Linux Guide to Linux Certification, Second Edition
Provided by: faculty86
1
Linux Guide to Linux Certification, Second Edition
  • Chapter 15
  • Configuring Network Services and Security

2
Objectives
  • Identify and configure common network services
  • Configure routing and firewalls
  • Describe the different facets of Linux security
  • Increase the security of a Linux computer
  • Outline measures that can be used to detect a
    Linux security breach

3
Network Services
  • Processes that provide some type of valuable
    service for client computers on network
  • Must identify types and features of network
    services before they can be configured
  • Important to configure network-related services,
    such as routing and firewalls

4
Identifying Network Services
  • Port: Number uniquely identifying a network service
  • Ensures that packets are delivered to the proper service
  • Range from 0 to 65534
  • /etc/services file: Lists ports and associated protocol
  • Well-known port: Ports from 0 to 1024
  • Used by common networking services

5
Identifying Network Services (continued)
Table 15-1 Common well-known ports
6
Identifying Network Services (continued)
  • Internet Super Daemon (xinetd): Initializes and configures many networking services
  • Standalone daemons: Daemons normally started at boot-up
  • e.g., Apache Web server
  • Configure themselves without assistance
  • ntsysv utility can configure most standalone daemons to start in various runlevels

7
Identifying Network Services (continued)
Figure 15-1 Interacting with network services
8
Configuring Common Network Services
Table 15-2 Common network services
9
Configuring Common Network Services (continued)
Table 15-2 (continued) Common network services
10
Configuring Common Network Services (continued)
Table 15-2 (continued) Common network services
11
Configuring Common Network Services (continued)
Table 15-2 (continued) Common network services
12
Configuring Common Network Services (continued)
Table 15-2 (continued) Common network services
13
Configuring DNS
  • Zone: Portion of DNS administered by one or more DNS servers
  • Forward lookup: FQDN resolved to IP address
  • Reverse lookup: IP address resolved to FQDN

14
Configuring DNS (continued)
Figure 15-2 The DNS lookup process
15
Configuring DNS (continued)
  • Iterative query: Resolved without use of top-level DNS servers
  • Recursive query: Resolved with the use of top-level DNS servers
  • DNS cache file: Contains IP addresses of top-level DNS servers

16
Configuring DNS (continued)
  • Master or primary DNS server: Contains read/write copy of zone
  • Slave or secondary DNS server: Contains read-only copy of zone
  • Zone transfer: Copying zone resource records from master to slave DNS server

17
Configuring DNS (continued)
Table 15-3 Common zone configuration files
18
Configuring DNS (continued)
Table 15-3 (continued) Common zone configuration
files
19
Configuring DHCP
  • Send DHCP broadcast on network
  • Request IP configuration information
  • DHCP server leases IP address to client computer
    for a period of time
  • Ensures each client has unique IP address
  • /etc/dhcpd.conf file: Configure computer as a DHCP server
  • List appropriate IP address range for network

20
Configuring Apache
  • Most common Web server
  • Document root directory: Stores default HTML content for a Web server
  • /var/www/html on Fedora Linux
  • Default document is index.html
  • /etc/httpd/conf/httpd.conf: Default configuration file
  • Directive: Line within a configuration file

21
Configuring Apache (continued)
Table 15-4 Common httpd.conf directives
22
Configuring Samba
  • SaMBa daemon: Emulates SMB protocol
  • Windows computers advertise computer names using NetBIOS protocol
  • Can use NetBIOS name daemon to create and advertise NetBIOS name
  • Connect Windows computers to Linux server
  • smbpasswd command: Generate Samba passwords

23
Configuring Samba (continued)
  • /etc/samba/smb.conf: Default Samba configuration file
  • /etc/rc.d/init.d/smb start: Start Samba and NetBIOS name daemons
  • Restart if smb.conf changed

24
Configuring NFS
  • Create directory containing information to share
  • Edit /etc/exports file
  • Add line listing directory to be shared and
    options
  • Run exportfs -a
  • Update list of exported filesystems
  • Restart the NFS processes

25
Configuring FTP
  • Very secure FTP daemon (vsftpd): Packaged with Fedora Linux
  • To configure (assuming logon as user1):
  • Create directory below user1's home directory to host the files
  • Ensure user1 owns directory
  • Run /etc/rc.d/init.d/vsftpd start
  • Start vsftpd daemon

26
Configuring NIS
  • Network Information Service (NIS): Coordinates common configuration files across several computers
  • Computers belong to a NIS domain and use NIS maps to access configuration information
  • Most commonly used for password databases

27
Configuring NIS (continued)
  • Define the NIS domain via the domainname <NIS_domain_name> command
  • Add NISDOMAIN=NIS_domain to /etc/sysconfig/network file
  • Configure NIS domain at boot time
  • Add domain <NIS_domain> server <NIS_server> to /etc/yp.conf file
  • Query specific NIS server

28
Configuring the Secure Shell Daemon
  • Secure Shell daemon (sshd): Allows use of ssh utility to log in to network servers
  • /etc/ssh/sshd_config file: Contains configuration options
  • Uses challenge-response authentication by default

29
Configuring the Secure Shell Daemon (continued)
  • Supported encryption standards:
  • Triple Data Encryption Standard (3DES)
  • Advanced Encryption Standard (AES)
  • Blowfish
  • Carlisle Adams Stafford Tavares (CAST)
  • ARCfour

30
Routing and Firewall Services
  • Network services not provided entirely by network
    daemons
  • Provided by Linux kernel
  • Do not listen to a particular port

31
Routing
  • Route table: Indicates which networks are connected to network interfaces
  • route command: Manipulate the route table
  • Multihomed hosts: Computers with multiple network interfaces
  • IP forwarding: Forwarding TCP/IP packets between networks
  • Routing: Forwarding data packets between networks

32
Routing (continued)
  • Enabling routing:
  • Place the number 1 in the /proc/sys/net/ipv4/ip_forward file
  • Place net.ipv4.ip_forward = 1 in the /etc/sysctl.conf file
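
How the two settings on this slide fit together, as an added example that is not part of the deck: the /proc file is the live switch that takes effect immediately, while /etc/sysctl.conf is what the boot-time sysctl -p applies, so a router needs both. The script checks the live state and edits the configuration idempotently, so re-running it never leaves duplicate or contradictory lines. Both paths are parameters so that the demo runs against a constructed temporary copy; the defaults are the real locations.

```bash
#!/bin/sh
# Added example (not from the slide deck): inspect the live IP-forwarding
# switch and make the sysctl.conf change idempotently. Paths are parameters
# so the demo below can use a constructed temporary file instead of /etc.

# ip_forward_state [PROC_FILE] -> "enabled", "disabled" or "unavailable".
# Default path is the kernel's live switch; a routing host should show 1.
ip_forward_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ ! -r "$f" ]; then
        echo unavailable
        return 0
    fi
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unavailable ;;
    esac
}

# set_sysctl_forwarding CONF VALUE
# Rewrites any existing net.ipv4.ip_forward line in CONF (commented-out ones
# too) to "net.ipv4.ip_forward = VALUE" and appends the line if there is none.
# Every other line is kept; the file is swapped in from a temporary copy.
set_sysctl_forwarding() {
    conf="$1"; value="$2"
    tmp=$(mktemp "${conf}.XXXXXX")
    awk -v val="$value" '
        /^[# \t]*net\.ipv4\.ip_forward[ \t]*=/ {
            if (!done) { print "net.ipv4.ip_forward = " val; done = 1 }
            next                       # drop duplicates and stale copies
        }
        { print }
        END { if (!done) print "net.ipv4.ip_forward = " val }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# sysctl_forwarding_value CONF -> the value "sysctl -p" would apply from CONF
# (the last active net.ipv4.ip_forward line), or "unset".
sysctl_forwarding_value() {
    awk -F= '
        /^[ \t]*net\.ipv4\.ip_forward[ \t]*=/ { v = $2; gsub(/[ \t]/, "", v) }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Demo on a constructed copy of sysctl.conf so nothing on the host changes.
demo_conf=$(mktemp)
printf '%s\n' '# Kernel sysctl configuration (constructed sample)' \
              'net.ipv4.ip_forward = 0' 'kernel.sysrq = 0' > "$demo_conf"
echo "config before: $(sysctl_forwarding_value "$demo_conf")"
set_sysctl_forwarding "$demo_conf" 1
echo "config after:  $(sysctl_forwarding_value "$demo_conf")"
echo "live kernel:   $(ip_forward_state)"
rm -f "$demo_conf"
```

The config edit alone changes nothing until the next boot or a sysctl -p; the live check exists precisely to catch a host whose file says 1 while the kernel still says 0 (or the reverse, which is the more interesting finding on a machine that should not be routing).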

33
Routing (continued)
  • Large networks may have several routers
  • route add <route> command: Add entries to route table
  • route del <route> command: Remove entries from route table
  • Can use ip command to add entries to route table

34
Routing (continued)
Figure 15-3 A sample routed network
35
Routing (continued)
  • Contents of route table lost when computer
    powered off
  • Add to /etc/rc.d/rc.local file
  • Most routers configured with a default gateway
  • For packets addressed to destinations not in
    route table
  • traceroute command: Troubleshoot routing
  • Displays routers between current and remote
    computer

36
Firewall Services
  • netfilter/iptables: Used to create a firewall
  • Discard network packets according to chains of rules
  • Chains: Specify general type of network traffic to apply rules to
  • Rules: Match network traffic to be allowed or dropped

37
Firewall Services (continued)
  • Three chain types:
  • INPUT chain: Incoming packets
  • FORWARD chain: Packets passing through computer
  • OUTPUT chain: Outgoing packets
  • iptables command: Creates rules for a chain
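
The chain-and-rule model on these two slides, as an added example that is not from the deck: rules in a chain are tried in order, the first match decides the packet's fate, and the chain's default policy applies when nothing matches. The script keeps a small constructed rule set, answers "what would happen to this packet" for the three chains, and renders the same rule set as iptables commands without running them (those need root and a real kernel).

```bash
#!/bin/sh
# Added example (not from the slide deck): a first-match model of netfilter
# chains plus the iptables commands that express the same constructed rules.

# Default policies: drop unsolicited inbound and transit traffic, allow outbound.
POLICY_INPUT=DROP
POLICY_FORWARD=DROP
POLICY_OUTPUT=ACCEPT

# Rules in chain order: CHAIN PROTO DPORT TARGET ("any" matches every value).
FW_RULES='INPUT   tcp  22   ACCEPT
INPUT   tcp  80   ACCEPT
INPUT   tcp  443  ACCEPT
INPUT   udp  53   ACCEPT
INPUT   tcp  23   DROP
FORWARD any  any  DROP'

# fw_verdict CHAIN PROTO DPORT -> ACCEPT or DROP for a packet with those fields.
fw_verdict() {
    chain="$1"; proto="$2"; dport="$3"
    case "$chain" in
        INPUT)   policy="$POLICY_INPUT" ;;
        FORWARD) policy="$POLICY_FORWARD" ;;
        OUTPUT)  policy="$POLICY_OUTPUT" ;;
        *) echo "unknown chain: $chain" >&2; return 1 ;;
    esac
    printf '%s\n' "$FW_RULES" | awk -v c="$chain" -v p="$proto" -v d="$dport" -v pol="$policy" '
        $1 == c && ($2 == "any" || $2 == p) && ($3 == "any" || $3 == d) {
            print $4; matched = 1; exit     # first matching rule wins
        }
        END { if (!matched) print pol }     # otherwise the chain policy applies
    '
}

# fw_render_iptables -> the iptables commands equivalent to the rule set above.
fw_render_iptables() {
    echo "iptables -P INPUT $POLICY_INPUT"
    echo "iptables -P FORWARD $POLICY_FORWARD"
    echo "iptables -P OUTPUT $POLICY_OUTPUT"
    printf '%s\n' "$FW_RULES" | awk '{
        cmd = "iptables -A " $1
        if ($2 != "any") cmd = cmd " -p " $2
        if ($3 != "any") cmd = cmd " --dport " $3
        print cmd " -j " $4
    }'
}

for pkt in "INPUT tcp 22" "INPUT tcp 23" "INPUT tcp 8080" "FORWARD tcp 80" "OUTPUT udp 53"; do
    # word splitting of $pkt into chain, protocol and port is intended
    echo "$pkt -> $(fw_verdict $pkt)"
done
echo "--- equivalent iptables commands ---"
fw_render_iptables
```

One caveat the model makes visible: with a DROP policy on INPUT, replies to the host's own outbound connections arrive on INPUT with an unpredictable destination port and would be dropped by this stateless rule set, so a real configuration adds a rule accepting packets that belong to established connections before the port-specific rules.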

38
Firewall Services (continued)
Table 15-5 Common iptables commands
39
Security
  • Linux systems typically available across networks
    such as the Internet
  • Should improve local and network security
  • Understand how to detect intruders who breach the
    system

40
Securing the Local Computer
  • Limit access to computer itself
  • Prevent malicious users from accessing files
  • Server closet: Secured room to store servers
  • Remove floppy and CD-ROM devices from
    workstations
  • Ensure BIOS prevents booting from USB ports

41
Securing the Local Computer (continued)
  • Ensure BIOS password is set
  • Set boot loader password in LILO or GRUB
    configuration file
  • Limit access to graphical desktops and shells
  • Minimize the root user's time logged in

42
Securing the Local Computer (continued)
  • nohup command: Prevents other commands from exiting when parent process killed
  • su (switch user) command: Switch current user account to another
  • sudo command: Perform commands as another user via entries in /etc/sudoers file

43
Protecting Against Network Attacks
  • Always a possibility that crackers can manipulate
    a network service
  • Buffer overrun: Network service altered in memory
  • Minimize number of running network services
  • nmap (network mapper) command: Scan ports on network computers
  • See what network services are running
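
Two slides come together in one check here: the port-to-service table in /etc/services (slide 4) and this slide's advice to find out which network services are really running. The script below is an added example and not from the deck: it resolves listening ports to service names with a parser for the /etc/services format and reports any listener that is not on an allowlist of services the host is meant to run. The services table, the listener list and the allowlist are all constructed for the demo; on a real host you would read /etc/services and the port list from a socket-listing tool.

```bash
#!/bin/sh
# Added example (not from the slide deck): map listening ports to service
# names via the /etc/services format, then report listeners that are not on
# an allowlist of expected services. All input below is constructed.

# Constructed sample in /etc/services layout: name, port/protocol, aliases, comment.
SAMPLE_SERVICES='# name    port/proto   aliases        # comment
ssh       22/tcp                      # SSH Remote Login Protocol
smtp      25/tcp       mail
domain    53/tcp
domain    53/udp
http      80/tcp       www www-http   # WorldWideWeb HTTP
https     443/tcp
mysql     3306/tcp
'

# Constructed list of sockets the host is listening on, one "proto port" per line.
SAMPLE_LISTENERS='tcp 22
tcp 80
tcp 443
tcp 3306
udp 53
tcp 31337'

# service_for_port PORT PROTO  (services table on stdin)
# Prints the service name for PORT/PROTO, or "unknown" when the table has no entry.
service_for_port() {
    awk -v port="$1" -v proto="$2" '
        { sub(/#.*/, "") }                                   # drop comments
        NF >= 2 && $2 == port "/" proto { print $1; found = 1; exit }
        END { if (!found) print "unknown" }
    '
}

# unexpected_listeners "svc1 svc2 ..."  (listener list on stdin)
# Prints "proto/port name" for every listener whose service is not in the
# space-separated allowlist. Ports with no services entry are always
# reported: an unnamed listener is exactly what deserves a look.
unexpected_listeners() {
    allow=" $1 "
    while read -r proto port; do
        [ -n "$port" ] || continue
        name=$(printf '%s' "$SAMPLE_SERVICES" | service_for_port "$port" "$proto")
        case "$allow" in
            *" $name "*) allowed=1 ;;
            *)           allowed=0 ;;
        esac
        if [ "$allowed" -eq 0 ] || [ "$name" = unknown ]; then
            echo "$proto/$port $name"
        fi
    done
}

echo "Listeners outside the allowlist (ssh http https domain):"
printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners "ssh http https domain"
```

The allowlist is the point: "minimize the number of running network services" only becomes checkable once the expected set is written down, and the diff between that set and what actually listens is the list of daemons to shut off or account for.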

44
Protecting Against Network Attacks (continued)
  • Enable encryption on essential network services
  • Ensure network service daemons not run as root
    user when possible
  • New network service versions usually include
    fixes for known network attacks
  • Keep network services up-to-date

45
Protecting Against Network Attacks (continued)
  • TCP wrapper: Run network daemon with additional security via /etc/hosts.allow and /etc/hosts.deny files
  • Examine permissions for files and directories
    associated with system and network services
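
The decision TCP wrappers make with those two files, as an added example that is not from the deck: a connection is granted if the (daemon, client) pair matches an entry in hosts.allow, denied if it matches an entry in hosts.deny, and granted when it matches neither. The script implements that order for the common pattern forms (ALL, an exact host or address, a trailing-dot address prefix, a leading-dot domain suffix); the real library also understands net/mask, KNOWN/UNKNOWN/PARANOID and EXCEPT, which are left out. Both access files are constructed samples.

```bash
#!/bin/sh
# Added example (not from the slide deck): a model of the TCP wrappers access
# check over two constructed access files. Supported pattern forms: ALL,
# exact host/address, "192.168.1." style prefix, ".corp.example.com" style
# suffix. Real hosts.allow/hosts.deny live in /etc.

SAMPLE_HOSTS_ALLOW='# daemon_list : client_list
sshd   : 192.168.1. .corp.example.com
vsftpd : 192.168.1.50
'
SAMPLE_HOSTS_DENY='# Anything not granted above is refused.
ALL : ALL
'

# tw_pattern_match PATTERN VALUE -> succeeds when PATTERN matches VALUE.
tw_pattern_match() {
    pat="$1"; val="$2"
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$val" in *"$pat") return 0 ;; esac ;;   # ".domain" suffix
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;   # "net." prefix
        *)   [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# tw_list_match CONTENT DAEMON CLIENT -> succeeds when an entry in CONTENT
# (the text of a hosts.allow or hosts.deny file) matches DAEMON and CLIENT.
tw_list_match() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e '/^[[:space:]]*$/d' | (
        while IFS=: read -r daemons clients _; do
            dmatch=1
            for d in $daemons; do
                if tw_pattern_match "$d" "$2"; then dmatch=0; break; fi
            done
            [ "$dmatch" -eq 0 ] || continue
            for c in $clients; do
                if tw_pattern_match "$c" "$3"; then exit 0; fi
            done
        done
        exit 1
    )
}

# tw_access DAEMON CLIENT -> "allow" or "deny" under the sample files.
tw_access() {
    if tw_list_match "$SAMPLE_HOSTS_ALLOW" "$1" "$2"; then
        echo allow   # hosts.allow matched; hosts.deny is never consulted
    elif tw_list_match "$SAMPLE_HOSTS_DENY" "$1" "$2"; then
        echo deny    # hosts.deny matched
    else
        echo allow   # neither file matched: access is granted
    fi
}

for probe in "sshd 192.168.1.10" "sshd build.corp.example.com" "sshd 10.0.0.5" \
             "vsftpd 192.168.1.50" "vsftpd 192.168.1.51" "in.telnetd 192.168.1.10"; do
    # word splitting of $probe into daemon and client is intended
    echo "$probe -> $(tw_access $probe)"
done
```

Because hosts.allow is consulted first and wins, an over-broad entry there silently overrides everything in hosts.deny; the sample follows the usual hardening pattern of ALL : ALL in hosts.deny with an explicit allowlist. Current OpenSSH releases no longer link against libwrap, so on modern systems this kind of per-client restriction is done with firewall rules or the daemon's own access options instead.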

46
Detecting Intrusion
  • Log files can contain information or
    irregularities indicating an intrusion
  • Review system log files associated with
    authentication
  • Pluggable Authentication Module (PAM): Handles authentication requests by daemons
  • Log file in /var/log/secure
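
What "irregularities" in /var/log/secure look like in practice, as an added example that is not from the deck: the script pulls three things a reviewer wants from sshd and PAM entries, namely repeated failed logins per source address, which account names were tried (sshd marks non-existent names with "invalid user", which separates name guessing from password guessing against a real account), and who opened a root session with su. The log lines are constructed samples in the standard syslog layout; pass a real log file as the first argument instead.

```bash
#!/bin/sh
# Added example (not from the slide deck): review /var/log/secure style
# entries for repeated authentication failures, targeted accounts and su to
# root. The log below is a constructed sample; functions take a file path.

SAMPLE_SECURE_LOG='Mar  3 02:14:01 host1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Mar  3 02:14:03 host1 sshd[4121]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Mar  3 02:14:06 host1 sshd[4125]: Failed password for root from 203.0.113.5 port 40230 ssh2
Mar  3 02:14:09 host1 sshd[4127]: Failed password for root from 203.0.113.5 port 40231 ssh2
Mar  3 02:14:12 host1 sshd[4130]: Failed password for invalid user test from 203.0.113.5 port 40240 ssh2
Mar  3 02:20:44 host1 sshd[4201]: Accepted publickey for alice from 192.168.1.20 port 51022 ssh2
Mar  3 02:31:17 host1 sshd[4290]: Failed password for bob from 192.168.1.31 port 51100 ssh2
Mar  3 02:31:25 host1 sshd[4290]: Accepted password for bob from 192.168.1.31 port 51100 ssh2
Mar  3 03:02:09 host1 su: pam_unix(su:auth): authentication failure; logname=bob uid=1001 euid=0 tty=pts/1 ruser=bob rhost=  user=root
Mar  3 03:02:15 host1 su: pam_unix(su:session): session opened for user root by bob(uid=1001)'

# failed_logins_by_source FILE MIN
# Prints "address count" for each source with at least MIN failed sshd
# password attempts, most active source first.
failed_logins_by_source() {
    awk -v min="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# targeted_accounts FILE
# Prints "account count" for the names used in failed sshd logins; the
# "invalid user" marker is skipped so the real name is counted.
targeted_accounts() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "for") {
                    u = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                    users[u]++
                    break
                }
        }
        END { for (u in users) print u, users[u] }
    ' "$1" | sort -k2,2nr -k1,1
}

# su_to_root FILE
# Prints the account behind each su to root that pam_unix recorded as a session.
su_to_root() {
    awk '
        /su.*pam_unix\(su:session\): session opened for user root by/ {
            who = $NF; sub(/\(.*/, "", who); print who
        }
    ' "$1"
}

demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_SECURE_LOG" > "$demo_log"
echo "Sources with 3+ failed logins:"; failed_logins_by_source "$demo_log" 3
echo "Accounts targeted:";            targeted_accounts "$demo_log"
echo "su to root by:";                su_to_root "$demo_log"
rm -f "$demo_log"
```

On the sample, one address accounts for five failures spread across admin, root and test within seconds, which reads as automated guessing, while bob's single failure followed by a success from an internal address reads as a typo; the su entry is the kind of root-access event the earlier slide on minimising root login time suggests keeping an eye on.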

47
Detecting Intrusion (continued)
  • Check /var/log/wtmp log file
  • Lists users who receive BASH shells
  • Tripwire: Monitors files and directories
  • Intrusion Detection System (IDS): Detect unauthorized access

48
Detecting Intrusion (continued)
Table 15-6 Common Linux intrusion detection
systems
49
Summary
  • Most network services are started by the Internet
    Super Daemon or as standalone daemons and listen
    for requests on a port
  • Commonly configured network services include NIS,
    DNS, DHCP, Samba, Apache, NFS, FTP, and Secure
    Shell
  • Routing and firewall services are provided by the
    Linux kernel

50
Summary (continued)
  • Securing a Linux computer involves improving
    local and network security as well as monitoring
    to detect intruders
  • By restricting access to your Linux computer and
    using the root account only when required, you
    greatly improve local Linux security

51
Summary (continued)
  • Reducing the number of network services, using
    firewalls, preventing services from running as
    the root user, restricting permissions on key
    files, and using TCP wrappers can greatly reduce
    the chance of network attacks
  • Log files and IDS applications can be used to
    detect intruders on a Linux network