How to Install, Configure, Administer and Troubleshoot Linux

About This Presentation

Title:

How to Install, Configure, Administer and Troubleshoot Linux

Description:

Linus wrote the kernel (the heart of the OS) while a ... Sherwin Williams. Disney. 7. Linux Essentials. 8. Linux Essentials. The basic configuration steps ... – PowerPoint PPT presentation

Number of Views:1157

Avg rating:3.0/5.0

Slides: 211

Provided by: busines6

Category:

more less

Transcript and Presenter's Notes

Title: How to Install, Configure, Administer and Troubleshoot Linux

1
How to Install, Configure, Administer and
Troubleshoot Linux
2
An Overview of Red Hat
3
An Overview of Red Hat

What is Linux?
A free, Unix clone operating system
Developed from 1991-1994 by Linus Torvalds
Linus wrote the kernel (the heart of the OS)
while a student at the University of Helsinki in
Finland
The Internet community enhanced it

4
An Overview of Red Hat

What Features are in Linux?
Multiuser, multitasking
GUI (X Window System)
Supported with third-party desktop environments
(GNOME and KDE)
Hardware and network protocol support
Application support
POSIX.1 compatible (for job control) IEEE Std.
1003.1-1990 Standard for Information Technology
Portable Operating System Interface (POSIX) -
Part 1 System Application Programming Interface
(API)

5
An Overview of Red Hat

Why Choose Red Hat?
Software packaging and distribution (RPM)
Easy installation (anaconda and disk druid)
UNIX System-V run-level scripting
Desktop managers ready-to-run
Administration tools
Testing and support (RHN and up2date)

6
An Overview of Red Hat

Companies Using Red Hat Linux
Credit Suisse Bank
First Boston Bank
Amazon.com
Morgan Stanley
Cisco Systems
AOL-Time Warner
Sherwin Williams
Disney

7
Linux Essentials
8
Linux Essentials

The basic configuration steps
Other operating systems needed or present
Is there available hard disk space
Will the Linux installation be
Personal Desktop (1.5 1.8 GB)
Workstation (2.0 2.3 GB)
Server (1.3 2.1 GB)
Custom (400 MB 4.5 GB)
Upgrade (existing)

9
Linux Essentials

Change BIOS to boot from CD
Boot from Disk 1
At installation Welcome screen type text at
command prompt
Language English
Keyboard US
Mouse Generic 2 Button Mouse (PS/2)

10
Linux Essentials

Welcome OK
What type of system? Custom
Disk Partitioning Setup Disk Druid
Delete all existing partitions

11
Linux Essentials

Partitioning
Auto Partitioning
Disk Druid
fdisk

12
Linux Essentials

Adding Partitions
Mount Point
Filesystem Type
Allowable Drives
Size
Fixed size
Fill max size of
Fill all available space

13
Linux Essentials

Adding Partitions
Force to be a primary partition
Check for bad blocks

14
Linux Essentials

Add the following partitions
/boot 75 MB
/ 512 MB
/usr 2500 MB
/var 512 MB
/tmp 512 MB
/home 100 MB
Swap (no mount point use swap fs) 256 MB

15
Linux Essentials

After adding partitions, select OK and save new
partition scheme
Boot Loader Configuration Grub
Where do you want to install the boot loader?
(MBR) Master Boot Record
Pass special options - leave blank
Booting other Oss leave default

16
Linux Essentials

Network Configuration Use bootp/dhcp do NOT
activate on bootup
Firewall Medium Customize (select eth0 as
trusted device)
Language Support English (USA)
Time Zone Selection Hardware clock set to GMT?
leave blank

17
Linux Essentials

Root Password set as password
Add User do not add user at this time

18
Linux Essentials

Authentication Configuration
Shadow Passwords
MD5 Passwords
NIS
LDAP
Kerberos

19
Linux Essentials

Authentication Configuration leave all at
default setting

20
Linux Essentials

Package Group Selection
Administration Tools
DNS Name Server
Development Tools
FTP Server
Gnome Desktop Environment
Graphical Internet
Kernel Development

21
Linux Essentials

Package Group Selection cont.
Mail Server
Network Server
Printing Support
Server Configuration Tools
System Tools
Web Server

22
Linux Essentials

Package Group Selection cont.
Windows File Server
X Window System
Select Individual Packages

23
Linux Essentials

Individual Package Selection (in addition to what
is already selected)
Applications/System
- ipxutils
- samba-swat

24
Linux Essentials

Individual Package Selection (in addition to what
is already selected)
System Environment/Daemons
- sendmail-cf
- sendmail-devel

25
Linux Essentials

Installation Log OK
Would You Like To Create Boot Disk? No
Video Card Configuration Skip X Configuration
Complete OK

26
Linux Essentials
C
D
F
E
27
Linux Essentials
/dev/hda1
/boot
/
/dev/hda7
/dev/hda5
/usr
/var
/dev/hda6
28
Linux Essentials
29
/boot
/
/usr
cdrom
/var
30
Must-Know Administration Tools and Techniques

Navigating the Red Hat Filesystem
Complies with the (FHS) Filesystem Hierarchy
Standard

31
Must-Know Administration Tools and Techniques

Navigating the Red Hat Filesystem
White text
Green executable
Dark blue directory
Light blue soft link
Light green hard link
Yellow device
Red archive/zip
Pink graphic/image

32
Linux Essentials

File/Directory Syntax
cd /root/docs
cd docs
mkdir /mnt/win
mkdir win

33
Linux Essentials

Troubleshooting a failed Linux installation
Video cards and monitors are number one source of
configuration errors
Everything is logged to
/root/install.log
/root/upgrade.log

34
Linux Essentials

Deciphering the on-screen messages during the
boot and halt processes
Press Shift and Page Up/Down keys together
View recorded information in
/var/log/dmesg
/var/log/boot.log

35
Linux Essentials

How the Boot Loader (Grub) works
Assumes control after the BIOS (Basic
Input/Output System) POST (Power-On Self Test)
BIOS passes control to the MBR (Master Boot
Record), where Grub should be located
Grub offers prompts for selecting from multiple
operating systems

36
Linux Essentials

How to create a Grub boot floppy after
installation
At command prompt
uname -r
mkbootdisk 2.4.x-y

37
Linux Essentials

Configure X Windows after installation
redhat-config-xfree86
Configuration files located in /etc/X11
startx

38
Linux Essentials

Login as root
redhat-config-xfree86
Select Resolution - 1024x768
Select Color Depth Thousands of colors (16 bit)
Click on the Advanced tab located at the top left
of the window

39
Linux Essentials

Make changes to the Monitor configuration if
necessary
Make changes to the Video Card configuration if
necessary
Click on the OK button at the lower right of the
window

40
Linux Essentials

Click on the OK button of the Display settings
changed window
startx

41
Must-Know Administration Tools and Techniques
42
Must-Know Administration Tools and Techniques

Creating accounts/groups in a shell
useradd ltusergt - add users
/etc/login.defs contains default login settings
/etc/skel user home directory template
/etc/passwd - contains account information
/etc/group - contains group information
/etc/shadow - contains account passwords
userdel ltusergt - remove users

43
Must-Know Administration Tools and Techniques

Creating accounts/groups in a shell
passwd ltusergt - change passwords
groupadd ltgroupgt - create new groups
gpasswd -a ltusergt ltgroupgt - add user to new group

44
Must-Know Administration Tools and Techniques

Users can also be administered via X using User
Manager
Main menu -gt System Settings -gt Users and Groups

45
Must-Know Administration Tools and Techniques

The shell configuration
bash (Bourne Again Shell)
sh (Bourne Shell)
csh (C Shell)
ksh (Korn Shell)

46
Must-Know Administration Tools and Techniques

Managing your login session
ltCtrlgtltAltgtltFngt - Toggles terminal X windows
history - history of commands issued
!lthistorygt - repeat command
can use up/down arrow keys to scroll through
history list

47
Must-Know Administration Tools and Techniques

Working with the filesystem
df - display free space
cat ltfilegt - displays contents of file
info lttopicgt - displays information about a
particular command or configuration file
ls - display contents of directory

48
Must-Know Administration Tools and Techniques
-rwxrwxrwx
Group- owner
Others
Owner
49
Must-Know Administration Tools and Techniques

Managing file permissions
chmod ltpermissionsgt ltfilegt - change file
permissions
chown ltownergt ltfilegt - change owner
chgrp ltgroupgt ltfilegt - change group

50
Must-Know Administration Tools and Techniques

Octal permission set
r 4
w 2
x 1

51
Must-Know Administration Tools and Techniques
-rwxr-x--x
421 7
001 1
401 5
chmod 751 ltfilenamegt
52
Must-Know Administration Tools and Techniques

System-V run levels
0 system halt
1 single-user mode
2 multiuser mode, no network or X support
3 multiuser mode with network support
4 multiuser mode with network support
5 multiuser mode with network and X support
6 system reboot

53
Must-Know Administration Tools and Techniques

System-V run levels
/etc/rc.d contains scripting directories
Scripts are maintained in /etc/rc.d/init.d
/etc/rc.d/rcn.d contains links to init.d scripts
Number represents priority (low higher
priority)
K for "kill"
S for "start"

54
Must-Know Administration Tools and Techniques

Also in /etc/rc.d
rc.sysinit - loads kerneld, checks and mounts
filesystems and turns on swapping
rc - manages the run level processes inherited
from rc.sysinit and inittab
rc.local programs to execute when the system
boots, after all other routines are completed

55
Must-Know Administration Tools and Techniques

Vi
vi ltfilenamegt
i - insert text before cursor
Esc return to command mode
q! - quit without saving
wq - write and quit

56
Must-Know Administration Tools and Techniques

Disk quotas
Impose quotas on the file system to limit disk
consumption by users
Quotas can be defined on a per user basis
Measurements are taken against ownership of
files, so might include E-mail and Web pages

57
Must-Know Administration Tools and Techniques

Commands for administering disk quotas
edquota -u ltusernamegt
edquota -g ltgroupnamegt
edquota p ltproto-usernamegt ltusernamegt
repquota -a

58
Must-Know Administration Tools and Techniques

cp /etc/fstab /etc/fstab.bak
vi /etc/fstab
Add ,usrquota,grpquota to the line LABEL/home as
shown in the example below
LABEL/home /home ext3 defaults,usrquota,grpqu
ota 1 2
Write and quit vi
umount /home

59
Must-Know Administration Tools and Techniques

mount /home
touch /home/aquota.user
touch /home/aquota.group
quotacheck -avug
quotaon -avug
edquota -g ltgroupnamegt or edquota -u ltusernamegt

60
Must-Know Administration Tools and Techniques

Monitoring and controlling processes
ps - process status for running applications
ps -aux less display output one page at a
time
ps -aux grep ltstringgt - locate running
processes
top - listing of all currently running processes
uptime - display time passed since the system was
booted up
vmstat - virtual memory statistics
kill ltprocess IDgt - terminate processes

61
Simplifying the Complexities of Network
Administration
62
Simplifying the Complexities of Network
Administration

How TCP/IP addressing works
The InterNIC is the governing body that
classifies and delegates IP addresses
An IP address is 32-bits long and consists of two
parts, the network number and host number
The four-byte value, or IP number, converts each
byte into a decimal number (0-255) separated by a
period

63
Simplifying the Complexities of Network
Administration
128 64 192
64
Simplifying the Complexities of Network
Administration
128 32 8 168
65
Simplifying the Complexities of Network
Administration
192
0
168
2
11000000 10101000 00000000 00000010
66
Simplifying the Complexities of Network
Administration
128 64 32 16 8 4 2 1 255
67
Simplifying the Complexities of Network
Administration
255
255
255
0
11111111 11111111 11111111 00000000
68
Simplifying the Complexities of Network
Administration
11000000 10101000 00000000 00000010
11111111 11111111 11111111 00000000
11000000 10101000 00000000 00000000
192
0
168
0
69
Simplifying the Complexities of Network
Administration
Class A 10. Class B 172.16 - 172.31 Class C
192.168.0 - 192.168.255
Private IP Addresses
70
Simplifying the Complexities of Network
Administration

Network administrators utilities
ifconfig - report the status of network
interfaces or disconnect them
netstat - report TCP and UDP traffic across
network devices and ports
dig - for IP/host mappings from a DNS server
(replaces nslookup)

71
Simplifying the Complexities of Network
Administration

Configuring network interfaces on your Linux
systems
Host information
/etc/hosts
/etc/sysconfig/network
/etc/resolv.conf
Interface information
/etc/sysconfig/network-scripts/ifcfg-eth0

72
Simplifying the Complexities of Network
Administration

Configuring network interfaces on your Linux
systems
Network hardware can be manipulated dynamically
without a reboot
ifup ifcfg-eth0
ifdown ifcfg-eth0

73
Simplifying the Complexities of Network
Administration

hostname labltxgt.class.com
cd /etc/sysconfig
ls
vi network
Change line HOSTNAMElocalhost.localdomain to
HOSTNAMElabltxgt.class.com
Add line GATEWAY192.168.0.254

74
Simplifying the Complexities of Network
Administration

Write and quit vi
cd /etc/sysconfig/network-scripts
ls
vi ifcfg-eth0
Change BOOTPROTOdhcp to BOOTPROTOstatic
Change ONBOOTno to ONBOOTyes

75
Simplifying the Complexities of Network
Administration

Add line IPADDR192.168.0.ltxgt
Add line NETMASK255.255.255.0
Write and quit vi
vi /etc/hosts
Add line
192.168.0.ltxgt labltxgt.class.com labltxgt

76
Simplifying the Complexities of Network
Administration

Write and quit vi
vi /etc/resolv.conf
Add line search class.com
Write and quit vi
ifup ifcfg-eth0
ifconfig

77
Simplifying the Complexities of Network
Administration

How to assign multiple IP addresses to a single
network interface
Use the ifup-aliases script
Create a range template in /etc/sysconfig/network-
scripts for a currently identified device
Provide a start and stop range of additional IP
addresses
Range templates are started at boot without any
further modification

78
Simplifying the Complexities of Network
Administration

cd /etc/sysconfig/network-scripts
ls
cp ifcfg-eth0 ifcfg-eth0-range0
ls
vi ifcfg-eth0-range0
Change line IPADDR to
IPADDR_START"ltfirst IP address in rangegt"

79
Simplifying the Complexities of Network
Administration

Add line below IPADDR_START
IPADDR_END"ltlast IP address in rangegt"
Write and quit vi
ifup ifcfg-eth0-range0
ifconfig

80
Setting Up Internet and Intranet Services

DNS
Domain Name System
Converts (resolves) hostnames to IP addresses
Also known as forward mapping
Converts (resolves) IP addresses to hostnames
Also known as reverse mapping

81
Setting Up Internet and Intranet Services

DNS terminology
Forward Master (Primary) Zone
Host names are converted into IP addresses
Reverse Master (Primary) Zone
IP addresses are converted into host names
Slave (Secondary) Zone
Nameserver that copies zone files from a master
A zone is only copied if the serial number on the
master is larger than on the slave

82
Setting Up Internet and Intranet Services

DNS terminology
State of Authority (SOA)
The best resource of information for this domain
Mail Exchanger (MX)
The host that handles email for this domain (the
email server)
Full hostname
Hostname that includes the domain and a period
(.) at the end

83
Setting Up Internet and Intranet Services

DNS configuration
named nameserver daemon
Part of the BIND package
Berkley Internet Name Daemon

84
Setting Up Internet and Intranet Services

DNS configuration
/etc/named.conf configuration file for named
/var/named default directory for zone files
.zone files
named.ca
named.local
/etc/resolv.conf used by the resolver to locate
nameservers

85
Setting Up Internet and Intranet Services

Pointing clients to the DNS servers
/etc/resolv.conf

86
Setting Up Internet and Intranet Services

1. Main menu -gt System Settings --gtServer
Settings -gt Domain Name Service
Add a Forward Master Zone
Add a Reverse Master Zone
Apply changes and quit
/etc/rc.d/init.d/service named start
cd /etc/rc.d/rc3.d

87
Setting Up Internet and Intranet Services

7.ls
mv K45named S45named
vi /etc/resolv.conf
Add line nameserver 192.168.0.ltxgt
Write and quit vi

88
Setting Up Internet and Intranet Services

vi /etc/resolv.conf
Add line nameserver 192.168.0.ltxgt
Write and quit vi

89
Integrating Linux with UNIX-Based Systems
90
Integrating Linux with UNIX-Based Systems

How to map users between an NFS server and
clients
To share resources across nix based systems, you
will need NFS
The NFS packages and an additional package called
portmap are required
The portmap utility must be utilized to grant or
deny permissions using /etc/hosts.allow and
/etc/hosts.deny

91
Integrating Linux with UNIX-Based Systems

How an NFS server can allow access to those with
privileges, and tips on security
Users, groups and domains can be granted access
to individual filesystems through /etc/exports
Define (ro) and (rw) permissions on filesystems
Beware the lack of an authentication process

92
Integrating Linux with UNIX-Based Systems

NFS client installation and configuration tips
and techniques
An NFS client is included as default with any Red
Hat installation
The client is also available as a separate RPM
NFS shares can be loaded at boot time through run
level management
Create a mount point at /mnt/

93
Integrating Linux with UNIX-Based Systems

mkdir /home/data
chmod 777 /home/data
vi /etc/exports
Add line
/home/data 192.168.0.0/24(rw)(no spaces)
Write and quit vi
vi /etc/hosts.allow

94
Integrating Linux with UNIX-Based Systems

Add line
portmap 192.168.0.
Write and quit vi
vi /etc/hosts.deny
Add line
portmap ALL
Write and quit vi

95
Integrating Linux with UNIX-Based Systems

exportfs -vra
/etc/rc.d/init.d/nfs start
cd /etc/rc.d/rc3.d
ls
mv K20nfs S20nfs

96
Integrating Linux with UNIX-Based Systems

NFS commands
rpcinfo -p
showmount
showmount -e lthostgt

97
Integrating Linux with UNIX-Based Systems

mkdir /mnt/remote
mount labltxgt/home/data /mnt/remote
cd /mnt/remote
ls
touch ltfilenamegt
ls

98
Integrating Linux with UNIX-Based Systems

cd
umount /mnt/remote

99
Your Key To Success - Integrating Linux with
Windows-Based Computers
100
Integrating Linux with Windows-Based Computers

The Server Message Block protocol
The SMB protocol overcomes the shortfalls of NFS
by allowing for expanded file and printer sharing
services
SMB is supported by all major operating systems
today, including Windows, Windows NT, OS/2, BeOS,
Linux and many variations of Unix

101
Integrating Linux with Windows-Based Computers

Security and Access Control
Samba inherits the username from the login
session on the client computer
guest and nobody accounts are enabled by default

102
Integrating Linux with Windows-Based Computers

Connecting Linux to a Windows share
mkdir /mnt/win
smbmount //lab100/test /mnt/win -o usernamelinux
cd /mnt/win
ls
touch ltfilenamegt

103
Integrating Linux with Windows-Based Computers

ls
cd
umount /mnt/win

104
Integrating Linux with Windows-Based Computers

Configuring Samba
cd /etc/samba
cp smb.conf smb.conf.bak
vi smb.conf
Change line workgroup MYGROUP to
workgroup class.com

105
Integrating Linux with Windows-Based Computers

Uncomment and change line hosts allow to
hosts allow 192.168.0. 127.
At the end of the file add the following lines
data
path /home/data
writable yes

106
Integrating Linux with Windows-Based Computers

Write and quit vi
service smb start
May also want to change run-level script to start
automatically at boot up
smbpasswd -a ltusergt

107
Integrating Linux with Windows-Based Computers

To Use SWAT
Edit /etc/services to make sure the following
line exists
swat 901/tcp Samba Web Administration Tool
Edit /etc/xinetd.d/swat to change disable to no
To have changes take effect, restart xinetd

108
Integrating Linux with Windows-Based Computers

vi /etc/services
Locate the line
swat 901/tcp Samba Web Administration Tool
Quit vi
cd /etc/xinetd.d
ls

109
Integrating Linux with Windows-Based Computers

vi swat
Change line disable yes to disable no
Write and quit vi
service xinetd restart

110
Setting Up Internet and Intranet Services
111
Setting Up Internet and Intranet Services

Mail administration consists of three parts
MTA (Mail Transport Agent)
Sendmail, Exchange
MDA (Mail Delivery Agent)
POP3 QPopper, Procmail
MUA (Mail User Agent)
Outlook Express, Netscape Messenger, KMail

112
Setting Up Internet and Intranet Services

Managing mail (user)
mail - view recent messages
mail ltemail addressgt - send a new message

113
Setting Up Internet and Intranet Services

To route mail from one address to another, edit
/etc/aliases
When editing aliases the database needs to be
rebuilt with the newaliases command

114
Setting Up Internet and Intranet Services

vi /etc/aliases
Add/edit aliases
Write and quit vi
newaliases

115
Setting Up Internet and Intranet Services

Managing mail (administrator)
User mailboxes located in /var/spool/mail
Log files located in /var/log/maillog

116
Setting Up Internet and Intranet Services

Sendmail configuration
Directives are located in /etc/mail/sendmail.cf
/etc/mail/sendmail.mc -- friendlier configuration
file

117
Setting Up Internet and Intranet Services

cd /etc/mail
ls
cp sendmail.cf sendmail.cf.bak
ls
cp sendmail.mc sendmail.mc.bak
ls

118
Setting Up Internet and Intranet Services

vi sendmail.mc - delete line DAEMON_OPTIONS
Write and quit vi
m4 /etc/mail/sendmail.mc gt /etc/mail/sendmail.cf
service sendmail restart

119
Setting Up Internet and Intranet Services

Installing the MDA
To transfer mail from the server to a client
application, a POP daemon needs to be installed
Qpopper, from Qualcomm, is a high performance
POP3 daemon available for free
The POP3 process is installation specific, so
this application needs to be built on a per
machine basis

120
Setting Up Internet and Intranet Services

Installing the MDA
Unpack the popper tarball
tar -zxvf
Configure the installation
./configure --enable-standalone
--enable-specialauth
Build the binary
make
Install to the path
cp popper /usr/sbin/popper

121
Setting Up Internet and Intranet Services

mount /mnt/cdrom
cd /mnt/cdrom/Console/-mail servers
ls
cp qptab /usr
cd /usr
ls

122
Setting Up Internet and Intranet Services

tar -zxvf qptab
ls
cd qptab
Ls
./configure --enable-standalone
--enable-specialauth
make

123
Setting Up Internet and Intranet Services

cd popper
ls
cp popper /usr/sbin
popper 192.168.0.ltxgt110 -S -s

124
Setting Up Internet and Intranet Services

cd /etc/rc.d
ls
vi rc.local
Add popper 192.168.0.ltxgt110 -S -s on a new line
at the end of the file

125
Setting Up Internet and Intranet Services

Installation of the Apache Web Server
Apache is a server daemon which controls the
httpd process on port 80 (sending web pages)
Apache should work properly out of the box
Configuration options are located in
/etc/httpd/conf/httpd.conf
The home page location may vary
/var/www/html in Sys-V (Red Hat 7.0)
/home/httpd/html for Linux default (Red Hat 6.2-)

126
Setting Up Internet and Intranet Services

cd /etc/httpd/conf
ls
cp httpd.conf httpd.conf.bak
ls
vi httpd.conf

127
Setting Up Internet and Intranet Services

service httpd start
ps -aux grep httpd
Open your web browser, type localhost in URL
address field and press the Enter key

128
Setting Up Internet and Intranet Services

How to install, configure and secure FTP services
on your Linux server
FTP is a standard xinetd server process installed
as a default
Anonymous users are automatically given an FTP
directory as their root directory
/var/ftp
Can only access files and directories below that
point

129
Setting Up Internet and Intranet Services

How to install, configure and secure FTP services
on your Linux server
/etc/vsftpd/vsftpd.conf - defines most of the
access control
/etc/vsftpd.user_list used to deny access to
certain accounts
or set userlist_denyNO to include only names of
users to whom you want to allow

130
Setting Up Internet and Intranet Services

vi /etc/vsftpd/vsftpd.conf
service vsftpd restart

131
Setting Up Internet and Intranet Services

Managing log activity
Daemon processes log output in /var/log
/var/log/httpd
/var/log/maillog
/var/log/vsftpd.log
Xinetd processes will utilize syslogd
/var/log/messages
View running log information with tail -f
Caution! Do NOT write lock a log file!

132
Securing Linux-Based Computers
133
Securing Linux-Based Computers

Who is on the system (server)? At the command
line type
w
This will produce a list of users currently
logged on the system
passwd -l username
Will lock the account of a user

134
Securing Linux-Based Computers

Check the history
last
Runs the activity report from the /var/log/wtmp
file
grep fail /var/log/messages
Grep repeat /var/log/messages

135
Securing Linux-Based Computers

Rpm -Va gt /tmp/rpmVa.log
S file size changed
M Mode (permissions)
5 MD5 checksum
D device node
L link has changed
U Owner of a file has changed
G Group ownership of file has changed
T Modification Timestamp is changed

136
Securing Linux-Based Computers

How to restrict access to sensitive areas by
normal and super-users
Break habits of logging in as root
Log in under your own user account and substitute
to root as necessary
su -

137
Securing Linux-Based Computers

How to disable root from logging in
/etc/securetty contains a list of
terminals/consoles from which root is allowed to
log in
Comment-out the terminals/consoles for which you
wish to disable

138
Securing Linux-Based Computers

vi /etc/securetty
Comment-out the line tty3
Write and quit vi

139
Securing Linux-Based Computers

How to check for root logons
grep -session opened for user root -
/var/log/messages less

140
Securing Linux-Based Computers

How to check for weak passwords
Test passwords with Crack 5.0
Cracking passwords may take hours or days
Crack will run in the background and exit
automatically when completed

141
Securing Linux-Based Computers

mount /mnt/cdrom
cd /mnt/cdrom/crack5.0
ls
cp /root
cd
ls
tar -zxvf crack5.0.tar.gz

142
Securing Linux-Based Computers

ls
cp crack_Makefile.txt ./c50a/src/util/Makefile
Overwrite? y
cd c50a
ls
./Crack -makeonly

143
Securing Linux-Based Computers

./Crack -makedict
./scripts/shadmrg.sv gt passwords
ls
chmod 600 passwords
ls -l passwords
./Crack passwords
./Reporter less

144
Securing Linux-Based Computers

To stop Crack
./Crack -kill ltpassword_filegt

145
Securing Linux-Based Computers

Using PAM
Works only with privilege granting applications
that are PAM-aware
PAM libraries are located in /lib/security
Configuration is managed from two locations
/etc/security/
/etc/pam.d/

146
Securing Linux-Based Computers

Use Tripwire to detect spoofed files
Tripwire reads system critical files and builds
checksums
For maintenance, Tripwire will rescan the
filesystem to detect checksum mismatches
For this security model to be effective, the
Tripwire database should be kept on a
write-locked device (like a CD-ROM)

147
Securing Linux-Based Computers

1. Customize sample configuration file
vi /etc/tripwire/twcfg.txt
2. Customize sample policy file
vi /etc/tripwire/twpol.txt
3. Run configuration script
/etc/tripwire/twinstall.sh
4. Initialize the database
tripwire --init

148
Securing Linux-Based Computers

5. Run integrity check
tripwire --check
6. cd /var/lib/tripwire/report
7. List reports created by tripwire check
ls
8. View report
twprint -m r --twrfile ltreport_namegt
command should be all on one line

149
Securing Linux-Based Computers

9. Update the database after an integrity check
tripwire --update --twrfile ltreport_namegt
Command should be all on one line
Will show report in default editor
Proposed updates start with X
Remove the X from box to exclude from update
Save file and close editor
As soon as editor closes, database will be written

150
Securing Linux-Based Computers

Can update the policy and configuration files as
necessary using twadmin

151
Protecting Networked Systems
152
Protecting Networked Systems

Take the machine off the network
Determine the required services
Determine Service Dependences
Prevent Services From Running
Reboot
Check Configuration for Unnecessary services
Check configuration for Necessary Services
Return Machine to Network

153
Protecting Networked Systems

Take the machine off the network
ifconfig eth0 down
If not in runlevel 3 already, then...
init 3

154
Protecting Networked Systems

Determine the required services

155
Protecting Networked Systems
Determine the required services
156
Protecting Networked Systems

Determine Service Dependences
Always Check the specific distro
Good place to start
http//www.redhat.com/docs/manuals/linux/RHL-9-Man
ual/install-guide/
RH Linux Bible

157
Protecting Networked Systems

Prevent Services From Running
su root
Insert screen capture for services (p 37)
chkconfig --level 2345
/sbin/chkconfig -- list more

158
Protecting Networked Systems

Reboot
syncsync init 6
Or
reboot

159
Protecting Networked Systems

Check Configuration for unnecessary services
What services were halted?
services status-all grep v stopped

160
Protecting Networked Systems

Check Configuration for necessary services
Is the mail daemon running?
ps aux grep v grep grep sendmail

161
Protecting Networked Systems

Return Machine to the Network
Ping the gateway
ip route
ping 192.168.xxx.xxx

162
Protecting Networked Systems

IP Spoofing
R services allow for remote connectivity under
a model called trusted hosts
You only have to authenticate once
Services like rlogin, rexec, and rcp should be
disabled or replaced
Non-routable IP addresses
Use loopback IP addresses on the LAN for PCs
not requiring Internet services

163
Protecting Networked Systems

iptables
A table is a set of chains
A chain is a list of rules
Each table has a group of built-in chains

164
Protecting Networked Systems

iptables
A chain is a checklist of rules. Each rule says
if the packet header looks like this, then
here's what to do with the packet'. If the rule
doesn't match the packet, then the next rule in
the chain is consulted. Finally, if there are no
more rules to consult, then the kernel looks at
the chain policy to decide what to do. In a
security-conscious system, this policy usually
tells the kernel to reject or deny the packet.

165
Protecting Networked Systems

iptables
filter default table that handles network
packets
INPUT applies to packets received via a network
interface
OUTPUT applies to packets sent out via the same
interface which received the packets
FORWARD applies to packets received on one
network interface and sent out on another

166
Protecting Networked Systems

iptables
nat used to alter packets that create new
connections
PREROUTING alters packets received via a
network interface when they arrive
OUTPUT alters locally-generated packets before
they are routed via a network interface
POSTROUTING alters packets before they are sent
out via a network interface

167
Protecting Networked Systems

iptables
mangle used to alter packets in specialized
ways
PREROUTING alters packets received via a
network interface before they are routed
OUTPUT alters locally-generated packets before
they are routed via a network interface

168
Protecting Networked Systems

iptables
iptables stops examining a rule after finding the
first match
Rules with very specific conditions should go
before those with similar but broader conditions

169
Protecting Networked Systems

iptables commands
iptables -L v list all rules in effect
-N create new chain
-A append a new rule to the end of the
specified list
-P - set the policy for the chain to the
specified target
The policy of a chain describes what action to
take if no rule matches the packet.
The default policy for all chains is ACCEPT.

170
Protecting Networked Systems

iptables parameters
-t table to use
-j name of the action to execute when the rule
matches
-i incoming interface to which this rule
applies
-o outgoing interface to which this rule applies

171
Protecting Networked Systems

iptables parameters
-s source address to match
-d destination address to match
-p protocol to match

172
Protecting Networked Systems

iptables options
-m module to use
--syn match against a syn packet which requests
a new connection
--state connection states to match

173
Protecting Networked Systems
Routing Decision
FORWARD
POSTROUTING
INPUT
OUTPUT
Local Process
174
Protecting Networked Systems

Firewall configuration
As root
-gt Start Here
-gt System Settings
-gt Security Level
Review Firewall Configuration Tool

175
Protecting Networked Systems

How to configure Linux as a router
Need two network interfaces
eth0
eth1
Turn on packet forwarding
Set gateway device
Enable IP Masquerading

176
Protecting Networked Systems

1.vi /etc/sysctl.conf
2. Change line net.ipv4.ip_forward 0 to
net.ipv4.ip_forward 1
3.vi /etc/sysconfig/network
4. Add line GATEWAYDEVeth1
5. Enable NAT/IP Masquerading

177
Protecting Networked Systems

IP Masquerading
Allows packets from non-routable IP addresses to
be forwarded with a routable IP address
Similar to NAT (Network Address Translation)
Effectively creates a firewall against remote
connections directly to the masqueraded network
Requires two NICs on an Ethernet network

178
Protecting Networked Systems

IP Masquerading
When a packet comes into the Linux router from a
host on the internal network, it will assign the
packet to a new TCP/IP source port number and
insert its own IP address inside the packet
header, saving the originals. The MASQ server
will then send the modified packet onto the
Internet.

179
Protecting Networked Systems

IP Masquerading
When a packet returns from the Internet into the
Linux router, Linux examines if the port number
is one of those ports that was assigned above. If
so, the MASQ server will then take the original
port and IP address, put them back in the
returned packet header, and send the packet to
the host on the internal network.

180
Protecting Networked Systems

iptables set policies so that any packet must
be specifically matched by one of the other rules
to get through
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

181
Protecting Networked Systems

iptables incoming from LAN
iptables -A INPUT -p ALL -i eth0 -s
192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j
ACCEPT
iptables -A INPUT -p ALL -i lo -s
ltinternal_ip_addressgt -j ACCEPT
iptables -A INPUT -p ALL -i lo -s
ltexternal_ip_addressgt -j ACCEPT

182
Protecting Networked Systems

iptables incoming from internet established
connections only
iptables -A INPUT -p ALL -d ltexternal_ip_addressgt
-m state -state ESTABLISHED,RELATED -j
ACCEPT

183
Protecting Networked Systems

iptables forwarding/routing
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -m state -state
ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j SNAT
-to-source ltexternal_ip_addressgt

184
Protecting Networked Systems

iptables forwarding/routing
For dynamically assigned external IP addresses
use
iptables -t nat -A POSTROUTING -o eth1 -j
MASQUERADE

185
Protecting Networked Systems

Saving your firewall settings
service iptables save
iptables-save
iptables-restore

186
Protecting Networked Systems

Squid Proxy Server
High-performance proxy-caching server
Supports HTTP and FTP protocols and SSL
encryption data
Utilizes ICP (Internet Cache Protocol) and
integrates with Cidera SkyCache and CacheFlow
appliances
Duplicates client requests to increase speed and
reduce network overhead

187
Protecting Networked Systems

cd /etc/squid
cp squid.conf squid.conf.bak
vi squid.conf
Locate the line INSERT YOUR OWN RULE

188
Protecting Networked Systems

Above the line http_access deny all add
acl class.com src 192.168.0.0/24
http_access allow class.com

189
Protecting Networked Systems

Write and quit vi
service squid start
May also want to change run-level script to start
automatically at boot up

190
Protecting Networked Systems

Other acl options
acl valid_clients src 192.168.0.2 192.168.0.3
192.168.0.4
http_access allow valid_clients
http_access deny !valid_clients

191
Protecting Networked Systems

Other acl options
acl clientA src 192.168.0.1
acl clientB src 192.168.0.2
acl morning time 0800-1200
acl lunch time 1230-1330
acl evening time 1500-2100
http_access allow clientA morning
http_access allow clientB evening
http_access allow clientA lunch

192
Protecting Networked Systems

Other acl options
acl hotmail dstdomain .hotmail.com
always_direct allow hotmail

193
Protecting Networked Systems

The Security Administrators Integrated Network
Tool (SAINT)
Examines network services searching for
vulnerabilities
Provides reports based on its analysis to suggest
possible remedies

194
Protecting Networked Systems

mount /mnt/cdrom
cd /mnt/cdrom
ls
cp sainttab /root
cd
ls
tar -zxvf sainttab

195
Protecting Networked Systems

cd sainttab
ls
cd config
ls
vi paths.pl
Change line MOSAIC to MOSAICusr/bin/mozilla

196
Protecting Networked Systems

Write and quit vi
cd ..
ls
./configure
make
make install
./saint

197
Virtual Network Computing Sharing Remote
Desktops
198
VNC Sharing Remote Desktops

Using VNC to share desktops with other machines
Virtual Network Computing is free
Linux, WinNT, Win9x, MacOS,
Allows users to open desktop sessions remotely to
administer machines
Only the screen state is transferred through the
connection, processing is done server-side

199
VNC Sharing Remote Desktops

Launching a server
vncserver - starts a new server process
IDs can be forced with the vncserver nn options
Launching a viewer
vncviewer spawns a viewer in X
Specify a machine name vncviewer lthostgtltdesktop
numbergt
Netscape or Internet Explorer - vncviewer
includes a Java applet to run in a Web browser
Specify the display number 5800 (lthostgt5801)

200
VNC - Sharing Remote Desktops

Starting vncserver
1. cd
2. vncserver
VNC will ask you to set the password the first
time you run vncserver
Stopping vncserver
1. vncserver kill ltdesktop numbergt

201
VNC - Sharing Remote Desktops

Connecting to a remote VNC desktop
vncviewer lthostgtltdesktop numbergt
Enter password of remote host
To stop vncviewer, simply close the vncviewer
window

202
VNC - Sharing Remote Desktops

Tunneling a remote VNC desktop using ssh
vncviewer -via lthost_ipgt lthost_ipgtltdesktop
numbergt
Enter ssh password of remote host and then the
vnc password
To stop vncviewer, simply close the vncviewer
window

203
Performance Monitoring and Troubleshooting
204
Performance Monitoring and Troubleshooting

How to schedule tasks to run after regular
business hours
Linux uses the cron daemon for scheduling
cron information is located in /etc with .daily
and .weekly cron scripts and folders
Scheduling might also be committed with the
crontab -e command

205
Performance Monitoring and Troubleshooting