delivery Agent (MDA) examines messages and delivers them to the user's mailbox file
- Mail User Agent (MUA) lets the user:
  - View messages stored in the mailbox
  - Create new messages


Configuring a Basic E-mail Server (continued)
- sendmail
  - Most widely known e-mail server
  - Managed using a standard script in /etc/rc.d/init.d
- /etc/sendmail.cf
  - Configuration file
  - Considered to be the single most difficult Linux configuration file to master
- m4 program
  - Configures sendmail

Configuring a Basic E-mail Server (continued)


- E-mail alias
  - Another name that can deliver e-mail messages to a user
  - Configured in sendmail with the /etc/aliases file
- Monitor sendmail
  - /var/log/maillog file
  - hoststat
  - mailq
  - mailstats

Using Superservers for Network Services
- Superserver
  - Listens on multiple network ports and starts the appropriate service when a client connection arrives for a port
- Programs
  - inetd
  - xinetd


Using Superservers for Network Services (continued)
- tcpd
  - TCP wrappers
  - Examines an incoming network connection
  - Compares it to the configuration files to determine whether the connection is allowed
  - Configured by:
    - /etc/hosts.allow
    - /etc/hosts.deny
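The slide lists the two files tcpd consults but not the order, which is what decides the outcome: hosts.allow is read first and the first matching line allows, then hosts.deny and the first matching line denies, and a connection matched by neither file is allowed. The script below is an added example, not from the book, that emulates that decision for the common pattern forms so a hosts.allow/hosts.deny pair can be tried before it is deployed. The sample files are constructed; EXCEPT lists and option fields are not handled.

```shell
#!/bin/sh
# Added example (not from the book): a small emulation of the tcpd decision
# rule, so the effect of a hosts.allow/hosts.deny pair can be checked before
# it is deployed. tcpd consults /etc/hosts.allow first and grants the
# connection on the first matching line, then /etc/hosts.deny and refuses on
# the first matching line, and allows anything matched by neither file. Only
# the common patterns (ALL, LOCAL, exact names, "192.168.1." prefixes and
# ".example.com" suffixes) are handled; the EXCEPT operator is not. The
# sample files are constructed.

# Does one pattern from a daemon or client list match a name?
wrap_match() {   # $1=pattern $2=name
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;   # name without a dot
        .*)    case "$2" in *"$1") return 0 ;; esac; return 1 ;;     # domain suffix
        *.)    case "$2" in "$1"*) return 0 ;; esac; return 1 ;;     # network prefix
        *)     [ "$1" = "$2" ] ;;
    esac
}

# Does any pattern in a comma- or space-separated list match the name?
list_match() {   # $1=list $2=name
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        wrap_match "$pat" "$2" && return 0
    done
    return 1
}

# Does any "daemon_list : client_list [: ...]" line in the file match?
file_matches() {   # $1=file $2=daemon $3=client
    sed -e 's/#.*//' "$1" | {
        while IFS= read -r line; do
            case "$line" in *:*) ;; *) continue ;; esac
            daemons=${line%%:*}
            rest=${line#*:}
            clients=${rest%%:*}
            if list_match "$daemons" "$2" && list_match "$clients" "$3"; then
                exit 0      # leaves the subshell: a matching line was found
            fi
        done
        exit 1
    }
}

# Apply the tcpd order: allow file, then deny file, then default allow
tcpd_decision() {   # $1=hosts.allow $2=hosts.deny $3=daemon $4=client
    if file_matches "$1" "$3" "$4"; then echo ALLOW; return; fi
    if file_matches "$2" "$3" "$4"; then echo DENY; return; fi
    echo ALLOW     # nothing matched: tcpd lets the connection through
}

sample_hosts_allow() {
    cat <<'EOF'
# constructed sample /etc/hosts.allow
sshd    : 192.168.1. , .corp.example.com
in.ftpd : LOCAL
EOF
}

sample_hosts_deny() {
    cat <<'EOF'
# constructed sample /etc/hosts.deny: refuse everything not explicitly allowed
ALL : ALL
EOF
}

ALLOW_FILE=$(mktemp); sample_hosts_allow > "$ALLOW_FILE"
DENY_FILE=$(mktemp);  sample_hosts_deny  > "$DENY_FILE"
for c in 192.168.1.25 10.0.0.5 build.corp.example.com; do
    echo "sshd from $c: $(tcpd_decision "$ALLOW_FILE" "$DENY_FILE" sshd "$c")"
done
# Without the ALL : ALL line in hosts.deny the same request from 10.0.0.5 is
# allowed, which is why hosts.deny must not be left empty.
echo "sshd from 10.0.0.5 with empty hosts.deny: $(tcpd_decision "$ALLOW_FILE" /dev/null sshd 10.0.0.5)"
rm -f "$ALLOW_FILE" "$DENY_FILE"
```

With the sample pair, sshd is allowed from 192.168.1.25 and from build.corp.example.com and denied from 10.0.0.5; in.ftpd is allowed from a hostname without a dot (LOCAL) and in.telnetd is denied from everywhere, because no hosts.allow line names it and hosts.deny ends with ALL : ALL. The last line of the script shows the default-allow behaviour: with an empty hosts.deny the 10.0.0.5 request goes through.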


Troubleshooting and Recovery
- Having an appropriate methodology makes it easier to locate and fix problems
- Basic methodology for troubleshooting:
  - What system or service is causing the problem?
  - Can I eliminate other possible causes to limit the scope of the problem?


Troubleshooting Linux Installation
- Installation program doesn't boot
  - Boot disk created incorrectly
  - BIOS configured to start the operating system from the hard disk without first checking the floppy disk or CD-ROM
  - Installation program not able to detect the video card


Troubleshooting Linux Installation (continued)
- After Linux is installed, the system doesn't boot
  - Another boot manager installed in the MBR
  - Trouble identifying hardware on the system that was not detected during the installation process
- Graphical interface doesn't work
  - Some video cards not supported by XFree86
  - Supported by commercial X Window System products


Troubleshooting Linux Installation (continued)
- Device or part of memory isn't available
  - Hardware not correctly configured
  - Linux does not access all of the available system RAM because of limitations in the computer's BIOS


Diagnosing Device Status
- Utilities to learn about devices:
  - /proc file system
  - lspci
  - setserial
  - usbmodules


Troubleshooting Network Connections


Troubleshooting Network Connections (continued)


Creating Rescue Disks
- Rescue disk
  - 3.5-inch disk used to boot a Linux-based computer
  - Create it when installing Linux
- Rescue mode
  - Boots from CD
  - Searches for Fedora installations
  - Launches a console to repair problems


Summary
- Scripts used by the X Window System determine exactly which programs to start
- Graphical login screen handled by xdm
- Graphical programs can be displayed remotely
- Computer security often divided into categories
- Linux uses a firewalling and packet-filtering system called NetFilter


Summary (continued)
- DNS server on Linux implemented using the named daemon
- NFS permits remote users to mount a file system on an NFS server as part of their directory structure
- Apache Web server included with most Linux distributions
- Systematically eliminating possible problems is a good methodology for troubleshooting
