Linux Services

1
Linux Services

• Sirak Kaewjamnong

2
Linux DHCP Server

• DHCP is an IP address dynamically assigned from
  DHCP server.
• PC client will most likely get its IP address at
  boot time from the home router instead
• The DHCP server RPM's filename usually starts
  with the word dhcp followed by a version number
• dhcp-3.0.1rc14-1.i386.rpm.

3
The /etc/dhcpd.conf File

• When DHCP starts, it reads the file
  /etc/dhcpd.conf.
• The standard DHCP RPM package doesn't
  automatically install a /etc/dhcpd.conf file, but
  a sample copy of dhcpd.conf is in the following
  directory
• /usr/share/doc/dhcp-ltversion-numbergt/dhcpd.conf.sa
  mple

4
/etc/dhcpd.conf example file

• ddns-update-style interim
• ignore client-updates
• subnet 172.27.21.0 netmask 255.255.255.0
• --- default gateway
• option routers
  172.27.21.254
• option subnet-mask
  255.255.255.0
• option nis-domain
  "cp.su.ac.th"
• option domain-name
  "cp.su.ac.th"
• option domain-name-servers
  202.28.72.66
• option domain-name-servers
  202.44.135.9
• option time-offset -18000
  Eastern Standard Time
• option netbios-node-type 2
• range dynamic-bootp 172.27.21.200
  172.27.21.250
• default-lease-time 21600

5
How to get DHCP started

• Use the chkconfig command to get DHCP configured
  to start at boot
• Use the service command to instruct the
  /etc/init.d/dhcpd script to start/stop/restart
  DHCP after booting

root_at_bigboy tmp chkconfig dhcpd on
root_at_bigboy tmp service dhcpd
start root_at_bigboy tmp service dhcpd
stop root_at_bigboy tmp service dhcpd restart
6
SAMBA

• Samba is a suite of utilities that allows your
  Linux server to share files and other resources,
  such as printers, with Windows clients.

7
Get SMB started

• Configure Samba to start at boot time using the
  chkconfig command
• Start/stop/restart Samba after boot time using
  the smb initialization script as in the examples
  below
• Note Unlike many Linux packages, Samba does not
  need to be restarted after changes have been made
  to its configuration file, as it is read after
  the receipt of every client request.

root_at_bigboy tmp chkconfig smb on
root_at_bigboy tmp service smb start root_at_bigboy
tmp service smb stop root_at_bigboy tmp service
smb restart
8
The Samba Configuration File

The /etc/samba/smb.conf file is the main
configuration
Section Description
global General Samba configuration parameters
printers Used for configuring printers
homes Defines treatment of user logins
netlogon A share for storing logon scripts. (Not created by default.)
profile A share for storing domain logon information such as "favorites" and desktop icons. (Not created by default.)
9
Samba's SWAT web interface

• SWAT, Samba's web based configuration tool to
  enables smb.conf file without needing to
  remember all the formatting.
• Each SWAT screen is actually a form that covers a
  separate section of the smb.conf file into which
  admin fill in the desired parameters, each
  parameter box has its own online help

10
Samba SWAT Main Menu
11
Basic SWAT Setup

• Root must always remember that SWAT edits the
  smb.conf file but also strips out any comments
  that may have manually entered into it
  beforehand.
• The original Samba smb.conf file has many
  worthwhile comments in it, you should save a copy
  as a reference before proceeding with SWAT.
• For example, you could save the original file
  with the name /etc/samba/smb.conf.original

root_at_tmp cp /etc/samba/smb.conf
/etc/samba/smb.conf.original
12
Basic SWAT Setup

• The enabling and disabling, starting and stopping
  of SWAT is controlled by xinetd via a
  configuration file named /etc/xinetd.d/swat

service swat port 901
socket_type stream protocol
tcp wait no user
root server /usr/sbin/swat
log_on_failure USERID disable
no only_from localhost
13
Basic SWAT Setup

• The disable parameter must be set to no to accept
  connections. This can automatically be switched
  between yes and no.
• The default configuration only allows SWAT web
  access from the VGA console only as user root on
  port 901 with the Linux root password.
• This means root have to enter "http//127.0.0.190
  1" in browser to get the login screen.
• root can make SWAT accessible from other servers
  by adding IP address entries to the only_from
  parameter of the SWAT configuration file.
• An example of an entry to allow connections only
  from 192.168.1.3 and localhost.

only_from localhost 192.168.1.3
14
Controlling SWAT

• Same as all xinetd-controlled applications, the
  chkconfig command automatically modifies the
  disable field accordingly in the configuration
  file and activates the change.
• Before SWAT can be used, the xinetd program which
  controls it must be activated in advance.
• You can start/stop/restart xinetd after boot time
  using the xinetd initialization

15
xinetd Programs

• Many network enabled Linux applications do not
  rely on themselves to provide restricted access
  or bind to a particular TCP port
• instead they often offload a lot of this work to
  a program suite made just for this purpose,
  xinetd
• The xinetd RPM is installed by default in Fedora
  Linux and uses /etc/xinetd.conf as its main
  configuration file

16
Controlling xinetd

• The starting and stopping of the xinetd daemon is
  controlled by the by scripts in the /etc/init.d
  directory and it is behavior at boot time is
  controlled by chkconfig.
• You can start/stop/restart xinetd after booting
  by using the following commands
• To get xinetd configured to start at boot you can
  use the chkconfig command.

root_at_bigboy tmp service xinetd
start root_at_bigboy tmp service xinetd
stop root_at_bigboy tmp service xinetd restart
root_at_bigboy tmp chkconfig xinetd on
17
Controlling xinetd-Managed Applications

• Xinetd-managed applications all store their
  configuration files in the /etc/xinetd.d
  directory.
• Each configuration file has a disable statement
  that can set to yes or no. This governs whether
  xinetd is allowed to start them or not.
• You don't have to edit these files to activate or
  deactivate the application. The chkconfig command
  does that automatically will also stops or starts
  the application accordingly too

18
Telnet

• Telnet is a program that allows users to log into
  server and get a command prompt just as if they
  were logged into the VGA console.
• The Telnet server RPM is installed and disabled
  by default on Fedora Linux.
• One of the disadvantages of Telnet is that the
  data is sent as clear text.
• A more secure method for remote logins would be
  via Secure Shell (SSH) which uses varying degrees
  of encryption.
• The older Telnet application remains popular.
  Many network devices don't have SSH clients,
  making telnet the only means of accessing other
  devices and servers from them

19
Installing The Telnet Server Software

• Older versions of RedHat had the Telnet server
  installed by default. Fedora Linux does not
• you will have to install it yourself.
• Most Linux software products are available in a
  precompiled package format. Downloading and
  installing packages
• When searching for the file, the Telnet server
  RPM's filename usually starts with the word
  "telnet-server" followed by a version number as
  in telnet-server-0.17-28.i386.rpm.

20
Setting Up A Telnet Server

• To set up a Telnet server use the chkconfig
  command to activate Telnet.
• Use the chkconfig command to deactivate telnet,
  even after the next reboot.

root_at_bigboy tmp chkconfig telnet on
root_at_bigboy tmp chkconfig telnet off
21
Let Telnet Listen On Another TCP Port

• Letting telnet run on an alternate TCP port does
  not encrypt the traffic, but it makes it less
  likely to be detected as telnet traffic.
• Remember that this is not a foolproof strategy
  good port scanning programs can detect telnet and
  other applications running on alternative ports.

22
Let Telnet Listen On Another TCP Port

• Edit /etc/services file and add an entry for a
  new service. Call it stelnet.
• Copy the telnet configuration file called
  /etc/xinetd.d/telnet and call it
  /etc/xinetd.d/stelnet

Local services stelnet 7777/tcp
"secure" telnet
root_at_bigboy tmp cp /etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
23
Let Telnet Listen On Another TCP Port

1. Edit the new /etc/xinetd.d/stelnet file. Make the
   new service stelnet and add a port statement for
   TCP port 7777.
2. Use chkconfig to activate stelnet.

default on description The telnet server
serves telnet sessions unencrypted
username/password pairs for authentication. servic
e stelnet flags REUSE
socket_type stream wait
no user root server
/usr/sbin/in.telnetd log_on_failure
USERID disable no port
7777
root_at_bigboy tmp chkconfig stelnet on
24
Let Telnet Allow Connections From Trusted
Addresses

• Root can restrict telnet logins access to
  individual remote servers by using the only_from
  keyword in the telnet configuration file.
• Add a list of trusted servers to the
  /etc/xinetd.d/telnet file separated by spaces
• Restart telnet by

service telnet flags REUSE
socket_type stream wait
no user root server
/usr/sbin/in.telnetd
log_on_failure USERID disable
no only_from 192.168.1.100
127.0.0.1 192.168.1.200
chkconfig telnet off chkconfig telnet on
25
Linux FTP

• The File Transfer Protocol (FTP) is used as one
  of the most common means of copying files between
  servers over the Internet.
• Most web based download sites use the built in
  FTP capabilities of web browsers and therefore
  most server oriented operating systems usually
  include an FTP server application as part of the
  software suite.
• Fedora linux ftp sever using default Very Secure
  FTP Daemon (VSFTPD) package

26
FTP overview

• FTP relies on a pair of TCP ports to get the job
  done. It operates in two connection channels
• FTP Control Channel, TCP Port 21 All commands
  send and the ftp server's responses to those
  commands will go over the control connection.
• FTP Data Channel, TCP Port 20 This port is used
  for all subsequent data transfers between the
  client and server.

27
How To Get VSFTPD Started

• With Fedora, Redhat, Ubunbtu and Debian You can
  start, stop, or restart VSFTPD after booting by
  using these commands
• With Redhat / Fedora you can configure VSFTPD to
  start at boot you can use the chkconfig command.

root_at_bigboy tmp /etc/init.d/vsftpd
start root_at_bigboy tmp /etc/init.d/vsftpd
stop root_at_bigboy tmp /etc/init.d/vsftpd restart
root_at_bigboy tmp chkconfig vsftpd on
28
The Apache Web Server

• Apache is probably the most popular Linux-based
  Web server application in use.
• When searching for the file, the Redhat / Fedora
  Apache RPM package's filename usually starts with
  the word httpd followed by a version number, as
  in httpd-2.0.48-1.2.rpm

29
Get Apache started

• Use the chkconfig command to configure Apache to
  start at boot
• Use the httpdltcodegt init script in the
  ltcodegt/etc/init.d directory to start,stop, and
  restart Apache after booting

root_at_bigboy tmp chkconfig httpd on
root_at_bigboy tmp /etc/init.d/httpd
start root_at_bigboy tmp /etc/init.d/httpd
stop root_at_bigboy tmp /etc/init.d/httpd restart
30
General Configuration Steps

• The configuration file used by Apache is
  /etc/httpd/conf/httpd.conf in Redhat / Fedora
  distributions
• /etc/apache/httpd.conf in Debian / Ubuntu
  distributions.
• As for most Linux applications, you must restart
  Apache before changes to this configuration file
  take effect

31
Where To Put Web Pages

• All the statements that define the features of
  each web site are grouped together inside their
  own ltVirtualHostgt section, or container, in the
  httpd.conf file.
• The most commonly used statements, or directives,
  inside a ltVirtualHostgt container are
• servername Defines the name of the website
  managed by the ltVirtualHostgt container. This is
  needed in named virtual hosting only, as I'll
  explain soon.
• DocumentRoot Defines the directory in which the
  web pages for the site can be found.

32
Where To Put Web Pages

• By default, Apache searches the DocumentRoot
  directory for an index, or home, page named
  index.html.
• Example, if a servername of www.my-site.com with
  a DocumentRoot directory of
• /home/www/site1/
• Apache displays the contents of the file
  /home/www/site1/index.html when someone enter
  http//www.my-site.com in his browser.

33
The Default File Location

• By default, Apache expects to find all its web
  page files in the /var/www/html/ directory with
  a generic DocumentRoot statement at the beginning
  of httpd.conf
• Apache will display Web page files as long as
  they are world readable, all the files and
  subdirectories in DocumentRoot should have the
  correct permissions
• Change the permissions on the /home/www directory
  to 755, which allows all users, including the
  Apache's httpd daemon, to read the files inside.

34
Named Virtual Hosting

• Apache allow to make Web server host more than
  one site per IP address by using Apache's named
  virtual hosting feature.
• Use the NameVirtualHost directive in the
  /etc/httpd/conf/httpd.conf file to tell Apache
  which IP addresses will participate in this
  feature.
• The ltVirtualHostgt containers in the file then
  tell Apache where it should look for the Web
  pages used on each Web site.
• Admin must specify the IP address for which each
  ltVirtualHostgt container applies.

35
Named Virtual Hosting Example
ServerName localhost NameVirtualHost
97.158.253.26 ltVirtualHost gt DocumentRoot
/home/www/site1 lt/VirtualHostgt ltVirtualHost
97.158.253.26gt DocumentRoot /home/www/site2
ServerName www.my-site.com ServerAlias
my-site.com, www.my-cool-site.com lt/VirtualHostgt
ltVirtualHost 97.158.253.26gt DocumentRoot
/home/www/site3 ServerName www.test-site.com lt/
VirtualHostgt ltVirtualHost 97.158.253.26gt
DocumentRoot /home/www/site4 ServerName
www.another-site.com lt/VirtualHostgt
36
Protect Web Page Directories With Passwords

• Use Apache's htpasswd password utility to create
  username/password combinations independent of
  system login password for Web page access.
• Specify the location of the password file, and if
  it does not yet exist, should include a -c, or
  create, switch on the command line.
• Placing the file in /etc/httpd/conf directory,
  away from the DocumentRoot tree where Web users
  could possibly view it.

37
htpasswd Example
root_at_bigboy tmp htpasswd -c /etc/httpd/conf/.ht
passwd peter New password Re-type new
password Adding password for user
peter root_at_bigboy tmp root_at_bigboy tmp
htpasswd /etc/httpd/conf/.htpasswd paul New
password Re-type new password Adding password
for user paul root_at_bigboy tmp
38
Protect Web Page Directories With Passwords

• Make the .htpasswd file readable by all users.
• Create a .htaccess file in the directory to which
  you want password control with these entries.

root_at_bigboy tmp chmod 644 /etc/httpd/conf/.htpa
sswd
AuthUserFile /etc/httpd/conf/.htpasswd AuthGroupFi
le /dev/null AuthName EnterPassword AuthType
Basic require user peter
39
Protect Web Page Directories With Passwords

• Set the correct file protections on new .htaccess
  file in the directory /home/www.
• Make sure your /etc/httpd/conf/http.conf file has
  an AllowOverride statement in a ltDirectorygt
  directive for any directory in the tree above
  /home/www.
• In this example below, all directories below
  /var/www/ require password authorization.

root_at_bigboy tmp chmod 644 /home/www/.htaccess
ltDirectory /home/www/gt AllowOverride
AuthConfig lt/Directorygt
40
Protect Web Page Directories With Passwords

• Make sure that a ltVirtualHostgt directive that
  defines access to /home/www or another directory
  higher up in the tree.
• Restart Apache

ltVirtualHost gt ServerName 97.158.253.26
DocumentRoot /home/www lt/VirtualHostgt
41
Linux firewall

• Linux uses iptable for firewall solutions
• A router that will use NAT and port forwarding to
  both protect home network and have another web
  server on home network while sharing the public
  IP address of firewall

42
iptable Features

• Integration with the Linux kernel with the
  capability of loading iptables-specific kernel
  modules designed for improved speed and
  reliability.
• Stateful packet inspection. This means that the
  firewall keeps track of each connection passing
  through it and in certain cases will view the
  contents of data flows in an attempt to
  anticipate the next action of certain protocols.
• Filtering packets based on a MAC address and the
  values of the flags in the TCP header.

43
iptable Features

• System logging that provides the option of
  adjusting the level of detail of the reporting.
• Network address translation.
• Support for transparent integration with such Web
  proxy programs as Squid.
• A rate limiting feature that helps iptables block
  some types of denial of service (DoS) attacks

44
Start iptable

• Start iptable with
• Sample of iptable command
• iptables is being configured to allow the
  firewall to accept TCP packets for routing when
  they enter on interface eth0 from any IP address
  and are destined for an IP address of
  192.168.1.58 that is reachable via interface
  eth1.
• The source port is in the range 1024 to 65535 and
  the destination port is port 80

root_at_bigboy tmp service iptables
start root_at_bigboy tmp service iptables
stop root_at_bigboy tmp service iptables restart
iptables -A FORWARD -s 0/0 -i eth0 -d
192.168.1.58 -o eth1 -p TCP \ --sport
102465535 --dport 80 -j ACCEPT
45
Secure Remote Logins

• OpenSSH, which provides a number of ways to
  create encrypted remote terminal and file
  transfer connections between clients and servers.
  
• The OpenSSH Secure Copy (SCP) and Secure FTP
  (SFTP) programs are secure replacements for FTP,
• Secure Shell (SSH) is often used as a stealthy
  alternative to TELNET

46
Starting OpenSSH

• OpenSSH is installed by default during Linux
  installations
• SSH and SCP are part of the same application,
  they share the same configuration file and are
  governed by the same /etc/init.d/sshd startup
  script
• configure SSH to start at boot by using the
  chkconfig command when running Fedora

root_at_bigboy tmp chkconfig sshd on
47
The /etc/ssh/sshd_config File

• The SSH configuration file is called
  /etc/ssh/sshd_config. By default SSH listens on
  all NICs and uses TCP port 22.
• start, stop, and restart SSH with service comand

The strategy used for options in the default
sshd_config shipped with OpenSSH is to specify
options with their default value where
possible, but leave them commented. Uncommented
options change a default value. Port
22 Protocol 2,1 ListenAddress
0.0.0.0 ListenAddress
48
Other Linux services

• NTP
• Sendmail
• DNS
• MRTG
• Network File System (NFS)
• Etc.