ITI-481: Unix Administration Meeting 3

Upload: cody-cobb

Post on 30-Dec-2015


Page 1: ITI-481: Unix Administration Meeting 3. Today’s Agenda Hands-on exercises with booting and software installation. Account Management Basic Network Configuration

ITI-481: Unix Administration

Meeting 3


Today’s Agenda

• Hands-on exercises with booting and software installation.

• Account Management

• Basic Network Configuration Setting

• Inetd

• Exercise: Disabling Services with Inetd


Exercise: Using Red Hat Package Manager

• Place your Linux CD in your drive - the files on your CD can be accessed via the directory /mnt/cdrom. You may have to issue the “mountcd” command on your system to mount the CD-ROM.

• The RedHat/RPMS directory on your CD-ROM contains many RPM files.

• Install tcpdump off of the Red Hat CD:
    > cd /mnt/cdrom/RedHat/RPMS
    > rpm -ivh tcpdump-3.4-16.i386.rpm

• Uninstall elm software:
    > rpm -e elm

• Question: Is pine installed on your system? If so, what is the version number?


Exercise: Installing ssh1 from Source

• SSH is a program that allows you to securely access a server from a remote location.

• Download ssh1 from http://iti.rutgers.edu/~chrisjur/software/ssh-1.2.31.tar.gz

• From the download directory:
    > tar -xvzf ssh-1.2.31.tar.gz
    > cd ssh-1.2.31
    > ./configure
    > make
    > make install


Exercise: Changing Runlevels

• As root, type the following:
    shutdown -t 30 -h "System Downtime Beginning"

• Hit the power switch on your machine to turn the system back on after the shutdown process is complete (you should see a bash# prompt). NEVER turn power off without a proper shutdown.

• At the LILO prompt, enter “linux 1” (Linux only).

• After booting into single-user mode, type:
    init 5


Unix System Accounts

• Access to system resources is controlled through user and group assignment.

• Two types of user accounts:
    – Normal user
    – Root user


Components for Account Creation

• /etc/passwd
• /etc/shadow
• /etc/group
• Home Directory (/home/username)
• Initialization scripts (.login, .bash_profile, .cshrc) – copied from /etc/skel


Passwords

• Should always be encrypted
    – Crypt – up to 8 characters
    – MD5 – up to 256 characters

• Should be a combination of random letters, numbers, and special characters.

• Stored in /etc/passwd or /etc/shadow (preferred).

• Can be disabled by putting * in password field.


/etc/passwd

• Entry format (one entry per line):
    username:encrypted password:user ID (UID):default group (GID):name (GECOS):home directory:login shell

• Sample entry (no shadow file):
    kkaplan:boQavhhaCKaXG:500:500:Kellee Kaplan:/home/kkaplan:/bin/tcsh

• Sample entry (with shadow file):
    kkaplan:x:500:500:Kellee Kaplan:/home/kkaplan:/bin/bash

• Typical file permissions:
    -rw-r--r-- 1 root root 865 Mar 28 10:44 /etc/passwd


/etc/shadow

• Entry format:
    login name:encrypted password:other options for password expiration and changing

• Sample entry:
    kkaplan:$1$iwdVDnei$aBcxvpyYi06qu2wll.MAE.:10987:0:99999:7:-1:-1:134549860

• Typical permissions:
    -r-------- 1 root root 752 Jan 31 11:45 /etc/shadow
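An audit of the password fields described on the Passwords, /etc/passwd and /etc/shadow slides, as an added Python example that is not part of the course material. The function names and the sample accounts (other than the kkaplan and student2 lines modelled on the slides) are assumptions made for illustration.

```python
# Added example, not from the slides; sample entries below are constructed.
FIELDS = ("user", "password", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(line):
    """Split one /etc/passwd line into the seven fields named on the slide."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected 7 fields: %r" % line)
    return dict(zip(FIELDS, parts))

def classify(field):
    if field == "x":
        return "shadowed"      # real value lives in /etc/shadow
    if field == "":
        return "empty"         # account needs no password at all
    if field[0] in "*!":
        return "disabled"      # '*' as on the slide; usermod -L prefixes '!'
    if field.startswith("$1$"):
        return "md5"
    return "crypt" if len(field) == 13 else "unknown"

def audit(passwd_lines, shadow_lines):
    """Return sorted (user, finding) pairs for entries that need attention."""
    shadow = dict(l.split(":")[:2] for l in shadow_lines)
    findings = []
    for e in map(parse_passwd, passwd_lines):
        user, kind = e["user"], classify(e["password"])
        if kind in ("crypt", "md5"):
            findings.append((user, "hash exposed in world-readable /etc/passwd"))
        if kind == "shadowed":
            kind = classify(shadow[user]) if user in shadow else "missing"
        if kind in ("empty", "missing", "unknown"):
            findings.append((user, "password field is " + kind))
        if kind == "crypt":
            findings.append((user, "crypt hash: only 8 characters are significant"))
        if e["uid"] == "0" and user != "root":
            findings.append((user, "UID 0 on a non-root account"))
    return sorted(findings)

PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "kkaplan:boQavhhaCKaXG:500:500:Kellee Kaplan:/home/kkaplan:/bin/tcsh",
    "student2:x:501:103:Student 2:/home/student2:/bin/bash",
    "jsmith:x:0:103:J Smith:/home/jsmith:/bin/bash",
]
SHADOW = [
    "root:$1$iwdVDnei$aBcxvpyYi06qu2wll.MAE.:10987:0:99999:7:-1:-1:134549860",
    "student2:*:::::::",
]
```

Calling audit(PASSWD, SHADOW) reports kkaplan (hash in /etc/passwd, crypt format) and jsmith (no shadow entry, UID 0), while root and the disabled student2 account pass.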


/etc/group

• Entry format:
    group name:encrypted group password:GID:comma-separated list of group members

• Sample entry:
    staff:x:103:kkaplan,jsmith,jdoe


Account Management Tools

• Command line
    – Users: useradd, userdel, usermod
    – Groups: groupadd, groupdel, groupmod
    – Specific fields: passwd, chsh

• Graphical
    – LinuxConf
    – Control-panel


Exercise: Account Creation

• Create an entry in /etc/group for a new group called “students”:
    students:x:103:

• Create an entry by hand in /etc/passwd for an account called student2:
    student2:x:501:103:Student 2:/home/student2:/bin/bash

• Create an entry for student2 in /etc/shadow. Leave the password field with an * for now:
    student2:*:::::::

• Use passwd to change the password for the account.

• Create a home directory for your new account. Change ownership of the directory to the username for your new account and set permissions on the directory to 755.

• Login to the student2 account and verify that it is working.


Exercise: Account Creation with Command Line Tools

• Use useradd to create an account for student3. Use the appropriate flags to set a default group of “students,” a home directory of /home/student3, and a password of your choosing.

• Login to the student3 account.

• Use userdel to remove the student3 account.


Basic TCP/IP Network Configuration

• If the install program detects a NIC during the install process, you will be prompted to enter network settings.

• Network settings are configured at boot time through an rc script: /etc/rc.d/init.d/network

• The network rc script applies the network settings designated in /etc/sysconfig:
    – /etc/sysconfig/network: hostname and gateway
    – /etc/sysconfig/network-scripts/ifcfg-eth0: IP address, broadcast, netmask
    – (These are the files that contain the network address settings your network admin gives you.)


Domain Name Service Client Configuration

• Local IP address, host name combination set in /etc/hosts.

• To use DNS for host name resolution, need to enable it in /etc/nsswitch.conf:
    hosts: files dns

• DNS servers defined in /etc/resolv.conf:
    search domainname
    nameserver IP-address

• Sample file:
    search rutgers.edu
    nameserver 128.6.4.4
    nameserver 128.6.21.9


Network Configuration Utilities

• Text-based
    – ifconfig: shows various network settings, such as the IP address associated with a NIC.
    – hostname: displays and sets the machine’s hostname.
    – route: displays and sets network routes and gateways.

• Network Monitoring Utilities
    – ping
    – traceroute
    – netstat


Daemons

• A Unix process designed to handle a specialized function, usually to run server-based processes.

• Run in the background.

• Run two possible ways:
    – Standalone - Usually started through rc scripts. Always resident in process table (ps -ef or ps -aux show Unix processes running on the system).
    – Inetd - Started via the Inetd network server.


Inetd

• Inetd is a "Superserver" for network server-related processes.

• Configuration file: /etc/inetd.conf

• Controls starting and stopping of network services like telnet and ftp.

• Connections made on specific ports are handed over to the appropriate daemon.


/etc/inetd.conf

• Define specific services run through inetd.

• Per service format:
    srvce_name sock_type protocol [no]wait user srvr_orig srvr_prog_args

• Sample entry:
    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

• For security reasons, comment out entries for services not being used.

• Administrators rarely manually add entries to inetd.conf.

• Restart inetd after making any configuration changes:
    kill -HUP `cat /var/run/inetd.pid`


/etc/services

• Inetd needs to know on what port (network application identification number) the service being started needs to listen.

• /etc/services maps services to specific ports.

• Entry format:
    service port/protocol

• Sample entry:
    telnet 23/tcp

• This file is already configured and populated for you but can be a good reference for “well known” TCP ports


TCP Wrappers

• Access restrictions to TCP applications can be enabled using TCP Wrappers.

• In inetd.conf, the network service is called through /usr/sbin/tcpd instead of directly.

• Access control set through /etc/hosts.allow and /etc/hosts.deny allows you to selectively allow/deny remote access to network services based on IP address and/or hostname.

• Connections to TCP wrapped services are logged.

• Generally used for security reasons.


Example: Denying Access via /etc/hosts.allow file

• The format of /etc/hosts.allow and /etc/hosts.deny is:
    Service name: [ip or host], [ip or host]…

• Adding the following entries to the /etc/hosts.allow files will stop users from AOL and the IP address range 128.6.6.* from accessing your system via telnet:
    in.telnetd:128.6.6.,.aol.com
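How tcpd evaluates the two files, as an added Python example that is not part of the course material: per hosts_access(5), a match in /etc/hosts.allow grants access, otherwise a match in /etc/hosts.deny denies it, and a client matching neither is granted, so the file a rule line sits in decides its effect. The function names and the sample clients are assumptions, and only the ALL wildcard and the two pattern forms used on the slide are implemented.

```python
# Added example, not from the slides. Implements a subset of hosts_access(5):
# the ALL wildcard, ".domain" host suffixes and "a.b.c." address prefixes.
import re

def items(text):
    """Split a daemon or client list on commas and blanks."""
    return [t for t in re.split(r"[,\s]+", text.strip()) if t]

def client_matches(pattern, ip, host):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):              # ".aol.com": host name suffix
        return bool(host) and host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                # "128.6.6.": address prefix
        return ip.startswith(pattern)
    return pattern == ip or (bool(host) and pattern.lower() == host.lower())

def rule_matches(rule, daemon, ip, host):
    """rule has the form 'daemon_list : client_list'."""
    daemons, _, clients = rule.partition(":")
    if daemon not in items(daemons) and "ALL" not in items(daemons):
        return False
    return any(client_matches(p, ip, host) for p in items(clients))

def check_access(daemon, ip, host, allow_rules, deny_rules):
    """A match in hosts.allow grants; failing that, a match in hosts.deny
    denies; a client that matches neither file is granted."""
    if any(rule_matches(r, daemon, ip, host) for r in allow_rules):
        return "granted by hosts.allow"
    if any(rule_matches(r, daemon, ip, host) for r in deny_rules):
        return "denied by hosts.deny"
    return "granted by default"

RULE = "in.telnetd:128.6.6.,.aol.com"        # the line shown on the slide
# Constructed clients: (ip, reverse-resolved host name)
INSIDE = ("128.6.6.20", "lab20.example.edu")
AOL = ("192.0.2.7", "dialup7.aol.com")
OTHER = ("192.0.2.99", "host.example.net")
```

With RULE passed as a deny rule, INSIDE and AOL are refused and OTHER is let through; with RULE as an allow rule plus "ALL: ALL" as a deny rule, the result inverts into an allow-list.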


Exercise: Disabling Services in Inetd

• Disable telnet access to your system by commenting out the entry for telnet.

• Restart inetd: kill -HUP `cat /var/run/inetd.pid`

• Verify that the telnet daemon has been disabled – what happens when you type…
    > telnet localhost
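The comment-out step of this exercise, together with the per-service format from the /etc/inetd.conf slide, as an added Python example that is not part of the course material. SAMPLE is a constructed inetd.conf and the function names are assumptions; after the file is rewritten, inetd still has to be sent the HUP signal from the exercise.

```python
# Added example, not from the slides; SAMPLE is a constructed inetd.conf.
SAMPLE = """\
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd     in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd     in.telnetd
shell   stream  tcp  nowait  root  /usr/sbin/in.rshd  in.rshd
time    stream  tcp  nowait  root  internal
#finger stream  tcp  nowait  root  /usr/sbin/tcpd     in.fingerd
"""

def enabled_services(text):
    """Parse the active (uncommented) entries of an inetd.conf."""
    services = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        services.append({"name": fields[0], "proto": fields[2], "user": fields[4],
                         "server": fields[5], "args": fields[6:]})
    return services

def unwrapped(services):
    """Names of services inetd starts directly, bypassing /usr/sbin/tcpd."""
    return [s["name"] for s in services
            if s["server"] != "internal" and not s["server"].endswith("/tcpd")]

def disable(text, name):
    """Comment out every active entry for `name`; return (new_text, changed)."""
    out, changed = [], 0
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == name:
            line, changed = "#" + line, changed + 1
        out.append(line)
    return "\n".join(out) + "\n", changed

def disable_in_file(path, name):
    """Apply disable() to a file; inetd still needs a HUP to reread it."""
    with open(path) as fh:
        new_text, changed = disable(fh.read(), name)
    if changed:
        with open(path, "w") as fh:
            fh.write(new_text)
    return changed
```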


Homework

• Read Chapters 8, 18, and 20 in Linux Administration: A Beginner’s Guide.