manual of linux networking


Upload: yeasir089

Post on 25-Oct-2014


Page 1: Manual of Linux Networking

Internetworking Model …… 1
• The Layered Approach 1
• Advantages of Reference Models 1
• 7 Layers of the OSI Reference Model 1
• Network devices that operate at all seven layers of the OSI model 1
• The Application Layer 1
• The Presentation Layer 3
• The Session Layer 3
  Remote Procedure Call 4
  X-Window 4
  AppleTalk Session Protocol 4
• The Transport Layer 4
  Flow Control 4
  Connection Oriented Communication 4
  Windowing 6
  Acknowledgements 7
• The Network Layer 8
  Packets 8
  Network Addresses 8
  Metric 8
• The Data Link Layer 9
  Media Access Control (MAC) 9
  Logical Link Control (LLC) 9
  Switches & Bridges at the Data Link Layer 9

Internet Protocol …… 10
• TCP/IP and the DoD Model 10
• Telnet 11
• File Transfer Protocol (FTP) 12
• Trivial File Transfer Protocol (TFTP) 12
• Network File System 12
• Simple Mail Transfer Protocol (SMTP) 12
• Line Printer Daemon (LPD) 13
• X-Window 13
• Simple Network Management Protocol (SNMP) 13
• The Host-to-Host Protocols 13
  TCP 14
  User Datagram Protocol (UDP) 15
• Key Concepts of Host-to-Host Protocols 16
• Port Number 16
• The Internet Layer Protocols 17

  Internet Protocol (IP) 17
  Internet Control Message Protocol (ICMP) 18
  Address Resolution Protocol (ARP) 19
  Reverse Address Resolution Protocol (RARP) 20

IP Addressing …… 21
• IP Terminology 21
• The Hierarchical IP Addressing Scheme 21
• Network Addressing 21
  Summary of the three classes of networks 21
  Network Address Range: Class A 22
  Network Address Range: Class B 22
  Network Address Range: Class C 22
  Network Address Range: Classes D & E 22
  Network Addresses: Special Purpose Reserved IP Addresses 23
  Class A Addresses 23
  Class B Addresses 23
  Class C Addresses 24
  Private IP Addresses 24
  Broadcast Addresses 25
  Network Address Translation (NAT) 25
  Static NAT 25
  Dynamic NAT 25
  Overloading 25
• Subnetting Basics 25
  Benefits of Subnetting 26
  Methods to Create Subnets 26
  Subnet Masks 27
  Classless Inter-Domain Routing (CIDR) 27
  Subnetting Class C Addresses 28
  The Binary Method: Subnetting a Class C Address 28
  The Fast Way: Subnetting a Class C Address 29
  Subnetting Practice Examples: Class C Addresses 29
  Subnetting Class B Addresses 32
  Subnetting Practice Examples: Class B Addresses 32
  Subnetting Class A Addresses 34
  Subnetting Practice Examples: Class A Addresses 35
  Subnetting in Your Head: Class C Addresses 35
• EIA/TIA 37
  Straight Through 37
  Ethernet Cabling 37
  Straight-through Cable 37
  Crossover Cable 37
  Rolled Cable 38

Discussion on Linux System Administration …… 39

• The Linux System Administrator 39
• Responsibilities of a System Administrator 39
  Installing and Configuring Servers 39
  Installing and Configuring Application Software 40
  Creating and Maintaining User Accounts 41
  Backing Up and Restoring Files 41
  Monitoring and Tuning Performance 42
  Configuring a Secure System 42
  Using Tools to Monitor Security 43
• Introduction & Installation of Red Hat 8.0 Linux 44
  A Rundown of PC Hardware 44
  CPU 45
  RAM 46
  Hard Disk Space 47
  Checking BIOS Settings 48
  Checking for Supported Hardware 49
  Creating a Red Hat Boot Disk 49
  Partitioning the Hard Disk for Red Hat Linux 50
  Naming Disks and Devices 50
  Mounting a File System on a Device 50
  Understanding the Swap Partition 51
  Installing the Boot Loader 51
  Configuring Password Authentication 51
  Linux Distribution 52
  Tips 54
  Points to be Discussed When We Install 54
  Concept on MBR & 1st Boot Sector 54
  Step by Step Installation (Red Hat Linux 8.0) 55
• Practice of Very Useful Important Commands 61
  Starting, Stopping, Rebooting, Logout the System 61
  To Create Boot Disk 62
  To Know the Status of the Current/Existing Directory 62
  Check the Home Directory 62
  One Way Scrolling 62
  Two Way Scrolling 62
  To Know About the Linux Version 62
• Discussion on Linux File System 62
  The Unix File System 62
  Important Directories and Files 63
• Managing User Account 64
• User Password and Password Change 66
• Account LOCK/UNLOCK and ENABLE/DISABLE 66
• Details about Passwd File 67
• Details About Password Lock/Shadow File 67
• To Change the root Password 68

Introduction to the Unix System …… 69
• What is an Operating System 69
• Unix Features 69
• History of UNIX 70

• The Unix System Layers 71
• The Shell 71
  The Major Features of Shell 72
  Special Features of C Shell 72
  Special Features of Korn Shell 73
• Introduction to Commands 74
  The date Command 75
  The Commands who, w and whoami 75
  The pwd Command 75
  The echo Command 75
  The ls Command 75
  The cat Command 75
  The set noclobber Command 76
  The cd Command 77
  The Commands head and tail 77
  The wc Command 77
  The cp Command 78
  The mv Command 78
  The rm Command 79
  The mkdir Command 79
  The rmdir Command 79
  The file Command 80
  The Directories . and .. 80
• The vi Editor 80
  Text Editing on the Unix System 80
  The Two Modes in vi 80
  How to Start vi 80
  vi Commands 81
  Basic vi Commands 81
  How to Save an Edited File and Stay in vi 81
  How to Save an Edited File and Quit vi 81
  How to Quit vi Without Saving an Edited File 81
  Advanced vi Commands 82
• The Most Important Commands At A Glance 84
• Cursor Movement on the vi Editor 84
• File Creation, Deletion 85
• Concept about Change Directory 86
• Directory Creation, Deletion 86
• Rename/Remove File & Directory 87
• Copy and Move Files and Directories 87

Linux File/Directory Permission …… 89
• Access Permissions 89
• Categories of Users and Permissions 89
• How to See Access Permissions on a File 89
• Permissions 90
• Permissions of Directories 92
• Using chmod with Numbers 92
• The umask Command 92
• Effect of cp and mv Command on Permissions 92

• Mounting and Unmounting Local CD-ROM, Floppy and Windows Drive 93
• Linked File of CD-ROM 94
• To Create Linked File 94
• Software Installation and Un-installation 95

Basic About the Configuration …… 96
• IP Configuration 97
• More about Linux Files 98
• Boot Sequence Change 98
  For RedHat Linux 7.1 98
  For RedHat Linux 8.0 98
• Setting the Logon Messages (motd & issue) 99
• Use of Linux Run Level 100
• Console Enhance/Increase and Decrease 100
  Location of the History File 101
  To Clear the History 101
  e2fsck 101
• CRON 102
• TAR/ZIP/UNZIP 104
• More About Permission 105
  How to Write in the hosts.allow and hosts.deny Files 105
  Ownership Change 106
  Group Change 106
  Change Ownership and Group Combined 106
• Group Creation and Giving Permission 106

Telnet …… 107
• Telecommunications Network Protocol (TELNET) 107
• TELNET Server Configuration 107
• Using telnet for Remote Login 107
• Few Useful Options 108
• Becoming Super User (The su Command) 108
• SSH (Secure Shell) 108

File Transfer Protocol (FTP) …… 109
• Red Hat Linux's Choice: WU-FTPD 109
• Alternative FTP Servers 109
• Installing WU-FTPD 110
• Installing the Binary RPM 110
• Installing and Building the Source RPM 110

• Installing the anonftp Package 111
• Configuring the Server 111
• Configuring User and Host Access 111
• Configuring ftpd 113
• Configuring WU-FTPD Access Control and Permissions 113
• Maintaining the Server 116
• Strengthening FTP Security 118
• Understanding and Mitigating the Risks 118
• Reconfiguring the System Log 119
• Monitoring the Server 121
• FTP Server Configuration 122
• Step-by-step FTP Server Configuration 123

Network File System (NFS) …… 125
• NFS Overview 125
• Understanding NFS 125
• NFS Advantages 126
• NFS Disadvantages 126
• Configuring an NFS Server 127
• Overview of Server Configuration 127
• Designing an NFS Server 127
• Key Files, Commands, and Daemons 129
• NFS Server Configuration and Status Files 129
• /etc/exports Export Options 130
• NFS Server Daemons 133
• NFS Server Scripts and Commands 133
• Configuring an NFS Client 136
• Overview of Client Configuration 136
• Key Files and Commands 136
• NFS Configuration 138

Domain Name System (DNS) …… 140
• DNS Services and Servers 140
• DNS Name Resolution 140
• Types of Name Resolution 140
  Static name resolution 140
  Dynamic client/server based name resolution 140
• Types of BIND Name Server 140
  Caching only server 140
  Forwarder DNS server 140
  Regular DNS server 140
• Regular DNS server 140
  Primary DNS server 140
  Slave DNS server 140

• DNS Query Types 140
  Simple/Iterative DNS query 140
  Recursive DNS query 140
• Log Check and Debugging 141
• DNS Process at Linux/UNIX Systems 141
• BIND Configuration File 141
• DNS Zone Information File Types 141
  Forward lookup zone files 141
  Reverse lookup zone files 141
• Types of Local DNS Server 141
• Examining Server Configuration Files 141
• The Files Required for the Master Domain Server 142
  Zone, Reverse Zone
• A DNS Query 143
• Step By Step Primary DNS Server Configuration 145
  Some Other Information 148
• Secondary DNS 149
  Step By Step Secondary DNS Server Configuration 149
• DNS Client Side Configuration 151

Samba Server Configuration …… 152
• Step by Step SAMBA Server Configuration 152

Mail Server …… 155
• Programs 155
• Mail User Agent (MUA) 155
• Mail Transfer Agent (MTA) 155
• Local Delivery Agent (LDA) 155
• Introducing SMTP 156
• Understanding POP3 156
• Understanding IMAP4 156
• The m4 Macro Processor 157
• Understanding and Managing the Mail Queue 157
• Mail Server Configuration 158
• How POP3 Works 161

Web Server …… 162
• Virtual Hosting 162
• DNS Side 163

• Web Server Side 164
• Name Based Hosting (More Practical) 165
• IP Based Hosting (More Reliable) 166

Proxy Server Configuration …… 168
• Pre Works 168
• To Monitor Client PC from the Server Side 170
• Modem Configuration 170

PPP …… 171
• OUT MOTO 171
• PPP (Point to Point Protocol) 171
• V V I 172
• PPP Client Side 173
• Modem Configuration 173

DHCP Server Configuration …… 174
• DHCP – Dynamic Host Configuration Protocol 174
• Step by Step DHCP Server Configuration 174

Firewall/Security …… 177
• Squid 177
• Syntax 178
• SUDO (Execute a Command as Another User) 178
• ipchains ⇒ firewall 181
• CHAINS 182
• POLICY 182
• IPCHAINS Options Used in the Firewall Script 182
• Location of the Port List File 183
• Location of the Configuration File 183
• Stop Pinging 183

IP Masquerading …… 184
• Server Side 184
• Client Side 184

Radius Server & Terminal Server …… 185
• AAA Server 185
• Software Required for Radius 185
• Software Required for Terminal 185


CHAPTER-ONE Internetworking models:

When networks first came into being, computers could typically communicate only with computers from the same manufacturer. For example, companies ran either a complete DECnet solution or an IBM solution, not both together. The OSI reference model was created by the International Organization for Standardization (ISO) to break this barrier.

The OSI model is the primary architectural model for networks. It describes how data and network information are communicated from an application on one computer through the network media, to an application on another computer. The OSI reference model breaks this approach into layers.

The Layered Approach: A reference model is a conceptual blueprint of how communications should take place.

Advantages of Reference Models: Advantages of using the OSI layered model include, but are not limited to, the following:
• Allows multiple-vendor development through standardization of network components.
• Allows various types of network hardware and software to communicate.
• Prevents changes in one layer from affecting other layers, so it does not hamper development.

7 Layers of the OSI Reference Model: The OSI model has seven different layers divided into two groups.
• The top three layers define how the applications within the end stations will communicate with each other and with users.
• The bottom four layers define how data is transmitted end-to-end.

Network devices that operate at all seven layers of the OSI model include:
• Network management stations (NMS)
• Web and application servers
• Gateways (not default gateways)
• Network hosts

The Application Layer:

The application layer of the OSI model marks the spot where users actually communicate with the computer. This layer only comes into play when it is apparent that access to the network is going to be needed soon.

Fig: The OSI Seven Layers
Application: Provides a user interface
Presentation: Presents data; handles processing such as encryption
Session: Keeps different application data separate
Transport: Provides reliable or unreliable delivery; performs error correction before retransmit
Network: Provides logical addressing which routers use for path determination
Data Link: Combines packets into bytes and bytes into frames; provides access to media using MAC address; performs error detection, not correction
Physical: Moves bits between devices; specifies voltage, wire speed and pin-out of cables

Fig: Layer Functions
Application: File, print, message, database and application services
Presentation: Data encryption, compression and translation services
Session: Dialog control
Transport: End-to-end connection
Network: Routing
Data Link: Framing
Physical: Physical topology

• The application layer acts as an interface between the actual application program, which isn't at all a part of the layered structure, and the next layer down, by providing ways for the application to send information down through the protocol stack.

• The application layer is also responsible for identifying and establishing the availability of the intended communication partner and determining whether sufficient resources for the intended communication exist.

• It only unites communicating components from more than one network application. Prime examples are file transfers and email, as well as enabling remote access, network management activities, client/server processes and information location.

Application Layer Examples:

WWW, email gateways, EDI (Electronic Data Interchange): accounting, shipping/receiving, and order and inventory tracking between businesses.

The Presentation Layer: It presents data to the application layer and is responsible for data translation and code formatting (for example, EBCDIC to ASCII). This layer is essentially a translator and provides coding and conversion functions. A successful data transfer technique is to adapt the data into a standard format before transmission. By providing translation services, the presentation layer ensures that data transferred from the application layer of one system can be read by the application layer of another system. Tasks like compression, decompression, encryption and decryption are associated with this layer. It is also involved in multimedia operations: PICT, TIFF, JPEG, MIDI, MPEG, RTF, QuickTime.

The Session Layer: The session layer is responsible for setting up, managing and tearing down sessions between presentation layer entities. This layer also provides dialogue control between devices or nodes.
• It coordinates communication between systems by offering three different modes: simplex, half duplex and full duplex.
• To sum up, the session layer basically keeps different applications' data separate from other applications' data.
• Examples of session layer protocols and interfaces:
• NFS --> to allow transparent access to remote resources.
• SQL --> on both local and remote systems.

Remote Procedure Call (RPC): A broad client/server redirection tool used for disparate service environments. Its procedures are created on clients and performed on servers.

X-Window: Used by intelligent terminals for communicating with remote Unix computers, allowing them to operate as though they were locally attached monitors.

AppleTalk Session Protocol (ASP): Another client/server mechanism which both establishes and maintains sessions between AppleTalk client/server machines.

Digital Network Architecture Session Control Protocol: A DECnet session layer protocol.

The Transport Layer: The transport layer segments and reassembles data into a data stream. Services located in the transport layer both segment and reassemble data from upper layer applications and unite it onto the same data stream. TCP and UDP both work at the transport layer. TCP is a reliable service, UDP is not.
• The transport layer is responsible for providing mechanisms for multiplexing upper layer applications, establishing sessions and tearing down virtual circuits. It also hides details of any network-dependent information from the higher layers by providing transparent data transfer.
• The transport layer can be connectionless or connection oriented.

Flow Control: Data integrity is ensured at the transport layer by maintaining flow control, which allows users to request reliable data transport between systems. Flow control prevents a sending host from overflowing the buffers of the receiving host, an event that can result in lost data.
• It ensures that the following will be achieved:
1. The segments delivered are acknowledged back to the sender upon their reception.
2. Any segments not acknowledged are retransmitted.
3. Segments are sequenced back into their proper order upon arrival at their destination.
4. A manageable data flow is maintained in order to avoid congestion, overloading and data loss.

Connection Oriented Communication: In reliable transport operation, a device that wants to transmit sets up connection oriented communication with a remote device by creating a session. The transmitting device first establishes a connection oriented session with its peer system, which is called a call setup or a three way handshake. Data is then transferred; when finished, a call termination takes place to tear down the virtual circuit.

Fig: Establishing a connection oriented session (Sender / Receiver). The two sides exchange Synchronize, Negotiate connection, Synchronize and Acknowledge; then the connection is established and data transfer (sending segments) begins.

Let me sum up the steps in the connection-oriented session:
• The three way handshake
• The first "connection agreement" segment is a request for synchronization.
• The second and third segments acknowledge the request and establish connection parameters (the rules) between hosts. The receiver's sequencing is also requested to be synchronized here as well, so that a bi-directional connection is formed.
• The final segment is also an acknowledgement. It notifies the destination host that the connection agreement has been accepted and that the actual connection has been established. Data transfer can now begin.
• Transmitting segments with flow control.

Fig: Flow control between sender and receiver: Transmit; Buffer full, Not ready, STOP; Segment processed, GO; Transmit.

Okay, so what happens when a machine receives a flood of datagrams too quickly for it to process? It stores them in a memory section called a buffer. But this buffering action can only solve the problem if the datagrams are part of a small burst. If not, and the datagram deluge continues, a device's memory will eventually be exhausted, its flood capacity will be exceeded and it will react by discarding any additional datagrams that arrive.

Windowing:

As you can imagine, it would be slow if the transmitting machine had to wait for an acknowledgement after sending each segment. But because there's time available after the sender transmits the data segment and before it finishes processing acknowledgements from the receiving machine, the sender uses the break as an opportunity to transmit more data. The quantity of data segments that the transmitting machine is allowed to send without receiving an acknowledgement for them is called a window.

Fig: Windowing (Sender / Receiver). With a window size of 1: Send, Receive 1, Ack, Send, Receive 2, Ack. With a window size of 3: three segments are sent before a single Ack is returned.

Acknowledgements: It's a technique that requires a receiving machine to communicate with the transmitting source by sending an acknowledgement message back to the sender when it receives data. The sender documents each segment it sends and waits for this acknowledgement before sending the next segments.

Fig: Transport Layer Reliable Delivery (Sender / Receiver). The sender sends segments 1, 2, 3 and the receiver answers Ack 4; the sender sends 4, 5, 6, segment 5 is lost (connection lost) and the receiver answers Ack 5; the sender resends 5 and the receiver answers Ack 7.
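As an added example (not the manual's own material), the following Python models the call setup and the acknowledged, windowed delivery shown in the figures above, including a lost segment and the resulting retransmission; segment numbers, window sizes and initial sequence numbers are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass
class Receiver:
    """Accepts segments in order and answers each with a cumulative ACK naming the
    next segment number it expects (out-of-order segments are not buffered here)."""
    expected: int = 1
    delivered: list = field(default_factory=list)

    def receive(self, seg_num):
        if seg_num == self.expected:
            self.delivered.append(seg_num)
            self.expected += 1
        return self.expected


def three_way_handshake(client_isn, server_isn):
    """The call setup: (flags, sequence number, acknowledgement number) for the
    SYN, SYN+ACK and ACK segments, using constructed initial sequence numbers.
    Each side acknowledges the other's number plus one."""
    syn = ("SYN", client_isn, None)
    syn_ack = ("SYN+ACK", server_isn, client_isn + 1)
    ack = ("ACK", client_isn + 1, server_isn + 1)
    return [syn, syn_ack, ack]


def windowed_transfer(total, window, lost=()):
    """Send segments 1..total, `window` at a time, waiting for one cumulative ACK
    per window. Segments in `lost` are dropped the first time they are sent, so
    the sender resumes from the first unacknowledged segment, as in the figure."""
    rx = Receiver()
    lost = set(lost)
    log = []
    base = 1
    while base <= total:
        ack = rx.expected
        for seg in range(base, min(base + window, total + 1)):
            if seg in lost:
                lost.discard(seg)      # lost once; the retransmission gets through
                log.append("send %d (lost)" % seg)
                continue
            log.append("send %d" % seg)
            ack = rx.receive(seg)
        log.append("ack %d" % ack)
        base = ack                     # resend from the first unacknowledged segment
    return log, rx.delivered


def acks(log):
    """The acknowledgement numbers seen in a transfer log."""
    return [int(entry.split()[1]) for entry in log if entry.startswith("ack")]


if __name__ == "__main__":
    print(three_way_handshake(100, 300))
    log, delivered = windowed_transfer(6, 3, lost={5})
    print("\n".join(log), delivered)
```

With six segments, a window of three and segment 5 lost, the acknowledgements come back as 4, 5 and 7, matching the figure.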

The Network Layer: The network layer manages device addressing, tracks the location of devices on the network and determines the best way to move data, which means that the network layer must transport traffic between devices that aren't locally attached. Routers (layer-3 devices) are specified at the network layer and provide the routing services within an internetwork. It happens like this: first, when a packet is received on a router interface, the destination IP address is checked. If the packet isn't destined for the router itself, the router looks up the destination network address in the routing table. Once the router chooses an exit interface, the packet is sent out on the local network. If the router can't find an entry for the packet's destination network in the routing table, the router drops the packet.

Two types of packets are used at the network layer: data and route updates.
♦ Data packets: Used to transport user data through the internetwork. Protocols used to support data traffic are called routed protocols; examples are IP and IPX.
♦ Route update packets: Used to update neighbor routers about the networks connected to all routers within the internetwork. Protocols that send route update packets are called routing protocols, such as RIP, EIGRP and OSPF. Route update packets are used to help build and maintain routing tables on each router.

Network Addresses: A router must maintain a routing table for each individual routing protocol, because each routing protocol keeps track of a network with a different addressing scheme.

Metric: The distance to the remote network. Different routing protocols use different ways of computing this distance.
• The number of routers a packet passes through en route to a remote network (some routing protocols use something called a hop count), while others use the bandwidth or delay of the line, or even tick count (1/18 of a second).

Here are some points about routers you should really commit to memory.
• Routers, by default, will not forward any broadcast or multicast packets.
• Routers use the logical address in a network layer header to determine the next hop router to forward the packet to.
• Routers can use access lists, created by an administrator, to control security on the types of packets that are allowed to enter or exit an interface.
• Routers can provide layer-2 bridging functions if needed and can simultaneously route through the same interface.
• Layer-3 devices provide connections between virtual LANs (VLANs).
• Routers can provide quality of service (QoS) for specific types of network traffic.
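Added example, not from the manual: the forwarding decision described above, modelled with Python's ipaddress module. The routing table, interface names and addresses are constructed; longest-prefix matching and the broadcast/multicast check go slightly beyond the text, which only says the router looks the destination network up and drops packets it has no entry for.

```python
import ipaddress

# Constructed routing table: (destination network, exit interface, next hop or
# None when the network is directly connected to that interface).
ROUTING_TABLE = [
    ("10.0.0.0/8", "eth1", "10.0.0.2"),
    ("10.1.0.0/16", "eth2", None),
    ("192.168.1.0/24", "eth0", None),
]

# Constructed addresses of this router's own interfaces.
ROUTER_ADDRESSES = {"192.168.1.1", "10.1.0.1", "10.0.0.1"}


def route(dst_ip, table=ROUTING_TABLE, local=ROUTER_ADDRESSES):
    """Forwarding decision for one packet, returned as (action, interface, next_hop):
    "local" when the packet is addressed to the router itself, "drop" for
    broadcast/multicast (not forwarded by default) or for a destination with no
    routing-table entry, otherwise "forward" via the longest matching prefix."""
    dst = ipaddress.ip_address(dst_ip)
    if str(dst) in local:
        return ("local", None, None)
    if dst.is_multicast or str(dst) == "255.255.255.255":
        return ("drop", None, None)
    best = None
    for prefix, iface, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    if best is None:
        return ("drop", None, None)    # no entry and no default route: dropped
    _, iface, next_hop = best
    # On a directly connected network the packet goes straight to its destination.
    return ("forward", iface, next_hop or str(dst))


if __name__ == "__main__":
    for ip in ("10.1.5.5", "10.9.9.9", "172.16.0.1", "192.168.1.1", "224.0.0.9"):
        print(ip, route(ip))
```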

The Data Link Layer: The data link layer provides the physical transmission of the data and handles error notification, network topology and flow control. This means that the data link layer will ensure that messages are delivered to the proper device on a LAN using hardware addresses, and translates messages from the network layer into bits for the physical layer to transmit.
• The data link layer formats the message into pieces, each called a data frame, and adds a customized header containing the hardware destination and source address. The IEEE Ethernet data link layer has two sublayers:

Media Access Control (MAC): 802.3 defines how packets are placed on the media. Contention media access is "first come/first served" access where everyone shares the same bandwidth, hence the name. Physical addressing is defined here as well as logical topologies. Line discipline, error notification (not correction), ordered delivery of frames and optional flow control can also be used at this sublayer.

Logical Link Control (LLC): 802.2 is responsible for identifying network layer protocols and then encapsulating them. An LLC header tells the data link layer what to do with a packet once a frame is received. It works like this: a host will receive a frame and look in the LLC header to find out where the packet is destined for, say the IP protocol at the network layer. The LLC can also provide flow control and sequencing of control bits.

Switches and Bridges at the Data Link Layer: Layer-2 switching is considered hardware based bridging because it uses specialized hardware called an application specific integrated circuit (ASIC). ASICs can run at up to gigabit speeds with very low latency.

CHAPTER 2 Internet Protocol

The TCP/IP suite was created by the Department of Defense (DoD) to ensure and preserve data integrity.

TCP/IP and the DoD Model: It has four layers:
• Process/Application layer
• Host-to-Host layer
• Internet layer
• Network Access layer

Fig: The DoD and OSI Models
OSI Application, Presentation, Session --> DoD Process/Application
OSI Transport --> DoD Host-to-Host
OSI Network --> DoD Internet
OSI Data Link, Physical --> DoD Network Access

The Process/Application layer defines protocols for node-to-node application communication and also controls user interface specification.

The Host-to-Host layer defines protocols for setting up the level of transmission service for applications. It tackles issues such as creating reliable end-to-end communication and ensuring the error free delivery of data. It handles packet sequencing and maintains data integrity.

The Internet layer designates the protocols relating to the logical transmission of packets over the entire network. It takes care of the addressing of hosts by giving them an IP address, and it handles the routing of packets among multiple networks.

The Network Access layer monitors the data exchange between the host and the network. The network access layer oversees hardware addressing and defines protocols for the physical transmission of data.

Fig: TCP/IP Protocol Suite
Process/Application: Telnet, FTP, LPD, SNMP, TFTP, SMTP, NFS, X Window
Host-to-Host: TCP, UDP
Internet: ICMP, ARP, RARP, IP
Network Access: Ethernet, Fast Ethernet, Token Ring, FDDI

TELNET: Telnet is the chameleon of protocols; its specialty is terminal emulation. It allows a user on a remote client machine, called the Telnet client, to access the resources of another machine, the Telnet server. Telnet achieves this by pulling a fast one on the Telnet server and making the client machine appear as though it were a terminal directly attached to the local network. This projection is actually a software image, a virtual terminal that can interact with the chosen remote host.

File Transfer Protocol (FTP): FTP is the protocol that actually lets us transfer files, and it can accomplish this between any two machines using it. But FTP isn't just a protocol; it's also a program. Operating as a protocol, FTP is used by applications. FTP allows access to both directories and files and can accomplish certain types of directory operations, such as relocating into different ones.

Trivial File Transfer Protocol (TFTP): TFTP is a stripped-down, stock version of FTP, but it's the protocol of choice if you know exactly what you want and where to find it, plus it's so easy to use and it's fast too. TFTP has no directory browsing abilities. It can do nothing but send and receive files.

Network File System (NFS): NFS allows two different types of file systems to interoperate. NFS allows for a portion of the RAM on the NT server to transparently store Unix files, which can in turn be used by Unix users.

Simple Mail Transfer Protocol (SMTP): SMTP uses a spooled or queued method of mail delivery. SMTP is used to send mail. POP3 is used to receive mail.

Line Printer Daemon (LPD): The LPD protocol is designed for printer sharing. LPD, along with the LPR (line printer) program, allows print jobs to be spooled and sent to the network's printers using TCP/IP.

X-Window: A GUI designed for client/server operations.

Simple Network Management Protocol (SNMP): It gathers data by polling the devices on the network from a management station at fixed or random intervals, requiring them to disclose information. SNMP receives something called a baseline, a report delimiting the operational traits of a healthy network. The network watchdogs are called agents, and when aberrations occur, agents send an alert called a trap to the management station.

The Host-to-Host Layer Protocols: The main purpose of the host-to-host layer is to shield the upper layer applications from the complexities of the network. Its two protocols are TCP and UDP.

TCP: TCP takes large blocks of information from an application and breaks them into segments. It numbers and sequences each segment so that the destination's TCP protocol can put the segments back into the order the application intended. TCP waits for acknowledgement. Before transmitting, the sending host's TCP protocol contacts the destination's TCP protocol to establish a connection. What is created is known as a virtual circuit; this is called connection oriented communication. During this initial handshake, the two TCP layers also agree on the amount of information that's going to be sent before the recipient's TCP sends back an acknowledgement.

TCP is a full-duplex, connection oriented, reliable and accurate protocol, but establishing all these terms and conditions.

TCP Segment Format:

Bit 0 ............ Bit 15 | Bit 16 ............ Bit 31
Source port (16) | Destination port (16)
Sequence number (32)
Acknowledgement number (32)
Header length (4) | Reserved (6) | Code bits (6) | Window (16)
Checksum (16) | Urgent (16)
Options (0 or 32 if any)
Data (varies)

(24 bytes)

♦ The TCP header is 20 bytes long, or up to 24 bytes with options.

Source Port:

The port number of the application on the host sending the data.

Destination Port: The port number of the application requested on the destination host.

Sequence Number: A number that TCP uses to put the data back in the correct order, or to retransmit missing or damaged data, a process called sequencing.

Acknowledgement number: Acknowledgement number defines which TCP octet is expected next.

Offset: The number of 32-bit words in the TCP header. This indicates where the data begins. The TCP header is always an integral number of 32-bit words in length.

Reserved: Always set to zero.

Page 24: Manual of Linux Networking

15

Code Bits: Control functions used to set up and terminate a session.

Window: The window size, in octets, that the sender is willing to accept.

Check Sum: The CRC, because TCP doesn't trust the lower layers and checks everything. The CRC checks the header and data fields.

Urgent Pointer: Valid only if the urgent (URG) flag in the code bits is set. This value indicates the offset from the current sequence number, in octets, where the first segment of non-urgent data begins.

Option: May be 0 or a multiple of 32 bits if any.

Data: Handed down to the TCP protocol at the Transport layer, which includes the upper layer headers.

User Datagram Protocol (UDP): UDP doesn’t create a virtual circuit nor does it contact the destination before delivering information to it. It’s also considered a connectionless protocol. UDP doesn’t sequence the segments and doesn’t care in which order the segments arrive at the destination.

UDP Segment Format:

Bit 0                                 Bit 15 | Bit 16                          Bit 31
Source port (16)                             | Destination port (16)
Length (16)                                  | Checksum (16)
Data (if any)

(8 bytes)

The UDP segment contains the following fields:

Source port: Port number of the application on the host sending the data.

Destination port: Port number of the application requested on the destination host.

Length of the Segment: Length of the UDP header and UDP data.

CRC: Checksum of both the UDP header and UDP data.

Data: Upper layer data.

UDP, like TCP, doesn’t trust the lower layers and runs its own CRC. Remember that the Frame check sequence ( FCS ) is the field that houses the CRC, which is why you can see the FCS information.

Key Concepts of Host-to-Host protocols:

TCP                       UDP
Sequenced                 Unsequenced
Reliable                  Unreliable
Connection-oriented       Connectionless
Virtual circuit           Low overhead
Acknowledgement           No acknowledgement
Windowing flow control    No windowing or flow control

Port Number: TCP and UDP must use port numbers to communicate with the upper layers, because they're what keeps track of the different conversations crossing the network simultaneously. Originating source port numbers are dynamically assigned by the source host and will equal some number starting at 1024. Port numbers 1023 and below are defined in RFC 3232. Virtual circuits that don't use an application with a well-known port number are assigned port numbers randomly from a specific range instead. These port numbers identify the source and destination application or process in the TCP segment.

Fig: Port Numbers for TCP and UDP

Application layer:  FTP   TELNET   (label missing in figure)   DNS   TFTP   POP3   News
Port numbers:       21    23       666                         53    69     110    119
Transport layer:    TCP   UDP

The different port numbers that can be used are explained next:

Numbers below 1024 are considered well known port numbers and are defined in RFC 3232.


Numbers 1024 and above are used by the upper layers to set up sessions with other hosts and by TCP to use as source and destination addresses in the TCP segment.

The Internet Layer Protocols: There are two main reasons for the Internet layer's existence:

Routing, and providing a single network interface to the upper layers.

None of the other upper or lower layer protocols have any functions relating to routing; that complex and important task belongs entirely to the Internet layer. The Internet layer's second duty is to provide a single network interface to the upper layer protocols.

The following sections describe the protocols at the Internet layer:

Internet Protocol (IP)
Internet Control Message Protocol (ICMP)
Address Resolution Protocol (ARP)
Reverse Address Resolution Protocol (RARP)

Internet Protocol (IP): Internet Protocol (IP) essentially is the Internet layer. The other protocols found here merely exist to support it. Identifying devices on networks requires answering these two questions:

Which network is it on? And what is its ID on that network?

The first answer is the software address, or logical address. The second answer is the hardware address.

All hosts on a network have a logical ID called an IP address. This is the software, or logical, address and contains valuable encoded information that greatly simplifies the complex task of routing. IP receives segments from the Host-to-Host layer and fragments them into datagrams if necessary. IP then reassembles the datagrams back into segments on the receiving side. Each datagram is assigned the IP address of the sender and of the recipient. Each router (layer 3 device) that receives a datagram makes routing decisions based on the packet's destination IP address. The following fields make up the IP header:

Version: IP version number.

Header Length (HLEN): Header length in 32-bit words.

TOS with precedence bits: Type of service tells how the datagram should be handled. The first 3 bits are priority bits.

Total Length: Length of the packet, including header and data.

Identifier: Unique IP-packet value.

Flags: Specifies whether fragmentation should occur.

Fragment offset: Provides fragmentation and reassembly if the packet is too large to put in a frame. It also allows different maximum transmission units (MTUs) on the internet.

TTL: The time to live is set into a packet when it is originally generated. If it doesn't get to where it wants to go before the TTL expires, boom, it's gone. This stops IP packets from continuously circling the network looking for a home.

Protocol: Protocol number of the upper layer protocol (TCP is 6, UDP is 17). Also supports network layer protocols.

Header checksum: Cyclic Redundancy Check (CRC) on the header only.

Source IP address: 32-bit IP address of the sending station.

Destination IP address: 32-bit IP address of the station this packet is destined for.

IP option: Used for network testing, debugging, security and more.

Data: After the IP option field comes the upper layer data.

Bit 0                                          Bit 15 | Bit 16                              Bit 31
Version (4) | Header length (4) | Priority and type of service (8) | Total length (16)
Identification (16)                                   | Flags (3) | Fragment offset (13)
Time to live (8) | Protocol (8)                       | Header checksum (16)
Source IP address (32)
Destination IP address (32)
Options (0 or 32 if any)
Data (varies if any)

(20 bytes without options)

Fig: The Protocol field in an IP header

Transport layer:    TCP   UDP
Protocol numbers:   6     17
Internet layer:     IP
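The TCP and UDP segment formats above and the IP header fields just listed, as an added example that is not from the manual: it builds and parses the three headers with Python's struct module, computes the 16-bit ones' complement Internet checksum (RFC 1071) that the manual refers to as a CRC, and shows what a router must do with the TTL and header checksum at each hop. Addresses, ports and payloads are constructed sample values.

```python
# Added example, not from the manual: build and parse the IPv4, TCP and UDP
# headers described above. The checksum is the 16-bit ones' complement sum of
# RFC 1071 (the manual calls it a CRC). All packet bytes are constructed here.
import struct

IP_HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header, no options
TCP_HDR = "!HHIIHHHH"      # 20-byte TCP header, no options
UDP_HDR = "!HHHH"          # 8-byte UDP header
CODE_BITS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # TCP code bits 0..5

def internet_checksum(data: bytes) -> int:
    """Value for a checksum field. Run over data whose checksum field is already
    correct, the result is 0, which is how the receiver verifies it."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(o) for o in b)

def pseudo_header(src: str, dst: str, proto: int, length: int) -> bytes:
    """TCP and UDP checksums also cover these Internet-layer fields."""
    return struct.pack("!4s4sBBH", ip_to_bytes(src), ip_to_bytes(dst), 0, proto, length)

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    ver_hlen = (4 << 4) | 5                  # version 4, HLEN = 5 x 32-bit words
    hdr = struct.pack(IP_HDR, ver_hlen, 0, 20 + len(payload), 0x1234, 0, ttl, proto, 0,
                      ip_to_bytes(src), ip_to_bytes(dst))
    csum = internet_checksum(hdr)            # header checksum covers the header only
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    ver_hlen, tos, total, ident, ff, ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, pkt[:20])
    hlen = (ver_hlen & 0x0F) * 4
    return {"version": ver_hlen >> 4, "header_len": hlen, "tos": tos, "total_len": total,
            "id": ident, "flags": ff >> 13, "frag_offset": ff & 0x1FFF, "ttl": ttl,
            "protocol": proto, "src": bytes_to_ip(src), "dst": bytes_to_ip(dst),
            "checksum_ok": internet_checksum(pkt[:hlen]) == 0, "payload": pkt[hlen:total]}

def forward_hop(pkt: bytes):
    """What every router does: decrement TTL, discard at zero, fix the checksum."""
    hlen = (pkt[0] & 0x0F) * 4
    ttl = pkt[8] - 1
    if ttl <= 0:
        return None                          # TTL expired: datagram is dropped
    hdr = bytearray(pkt[:hlen])
    hdr[8] = ttl
    hdr[10:12] = b"\x00\x00"                 # zero the field before recomputing
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[hlen:]

def build_tcp(src, dst, sport, dport, seq, ack, flags, window, payload=b"", urgent=0):
    off_flags = (5 << 12) | (flags & 0x3F)   # data offset 5 words, 6 reserved bits zero
    seg = struct.pack(TCP_HDR, sport, dport, seq, ack, off_flags, window, 0, urgent) + payload
    csum = internet_checksum(pseudo_header(src, dst, 6, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def parse_tcp(seg: bytes, src: str, dst: str) -> dict:
    sport, dport, seq, ack, off_flags, window, _csum, urgent = struct.unpack(TCP_HDR, seg[:20])
    hlen = (off_flags >> 12) * 4
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "header_len": hlen,
            "flags": [n for i, n in enumerate(CODE_BITS) if off_flags & (1 << i)],
            "window": window, "urgent": urgent, "data": seg[hlen:],
            "checksum_ok": internet_checksum(pseudo_header(src, dst, 6, len(seg)) + seg) == 0}

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    length = 8 + len(payload)
    dgram = struct.pack(UDP_HDR, sport, dport, length, 0) + payload
    csum = internet_checksum(pseudo_header(src, dst, 17, length) + dgram)
    return dgram[:6] + struct.pack("!H", csum or 0xFFFF) + dgram[8:]   # 0 means "none"

def parse_udp(dgram: bytes, src: str, dst: str) -> dict:
    sport, dport, length, csum = struct.unpack(UDP_HDR, dgram[:8])
    ok = csum == 0 or internet_checksum(pseudo_header(src, dst, 17, length) + dgram[:length]) == 0
    return {"src_port": sport, "dst_port": dport, "length": length,
            "checksum_ok": ok, "data": dgram[8:length]}

if __name__ == "__main__":
    syn = build_tcp("10.1.1.1", "10.1.1.2", 40000, 23, 1000, 0, 0x02, 8192)  # SYN to telnet
    pkt = build_ipv4("10.1.1.1", "10.1.1.2", 6, syn)
    ip = parse_ipv4(pkt)
    print(ip["src"], "->", ip["dst"], "proto", ip["protocol"], "ttl", ip["ttl"])
    print(parse_tcp(ip["payload"], ip["src"], ip["dst"])["flags"])
```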

Internet Control Message Protocol (ICMP): ICMP works at the Network layer and is used by IP for many different services. ICMP is a management protocol and messaging service provider for IP. Its messages are carried as IP datagrams.

The following are some common events and messages that ICMP relates to:

Destination Unreachable: If a router can’t send an IP datagram any further, it uses ICMP to send a message back to the sender, advising it of the situation.


Buffer full: If a router's memory buffer for receiving incoming datagrams is full, it will use ICMP to send out this message until the congestion abates.

Hops: Each IP datagram is allotted a certain number of routers, called hops, to pass through. If it reaches its limit of hops before arriving at its destination, the last router to receive that datagram deletes it.

Ping: Ping (Packet Internet Grouper) uses ICMP echo messages to check the physical and logical connectivity of machines on an internetwork.

Trace route: Using ICMP timeouts, trace route is used to discover the path a packet takes as it traverses an internetwork.

Address Resolution Protocol (ARP): ARP finds the hardware address of a host from a known IP address. When IP has a datagram to send, it must inform a Network Access Protocol, such as Ethernet or Token Ring, of the destination's hardware address on the local network. If IP doesn't find the destination host's hardware address in the ARP cache, it uses ARP to find this information. As IP's detective, ARP interrogates the local network by sending out a broadcast asking the machine with the specified IP address to reply with its hardware address. So basically, ARP translates the software (IP) address into a hardware address. ARP resolves IP addresses to Ethernet (MAC) addresses.

Fig: Local ARP broadcast

Host 10.1.1.1: "I need the Ethernet address." (broadcast: IP 10.1.1.2 = ???)
Host 10.1.1.2: "I heard that broadcast. This message is for me. Here is my Ethernet address." (IP: 10.1.1.2, Ethernet: 4524.7985.7734)


Reverse Address Resolution Protocol (RARP): When an IP machine happens to be a diskless machine, it has no way of initially knowing its IP address. But it does know its MAC address. RARP discovers the identity of the IP address for the diskless machine by sending out a packet that includes its MAC address and a request for the IP address assigned to that MAC address. A designated machine, called a RARP server, responds with the answer and the identity crisis is over. RARP uses the information it does know about the machine's MAC address to learn its IP address and complete the machine's ID portrait.

RARP resolves Ethernet (MAC ) addresses to IP addresses.

Fig: RARP broadcast example

Diskless host (Ethernet: 4524.7985.7734, IP = ???): "What's my IP address?"
RARP server: "I heard that broadcast. Your IP is 192.168.111.4" (Ethernet: 4524.7985.7734 = IP: 192.168.111.4)


CHAPTER-THREE IP ADDRESSING

An IP address is a numeric identifier assigned to each machine on an IP network. An IP address is a software address, not a hardware address; the latter is hard-coded on a NIC and used for finding hosts on a local network.

IP TERMINOLOGY:

♦ Bit → A bit is one digit; either a 1 or a 0.
♦ Byte → A byte is 7 or 8 bits, depending on whether parity is used; always assume a byte is 8 bits.
♦ Octet → An octet, made up of 8 bits, is just an ordinary 8-bit binary number.
♦ Network Address → This designation is used in routing to send packets to a remote network. For example: 10.0.0.0, 172.16.0.0, 192.168.10.0.
♦ Broadcast Address → The address used by applications and hosts to send information to all nodes on a network is called the broadcast address. For example, 172.16.255.255 broadcasts to all subnets and hosts on network 172.16.0.0, and 10.255.255.255 broadcasts to all subnets and hosts on network 10.0.0.0.

The Hierarchical IP Addressing Scheme:

An IP address consists of 32 bits of information. These bits are divided into four sections, called octets or bytes, each containing 1 byte ( 8 bits ) .

Dotted decimal, as in 172.16.30.56
Binary, as in 1010 1100. 0001 0000. 0001 1110. 0011 1000
Hexadecimal, as in AC.10.1E.38

Network Addressing: The network address uniquely identifies each network. Every machine on the same network shares that network address as part of its IP address. In the IP address 172.16.30.56 for example, 172.16.0.0 is the network address. The node address uniquely identifies each machine on a network. In the sample IP address 172.16.30.56, the 30.56 is the node address.

Summary of the three classes of networks:

Class   8 bits      8 bits      8 bits      8 bits
A       Network     Host        Host        Host
B       Network     Network     Host        Host
C       Network     Network     Network     Host
D       Multicast
E       Research


Network Address Range:: Class A: The designers of the IP address scheme said that the first bit of the first byte in a class A network address must always be off, or 0. This means that a class A address must be between 0 and 127 inclusive. Consider the following network address:

0xxx xxxx

If we turn the other 7 bits all off and then turn them all on, we'll find the class A range of network addresses:

0000 0000 = 0
0111 1111 = 127

In a class A address the first octet is between 0 and 127.

Network Address Range:: Class B: In a class B network, the first bit of the first octet must always be turned on, but the second bit must always be off. If you turn the other 6 bits all off and then all on, you will find the range for a class B network:

1000 0000 = 128
1011 1111 = 191

A class B network is defined when the first byte is configured from 128 to 191.

Network Address Range:: Class C: For class C networks, the first 2 bits of the first octet are always turned on, but the third bit can never be on.

1100 0000 = 192
1101 1111 = 223

So, if you see an IP address that starts at 192 and goes to 223, you will know it is a class C IP address.

Network Address Range:: Classes D & E: The addresses between 224 and 255 are reserved for class D and E networks. Class D (224 – 239) is used for multicast addresses and class E (240 – 255) for scientific purposes.


Network Addresses: Special Purpose Reserved IP Addresses:

Address                                              Function
Network address of all 0's                           Interpreted to mean "this network or segment".
Network address of all 1's                           Interpreted to mean "all networks".
Network 127.0.0.1                                    Reserved for loopback tests. Designates the local node and allows that node to send a test packet to itself without generating network traffic.
Node address of all 0's                              Interpreted to mean "network address" or any host on the specified network.
Node address of all 1's                              Interpreted to mean "all nodes" on the specified network; for example, 128.2.255.255 means all nodes on network 128.2 (class B address).
Entire IP address set to all 0's (0.0.0.0)           Used by Cisco routers to designate the default route; could also mean any network.
Entire IP address set to all 1's (255.255.255.255)   Broadcast to all nodes on the current network; sometimes called an "all 1's broadcast" or limited broadcast.

Class A Addresses: In class A, the first byte is assigned to the network address and the three remaining bytes are used for the node address. The class A format is: network.node.node.node. For example, in the IP address 49.22.102.70, the 49 is the network address and 22.102.70 is the node address. Every machine on this particular network would have the distinctive network address of 49. The actual number of usable class A network addresses is 128 - 2 = 126.

Each class A address has three bytes ( 24 bit positions ) for the node address of a machine. This means there are 2^24 or 16,777,216 unique combinations and therefore, precisely that many possible unique node addresses for each class A network. The actual maximum usable number of nodes for a class A network is 2^24 – 2 which equals to 16,777,214.

Class A valid Host IDs:

All host bits off is the network address: 10.0.0.0
All host bits on is the broadcast address: 10.255.255.255

Class B Addresses: In a class B network address, the first two bytes are assigned to the network address and the remaining two bytes are used for the node address. The format is: network.network.node.node. For example, in the IP address 172.16.30.56, the network address is 172.16 and the node address is 30.56. A class B address uses two bytes for node addresses. This is 2^16 - 2 (the two reserved bit patterns) for a total of 65,534 possible node addresses for each class B network.


Class B valid Host IDs:

All host bits turned off is the network address: 172.16.0.0
All host bits turned on is the broadcast address: 172.16.255.255

The valid hosts would be the numbers in between the network address and the broadcast address: 172.16.0.1 through 172.16.255.254.

Class C Addresses: The first three bytes of a class C network address are dedicated to the network portion of the address, with only one measly byte remaining for the node address. The format is: network.network.network.node. Using the example IP address 192.168.100.102, the network address is 192.168.100 and the node address is 102. In a class C network address, the first three bit positions are always the binary 110. The calculation is 3 bytes, or 24 bits, minus 3 reserved positions, which leaves 21 positions. Hence, there are 2^21 or 2,097,152 possible class C networks. Each unique class C network has one byte to use for node addresses. This leads to 2^8 = 256, and 256 - 2 = 254 node addresses.

Class C valid Host IDs:

All host bits turned off is the network address: 192.168.100.0
All host bits turned on is the broadcast address: 192.168.100.255

The valid hosts would be the numbers in between the network address and the broadcast address: 192.168.100.1 through 192.168.100.254.

Private IP Address: These addresses can be used on a private network, but they are not routable through the internet. This is designed for the purpose of creating a measure of well-needed security, but it also conveniently saves valuable IP address space. This is economical because companies can use private IP addresses on their inside networks and get along just fine. To accomplish this task, the ISP and the corporation (the end user, no matter who they are) need to use something called a network address translator (NAT), which basically takes a private IP address and converts it for use on the internet.

TABLE: Private IP Address:

Address Class   Reserved Address Space
Class A         10.0.0.0 to 10.255.255.255
Class B         172.31.0.0 to 172.31.255.255
Class C         192.168.110.0 to 192.168.110.255


Broadcast Addresses:

Here, we discuss four different types of broadcast:

Layer 2 Broadcasts: These are sent to all nodes on a LAN.
Layer 3 Broadcasts: These are sent to all nodes on a network.
Unicast: These are sent to a single destination host.

Network Address Translation (NAT): In NAT terminology, the inside network is the set of networks that are subject to translation. The outside network refers to all other addresses, usually those located on the internet. NAT operates on a Cisco router – generally only connecting two networks together – and translates your private addresses within the internal network into public addresses before any packets are forwarded to another network.

This functionality gives you the option to configure NAT so that it will advertise only a single address for your entire network to the outside world.

⇒ There are different flavors of NAT:

Static NAT: Designed to allow one-to-one mapping between local and global addresses. This requires you to have one real internet IP address for every host on your network.

Dynamic NAT: Designed to map an unregistered IP address to a registered IP address from out of a pool of registered IP addresses. You don't have to statically configure your router to map an inside to an outside address as in static NAT, but you do have to have enough real IP addresses for everyone who wants to send packets to and from the internet.

Overloading: The popular type. Overloading is a form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address (many-to-one) by using different ports. Therefore, it's known as port address translation (PAT). By using PAT, you can have thousands of users connect to the internet using only one real global address.

Subnetting Basics: It's a question: what happens if you wanted to take one network address and create six networks from it? You would have to do something called subnetting, because that's what allows you to take one larger network and break it into a bunch of smaller networks.


Benefits of Subnetting:

Reduced network traffic: By using routers, most traffic will stay on the local network; only packets destined for other networks will pass through the router. Routers create broadcast domains. The smaller the broadcast domains you create, the less network traffic on that network segment.

Optimized network performance: This is a result of reduced network traffic.

Simplified management: It's easier to identify and isolate network problems in a group of smaller connected networks than within one gigantic network.

Facilitated spanning of large geographical distances: Because WAN links are considerably slower and more expensive than LAN links, a single large network that spans long distances can create problems in every arena listed above. Connecting multiple smaller networks makes the system more efficient.

Methods to create Subnets: To create subnetworks, you take bits from the host portion of the IP address and reserve them to define the subnet address.

To determine how to create subnets, follow these steps:

1) Determine the number of required network IDs:
   One for each subnet.
   One for each wide area network connection.

2) Determine the number of required host IDs per subnet:
   One for each TCP/IP host.
   One for each router interface.

3) Based on the above requirements, create the following:
   One subnet mask for your entire network.
   A unique subnet ID for each physical segment.
   A range of host IDs for each subnet.


Subnet MASKs: Every machine on the network must know which part of the host address will be used as the subnet address. This is accomplished by assigning a subnet mask to each machine. A subnet mask is a 32-bit value that allows the recipient of IP packets to distinguish the network ID portion of the IP address from the host ID portion of the IP address.

Default subnet mask:

Class   Format                          Default subnet mask
A       Network.node.node.node          255.0.0.0
B       Network.Network.node.node       255.255.0.0
C       Network.Network.Network.node    255.255.255.0

Classless Inter-Domain Routing (CIDR): It's a method that ISPs use to allocate an amount of addresses to a company, a home, a customer.

From an ISP you will find an address like: 192.168.10.32 /28. The slash (/) notation means how many bits are turned on (1s). The maximum could only be /32 because a byte is 8 bits. The largest subnet mask available can only be a /30 because you have got to keep at least 2 bits for host bits.

For instance, the class A subnet mask is 255.0.0.0. The 255.0.0.0 is considered a /8 because it has 8 bits that are 1's, that is, 8 bits that are turned on.

TABLE:: CIDR values

Subnet mask     CIDR value
255.0.0.0       /8
255.128.0.0     /9
255.192.0.0     /10
255.224.0.0     /11
255.240.0.0     /12
255.248.0.0     /13
255.252.0.0     /14
255.254.0.0     /15
255.255.0.0     /16

*************************** AND SO ON ********* ENJOY IT*****************************


Subnetting Class C Address: In a class C address, only 8 bits are available for defining the hosts. Remember that subnet bits start at the left and go to the right, without skipping bits. This means that the only class C subnet masks can be the following:

Binary      Decimal   Shorthand
1000 0000   128       /25 (not valid on the Cisco example)
1100 0000   192       /26
1110 0000   224       /27
1111 0000   240       /28
1111 1000   248       /29
1111 1100   252       /30
1111 1110   254       /31 (not valid)

The Binary Method: Subnetting a class C Address: In this section we will discuss how to subnet a class C address using the binary method. I will start by using the first subnet mask available with a class C address, which borrows 2 bits for subnetting. We use here 255.255.255.192:

192 = 1100 0000

The 1's represent the subnet bits and the 0's represent the host bits available in each subnet. 192 provides 2 bits for subnetting and 6 bits for defining the hosts in each subnet.

What are the subnets? Since the subnet bits can't both be off or both be on at the same time, the only two valid subnets are these:

0100 0000 = 64 (all host bits off)
1000 0000 = 128 (all host bits off)

The valid hosts would be defined as the numbers between the subnets, minus the all host bits off and all host bits on numbers.

TABLE:: SUBNET 64:

Subnet   Host       Value   Meaning
01       00 0000    = 64    The network (do this first)
01       00 0001    = 65    The 1st valid host
01       11 1110    = 126   The last valid host
01       11 1111    = 127   The broadcast address (do this second)

TABLE:: SUBNET 128:

Subnet   Host       Value   Meaning
10       00 0000    = 128   The subnet address
10       00 0001    = 129   The 1st valid host
10       11 1110    = 190   The last valid host
10       11 1111    = 191   The broadcast address


The Fast Way:: Subnetting a class C Address: To subnet a class C address you should have the answers to five simple questions:

How many subnets does the chosen subnet mask produce?
How many valid hosts per subnet are available?
What are the valid subnets?
What's the broadcast address of each subnet?
What are the valid hosts in each subnet?

ANSWER:

How many subnets? 2^x - 2 = number of subnets. 'x' is the number of masked bits, or the 1s. For example, in 1100 0000 the number of ones gives us 2^2 - 2 subnets. In this example there are 2 subnets.

How many hosts per subnet? 2^y - 2 = number of hosts per subnet. 'y' is the number of unmasked bits, or the 0s. For example, in 1100 0000 the number of zeros gives us 2^6 - 2 = 62 hosts per subnet.

What are the valid subnets? 256 - subnet mask (the interesting octet) = block size, or base number. For example, 256 - 192 = 64 is the first subnet. The next subnet would be the base number plus itself, or 64 + 64 = 128. You keep adding the base number to itself until you reach the value of the subnet mask, which is not a valid subnet because all subnet bits would be turned on (1s).

What's the broadcast address for each subnet? The broadcast address is all host bits turned on, which is the number immediately preceding the next subnet.

What are the valid hosts? Valid hosts are the numbers between the subnets, omitting all 0s and all 1s.
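The big five questions above, as an added example that is not from the manual, in Python: it follows the manual's classful convention (2^x - 2 subnets, 2^y - 2 hosts, block size 256 minus the interesting octet) for class A, B and C networks, and also answers the "which subnet does this address fall in" question. The networks and masks used are sample values taken from the practice examples.

```python
# Added example, not from the manual: the "big five" subnetting answers in code.
# Uses the manual's classful convention: the all-0s and all-1s subnets and the
# all-0s and all-1s host numbers are not counted (2^x - 2 and 2^y - 2).

def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(o) for o in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def mask_bits(mask: str) -> int:
    """CIDR value: how many 1s are turned on (255.255.255.192 -> 26).
    Rejects masks whose 1s do not run contiguously from the left."""
    m = ip_to_int(mask)
    bits = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError("subnet bits must be contiguous from the left: " + mask)
    return bits

def classful_prefix(network: str) -> int:
    """Default mask length from the first octet: class A /8, B /16, C /24."""
    first = int(network.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E address cannot be subnetted: " + network)

def block_size(mask: str) -> int:
    """256 minus the 'interesting' (last non-zero) octet, e.g. 256 - 192 = 64."""
    interesting = [int(o) for o in mask.split(".") if int(o) != 0][-1]
    return 256 - interesting

def subnet_plan(network: str, mask: str) -> dict:
    """Answer the five questions for a classful network and its subnet mask."""
    prefix = mask_bits(mask)
    x = prefix - classful_prefix(network)    # borrowed subnet bits
    y = 32 - prefix                          # remaining host bits
    if x < 1 or y < 2:
        raise ValueError("need at least 1 subnet bit and 2 host bits")
    base = ip_to_int(network)
    ranges = []
    for i in range(1, 2 ** x - 1):           # skip the all-0s and all-1s subnets
        sub = base + (i << y)                # e.g. i=1, y=6 -> .64; i=2 -> .128
        bcast = sub + (1 << y) - 1           # all host bits on
        ranges.append({"subnet": int_to_ip(sub), "first_host": int_to_ip(sub + 1),
                       "last_host": int_to_ip(bcast - 1), "broadcast": int_to_ip(bcast)})
    return {"subnets": 2 ** x - 2, "hosts_per_subnet": 2 ** y - 2,
            "block_size": block_size(mask), "ranges": ranges}

def locate(host: str, mask: str) -> dict:
    """Subnetting in your head: which subnet an address lives in, its broadcast,
    and whether the address is a usable host or one of the two reserved values."""
    m = ip_to_int(mask)
    h = ip_to_int(host)
    sub = h & m                              # subnet: host bits cleared
    bcast = sub | (~m & 0xFFFFFFFF)          # broadcast: host bits set
    role = "network" if h == sub else "broadcast" if h == bcast else "host"
    return {"subnet": int_to_ip(sub), "broadcast": int_to_ip(bcast), "role": role}

if __name__ == "__main__":
    plan = subnet_plan("192.168.10.0", "255.255.255.192")
    print(plan["subnets"], "subnets,", plan["hosts_per_subnet"], "hosts each, block", plan["block_size"])
    for r in plan["ranges"]:
        print(r["subnet"], r["first_host"], r["last_host"], r["broadcast"])
    print(locate("192.168.10.33", "255.255.255.224"))
```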

**************Subnetting practice Examples: class C Addresses:

Practice Example #1C: 255.255.255.192 (/26)

Network address = 192.168.10.0
Subnet mask = 255.255.255.192

Now let's answer the big five questions:

♦ Since 192 is 2 bits on (1100 0000), the answer would be 2^2 - 2 = 2.
♦ We have 6 host bits off (1100 0000), so the equation would be 2^6 - 2 = 62 hosts.
♦ 256 - 192 = 64, which is the first subnet and our base number or block size. 64 + 64 = 128, 128 + 64 = 192, which is invalid because it is the subnet mask. The two valid subnets are 64 and 128.
♦ The number right before the value of the next subnet is all host bits turned on and equals the broadcast address.
♦ The valid hosts are the numbers between the subnet and broadcast address.


The subnet (do this first)               64     128
Our first host                           65     129
Our last host                            126    190
The broadcast address (do this second)   127    191

Practice Example #2C: 255.255.255.224 (/27)

Network address = 192.168.10.0
Subnet mask = 255.255.255.224

♦ 224 is 1110 0000, so our equation would be 2^3 - 2 = 6.
♦ 2^5 - 2 = 30 hosts.
♦ 256 - 224 = 32, 32 + 32 = 64, 64 + 32 = 96, 96 + 32 = 128, 128 + 32 = 160, 160 + 32 = 192, 192 + 32 = 224, which is invalid because it is our subnet mask. Our subnets are 32, 64, 96, 128, 160 and 192.
♦ The broadcast address for each subnet is always the number right before the next subnet.
♦ Valid hosts are the numbers between the subnet and broadcast address.

The subnet address (do this first)       32    64    96     128    160    192
The first valid host                     33    65    97     129    161    193
The last valid host                      62    94    126    158    190    222
The broadcast address (do this second)   63    95    127    159    191    223

Practice Example #3C: 255.255.255.240 (/28)

Network address = 192.168.10.0
Subnet mask = 255.255.255.240

♦ 240 is 1111 0000 in binary, so our equation would be 2^4 - 2 = 14.
♦ 2^4 - 2 = 14 hosts.
♦ 256 - 240 = 16, 16 + 16 = 32, 32 + 16 = 48, 48 + 16 = 64, 64 + 16 = 80, 80 + 16 = 96, 96 + 16 = 112, 112 + 16 = 128, 128 + 16 = 144, 144 + 16 = 160, 160 + 16 = 176, 176 + 16 = 192, 192 + 16 = 208, 208 + 16 = 224, 224 + 16 = 240, which is invalid because it is our subnet mask. Our subnets are 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208 and 224.
♦ The broadcast address for each subnet is always the number right before the next subnet.
♦ Valid hosts are the numbers between the subnet and broadcast address.

The subnet address      16   32   48   64   80   96   112   128   144   160   176   192   208   224
The first valid host    17   33   49   65   81   97   113   129   145   161   177   193   209   225
The last valid host     30   46   62   78   94   110  126   142   158   174   190   206   222   238
The broadcast address   31   47   63   79   95   111  127   143   159   175   191   207   223   239


Practice Example #4C: 255.255.255.248 (/29)

Network address = 192.168.10.0
Subnet mask = 255.255.255.248

♦ 248 is 1111 1000 in binary, so our equation would be 2^5 - 2 = 30.
♦ 2^3 - 2 = 6 hosts.
♦ 256 - 248 = 8, then 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, 128, 136, 144, 152, 160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240.
♦ The broadcast address for each subnet is always the number right before the next subnet.
♦ Valid hosts are the numbers between the subnet and broadcast address.

Subnet   First host   Last host   Broadcast
8        9            14          15
16       17           22          23
24       25           30          31
32       33           38          39
40       41           46          47
48       49           54          55
56       57           62          63
64       65           70          71
72       73           78          79
80       81           86          87
88       89           94          95
96       97           102         103
104      105          110         111
112      113          118         119
120      121          126         127
128      129          134         135
136      137          142         143
144      145          150         151
152      153          158         159
160      161          166         167
168      169          174         175
176      177          182         183
184      185          190         191
192      193          198         199
200      201          206         207
208      209          214         215
216      217          222         223
224      225          230         231
232      233          238         239
240      241          246         247


Practice Example #6C: 255.255.255.128 (/25): It's directed by Cisco that using only 1 subnet bit was considered illegal in the original RFCs and that you ought not to do that. But aren't most rules meant to be broken? This mask can be used when you need two subnets, each with 126 hosts.

Subnet mask = 255.255.255.128

So, if you have an IP address of 192.168.10.5 using the 255.255.255.128 subnet mask, you know it's in the range of the 0 subnet and bit number 128 must be off. If you have an IP address of 192.168.10.189, then 128 must be on, and the host is considered to be in the 128 subnet.

NB: Cisco says "do as we say, not as we do". ******* ENJOY IT*******

Subnetting Class B Address:

Let's look at all the possible class B subnet masks first:

255.255.128.0 (/17)
255.255.192.0 (/18)
255.255.224.0 (/19)
255.255.240.0 (/20)
255.255.248.0 (/21)
255.255.252.0 (/22)
255.255.254.0 (/23)
255.255.255.0 (/24)
255.255.255.128 (/25)
255.255.255.192 (/26)
255.255.255.224 (/27)
255.255.255.240 (/28)
255.255.255.248 (/29)
255.255.255.252 (/30)

****************Subnetting practice Examples:: class B Addresses:

Practice Example #1B: 255.255.192.0 (/18)

Network address = 172.16.0.0
Subnet mask = 255.255.192.0

♦ Subnets? 2^2 - 2 = 2
♦ Hosts? 2^14 - 2 = 16,382 (6 bits in the 3rd octet and 8 bits in the 4th)
♦ Valid subnets? 256 - 192 = 64, 64 + 64 = 128
♦ Broadcast address for each subnet?
♦ Valid hosts?

The following table shows the two subnets available, the valid host range and the broadcast address for each:


The subnet               64.0       128.0
First host               64.1       128.1
Last host                127.254    191.254
The broadcast address    127.255    191.255

Practice Example #2B: 255.255.240.0 (/20)

Network address = 172.16.0.0
Subnet mask = 255.255.240.0

♦ Subnets? 2^4 - 2 = 14
♦ Hosts? 2^12 - 2 = 4096 (6 bits in the 3rd octet and 8 bits in the 4th)
♦ Valid subnets? 256 - 240 = 16, 32, 48, 64, 80, 96, 112, 128, 144, 160, 176, 192, 208 and 224. Note that these are the same numbers as a class C 240 mask.
♦ Broadcast address for each subnet?
♦ Valid hosts?

Subnet   First host   Last host   Broadcast
16.0     16.1         31.254      31.255
32.0     32.1         47.254      47.255
48.0     48.1         63.254      63.255
64.0     64.1         79.254      79.255
80.0     80.1         95.254      95.255
96.0     96.1         111.254     111.255
112.0    112.1        127.254     127.255
128.0    128.1        143.254     143.255
144.0    144.1        159.254     159.255
160.0    160.1        175.254     175.255
176.0    176.1        191.254     191.255
192.0    192.1        207.254     207.255
208.0    208.1        223.254     223.255
224.0    224.1        239.254     239.255

Practice Example #6B: 255.255.255.192 (/26)

Network address = 172.16.0.0
Subnet mask = 255.255.255.192

♦ Subnets? 2^10 - 2 = 1022
♦ Hosts? 2^6 - 2 = 62
♦ Valid subnets? 256 - 192 = 64, 128.
♦ Broadcast address for each subnet?
♦ Valid hosts?

Page 43: Manual of Linux Networking

34

Subnet First host Last host broadcast 0.64 0.65 0.126 0.127 0.128 0.129 0.190 0.191 1.0 1.1 1.62 1.63 1.64 1.65 1.126 1.127 1.128 1.129 1.190 1.191 …. …. … …

Practice Example #7B: 255.255.255.224 (/27)

Network address = 172.16.0.0
Subnet mask = 255.255.255.224
♦ Subnets? 2^11 – 2 = 2046
♦ Hosts? 2^5 – 2 = 30
♦ Valid subnets? 256 – 224 = 32, 64, 96, 128, 160 and 192.
♦ Broadcast address for each subnet?
♦ Valid hosts?

Subnet    First host   Last host   Broadcast
0.32      0.33         0.62        0.63
0.64      0.65         0.94        0.95
0.96      0.97         0.126       0.127
0.128     0.129        0.158       0.159
0.160     0.161        0.190       0.191
…         …            …           …

Subnetting Class A Address: Class A subnetting is not performed any differently from classes B and C, but there are 24 bits to play with instead of the 16 in a class B address and the 8 bits in a class C address:

Let’s start by listing all the class A subnet masks:

255.128.0.0 (/9)
255.192.0.0 (/10)
255.224.0.0 (/11)
255.240.0.0 (/12)
255.248.0.0 (/13)
255.252.0.0 (/14)
255.254.0.0 (/15)
255.255.0.0 (/16)
255.255.128.0 (/17)
255.255.192.0 (/18)
255.255.224.0 (/19)
255.255.240.0 (/20)
255.255.248.0 (/21)
255.255.252.0 (/22)
255.255.254.0 (/23)
255.255.255.0 (/24)
255.255.255.128 (/25)
255.255.255.192 (/26)
255.255.255.224 (/27)
255.255.255.240 (/28)
255.255.255.248 (/29)
255.255.255.252 (/30)

Subnetting Practice Examples: Class A Addresses

Practice Example #1A: 255.255.0.0 (/16)

Network address = 10.0.0.0
Subnet mask = 255.255.0.0
♦ Subnets? 2^8 – 2 = 254
♦ Hosts? 2^16 – 2 = 65,534
♦ Valid subnets? 256 – 255 = 1, 2, 3, etc.
♦ Broadcast address for each subnet?
♦ Valid hosts?

The following table shows the first and last subnet, valid host range and broadcast address:

The subnet    10.1.0.0        …   10.254.0.0
First host    10.1.0.1        …   10.254.0.1
Last host     10.1.255.254    …   10.254.255.254
Broadcast     10.1.255.255    …   10.254.255.255

Subnetting in Your Head: Class C Addresses

192.168.10.33 = Node address
255.255.255.224 = Subnet mask

First, determine the subnet and broadcast address of the above IP address. You can do this by answering question 3 of the big five questions: 256 – 224 = 32, 32 + 32 = 64. The address falls between the two subnets and must be part of the 192.168.10.32 subnet. The next subnet is 64, so the broadcast address is 63. The valid host range is 33 to 62. This is too easy! Not convinced? Okay then, try another one.

192.168.10.33 = Node address
255.255.255.240 = Subnet mask

• 256 – 240 = 16, 32, 48. The host address lies between the 32 and 48 subnets, so the subnet is 192.168.10.32 and the broadcast address is 47. The valid host range is 33 – 46.
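The arithmetic behind the class A and class B practice examples and the “subnetting in your head” walkthrough above, as an added Python example that is not part of the manual: it answers the big five questions for a classful network and places a host address in its subnet. The function names (big_five, subnet_in_your_head) are this example’s own; the 2^n – 2 subnet count follows the manual’s convention of excluding the all-zeros and all-ones subnets, and the standard library’s ipaddress module is used only as a cross-check.

```python
"""Classful subnet calculator for the manual's "big five questions": how many
subnets, how many hosts, the valid subnets (block size), each subnet's
broadcast address and its valid host range.  Added example, not from the
manual.  The arithmetic is done on 32-bit integers the way the manual does it
by hand; ipaddress is only used to cross-check the result."""
import ipaddress

def class_default_prefix(first_octet: int) -> int:
    """Default mask length of a classful address (A = /8, B = /16, C = /24)."""
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError("class D/E addresses are not subnetted")

def ip_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> str:
    """/27 -> 255.255.255.224"""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)

def block_size(prefix: int) -> int:
    """Question 3 of the big five: 256 minus the mask value of the 'interesting'
    octet, e.g. 256 - 224 = 32 for /27 and 256 - 240 = 16 for /20."""
    interesting_octet = prefix_to_mask(prefix).split(".")[(prefix - 1) // 8]
    return 256 - int(interesting_octet)

def big_five(network: str, prefix: int, rows: int = 3) -> dict:
    """Answer the five questions for a classful network carved up with the given
    prefix.  The subnet count uses the manual's 2^n - 2 convention, so the table
    starts at the first non-zero subnet, as the manual's tables do."""
    net = ip_to_int(network)
    borrowed = prefix - class_default_prefix(net >> 24)
    if borrowed < 1 or prefix > 30:
        raise ValueError("must borrow at least 1 subnet bit and keep 2 host bits")
    host_bits = 32 - prefix
    size = 1 << host_bits                 # addresses per subnet
    subnet_count = (1 << borrowed) - 2
    table = []
    for i in range(1, min(rows, subnet_count) + 1):
        base = net + i * size
        table.append({
            "subnet": int_to_ip(base),
            "first_host": int_to_ip(base + 1),
            "last_host": int_to_ip(base + size - 2),
            "broadcast": int_to_ip(base + size - 1),
        })
    return {
        "mask": prefix_to_mask(prefix),
        "subnets": subnet_count,
        "hosts": size - 2,
        "block_size": block_size(prefix),
        "table": table,
    }

def subnet_in_your_head(host: str, prefix: int) -> dict:
    """Place a host in its subnet as the walkthrough does: find the block the
    host falls in; the next block minus one is the broadcast address."""
    h = ip_to_int(host)
    host_bits = 32 - prefix
    subnet = (h >> host_bits) << host_bits          # clear the host bits
    broadcast = subnet | ((1 << host_bits) - 1)     # set the host bits
    result = {
        "subnet": int_to_ip(subnet),
        "first_host": int_to_ip(subnet + 1),
        "last_host": int_to_ip(broadcast - 1),
        "broadcast": int_to_ip(broadcast),
    }
    # Cross-check the hand method against the standard library.
    check = ipaddress.ip_network(f"{host}/{prefix}", strict=False)
    assert str(check.network_address) == result["subnet"]
    assert str(check.broadcast_address) == result["broadcast"]
    return result

if __name__ == "__main__":
    s = big_five("172.16.0.0", 20)
    print(f"172.16.0.0 {s['mask']}: {s['subnets']} subnets, {s['hosts']} hosts")
    for row in s["table"]:
        print("   ", row)
    print(subnet_in_your_head("192.168.10.33", 27))
```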


EIA/TIA

EIA/TIA: the Electronic Industries Association and the newer Telecommunications Industry Association, whose 568A and 568B standards define the pin assignments below.

Straight Through

Pin   568B          568A
1     O/W – W       G/W – W
2     O/W – O       G/W – G
3     G/W – W       O/W – W
4     BL/W – BL     BL/W – BL
5     BL/W – W      BL/W – W
6     G/W – G       O/W – O
7     BR/W – W      BR/W – W
8     BR/W – BR     BR/W – BR

O => ORANGE, BL => BLUE, G => GREEN, BR => BROWN, RJ => REGISTERED JACK

Ethernet Cabling

Ethernet cabling is an important discussion, especially if you are planning on taking the Cisco CCNA exam. The types of Ethernet cables available are straight-through cable, crossover cable, and rolled cable.

Straight-through Cable

This type of Ethernet cable is used to connect:

• Host to switch or hub • Router to switch or hub

Four wires are used in straight-through cable to connect Ethernet devices. It is relatively simple to create this type; the following figure shows the four wires used in a straight-through Ethernet cable.

Figure: Straight-through Ethernet cable (pins 1, 2, 3 and 6 on one end wired to pins 1, 2, 3 and 6 on the other)

Notice that only pins 1, 2, 3 and 6 are used. Just connect 1 to 1, 2 to 2, 3 to 3, and 6 to 6, and you’ll be up and networking in no time.

Crossover Cable

This type of Ethernet cable can be used to connect:

• Switch to switch
• Hub to hub
• Host to host

The same four wires are used in this cable as in the straight-through cable, but we just connect different pins together. The following figure shows how the four wires are used in a crossover Ethernet cable.

Figure: Crossover Ethernet cable (pin 1 wired to pin 3 and pin 2 to pin 6 on each side)

Notice that instead of connecting 1 to 1, etc., here we connect pins 1 to 3 and 2 to 6 on each side of the cable.

Rolled Cable

Although this type isn’t used to connect any Ethernet connections together, you can use a rolled Ethernet cable to connect a host to a router console serial communication (COM) port. If you have a Cisco router or switch, you would use this cable to connect your PC running HyperTerminal to the Cisco hardware. Eight wires are used in this cable to connect serial devices. The following figure shows the eight wires used in a rolled cable.

Figure: Rolled Ethernet cable (all eight wires, with the pin order reversed from one end to the other)

These are probably the easiest cables to make, because you just cut the end off on one side of a straight-through cable and reverse the end.


CHAPTER-FOUR Discussion on Linux System Administration

The Linux System Administrator

The Linux system administrator is more likely to understand the necessity of active system administration than are those who run whatever came on the computer, assuming that things came from the factory properly configured. The user or enterprise that decides on Linux has decided, too, to assume the control that Linux offers, and the responsibilities that this entails.

By its very nature as a modern, multi-user operating system, Linux requires a degree of administration greater than that of less robust home market systems. This means that even if you are using a single machine connected to the Internet by a dial-up modem, or not even connected at all, you have the benefits of the same system employed by some of the largest businesses in the world, and will do many of the things that the IT professionals employed by those companies are paid to do. Administering your system does involve a degree of learning, but it also means that in setting up and configuring your own system you gain skills and understanding that raise you above mere “computer user” status. The Linux system administrator does not achieve that mantle by having purchased a computer but instead by having taken full control of what his or her computer does and how it does it.

The nature of system administration in Linux is surprisingly constant, no matter how large or small your installation. It merely involves enabling and configuring features you already have available.

By definition, the Linux system administrator is the person who has “root” access, which is to say the one who is the system’s “super user” (or root user). A standard Linux user is limited as to the things he or she can do with the underlying engine of the system. But the “root” user has unfettered access to everything: all user accounts, their home directories, and the files therein; all system configurations; and all files on the system. A certain body of thought says that no one should ever log in as “root”, because system administration tasks can be performed more easily and safely through other, more specific means, which I discuss in due course.

Responsibilities of a System Administrator

The system administrator has full system privileges, so the first duty is to know what you’re doing lest you break something. The word “duties” implies a degree of drudgery; in fact, they’re a manifestation of the tremendous flexibility of the system measured against the responsibility to run a tight installation. These duties do not so much constrain the system administrator as free him or her to match the installation to the task. But all are likely employed to some degree in every system. Let’s take a brief look at them.

Installing and Configuring Servers

In the Linux world, the word “server” has a meaning that is broader than you might be used to. For instance, the standard Red Hat Linux graphical user interface (GUI) requires a graphical layer called XFree86. This is a server. It runs even on a standalone machine with one user account. It must be configured. (Fortunately, Red Hat Linux has made this a simple and painless part of installation on all but the most obscure combinations of video card and monitor; gone are the days of anguish configuring a graphical desktop.) Likewise, printing in Linux takes place only after you have configured a print server. Again, this has become so easy as to be nearly trivial.


In certain areas the client-server nomenclature can be confusing, though. While you cannot have a graphical desktop without a server, you can have World Wide Web access without a Web server, file transfer protocol (FTP) access without running an FTP server, and Internet e-mail capabilities without ever starting a mail server. You may well want to use these servers, all of which are included in Red Hat Linux, but then again you may not. And whenever a server is connected to other machines outside your physical control, there are security implications: you want users to have easy access to the things they need, but you don’t want to open up the system you’re administering to the whole wide world.

Linux distributions used to be shipped with all imaginable servers turned on by default. This was a reflection of an earlier, more polite era in computing, when people did not consider vandalizing other people’s machines to be good sport. But the realities of a modern, more dangerous world have dictated that all but essential servers are off unless specifically enabled and configured. This duty falls to the system administrator. You need to know what servers you need and how to employ them, and to be aware that it is bad practice and a potential security nightmare to enable services that the system isn’t using and doesn’t need. Fortunately, the following pages show you how to carry out this aspect of system administration easily and efficiently.

Installing and Configuring Application Software

This may seem redundant, but it’s crucial that the new Linux system administrator understand two characteristics that set Linux apart from popular commercial operating systems: the first is the idea of the root or super user, and the second is that Linux is a multiuser operating system. Each user has (or shares) an account on the system, be it on a separate machine or on a single machine with multiple accounts.

One reason that these concepts are crucial is found in the administration of application software (productivity programs). While it is possible for individual users to install some applications in their home directories (drive space set aside for their own files and customizations), these applications are not available to other users without the intervention of the system administrator. Besides, if an application is to be used by more than one user, it probably needs to be installed higher up in the Linux file hierarchy, which is a job that can be performed by the system administrator only. (The administrator can even decide which users may use which applications by creating a “group” for that application and enrolling individual users into that group.)

New software packages might be installed in /opt, if they are likely to be upgraded separately from the Red Hat Linux distribution itself; by so doing, it’s simple to retain the old version until you are certain the new version works and meets expectations. Some packages may need to go in /usr/local or even /usr, if they are upgrades of packages installed as part of Red Hat Linux. (For instance, there are sometimes security upgrades of existing packages.) The location of the installation usually matters only if you compile the application from source code; if you use a Red Hat Package Manager (RPM) application package, it automatically goes where it should.

Configuration and customization of applications is to some extent at the user’s discretion, but not entirely. “Skeleton” configurations (administrator-determined default configurations) set the baseline for user employment of applications. If there are particular forms, for example, that are used throughout an enterprise, the system administrator would set them up or at least make them available by adding them to the skeleton configuration. The same applies, too, in configuring user desktops and even in deciding what applications should appear on user desktop menus. Your company may not want the games that ship with modern Linux desktops to be available to users. And you may want to add menu items for newly installed or custom applications. The system administrator brings all this to pass.


Creating and Maintaining User Accounts

Not just anyone can show up and log on to a Linux machine. An account must be created for each user and, you guessed it, no one but the system administrator may do this. That’s simple enough. But there’s more, and it involves decisions that either you or your company must make. You might want to let users select their own passwords, which would no doubt make them easier to remember, but which probably would be easier for a malefactor to crack. You might want to assign passwords, which is more secure in theory but which increases the likelihood that users will write them down on a conveniently located scrap of paper, a risk if many people have access to the area where the machine(s) is located. You might decide that users must change their passwords periodically; you can configure Red Hat Linux to prompt users to do so.

And what to do about old accounts? Perhaps someone has left the company. What happens to his or her account? You probably don’t want him or her to continue to have access to the company network. On the other hand, you don’t want to simply delete the account, perhaps to discover later that essential data resided nowhere else.

To what may specific users have access? It might be that there are aspects of your business that make World Wide Web access desirable, but you don’t want everyone spending their working hours surfing the Web. If your system is at home you may wish to limit your children’s access to the Web, which contains sites to which few if any parents would want their children exposed. These issues and others are parts of the system administrator’s duties in managing user accounts. Whether the administrator or his or her employer establishes the policies governing them, those policies should be established, in an enterprise preferably in writing, for the protection of all concerned.

Backing Up and Restoring Files

Until equipment becomes absolutely infallible, and until people lose their desire to harm the property of others (and, truth be known, until system administrators become perfect), there is a need to back up important files so that in the event of a failure of hardware, security, or administration, the system can be up and running again with minimal disruption. Only the system administrator may do this. (Because of its built-in security features, Linux may not even allow users to back up their own files to floppy disks.)

Again, knowing that file backup is your job is not enough. You need to formulate a backup strategy. If you have a high-capacity tape drive and several good sets of restore diskettes, you might make a full system backup every few days. If you are managing a system with scores of users, you might find it more sensible to back up user accounts and system configuration files, figuring that reinstallation from the distribution CDs would be quicker and easier than getting the basics off a tape archive. (Don’t forget the applications you’ve installed separately from your Red Hat Linux distribution, especially the heavily customized ones!)

Once you’ve decided what to back up, you need to decide how frequently you want to perform backups, whether you wish to maintain a series of incremental backups (adding only the files that have changed since the last backup) or multiple full backups, and when these backups are to be performed: do you trust an automated unattended process? Or, if you have input as to the equipment used, do you want to use a redundant array of independent disks, or RAID, which is to say multiple hard drives all containing the same data as insurance against the failure of any one of them, in addition to other backup systems? (A RAID is not enough, because hard drive failure is not the only means by which a system can be brought to a halt.)


Conversely, you do not want to become complacent or to foster such an attitude among users. Part of your strategy should be the maintenance of perfect backups without ever needing to resort to them. This means encouraging users to keep multiple copies of their own important files, all in their home directories, so that you are not being asked to mount a backup so as to restore a file that a user has corrupted. (And if the system is stand-alone, you as your own system administrator might want to make a practice of backing up configuration and other important files.) The chances are that even if you’re working for a company, you’ll make these decisions; all your boss wants is a system that works perfectly, all the time.

Backing up is only half the story, too. You need to formulate a plan for bringing the system back up in the event of a failure. Such a plan extends to areas outside the scope of this book. Sometimes hardware failures are so severe that the only solution is replacing the hard drive, replacing everything except the hard drive, or even restoring from backup to a whole new machine.

Monitoring and Tuning Performance

The default installation of Red Hat Linux goes a long way toward capitalizing on existing system resources. But there is no “one size fits all” configuration, and Linux is infinitely configurable, or close to it. On a modern stand-alone system, Linux is going to be pretty quick, and if it isn’t, there’s something wrong, something that is up to the system administrator to fix. But you might want to squeeze that one last little bit of performance out of your hardware. Or you might have a number of people using the same fileserver, mail server, or other shared machine, in which case seemingly small improvements in system performance can mean a lot.

System tuning is an ongoing process aided by a variety of diagnostic and monitoring tools. Some performance decisions are made at installation time, while others are added or tweaked later. A good example is the use of the hdparm utility, which can increase throughput in IDE drives considerably, but for some high-speed modes a check of system logs will show that faulty or inexpensive cables can, in combination with hdparm, produce an enormity of nondestructive but system-slowing errors.

Proper monitoring allows you to detect a misbehaving application that might be consuming more resources than it should or failing to exit completely on close. Through the use of system performance tools you can determine when hardware (such as memory, added storage, or even something as elaborate as a hardware RAID) should be upgraded for more cost-effective use of a machine in the enterprise or for complicated computational tasks such as three-dimensional rendering. Possibly most important, careful system monitoring and diagnostic practices give you an early heads-up when a system component is showing early signs of failure, so that any potential downtime can be minimized. Combined with the resources for determining which components Red Hat Linux best supports, performance monitoring can result in replacement components, which are far more robust and efficient in some cases.

Configuring a Secure System

If there is a common thread in Linux system administration, something that is a constant presence in everything you do, it is the security of the computer and data integrity. What does this mean? Well, just about everything. The system administrator’s task, first and foremost, is to make certain that no data on the machine or network are likely to become corrupted, whether by hardware or power failure, by misconfiguration or user error (to the extent that the latter can be avoided), or by malicious or inadvertent intrusion from elsewhere. It means doing all the tasks described throughout this chapter well and with a full understanding of their implications, and it means much more.


No one involved in computing can have failed to hear of the succession of increasingly serious attacks upon machines connected to the Internet. The majority of these have not targeted Linux systems, but that doesn’t mean that Linux systems have been entirely immune, either to direct attack or to the effects of attacks on machines running other operating systems. In one Distributed Denial of Service (DDoS) attack aimed at several major online companies, many of the “zombie” machines (those which had been exploited so that the vandals could employ thousands of machines instead of just a few) were running Linux that had not been patched to guard against a well-known security flaw. In the various “Code Red” attacks of the summer of 2001, Linux machines themselves were invulnerable, but the huge amount of traffic generated by this “worm” infection nevertheless prevented many Linux machines from getting much Web-based work done for several weeks, so fierce was the storm raging across the Internet. And few Internet e-mail users have gone without receiving at least some “SirCam” messages: nonsensical messages from strangers with randomly selected files from the strangers’ machines attached. While this infection did not corrupt Linux machines as it did those running a different operating system, anyone on a dial-up connection who had to endure the download of several megabytes of infected mail would scarcely describe himself or herself as unaffected by the attack.

Depending on how and to what a Linux machine is connected, the sensitivity of the data it contains and the uses to which it is put, security can be as simple as turning off unneeded services, monitoring the Red Hat Linux security mailing list to make sure that all security advisories are followed, and otherwise engaging in good computing practices to make sure the system runs robustly. Or it can be an almost full-time job involving levels of security permissions within the system and the systems to which it is connected, elaborate firewalling to protect not just Linux machines but machines that, through their use of non-Linux software, are far more vulnerable, and physical security, making sure no one steals the machine itself!

For any machine that is connected to any other machine, security means hardening against attack and making certain that no one is using your machine as a platform for launching attacks against others. If you are running Web, FTP, or mail servers, it means giving access to those who are entitled to it while locking out everyone else. It means making sure that passwords are not easily guessed and not made available to unauthorized persons, that disgruntled former employees no longer have access to the system, and that no unauthorized person may copy files from your machine or machines.

Security is an ongoing process. It has been said that the only really secure computer is one that contains no data and that is unplugged from networks and even power supplies, has no keyboard attached, and resides in a locked vault. While that is theoretically true, it also implies that security diminishes the usefulness of the machine, don’t you think? So your job as a system administrator is to strike just the right balance between maximum utility and maximum safety, all the while bearing in mind that confidence in a secure machine today says nothing about the machine’s security tomorrow. In the pages that follow, you’ll learn about the many tools that Red Hat Linux provides to help you guard against intrusion, even to help you prevent intrusion into non-Linux machines that may reside on your network. Linux is designed from the beginning with security in mind, and in all of your tasks you should maintain that same security awareness.

Using Tools to Monitor Security

Crackers (people who, for purposes of larceny or to amuse themselves, like to break into other people’s computers) are a clever bunch. If there is a vulnerability in a system, they will find it. Fortunately, the Linux development community is quick to find potential exploits and to find ways of slamming shut the door before crackers can enter. Fortunately, too, Red Hat is diligent in making available new, patched versions of packages in which potential exploits have been found. So your first and best security tool is making sure that whenever a security advisory is issued, you download and install the repaired package. This line of defense can be annoying, but it is nothing compared to rebuilding a compromised system. And as good as the bug trackers are, sometimes their job is reactive. Preventing the use of your machine for nefarious purposes and guarding against intrusion are, in the end, your responsibility alone.


Again, Red Hat Linux equips you with tools to detect and deal with unauthorized access of many kinds. As this book unfolds, you’ll learn how to install and configure these tools and how to make sense of the warnings they provide. Pay careful attention to those sections and do what they say. If your machine is connected to the Internet, you will be amazed at the number of attempts that are made to break into your machine. And you’ll be struck by how critical an issue security is.

Introduction & Installation of Red Hat 8.0 Linux

A Rundown of PC Hardware

Computers are built from several components that must interact with each other in highly controlled ways. If a single component misbehaves or if the interactions go awry, the computer as a whole will malfunction in subtle or obvious ways. Major components in computers include the following:

Motherboard: the motherboard (also sometimes called the mainboard) holds the CPU, RAM, and plug-in cards. It contains circuitry that “glues” all these components together. The motherboard determines what type of memory and CPU the computer can hold. It also includes the BIOS, which controls the boot process, and it usually has built-in support for hard disks, floppy disks, serial ports, and other common hardware.

CPU: the CPU is the computer’s brain-it performs most of the computations that result in a system’s ability to crunch numbers in a spreadsheet, lay out text in a word processor, transform PostScript to printer-specific formats for a print queue, and so on. To be sure, some computations are performed by other components, such as some video computations by a video card, but the CPU does the bulk of the computational work.

Memory: Computers hold various types of memory; the most common general classes of these are random access memory (RAM) and read-only memory (ROM). There are several varieties of each of these. Memory holds data, which can include Linux software and the data upon which that software operates. Memory varies in access speed and capacity.

Disk storage: Disk storage, like memory, is used to retain data. Disk storage is slower than memory, but usually higher in capacity. Typically, Linux itself resides on disk storage, and when the system boots, parts of Linux are loaded into RAM. In addition to the common hard disks, there are lower-capacity removable disks, CD-ROMs, and so on. Disks are controlled through EIDE or SCSI circuitry on the motherboard or separate cards. As a general rule, Linux doesn’t need specific drivers for disks, but Linux does need drivers for the controller.

Video hardware: Video hardware includes the video card and the monitor. The video card may or may not literally be a separate card; sometimes it’s built into the motherboard. Collectively, video hardware provides the primary means for a computer to communicate with its user, but Linux has the ability to do so through other computers’ video hardware. Linux’s video support is provided in two ways: through standard text-mode features in the kernel that work with just about any video card; and through drivers in XFree86, Linux’s GUI package, that work with most cards, but not absolutely all of them.

Input devices: the keyboard and mouse allow you to give commands to the computer. These devices are well standardized, although there are a few variants of each type. Linux requires no unusual drivers for most common keyboards and mice (including trackballs and similar mouse alternatives), but if you use USB devices, you may need to use a recent kernel (2.2.18 or 2.4.0 or later).


Network devices: in most business settings, network hardware consists of an Ethernet card or a card for a similar type of computer network. Such networks link several computers together over a few tens or hundreds of feet, and they can interface to larger networks. Even many homes now use such a network. It’s also possible to link computers via modems, which use telephone lines to create a low-speed network over potentially thousands of miles. These devices are usually quiescent until late in the boot process, when Linux may launch programs to begin network interactions. There are ways to boot a computer via network connections, though.

Audio hardware: Many workstations include audio hardware, which lets the system create sounds and digitize sounds using microphones or other audio input devices. These aren’t critical to basic system functioning, though; Linux will boot quite well without a sound card.

♦ CPU

Linux was originally developed for Intel’s popular 80x86 (or x86 for short) line of CPUs. In particular, a 386 was the original development platform. (Earlier CPUs in the line lack features required by Linux.) Linux also works on subsequent CPUs, including 486, Pentium, Pentium MMX, Pentium Pro, Pentium II, Pentium III, Pentium 4, and Celeron. In addition to working on Intel-brand CPUs, x86 versions of Linux also work on competitors’ x86-compatible chips. Today, the most important of these are the AMD K6 series, Athlon, and Duron. VIA also sells a line of CPUs originally developed by Cyrix and IDT, but in 2001 these lag substantially behind the offerings from Intel and AMD in speed. A few other companies have sold x86-compatible CPUs in the past, but these companies have failed or been consumed by others. As a general rule, Linux has no problems with CPUs from any of the x86 CPU manufacturers. When a new CPU is introduced, Linux distributions occasionally have problems booting and installing on it, but such problems are usually fixed quickly.

In addition to x86 CPUs, Linux runs on many other CPUs, including the Apple/IBM/Motorola PowerPC (PPC), Compaq’s (formerly DEC’s) Alpha, and the SPARC CPU in Sun workstations. Linux is most mature on x86 hardware, and that hardware tends to be less expensive than hardware for other architectures, so it’s generally best to buy x86 hardware for Linux. To date, x86 systems use 32-bit internal registers, although Pentium systems and above have 64-bit links to memory. Some non-x86 systems use 64-bit internal registers, and both Intel and AMD are developing 64-bit CPUs. Intel’s architecture, IA-64, is implemented in the Itanium CPU; IA-64 works best with code that has been specially designed for the IA-64 architecture. The Linux kernel works on IA-64, and some IA-64 Linux distributions are available. AMD is developing a different 64-bit version of the x86 architecture, known as x86-64. The code name for AMD’s 64-bit CPU is Hammer, and the company hopes to release this CPU by the end of 2001.

When comparing CPU performance, most people look at the chips’ speeds in megahertz (MHz) or gigahertz (GHz; 1 GHz is 1,000 MHz). This measure is useful when comparing CPUs of the same type; for instance, a 750 MHz Athlon is slower than a 900 MHz Athlon. Comparing across CPU models is trickier, because one model may be able to do more in a single CPU cycle than another can. What’s worse, this comparison may differ according to the nature of the computation. For instance, in general, x86 CPUs have a reputation for poor floating-point math performance, although they’ve been improving on this measure in recent years. Thus, an Intel CPU might be the equal of an Alpha in most tasks, but the Alpha might have a substantial advantage in applications that require floating-point math, such as ray tracing and certain scientific applications. When comparing different CPUs (for instance, Pentium 4 to Athlon), you should look at a measure such as MIPS (millions of instructions per second) or a benchmark test that’s relevant to your intended application. The Linux kernel uses a measure called BogoMIPS as a calibration loop when it boots, but this is not a valid measure of CPU performance; it’s used only to calibrate some internal timing loops. The best measure is how quickly the software you use runs on both CPUs.

CPUs plug into specific motherboards, which are the main (and sometimes the only) major circuit board in a computer. The motherboard contains a chipset, which implements major functions such as an EIDE controller, an interface between the CPU and memory, an interface to the keyboard, and so on. Linux works with most motherboards, although on occasion Linux doesn’t support an integrated video or audio chipset for which Linux drivers are immature or non-existent. The key consideration in choosing a motherboard is that it is compatible with the CPU you buy, both its model and its speed. If you buy a preassembled system, this won’t be a concern.

♦ RAM

RAM comes in several forms, the most common of which in 2001 is the dual inline memory module (DIMM). Older motherboards and some other components use the single inline memory module (SIMM) format, which comes in both 30-pin and 72-pin varieties. A few motherboards use RDRAM inline memory modules (RIMMs), which physically resemble DIMMs but use a special type of RAM known as Rambus dynamic RAM (RDRAM). Motherboards host sockets for particular types of memory: 30-pin SIMM sockets in many 486 and older motherboards, 72-pin SIMM sockets in some 486 and Pentium-class motherboards, DIMM sockets in most Pentium and later motherboards, and RIMM sockets in some Pentium II and later motherboards. Depending upon the module and CPU type, you may need to add modules singly, in pairs, or in groups of four. Pentium and later systems take 72-pin SIMMs in pairs and DIMMs or RIMMs singly.

In addition to differences in physical interfaces, RAM varies in its electronic characteristics. RAM today is largely derived from dynamic RAM (DRAM), which has spawned many improved variants, such as fast page mode (FPM) DRAM, extended data out (EDO) DRAM, synchronous DRAM (SDRAM), double data rate (DDR) SDRAM, and RDRAM. Most motherboards accept just one or two types of RAM, and with the exception of RDRAM and RIMMs, the physical format of the memory does not clearly indicate the RAM’s electronic type. In 2001, most motherboards accept some combination of SDRAM, DDR SDRAM, or RDRAM, and possibly one or two lesser varieties. DDR SDRAM and RDRAM are the speed champions today, and each has its adherents. DDR SDRAM uses fairly conventional improvements to regular DRAM, delivering fast memory access by using a wide (64-bit) and moderately fast (100-133 MHz, transferring data on both edges of each clock cycle) bus. RDRAM uses a more unusual design in which the RIMM uses a narrow (16-bit) but unusually fast (800 MHz) bus externally and a separate bus within the RIMM that uses a more conventional configuration.

RAM also varies in how well it copes with errors. Computer memory is composed of individual bits, which are binary (base 2) digits: each is either 1 or 0. A byte is composed of eight bits. If a single bit changes its value, say because of a cosmic ray hitting the memory, the data becomes corrupt. This can cause subtle or extreme errors in computations, or it can result in other data being corrupted. Some memory modules (parity memory) incorporate a ninth bit in each byte as an error-detection bit. This bit is encoded to indicate whether an even or odd number of the other eight bits in the byte are set. If an error occurs, the motherboard’s memory controller can detect this fact. Unfortunately, the usual result is a system crash, the idea being that it’s better to crash the computer than to propagate bad data. Error-correcting code (ECC) memory goes a step further: it can correct single-bit errors and detect double-bit errors, which is why servers generally use it.

All of these characteristics apply to main memory, which, as you might imagine, is the main type of memory in a computer. Motherboards or CPUs also support another type of memory, though: cache memory. A computer has much less cache memory than main memory (typically under 1MB), but the cache memory is much faster. The system stores frequently used data in the cache, which results in a substantial performance increase. Typically, two caches exist. The first, known as the L1 cache, resides in the main part of the CPU and is a few kilobytes in size.
On Pentium-class and earlier systems, the second cache, known as L2, is on the motherboard and can sometimes be upgraded. On Pentium Pro, Athlon, and later systems, the L2 cache is on the CPU package, but it’s not part of the same chip as the CPU. A few motherboards that take CPUs with an on-board L2 cache also provide a cache on the motherboard. In this configuration, the motherboard’s cache is known as the L3 cache. Linux itself is unconcerned with these details. To Linux, memory is memory, and the OS doesn’t particularly care what physical or electronic form the memory takes or whether it supports any form of error detection or correction. All these details are handled by the motherboard, which is why it’s so important that your memory match the motherboard’s requirements.

♦ Hard Disk Space

The great divide in hard disks is between EIDE and SCSI devices. Both of these buses come in a variety of speeds, ranging from less than 10 MBps (megabytes per second) to 160 MBps, with higher speeds on the way. In order to achieve a given speed, both the hard disk and its interface must support the same speed. For instance, using an old 10 MBps Fast SCSI drive with an 80 MBps Ultra2 Wide SCSI host adapter will yield only 10 MBps, not 80 MBps. It’s important to distinguish between the speed of the interface and the speed of the device. Manufacturers typically emphasize the speed of the interface, but the mechanical device usually can’t sustain these speeds. A hard disk might have an 80 MBps Ultra2 Wide SCSI interface but be capable of only 35 MBps sustained transfer rates. Manufacturers express the device’s true maximum speed as an internal transfer rate, as opposed to the external transfer rate (of the interface). To further confuse matters, many manufacturers give the internal transfer rate in megabits per second (Mbps), but the external rate in megabytes per second (MBps). If you fail to do the appropriate conversion (dividing or multiplying by 8), you’ll erroneously believe that the interface is the bottleneck in data transfers to and from the device. Disks can transfer data at their external transfer rate only when the data has previously been read from the platters into the drive’s internal cache. For this reason, external speeds substantially higher than internal speeds produce only modest benefits, and disks with large caches are preferable to those with small caches. As a general rule, SCSI devices are preferred in computers in which disk performance is important. There are several reasons for this:

• Depending upon the variety of SCSI, each SCSI host adapter can support 7-15 devices on one hardware interrupt. There are only 15 interrupts available in the x86 architecture, and many are reserved for critical hardware like the keyboard. EIDE, by contrast, supports just two devices per cable (and hence per interrupt), although most motherboards include support for two chains (using two interrupts), for a total of four devices.

• SCSI devices multitask better than do EIDE devices. Given sufficient capacity on the SCSI host adapter, multiple SCSI devices can be engaged in data transfers at full speed. EIDE, by contrast, dedicates its full capacity to one device per chain, even if that device can’t use the EIDE controller’s full capacity.

• Hard disk manufacturers tend to release their fastest and highest capacity drives in SCSI format. EIDE drives tend to be slower and smaller.

These advantages are substantial, but for many situations they’re overwhelmed by one advantage of EIDE: it’s less expensive. As just mentioned, modern x86 motherboards ship with support for two EIDE chains, so there’s no need to buy an EIDE controller. EIDE hard disks are also typically less expensive than SCSI devices of the same capacity, although the EIDE drives are often slower. On the whole, SCSI is worthwhile when disk performance is important or when you need to support a large number of storage devices (including CD-ROM, DVD-ROM, removable disk, and tape drives). For most low-end and even mid-range workstations, though, EIDE’s lower cost makes it appealing, and EIDE performance is adequate for many such systems. Fortunately, Linux’s support for both EIDE and SCSI adapters is excellent. Most EIDE controllers can be run in an old-style (and slow) mode using generic drivers, but faster speeds often require explicit driver support. Therefore, you may want to check on Linux’s EIDE drivers for your motherboard or EIDE controller. There is no generic SCSI host adapter support, so you must have support for your specific SCSI host adapter. Once you configure Linux to work with an EIDE controller or a SCSI host adapter, you don’t need to worry about support for specific models of disk. If you recompile your kernel, you need to explicitly include support for hard disks or any other device attached to your adapter, but this support is present by default in all major Linux distributions. You can purchase hard disks and other storage devices on the basis of capacity, speed, and the reputation for quality of a manufacturer or model.

♦ Checking BIOS Settings

The Basic Input/Output System (BIOS) is the lowest-level software component in a computer. The CPU runs BIOS code as part of its startup procedure. As a result, the BIOS configures many fundamental aspects of the computer before Linux has a chance to boot. The BIOS also provides the services that the boot loader uses to load the Linux kernel into memory. Although the x86 BIOS provides some standard features, it’s not entirely standardized. In particular, modern BIOSes provide a setup tool, often referred to as the Complementary Metal Oxide Semiconductor (CMOS) setup utility, that you can use to set various low-level options. The options available in a computer’s CMOS setup utility differ from one computer to another, both because of differences in hardware and because of different BIOS designs. Most computers display a prompt at boot time that tells you how to get into the CMOS setup utility. This is usually done by hitting a key, such as Delete or F2, at a critical point during the boot process. Once you’ve done this, you’ll see the BIOS setup screens and can set various options, typically by moving through menus with the arrow keys on the keyboard. Most systems come with reasonable default BIOS settings, but you may want to check, and possibly adjust, a few. These include the following:

Disk Settings: There are two common hard disk settings you may need to adjust. The first specifies the size (geometry) of the disk; an auto-detection feature normally works well for this. The second setting determines how the BIOS interprets the disk’s cylinder/head/sector (CHS) addresses. On most BIOSes, logical block addressing (LBA) mode is the best choice. If you use SCSI hard disks, the main motherboard BIOS won’t detect them. This is normal; the SCSI host adapter’s own BIOS provides the necessary support.

On-board ports: Modern motherboards include RS-232 serial, parallel, USB, EIDE, and frequently other types of ports. You can enable or disable these or change their settings (for instance, you can change the IRQs used by the devices). Disabling unused ports can free up resources for other devices.

PCI settings: Some BIOSes allow you to specify how the system treats PCI devices. Most commonly, you can choose from two or more rules for how the BIOS assigns IRQs to PCI devices. Sometimes one rule results in IRQ conflicts and another doesn’t, so such a setting is worth investigating if you have problems booting and suspect IRQ conflicts.

Passwords: In a high-security environment, you may want to set a BIOS password. A boot password prevents the system from booting unless the correct password is entered; a separate setup password only protects the CMOS setup utility itself. A boot password can slow down intruders who have physical access to the computer and want to boot it from their own boot disk, but anyone with physical access can bypass it in various ways: by clearing the CMOS settings with the motherboard jumper or by removing the battery, or simply by taking the hard disk out and reading it in another computer. A boot password also prevents unattended reboots, for instance after a power failure, because somebody has to type it at the console. Nonetheless, slowing down an intruder may be worthwhile in some environments.

Memory settings: BIOSes can be configured to copy parts of themselves, or of BIOSes stored on other devices, to RAM. This practice, known as shadowing, speeds up access to the BIOS, and it is useful in DOS, which relies on the BIOS for input/output. Linux doesn’t use the BIOS as much, so it’s generally best to disable all shadowing in Linux, which can result in slightly more memory being available to Linux. Some BIOSes also allow you to control one or more memory holes, regions of the CPU’s memory map that are unusable. These sometimes cause Linux to misdetect the amount of RAM installed in the computer, so you may want to experiment with different memory hole settings.

Boot Devices: Modern BIOSes support booting from a wide variety of disk and disk-like devices, including floppy disks, EIDE disks, SCSI disks, CD-ROM drives, and high-capacity removable disks like Zip or LS-120 disks. You can usually set the system to boot from some subset of these devices in any order you like. The BIOS tries each medium in turn, and if it’s not present or isn’t bootable, it tries the next one. For highest security, set the system to boot from your EIDE or SCSI hard disk first and lock the setting with a setup password; otherwise anyone who can reach the machine can boot their own medium and read or change every file on the disk, whatever Linux’s permissions say. For convenient booting of installation or emergency media, set it to boot from a CD-ROM, floppy, or other removable media drive first.

In practice, you may need to experiment with a particular computer’s CMOS settings to determine which work best. It’s generally not a good idea to try random changes on a working system, though; experiment with these settings only if you’re having trouble. Making changes without cause can produce an unbootable system, although if you remember what you changed, you can usually recover your system to a working state.

Checking for Supported Hardware

To check if Red Hat Linux supports the hardware in your PC, follow these steps:

1. Make a list of the make, model, and other technical details of all hardware installed in your PC. Most of this information is in the manuals that came with your hardware. If you don’t have the manuals but already have an operating system on the PC, you may be able to obtain this information from that operating system.

2. Next, go to the Red Hat Web site at http://www.redhat.com/hardware. Compare your hardware list to the list of hardware that the latest version of Red Hat Linux supports. If the components listed earlier are supported, you can prepare to install Red Hat.

Creating the Red Hat Boot Disk

To boot Red Hat Linux for the first time and start the Red Hat Linux installation program, you need a Red Hat boot disk. The Red Hat boot disk starts your PC and the first part of the Red Hat Linux installation program, which then loads the rest of the installation program from the CD-ROM. After you install Red Hat Linux, you no longer need the Red Hat boot disk. To create it, turn on your PC without any disk in the A: drive and run Windows as usual. Creating the Red Hat boot disk involves using a utility program called RAWRITE.EXE to copy a special file, the Red Hat Linux boot image, to a floppy disk sector by sector.
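The same copy can be made from an existing Linux system with dd, which is what RAWRITE.EXE does under DOS. The script below is an added example, not part of the manual or of Red Hat’s tools; it assumes a standard 1.44 MB floppy image and a target of /dev/fd0 (a file is used when testing), and it adds the two checks a practitioner wants: that the image is exactly one floppy in size before anything is written, and that the floppy reads back identical to the image afterwards.

```sh
#!/bin/sh
# Added example (not from the manual): write a floppy boot image from an
# existing Linux system, the equivalent of RAWRITE.EXE under DOS, and verify
# the result.  Assumed, not stated in the manual: the image is a standard
# 1.44 MB floppy image and the target is /dev/fd0 (or a file when testing).

FLOPPY_BYTES=1474560                # 80 cylinders x 2 heads x 18 sectors x 512 bytes

file_size() {                       # size of a file in bytes, POSIX tools only
    wc -c < "$1" | tr -d ' '
}

# A truncated or over-long download is the usual reason a boot disk does not
# boot, so refuse anything that is not exactly one floppy's worth of data.
check_image() {
    [ "$(file_size "$1")" -eq "$FLOPPY_BYTES" ]
}

# Write the image, flush, and read it back: a floppy that compares equal to
# the image is the only evidence that the media itself is good.
write_image() {                     # write_image image target
    check_image "$1" || { echo "refusing: $1 is not a 1.44 MB image" >&2; return 1; }
    dd if="$1" of="$2" bs=512 2>/dev/null || return 1
    sync
    cmp "$1" "$2" >/dev/null
}

# Constructed stand-in for images/boot.img: all zeros except the 0x55AA boot
# signature in the last two bytes of the first sector (not a bootable image).
make_sample_image() {               # make_sample_image file
    {
        dd if=/dev/zero bs=510 count=1 2>/dev/null
        printf '\125\252'
        dd if=/dev/zero bs=512 count=2879 2>/dev/null
    } > "$1"
}

# Usage: sh write_floppy.sh /mnt/cdrom/images/boot.img /dev/fd0
if [ "$#" -eq 2 ]; then
    write_image "$1" "$2" && echo "boot disk written and verified"
fi
```

Run it as sh write_floppy.sh /mnt/cdrom/images/boot.img /dev/fd0 with the CD mounted; make_sample_image only produces a zero-filled stand-in with a boot signature so the checks can be tried without a real image.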

To create the Red Hat boot disk under Windows, follow these steps:

1. Open an MS-DOS window (select Start => Programs => MS-DOS Prompt).

2. In the MS-DOS window, enter the following commands at the MS-DOS prompt (use the drive letter of your CD-ROM drive in place of d:):

d:
cd \dosutils
rawrite
Enter disk image source file name: \images\boot.img
Enter target diskette drive: a
Please insert a formatted diskette into drive A: and press -ENTER- :

3. As instructed, put a formatted disk into your PC’s A: drive and then press ENTER. RAWRITE.EXE copies the boot-image file to the disk.

When the DOS prompt returns, remove the Red Hat boot disk from the A: drive and label it as a Red Hat boot disk.

Partitioning the Hard Disk for Red Hat Linux

The Red Hat Linux installation program offers you several choices for partitioning your hard drive. You can choose to have the installation program automatically partition your disk, you can choose to use Disk Druid, or you can use fdisk. For this installation, you will choose Disk Druid, a utility program that enables you to partition the disk and, at the same time, specify which parts of the Linux file system you want to load on which partition. Before you begin to use Disk Druid to partition your disk, you need to know how to refer to the disk drives and partitions in Linux. Also, you should understand the terms mount point and swap partition. In the next three sections, you learn these terms and concepts and then proceed to use Disk Druid.

Naming disks and devices

The first step is to understand how Red Hat Linux refers to the various disks. Linux treats all devices as files and has actual files that represent each device. In Red Hat Linux, these device files are located in the /dev directory. If you are new to Unix, you may not yet know about Unix filenames, but you learn more as you continue to use Red Hat Linux. If you know how MS-DOS filenames work, you will find that Linux filenames are similar, with two exceptions: they do not use drive letters (such as A: and C:), and they use the slash (/) instead of the MS-DOS backslash (\) as the separator between directory names. Because Linux treats a device as a file in the /dev directory, the hard disk names start with /dev. The following table lists the hard disk and floppy drive names that you may have to use. A number after a disk name denotes a partition on it: /dev/hda1 is the first partition on /dev/hda.

HARD DISK AND FLOPPY DRIVE NAMES

Name       Description
/dev/hda   First Integrated Drive Electronics (IDE) hard drive (the C: drive in DOS and Windows), connected to the first IDE controller as the master drive
/dev/hdb   Second IDE hard drive, connected to the first IDE controller as the slave drive
/dev/hdc   IDE hard drive connected to the second IDE controller as the master drive
/dev/hdd   IDE hard drive connected to the second IDE controller as the slave drive
/dev/sda   First Small Computer System Interface (SCSI) drive
/dev/sdb   Second SCSI drive
/dev/fd0   First floppy drive (the A: drive in DOS)
/dev/fd1   Second floppy drive (the B: drive in DOS)

Mounting a file system on a device

In Red Hat Linux, you use a physical disk partition by associating it with a specific part of the file system. This arrangement is a hierarchical directory tree. If you have more than one disk partition (you may have a second disk with a Linux partition), you can use all of them in Red Hat Linux under a single directory tree. All you have to do is decide which part of the Linux directory tree should be located on each partition, a process known in Linux as mounting a file system on a device. (The disk partition is a device.) The directory at which a partition is attached is its mount point, and the installer records these choices in /etc/fstab so that they are repeated at every boot. Suppose that you have two disks on your PC, and you have created Linux partitions on both disks. The following figure illustrates how you can mount different parts of the Linux directory tree (the file system) on these two partitions.
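Mount points are recorded in /etc/fstab, and the options column of that file is also where the mount-time protections for each partition live. The following script is an added example, not from the manual; its fstab is constructed for the example and mirrors the two-disk layout described above (Linux partitions on hda and hdb). It flags every ext2/ext3 file system other than / that is mounted without nodev and nosuid, and prints a hardened copy of the file.

```sh
#!/bin/sh
# Added example (not from the manual): check the mount options in /etc/fstab,
# the file that records which partition is mounted on which directory.
# The sample below is constructed for the example; run the functions against
# the real /etc/fstab to audit a live system.

make_sample_fstab() {        # make_sample_fstab file
    cat > "$1" <<'EOF'
# device        mount point   type     options                dump pass
/dev/hda1       /             ext3     defaults               1 1
/dev/hda2       swap          swap     defaults               0 0
/dev/hdb1       /home         ext3     defaults               1 2
/dev/hdb2       /tmp          ext3     defaults,nodev,nosuid  1 2
/dev/fd0        /mnt/floppy   auto     noauto,owner           0 0
/dev/cdrom      /mnt/cdrom    iso9660  noauto,owner,ro        0 0
none            /proc         proc     defaults               0 0
EOF
}

# Every ext2/ext3 file system other than / should be mounted nodev (device
# nodes on it are ignored) and nosuid (set-user-ID bits on it are ignored):
# a user who can write to /home or /tmp must not be able to plant either.
# Prints "mountpoint: missing opt,opt" for each offending entry.
fstab_warnings() {           # fstab_warnings [file]   (reads stdin if no file)
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        $3 ~ /^ext[23]$/ && $2 != "/" {
            n = split($4, opts, ",")
            for (k in have) delete have[k]
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            missing = ""
            if (!("nodev" in have))  missing = missing "nodev,"
            if (!("nosuid" in have)) missing = missing "nosuid,"
            sub(/,$/, "", missing)
            if (missing != "") print $2 ": missing " missing
        }
    ' "${1:--}"
}

# Emit the same fstab with nodev,nosuid appended where they were missing.
fstab_hardened() {           # fstab_hardened [file]
    awk '
        NF == 0 || $1 ~ /^#/ || !($3 ~ /^ext[23]$/ && $2 != "/") { print; next }
        {
            n = split($4, opts, ",")
            for (k in have) delete have[k]
            for (i = 1; i <= n; i++) have[opts[i]] = 1
            if (!("nodev" in have))  $4 = $4 ",nodev"
            if (!("nosuid" in have)) $4 = $4 ",nosuid"
            print
        }
    ' "${1:--}"
}
```

The check is deliberately limited to the two options that cost nothing: nodev stops a user-created device node on /home from granting raw access to /dev/hda, and nosuid stops a planted set-user-ID binary there from running as root. Whether /home or /tmp should also be noexec depends on what the users need to run, so that is left as a site decision; apply a change with mount -o remount,nodev,nosuid /home and keep it in /etc/fstab so it survives the next boot.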

Understanding the swap partition

Most advanced operating systems support the concept of virtual memory, in which part of your system’s hard disk functions as an extension of the physical memory (RAM). When the operating system runs out of physical memory, it can move (or swap out) the contents of currently unneeded parts of RAM to make room for a program that needs more memory. When the operating system needs to access anything in the swapped-out data, it has to find something else to swap out and then it swaps in the required data from disk. This process of swapping data back and forth between the RAM and the disk is also known as paging. Note that anything held in RAM, including passwords and keys, can end up on the swap partition, so the disk deserves the same physical protection as the memory itself.

Installing the Boot Loader

The Red Hat installation program displays the Boot Loader Configuration screen, which asks you where you want to install the boot loader. A boot loader is a program that resides on your disk and starts Red Hat Linux from the hard disk. Red Hat version 7.2 provides two choices of boot loader, LILO and GRUB; previous versions of Red Hat offered only LILO. LILO stands for Linux Loader, and GRUB stands for Grand Unified Bootloader. The next part of the Boot Loader Configuration screen gives you the option of installing the boot loader in one of two locations:

• Master Boot Record (MBR), which is located in the first sector of your PC’s hard disk. This is the usual choice: the BIOS loads the MBR, so the boot loader installed there can start Linux or hand over to another operating system.
• First sector of the partition where you loaded Red Hat Linux. Choose this if another boot manager already occupies the MBR and you want it to remain in charge; it must then be configured to chain-load the Red Hat partition.

Configuring password authentication

The installation program displays the Authentication Configuration screen, from which you can configure the password authentication options. You can enable or disable several options. Of these, the first two are already selected:

• Enable MD5 passwords: Select this option to store password hashes with the MD5-based crypt algorithm, which lets users choose long passwords of up to 256 characters. The traditional DES-based crypt it replaces silently uses only the first eight characters of a password, so “password123” and “password” are the same password to it. MD5 refers to Message Digest 5, an algorithm designed by Ron Rivest (RFC 1321) that computes a 128-bit digest of an arbitrary message, conventionally written as four 32-bit numbers. The digest itself is no longer considered strong, and current distributions default to SHA-512-based hashes, but either is a great improvement over DES crypt’s eight-character limit.

• Enable shadow passwords: This option moves the password hashes out of /etc/passwd, which every user can read, into /etc/shadow, which only the superuser (root) can read. /etc/passwd keeps the account information but shows an x in the password field. This denies ordinary users the hashes they would need to run a password cracker against every account, and provides an added level of security.

Linux refers to all Integrated Drive Electronics (IDE) devices as hd. IDE devices include hard disks, CD-ROM drives, CD writers, and so on. A PC motherboard has two IDE channels, each of which carries a master and a slave device:

IDE0 / Primary IDE        Primary Master (PM)     -> hda
                          Primary Slave (PS)      -> hdb
IDE1 / Secondary IDE      Secondary Master (SM)   -> hdc
                          Secondary Slave (SS)    -> hdd

Note: PM -> hda, PS -> hdb, SM -> hdc, SS -> hdd

Linux distributions: Red Hat (this manual refers to versions 7.0, 7.3, 8.0 and 9.0), Caldera, Mandrake, SuSE, Debian, Slackware, and others.

Windows versus Linux partitions (reconstructed from the original diagram; the sizes as drawn were 5, 10 and 5):

Windows                                       Linux
Primary DOS partition (5)    -> C:            hda1, hda2, ... (the partitions of the first IDE disk)
Extended DOS partition (10)  -> Logical D:
                                Logical E:
                                Logical F:
Non-DOS partition (5)                         (how Windows shows the partition Linux lives in)
Windows file systems: FAT16, FAT32, NTFS      Linux file systems: ext2, ext3

Note: You cannot format an ext2 partition with the fdisk of DOS (please see third-party software).

Drive letters versus a single directory tree (reconstructed from the original diagram):

Windows: each drive is its own root (origin)       Linux: one tree, whose root (origin) is /
C:                                                 / (root, here on the partition hda4)
  Win                                                directories under it: /root, /var, /home,
  Infinity                                           /etc, /faisal, /Infinity, /Teachers, /NetAdmin
    Iqbal Road
      Monipuri Para
D:
  Software
  Games

Directories work like a postal address (Infinity, Iqbal Road, Monipuri Para): each name narrows the location. In Linux every such path starts from the single root /, whereas in Windows each drive letter is a separate starting point.

Tips:

(Figure: a disk of about 20 GB drawn from 0 GB upwards with the 8.4 GB boundary marked.)

NOTE: Only the partition the kernel is loaded from (/ in this layout, or a separate /boot) has to lie within the first 8.4 GB of the disk. The reason is the legacy BIOS disk interface, which addresses at most 1024 cylinders, 255 heads and 63 sectors (1024 x 255 x 63 x 512 bytes = 8.4 GB); a boot loader that relies on it cannot read a kernel stored beyond that point, so installation or the first boot fails when the Linux root partition extends past 8.4 GB. Newer BIOSes offer LBA mode (the INT 13h extensions), and GRUB, or LILO with the lba32 option, use it, which removes the limit; keeping /boot small and near the start of the disk avoids the problem on any machine.

Points to be discussed when we install:
Root password (set with passwd; minimum 6 characters when set from the GUI installer)
Default login
Mount point
File system
MD5 passwords
Shadow passwords
Network
Firewall
Bootable sequence
Time zone
MBR and first boot sector
LILO (Linux Loader, offered up to Red Hat 9.0)
GRUB (Grand Unified Boot Loader, offered from Red Hat 7.2 onwards)
Concept of the MBR and the first boot sector

The Infinity building as an analogy for the MBR and the partition boot sectors (reconstructed from the original diagram):

D1 - Entry point of the reception, also the main door of Infinity   = MBR (the first sector of the hard disk)
D2 - Entry point of the Linux room / NetLAB                          = first boot sector of one partition
D3 - Entry point of the Diploma room                                 = first boot sector of one partition
D4 - Entry point of the Graphics LAB                                 = first boot sector of one partition

40 GB HDD:   WinP1 (first boot sector of P1)
             WinP2 (first boot sector of P2)
             LNXP3 (first boot sector of P3)
             LNXP4 (first boot sector of P4)

Just as you must pass the main door before reaching any room’s door, the BIOS loads the MBR first, and the code there hands over to the boot sector of the active or selected partition, or, when GRUB or LILO is installed in the MBR, directly to the chosen kernel.

The diagram also showed four sample layouts of the disk built from WIN and LNX partitions of 3 to 7 GB each, marked OKAY or "Problems May Appear" according to whether the Linux partition that holds the kernel falls within the first 8.4 GB (see the note above).

To install Linux and Windows on the same PC, the following sequence is better:

1. Windows 98
2. Windows 2000 Server
3. Red Hat Linux 8.0

Linux goes last because the Windows installers overwrite the MBR with their own code and do not offer to boot anything else; installing Linux afterwards lets GRUB or LILO take the MBR and add entries for the Windows partitions. (If Windows is reinstalled later, the Linux boot loader has to be put back, for instance from the boot disk created in Step-21.)
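The main-door analogy above can be checked against the real thing: the MBR is the first 512-byte sector, its last two bytes are the 0x55AA signature the BIOS looks for, and the 64 bytes before that hold the four-entry partition table from which the boot loader and Linux’s hdaN names are derived. The script below is an added example, not part of the manual; it parses an MBR dump with POSIX tools only, and make_sample_mbr writes a constructed two-partition MBR (a bootable FAT32 partition followed by a Linux one) so the parser can be tried without touching a disk.

```sh
#!/bin/sh
# Added example (not from the manual): inspect a master boot record the way
# the BIOS sees it.  Works on a 512-byte dump such as
#   dd if=/dev/hda of=mbr.bin bs=512 count=1
# or on the constructed sample written by make_sample_mbr below.

# Read COUNT bytes at OFFSET from FILE as decimal values, one per line.
bytes_at() {                 # bytes_at file offset count
    od -An -tu1 -v -j "$2" -N "$3" "$1" | tr -s ' ' '\n' | sed '/^$/d'
}

# A valid MBR ends in the two-byte signature 0x55 0xAA at offset 510.
mbr_has_signature() {        # mbr_has_signature file
    sig=$(bytes_at "$1" 510 2 | tr '\n' ' ')
    [ "$sig" = "85 170 " ]
}

# Little-endian 32-bit value from four decimal bytes.
le32() {
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# Print one line per used partition-table entry:
#   index active type(hex) start_lba size_sectors
# Each 16-byte entry (the first starts at offset 446) holds: status byte
# (0x80 = active), CHS start (3 bytes), type, CHS end (3 bytes),
# LBA of first sector (4 bytes, little-endian), sector count (4 bytes).
mbr_partitions() {           # mbr_partitions file
    f=$1
    mbr_has_signature "$f" || { echo "no 0x55AA signature: not an MBR" >&2; return 1; }
    i=0
    while [ "$i" -lt 4 ]; do
        set -- $(bytes_at "$f" $((446 + i * 16)) 16)
        if [ "$5" -ne 0 ]; then          # type 0 means the entry is unused
            if [ "$1" -eq 128 ]; then active='*'; else active='-'; fi
            printf '%d %s %02x %d %d\n' "$((i + 1))" "$active" "$5" \
                "$(le32 "$9" "${10}" "${11}" "${12}")" \
                "$(le32 "${13}" "${14}" "${15}" "${16}")"
        fi
        i=$((i + 1))
    done
}

# Constructed sample (not a dump of a real disk): empty boot code, an active
# FAT32 (0x0c) partition of 8 000 000 sectors starting at LBA 63, followed by
# a Linux (0x83) partition of the same size, two unused entries, signature.
make_sample_mbr() {          # make_sample_mbr file
    {
        dd if=/dev/zero bs=446 count=1 2>/dev/null
        printf '\200\000\001\000\014\376\377\377\077\000\000\000\000\022\172\000'
        printf '\000\376\377\377\203\376\377\377\077\022\172\000\000\022\172\000'
        dd if=/dev/zero bs=32 count=1 2>/dev/null
        printf '\125\252'
    } > "$1"
}
```

On a live machine capture the sector with dd if=/dev/hda of=mbr.bin bs=512 count=1 and run mbr_partitions mbr.bin: a type of 83 is Linux, 82 is Linux swap, 0c is FAT32, and the entry flagged * is the one the standard MBR code boots. The 446 bytes of boot code in front of the table are exactly what a Windows installation overwrites, which is why Windows is installed before Linux in the sequence above.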

Step by Step installation (Red Hat Linux 8.0)

Step-1:
Switch on your PC. Change the boot sequence to CDROM, C, A from the BIOS. Insert CD#1 of Red Hat Linux 8.0 in the CD-ROM tray. (Once the installation is finished, put the hard disk back first in the boot sequence; see the discussion of boot devices above.)

Step-2:
At the boot: prompt, to install or upgrade Red Hat Linux in graphical mode, press <ENTER>; to install or upgrade Red Hat Linux in text mode, type linux text <ENTER>.

Step-3:
Media Test. Choose OK to check the CD, or SKIP, then <ENTER>.

Step-4: Welcome. Next <ENTER>

Step-5: Language Selection. English. Next <ENTER>

Step-6: Keyboard. U.S. English. Next <ENTER>

Step-7: Mouse Configuration. Choose your mouse from the list. Next <ENTER>

Step-8: Installation Type
• Personal/Desktop
• Workstation
• Server
• Custom
• Upgrade Existing System

Step-9: Partitioning Setup
• Automatic Partition
• Manually Partition with Disk Druid
• Manually Partition with fdisk [experts only]
Next <ENTER>

Step-10: New HDD. Add the partitions with Add Partition; the swap partition first:

Add Partition
File System Type: swap
Size (MB): 128 (double the amount of RAM is recommended)

Next <ENTER>

Then the root partition:

Add Partition
Mount Point: /
File System Type: ext3
Allowable Drives: hda
Size (MB): 4000
Additional Size Options:
• Fixed size
• Fill all space up to (MB)

Next <ENTER>

Next <ENTER>

Step-11 Bootloader Configuration

a. Change Boot Loader
• GRUB (Grand Unified Boot Loader)
• LILO (Linux Loader)
• Do not install a boot loader.

b. Use a boot loader password => 6 characters recommended (be careful with this password). Without it, anyone at the keyboard can edit the boot entry and append single or init=/bin/sh to the kernel line, which gives a root shell with no password asked. GRUB stores the password as an MD5 hash (password --md5 in /boot/grub/grub.conf); LILO uses password= together with restricted in /etc/lilo.conf, so that file must be readable by root only.

c. Configure advanced boot loader options
• MBR (Master Boot Record)
• First sector of the boot partition

Next <ENTER>

Step-12 Network Configuration. Next <ENTER>

Step-13 Firewall Configuration. Options: High, Medium, No firewall; the default is Medium. For the classroom network choose “No firewall”. On any machine that will be reachable from a network you do not control, keep Medium or High: those rules are all that stands between the services installed in Step-18 and the outside. Next <ENTER>

Step-14 Additional Language Support. English (USA). Next <ENTER>

Step-15 Time Zone Selection. Asia/Dhaka. Next <ENTER>

Step-16 Account Configuration. Root password / Confirm password.
• Minimum length of the password is 6 (six) characters (case sensitive).
• You can also add users from here (optional).
Next <ENTER>

Step-17 Authentication Configuration. Enable MD5 passwords; Enable shadow passwords (both are explained in the Configuring password authentication section above). Next <ENTER>

Step-18 Package Group Selection

You can choose Everything; the total size will then be 4680 MB. For your class we would like to add the following packages in addition to the default:

• Desktop: KDE
• Applications: Editors
• Servers: Everything
• Development: Development Tools, Kernel Development
• System: Administration Tools, System Tools

Total size will be 2080 MB. Note that “Servers: Everything” installs every network service Red Hat ships, and several of them are enabled at boot. That is convenient for a lab where each service will be studied in turn, but on a real server install only the services you intend to run: every listening daemon is something an attacker can reach.

Step-19 About to Install. This is the last screen; you cannot go back after clicking Next. Installation will start. Next <ENTER>

Step-20 Installing Packages. Insert the 2nd and 3rd CDs when the installer asks for them.

Step-21 Boot Disk Creation. Yes or No, as per your requirement. Next <ENTER>

Step-22 Graphical Interface (X) Configuration. Next <ENTER>

Step-23 Monitor Configuration. Next <ENTER>

Step-24 Customize Graphical Configuration. Choose your default login type: Graphical or Text. Next <ENTER>

Step-25 Congratulations. Next <ENTER>

Step-26 The CD-ROM tray is ejected automatically. Remove the CD from the tray; the tray closes automatically.

QUIT

Installation completed. Now we can try to log in.

Login (CLI and GUI mode)

Login: root        (we get the # prompt)
Password: linux

Login: faisal      (we get the $ prompt)
Password: 123

The passwords shown are the ones used in the classroom; on any machine that matters, choose passwords that pass the dictionary checks passwd performs, and never reuse the lab passwords elsewhere.

Practice of Very Useful Important Commands

Virtual consoles

F1 to F6: CLI (text) consoles (Command Line Interface)
F7: GUI (Graphical User Interface), by default
F8 to F12: not usable

You can move from one console to another by pressing CTRL+ALT+F1, CTRL+ALT+F2, and so on.

To clear the screen

To clear the screen use
# clear
or press CTRL+l (lowercase L).

Starting, stopping, rebooting, logging out

To log out you may use any one of the following:
# logout
# exit
or press CTRL+d

To reboot the system (PC) you may use the following commands. shutdown takes its delay as now, +minutes or hh:mm; forms such as 6m or 1h are not accepted.

Right now:
# shutdown -r now
After 6 minutes:
# shutdown -r +6
After 1 hour:
# shutdown -r +60
Right now:
# reboot
or
# init 6

To shut down the system (PC) you may use any one of the following:
# shutdown -h now
# shutdown -h +5 (after 5 minutes)
# shutdown -h +120 (after 2 hours)
# init 0 (right now)
# halt (right now)

To create a boot disk

# uname -r
2.4.2-2
# mkbootdisk 2.4.2-2

2.4.2-2 is the kernel version of this Red Hat Linux system; mkbootdisk takes it as its argument. Note: you can’t use one PC’s boot disk to boot another PC, because the disk carries that PC’s kernel and points at that PC’s root partition.

To know the current working directory
# pwd => print working directory

Check the home directory by typing the following commands
# cd /home
# ls -la
(ls lists the directory; -l gives the long listing format and -a includes hidden files.)

One-way scrolling
# ls -la | more
ENTER (line by line), SPACEBAR (page by page)

Two-way scrolling
# ls -la | less
ENTER (line by line), SPACEBAR (page by page), arrow keys to move up and down

To know about the Linux version
# cat /etc/redhat-release

Discussion on the Linux File System

The Unix Filesystem

• A file is a collection of information under one name, called the filename. The Unix filesystem is organized into directories and files, in a treelike structure. The first directory in the structure is the root directory. The root directory contains several files and directories, and these directories in turn contain more directories and files.

• The Unix system treats almost every object as a file. A directory is a file, and even the physical memory can be accessed and manipulated as if it were a file (/dev/mem, readable by root only).

• When you log in, you are automatically placed in a directory called your home directory.

• Remember the following rules regarding filenames:
• Traditional Unix limited filenames to 14 characters; on Linux file systems such as ext2 and ext3 a filename can be up to 255 characters.
• Avoid the following special characters in a filename, because the shell gives them a meaning of their own:
\, >, <, /, &, ?, $, [, ], and *
(/ is not merely inconvenient: it can never appear in a filename, since it separates directory names.)
• Do not use spaces in a filename.
• Using the underscore character (_) in a filename is permitted. Use the underscore to separate multiple words in a filename.
• A period (.) in a filename is just like any other character, except when it is placed at the beginning of a filename. Placing a period at the beginning of a filename has special significance: it designates the file as “hidden”. Such a hidden file will not be displayed by the usual directory listing command (ls without -a). Such files are called dot files. Furthermore, certain dot files have special meanings to the system.
• Filenames are case sensitive.

Important Directories and Files

The Unix file system is organized as a tree-structured hierarchy of directories and files. Each Unix system comes with hundreds of directories and files. Following is a list of major directories in the system and a brief description of their contents.

/ (root)       The root of the file system. On traditional Unix it contains the kernel (/vmunix); on Linux the kernel lives in /boot (/boot/vmlinuz). It contains the important directories /etc, /bin, /dev, /lib, /tmp, /stand, /lost+found, /mnt, /pub, /private, and /usr.
/etc           The etcetera directory contains various commands and data files, primarily those used for system administration.
/bin           This is one of the three major Unix directories containing user commands. The commands in /bin are the most important and most commonly used. The name “bin” means binary. Most of the files in /bin are binary, but there are ASCII shell scripts also.
/dev           The device directory contains all of the device special files.
/lib           The library directory contains files crucial to the C compiler (also the FORTRAN compiler) and the library functions of the languages.
/tmp           Various Unix utilities, such as vi, create temporary data files in /tmp. Every time the system is rebooted, the system removes all files in /tmp except for subdirectories. Because /tmp is writable by everyone, it is created with the sticky bit set (drwxrwxrwt), so users can delete only their own files there.
/usr           Contains many important sub-directories described below.
/usr/bin       One of the three major command directories (the other two are /bin and /usr/ucb). The commands in /usr/bin are usually not as important as those in /bin.
/usr/include   Contains all the standard include files or header files used to compile C programs.
/usr/lib       Contains over a hundred files used by Unix utilities.
/usr/man       Holds the on-line manual pages.

The list above is a partial list of the important directories on any system.


Managing User Account

User Creation and Deletion:

To Add a User
# adduser (username)
Example: # adduser faisal

To Create a User Under a Particular Directory
# adduser -d (directory name with full path) -m (username)
(-d: the directory; -m: move to / create the directory)
Example:
# adduser -d /infinity -m limon

Pictorial View of the User’s Home Directory

/
    home
        faisal
        others
        others
    infinity
        limon

(Users’ Home Directory)


When we add a user, the following changes occur:

1. One line will be inserted (appended at the bottom) into each of the following files:
a. /etc/passwd
b. /etc/shadow
c. /etc/group

2. One directory will be created under the /home directory (by default). The name of the directory will be the same as the username (by default). We can treat this directory as the home directory of that user.

3. One blank file will be created under the directory /var/spool/mail (by default). The file name will be the same as the user name.

To Know About the Logged Users

# w => Details with login time
# who => Details without login time
# whoami => Name of the user
# tty => Name of the terminal

To Know About the Existence of a User
# finger <username>
Example: # finger faisal

To Give Comments to a User
# adduser -c “comments” (username)
Example: # adduser -c Bangladesh faisal
=> By giving the following command, see the comments:
# finger faisal

To Modify the User’s Comments for an Existing User
# usermod -c America faisal
Again type the following command and see the changes:
# finger faisal

User Delete
# userdel (username) [without home directory]
# userdel -r (username) [including home directory]
Example:
# userdel faisal
# userdel -r robin


USER PASSWORD AND PASSWORD CHANGE:

To Set Password for a New User
# passwd <username>
Example:
# passwd faisal
Type your password: 123
Retype your password: 123

• If it is successful then OK.
• We just ignore the warnings:
o Too short
o Dictionary word
o Bad password

Note: We can’t see the password on the screen.

We can also change the password for an existing user by the same command.
Example:
# passwd faisal
Unix password: 123
New Unix password: abc
Now the previous password 123 will be replaced by abc for user faisal.

Note: From CLI mode the minimum password length is a single character (by default). From GUI mode the minimum password length is six characters (by default).
*** Password is case sensitive

ACCOUNT LOCK/UNLOCK ENABLE/DISABLE:

Password Disable/Remove
# passwd -d <username>
Example: # passwd -d faisal
Now we can login into the computer without typing any password for the user faisal.


To Lock Password
# passwd -l <username>
Example: # passwd -l faisal

To Unlock the Password
# passwd -u <username>
Example: # passwd -u faisal

To Know the Status of the User Password
# passwd -S <username>
Example: # passwd -S faisal

Alternate:
To lock => # usermod -L rana
To unlock => # usermod -U rana

Details About Passwd File
# cd /etc
# cat passwd
wahed : R : 509 : 509 : America : /home/wahed : /bin/bash

Field 1: username (wahed)
Field 2: encrypted password (R)
Field 3: user ID (509)
Field 4: group ID (509)
Field 5: comments, optional (America)
Field 6: user’s home directory (/home/wahed)
Field 7: shell (/bin/bash)

Details About Password Lock/Shadow File
# cd /etc
# cat shadow
shapon : !! : 12242 ... [password not given]
shagor : : 12242 ... [password disabled]
MR : $727pqrst ... 12242 ... [password given]
limon : !!$722pqrst ... 12242 ... [password given]
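As an added example (not the manual’s own code), the following POSIX shell script reads passwd- and shadow-style records like those shown above and reports the state of each account’s password field: empty (as left by passwd -d, so the account logs in with no password at all), never given (!!), locked with the hash retained (the ! prefix that passwd -l and usermod -L add), or set. The records and the hash strings are constructed placeholders, not real data.

```shell
#!/bin/sh
# Added example (not the manual's own code): classify the password field of
# /etc/shadow-style records and join them with /etc/passwd-style records.
# Sample records are constructed; the hashes are placeholders, not real hashes.

SAMPLE_PASSWD='wahed:x:509:509:America:/home/wahed:/bin/bash
shapon:x:510:510::/home/shapon:/bin/bash
shagor:x:511:511::/home/shagor:/bin/bash
limon:x:512:512::/infinity/limon:/bin/bash'

SAMPLE_SHADOW='wahed:$1$727pqrst:12242:0:99999:7:::
shapon:!!:12242:0:99999:7:::
shagor::12242:0:99999:7:::
limon:!!$1$722pqrst:12242:0:99999:7:::'

# classify_hash FIELD -> one word for the state of a shadow password field
classify_hash() {
  case "$1" in
    '')           echo "empty" ;;   # no password at all (passwd -d): Enter logs in
    '!!'|'!'|'*') echo "unset" ;;   # never given or disabled: no hash to match
    '!'*)         echo "locked" ;;  # hash kept but prefixed (passwd -l / usermod -L)
    '$'*)         echo "set" ;;     # encrypted password present
    *)            echo "unknown" ;;
  esac
}

# shadow_status USER -> classify_hash of USER's second field in SAMPLE_SHADOW
shadow_status() {
  field=$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" '$1 == u { print $2 }')
  classify_hash "$field"
}

# audit_accounts -> one line per passwd record with the password state appended
audit_accounts() {
  printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r user _ uid _ _ home shell; do
    printf '%-8s uid=%-4s home=%-15s shell=%-10s password=%s\n' \
      "$user" "$uid" "$home" "$shell" "$(shadow_status "$user")"
  done
}

# passwordless_logins -> users whose shadow field is empty (login needs no password)
passwordless_logins() {
  printf '%s\n' "$SAMPLE_PASSWD" | while IFS=: read -r user _; do
    if [ "$(shadow_status "$user")" = empty ]; then
      echo "$user"
    fi
  done
}

audit_accounts
echo "accounts that log in without a password: $(passwordless_logins)"
```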

To quit from the man (manual) page, type only “q”.


To Change the root Password
# passwd root
Unix password :
Retype Unix password :


CHAPTER-FIVE Introduction to the Unix System

What is an Operating System?

An operating system is a program that manages the resources of a computer and monitors the jobs submitted to the computer. A computer cannot operate without an operating system. Once the system is on, all hardware and software on the system are under the control of the operating system.

Commonly used operating systems are:

• DOS, OS/2 [on PCs]
• Unix, VMS, MVS [on mainframes]

Following are some of the primary tasks that an operating system performs:

• Manages computer resources: CPU, memory, disk, printer, terminals, modems.
• Provides an interface with the user.
• Controls the flow of requests from users, giving, on multi-user systems, the impression that the system is working solely on their particular job.

Unix Features

• Hierarchical File System

The Unix file system has a root directory that contains other files and directories, which in turn contain other files and directories.

• File permissions

Each file on the file system is associated with an access permission code. This code determines who can access the file, read the file, modify the file, etc.

• Compact and efficient

The central part of the Unix system, Kernel, is relatively small and efficient in comparison to other time-sharing systems.

• Multi-tasking

The Unix system can run several jobs at once. The Unix operating system manages resources appropriately so that each job submitted has a fair share.

• Multi-user

The Unix system lets several users use the system at the same time. The system manages the requests made by the users in such a way that each user thinks the computer is occupied exclusively with his/her job.

• Redefinable user interface

The Unix system includes features with which the user can customize the way the system appears and behaves. It is possible for the user to create his/her own commands to do specific jobs.


• Portable

The Unix system is the only operating system that has made its way into all types of computers--ranging from laptop to Super Computer.

History of UNIX

• 1969

Developed at Bell Labs, the research arm of AT&T, by Ken Thompson on a DEC PDP-7.

• 1970

Dennis Ritchie, who designed the programming language C at about the same time, moved the system from PDP-7 to PDP-11.

• 1973

Prior to this the Unix system was written in machine language. In 1973 Ritchie and Thompson rewrote the system in C language. This enabled system to be moved from one architecture to another without much difficulty.

• Late 1970s

AT&T released Unix to universities. In 1977, another implementation of Unix widely known as BSD Unix (Berkeley Software Distribution) was released by University of California at Berkeley.

• 1980s

AT&T released their successful version called System V. Release 2 under System V is called SVR2 and release 3 is called SVR3.

• Today

Today there are many versions of Unix on many different kinds of machines. Basically, they are derived from either System V or BSD 4.3, or have features of both. Some popular versions of Unix today are AIX (IBM), ULTRIX (DEC), HP-UX (HP), and XENIX (Microsoft). Popular PC versions of Unix are Solaris 2.0 (SUN), SCO (Santa Cruz Operations), and Coherent.

The Unix System Layers

Below is the basic diagram of a Unix system:

• Core

At the center is the hardware.

• Kernel

Surrounding the hardware are some programs that handle hardware resources. This layer of software is called kernel.

• Utilities

The next layer consists of certain utility programs, independent of the hardware.

• Shell

The outermost layer represents the Shell. The Shell establishes the interface between users and the rest of the system.

[Figure: concentric layers, from the centre outwards: CORE, KERNEL, UTILITIES, SHELL]

The Shell

The Shell is the command interpreter for Unix systems. When the user logs in, a shell is automatically started that displays the prompt ($). The command entered following the prompt is interpreted by the shell, and the shell then arranges to run the appropriate program. There are three shells that are commonly available on Unix systems.

The Three Common Shells

There are three versions of Shell that are commonly available on Unix systems: Bourne Shell, C-Shell and Korn Shell.

• The Bourne Shell

- First major shell created
- Named after its creator, S.R. Bourne
- Is the standard on version 7 Unix systems
- Denoted by sh


• C-Shell

- Implemented by William N. Joy of the University of California at Berkeley.
- Commonly used shell in BSD based systems
- Denoted by csh

• Korn Shell

- Designed by David Korn of AT&T Bell Labs (around 1986)
- Is the new shell which is a superset of Bourne Shell
- Denoted by ksh

The Major Features of Shell

Analyze the command line and run command

The shell starts the indicated command, and passes the remainder of the command line as arguments to the command. The shell runs each command as a separate job. Such a job can be run “while you wait”, in the foreground or in the background, so that the Shell returns immediately and the user can continue typing more commands.

I/O redirection

The shell redirects the standard input, standard output, and standard error files of the command as defined by the user.

Pipes

The Shell can arrange for the standard output of one command to be used as the standard input of the next command in line. Multiple commands can be connected together in this way. Such a connection is called a pipeline.

Metacharacter expansion

Shell provides metacharacter usage. The metacharacter ? matches any single character in a file name. The metacharacter * matches any string of characters (including the empty string) in a file name. The metacharacters [ and ] form character classes. The metacharacter substitution is performed by the shell first, before taking any further action.

Set path

Shell provides a way for the user to set the search path for finding commands.

Programming language

Shell can be used as a programming language. When a collection of Shell commands is placed in a file (along with control structures), the filename can be used just like a Shell command. This command runs the Shell statements in the file.

Special Features of C Shell

The following lists some of the major features of C-Shell.

History Facility


The history mechanism maintains a list of previously used commands. Any command from the list can be reissued by just indicating the number of the command on the list.

Job Control

Jobs when they are running can be “put on hold”. These jobs are not terminated completely, but only stopped. This means you will have the shell prompt to do other things. You can reactivate the stopped jobs whenever you wish. The stopped jobs now continue from the point at which they were stopped.

Alias Mechanism

Alias is a facility by which users can give their own names for frequently used and/or long commands.

The syntax of C Shell commands resembles the C programming language, whereas Bourne Shell resembles Algol-68.

Special Features of Korn Shell

The following lists some of the major features of Korn shell.

Superset of Bourne shell

Korn shell has all the features available in Bourne shell, plus more. There are many convenient features in Korn shell that are not in Bourne shell.

Includes best features of C shell

Korn shell includes all the useful features of C shell, with a slightly different syntax.

History Facility

The history mechanism maintains a list of previously used commands. Any command from the list can be reissued by just indicating the number of the command on the list.

Job Control

Jobs that are running can be “put on hold”. These jobs are not terminated completely, but only stopped temporarily. This frees the shell prompt to do other things. The user can reactivate the stopped jobs at any time. Reactivated jobs will continue from the point at which they were stopped.

Alias Mechanism

Alias is a facility by which user can give his/her own names for frequently used and/or long commands.

Command-line editing

Korn shell has a very useful mechanism by which the user can display the previous commands on the command line, make changes in the command, and then execute the command.

Easy integer arithmetic


Handling integer arithmetic in Korn shell is more convenient than in Bourne shell. In Bourne shell it is necessary to use a command with complicated syntax, while in Korn shell it is as simple as issuing commands in the usual way, with arithmetic operators and the assignment symbol.

Functions

Korn shell supports memory resident functions as well as functions in shell programming.

Introduction to Commands

As you know, once you login successfully, you see the shell prompt $. In our case, it is the Korn shell prompt. The shell prompt indicates that the shell is ready to receive commands and take action. All commands are typed following the shell prompt ($), and are case sensitive (generally lower case).

Once you type a command and press the ENTER key, the shell takes action and executes the command.

Most of the commands you type are really programs, and these programs are generally found in the directory /bin. When a command is given, the shell invokes the program and executes it. Most commands take “options”. Options to a command alter the default behavior and cause the output to be slightly varied. Options follow the command name, and are usually indicated by a minus sign ( - ) followed by a single letter.

Example: The command
$ ps
displays all your processes, along with their pids.

Example: The command
$ ps -f
also displays all your processes along with their pids, but gives more information about each process. Here ps is the base command, and -f is an option of ps.

Example: Normally each command can be used with several options. Two or more options can be combined with a single minus sign ( - ). In the command
$ ps -ef
the options e and f are combined.


When a command is introduced in these notes, we will discuss only the important options used with that command. To see all possible options with each command and their functions, you must consult the command reference manual or online manual pages.

The date Command
This command displays the current date and time.

$ date
Thu Sep 22 13:25:37 EDT 2004

You can change the format of the output by including a proper argument to the date command.
Syntax for the argument: ‘+string : %x’
where string is any string that will be printed, and x is a letter called a field descriptor. The symbols + and % are required.
• The following table lists more useful field descriptors and their actions.

m  month of year - 01 to 12
d  day of month - 01 to 31
y  last two digits of year - 00 to 99
D  date in the format mm/dd/yy
H  hour in the format 00 - 23
M  minute - 00 - 59
S  second - 00 - 59
T  time in the format HH:MM:SS
a  abbreviated weekday - Sun - Sat
h  abbreviated month - Jan - Dec
n  insert a new-line

The Commands who, w and who am i

The command who lists all login name, terminal name and login time for each current user.

The command w gives more information than who. w displays the user’s login name, the name of the tty (terminal) the user is on, the time of day the user logged on (in hours:minutes), the idle time, which is the number of minutes since the user last typed anything (in hours:minutes), the CPU time used by all processes (in min:sec), the CPU time used by the currently active processes (in min:sec), and the name and arguments of the current process. The command who am i displays your hostname, login name, terminal name, and login time.

The pwd Command
The command pwd (print working directory) prints the path of the current working directory.
Example:
$ pwd
/u/train50


The echo Command
The command echo writes its arguments on the screen.
$ echo New York
New York

The ls Command
Lists files in the current directory.
$ ls
lists files in the current directory in alphabetical order. This command will not display filenames starting with a period (.).
• Important Options:
-a  List all files including dot files
-l  List in long format
-d  If the argument is a directory, list its name only
-t  Sort by modified time instead of by name.

The cat Command
The cat command is used for several purposes:

a. To display the contents of a small file.
b. To create a small file.
c. To concatenate several files.

$ cat file1
Displays the contents of file1 on the screen.
$ cat > file1
will enable you to type text for the file; press Control-D to terminate input mode. Whatever you typed becomes the content of the file.
$ cat file1 file2 > file3
Combines file1 and file2 and saves the result as file3.

Important options:
-v  Displays non-printing characters
-e  Displays the end of line character as $
-t  Displays tabs as ^I

NOTE: You must type the -v option with the -e and -t options.

The set noclobber Command
Consider the command:

$ cat file1 > file2
If file2 exists, it is emptied first, then the contents of file1 are copied into it. The old contents of file2 are permanently deleted.

• The following command
$ set -o noclobber
avoids this danger. With noclobber set, if file2 exists, the command
$ cat file1 > file2
results in a message

ksh: file2: file already exists
and no copying will be performed.

• The command

$ cat file1 >| file2

overrides the noclobber feature.

• The command

$ set +o noclobber
turns off the noclobber feature.
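The behaviour described above, as an added example that is not part of the original text: a POSIX sh function that creates the two files in a scratch directory, turns noclobber on, shows that a plain > redirection is refused while >| still overwrites, and then cleans up. The names file1 and file2 follow the text; the scratch directory is created with mktemp.

```shell
#!/bin/sh
# Added example (not the manual's own code): show what noclobber protects
# against, using a scratch directory so no real file is touched.

# demo_noclobber -> prints "<contents after refused copy>:<contents after >| copy>"
demo_noclobber() {
  dir=$(mktemp -d) || return 1
  printf 'original\n' > "$dir/file2"   # existing file we do not want to lose
  printf 'new\n'      > "$dir/file1"

  set -o noclobber                     # same as set -C; ksh, bash and sh accept it
  # With noclobber on, plain > refuses to truncate an existing file: the shell
  # reports that the file exists (wording varies by shell) and cat never runs.
  if (cat "$dir/file1" > "$dir/file2") 2>/dev/null; then
    echo "unexpected overwrite"
    set +o noclobber
    rm -rf "$dir"
    return 1
  fi
  kept=$(cat "$dir/file2")             # still "original"

  cat "$dir/file1" >| "$dir/file2"     # >| is the explicit override
  forced=$(cat "$dir/file2")           # now "new"
  set +o noclobber                     # turn the guard back off

  rm -rf "$dir"
  echo "$kept:$forced"
}

demo_noclobber
```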

The cd Command
The command cd changes to the specified directory.
$ cd sam
switches to directory sam (sam is assumed to be a directory in the current directory).

The Commands head and tail
The command head displays several lines at the beginning of a file. The command tail displays several lines from the end of a file.
$ head file1
displays the first 10 lines of the file file1.
$ tail file1
displays the last 10 lines of the file file1.

The wc Command
The command wc counts the number of lines, words, and characters in a specified file.
$ wc file1
displays something like:
105 359 2670 file1
These numbers correspond to the number of lines, the number of words, and the number of characters in the file file1.

The cp Command
The cp command is used to make copies of files.
$ cp file1 file2
copies the contents of file1 into file2.

• If file2 is an existing file, its contents are replaced by those of file1.
• If file2 does not exist, it is created with the contents of file1.

$ cp file1 file2 file3 directory1
copies file1, file2, and file3 to directory1.

The ln Command
The cp command makes a copy of the specified file. This means that there will be two copies of the file on the disk. It is possible to have a “copy” of the file using a different name, without actually making a copy of it on the disk, thereby saving disk space. The command ln (for link) is used to do this. The syntax for using ln is:
$ ln file1 file2
where file1 is the existing file, and file2 is the new filename. Both file1 and file2 refer to the same area of the disk. There is no hierarchy between file1 and file2 (no distinction is made between the “original” file and the “copy”, for instance). Both names refer to the same file on the disk. When you use the ls -l command, notice that the number under links will be 2 instead of 1.

The mv Command
The command mv is used to move files and directories around in the file system.
$ mv file1 file2
moves file1 into file2. In other words, file1 is renamed file2.

• If file2 already exists, its contents are replaced by those of file1.


• If file2 does not exist, a new file, file2, is created with the contents of file1.

$ mv directory1 directory2

moves directory1 to directory2.

• If directory2 does not exist, it is created.
• If directory2 already exists, mv will not work.

$ mv file1 file2 directory1

moves file1 and file2 to directory1.

The rm Command
The rm command removes one or more files.
Important Options and Variations:

1. $ rm file1
removes file1

2. $ rm file1 file2 file3
removes all three files.

3. $ rm -r directory1
removes, recursively, all files and directories in directory1, and directory1 itself.

4. $ rm -i filename
asks the user to confirm deletion.

5. $ rm -f filename
removes the file without asking for confirmation.

The mkdir Command
The command mkdir is used to create a new directory.
Important Options and Variations:

1. $ mkdir dir1
creates a directory called dir1

2. $ mkdir directory1 directory2 directory3
creates three directories.

The rmdir Command
The command rmdir removes directories that are empty.
$ rmdir dir1
removes dir1, if it is empty.


The file Command

The command file is used to determine the type of a file.

Home Directory Symbol ~ The symbol ~ represents the home directory. In other words, ~mays is equivalent to the home directory of the user mays.

The Directories . and .. A dot (.) in place of a directory name in a command represents the current directory. A double dot (..) in place of a directory name in a command represents the parent directory.

THE vi EDITOR

Text Editing on the Unix System

The following editors are available on all Unix systems:

• ed was the original editor on the Unix system. It is a line editor.
• ex is an improved version of ed. ex is also a line editor.
• vi stands for “visual editor”. It is a screen editor “built on top of ex”, which means that vi has all the features of ex and many more. vi is the most commonly used editor on Unix systems.

The Two Modes in vi
The text editor commonly used on Unix systems is vi (for visual editor). When you are using vi, you can be in one of two modes:

• vi command mode
• Text insert mode

How to Start vi

$ vi filename
If the specified file exists in the directory, the system displays that file for you to edit. If the file does not exist, the system displays a clear screen to create a file.
Example:
$ vi sample
The screen looks like this:
- - - - - -
“sample” [New file]


The cursor will be at the top left corner. The bottom line on the screen displays a message. This line is called the status line. You are now in what is called vi command mode.

vi Commands

All vi commands are given in vi command mode. These commands do not appear on the screen. As we will see, there are several commands that switch you from vi command mode to text insert mode. If you are in the text insert mode, you can return to vi command mode by pressing the Esc key. vi contains a large number of commands. We will introduce only the most commonly used commands. For a complete list of vi commands, see the manual pages.

Basic vi Commands
You give these commands only in vi command mode.

h  move left
j  move down
k  move up
l  move right
$  move cursor to end of line
^  move cursor to beginning of line
a  insert to right of cursor
i  insert to left of cursor
o  insert a blank line below cursor
O  insert a blank line above cursor
s  substitute string for character under cursor
x  delete character at cursor
dd  delete entire line
ZZ  save file and exit
~  change case

How to Save an Edited File and Stay in vi

• Press the Esc key to switch to vi command mode
• Type: :
You will see : on the status line, with the cursor immediately to the right of :
• Following the :, type w
• Press the Enter key.

vi displays how many lines and characters were saved on the status line.

How to Save an Edited File and Quit vi

• Press the Esc key to switch to vi command mode • Type: :

You will see : on the status line, with the cursor immediately to the right of : • Following the : , type wq • Press the Enter key.

You will be returned to the shell prompt


How to Quit vi Without Saving an Edited File

• Press the Esc key to switch to vi command mode • Type: :

You will see : on the status line, with the cursor immediately to the right of : • Following the : , type q! • Press the Enter key.

Advanced vi Commands

Starting commands

vi filename  open or create file
vi +10 filename  open file to line 10
vi +/”string” filename  open file to first occurrence of the indicated string
vi -r filename  recover crashed file
view filename  open file read-only

Cursor commands

h  move left
j  move down
k  move up
l  move right
w  move right one word
W  move right one word (past punctuation)
b  move left one word
B  move left one word (past punctuation)
Enter  move down one line
Back Space  move left one character
Space Bar  move right one character
H  move to top of screen
M  move to middle of screen
L  move to bottom of screen
Ctrl-F  scroll forward one screen
Ctrl-D  scroll forward one-half screen
Ctrl-B  scroll backward one screen
Ctrl-U  scroll backward one-half screen
Ctrl-E  expose one line at bottom
Ctrl-Y  expose one line at top
(  move cursor to beginning of previous sentence
)  move cursor to beginning of next sentence
{  move cursor to the previous paragraph
}  move cursor to the next paragraph
+  move cursor down one line
-  move cursor up one line
$  move cursor to end of line
^  move cursor to beginning of line

Inserting Characters and Lines

a  insert to right of cursor
A  move cursor to the end of line, and insert
i  insert to the left of cursor
I  insert at beginning of line
o  insert a blank line below cursor


O  insert a blank line above cursor

Changing Text

cw  change word (or part of word right of cursor)
cr  change entire line
C  change part of line to the right of cursor
s  substitute string for character under cursor
r  replace character under cursor with one other character
r-Return  break line
J  join current line with line below
xp  transpose character at cursor and character to right
~  change case of letter
u  undo previous command
U  undo all changes to line
:u  undo previous last-line command

Deleting Text

x  delete character at cursor
4x  delete 4 characters
dw  delete word (or part of word to right of cursor)
dd  delete entire line
3dd  delete 3 lines
D  delete part of line to right of cursor
:5,10 d  delete lines 5-10 (notice you have to type : first)

Copying and Moving Text

yy  yank or copy line
Y  yank or copy line
P  put yanked or deleted line above current line
p  put yanked or deleted line below current line
:1,2 co 3  copy lines 1-2 and put after line 3
:4,5 m 6  move lines 4-5 and put after line 6

Setting Line Numbers

:set nu  show line numbers
:set nonu  hide line numbers

Finding a Line

G  go to last line
20G  go to line 20

Searching and Replacing

/string/  search for string
?string?  search backward for string
n  find next (or previous) occurrence of string
:g/search-string/s//replace-string/gc  search and replace, consulting at each occurrence

Inserting a File Into a File

:r filename  insert (read) file after cursor


:30 r filename  insert file after line 30

Saving and Quitting

:w  save changes (write buffer)
:w filename  save as specified file
:wq  save and quit vi
ZZ  a quick way to save and quit vi
:q!  quit vi without saving
:q  quit vi. You can do this only when you have not made any changes to the file

Other Commands

Ctrl-L  clear (redraw) a scrambled screen

The Most Important Commands At A Glance

To open a file or create a new file → # vi <file name>
To insert into a file → press Insert
To save and exit → :x
To save without exit → :w
To exit without saving → :q
To exit without saving → :q!
To save as and exit → :x <file name>
To save as without exit → :w <filename>
To append a file → :r <filename>

Cursor movement on the vi editor:

o → insert a line after the cursor position
O → insert a line before the cursor position
x → to delete a single character
nx → to delete n single characters
dd → to delete a line
ndd → to delete n lines
yy → to copy a line
p → to paste a line
nyy → to copy n lines
np → to paste n lines
u (undo) → to undelete
ctrl + r → to redo
ctrl + g → to know the cursor position
:n → to go to the nth line
shift + g → to go to the bottom
:1 → to go to the top


gg → to go to the top
shift + d / D → to delete up to the end of the line from the cursor position
:1,$ s/<find what>/<replace with>/g → to replace <find what> with <replace with>
/string → to search for a string
n → for the next match of the search
shift + n → for the previous one

File Creation, Deletion

To create a file you may use the following command:
# cd /infinity
/infinity # touch a1 /mnt/a20 /tmp/a30
/infinity # touch a2 a3 a4 b1 b2 b3 c1 c2 c3
touch => A file will be created if it was not created earlier. If the file was created earlier, then only the time stamp will be updated without changing the contents of the file.

[Figure: directory tree after the commands above]
/
    /tmp
    /etc
    /mnt
    /infinity
        a1 a2 a3 b1 b2 b3 c1 c2 c3

Consider another example with fig:

[Figure: a second directory tree]
/
    /etc
        /d100
    /tmp
    /infinity
        a1 a2 a3 b1 b2 b3 c1 c2 c3
        /d1
            x1 y1 z1
        /d2
            p1 q1 r1
        /d3


# cd /infinity
/infinity # touch a1 a2 a3 b1 b2 b3 c1 c2 c3
# cd d1
# touch x1 y1 z1
# cd ../d2
# touch p1 q1 r1

Concept about change directory

[Figure: an example directory tree used to illustrate relative paths; the nodes shown are GECTPP, sylhet, ctg, banani, dhanmondi, 6th, 7th, rd2, rd3, rd4, aa, bb, dd, ff, mm, nn, pp, qq, xx, yy, zz]

. => Present Directory
.. => Parent Directory
# pwd => Print working directory (present/existing working directory)

Directory Creation, Deletion

To create a directory you may use the following command:
# cd /infinity
/infinity # mkdir d1 d2 d3 d60 /etc /d100


Rename/Remove File & Directory

File Remove/Delete
# cd /infinity
# rm a1 <ENTER> (? mark will appear)
# rm a* <ENTER> (? mark will appear)
# (press y for the above two confirmations)
# rm -f b* (? mark will appear) [force]
# rm -f * (all files will be deleted, excluding directories if any)

Directory Remove
# rmdir d3 (if the directory is empty)
# rm -r d1 (if the directory is empty or not empty) [recursively]
# rm -rf d2 (no ‘?’ mark will appear) [recursively, force]
Warning: Be very careful with this. Don’t do this:
# rm -rf * (All files and directories will be deleted without asking any question)

DOS | Linux | Remarks
EDIT | vi | To edit/create a file
TYPE | cat | To see the contents of the file without entering into the file

Copy and Move Files and Directories

[Figure: / contains /test50, /test100, /test200 and /etc; the files shown are thanks, hellow and passwd]


Existing Partition | Command | Source Directory | Source File/Dir | Target Directory | Target File/Dir
/test50 | #cp | /test50 | /thanks | /test100 | /thanks
/test100 | #cp | /etc | /passwd | /test100 | /passwd
/test50 | #cp | /etc | /passwd | /test100 | /passwd
/test50 | #cp | /etc | /passwd | /test100 | /passwd
/test100 | #cp | /etc | /passwd | /test100 | /passwd

To copy a directory we just add -R after cp.
Example: # cp -R /test50 /test100 <ENTER>
To move directories or files we use mv instead of cp. In this case “-R” is not required for a directory move.


CHAPTER-SIX Linux File/Directory Permission

Access Permissions

Each file on the system is associated with a code called the access mode, that determines who may access the file and who may not. The user who created the file can install and change this code.

Categories of Users and Permissions
The system users, with respect to accessibility of the files on the system, are classified into three categories: the owner, the group, and others.

• The owner - the user who originally created the file.
• The group - the group of users (defined by the system administrator) to which the user belongs.
• Others - all others.

Each file will have the following permission categories for each of the three categories of users:

o Read - read the contents of the file.
o Write - change the contents of the file.
o Execute - can execute the file (if an executable file).

Thus, for each file there will be nine attributes. These are called the access permissions of the file. The set of attributes is also called the access mode of the file.

How to See Access Permissions on a File
The command ls with option -l is used to display the access mode of a file. The command
$ ls -l
will display the long listing of the files in the current directory.

total 132
-rw-rw-r-x 1 sam staff 77171 Oct 10 18:29 one.c

The list would consist of several lines like the above.


Consider the line

-rw-rw-r-x 1 sam staff 77171 Oct 10 18:29 one.c

Item 1 indicates the permissions.
Item 2 indicates the number of links.
Item 3 is the name of the owner (the person who created the file).
Item 4 is the group name.
Item 5 is the file size in bytes.
Item 6 is the month the file was last modified.
Item 7 is the day the file was last modified.
Item 8 is the time the file was last modified (ls shows the year instead for files older than about six months).
Item 9 is the file name.

Permissions
Consider the permission field:

 _ _ _ _ _ _ _ _ _ _
 0 1 2 3 4 5 6 7 8 9

position 0 indicates the nature of the file:
   -  indicates a standard file
   d  indicates a directory
   (ignore other possibilities such as b, c, s for now)

positions 1 2 3 indicate the access permissions for the owner:
   1 is read permission:    r yes, - no
   2 is write permission:   w yes, - no
   3 is execute permission: x yes, - no

positions 4 5 6 indicate the access permissions for the group:
   4 is read permission:    r yes, - no
   5 is write permission:   w yes, - no
   6 is execute permission: x yes, - no

positions 7 8 9 indicate the access permissions for others:
   7 is read permission:    r yes, - no
   8 is write permission:   w yes, - no
   9 is execute permission: x yes, - no

Example: the access mode -rwxr-x--x indicates that

• the file is an ordinary file (-)
• the owner can read, write and execute (rwx)
• the group can read and execute but cannot write (r-x)
• all other users can execute but cannot read or write (--x)

Permissions of Directories
With directories, the access modes have a slightly different meaning. You need read permission to use ls on a directory. You need execute (search) permission to enter (cd into) the directory or to reach any file inside it by name. You need write permission together with execute permission to add or delete files in the directory: write alone is not enough, because the kernel has to look the entry up in the directory first.

Note: Think of the consequences of these.

Examples: Assume the following:

drw-rw-rw- planet
You cannot cd into planet. You can still list the file names in planet (ls -l will fail to show their details). You cannot add files to planet or remove files from planet, because the directory lacks execute permission.

d-wx-wx-wx planet
You can cd into planet. You cannot list files. You can still add files to planet, and you can delete files from planet (if you know the file name).

Changing Access Mode
Only the owner (or the superuser) can change the access mode of a file. The command for changing the access mode is chmod (for "change mode"). The general syntax is

$ chmod [class][operation][permission] filename

where class is
   u  user (owner)
   g  group
   o  others
   a  all (ugo)


• operation is
   =  assign permissions absolutely (assigns the indicated permissions and removes all others)
   -  remove access
   +  give access
• permission is
   r  read
   w  write
   x  execute

class is optional. If it is omitted, all (a) is assumed, except that bits set in the umask are left alone.

Using chmod with Numbers
Permissions can also be specified using a 3-digit octal number. To understand how the 3-digit octal number represents permissions, first convert the number to binary form by replacing each octal digit with its 3-bit equivalent. In the resulting 9-bit representation, the first group of 3 bits are the permissions for the owner, the middle 3 bits are the permissions for the group, and the last 3 bits are the permissions for all others. A 1 indicates enabled, and a 0 indicates disabled.

Example: an access code of 532 is 101 011 010 in binary, which is r-x-wx-w-.

The command chmod can be used with numbers:

$ chmod 751 filename

(a three-digit octal number followed by the file name)

The umask Command
When a new file is created, the system gives it a default access mode. The command umask displays the value used to compute that default. The umask value is shown in octal; a umask bit of 0 means the permission is kept, while a bit of 1 means the permission is taken away. A umask of 022, for example, is 000 010 010 in binary, so write permission is removed for group and others. The result depends on what is being created: directories start from 777 and therefore get 755, while ordinary files start from 666 and therefore get 644; a umask never adds execute permission to a new file. To change the umask value, the command is:

$ umask newvalue

Effect of the cp and mv Commands on Permissions

• cp creates a new file owned by the user running cp; the permission bits are copied from the source but filtered through the umask, unless cp -p is used to preserve mode, ownership and timestamps.
• mv retains the original permissions, ownership and group id (if source and target are in the same file system; across file systems it behaves like a copy followed by a delete).
• To copy a file out of a directory you need x permission on the directory (and r permission on the file).
• To move a file out of a directory you need w and x permission on the directory.
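The following is an added worked example, not code from the manual: it turns the rules described in this chapter (the nine items of an ls -l line, the rwx permission field, octal and symbolic chmod, the umask, and what r, w and x mean on a directory) into small functions you can run against any listing line. The ls -l line used below is a constructed sample matching the one discussed above; nothing here touches the real file system, and the set-id and sticky letters (s, t) are out of scope, as on this page.

```python
import re

PERM_CHARS = "rwxrwxrwx"
LS_FIELDS = ("permissions", "links", "owner", "group", "size",
             "month", "day", "time", "name")


def mode_to_octal(perms):
    """Nine permission characters from ls -l, e.g. 'rwxr-x--x' (a leading
    type character such as '-' or 'd' is allowed), to an int such as 0o751."""
    bits = perms[-9:]
    if len(bits) != 9:
        raise ValueError("need nine permission characters, got %r" % perms)
    value = 0
    for expected, got in zip(PERM_CHARS, bits):
        value <<= 1
        if got == expected:
            value |= 1
        elif got != "-":
            raise ValueError("unexpected permission character %r" % got)
    return value


def octal_to_mode(value):
    """The inverse: 0o532 -> 'r-x-wx-w-'."""
    return "".join(c if value & (1 << (8 - i)) else "-"
                   for i, c in enumerate(PERM_CHARS))


def creation_mode(umask, is_dir):
    """Mode a new file or directory gets: the kernel starts from 0o777 for a
    directory and 0o666 for a plain file, then clears every bit set in the
    umask. A umask can only take bits away, never add execute to a file."""
    base = 0o777 if is_dir else 0o666
    return base & ~umask & 0o777


def symbolic_chmod(current, spec):
    """Apply one symbolic chmod clause ('go-w', 'u+x', 'a=r', 'o=') to an
    integer mode. An omitted class means all three classes (the real chmod
    additionally leaves umask bits alone in that case; not modelled here)."""
    m = re.fullmatch(r"([ugoa]*)([=+-])([rwx]*)", spec)
    if not m:
        raise ValueError("unsupported chmod spec %r" % spec)
    classes, op, perms = m.groups()
    if not classes or "a" in classes:
        classes = "ugo"
    shift = {"u": 6, "g": 3, "o": 0}
    bits = sum({"r": 4, "w": 2, "x": 1}[p] for p in perms)
    new = current
    for c in classes:
        if op == "=":
            new = (new & ~(0o7 << shift[c])) | (bits << shift[c])
        elif op == "+":
            new |= bits << shift[c]
        else:
            new &= ~(bits << shift[c])
    return new & 0o777


def directory_access(perms, who):
    """What a user in class who ('owner', 'group' or 'others') can do inside
    a directory with the given permission string, e.g. 'drw-rw-rw-':
    listing names needs r, entering (cd) or opening a file by name needs x,
    and creating or removing entries needs both w and x on the directory."""
    value = mode_to_octal(perms) >> {"owner": 6, "group": 3, "others": 0}[who]
    r, w, x = bool(value & 4), bool(value & 2), bool(value & 1)
    return {"list": r, "cd": x, "open_known_file": x,
            "create_or_delete": w and x}


def parse_ls_line(line):
    """Split one 'ls -l' line into the nine items described on this page and
    add the decoded file type and octal mode."""
    parts = line.split(None, 8)
    if len(parts) != 9:
        raise ValueError("not a long-listing line: %r" % line)
    entry = dict(zip(LS_FIELDS, parts))
    entry["links"] = int(entry["links"])
    entry["size"] = int(entry["size"])
    entry["type"] = {"-": "file", "d": "directory",
                     "l": "symlink"}.get(entry["permissions"][0], "other")
    entry["mode"] = mode_to_octal(entry["permissions"])
    return entry


if __name__ == "__main__":
    # Constructed sample line, matching the one discussed on this page.
    e = parse_ls_line("-rw-rw-r-x 1 sam staff 77171 Oct 10 18:29 one.c")
    print(e["name"], e["type"], oct(e["mode"]))
    print(octal_to_mode(symbolic_chmod(e["mode"], "o-x")))
    print(oct(creation_mode(0o022, False)), oct(creation_mode(0o022, True)))
    print(directory_access("drw-rw-rw-", "owner"))
```

The directory_access function encodes the point made above about planet: with drw-rw-rw- the owner can list but neither enter nor create, while with d-wx-wx-wx everyone can enter and create but nobody can list.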


Mounting and Unmounting Local CD-ROM, Floppy and Windows Drive

• To know about the IDE devices
# dmesg | grep hd

• To know about the NIC
# dmesg | grep eth

• To know about the CD-ROM
# dmesg | grep CD

• To know about the floppy
# dmesg | grep floppy

• To know about the mounted devices
# mount <ENTER>

Fig: The distribution of directories and files in a machine (/ with /etc containing passwd and shadow, /mnt with floppy and cdrom, /tmp, and /iit containing the files a1, a2 and a3)

Mount and Unmount

# eject <ENTER>     (tray out; put the CD into the tray)
# eject -t          (tray in)


# mount /dev/hdd /iit
  (command  device  mount point)

# cd /iit
# ls -l

Now we can see the contents of the CD. But we cannot see the files a1, a2 and a3 in the /iit directory: they are hidden by the mount for as long as it lasts. To see them again we have to unmount the CD-ROM. So it is better to mount anything on an empty directory.

• Unmount

# cd /
# umount /iit

NOTE: Before unmounting we have to leave the /iit directory. Otherwise we will see the message "device is busy".

Linked File of CD-ROM

# cd /dev
# ls -l cdrom*

lrwxrwxrwx ................. cdrom -> /dev/hdd      (linked file)

To Create a Linked File (soft link)

# ln -s /dev/hdd sky
# ls -l sky

lrwxrwxrwx ................. sky -> /dev/hdd

So we can mount the CD-ROM as follows:

# mount /dev/cdrom /mnt
or
# mount /dev/sky /mnt


Software Installation and Un-installation

Software Installation

# eject            (insert the CD)
# eject -t
# mount /dev/cdrom /mnt
# cd /mnt/RedHat/RPMS
# rpm -ivh samba-client....rpm
   (i = install, v = verbose, h = print hash marks as a progress bar)

If a dependency problem arises:
# rpm -ivh --nodeps samba-client.....rpm

Software Un-installation
# rpm -e samba-common-2.0.7-36

If a dependency problem arises:
# rpm -e --nodeps samba-common-2.0.7-36

Software Reinstallation
# cd /mnt/RedHat/RPMS
# rpm -ivh samba*

To reinstall over an already installed package, or to replace files owned by another package:
# rpm -ivh --force samba*

Note: --nodeps and --force tell rpm to skip its dependency and conflict checks, so use them only when you understand what will break. For a package that did not come from the distribution CD, check its signature first with rpm --checksig <file>.rpm (short form: rpm -K).

To Know About the Installed Software
# rpm -qa | grep samba <ENTER>
   (q = query, a = all; grep = global regular expression print)
samba-common-2.0.7-36
samba-client-2.0.7-26
samba-2.0.7-36
samba-swat-2.0.7-36


CHAPTER-SEVEN BASIC ABOUT THE CONFIGURATION

IP CONFIGURATION

• To Know About the IP of Your PC
# ifconfig

• To Set IP (Temporary)
# ifconfig eth0 192.168.110.7 up
To deactivate the interface, write "down" instead of "up":
# ifconfig eth0 down
(eth0 is the first Ethernet interface.)

• To Set IP Permanently
# netconfig <ENTER>
# service network restart
# ifconfig <ENTER>

• Location of the IP Configuration File
# cd /etc/sysconfig/network-scripts
# cat ifcfg-eth0

• To Check the Connectivity
# ping 192.168.110.2

• To Stop the Pinging
Ctrl+C


• For 5 Ping Responses
# ping -c 5 192.168.110.2

• To Transmit 100 Bytes of Data per Ping
# ping -s 100 192.168.110.2
Note: maximum data size 65507 bytes (65535 minus the 20-byte IP header and the 8-byte ICMP header).

• Hostname Assign
# cd /etc/sysconfig
# vi network
NETWORKING=yes
HOSTNAME=localhost.localdomain
:x
# reboot
or, temporarily:
# hostname sky

• To Know the Hostname
# hostname

• Name Resolution
# cd /etc
# vi hosts
192.168.110.1   linux1
192.168.110.2   linux2
. . . . . .
192.168.110.8   linux8
:x

Now we can ping by name, i.e. by hostname:
# ping linux5

• ntsysv Command
Chooses which services are started automatically, i.e. at boot time.
# ntsysv <ENTER>


[ * ] network
[ * ] xinetd
[   ] sendmail

Note:
• The sendmail service should not be started automatically at boot time.
• The network and xinetd services will be started at boot time.

MORE ABOUT LINUX FILES

Boot Sequence Change

• For RedHat Linux 7.1 (LILO)
# cd /etc
# vi lilo.conf
default = linux          <- change here to either linux or windows
image = ---------
        label = linux
        -------------------
        -------------------
other = -----------
        -------------------
        -------------------
        label = windows
:x
# lilo <ENTER>           (lilo must be re-run after every change to lilo.conf, otherwise the change has no effect)
# reboot

• For RedHat Linux 8.0 (GRUB)
# cd /boot/grub
# vi grub.conf


default=0                <- 0 or 1, see the note below
timeout=10
splashimage=----------------
title RedHat Linux (2.4.18-14)
        --------------------
        --------------------
        --------------------
title WINDOWS
        --------------------
        --------------------
:x

NOTE: Here 0 means the 1st title, i.e. Linux, and 1 means the 2nd title, i.e. WINDOWS. Unlike LILO, GRUB reads grub.conf at boot time, so no further command is needed after editing it.

Setting the Logon Messages (motd & issue)

• MOTD - Message of the Day
# cd /etc
# vi motd
Welcome to IIT
This message will come after login.
:x
Now log out from the console, log in again and see the output.

• ISSUE
# cd /etc
# vi issue
Welcome to IIT
This message will come before login.
:x
Now log out from the console and see the output.


Use of Linux Run Levels
# cd /etc
# less inittab

0 - halt/shutdown
1 - single user mode
2 - multiuser (without NFS) mode
3 - full multiuser
4 - not used yet
5 - graphics mode (X11)
6 - reboot

id:5:initdefault:        <- change the number here to change the default run level

NOTE: Please don't use 0 or 6 as the default run level (the system would halt, or reboot again, as soon as init starts).

Console Increase and Decrease
# cd /etc
# vi inittab             (go to the bottom of the file)
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
------------------------------------------------
6:2345:respawn:/sbin/mingetty tty6
7:2345:respawn:/sbin/mingetty tty7
8:2345:respawn:/sbin/mingetty tty8
:x

# reboot
OR
# init q                 (tells init to re-read /etc/inittab without rebooting)

NOTE: If we add the tty7 and tty8 lines, the text consoles extend up to Alt+F8 and the GUI moves to F9. If we delete the tty6 line, the text consoles are reduced to F5 and the GUI is on F6.


Location of the History File
# cd /root
# cat .bash_history
Now we can see the list of commands. By default the history size is 1000. To modify the history size:
# cd /etc
# vi profile             (or: # less profile, to view it only)
HISTSIZE=1000            <- change here
:x

To Clear the History
# history -c

Note: the history file records commands verbatim, including any password typed as a command argument, so clear it (or keep secrets out of command lines) when others can read the file.

e2fsck
After an unclean shutdown we sometimes see the following message at boot:

Give root password for maintenance (or type Control-D for normal startup)

Generally typing Ctrl+D does not get us to a login prompt in this state, so we have to give the root password. After giving the root password we get a maintenance shell prompt. Find the partition that failed its check (here /dev/hda7):
# fdisk /dev/hda         (p prints the partition table, q quits)
OR
# cfdisk /dev/hda
Then check and repair it, answering yes to all repair questions:
# e2fsck -y /dev/hda7
# reboot
Hopefully your PC will be okay.

NOTE: Run e2fsck only on a file system that is not mounted read-write; in the maintenance shell the root file system is mounted read-only and the other partitions are not mounted at all.


CRON

Fig: directory tree used in this section (/ with /root and /etc; /etc holds passwd and shadow)

For scheduling we have to do the following.

To Check the Existing Crontab
# crontab -l             (lists the contents of the current crontab)
On a newly installed PC we will see the following: "no crontab for root"

To Assign the Schedule
Syntax of one crontab line:

minute   hour     day of the month   month    day of the week    command
(0-59)   (0-23)   (1-31)             (1-12)   (0-6, 0 = Sunday)

An asterisk (*) in a field means "every".

# crontab -e             (edit the current crontab)
# crontab -r             (remove the current crontab)
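As an added example (not part of the manual), the five time fields above can be checked mechanically. The code below parses the field syntax of Vixie cron as shipped with Red Hat (*, single values, ranges a-b, comma lists and /n steps), rejects values outside the ranges in the table, and decides which entries of a crontab would fire at a given minute. It assumes 0 = Sunday and Vixie cron's rule that when both the day-of-month and day-of-week fields are restricted a match on either is enough; the crontab text and the command paths in it are constructed for the example.

```python
import datetime

FIELD_RANGES = ((0, 59), (0, 23), (1, 31), (1, 12), (0, 6))
FIELD_NAMES = ("minute", "hour", "day of month", "month", "day of week")


def parse_field(text, low, high):
    """Expand one crontab field into the set of integers it allows.
    Accepts '*', single values, ranges a-b, comma lists and /n steps."""
    allowed = set()
    for item in text.split(","):
        step = 1
        if "/" in item:
            item, step_text = item.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError("step must be positive")
        if item == "*":
            start, end = low, high
        elif "-" in item:
            a, b = item.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(item)
            end = high if step != 1 else start   # '5/10' means 5, 15, 25, ...
        if not low <= start <= end <= high:
            raise ValueError("value out of range %d-%d" % (low, high))
        allowed.update(range(start, end + 1, step))
    return allowed


def parse_crontab_line(line):
    """Return a dict describing one crontab entry, or None for blank and
    comment lines. Raises ValueError for a malformed entry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("need five time fields and a command: %r" % line)
    fields = []
    for text, (low, high), name in zip(parts[:5], FIELD_RANGES, FIELD_NAMES):
        try:
            fields.append(parse_field(text, low, high))
        except ValueError as exc:
            raise ValueError("bad %s field %r: %s" % (name, text, exc))
    return {"fields": fields, "command": parts[5],
            # Vixie cron: when BOTH day fields are restricted, a match on
            # either one is enough; otherwise both must match.
            "dom_star": parts[2].startswith("*"),
            "dow_star": parts[4].startswith("*")}


def entry_fires(entry, when):
    """True if the entry would run at datetime `when` (seconds ignored)."""
    minute, hour, dom, mon, dow = entry["fields"]
    cron_dow = (when.weekday() + 1) % 7      # Python Monday=0 -> cron Sunday=0
    if entry["dom_star"] or entry["dow_star"]:
        day_ok = when.day in dom and cron_dow in dow
    else:
        day_ok = when.day in dom or cron_dow in dow
    return (when.minute in minute and when.hour in hour
            and when.month in mon and day_ok)


def due_commands(crontab_text, year, month, day, hour, minute):
    """Commands from a whole crontab that would run at the given minute,
    in file order."""
    when = datetime.datetime(year, month, day, hour, minute)
    due = []
    for line in crontab_text.splitlines():
        entry = parse_crontab_line(line)
        if entry and entry_fires(entry, when):
            due.append(entry["command"])
    return due


# Constructed sample crontab for this example (paths are illustrative).
SAMPLE_CRONTAB = """\
# minute hour day-of-month month day-of-week  command
30 2 * * *     /usr/bin/find /tmp -mtime +7 -delete
*/15 * * * *   /usr/local/bin/check_link.sh
0 9 * * 1-5    /usr/local/bin/backup_etc.sh
0 0 1 * 0      /usr/local/bin/first_of_month_or_sunday.sh
"""

if __name__ == "__main__":
    for stamp in ((2003, 3, 31, 2, 30), (2003, 3, 31, 9, 0), (2003, 3, 2, 0, 0)):
        print(stamp, due_commands(SAMPLE_CRONTAB, *stamp))
```

Running a candidate crontab through parse_crontab_line before installing it with crontab -e catches the usual mistakes (a day-of-month of 0, a month of 13, a missing command) that cron itself only reports in syslog.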

Use of Single User Mode (7.1) => For LILO

1. Switch on the PC.


2. Select the Linux entry and press Ctrl+X to get the text prompt:
boot:
3. Press the Tab key to see the available labels:
linux windows
boot: linux single       (or: linux 1, or: linux s; any one of these three) <ENTER>

sh-2.04#                 [We get the above prompt without a password]

Restriction
# cd /etc
# vi lilo.conf
default = linux
password = iit123
restricted
image = -----------
Add the two lines (password and restricted) between the default and image lines. With restricted, the password is only asked for when extra boot parameters such as "single" are given.
:x
# chmod 600 /etc/lilo.conf    (the password is stored in clear text, so nobody else may read the file)
# lilo <ENTER>
# reboot
Try again and see what happens.

Use of Single User Mode (8.0) => For GRUB

1. Switch on the PC.
2. Select the Linux entry and press e.
3. Select the line "kernel ......" and press e.
4. Append single (or 1, or s; any one of these three) to the end of the line and press ENTER.
5. Press b to boot.
6. Now you are logged in in single user mode.

sh-2.05b#                [We get the above prompt without a password]

Restriction
# cd /boot/grub
# vi grub.conf
timeout=10
password=iit123
splashimage=-----------
Add the password line between the timeout and splashimage lines. Prefer a hashed password: generate one with grub-md5-crypt and write password --md5 <hash> instead of the clear-text form.


:x
# reboot
Try again and see what happens.

TAR/ZIP/UNZIP

Fig: directory tree used in this section (/ with /etc and /sky; /etc holds passwd, shadow, group, services and named.conf; /sky holds the directories d1, d2 and star)

• ZIP
# cd /sky
# zip new1.gz passwd shadow star
   [Note: directory contents will not be compressed. zip normally names its archives .zip, which is the extension unzip and other tools expect.]
# zip -r new2.gz *
   [Note: files and directories, including directory contents, will be compressed]

• UNZIP
# unzip new1.gz
# unzip new2.gz
   [Note: it will decompress files and directories, including directory contents]

• TAR
# cd
# tar cvf new3.tar *
   (c = create, v = verbose, f = file)

• UNTAR
# tar xvf new3.tar
   (x = extract)

• TAR and GZIP Combined
# tar zcvf new4.tar.gz *
   (z = compress the archive with gzip)

• UNTAR
# tar zxvf new4.tar.gz

MORE ABOUT PERMISSION

How to Write the hosts.allow and hosts.deny Files
# vi /etc/hosts.deny

ALL : ALL
(all services : all PCs/hosts/networks; the form is always daemon list, colon, client list)

:x
# vi /etc/hosts.allow

in.telnetd : linux2                      (host)
ALL : ALL EXCEPT linux3                  (every host except one)
in.ftpd : linux4, linux5                 (several hosts, separated by commas or spaces)
in.telnetd : 192.168.110.                (network: a trailing dot matches every address starting with 192.168.110.)
ALL : 192.168.110.7                      (ip)
ALL : .iit.org                           (domain: a leading dot matches every host name ending in .iit.org)

:x

If we want to deny access we write into the /etc/hosts.deny file; if we want to allow it we write into the /etc/hosts.allow file. The rules apply to services started through xinetd or tcpd (and to daemons built with libwrap). hosts.allow is consulted first, then hosts.deny, and a connection that matches neither file is allowed, which is why the ALL : ALL line in hosts.deny is what closes the default. Note that a line such as ALL : ALL EXCEPT linux3 in hosts.allow lets every other host reach every service, making the more specific lines redundant; keep it only if that is really the intent.
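The following is an added example, not code from the manual or from the TCP Wrappers package: a small evaluator for hosts.allow and hosts.deny rules, so that a pair of files like the ones above can be checked for what they actually permit before a service is exposed. It implements the subset of the hosts_access(5) syntax used on this page (daemon list : client list, ALL, EXCEPT, host names, a trailing-dot network prefix, a leading-dot domain suffix) and tcpd's decision order (first matching hosts.allow rule grants, otherwise first matching hosts.deny rule refuses, otherwise access is granted). The rule text, host names and addresses are constructed for the example; real tcpd also performs DNS lookups, which are not simulated here.

```python
import re


def parse_list(text):
    """'ALL EXCEPT linux3, linux4' -> (['ALL'], ['linux3', 'linux4']).
    Items are separated by commas and/or blanks; one EXCEPT is supported."""
    parts = re.split(r"\s+EXCEPT\s+", text.strip(), maxsplit=1, flags=re.IGNORECASE)
    include = [t for t in re.split(r"[,\s]+", parts[0]) if t]
    exclude = [t for t in re.split(r"[,\s]+", parts[1]) if t] if len(parts) > 1 else []
    if not include:
        raise ValueError("empty list in %r" % text)
    return include, exclude


def parse_rules(text):
    """Parse a hosts.allow/hosts.deny file into (daemon_list, client_list)
    pairs, in file order. Comment and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        if not sep:
            raise ValueError("rule must be 'daemon_list : client_list': %r" % line)
        rules.append((parse_list(daemons), parse_list(clients)))
    return rules


def token_matches(token, value):
    """One list token against one name (daemon, host name or address)."""
    if token.upper() == "ALL":
        return True
    t, v = token.lower(), value.lower()
    if t.startswith("."):        # domain suffix: .iit.org matches pc1.iit.org
        return v.endswith(t)
    if t.endswith("."):          # network prefix: 192.168.110. matches 192.168.110.7
        return v.startswith(t)
    return t == v


def list_matches(lst, values):
    """A list matches if some include token matches any of the values and
    no EXCEPT token does."""
    include, exclude = lst
    hit = lambda tokens: any(token_matches(t, v) for t in tokens for v in values)
    return hit(include) and not hit(exclude)


def access_allowed(allow_text, deny_text, daemon, client_ids):
    """tcpd's decision: the first rule in hosts.allow that matches grants
    access; otherwise the first matching rule in hosts.deny refuses it;
    otherwise access is granted. client_ids holds every identity tcpd would
    test for the client, normally its host name (if any) and its address."""
    for daemons, clients in parse_rules(allow_text):
        if list_matches(daemons, [daemon]) and list_matches(clients, client_ids):
            return True
    for daemons, clients in parse_rules(deny_text):
        if list_matches(daemons, [daemon]) and list_matches(clients, client_ids):
            return False
    return True


# Constructed sample files for this example (host names are illustrative).
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = """\
in.telnetd : linux2, 192.168.110.
in.ftpd    : ALL EXCEPT linux3
sshd       : .iit.org
ALL        : 192.168.110.7
"""

if __name__ == "__main__":
    for daemon, ids in (("in.telnetd", ["linux2", "10.0.0.2"]),
                        ("in.telnetd", ["host9", "192.168.110.9"]),
                        ("in.ftpd", ["linux3", "192.168.110.3"]),
                        ("sshd", ["pc1.example.org", "203.0.113.6"])):
        print(daemon, ids, access_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, ids))
```

The last assertion in the test below makes the point from the text concrete: with an empty hosts.deny, a client that matches nothing in hosts.allow is still let in.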


Ownership Change
rw-|r--|r--   alam   kaly    a1       (owner alam, group kaly)
# chown robin a1                      (owner becomes robin)

Group Change
rw-|r--|r--   poly   shahin  a2       (owner poly, group shahin)
# chgrp rony a2                       (group becomes rony)

Change Ownership and Group Combined
rw-|r--|r--   ruhul  sonia   a3       (owner ruhul, group sonia)
# chown sultan:polash a3              (owner becomes sultan, group becomes polash)

Group Creation and Giving Permission

Group Creation
# groupadd marketing
# groupadd sales

Group Deletion
# groupdel sales

Adding Users to a Particular Group
# gpasswd -M u1,u2,u3 marketing
   (a comma-separated list of user names without spaces, then the group name)
   [Please note that -M replaces the previous member list of the group]
# gpasswd -a u4 marketing             (append one user)
# gpasswd -d u2 marketing             (delete one user from the group)


CHAPTER-EIGHT TELNET

Telecommunications Network Protocol (TELNET): an application layer TCP/IP client/server protocol used to remotely control a computer at another location. A mainstay of UNIX networking, TELNET is a true remote control application: when you access another computer and run a program, it is the processor in the remote computer that executes that program. The TELNET service is command-line based, making it of limited use on Windows computers, which rely on a graphical interface. However, all versions of Windows include a Telnet client, and Windows 2000 also includes a Telnet server; compared to a UNIX Telnet implementation, there are relatively few things that you can do with it. Telnet sends everything, including the login password, in clear text over the network, so on any network you do not fully control prefer SSH (described at the end of this chapter).

TELNET Server Configuration:

1. RPM required
# rpm -qa | grep telnet

2. Step-by-step Telnet server configuration
a. # cd /etc/xinetd.d
b. # vi telnet
   change the line "disable = yes" to "disable = no"
   :x

3. # service xinetd restart

Using telnet for remote login

Telnet is a service provided by many different types of computer systems to enable remote users to log in to their machines over TCP/IP networks. The telnet command is the client program that you use to do the remote login. The most common way to use telnet is with a hostname or IP address.

# telnet 192.168.110.3          (where 192.168.110.3 is the IP of the server linux3)
--------------
----------------
login: alam
password: ******
Last login: Mon Mar 31 13:15:57
[alam@linux3 alam]$


A few useful options and commands:

♦ -a : automatic login (sends the local user name)
♦ -l user : user name to log in as
♦ -r : rlogin-style interface
♦ ~. (tilde + dot) : to disconnect while in rlogin mode, or if your remote shell is hung
♦ ~ ^Z (tilde + Ctrl+Z) : to suspend the telnet session
♦ fg : to put telnet back in the foreground (return to telnet after suspending it or escaping to the shell)
♦ Ctrl+] : to get to the telnet command prompt at any time; at that prompt:
♦ ? : print help information
♦ ! : escape to the shell
♦ close : close the connection, if you have an open connection
♦ display : show the operating parameters that are in effect
♦ logout : log off the remote connection in this session and close it
♦ mode : try to enter line mode or character mode
♦ quit : close telnet and exit
♦ z : suspend the current telnet session

Becoming Super User (The su Command):

• To become the super user (root):

$ su
Password: *****
#

• To become another user (here chum) rather than root; the dash gives you that user's login environment:

$ su - chum

• To exit:

# exit

SSH (Secure Shell): the secure shell package (SSH) provides the same remote shell service but encrypts the network traffic. It uses public-key cryptography to authenticate the server (and optionally the user) and to agree on a session key, and a symmetric cipher to encrypt the session itself. Remote users use the ssh command to log in to your system securely:

$ ssh <host name or IP address>


CHAPTER-NINE

FTP

In today's pecking order of Internet services, FTP, the File Transfer Protocol, arguably places third behind e-mail's enormous popularity and the Web's visual appeal. Nevertheless, FTP is a core Internet service, one that almost every Internet user has used at one time or another. This lesson shows you how to configure and maintain WU-FTPD, the FTP server package that comes with Red Hat Linux. FTP itself is relatively straightforward and uncomplicated to install, configure, maintain, and monitor. The few difficulties most administrators encounter are the result of FTP's interaction with firewalls, the TCP Wrappers package, and other measures intended to increase the overall security of a Red Hat Linux system. This lesson steps through the entire process of installing, configuring, maintaining, and monitoring an FTP server. It also outlines the security issues involved in running an FTP server and suggests measures you can take to minimize security risks.

Red Hat Linux's choice: WU-FTPD
The only FTP server available in any of the Red Hat Linux installation profiles is WU-FTPD, the Washington University FTP daemon, maintained by the WU-FTPD Development Group. To the standard FTP services defined in RFC 959, the core RFC (Request For Comments) that defines the FTP protocol, WU-FTPD adds the security and feature enhancements listed here:

• Logging all incoming and outgoing file transfers
• Logging all commands executed by users logged in to the server
• Compressing downloaded files and directories on the fly
• Organizing users into classes and setting limits on a per-class basis
• Controlling uploads on a per-directory basis
• Displaying systemwide or per-directory messages, as when users log in and as logged-in users navigate the FTP file system
• Supporting virtual hosts

In order to enable anonymous FTP support, you also need to install the anonftp RPM, which creates the necessary directory and file structure enabling anonymous FTP. A complete Red Hat Linux installation also installs the tftp-server package, a server implementing the Trivial File Transfer Protocol (TFTP). However, TFTP is used almost exclusively for booting diskless workstations, such as X terminals and slave nodes in clusters, or for transferring files to other diskless devices, such as network routers and bridges, so it will not be mentioned again in this lesson.

Alternative FTP Servers
Although Red Hat Linux uses WU-FTPD, two other popular FTP servers, ProFTPD and NcFTPD, deserve mention because they are widely used throughout the Unix and Linux community. ProFTPD (http://www.proftpd.org/) is a free FTP server licensed under the GPL (the GNU General Public License), roughly modeled after the Apache Web server and designed to be more configurable and more secure than WU-FTPD. ProFTPD was written from scratch, unlike other Linux and Unix FTP servers, including WU-FTPD, which have evolved from the original BSD ftpd server. Key features that distinguish ProFTPD from WU-FTPD include:


• Per-directory access configuration using .ftpaccess files, much like Apache's .htaccess file.
• An anonymous FTP root directory unencumbered by required directory structures and system binaries.
• Support for hidden files and directories.
• Complete independence from external programs: ProFTPD is self-contained, reducing the likelihood of exploits that take advantage of external programs.
• Runs as an unprivileged user in stand-alone mode, decreasing exposure to attacks that attempt to exploit its root privileges.

NcFTPD (http://www.ncftp.com/) is a commercial FTP server, also written from scratch, optimized for anonymous FTP service and high performance. Its primary architectural features are its self-described "no-forks" design (not spawning child processes to handle incoming connections and individual directory listings) and its independence from inetd and xinetd: it runs as a stand-alone server. It is not free software, but its features, security, and performance make it a popular FTP server.

Installing WU-FTPD
Depending on the type of installation you selected when you installed Red Hat Linux, anaconda, the Red Hat installation program, may or may not have installed WU-FTPD. To find out, execute the command rpm -q wu-ftpd. If the output resembles the following, WU-FTPD is installed:

wu-ftpd-2.6.2-16

If WU-FTPD is installed, you can skip ahead to the section titled "Installing the anonftp package". Or, you might consider customizing WU-FTPD for your system by following the instructions in "Installing and building the source RPM" later in this section. Better still, you can install WU-FTPD's most recent version, which includes the latest security patches and bug fixes, by downloading, compiling, and installing it from the source distribution as described in the section titled "Installing and building the source distribution" later in this section. If, on the other hand, you see the message package wu-ft
pd is not installed, you must at least install the binary RPM before continuing with this lesson.

Installing the binary RPM
To install the WU-FTPD binary RPM from the Red Hat installation CD-ROMs, follow these steps:

1. Log in as the root user or use su to become root.
2. Mount the Red Hat Linux installation CD-ROM (disk 1).
3. Type the following command to install WU-FTPD (replace /mnt/cdrom with the mount point of your CD-ROM drive if it is different):

# rpm -ivh /mnt/cdrom/RedHat/RPMS/wu-ftpd*rpm

4. Continue with the section titled "Installing the anonftp package."

Installing and Building the source RPM

If you choose to install and build the source RPM, follow these steps:

1. Log in as the root user or use su to become root.
2. Mount the Red Hat Linux installation CD-ROM (disk 2).
3. Type the following commands to rebuild and install WU-FTPD (replace /mnt/cdrom with the mount point of your CD-ROM drive if it is different):

# rpm --rebuild /mnt/cdrom/SRPMS/wu-ftpd*src.rpm
# rpm -ivh /usr/src/redhat/RPMS/i386/wu-ftpd*rpm

(With rpm 4.1 and later, as shipped with Red Hat Linux 8.0, the rebuild step is rpmbuild --rebuild instead of rpm --rebuild.)

4. Continue with the section titled "Installing the anonftp package".


Installing the anonftp package

As stated previously, the anonftp package creates a safe environment for anonymous FTP. In particular, it creates a chroot environment for anonymous FTP in /var/ftp and copies key files into the /var/ftp/lib, /var/ftp/bin, and /var/ftp/etc subdirectories. A chroot (change root) directory is a directory "jail" of sorts that severely restricts the user's view of the system. After a remote user logs in to the FTP server as the user anonymous or ftp, the FTP daemon, ftpd, places the user in a special directory, /var/ftp, that becomes the user's root (/) directory. /var/ftp (the user's /) and its subdirectories constitute the user's entire view of the system, because the user cannot cd out of the directory and, as a result, cannot see the layout of the real file system. However, because of these restrictions, certain binaries, libraries, and configuration files have to be copied into the chroot jail in order for the user to execute certain commands. This copying is what the anonftp package does. If the command rpm -q anonftp returns the message package anonftp is not installed, install it using the following steps:

1. Log in as the root user or use su to become root.
2. Mount the Red Hat installation CD-ROM (disk 1).
3. Type the following command to install the anonftp RPM (replace /mnt/cdrom with the mount point of your CD-ROM drive if it is different):

# rpm -ivh /mnt/cdrom/RedHat/RPMS/anonftp*rpm

Configuring the Server

Installing the WU-FTPD and anonftp packages creates a basic functioning FTP server that works for users with their own login accounts on the system and for anonymous FTP, using either the anonymous or ftp login names. However, the stock configuration is only a start, a base that you should customize to enhance security and to fit your needs. In this section, you learn how to fine-tune the default FTP server configuration. The first step in FTP server configuration is to become familiar with the configuration files that control the server's behavior. The following table lists and briefly describes WU-FTPD's configuration files.

WU-FTPD Configuration Files

File Name              Description
/etc/ftpaccess         Controls the operation of the FTP daemon, ftpd.
/etc/ftpconversions    Controls the dynamic file conversions the FTP daemon performs.
/etc/ftpgroups         Lists the group names and passwords for FTP private groups.
/etc/ftphosts          Lists specific hosts permitted or denied FTP access.
/etc/ftpusers          Lists user names not permitted to log in using FTP.

Configuring user and host Access
The /etc/ftpusers file is the simplest to understand. It contains a list of user or account names, one per line, that are not allowed to log in using FTP. This file is used to increase security. For example, if a cracker somehow obtains the root password but (stupidly) tries to log in as root using FTP, the login attempt will fail. Note that the file name is counterintuitive: user accounts listed in this file are not permitted to log in to the system using FTP. In general, /etc/ftpusers is used to prevent privileged user accounts, such as root, from using FTP to obtain access to the system. A standard /etc/ftpusers file is shown below:


A Standard /etc/ftpusers File

root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody

So, to prevent the user bubba from using FTP to log in, or, rather, to prevent user bubba from logging in to the system via FTP, append bubba to the end of /etc/ftpusers. In most cases, the default entries shown in the standard file should be sufficient, but if you install a software package, such as a database package, that requires one or more special user accounts, consider adding such special accounts to /etc/ftpusers in order to maintain strict limits on how the FTP server can be accessed.

The /etc/ftphosts file serves a purpose similar to /etc/ftpusers, limiting FTP access, but it is more flexible. /etc/ftphosts defines access rules, one per line, that permit or deny access to the FTP server based on the host from which the login originates. Each access rule consists of one of the keywords allow or deny, a user name, and one or more IP addresses. The general format for access rules is

allow username ipaddr[...]
deny username ipaddr[...]

username identifies the user name to which the rule applies, and ipaddr indicates the IP address to which the rule applies. Lines beginning with # are comments and are ignored. An allow rule permits connections only from the host whose IP address matches ipaddr to log in to the FTP server as username. A deny rule prevents an FTP login using username from any connection whose host IP address matches ipaddr. As you might expect, if username is anonymous or ftp, the corresponding rule applies to the anonymous FTP user. Multiple IP addresses can be specified by separating each address with whitespace.

For example, the rule

allow bubba 192.168.0.1

permits the user named bubba to log in to the FTP server only if the connection originates from the IP address 192.168.0.1. Conversely, the rule

deny kwall 127.0.0.1

prevents the user named kwall from logging in if the source connection is 127.0.0.1.

One feature of access rule specification in /etc/ftphosts needs to be noted. You can specify a range of IP addresses using CIDR (Classless Inter-Domain Routing) notation or by appending a colon followed by a netmask to ipaddr. For example, to allow bubba to log in from any IP address in the subnet 166.70.186.8/29 (166.70.186.8 through 166.70.186.15), you can specify ipaddr as 166.70.186.8:255.255.255.248 or 166.70.186.8/29. So, the complete rule would be one of the following:

allow bubba 166.70.186.8:255.255.255.248
allow bubba 166.70.186.8/29
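As an added example (not code from the manual or from WU-FTPD), the rule semantics just described can be checked before the file goes into production. The code below parses /etc/ftphosts-style rules with all three address forms from the text (a single IP, addr:netmask and CIDR) and answers whether a given user may log in from a given address. It assumes the documented behaviour that an allow rule restricts the named user to the listed addresses, that a deny rule always refuses the listed addresses for that user (so deny wins when both match), that ftp and anonymous are the same user, and that a user named in no rule is not restricted by this file at all (that is what /etc/ftpusers is for). The rule text and addresses are constructed for the example.

```python
import ipaddress


def parse_address(text):
    """One ftphosts address: a single IP, addr:netmask, or CIDR, returned as
    an ipaddress network (a bare address becomes a /32)."""
    if ":" in text:
        addr, mask = text.split(":", 1)
        text = "%s/%s" % (addr, mask)
    return ipaddress.ip_network(text, strict=False)


def parse_ftphosts(text):
    """Return a list of (allow|deny, username, [networks]) in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("allow", "deny"):
            raise ValueError("bad ftphosts rule: %r" % line)
        user = "anonymous" if parts[1] == "ftp" else parts[1]   # ftp == anonymous
        rules.append((parts[0], user, [parse_address(a) for a in parts[2:]]))
    return rules


def login_permitted(rules, username, source_ip):
    """ftphosts semantics as documented: a deny rule for the user refuses the
    listed addresses; if the user has any allow rule, only the listed
    addresses may log in; a user named in no rule is not restricted here."""
    ip = ipaddress.ip_address(source_ip)
    user = "anonymous" if username == "ftp" else username
    mine = [r for r in rules if r[1] == user]
    if any(kind == "deny" and any(ip in n for n in nets) for kind, _, nets in mine):
        return False
    allowed = [n for kind, _, nets in mine if kind == "allow" for n in nets]
    if allowed:
        return any(ip in n for n in allowed)
    return True


# Constructed sample /etc/ftphosts for this example.
FTPHOSTS = """\
# who     user       addresses
allow     bubba      166.70.186.8/29
allow     kwall      192.168.0.1 192.168.0.2
deny      kwall      192.168.0.2          # deny wins over allow
deny      anonymous  10.0.0.0/8
"""

if __name__ == "__main__":
    rules = parse_ftphosts(FTPHOSTS)
    for user, ip in (("bubba", "166.70.186.12"), ("bubba", "166.70.186.16"),
                     ("kwall", "192.168.0.1"), ("kwall", "192.168.0.2"),
                     ("ftp", "10.2.3.4"), ("anonymous", "203.0.113.9")):
        print(user, ip, login_permitted(rules, user, ip))
```

The last assertion in the test shows the limit of this file: root is not named in it, so ftphosts alone does nothing to keep root out; that is why root stays in /etc/ftpusers.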


Configuring ftpd
By far the most important (and largest) ftpd configuration file is /etc/ftpaccess. The configuration directives in this file enable you to exercise fine-grained control over ftpd's behavior. To organize the discussion of /etc/ftpaccess, its configuration directives are divided into groups of related functionality. These groups include access control and permissions, messages, logging, and WU-FTPD features.

Configuring WU-FTPD Access Control and Permissions
The first group of configuration statements, listed in the following table, controls overall access to the FTP server and establishes limits on what can be done, and how, once users have logged in to the FTP server.

WU-FTPD Access Control Directives

allow-gid [%]gid
    Permits the group with GID gid to access the FTP server; gid may be a single group name, a single numeric GID, or a range of GIDs (numeric values must be prefixed with %).
allow-uid [%]uid
    Permits the user with UID uid to access the FTP server; uid may be a single user name, a single numeric UID, or a range of UIDs (numeric values must be prefixed with %).
anonymous-root rootdir [class]
    Identifies rootdir as the chrooted directory for anonymous FTP for class (all classes if class is omitted).
chmod yes|no type
    Enables or disables users of type (one or more of real, guest, anonymous, or class=class) to change file modes (the default is yes for all users except anonymous).
class class type addr
    Defines a class of type users named class with source addresses addr; type is one or more of real, guest, or anonymous; addr may be a single IP or a range of addresses specified with address:netmask or address/netmask notation.
defaultserver allow username
    Enables access to anonymous FTP for one or more usernames.
defaultserver deny username
    Disables access to anonymous FTP for one or more usernames.
defaultserver private
    Disables access to anonymous FTP.
delete yes|no type
    Enables or disables users of type (one or more of real, guest, anonymous, or class=class) to delete files (the default is yes for all users except anonymous).
deny addr file
    Denies access to the FTP server to connections from addr and displays the message in file; addr may be a single IP, a range of addresses specified with address:netmask or address/netmask notation, or !nameserved to indicate sites lacking a working nameserver.
deny-gid [%]gid
    Denies the group with GID gid access to the FTP server; gid may be a single group name, a single numeric GID, or a range of GIDs (numeric values must be prefixed with %).
deny-uid [%]uid
    Denies the user with UID uid access to the FTP server; uid may be a single user name, a single numeric UID, or a range of UIDs (numeric values must be prefixed with %).
dns refuse_mismatch file [override]
    Displays the contents of file and denies access (unless override is specified) to the FTP server if forward and reverse DNS lookups do not match.
dns refuse_no_reverse file [override]
    Displays the contents of file and denies access (unless override is specified) to the FTP server if the connection fails a reverse DNS lookup.
limit class n times file
    Limits the number of connections from class users to n during the times times, displaying the message in file if the limit has been exceeded.
loginfails n
    Permits n failed login attempts before closing the connection (default is 5).
overwrite yes|no type
    Enables or disables users of type (one or more of real, guest, anonymous, or class=class) to overwrite files (the default is yes for all users except anonymous).
passwd-check none|trivial|rfc822 (enforce|warn)
    Specifies the type of password checking used with anonymous FTP and whether the policy is strictly enforced (enforce) or only a warning is issued (warn); none disables password checking, trivial requires an @ in the password, and rfc822 requires an RFC 822-compliant address.
rename yes|no type
    Enables or disables users of type (one or more of real, guest, anonymous, or class=class) to rename files (the default is yes for all users except anonymous).
timeout accept secs
    Server times out after waiting secs seconds (default is 120) to establish an incoming connection.
timeout connect secs
    Server times out after waiting secs seconds (default is 120) to establish an outgoing connection.
timeout data secs
    Server times out after waiting secs seconds (default is 1200) for activity on the data connection.
timeout idle secs
    Server times out after waiting secs seconds (default is 900) for another command.
timeout RFC931 secs
    Server times out after waiting secs seconds (default is 1200) to complete user identification using the RFC 931 IDENT protocol.
umask yes|no type
    Enables or disables users of type (one or more of real, guest, anonymous, or class=class) to execute the umask command (the default is yes for all users except anonymous).

As stated earlier, the stock FTP configuration created when you install the WU-FTPD and anonftp packages is only a starting point that can and should be improved before opening your server up to the world. Consider, for example, the following listing, an excerpt from the standard Red Hat Linux /etc/ftpaccess file (with comments removed) showing the access control directives it uses. After analyzing the existing access control configuration, I suggest some additional directives to add to the stock configuration.

Listing: Access Control in the Standard /etc/ftpaccess File

deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp
class all real,guest,anonymous *
loginfails 5
chmod no guest,anonymous
delete no anonymous
overwrite no anonymous
rename no anonymous
passwd-check rfc822 warn

The first two statements prevent any system user or group account (%-99) and any account with a UID or GID greater than or equal to 65534 (%65534-) from logging in to the FTP server. Note the use of % to prefix the numeric values and how a range of values is denoted. Using the deny-uid and deny-gid directives in /etc/ftpaccess has the same effect as placing account names in /etc/ftpusers, and is actually more flexible than /etc/ftpusers. In fact, using /etc/ftpusers is deprecated, although still supported, so it is best to use /etc/ftpaccess. After denying access to system accounts, the ftp user and group account is specifically enabled using allow-uid and allow-gid. This method illustrates a solid general approach to controlling FTP access: disable access across the board using deny-uid and deny-gid, then selectively enable access using allow-uid and allow-gid. A key caveat, however, is that you cannot use the deny-uid and deny-gid directives to disable anonymous FTP access. Instead, you have to use the defaultserver private directive.

The loginfails directive allows five failed login attempts (mistyped passwords) before disconnecting the user. The next four directives deny the anonymous FTP user permission to change file modes, delete files, overwrite files, or rename files. The chmod directive also prevents a guest account from using chmod. Although the default for the anonymous user is no, specifically including this information in /etc/ftpaccess makes ftpd's configuration clearer, especially to newer administrators who might not be familiar with the default values. The final directive, passwd-check rfc822 warn, requires the anonymous FTP user to use a standard e-mail address as the password. If it does not match, ftpd displays a warning message before permitting the login.

To improve access control, first change passwd-check to passwd-check rfc822 enforce. It might seem harsh to disconnect someone due to a typing mistake, and it might also seem foolish to enforce compliance because passwd-check validates only the form, not the content, of the supplied e-mail address, but it sets a tone from the very start that lets users know you take security seriously. You can improve the FTP server's access control further by adding the directives in the following list to /etc/ftpaccess:

deny !nameserved no-dns.msg
dns refuse_mismatch dns-mismatch.msg
dns refuse_no_reverse dns-no-reverse.msg
limit all 10 Any too-many-users.msg
umask no anonymous

The first three directives deny access to connections without a valid nameserver, to connections for which forward and reverse lookups do not match, and to connections for which a reverse lookup fails. The primary concern is to strengthen the audit trail and to prevent connections that deliberately hide information. Of course, accidentally misconfigured systems also fail to connect, so the message files can make this clear and recommend fixing the problem. Obviously, the names of all the message files are up to you. The limit directive uses the all class (which consists, in this case, of all FTP users) to set an upper limit of ten simultaneous FTP sessions. You can modify this number, of course, but the point is to set some kind of connection limit so that your system does not become bogged down due to excessive network traffic or download activity. The time specification Any enforces the limit at all times every day. Finally, the umask directive further limits the activity of the anonymous FTP account. Its absence from the default configuration is probably a simple oversight.
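The following script is an added example, not part of this manual or of WU-FTPD: it parses an /etc/ftpaccess file and reports which of the access control recommendations above (the deny-uid/deny-gid ranges, allow-uid ftp, passwd-check rfc822 enforce, the dns and deny !nameserved checks, a limit, and no chmod/delete/overwrite/rename/umask for anonymous) are missing. The stock and hardened configurations are the listings from the text, embedded as constructed input.

```python
"""Audit an /etc/ftpaccess file for the hardening directives discussed above.

Added example, not from the manual. Directive names and argument forms follow
the reference table earlier in this section.
"""
import re

# yes|no directives that the text says should be "no" for the anonymous user.
ANON_DENIALS = ("chmod", "delete", "overwrite", "rename", "umask")


def parse_ftpaccess(text):
    """Return a list of (directive, [args]) tuples, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def anonymous_denied(args):
    """True when a yes|no type directive disables the anonymous class.

    The type list may be written 'guest,anonymous' or 'guest, anonymous'.
    """
    if not args or args[0].lower() != "no":
        return False
    types = re.split(r"[,\s]+", " ".join(args[1:]).lower())
    return "anonymous" in types


def audit_ftpaccess(text):
    """Return a sorted list of findings; an empty list means every check passed."""
    entries = parse_ftpaccess(text)
    names = {d for d, _ in entries}
    findings = []

    if "deny-uid" not in names or "deny-gid" not in names:
        findings.append("missing deny-uid/deny-gid: system accounts can log in")
    if not any(d == "allow-uid" and a[:1] == ["ftp"] for d, a in entries):
        findings.append("missing allow-uid ftp after the deny-uid range")

    checks = [a for d, a in entries if d == "passwd-check"]
    if not checks or checks[-1][:2] != ["rfc822", "enforce"]:
        findings.append("passwd-check is not 'rfc822 enforce'")

    dns_modes = {a[0].lower() for d, a in entries if d == "dns" and a}
    for mode in ("refuse_mismatch", "refuse_no_reverse"):
        if mode not in dns_modes:
            findings.append("missing dns %s" % mode)
    if not any(d == "deny" and a and a[0] == "!nameserved" for d, a in entries):
        findings.append("missing deny !nameserved")

    if "limit" not in names:
        findings.append("no limit directive: unbounded simultaneous sessions")

    for directive in ANON_DENIALS:
        if not any(d == directive and anonymous_denied(a) for d, a in entries):
            findings.append("%s not disabled for anonymous" % directive)

    return sorted(findings)


# Constructed sample: the stock Red Hat access control listing from the text.
STOCK = """\
deny-uid %-99 %65534-
deny-gid %-99 %65534-
allow-uid ftp
allow-gid ftp
class all real,guest,anonymous *
loginfails 5
chmod no guest,anonymous
delete no anonymous
overwrite no anonymous
rename no anonymous
passwd-check rfc822 warn
"""

# Constructed sample: the same file with the suggested changes applied.
HARDENED = STOCK.replace("rfc822 warn", "rfc822 enforce") + """\
deny !nameserved no-dns.msg
dns refuse_mismatch dns-mismatch.msg
dns refuse_no_reverse dns-no-reverse.msg
limit all 10 Any too-many-users.msg
umask no anonymous
"""

if __name__ == "__main__":
    for label, cfg in (("stock", STOCK), ("hardened", HARDENED)):
        print(label, audit_ftpaccess(cfg) or "ok")
```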

Maintaining the Server

WU-FTPD includes a number of commands for monitoring and administering the server, including ftpwho, ftpcount, ckconfig, xferstats, ftpshut, and ftprestart. ftpwho and ftpcount provide a snapshot of users currently logged in to the FTP server and how many users in each class, as defined using the class directive in /etc/ftpaccess, are logged in. Neither command accepts any options (except -V, which displays version information), so they are very simple to use. The output from ftpwho should resemble the following, depending on usage of the FTP server:

# ftpwho
3959 SN 0:00 ftpd: h1.none.com: anonymous/[email protected]
3959 SN 0:00 ftpd: localhost: kwall: IDLE
3959 SN 0:00 ftpd: h2.none.com: anonymous/kwall@: LIST
- 3 users (10 maximum)

Each line of output shows the PID of the ftpd instance serving the login, the terminal, if any, on which ftpd (not the login session) is running, the status of the ftpd process, the CPU time the ftpd instance has consumed, and the host name of the originating connection. The last field shows the user name and connection status if the login is a real user, or the word anonymous and the given password of the anonymous FTP user. In the example shown, ftpwho shows three connected users. The first line shows an anonymous login from h1.none.com using the password (e-mail address) [email protected]. The third line also shows an anonymous login, but instead of the complete password, it shows the command (LIST) that the server is currently running in that session. The second line shows that the user kwall has logged in to the FTP server from the server's own host (localhost) and that the connection is currently idle. The ftpcount command shown in the following example merely displays a breakdown of current FTP server usage by class:

# ftpcount
Service class all - 3 users (10 maximum)

You can obtain the same total count using ftpwho, so, unless you need the per-class counts, stick with ftpwho.

ckconfig performs a simple sanity check on ftpd's configuration files, making sure they all exist in the path(s) defined at compile time. Unfortunately, however, it verifies only the existence of the files, not their content, and displays some spurious error messages. For example, here is ckconfig's output after building and installing the latest WU-FTPD release:

# /usr/local/sbin/ckconfig
Checking _PATH_FTPUSERS :: /etc/ftpusers
I can't find it... look in doc/examples for an example.
Checking _PATH_FTPSERVERS :: /etc/ftpservers
I can't find it... look in doc/examples for an example.
Checking _PATH_FTPACCESS :: /etc/ftpaccess
Ok.
Checking _PATH_PIDNAMES :: /etc/ftp.pids-%s
Ok.
Checking _PATH_CVT :: /etc/ftpconversions
Ok.
Checking _PATH_XFERLOG :: /var/log/xferlog
Ok.
Checking _PATH_PRIVATE :: /etc/ftpgroups
Ok.
Checking _PATH_FTPHOSTS :: /etc/ftphosts
Ok.

As the output shows, ckconfig complained that it could not find /etc/ftpusers and /etc/ftpservers. These two error messages are red herrings, though. In the first place, the absence of /etc/ftpusers is acceptable because, as you learned in the previous section, it has been deprecated in favor of the deny-uid, deny-gid, allow-uid and allow-gid directives in /etc/ftpaccess. The missing /etc/ftpservers file is an issue only if the FTP server must support virtual FTP servers, a requirement typically limited to ISPs.

The xferstats program is a Perl script that slices and dices ftpd's transfer log and then displays a very nicely formatted report summarizing file transfers over a given period of time. Its complete syntax is:

xferstats [-adhr] [-f file] [-D domain] [-l depth] [-s section]

Invoked with no options, xferstats displays a report for the entire period of time covered in the transfer log, for the anonymous user. The report includes summary information on daily transfer volumes, total transfers by directory (xferstats peculiarly calls directories archive sections), and hourly transfer statistics. -f file tells xferstats to read the transfer log in file rather than the default log, /var/log/xferlog. -D domain limits the resulting report to the domain specified by domain. -s section specifies a section named section on which to report. -l depth defines how deeply into the directory tree (sections) xferstats should recurse as it compiles and displays the report (the default level of detail is three subdirectories). -a, the default, includes transfer statistics for the anonymous FTP account, and -r includes statistics for real user accounts. -h, also a default, adds hourly statistics to the report. Use -d if you want to see transfers by domain name.

The following listing shows the output from a bare xferstats command, which is equivalent to xferstats -a -h.

Listing: An xferstats Report for the Anonymous FTP Account

# xferstats
TOTALS FOR SUMMARY PERIOD Tue Nov 27 2003 TO Wed Nov 28 2003

Files Transmitted During Summary Period             8
Bytes Transmitted During Summary Period      23751600
Systems Using Archives                              2

Average Files Transmitted Daily                     8
Average Bytes Transmitted Daily              23751600

Daily Transmission Statistics

                 Number Of   Number Of    Average      Percent Of  Percent Of
     Date        Files Sent  Bytes Sent   Xmit Rate    Files Sent  Bytes Sent
---------------  ----------  -----------  -----------  ----------  ----------
Wed Nov 28 2003           8     23571600  2968.9 KB/s      100.00      100.00

Total Transfers from each Archive Section (By bytes)

                                               ---- Percent Of ----
Archive Section        Files Sent  Bytes Sent  Files Sent  Bytes Sent
---------------------  ----------  ----------  ----------  ----------
/var/ftp/pub                    8    23751600      100.00      100.00

Hourly Transmission Statistics

       Number Of   Number Of    Average      Percent Of  Percent Of
Time   Files Sent  Bytes Sent   Xmit Rate    Files Sent  Bytes Sent
-----  ----------  ----------   -----------  ----------  ----------
14              8    23571600   2968.9 KB/s      100.00      100.00

After the summary transfer data at the top of the report, such as the total number of files transferred and the number of unique connections to the FTP server, the report is broken into three sections for daily download statistics, downloads per directory, and downloads distributed by hour. Keep in mind that these statistics are for the anonymous FTP user only. To see the report for other users, use the -r option. In order to create a report for all users, combine the -r and -a options (that is, execute the command xferstats -ar).

The last two commands you look at in this lesson are ftpshut and ftprestart. ftpshut performs an orderly shutdown of the FTP server, and ftprestart, as the name suggests, restarts it. An orderly shutdown means providing advance notification of a pending server halt and preventing new users from logging in as the scheduled shutdown time approaches. ftpshut satisfies all these requirements, as its syntax, shown next, makes clear.

ftpshut [-l min] [-d min] time [message]

message defines the shutdown notification message users see when they log in to the server. -l min disables new logins to the FTP server min minutes (the default is 10 minutes) before the scheduled shutdown. -d min disconnects currently logged in users min minutes (the default is 5 minutes) before the scheduled shutdown. time specifies the time when the FTP server will close. It can be the word now, +min, or HHMM. now results in an immediate shutdown, +min sets the shutdown time min minutes in the future, and HHMM sets the shutdown time to the 24-hour time HHMM. For example, if time is +30, the server will close 30 minutes from now. If time is 1930, the server will shut down at 19:30, or 7:30 p.m.

Strengthening FTP Security

FTP is insecure. While some FTP server daemons have better security records (or at least better public security records) than others, the protocol itself, the underlying design, is inherently flawed, resulting in significant exposure to security attacks. The final section of the lesson highlights (or reiterates) potential FTP security problems and offers suggestions for eliminating or reducing the risk.

Understanding and mitigating the risks

The FTP protocol's primary shortcoming is that the server and the client exchange authentication information as clear, unencrypted text. Indeed, all communication between FTP server and FTP clients takes place using unencrypted text, which is easily captured and displayed using a packet sniffer such as tcpdump. So, allowing real users to access a host using FTP exposes their login passwords to ne'er-do-wells. Because FTP transmits authentication information as clear text, system accounts, such as root, are routinely denied access to a system via FTP. So, the first suggestion to reduce FTP security risks is to deny real users FTP access to the server; that is, permit only anonymous FTP.

One of the biggest criticisms of WU-FTPD is its poor security record. Every few months, it seems, a new exploit, or potential exploit, is discovered in it. Unless you are prepared to audit the code yourself to identify possible security problems and then to write and apply patches that address those flaws, the only way to reduce the risk of running WU-FTPD is to use a different server package that has a better security record. That said, the suggested modifications and additions to the /etc/ftpaccess configuration file will result in tighter security on the server. On a related note, bear in mind that WU-FTPD's ftpd daemon runs as a system account, that is, using a privileged user ID, so it is frequently a target of attacks designed to exploit its root privileges.

Perhaps you should not run an FTP server at all. Each service your system provides represents another potential point of attack and compromise. If you do run an FTP server exposed to the Internet and if resources permit, run it on a dedicated machine on which no other services (Web, e-mail and so forth) are running and which has limited access to and from the internal network. In fact, some sites place the FTP server outside their firewall, hiding the internal network from the Internet. Providing a dedicated host limits the number of attack and compromise opportunities and permits you to close all ports and disable all programs not related to FTP services. If the FTP server is compromised, limiting access to and from the internal network prevents the cracker from sniffing packets containing passwords or other sensitive information that might increase the ability to compromise the internal network, and also gives crackers fewer access paths into the internal network. All of these benefits are considerably enhanced if the FTP server is placed outside of the firewall. Administration becomes a bit more difficult, but the added difficulty is a small price to pay for increasing and maintaining the security of your network.

Reconfiguring the System Log

In addition to WU-FTPD's internal logging capabilities described in the section titled "Configuring WU-FTPD logging", you can modify the system logger, syslogd, to provide more information, a modification that will facilitate timely identification of security problems related to the FTP server. The process is as follows:

1. Modify the system logger. As root, edit the file /etc/syslogd.conf and add the following line:

ftp.*    /var/log/ftp.log

You can use spaces or tabs to separate the fields. This entry redirects all messages ftpd sends to the system logger (you must use the log syslog+xferlog directive in /etc/ftpaccess for this method to work) to /var/log/ftp.log. To reduce duplication and clutter in the main system log, /var/log/messages, you might want to modify the line in /etc/syslogd.conf that reads:

*.info;mail.none;news.none;authpriv.none;cron.none    /var/log/messages

so that it reads:

*.info;mail.none;news.none;authpriv.none;cron.none;ftp.none    /var/log/messages

Adding ftp.none at the end of the first field prevents the system logger from writing any log messages ftpd creates to /var/log/messages. These entries may wrap onto two lines in the text, but appear as a single line in the configuration file.

2. Restart the system logger. Execute the command /etc/rc.d/init.d/syslog restart. If the output you see resembles the following, the changes are in place:

Shutting down kernel logger :    [ OK ]
Shutting down system logger :    [ OK ]
Starting system logger :         [ OK ]
Starting kernel logger :         [ OK ]

3. Modify the log rotation scheme to include the new FTP log file by adding the following lines to the end of /etc/logrotate.d/syslogd:

/var/log/ftp.log {
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2>/dev/null` 2>/dev/null || true
    endscript
}

This entry enables the logrotate program to rotate the new log file in the same manner as other syslogd-related files.

4. Run the following script, monftp.sh, using cron:

#!/bin/sh
# monftp.sh
# mail the current day's FTP log to root
LOGDATE=$(date +'%b %e')
LOGFILE="/var/log/ftp.log"
SUBJECT="FTP Log for $LOGDATE"
grep "^$LOGDATE" "$LOGFILE" | mail -s "$SUBJECT" root

monftp.sh uses grep to extract the current day's entries from /var/log/ftp.log and pipes the output to the mail program, which sends it to root. A suggested crontab entry for monftp.sh is:

59 23 * * * /path/to/monftp.sh

This entry executes monftp.sh each day at 23:59 (1 minute before midnight). /path/to/monftp.sh must contain the complete specification in order for cron to find the script.

The following listing illustrates what the contents of /var/log/ftp.log look like, if you use the suggested /etc/ftpaccess configuration file shown earlier. Essentially, it is an almost complete transcript of an FTP session, from the daemon's perspective. Each log entry begins with the date, time, hostname, program name (ftpd) and the PID of the process making the entry, followed by a colon, a space and the message.

Jul 14 13:43:52 h1 ftpd[1577]: USER kwall
Jul 14 13:44:00 h1 ftpd[1577]: PASS secretword
Jul 14 13:44:00 h1 ftpd[1577]: FTP LOGIN FROM h2.none.com [192.168.0.2]
Jul 14 13:44:05 h1 ftpd[1577]: PORT
Jul 14 13:44:05 h1 ftpd[1577]: NLST
Jul 14 13:44:11 h1 ftpd[1577]: QUIT
Jul 14 13:44:11 h1 ftpd[1577]: FTP session closed
Jul 14 13:44:16 h1 ftpd[1578]: USER ftp
Jul 14 13:44:22 h1 ftpd[1578]: PASS [email protected]
Jul 14 13:44:22 h1 ftpd[1578]: ANONYMOUS FTP LOGIN FROM h2.none.com [192.168.0.2], [email protected]
Jul 14 13:44:34 h1 ftpd[1578]: CWD pub
Jul 14 13:44:35 h1 ftpd[1578]: PORT
Jul 14 13:44:35 h1 ftpd[1578]: NLST
Jul 14 13:45:42 h1 ftpd[1578]: TYPE image
Jul 14 13:45:48 h1 ftpd[1578]: PORT
Jul 14 13:45:48 h1 ftpd[1578]: STOR badfile
Jul 14 13:45:48 h1 ftpd[1578]: anonymous ([email protected]) of h2.none.com [192.168.0.2] tried to upload /var/ftp/pub/badfile (upload denied)
Jul 14 13:45:53 h1 ftpd[1578]: QUIT
Jul 14 13:45:53 h1 ftpd[1578]: FTP session closed
Jul 14 13:46:50 h1 ftpd[1579]: FTP LOGIN REFUSED (username in denied-uid) FROM h2.none.com [192.168.0.2], root
Jul 14 13:47:07 h1 ftpd[1579]: FTP session closed

Each message indicates the FTP command (CWD, PORT, STOR) or another action executed, the arguments to that command, or error messages. Note, however, that the real user's password (PASS secretword) is recorded in clear text. For this reason, /var/log/ftp.log must be readable by the root user only (which is the default). As you can see, using the system logger as described here gives you detailed information about the FTP server's activity.

Monitoring the Server

In addition to the detailed logging described in the previous section, you should also use the ftpcount or ftpwho commands, described earlier in this lesson, to find out who is logged in and what they are doing. Of the two, ftpwho provides better information and is easily scripted. Take advantage of the report the xferstats command creates. Although it provides only summary information, if you review it regularly, it is easy to identify file transfer statistics that deviate from your server's normal usage patterns. When such a deviation occurs, you can drill down into the detailed log information provided in /var/log/ftp.log to identify exactly what the deviation is and whether or not it represents a security issue.

Finally, you should carefully review file uploads (if you allow them) by using the upload notifications created using the incmail, mailfrom, and mailserver directives in /etc/ftpaccess. Security attacks, particularly attempts to compromise the root account, called rooting the box, often begin with such an upload.
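The daily mail from monftp.sh is easier to act on when the interesting events are pulled out of the session transcript. The script below is an added example, not part of the manual: it parses /var/log/ftp.log lines in the format shown above and summarises refused logins, denied uploads, anonymous logins with the e-mail given as password, and the PASS lines that carry clear-text passwords. The log lines are constructed to match the listing, with the e-mail address replaced by a made-up one.

```python
"""Summarise the security-relevant events in a WU-FTPD syslog transcript.

Added example, not from the manual. Message formats are taken from the
/var/log/ftp.log listing in the text (log syslog+xferlog in effect).
"""
import re
from collections import Counter

# Constructed sample modelled on the listing in the text.
SAMPLE_LOG = """\
Jul 14 13:43:52 h1 ftpd[1577]: USER kwall
Jul 14 13:44:00 h1 ftpd[1577]: PASS secretword
Jul 14 13:44:00 h1 ftpd[1577]: FTP LOGIN FROM h2.none.com [192.168.0.2]
Jul 14 13:44:11 h1 ftpd[1577]: FTP session closed
Jul 14 13:44:16 h1 ftpd[1578]: USER ftp
Jul 14 13:44:22 h1 ftpd[1578]: ANONYMOUS FTP LOGIN FROM h2.none.com [192.168.0.2], kwall@example.com
Jul 14 13:45:48 h1 ftpd[1578]: STOR badfile
Jul 14 13:45:48 h1 ftpd[1578]: anonymous (kwall@example.com) of h2.none.com [192.168.0.2] tried to upload /var/ftp/pub/badfile (upload denied)
Jul 14 13:45:53 h1 ftpd[1578]: FTP session closed
Jul 14 13:46:50 h1 ftpd[1579]: FTP LOGIN REFUSED (username in denied-uid) FROM h2.none.com [192.168.0.2], root
Jul 14 13:47:07 h1 ftpd[1579]: FTP session closed
"""

# "Mon dd hh:mm:ss host ftpd[pid]: message"
ENTRY = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ftpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
REFUSED = re.compile(
    r"FTP LOGIN REFUSED \((?P<reason>[^)]*)\) FROM (?P<src>\S+) \[(?P<ip>[^\]]+)\], (?P<user>\S+)"
)
UPLOAD = re.compile(
    r"of (?P<src>\S+) \[(?P<ip>[^\]]+)\] tried to upload (?P<path>\S+) \(upload denied\)"
)
ANON = re.compile(r"ANONYMOUS FTP LOGIN FROM (?P<src>\S+) \[(?P<ip>[^\]]+)\], (?P<email>\S+)")


def parse_entries(text):
    """Yield (timestamp, pid, message) for every well-formed ftpd line."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group("ts"), int(m.group("pid")), m.group("msg")


def summarise(text):
    """Return a dict of the events an administrator reviewing the log wants to see."""
    report = {"refused": [], "denied_uploads": [], "anonymous": [],
              "commands": Counter(), "sessions": set(), "pass_lines": 0}
    for ts, pid, msg in parse_entries(text):
        report["sessions"].add(pid)          # one ftpd PID per session
        m = REFUSED.search(msg)
        if m:
            report["refused"].append((ts, m["ip"], m["user"], m["reason"]))
            continue
        m = UPLOAD.search(msg)
        if m:
            report["denied_uploads"].append((ts, m["ip"], m["path"]))
            continue
        m = ANON.search(msg)
        if m:
            report["anonymous"].append((ts, m["ip"], m["email"]))
            continue
        if msg.startswith("PASS "):
            report["pass_lines"] += 1        # clear-text password in the log
        verb = msg.split()[0]
        if verb.isupper() and verb != "FTP":  # FTP commands: USER, PASS, STOR, ...
            report["commands"][verb] += 1
    return report


def refused_by_ip(text):
    """Count refused logins per source address; spikes here merit a closer look."""
    return Counter(ip for _, ip, _, _ in summarise(text)["refused"])


if __name__ == "__main__":
    r = summarise(SAMPLE_LOG)
    print("sessions:", len(r["sessions"]))
    print("refused logins:", r["refused"])
    print("denied uploads:", r["denied_uploads"])
    print("anonymous logins:", r["anonymous"])
    print("clear-text PASS lines:", r["pass_lines"])
    print("refused per IP:", dict(refused_by_ip(SAMPLE_LOG)))
```

Point the script at the lines monftp.sh extracts (or at the whole file) and the same counters work for any day's transcript.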

FTP Server Configuration

[Figure: Pictorial View of the FTP server and client. Linux2 is the ftp client, holding files p1, p2 and p3 under /etc/iit; Linux6 is the ftp server, holding files g1, g2, g3 and d1, d2, d3 under a test directory in the user's home. 1. mget: to get files from the server to the client. 2. mput: to put files to the server from the client. 3. mdel: to delete files on the server.]

Step-by-step FTP Server Configuration

Server Side

1. RPM Required

# rpm -qa | grep ftp

2. # cd /etc/xinetd.d

3. # vi wu-ftpd

disable = yes => no
:x

4. # service xinetd restart

Setting Up Directories in the Server:

Creating a user and setting a password

# adduser faisal
# passwd faisal

Making files under a directory in the user's home directory

# cd /home/faisal
# mkdir ftptest
# cd ftptest
# touch g1 g2 g3 d1 d2 d3
# cd /

Giving Full permission

# chmod 777 /home/faisal/ftptest/

Client Side

Setting Up Directories in the Client:

# cd /etc
# mkdir iit
# cd /etc/iit
# touch p1 p2 p3
# chmod 777 /etc/iit/

Running the ftp client:

# ftp 192.168.110.6 ( IP of the FTP server )

name : faisal
password : *******

ftp > pwd → /home/faisal (7.1) → (Server)
           / (8.0) → (Server)
ftp > ls -la → g1 g2 g3 d1 d2 d3 → (Server)
ftp > !ls -la → p1 p2 p3 → (Client)

# ftp 192.168.110.5

ftp > lcd → /etc/iit ( the path of the current [client] directory from where the ftp command executes )
ftp > cd testftp6 → (Accessing Server files)

To download a file from the server:
ftp > mget g1 g2 g3

To delete a file on the server:
ftp > mdel d1 d2 d3

To upload a file to the server:
ftp > mput p1 p2 p3

Restriction On FTP User

Server Side

# cd /etc
# vi ftpusers
rony
:x

Now rony can't ftp to the Linux server from any PC.

Anonymous FTP

Client Side

name : anonymous
password : [email protected] OR just ENTER
ftp >

In anonymous ftp we can only get files; we can't put or delete files.

To Quit From FTP Prompt: ftp > bye

CHAPTER-TEN NFS

Network File System

NFS Overview

NFS, the Network File System, is the most common method for providing file sharing services on Linux and Unix networks. It is a distributed file system that enables local access to remote disks and file systems. Indeed, in a properly designed and implemented NFS environment, NFS's operation is totally transparent to clients using remote file systems. NFS is also a popular file sharing protocol, so NFS clients are available for many non-Unix operating systems, including the various Windows versions, MacOS, VAX/VMS, and MVS.

Understanding NFS

NFS uses a standard client/server architecture. The server portion consists of the physical disks containing shared file systems and several daemons that make the shared file systems (or entire disks, for that matter) visible to and available for use by client systems on the network. This process is normally referred to as exporting a file system. Server daemons also provide for file locking and, optionally, quota management on NFS exports. NFS clients simply mount the exported file systems, colloquially but accurately called NFS mounts, on their local system just as they would mount file systems on local disks. The possible uses of NFS are quite varied. For example, many sites store users' home directories on a central server and use NFS to mount the home directory when users log in or boot their systems. Of course, in this case, the exported directories must be mounted as /home/username on the local (client) systems, but the export itself can be stored anywhere on the NFS server, say, /exports/users/username. Another common scheme is to export public data or project-specific files from an NFS server and to enable clients to mount these remote file systems anywhere they see fit on the local system. The following figure illustrates both of these examples:


The network shown in the above figure shows that all the client systems (pear, mango and so forth) mount their home directories from an NFS server named diskbeast. On diskbeast, the exported file systems are stored in the /exports/homes directory (/exports/homes/u1, /exports/homes/u2, and so on). When users log in to any given system, their home directory is automatically mounted on /home/username on the system. So, if the user u1 logs in on pear, /exports/homes/u1 is mounted on pear’s file system as /home/u1 (often written in host:/mount/point format, for example, pear:/home/u1). Of course, logging in on two systems this way is potentially dangerous because changes to files in the exported file system made from one login session may affect the behavior of the other, but it is also very convenient, in other situations, for such changes to be immediately visible.

The above figure also shows that three users, u5, u6, and u7, mount a project-specific file system, /proj, also exported from diskbeast, in various locations on their local file systems, kiwi:/work/proj, lime:/projects, and peach:/home/work. NFS is also used to provide diskless clients, such as X terminals or the slave nodes in a cluster, with their entire file system, including the kernel image and other boot files. Although the examples mentioned illustrate typical NFS usage, NFS can be used in almost any situation requiring transparent local access to remote file systems. In fact, you can use NFS and NIS together to create a highly centralized network environment that makes it easier to administer the network, add and delete user accounts, protect and back up key data and file systems, and give users a uniform, consistent view of the network regardless of where they log in.

NFS Advantages

Clearly, the biggest advantage NFS provides is centralized administration. It is much easier, for example, to back up a file system stored on a server (such as the /home file system) than it is to back up /home directories scattered throughout the network, on systems that are geographically dispersed, and that might or might not be accessible when the backup is made. Similarly, NFS, especially when used with NIS, makes it trivially simple to update key configuration files, provide access to shared disk space, or limit access to sensitive data. NFS can also conserve disk space and prevent duplication of resources because file systems that change infrequently or that are usually read-only, such as /usr, can be exported as read-only NFS mounts. Likewise, upgrading an application employed by users throughout a network simply becomes a matter of installing the new application and changing the exported file system to point at the new application. End users also benefit from NFS. When NFS is combined with NIS, users can log in from any system, even remotely, and still have access to their home directories and see a uniform view of shared data. Users can protect important or sensitive data or information that would be impossible or time consuming to recreate by storing it on an NFS mounted file system that is regularly backed up.

NFS Disadvantages

NFS has its shortcomings, of course, primarily in terms of performance and security. As a distributed, network-based file system, NFS is sensitive to network congestion. Heavy network traffic slows down NFS performance. Similarly, heavy disk activity on the NFS server adversely affects NFS's performance. In both cases, NFS clients seem to be running slowly because disk reads and writes take longer. If an exported file system is not available when a client attempts to mount it, the client system hangs, although this can be mitigated using a specific mount option. An exported file system also represents a single point of failure. If the disk or system exporting vital data or applications becomes unavailable for any reason (say, due to a disk crash or server failure), no one can access that resource.

NFS has security problems because its design assumes a trusted network, not a hostile environment in which systems are constantly being probed and attacked. The primary weakness is that the NFS protocol is based on RPC, remote procedure calls, which are one of the most common targets of exploit attempts. As a result, sensitive information should never be exported from or mounted on systems exposed to the Internet, that is, one that is on or outside the firewall. Indeed, security experts generally recommend that NFS not be used across the Internet under any circumstances. Even inside a firewall, providing all users access to all files might pose greater risks than user convenience and administrative simplicity justify. Care must be taken when exporting directories or file systems to limit access to the appropriate users and also to limit what those users are permitted to do with the data. NFS also has quirks that pose potential security risks. For example, when the root user on a client system mounts an NFS export, you do not want root on the client to have root privileges on the exported file system. By default, NFS prevents this, a procedure called root squashing, but a careless administrator might override it.
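The two cautions just given, restrict who may mount an export and never let a client's root keep root privileges, can be checked mechanically. The script below is an added example, not part of this manual: it assumes the standard Linux /etc/exports syntax (a path followed by host(option,...) entries, where a missing host means every host) and flags exports open to wildcard hosts, writable by wildcard hosts, or carrying no_root_squash. The exports for diskbeast's /exports/homes and /proj are constructed input modelled on the figure.

```python
"""Audit /etc/exports lines for the NFS risks discussed above.

Added example, not from the manual. Assumes the standard Linux /etc/exports
format: "path  host(opt,opt) host2(opt)"; an entry with no host applies to
all hosts, and root_squash is the default unless no_root_squash is given.
"""
import re

# One client field: optional host pattern, optional "(opt,opt,...)" suffix.
CLIENT = re.compile(r"^(?P<host>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return [(path, [(host, {options}), ...]), ...]; a missing host becomes '*'."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], []
        for field in fields[1:] or ["*"]:    # bare path: exported to everyone
            m = CLIENT.match(field)
            host = m["host"] or "*"
            opts = set(filter(None, (m["opts"] or "").split(",")))
            clients.append((host, opts))
        exports.append((path, clients))
    return exports


def is_wildcard_host(host):
    """True for '*' and '*.domain' patterns, which do not name a fixed client set."""
    return host.startswith("*")


def audit_exports(text):
    """Return a sorted list of (path, host, problem) tuples; empty means clean."""
    problems = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            if is_wildcard_host(host):
                problems.append((path, host, "wildcard host pattern"))
                if "rw" in opts:
                    problems.append((path, host, "writable by wildcard host"))
            if "no_root_squash" in opts:
                problems.append((path, host, "root squashing disabled"))
    return sorted(problems)


# Constructed sample: diskbeast's exports written the careless way.
WEAK = """\
/exports/homes  *(rw,no_root_squash)
/proj           *.example.com(rw)
/usr            (ro)
"""

# Constructed sample: the same exports limited to the named clients in the
# figure, with root squashing left in force (stated explicitly for /exports/homes).
CORRECTED = """\
/exports/homes  pear(rw,root_squash) mango(rw,root_squash)
/proj           kiwi(rw) lime(rw) peach(rw)
/usr            pear(ro) mango(ro)
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("corrected", CORRECTED)):
        print(label)
        for path, host, problem in audit_exports(cfg) or [("-", "-", "ok")]:
            print("  %-16s %-16s %s" % (path, host, problem))
```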

Configuring an NFS Server Configuring an NFS server

ost important because it ensuresadminister. The implementation is remarkably straightforward. This sectconf ration n issues to keep in mind, id

ds you use to implement, maintain, and monitor the NFS server, and illustrates the cal NFS configuration.

Ov rview of Server Configuration

Although the breakdown is somewhat artificial because NFS server configuration is uncomplicated, you can divide server configuration into four steps:

• Design • Implementation • Test• Monitoring

Designing the server consists of deciding what file systems to export to which users and selecting a ing convention and mounting scheme that maintains network transparency. With the design in place, ementation is a matter of configuring the exports and starting the appropriate daemons. Testing,

sly, makes sure that the npo ntial performance bottlenecks. Monitoring, finally, extends the testing process: you need to ensure that exported file system continue to be available and that heavy usage or a poorly conceived export scheme

s not adversely affect overall performance.

Designing an NFS Server A suggested a moment ago, designing a useful NFS server involves:

• Selecting the file systems to export. • Choosing which users (or hosts) are permitted to mount the exported file systems • Selecting a naming convention and mounting scheme that maintains network transparency and

ease of use. • Configuring the server and client systems to follow the convention.

Alas, there are few general rules to guide the design process, though, because NFS imposes little iction beyond what file systems can be exported and because the design of the underlying network, the ber and type of servers and clients, and the needs of each site vary. That said, here are some

sug estions for designing an NFS server and its exports that ease administrative overhead and reduce user con usion:

Good candidates for NFS exports include any file system that is shared among a large number of users, such as /usr/share, the mail spool (/var/mail), an

Page 137: Manual of Linux Networking

128

data used by many users on the network. File system that are relatively static, such as /usr, are also good candidates for NFS exports because there is no need to replicate the same static data and binaries across multiple machines.

• Use /home/username to mount home directories. This is one of the most fundamental directory idioms in the Unix/Linux world, so disregarding it not only antagonizes users but also breaks a lot of software that presumes user home directories live in /home. Of course, on the server, you have more leeway as to where to store home directories, but see the next suggestion.
• Use the same path names on the server and on clients. That is, if an exported file system is named /opt/mysql on the server, it should be mounted as /opt/mysql on the client. This convention not only facilitates transparent access to shared file systems, it also makes it easier to track down problems on the server because you do not have to remember the mapping from an exported file system to a mounted file system.
• Few networks are static, particularly network file systems, and so design NFS servers with growth in mind. For example, avoid the temptation to drop all third-party software on a single exported file system because, over time, the file system grows to the point that it needs to be subdivided, leading to administrative headaches when client mounts must be updated to reflect a new set of exports.
• Similarly, overall disk and network performance improves if exported file systems are distributed across multiple servers rather than concentrated on a single server. If using multiple servers is not possible, at least try to situate NFS exports on separate physical devices and/or on separate disk controllers. Doing so reduces disk I/O contention.

When identifying the file systems to export, keep in mind the following three rules that restrict how file systems can be exported:

o You can export only local file systems and their subdirectories. To express this restriction in another way, you cannot export a file system that is itself already an NFS mount. For example, if a system named diskbeast mounts /home from a server named homebeast, diskbeast cannot re-export /home. Clients wishing to mount /home from homebeast must do so directly.
o A subdirectory of an exported file system cannot be exported unless the subdirectory resides on a different physical disk than its parent. For example, suppose diskbeast, an NFS server, has the following entry in its /etc/fstab:

/dev/sda1 /usr/local ext3 defaults 1 2

If you export /usr/local, you cannot also export /usr/local/devtools because /usr/local/devtools is on the same disk as /usr/local. If, however, diskbeast's /etc/fstab showed the following disk configuration:

/dev/sda1 /usr/local ext3 defaults 1 2
/dev/sdb1 /usr/local/devtools ext3 defaults 1 2

you could export both /usr/local and /usr/local/devtools because they reside on different physical disks.
o Conversely, the parent directory of an exported subdirectory cannot be exported unless the parent directory resides on a different physical disk. That is, if you export /usr/local/devtools, you cannot also export /usr/local unless /usr/local is on a different disk device than /usr/local/devtools. This rule just extends the logic of Rule 2 in the opposite direction.

Rules 2 and 3 describe the kernel NFS server of the era this lesson covers. Current nfs-utils releases accept nested exports of directories on the same file system (each still needs its own /etc/exports entry), so do not count on the server refusing such a configuration as a safety check.

Key Files, Commands, and Daemons

This subsection discusses the key files, commands, and daemons that make up an NFS server. On most Linux systems these files and programs include the following:

• Configuration and status files
o /etc/exports
o /var/lib/nfs/rmtab
o /var/lib/nfs/xtab
o /etc/hosts.allow
o /etc/hosts.deny
• Daemons
o portmap
o rpc.mountd
o rpc.nfsd
o rpc.statd
o rpc.lockd
o rpc.rquotad
• Scripts and commands
o /etc/rc.d/init.d/nfs
o nfsstat
o showmount
o rpcinfo
o exportfs

NFS Server Configuration and Status Files

The server configuration file is /etc/exports, which contains a list of file systems to export, the clients permitted to mount them, and the export options that apply to client mounts. Each line in /etc/exports has the following format:

dir host(options) [host(options)] …

where dir is a directory or file system to export, host specifies one or more hosts permitted to mount dir, and options specifies one or more export options. host can be specified as a single name, as an NIS netgroup, as a group of hosts using the form address/netmask, or as a group of hosts using the wildcard characters ? and *. Multiple host(options) entries are accepted, which enables you to specify different export options depending on the host or hosts mounting the directory. The options attach to the host immediately before them, with no space between the host and the opening parenthesis: a line such as /dir somehost (rw) exports /dir to somehost with the default options and, because the parenthesised group stands alone, to every host read-write.

When specified as a single name, host can be any name that DNS or the resolver library can resolve to an IP address. If host is an NIS netgroup, it is specified as @groupname. A group of hosts is specified as a network or subnet; in this case the netmask can be specified in dotted quad format (/255.255.252.0, for example) or as a mask length (such as /22). You may also specify host using the wildcards * and ?, subject to the caveat that * and ? do not match the dots in a hostname, so that *.kurtwerks.com matches all hosts in the kurtwerks.com domain, but not, for example, hosts in the subdomain guru.kurtwerks.com. (Later nfs-utils releases reversed this: check exports(5) on your server, because where the wildcards do match dots, *.kurtwerks.com also admits every subdomain.) Consider the following sample /etc/exports file:

/usr/local *.kurtwerks.com(ro)
/home 192.168.0.0/255.255.255.0(rw)
/projects @dev(rw)
/var/tmp 192.168.0.1(rw)

The first line permits all hosts with a name of the form somehost.kurtwerks.com to mount /usr/local. The second line permits any host with an IP address in the range 192.168.0.0 to 192.168.0.255 to mount /home. The third line permits any member of the NIS netgroup named dev to mount /projects. The final line permits only the host whose IP address is 192.168.0.1 to mount /var/tmp.

The export options determine the characteristics of the exported file system. The following table lists valid values for options; the defaults are marked as such.

/etc/exports Export Options

Option Description
secure Requires client requests to originate from a secure (privileged) port, that is, one numbered less than 1024 (default)
insecure Permits client requests to originate from unprivileged ports (those numbered 1024 and higher)
ro Exports the file system read-only, disabling any operation that changes the file system (default)
rw Exports the file system read-write, permitting operations that change the file system
async Allows the server to cache disk writes to improve performance (default in this release)
sync Forces the server to perform a disk write before the request is considered complete
subtree_check If only part of a file system, such as a subdirectory, is exported, subtree checking makes sure that file requests apply to files in the exported portion of the file system (default in this release)
no_subtree_check Disables subtree_check
wdelay Allows the server to delay a disk write if it believes another related disk write may be requested soon or if one is in progress, improving overall performance (default)
no_wdelay Disables wdelay (must be used with the sync option)
root_squash Maps all requests from a UID or GID of 0 to the UID or GID, respectively, of the anonymous user (-2 in Red Hat Linux) (default)
no_root_squash Disables root_squash
all_squash Maps all requests from all UIDs or GIDs to the UID or GID, respectively, of the anonymous user
no_all_squash Disables all_squash (default)
anonuid=uid Sets the UID of the anonymous account to uid
anongid=gid Sets the GID of the anonymous account to gid

The defaults shown are those of the nfs-utils release this lesson was written for. Later releases default to sync and to no_subtree_check (and warn when neither sync nor async is given), so state every option you rely on explicitly rather than trusting the defaults. Note also what secure does and does not buy you: a source port below 1024 only shows that the requester is root on the client, or on any machine able to spoof that client's address; it is not authentication of the client or the user.

The various squash options, and the anonuid and anongid options, bear additional explanation. root_squash prevents the root user on an NFS client from having root privileges on an NFS mount. The Linux security model ordinarily grants root full access to the file system on a host. However, in an NFS environment, exported file systems are shared resources and are properly "owned" by the root user of the NFS server, not by the root users of the client systems that mount them. The root_squash option preserves the Linux security model by re-mapping the root UID and GID (0) to that of a less privileged user, -2. The no_root_squash option disables this behavior, but should not be used because doing so poses significant security risks. Consider the implications, for example, of letting a client system have root access to the file system containing sensitive payroll information.

The all_squash option has a similar effect to root_squash, except that it applies to all users, not just the root user. The default is no_all_squash, however, because most users that access files on NFS exported file systems are already merely mortal users, that is, their UIDs and GIDs are unprivileged, so they do not have the power of the root account. Use the anonuid and anongid options to specify the UID and GID of the anonymous user. The default UID and GID of the anonymous user is -2 (65534 when expressed unsigned, the nfsnobody account), which should be adequate in most cases.

subtree_check and no_subtree_check also deserve some elaboration. When a file system subdirectory is exported but its parent directory is not, the NFS server must verify that the accessed file resides in the exported portion of the file system, a check that is programmatically nontrivial. To facilitate this verification, called a subtree check, the server stores file location information in the file handle given to clients when they request a file. In most cases, this is not a problem, but it can be (potentially) troublesome if a client is accessing a file that is renamed or moved while the file is open, because renaming or moving the file invalidates the location information stored in the file handle. Disabling the subtree check using no_subtree_check avoids the problem and has the beneficial side effect of improving performance, especially on exported file systems that are highly dynamic, such as /home.

Unfortunately, disabling subtree checking also poses a security risk. The subtree check routine ensures that files inside directories to which only root has access can be reached only if the file system is exported with no_root_squash, even if the file itself permits more general access; without the check, a client that has obtained a file handle (or guessed one) is not stopped by the permissions of the directories above the file. Here is a modified version of the /etc/exports file presented earlier:

/usr/local *.kurtwerks.com(ro,secure)
/home 192.168.0.0/255.255.255.0(rw,secure,no_subtree_check)
/projects @dev(rw,secure,anonuid=600,anongid=600,sync,no_wdelay)
/var/tmp 192.168.0.1(rw,insecure,no_subtree_check)

The hosts have not changed, but additional export options have been added. For example, /usr/local is exported read-only (ro) because it does not change, but the other three file systems are exported in read-write (rw) mode. /usr/local, /home and /projects can be accessed only from clients using secure ports (the secure option), but the server accepts requests destined for /var/tmp from any port because the insecure option is specified. For /projects, the anonymous user is mapped to UID and GID 600, as indicated by the anonuid=600 and anongid=600 options. Note, however, that because /projects is not exported with all_squash, the remapping applies only to requests arriving with UID or GID 0 (root squashing); ordinary users' UIDs and GIDs pass through unchanged, and only members of the NIS netgroup dev are permitted to mount /projects in the first place. /home and /var/tmp are exported using the no_subtree_check option because they see a high volume of changes. The sync and no_wdelay options disable write caching and delayed writes to the /projects file system, presumably because the impact of data loss would be significant in the event the server crashes. However, forcing disk syncs in this manner also imposes a performance penalty because the kernel's normal disk caching and buffering heuristics cannot be applied.

Two additional files store status information about NFS exports, /var/lib/nfs/rmtab and /var/lib/nfs/xtab. Each time the rpc.mountd daemon, which services mount requests for exported file systems, receives a mount request, it adds an entry to /var/lib/nfs/rmtab. Conversely, when mountd receives a request to unmount an exported file system, it removes the corresponding entry from /var/lib/nfs/rmtab. The following short listing shows the contents of /var/lib/nfs/rmtab on an NFS server that exports /home in read-write mode and /usr/local in read-only mode. In this case, the host with IP address 192.168.0.2 has mounted both exports:

$ cat /var/lib/nfs/rmtab
192.168.0.2:/home:0x00000002
192.168.0.2:/usr/local:0x00000001

Fields in rmtab are colon-delimited, so it has three fields: the host, the exported file system, and a hexadecimal value. That value is a reference count that mountd increments for every mount of the same export from that host; it does not encode the export options. Because mountd only learns about explicit mount and unmount requests (a client that crashes or reboots never sends an unmount), rmtab is at best advisory and should not be read as a list of who currently has access. Read the effective export options from /var/lib/nfs/xtab instead. That file, maintained by the exportfs command explored in the subsection NFS Server Scripts and Commands, contains the current table of exported file systems. The following listing shows the contents of /var/lib/nfs/xtab on the system I used for testing this lesson's examples:

$ cat /var/lib/nfs/xtab
/usr/local 192.168.0.2(ro,async,wdelay,hide,secure,root_squash,no_all_squash,subtree_check,secure_locks,mapping=identity,anonuid=-2,anongid=-2)
/home 192.168.0.2(rw,async,wdelay,hide,secure,root_squash,no_all_squash,subtree_check,secure_locks,mapping=identity,anonuid=-2,anongid=-2)
/tmp/foo 192.168.0.2(ro,async,wdelay,hide,secure,root_squash,no_all_squash,subtree_check,secure_locks,mapping=identity,anonuid=-2,anongid=-2)

As you can see in the listing, the format of the xtab file mirrors that of /etc/exports, except that xtab lists the default values for options not specified in /etc/exports in addition to the options specifically listed.

The last two configuration files to discuss, /etc/hosts.allow and /etc/hosts.deny, are not properly part of an NFS server because you can configure an NFS server without them and the server functions perfectly. However, using the access control features of these files helps enhance both the overall security of the server and the security of the NFS subsystem. They are part of the TCP Wrappers package.

First, add the following entries to /etc/hosts.deny:

portmap: ALL
lockd: ALL
mountd: ALL
rquotad: ALL
statd: ALL

These entries deny access to NFS services to all hosts not explicitly permitted access in /etc/hosts.allow. Accordingly, the next step is to add entries to /etc/hosts.allow to permit access to NFS services to specific hosts. Entries in /etc/hosts.allow take the form:

daemon: host_list [host_list]

daemon is a daemon such as portmap or lockd, and host_list is a list of one or more hosts specified as host names, IP addresses, IP address patterns using wildcards, or address/netmask pairs. For example, the following entry permits access to the portmap daemon to all hosts in the kurtwerks.com domain:

portmap: .kurtwerks.com

The next entry permits access to all hosts on the subnetworks 192.168.0.0 and 192.168.1.0:

portmap: 192.168.0. 192.168.1.

You need to add entries for each host or host group permitted NFS access for each of the five daemons listed in /etc/hosts.deny. So, for example, to permit access to all hosts in the kurtwerks.com domain, add the following entries to /etc/hosts.allow:

portmap: .kurtwerks.com
lockd: .kurtwerks.com
mountd: .kurtwerks.com
rquotad: .kurtwerks.com
statd: .kurtwerks.com

Note that, unlike the syntax of /etc/exports, a name of the form .domain.dom matches all hosts, including hosts in subdomains like .subdom.domain.dom.

Two caveats apply to this layer. First, only the user-space daemons (portmap, mountd, statd, rquotad) consult hosts.allow and hosts.deny; nfsd, the data path on port 2049, runs in the kernel and never looks at them, so these files restrict who can discover and mount exports, not who can talk to nfsd once a file handle is known. Treat them as one layer alongside the host lists in /etc/exports and a packet filter on ports 111 and 2049, never as a replacement. Second, name-based entries such as .kurtwerks.com are only as trustworthy as the reverse DNS of the connecting address, which an attacker controlling that address may be able to influence; prefer address and address/netmask forms where you can.
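The two access-control layers just described, the host and option lists in /etc/exports and the TCP Wrappers files, are easy to get subtly wrong, so here is an added example (not part of the original manual) of a small POSIX shell audit for both. audit_exports reports entries exported to every host, writable by every host, exported with no_root_squash or insecure, and option groups separated from their host by a space; audit_wrappers reports, for the five daemons the lesson lists, those without a default deny, and allow entries that open a daemon to ALL. The sample files are constructed inline for the example, and the daemon list, finding names and function names are this example's own choices.

```shell
#!/bin/sh
# Added example: audit NFS access controls in /etc/exports and TCP Wrappers.
# The sample files written below are constructed for this example only.

# The five RPC daemons the lesson lists in /etc/hosts.deny.
NFS_WRAPPED_DAEMONS="portmap lockd mountd rquotad statd"

write_sample_exports() {            # constructed /etc/exports with deliberate mistakes
    cat > "$1" <<'EOF'
# constructed sample, not a real server's file
/usr/local *.kurtwerks.com(ro,secure)
/home 192.168.0.0/255.255.255.0(rw,secure,no_subtree_check)
/projects @dev(rw,secure,anonuid=600,anongid=600,sync,no_wdelay)
/var/tmp 192.168.0.1(rw,insecure,no_subtree_check)
/scratch *(rw,no_root_squash)
/backup 192.168.0.7 (rw)
EOF
}

write_sample_wrappers() {           # constructed hosts.deny ($1) and hosts.allow ($2)
    printf 'portmap: ALL\nmountd: ALL\nstatd: ALL\n' > "$1"
    printf 'portmap: .kurtwerks.com\nmountd: ALL\n' > "$2"
}

# audit_exports FILE: print one line "dir host finding" per risky host entry.
audit_exports() {
    sed 's/#.*//' "$1" | awk '
    NF == 0 { next }
    {
        dir = $1
        if (NF == 1) { print dir, "*", "exported-to-every-host"; next }
        for (i = 2; i <= NF; i++) {
            tok = $i; host = tok; opts = ""
            p = index(tok, "(")
            if (p > 0) { host = substr(tok, 1, p - 1); opts = substr(tok, p + 1, length(tok) - p - 1) }
            # "(rw)" standing alone after a space is a second entry that matches every host
            if (host == "") { host = "*"; print dir, host, "options-detached-from-host" }
            ro = 0; n = split(opts, o, ",")
            for (j = 1; j <= n; j++) {
                if (o[j] == "ro") ro = 1
                if (o[j] == "no_root_squash") print dir, host, "no_root_squash"
                if (o[j] == "insecure") print dir, host, "insecure"
            }
            if (host == "*" && !ro) print dir, host, "writable-by-every-host"
        }
    }'
}

# audit_wrappers DENY_FILE ALLOW_FILE: daemons with no default deny, and allow entries
# that admit ALL. A blanket "ALL: ALL" in hosts.deny covers every daemon.
audit_wrappers() {
    if ! grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$1"; then
        for d in $NFS_WRAPPED_DAEMONS; do
            grep -Eq "^[[:space:]]*$d[[:space:]]*:[[:space:]]*ALL" "$1" || echo "$d no-default-deny"
        done
    fi
    grep -E '^[[:space:]]*[A-Za-z_.]+[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)' "$2" | while read -r line; do
        echo "${line%%:*} allow-ALL"
    done
}

# Typical use on a live server (not run here):
#   audit_exports /etc/exports; audit_wrappers /etc/hosts.deny /etc/hosts.allow
```

On the constructed sample the exports audit flags /var/tmp (insecure), /scratch (no_root_squash and writable by every host) and /backup (the detached "(rw)" group, which exports it read-write to the world), and the wrappers audit reports lockd and rquotad as lacking a default deny and mountd as opened to ALL. Run it against the real files after every change to either layer; an export that was added with exportfs -o and never written to /etc/exports will not appear, so audit /var/lib/nfs/xtab with the same function when in doubt.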

NFS Server Daemons

Providing NFS services requires the services of six daemons: /sbin/portmap, /usr/sbin/rpc.mountd, /usr/sbin/rpc.nfsd, /sbin/rpc.statd, /sbin/rpc.lockd, and, if necessary, /usr/sbin/rpc.rquotad. They are generally referred to as portmap, mountd, nfsd, statd, lockd, and rquotad, respectively. The following table describes each daemon's function.

Daemon Function
portmap Enables NFS clients to discover the NFS services available on a given server
mountd Processes NFS clients' mount requests
nfsd Provides all NFS services except file locking and quota management
statd Implements NFS lock recovery when an NFS server system crashes
lockd Starts the kernel's NFS lock manager
rquotad Provides file system quota information for NFS exports to NFS clients using file system quotas

The NFS daemons should be started in the following order to work properly:

1. portmap
2. nfsd
3. mountd
4. statd
5. rquotad (if necessary)

Notice that the list omits lockd. nfsd starts it on an as-needed basis, so you should rarely, if ever, need to invoke it manually. Fortunately, the Red Hat Linux initialization script for NFS, /etc/rc.d/init.d/nfs, takes care of starting up the NFS server daemons for you. Nevertheless, you might one day find it helpful to know the proper order in which to start the daemons. By default, the startup script starts eight copies of nfsd in order to enable the server to process multiple requests simultaneously. To change this value, make a backup copy of /etc/rc.d/init.d/nfs, edit the script, and change the line that reads

RPCNFSDCOUNT=8

Change the value from 8 to one that suits you. Busy servers with many active connections might benefit from doubling or tripling this number. (On later Red Hat releases the script reads RPCNFSDCOUNT from /etc/sysconfig/nfs; set it there so the change survives a package upgrade.) If file system quotas for exported file systems have not been enabled on the NFS server, it is unnecessary to start the quota manager, rquotad, but be aware that the Red Hat initialization script starts rquotad whether quotas have been enabled or not.

NFS Server Scripts and Commands

Starting and maintaining an NFS server requires surprisingly few commands. Three initialization scripts start the required daemons: /etc/rc.d/init.d/portmap, /etc/rc.d/init.d/nfs, and /etc/rc.d/init.d/nfslock. The exportfs command enables you to manipulate the list of current exports on the fly without needing to edit /etc/exports. The showmount command provides information about clients and the file systems they have mounted. The nfsstat command displays detailed information about the status of the NFS subsystem.

The portmap script starts the portmap daemon, frequently referred to as the portmapper, needed by all programs that use RPC, such as NIS and NFS. The Red Hat Linux boot process starts the portmapper automatically, so you rarely need to worry about it, but it is good to know the script exists. Like most startup scripts, it requires a single argument, either start, stop, restart, or status. As you can probably guess, the start and stop arguments start and stop the portmapper, restart restarts it, and status indicates whether or not the portmapper is running, showing its PID if it is.

The primary NFS startup script is /etc/rc.d/init.d/nfs. Like the portmapper script, it requires a single argument: start, stop, status, restart or reload. The start and stop arguments start and stop the NFS server, respectively. The restart argument stops and starts the server processes in a single command and should be used after changing the contents of /etc/exports. However, it is not necessary to reinitialize the NFS subsystem by bouncing the server daemons in this way. Rather, you can use the script's reload argument, which causes exportfs, discussed shortly, to reread /etc/exports and to re-export the file systems listed there. Both restart and reload also update the time stamp on the NFS lock file used by the initialization script, /var/lock/subsys/nfs. The status argument displays the PIDs of the mountd, nfsd, and rquotad daemons. For example:

$ /etc/rc.d/init.d/nfs status
rpc.mountd (pid 4358) is running...
nfsd (pid 1241 1240 1239 1238 1235 1234 1233 1232) is running...
rpc.rquotad (pid 1221) is running...

The output of the command confirms that the three daemons are running and shows the PIDs for each instance of each daemon. All users are permitted to invoke the NFS initialization script with the status argument, but all the other arguments (start, stop, restart, and reload) do require root privileges.

NFS services also require the file locking daemons lockd and statd. As noted earlier, nfsd starts lockd itself, but you still must start statd separately. Red Hat Linux includes an initialization script for this purpose, /etc/rc.d/init.d/nfslock. It accepts almost the same arguments as /etc/rc.d/init.d/nfs, with the exception of the reload argument (because statd does not require a configuration file). Thus, if you ever need to start the NFS server manually, the proper invocation sequence is to start the portmapper first, followed by NFS, followed by the NFS lock manager, that is:

/etc/rc.d/init.d/portmap start
/etc/rc.d/init.d/nfs start
/etc/rc.d/init.d/nfslock start

Conversely, to shut down the server, reverse the start procedure:

/etc/rc.d/init.d/nfslock stop
/etc/rc.d/init.d/nfs stop
/etc/rc.d/init.d/portmap stop

Because other programs and servers may require the portmapper's service, I suggest you let it run unless you drop the system to run level 1 to perform maintenance.

You can also find out what NFS daemons are running using the rpcinfo command with the -p option. rpcinfo is a general purpose program that displays information about programs that use the RPC protocol, of which NFS is one. The -p option queries the portmapper and displays a list of all registered RPC programs. The following listing shows the output of rpcinfo -p on a fairly quiescent NFS server:

$ rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100011    1   udp    974  rquotad
    100011    2   udp    974  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100021    1   udp   1031  nlockmgr
    100021    3   udp   1031  nlockmgr
    100021    4   udp   1031  nlockmgr
    100005    1   udp   1055  mountd

    100005    1   tcp   1297  mountd
    100005    2   udp   1055  mountd
    100005    2   tcp   1297  mountd
    100005    3   udp   1055  mountd
    100005    3   tcp   1297  mountd

rpcinfo's output shows the RPC program's ID number, its version number, the network protocol it is using, the port number it is using, and an alias name for the program number. The program number and name (first and fifth columns) are taken from the file /etc/rpc, which maps program numbers to program names and also lists aliases for program names. At a bare minimum, to have a functioning NFS server, rpcinfo should list entries for portmapper, nfs, and mountd. Note that rpcinfo -p host performs the same query against a remote portmapper, so this listing, including whichever port mountd happens to be on, is available to anyone who can reach port 111; that is why the portmapper appears in /etc/hosts.deny and why a packet filter should cover port 111 as well as 2049.

The exportfs command enables you to manipulate the list of available exports, in some cases without editing /etc/exports. It also maintains the list of currently exported file systems in /var/lib/nfs/xtab and the kernel's internal table of exported file systems. In fact, the NFS initialization script discussed earlier in this subsection uses exportfs extensively. For example, exportfs -a initializes the xtab file, synchronizing it with the contents of /etc/exports. To add a new export to xtab and to the kernel's internal table of NFS exports without editing /etc/exports, use the following syntax:

exportfs -o exp_opts host:directory

exp_opts, host, and directory use the same syntax as that described for /etc/exports earlier. Consider the following:

# exportfs -o async,rw 192.168.0.3:/var/tmp

This command exports /var/tmp with the async and rw options to the host whose IP address is 192.168.0.3. This invocation is exactly equivalent to the following entry in /etc/exports:

/var/tmp 192.168.0.3(async,rw)

Keep in mind that an export added this way lives only in xtab and the kernel table: it disappears at the next exportfs -r (which the init script's reload runs) or reboot, and, conversely, a test export you forget to remove stays in effect until then even though /etc/exports never mentions it. A bare exportfs call lists all currently exported file systems, and using -v lists currently exported file systems with their export options:

# exportfs -v
/home 192.168.0.*(rw,async,wdelay,root_squash)

To remove an exported file system, use the -u option with exportfs. For example, the following command unexports the /home file system shown in the previous example:

# exportfs -v -u 192.168.0.*:/home
unexporting 192.168.0.*:/home
unexporting 192.168.0.*:/home from kernel

The showmount command queries the mount daemon, mountd, about the status of the NFS server. Its syntax is:

showmount [-adehv] [host]

Invoked with no options, showmount displays a list of all clients that have mounted file systems from the current host. Specify host to query the mount daemon on that host, where host can be a resolvable DNS host name or, as in the following example, an IP address:

# showmount 198.60.22.2
Hosts on 198.60.22.2:
hammer.xmission.com

mammon.xmission.com
news.xmission.com

The following table describes the effect of showmount's options:

Option Description
-a Displays client host names and mounted directories in host:directory format
-d Displays only the directories clients have mounted
-e Displays the NFS server's list of exported file systems
-h Displays a short usage summary
-v Displays showmount's version number
--no-headers Disables the descriptive headings in showmount's output

Because showmount -e and showmount -a answer any host that can reach mountd, the export list and the client list are among the first things an attacker collects from an NFS server; the mountd entry in /etc/hosts.allow described earlier is what narrows that audience.

Configuring an NFS Client

Configuring client systems to mount NFS exports is even simpler than configuring the NFS server itself. This section of the lesson provides a brief overview of client configuration, identifies the key files and commands involved in configuring and mounting NFS exported file systems, and shows you how to configure a client to access the NFS exports configured in the previous section.

Overview of Client Configuration

Configuring a client system to use NFS involves making sure that the portmapper and the NFS file locking daemons statd and lockd are available, adding entries to the client's /etc/fstab for the NFS exports, and mounting the exports using the mount command.

Key Files and Commands

From an NFS client's perspective, NFS exported file systems are functionally equivalent to local file systems. Thus, as you might expect, you use the mount command at the command line to mount NFS exports on the fly, just as you would a local file system. Similarly, to mount NFS exports at boot time, you should add entries to the file system mount table, /etc/fstab. As a networked file system, NFS is sensitive to network conditions, so the mount command supports special options that address NFS's sensitivities and peculiarities. The following table lists the most important of these. For a complete list and discussion of all NFS-specific options, see the NFS manual page (man nfs).

NFS-Specific Mount Options

Option Description
rsize=n Sets the NFS read buffer size to n bytes (the default is 4096)
wsize=n Sets the NFS write buffer size to n bytes (the default is 4096)
timeo=n Sets the RPC transmission timeout to n tenths of a second (the default is 7). Especially useful with the soft mount option
retry=n Sets the time to retry a mount operation before giving up to n minutes (the default is 10,000)
port=n Sets the NFS server port to which to connect to n (the default is 2049)
mountport=n Sets the mountd server port to connect to n (no default)
mounthost=name Sets the name of the server running mountd to name
bg Enables mount attempts to run in the background if the first mount attempt times out (disable with nobg)
fg Causes mount attempts to run in the foreground if the first mount attempt times out, the default behavior (disable with nofg)
soft Allows an NFS file operation to fail and terminate (disable with nosoft)
hard Enables failed NFS file operations to continue retrying after reporting "server not responding" on the system, the default behavior (disable with nohard)

intr Allows signals (such as Ctrl+C) to interrupt a failed NFS file operation if the file system is mounted with the hard option (disable with nointr). Has

no effect unless the hard option is also specified or if soft or nohard is specified

tcp Mount the NFS file system using the TCP protocol (disable with notcp) udp Mount the NFS file system using the UDP protocol, the default behavior

(disable with noudp) lock Enables NFS locking and starts the statd and lockd daemons (disable with

nolock) The most commonly used and useful NFS-specific mount options are rsize=8192, wsize=8192, hard, intr, and nolock. Increasing the default size of the NFS read and write buffers improves NFS’s performance. The suggested value is 8192 bytes, but you might find that you get better performance with

rger or sm so improve performance because it eliminates the cking over NFS. If an NFS file operation

…a smaller value. The nolock option can also reduce the overhead of file locking calls, but not all servers support file locking. If a mount fails, you can use a keyboard interrupt, usually Ctrl+C, to interrupt the operation if the exported file system was mounted with both the intr and hard options. This prevents NFS clients from hanging.

To communicate with an NFS server, an NFS client needs the portmap daemon to process and route RPC calls and returns from the server to the appropriate port and programs. Accordingly, make sure the portmapper is running on the client system using the portmap initialization script, /etc/rc.d/init.d/portmap.

In order to use NFS file locking, both an NFS server and any NFS clients need to run statd and lockd. As explained in the previous section, the simplest way to accomplish this is to use the initialization script, /etc/rc.d/init.d/nfslock. Presumably, you have already started nfslock on the server system, so all that remains is to start it on the client system.

Once you have configured the mount table and started the requisite daemons, all that remains is to mount the file systems. During the initial configuration and testing, it is easiest to mount and unmount NFS exports at the command line. For example, to mount /home from the server configured at the end of the previous section, execute the following command as root:

# mount –t nfs luther:/home /home

You can, if you wish, specify client mount options using mount's –o option, as shown in the following example:

# mount –t nfs luther:/home /home -o rsize=8292,wsize=8192,hard,intr,nolock

Alternatively, you can use \ to escape an embedded newline in the command:

# mount –t nfs luther:/home /home \
-o rsize=8292,wsize=8192,hard,intr,nolock

After satisfying yourself that the configuration works properly, you probably want to mount the exports at boot time. Fortunately, Red Hat Linux makes this easy because the initialization script /etc/rc.d/init.d/netfs, which runs at boot time, mounts all networked file systems automatically, including NFS file systems. It does this by parsing /etc/fstab looking for file systems of type nfs and mounting those file systems.


NFS Configuration

1. RPM Required

# rpm –qa | grep nfs

2. Step-by-step nfs Server Configuration

# cd /etc
# vi exports → blank file
/mkt linux2(rw)
/soft *(ro)
/prod linux3(ro)
:x

# mkdir /mkt /soft /prod
# chmod –R 777 /prod /mkt /soft

ro → read only, rw → read write

Fig: NFS lab layout. Linux2, Linux3, Linux4 and the NFS server Linux6 are connected by a switch; Linux6 exports /mkt (m1 m2 m3), /soft (s1 s2 s3) and /prod (p1 p2 p3).


# service nfs stop
# service nfs start

Client Side: To know about the shared directory of the nfs server, i.e. linux6:

# showmount –e linux6
(command / export list of / hostname of the nfs server)

To share the files with the server:

# mount linux6:/soft /mnt
(command / hostname of the NFS server / shared directory of the NFS server / mount point)

# cd /mnt
# ls -la

Now we can see the following:

s1 s2 s3
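An export such as "/soft *(ro)" can be mounted by any host, and an export without no_root_squash still maps client root to nobody. The following auditor, added here and not part of the manual, parses /etc/exports lines in the manual's form and reports the risky cases; the sample file is constructed.

```python
"""Audit an /etc/exports file for risky sharing, as an added example that is
not part of the manual.  It parses lines in the manual's form
("/mkt linux2(rw)", "/soft *(ro)") and reports exports that any host can
mount, exports writable by everyone, and exports that disable root_squash.
The sample file below is constructed.
"""
import re
from dataclasses import dataclass, field

# NFS option defaults that matter for the audit: exports are read-only and
# root on the client is mapped to nobody unless no_root_squash is given.
DEFAULTS = {"ro": True, "root_squash": True}


@dataclass
class Export:
    path: str
    client: str            # host, wildcard, netgroup or network
    options: dict = field(default_factory=lambda: dict(DEFAULTS))


# one client spec: "linux2(rw)", "*(ro)", "192.168.110.0/24(rw,no_root_squash)"
_CLIENT_RE = re.compile(r"(\S+?)(?:\((.*?)\))?(?=\s|$)")


def parse_exports(text: str) -> list:
    """Return one Export per (path, client) pair; comments/blank lines skipped."""
    result = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        rest = parts[1].strip() if len(parts) > 1 else "*"  # no client = everyone
        for client, opts in _CLIENT_RE.findall(rest):
            exp = Export(path, client)
            for opt in filter(None, opts.split(",")):
                if opt == "rw":
                    exp.options["ro"] = False
                elif opt == "ro":
                    exp.options["ro"] = True
                elif opt == "no_root_squash":
                    exp.options["root_squash"] = False
                elif opt == "root_squash":
                    exp.options["root_squash"] = True
                else:
                    exp.options[opt] = True
            result.append(exp)
    return result


def is_world(client: str) -> bool:
    """True when the client spec matches every host ('*' or no client given)."""
    return client in ("*", "")


def audit_exports(text: str) -> list:
    """Return human-readable findings, one per risky export (empty = clean)."""
    findings = []
    for e in parse_exports(text):
        world, rw = is_world(e.client), not e.options["ro"]
        if world and rw:
            findings.append(f"{e.path}: read-write to any host ({e.client})")
        elif world:
            findings.append(f"{e.path}: readable by any host ({e.client})")
        if not e.options["root_squash"]:
            findings.append(f"{e.path}: no_root_squash for {e.client}")
    return findings


# Constructed sample in the manual's style plus two deliberately risky lines.
SAMPLE_EXPORTS = """\
# exports for the NFS lab
/mkt   linux2(rw)
/soft  *(ro)
/prod  linux3(ro)
/scratch *(rw,no_root_squash)
/home  192.168.110.0/24(rw)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("WARN", finding)
```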


CHAPTER-ELEVEN DNS Server

Domain Name System

DNS Services and Servers:

DNS service on the Linux/Unix platform is provided by BIND. Another important service on UNIX-like platforms is DJB-DNS.

DNS Name Resolution:

DNS services provide us the name resolution service. Name resolution means resolving a name to an IP address and an IP address to a name.

Types of Name Resolution:

Two types of name resolution exist:

• Static name resolution: This depends on the "hosts" file. The UNIX/Linux hosts file is "/etc/hosts", which needs to be configured on each machine.

• Dynamic client / server based name resolution: Here the name resolution server is the DNS server, which requires only DNS server side configuration. To use a DNS server for name resolution, every OS has its DNS server information entry configuration. The UNIX DNS server information file is "/etc/resolv.conf".

Types of BIND Name Server:

• Caching only server: Responds to client queries depending on its local cache information.

• Forwarder DNS server: Forwards client queries to a regular DNS server.

• Regular DNS server: Responds to client queries depending on its zone information and other DNS servers using recursion.

Regular DNS server:

• Primary DNS server
• Slave DNS server: which depends on its primary DNS server.

DNS query Types:

• Simple / Iterative DNS query: Here DNS will respond by reading its own DNS zones. This type of query is unable to respond beyond its zone database.

• Recursive DNS query: Here DNS will check its own zone and ask other DNS servers to resolve a name resolution query.


Log check and Debugging:

BIND uses syslog to display its log information. So check "/var/log/syslog" or "/var/log/message".

DNS process at Linux / UNIX systems:

The main DNS process, BIND, is identified as the "named" service on most UNIX-like systems.

BIND configuration file:

BIND's configuration file, the DNS boot file, is "/etc/named.conf". Its zone information files usually exist at "/var/named".

DNS zone information files type:

DNS has two types of zone information files:

• Forward lookup zone files: Used to respond to name to IP address resolution.
• Reverse lookup zone files: Used to respond to IP address to name resolution.

The forward zone file is "localhost.zone". And the reverse zone file is "named.local".

Three types of local DNS Server:

The master contains all the information about the domain and supplies this information when requested. A master server is listed as an authoritative server when it contains the information you are seeking and it can provide that information.

The slave is intended as a backup in case the master server goes down or is not available. This server contains the same information as the master and provides it when requested if the master server cannot be connected.

A caching server does not provide information to outside sources; it is used to provide domain information to other servers and workstations on the local network. The caching server remembers the domains that have been accessed. Use of a caching server speeds up searches, since the domain information is already stored in memory and the server knows exactly where to go rather than having to send out a request for domain information.

Examining server Configuration files:

You need five files to set up the named server. Three files are required regardless of the configuration as a master, slave or caching-only server, and two files are used on the master server.

The three required files are:

named.conf: Found in the /etc directory. This file contains global properties and sources of configuration files.


named.ca: Found in /var/named. This file contains the names and address of root servers.

named.local: Found in /var/named. This file provides information for resolving the loopback address for the localhost.

The two files required for the master domain server are:

Zone: This file contains the names and the addresses of servers and workstations in the local domain and maps names to the IP addresses.

Reverse Zone: This file provides information to map IP addresses to names.

Fig: Domain Name. welcome.training.iit.org. (compare a file pathname such as /usr/lib/test).

welcome is the hostname. training is the subdomain. iit is the second-level domain purchased by the organization. org is the top-level domain under which this organization registered its second-level domain. The trailing . is the root.

in-addr.arpa is the special top-level domain in which all reverse domains are located.

Fig: DNS QUERY.

A DNS QUERY (Example)

If client B (i.e. linux4) gives the following commands, then what will happen (follow the lecture):

# ping www.iit.org
# ping linux3

Step By Step Primary DNS Server Configuration

1. RPM Required

# rpm –qa | grep bind

(Berkeley Internet Name Domain)

2. Files Required for Configuration

1) /etc/sysconfig/network 2) /etc/resolv.conf 3) /etc/named.conf 4) /var/named/named.ca 5) /var/named/localhost.zone 6) /var/named/named.local

Step-1:
# cd /etc/sysconfig
# vi network
NETWORKING = YES
HOSTNAME = localhost.localdomain → linux10.iit.org (pc name. DNS name. top level domain, for example)
:x
# hostname linux10.iit.org

Step-2:
# cd /etc
# vi resolv.conf
nameserver 192.168.110.10 (IP of the Primary DNS)
search iit.org
:x

Step-3:
# cd /etc
# cp named.conf named.conf.iit
# vi named.conf

zone "." IN {
type hint;
file "named.ca";
};

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

Add the two zones of the domain in the same form: zone "iit.org" with file "iit.org.for" (Forward Zone File, Name to IP) and zone "110.168.192.in-addr.arpa" with file "iit.org.rev" (Reverse Zone File, IP to Name).
:x

Step-4:
# cd /var/named
# cat named.ca | less [just see the file – don't change]

Step-5:
# cd /var/named
# cp localhost.zone iit.org.for
# vi iit.org.for

$TTL 86400
$ORIGIN localhost //this line should be deleted
@ 1D IN SOA @ root ( ---------- replace @ root by linux10.iit.org. root.iit.org. (no need for configuration of the values inside the brackets)
); minimum
1D IN NS @ ---------- replace @ sign by linux10.iit.org.
1D IN A 127.0.0.1 ----- replace it by 192.168.110.10 (ip of DNS server)
linux10 IN A 192.168.110.10 (this line is added)
linux8 IN A 192.168.110.10 (this line is added)
:x

Step-6:
# cd /var/named
# cp named.local iit.org.rev
# vi iit.org.rev

$TTL 86400
@ IN SOA localhost. root.localhost. ( ------ replace it by linux10.iit.org. root.iit.org. (fully qualified names have to be written)
); minimum
IN NS localhost. ------ replace it by linux10.iit.org.
The following lines should be added:
# IP ID IN PTR hostname
1 IN PTR localhost. ------ replace it by linux10.iit.org.
2 IN PTR linux2.iit.org.
. . .
8 IN PTR linux8.iit.org.
:x

Details of Abbreviation:

IN – International; A – Address (Name to Address); SOA – Start of Authority; TTL – Time-to-live; NS – Name Server; PTR – Pointer (Address to name); CNAME – Canonical name; MX – Mail Exchange; M – Minute; H – Hour; D – Day; W – Week

3. To Check the Forward Zone File

# cd /var/named
# /usr/sbin/named-checkzone iit.org iit.org.for

OUTPUT OK

4. To Check the Reverse Zone File

# cd /var/named
# /usr/sbin/named-checkzone 110.168.192.in-addr.arpa iit.org.rev

5. # service named restart

6. DNS Testing Utility

# nslookup –sil ↵
> iit.org ↵
> linux10 ↵
> 192.168.110.10 ↵
> linux10.iit.org ↵
> set type=any ↵
> iit.org ↵

Some Other Information

IP address examples:

CLASS – A → 10.20.30.40
CLASS – B → 172.16.10.20
CLASS – C → 192.168.110.10

NETWORK part:

CLASS – A → 10
CLASS – B → 172.16
CLASS – C → 192.168.110

To be written on the /etc/named.conf file as follows:

CLASS – A   10.in-addr.arpa…
CLASS – B   16.172.in-addr.arpa…
CLASS – C   110.168.192.in-addr.arpa…

HOST part:

CLASS – A → 20.30.40
CLASS – B → 10.20
CLASS – C → 10

To be written on the reverse zone file as follows:

CLASS – A   40.30.20 IN PTR
CLASS – B   20.10 IN PTR
CLASS – C   10 IN PTR
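The classful split above decides both the zone name in /etc/named.conf and the owner label of each PTR record. The following helper, added here and not part of the manual, derives both from an address and also builds the named.conf stanza and a PTR line; the host names it prints are constructed.

```python
"""Classful reverse-DNS naming, as an added example (not from the manual).

Given a dotted-quad IPv4 address, work out which in-addr.arpa zone the
reverse record belongs in and which owner label goes in front of "IN PTR",
following the class A/B/C split the manual tabulates:

  class A  10.20.30.40    -> zone 10.in-addr.arpa          label 40.30.20
  class B  172.16.10.20   -> zone 16.172.in-addr.arpa      label 20.10
  class C  192.168.110.10 -> zone 110.168.192.in-addr.arpa label 10
"""
import ipaddress


def network_octets(ip: str) -> int:
    """Number of leading octets that form the classful network part."""
    first = int(ipaddress.IPv4Address(ip)) >> 24   # also validates the address
    if first < 128:
        return 1   # class A: 0.0.0.0 - 127.255.255.255
    if first < 192:
        return 2   # class B: 128.0.0.0 - 191.255.255.255
    if first < 224:
        return 3   # class C: 192.0.0.0 - 223.255.255.255
    raise ValueError(f"{ip} is not in class A, B or C (multicast/reserved)")


def reverse_zone(ip: str) -> tuple:
    """Return (zone name for named.conf, owner label for the PTR record)."""
    octets = ip.split(".")
    n = network_octets(ip)
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa"
    label = ".".join(reversed(octets[n:]))
    return zone, label


def ptr_record(ip: str, fqdn: str) -> str:
    """One reverse-zone line, e.g. '10 IN PTR linux10.iit.org.'.

    The target must be fully qualified with a trailing dot, as the manual
    stresses; without it named appends the zone origin to the name.
    """
    if not fqdn.endswith("."):
        raise ValueError("PTR target must be a fully qualified name ending in '.'")
    _, label = reverse_zone(ip)
    return f"{label} IN PTR {fqdn}"


def named_conf_zone(ip: str, filename: str) -> str:
    """The reverse zone stanza for /etc/named.conf, in the manual's layout."""
    zone, _ = reverse_zone(ip)
    return (f'zone "{zone}" IN {{\n'
            f"    type master;\n"
            f'    file "{filename}";\n'
            f"    allow-update {{ none; }};\n"
            f"}};")


if __name__ == "__main__":
    # Constructed sample hosts using the manual's lab addressing.
    for ip, name in [("192.168.110.10", "linux10.iit.org."),
                     ("172.16.10.20", "host-b.iit.org."),
                     ("10.20.30.40", "host-a.iit.org.")]:
        zone, _ = reverse_zone(ip)
        print(f"{ip:16} zone {zone:28} {ptr_record(ip, name)}")
    print(named_conf_zone("192.168.110.10", "iit.org.rev"))
```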


Fig: Secondary DNS lab. PRIMARY DNS: Hostname – linux10, domain – iit.org, IP – 192.168.110.10. SECONDARY DNS: Hostname – linux2, domain – iit.org, IP – 192.168.110.2. CLIENT – 1: Hostname – linux3, IP – 192.168.110.3. CLIENT – 2: Hostname – linux5, IP – 192.168.110.5.

Step By Step Secondary DNS Server Configuration

1. RPM Required

# rpm –qa | grep bind

2. # cd /etc/sysconfig
# vi network
NETWORKING = Yes
HOSTNAME = localhost.localdomain → linux2.iit.org
:x
# hostname linux2.iit.org

3. # cd /etc
# vi resolv.conf
search iit.org
nameserver 192.168.110.2 (IP of Secondary DNS)
:x

4. # cd /etc
# cp named.conf named.conf.iit
# vi named.conf

zone "." IN { type hint; file "named.ca"; };

zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};

Add the two zones of the domain as slaves: zone "iit.org" with type slave, file "iit.org.for.slave" and masters { 192.168.110.10; } (IP of Primary DNS); and zone "110.168.192.in-addr.arpa" with type slave, file "iit.org.rev.slave" and masters { 192.168.110.10; } (IP of Primary DNS).
:x

5. # service named restart

6. # cd /var/named
# ls –la
Now see the output. The two files iit.org.for.slave and iit.org.rev.slave are automatically created.

DNS CLIENT SIDE Configuration

# cd /etc
# vi resolv.conf
search iit.org
nameserver 192.168.110.10 (IP of the Primary DNS)
nameserver 192.168.110.2 (IP of the Secondary DNS; don't need to write this line if Secondary DNS is not available)
:x

# cd /etc/sysconfig
# vi network
NETWORKING = Yes
HOSTNAME = localhost.localdomain → linux2.iit.org
:x
# hostname linux2.iit.org

CHAPTER-TWELVE Samba Server Configuration

Samba was created in 1992 by Andrew Tridgell to allow Linux workstations to share resources with Windows workstations on a Microsoft network. Let's try to share a particular directory of a Linux PC, including some files, with the Windows PC.

Step by Step SAMBA Server Configuration

# mkdir /iitsamba
# cd /iitsamba
# echo "WE ARE AT LINUX1 --- IIT" > welcome
# echo "HOW ARE YOU? --- IIT" > thanks

Now give the permission to the directory as per your requirement.

# chmod –R 777 /iitsamba

1. Check the Software

# rpm –qa | grep samba

SL. No. / RPM / CD# (7.1) / CD# (8.0)
1 / Samba-common…rpm / 1st / 2nd
2 / Samba-client…rpm / 1st / 2nd
3 / Samba…rpm / 2nd / 2nd
4 / Samba-swat…rpm / 2nd / 3rd

2. If not available, we have to install the software by the following command from the source/CD

# rpm –ivh samba*

3. # cd /etc/xinetd.d
# vi swat
disable = no (By default it is yes)
only_from = 192.168.110.1 (IP of that computer from which you would like to configure the samba server through the browser)
Save the file (:x)

4. # cd /etc/httpd/conf
# vi httpd.conf
Search ServerName localhost (/ServerName localhost) => For 7.1
Search ServerName new (/ServerName new) => For 8.0
Change "#ServerName localhost/#ServerName new" to ServerName 192.168.110.1 (IP of the PC)
Save the file (:x)

5. # service xinetd restart
6. # service httpd restart
7. # service ipchains/iptables stop (if required)
8. Ctrl+Alt+F7 (To move to graphics mode for opening a browser)
9. Open a browser and type http://192.168.110.1
10. Then a dialogue box will appear. Please type login = root and password = root password (e.g. linux1). Then the Samba screen will appear on the monitor.

11. Step - I (GLOBAL)

workgroup: iit
netbios name: linux1 (Hostname of the Samba Server)
server string: This is Samba (You can write anything) – Optional
security: share
encrypted password: yes
updated encryption: yes
hosts allow: all
hosts deny: (leave as is)
Note: Others as per default setting
Commit Changes

Step - II (SHARES)

create share: iitshare (this is a share name, it could be anything)
choose share: iitshare
path: /iitsamba (Have to write the actual full path)
writable: yes => For 7.1
read only: no => For 8.0
guest ok: yes
Note: Others as per default setting
Commit Changes

Step – III (STATUS)

Start smbd
Start nmbd

From CLI mode we can also start the service by the following command.

# service smb restart

If everything is completed correctly then we will see running nmbd & running smbd.

Now share a drive of the Windows computer for others.

From the Linux computer, if we want to see the Windows shared files:

# smbclient –L linux5 (this is the hostname of the Windows computer) (Password not required, just press enter)

From the Linux computer, if you want to copy/edit Windows files:

# smbmount //linux5/c /mnt
Here "c" is the shared drive of the Windows computer, linux5 is the hostname of the Windows computer and /mnt is the mount point.

# cd /mnt
# ls –la

Now we can see the full contents of the "C" drive of the Windows computer.

Printer Sharing

To share the printer, after configuring the printer select the PRINTER as Step – IV and do the following:

Step – IV (PRINTER)
guest ok: yes
Note: Others as per default setting
Commit Changes

And then start the service again, either from the GUI mode or from the CLI mode.

Now we can see the shared printer from the Windows PC.

Note: Location of the configuration file:
# cd /etc/samba
# cat smb.conf

CHAPTER-THIRTEEN MAIL SERVER

Before configuring an e-mail client or server, you need to understand how e-mail works and the programs to use or make available to your users. Several key components are essential for e-mail to work properly, and as a system administrator it is your responsibility to configure the following items. These items are:

Programs:

A Mail User Agent (MUA) for users to be able to read and write e-mail.
A Mail Transfer Agent (MTA) to deliver the e-mail messages between computers across a network.
A Local Delivery Agent (LDA) to deliver messages to users' mailbox files.
A mail notification program to tell users that they have new mail.

The TCP/IP protocols for storing email messages and transferring email between MTAs.

Other communication and mail storage components:

• Ports
• Mail queues
• Mailbox files.

Mail User Agent (MUA): To be able to send mail, you, or your users, need a program called a Mail User Agent (MUA). The MUA, also called a mail client, enables users to write and read mail messages. Two types of MUAs are available: a graphical user interface (GUI), such as Netscape Messenger, and a command line interface such as pine.

Mail Transfer Agent (MTA): After the message is composed, the MUA sends it to the mail transfer agent (MTA). The MTA is the program that sends the message out across the network and does its work without any intervention by the user. Now that the MTA has received the message from the MUA, it can do its jobs. The MTA installed by default on your Red Hat system is called Sendmail. The MTA reads the information in the To section of the email message and determines the IP address of the recipient's mail server. Then the MTA tries to open a connection to the recipient's server through a communication port, typically port 25. If the MTA on the sending machine can establish a connection, it sends the message to the MTA on the recipient's server using the Simple Mail Transfer Protocol (SMTP).

The MTA on the receiving server adds header information to the message. The header contains information that is used for tracking the message and ensuring that it is received. Next the receiving MTA passes the message to another program to inform the receiver that new mail has arrived.

Local Delivery Agent (LDA): After the LDA receives the message from the MTA, it places the message in the receiver's mailbox file that is identified by the user name. The Red Hat system calls this program procmail. The location of the user's mailbox file is /usr/spool/mail/<user's name>

The final step in this process is when the user reads his / her message. The user does this using the MUA on his / her PC.

An optional program is a mail notifier that periodically checks your mailbox file for new mail. If you have such a program installed, it notifies you of the new mail.

The Red Hat Linux shell has a built-in mail notifier that looks at your mailbox file once a minute. If new mail has arrived, the shell displays a message just before it displays the next system prompt.

Introducing SMTP

The messages are sent between MTAs using SMTP. This section explains SMTP and two other protocols used to send mail: Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP4). SMTP is the TCP/IP protocol for transferring e-mail messages between computers on a network. SMTP specifies message movement between MTAs, by the path the message takes. Messages may go directly from the sending to the receiving MTA or through other MTAs on other network computers. It is explained in more detail later in this chapter.

The SMTP protocol can transfer only ASCII text. It can't handle fonts, colors, graphics or attachments. If you want to be able to send these items, you need to add another protocol to SMTP. For this you may use Multipurpose Internet Mail Extension or MIME.

Understanding POP3: POP3 is widely used to retrieve mail stored by one SMTP server. POP3 is the Post Office Protocol version 3. This protocol runs on a server that is connected to a network and continuously sends and receives mail. The POP3 server stores any messages it receives. POP3 was developed to solve the problem of what happens to messages when the recipient is not connected to the network. Without POP3, the message could not be sent to the recipient if the recipient were offline. But with POP3, when you want to check your email, you connect to the POP3 server to retrieve your messages that were stored by the server. After you retrieve your messages, you can use the MUA on your PC to read them. Of course, your MUA has to understand POP3 to be able to communicate with the POP3 server.

Understanding IMAP4:

The Internet Message Access Protocol version 4 (IMAP4) provides sophisticated client / server functionality for handling email. IMAP4 enables you to store your email on a networked mail server, just as POP3 does. The difference is that POP3 requires you to download your email before your MUA reads it, whereas IMAP4 enables your email to reside permanently on a remote server, from which you can access your mail. Your MUA must understand IMAP4 to retrieve messages from an IMAP4 server.

POP3 and IMAP4 don't interoperate. While there are email clients and servers that speak both protocols, you can't use a POP3 client to communicate with an IMAP4 server or an IMAP4 client to communicate with a POP3 server. When you configure an email server, you must decide whether your users need POP3 or IMAP4 functionality (or both). IMAP4 servers usually require much more disk space than POP3 servers because the email remains on the mail server unless the user or system administrator deletes it.

The m4 Macro processor:

What is a macro? A macro is a symbolic name for a long string of characters, much like a keyboard macro is a shorthand way to type a long series of keystrokes. Sendmail gets its rules from the entries in a sendmail macro file. The location of the generic sendmail macro file for Red Hat is /usr/lib/sendmail-cf/generic-linux.mc. The rules in the sendmail macro file generate the default sendmail configuration file, sendmail.cf. The m4 is a macro processor that reads the macro file and generates the configuration file.

Understanding and managing the mail Queue:

Sometimes email messages can't go out immediately, and the reasons are varied. Perhaps your network is down. Maybe your intranet's connection to the internet is sporadic. Maybe the recipient's computer is unavailable. Whatever the reason, users can continue to compose email with their MUAs. When they send the mail, sendmail puts the message into the mail queue and keeps trying to send the message at intervals defined for the sendmail daemon. #file #/etc/rc.d/rc2.d/S80sendmail.

Fig: Configuration of Mail server in a network

MAIL SERVER CONFIGURATION

PRE WORKS

1. Your DNS has to run properly.
2. Go to your forward zone file

# cd /var/named
# vi river.com.for

# Add the following line at the bottom

1D IN MX 10 linux3.river.com.
(10 is the preference number)

# In the case of two Mail Servers we have to add two lines to the forward zone file.

1D IN MX 10 linux3.river.com.
1D IN MX 20 linux4.iit.org.
:x

3. # service named restart

4. # cd /etc/mail
# cp sendmail.mc sendmail.iit
# vi sendmail.mc

a. /DAEMON
dnl DAEMON …………………………… MTA)
Add this word (dnl) before the line

b. Go to the bottom of the file
MAILER (smtp) dnl
MAILER (local) dnl   ← Add this line in between the given two lines.
MAILER (procmail) dnl
:x

5. # cd /etc/mail
# vi relay-domains (new file)
192.168.110.
:x

6. # cd /etc/mail
# vi local-host-names
linux3.river.com
river.com
:x

7. RPM Required
# rpm –qa | grep sendmail

8. # m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf (For Red Hat 8.0)
OR
# m4 /etc/mail/sendmail.mc > /etc/sendmail.cf (For Red Hat 7.0)

9. # service sendmail restart

To Send Mail

# mail –v [email protected]
Subject: Test message ↵
We are fine
With thanks
-IIT ↵
. ↵ (to end the mail)
Cc: ↵ (Optional)

To Check the Mail

# cd /var/spool/mail
# cat <username>

To Restrict Mail for [email protected]

# cd /etc/mail
# vi access
[email protected] REJECT
:x
# service sendmail restart

MAIL FORWARDING

# cd /home/ro
# vi .forward (new file)
[email protected], "[email protected]"
:x
# service sendmail restart

Now if any mail comes to [email protected] then it will be forwarded to [email protected].

MAIL ALIASING

These are the user names and their corresponding dept./designation:

alam – production
rana – production
polin – production
sabuz – Marketing
sagor – Marketing
sufia – Marketing
rubel – Marketing Director

# cd /etc
# vi aliases
Go to the bottom of the file and add the following lines:
prod: alam, rana, polin, rubel
mkt: sabuz, sagor, sufia, rubel
all: prod, mkt
:x
# service sendmail restart

To retrieve the Mail from the Server

RPM Required
# rpm –qa | grep imap
# rpm –ivh imap-20…………………. .rpm
# cd /etc/xinetd.d
# vi ipop3
disable = yes → no
:x
# service xinetd restart

HOW POP3 WORKS

1. Because the POP server listens on TCP port 110, I can telnet to my POP server blackhole.evoknow.com as follows: telnet blackhole.evoknow.com 110. I am greeted with the following message from the POP server:

+OK POP3 blackhole.evoknow.com V4.47 server ready

2. Then I type the following POP command to tell the server which user's mailbox I want to open:

USER shabuz

It responds with the following message:

+OK User name accepted. Password please:

3. Then I enter the password for the user shabuz using the following POP command:

PASS mypwd1

The POP server responds with the following message:

+OK Mailbox open. 3 messages

As you can see, I have three messages on the server.

4. Next, I produce a listing of the messages using the following POP command:

LIST

The POP server replies as follows:

+OK Mailbox scan listing follows:
1 1387
2 588
3 590

5. To retrieve one of these messages (#3), I enter the following POP command:

RETR 3

The server returns the message with the following response code:

+OK 590 octets
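The exchange above can be replayed offline against a small server-side state machine, added here as an example that is not part of the manual: it implements USER/PASS/LIST/RETR/QUIT over a constructed mailbox and enforces the AUTHORIZATION/TRANSACTION states, so a LIST before a successful PASS is refused. The hostname, user and password are constructed placeholders.

```python
"""A minimal POP3 server-side state machine, as an added example (not from
the manual).  It replays the USER/PASS/LIST/RETR exchange the manual walks
through, with a constructed mailbox instead of a real server, so the
command/response sequence and the authorization states can be checked
offline.  Hostname, user and password are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample mailbox: message number -> raw message text.
SAMPLE_MAILBOX = {
    1: "From: [email protected]\r\nSubject: one\r\n\r\nhello\r\n",
    2: "From: [email protected]\r\nSubject: two\r\n\r\nsecond message\r\n",
    3: "From: [email protected]\r\nSubject: three\r\n\r\nthird\r\n",
}
CREDENTIALS = {"shabuz": "mypwd1"}   # constructed; a real server checks PAM etc.


@dataclass
class Pop3Session:
    """One client connection.  POP3 has two states that matter here:
    AUTHORIZATION (before PASS succeeds) and TRANSACTION (after)."""
    host: str = "pop.example.invalid"   # constructed placeholder
    mailbox: dict = field(default_factory=lambda: dict(SAMPLE_MAILBOX))
    user: Optional[str] = None
    authenticated: bool = False

    def greeting(self) -> str:
        return f"+OK POP3 {self.host} server ready"

    def handle(self, line: str) -> str:
        """Return the response (one line, or multi-line ending in '.') for a command."""
        parts = line.strip().split(" ", 1)
        cmd = parts[0].upper()               # POP3 commands are case-insensitive
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "USER":
            self.user, self.authenticated = arg, False
            return "+OK User name accepted, password please"
        if cmd == "PASS":
            # USER/PASS carries the password in cleartext on port 110, which is
            # why the manual's telnet session can show it verbatim.
            if self.user and CREDENTIALS.get(self.user) == arg:
                self.authenticated = True
                return f"+OK Mailbox open, {len(self.mailbox)} messages"
            return "-ERR invalid password"
        # Everything below requires the TRANSACTION state.
        if not self.authenticated:
            return "-ERR Unknown AUTHORIZATION state command"
        if cmd == "LIST":
            lines = [f"{n} {len(m.encode())}" for n, m in sorted(self.mailbox.items())]
            return "+OK Mailbox scan listing follows\r\n" + "\r\n".join(lines) + "\r\n."
        if cmd == "RETR":
            try:
                msg = self.mailbox[int(arg)]
            except (ValueError, KeyError):
                return "-ERR no such message"
            return f"+OK {len(msg.encode())} octets\r\n{msg}."
        if cmd == "QUIT":
            return "+OK Sayonara"
        return "-ERR Unknown command"


def run_manual_exchange(session: Pop3Session) -> list:
    """Replay the manual's steps 2-5 and return (command, response) pairs."""
    script = ["USER shabuz", "PASS mypwd1", "LIST", "RETR 3", "QUIT"]
    return [(c, session.handle(c)) for c in script]


if __name__ == "__main__":
    s = Pop3Session()
    print("S:", s.greeting())
    for cmd, resp in run_manual_exchange(s):
        print("C:", cmd)
        print("S:", resp)
```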

CHAPTER-FOURTEEN WEB SERVER

Fig: Classification of Web server. Virtual Hosting is either IP BASED (i.e. different IP) or NAME BASED (i.e. same IP). NORMAL: linux20.iit.org. (192.168.110.20) serves /var/www/html/index.html as www.iit.org. NAME BASED (same IP 192.168.110.20): /var/www/html/sun/index.html → www.sun.org, /var/www/html/moon/index.html → www.moon.org. IP BASED: /fire/index.html on 192.168.110.100 → www.fire.com, /water/index.html on 192.168.110.200 → www.water.com.

DNS SIDE

1. Your DNS has to run properly.
2. Go to your forward zone file

# cd /var/named
# vi iit.org.for
Add the following line at the bottom
www IN CNAME linux20.iit.org.
:x

3. # service named restart

WEB SERVER SIDE

NORMAL:

1. RPM Required

# rpm –qa | grep http
# rpm –qa | grep apache (not required for Red Hat Linux 8.0)

2. # cd /etc/httpd/conf
# cp httpd.conf httpd.conf.iit
# vi httpd.conf

a. /ServerName localhost (for Red Hat Linux 7.1)
/ServerName new (for Red Hat Linux 8.0)
ServerName 192.168.110.20
ServerName www.iit.org

b. /DocumentRoot
DocumentRoot "/var/www/html"

c. /DirectoryIndex
:x

3. # cd /var/www/html
# mv index.html index.html.iit (Not required for Red Hat Linux 8.0)
# vi index.html
<HTML>
<BODY BGCOLOR="orange">
This is linux20 – www.iit.org (192.168.110.20)
</BODY>
</HTML>
:x

4. # service httpd restart

Now open a browser and browse.

NOTE: Before configuring the web server you have to be a client of the DNS Server.

From CLI Mode

RPM Required
# rpm –qa | grep lynx
# lynx www.iit.org

Name Based Hosting (More Practical)

# cd /etc/httpd/conf
# vi httpd.conf

a. /ServerName localhost (for Red Hat Linux 7.1)
/ServerName new (for Red Hat Linux 8.0)
ServerName 192.168.110.20
ServerName www.iit.org

b. /DocumentRoot
#DocumentRoot "/var/www/html"   (Add this hash before the line)

c. /NameVirtualHost (for Red Hat Linux 7.1)
For Red Hat Linux 8.0 please write at the bottom of the file

# NameVirtualHost 12.34.56.78:80
NameVirtualHost 192.168.110.20
<VirtualHost 192.168.110.20>
DocumentRoot /var/www/html
ServerName www.iit.org
</VirtualHost>

<VirtualHost 192.168.110.20>
DocumentRoot /var/www/html/sun
ServerName www.sun.org
</VirtualHost>

<VirtualHost 192.168.110.20>
DocumentRoot /var/www/html/moon
ServerName www.moon.org
</VirtualHost>
:x

Now we have to edit the forward zone file –

# cd /var/named
# vi iit.org.for
Add the following lines at the bottom:
www.sun.org IN A 192.168.110.20
www.moon.org IN A 192.168.110.20
:x

# service named restart
# service httpd restart

IP Based Hosting (More Reliable)

# cd /etc/httpd/conf
# vi httpd.conf

a. /ServerName localhost (for Red Hat Linux 7.1)
/ServerName new (for Red Hat Linux 8.0)
ServerName 192.168.110.20
ServerName www.iit.org

b. /DocumentRoot
DocumentRoot "/var/www/html"

c. /NameVirtualHost (for Red Hat Linux 7.1)
For Red Hat Linux 8.0 write at the bottom of the file

<VirtualHost 192.168.110.100>
DocumentRoot /fire
ServerName www.fire.org
</VirtualHost>

<VirtualHost 192.168.110.200>
DocumentRoot /water
ServerName www.water.org
</VirtualHost>
:x

Now we have to edit the forward zone file –

# cd /var/named
# vi iit.org.for
Add the following lines at the bottom:
www.fire.org IN A 192.168.110.100
www.water.org IN A 192.168.110.200
:x

# cd /etc/sysconfig/network-scripts
# cp ifcfg-eth0 ifcfg-eth0:1
# cp ifcfg-eth0 ifcfg-eth0:2

# vi ifcfg-eth0:1
DEVICE=eth0:1
IPADDR=192.168.110.100
:x

# vi ifcfg-eth0:2
DEVICE=eth0:2
IPADDR=192.168.110.200
:x

# service network restart
# service named restart
# service httpd restart

CHAPTER-FIFTEEN PROXY SERVER Configuration

PRE WORKS

Either your DNS has to run properly – OR the following things have to work properly –
1. IP set
2. hostname
3. /etc/hosts file

1. RPM Required
# rpm –qa | grep squid

2. # cd /etc/squid
# cp squid.conf squid.conf.oct21
# vi squid.conf

a. /http_port
# http_port 3128   → Remove this #

b. /cache_mem
# cache_mem 8 MB   → Remove this #

c. /cache_dir
# cache_dir ufs /var/spool/squid 100 16 256   → Remove this #
NOTE 100 → Space of hard disk in MB; 16 → 1st Level Directory; 256 → 2nd Level Directory. ** You can change the above as per your configuration/requirement.

d. /cache_access_log
# cache_access_log /var/log/squid/access.log   → Remove this #
NOTE We can monitor clients from the access.log file.

e. /client_netmask
# client_netmask 255.255.255.255   → Remove this #
NOTE
I. If 255.255.255.255 → We can see the IP of the client PC.
II. If 255.255.255.0 → We can see the network of the client PC.

f. /cache_effective
# cache_effective_user squid   → Remove this #
# cache_effective_group squid   → Remove this #

g. /INSERT
acl iit2004 src 192.168.110.0/24
http_access allow iit2004
:x

NOTE acl = access control list; src = source

3. # squid –z (It will create swap directories)

4. # service squid restart

To Monitor Client PC from the Server Side

# cd /var/log/squid
# tail –f access.log

Modem Configuration

# rpm –qa | grep wvdial
# wvdialconf wvdial.conf
# cd /etc
# vi wvdial.conf
; phone = 0101306 (ISP's hunting number)   → Remove these ;
; username = flame (ISP's user name)
; password = 123 (And your password)
:x

# netconfig
IP – 192.168.110.8
NM – 255.255.255.0
GW – 202.84.232.67
NS – 202.84.232.67
OK
# service network restart

Now Dial
# wvdial ↵

CHAPTER-SIXTEEN PPP

OUR MOTTO

1. To be connected to linux7 from linux4 through PPP.
2. Would like to telnet to linux7 from linux4 as user and then super user.
3. Again would like to telnet to linux3 from linux7 as user and then root; finally reboot.

PPP (Point to Point Protocol)

Server Side

1. RPM Required
# rpm –qa | grep mgetty

2. PPP Account Creation and Giving Password
# adduser –s /usr/bin/pppd mahbub
# passwd mahbub
type – 123
retype – 123

3. Set User ID to PPP User
# cd /usr/bin
# chmod u+s pppd

4. # cd /etc
# vi inittab
s : 2345 : respawn : /sbin/mgetty ttyS
:x

5. # init q
OR
# reboot

6. # cd /etc/ppp
# vi options.ttyS (new file)
192.168.110.2 : 192.168.110.222
(IP of Local PC : IP of Remote PC)
:x

# cd /etc/ppp
# vi options
lock → noauth
:x

PPP Client Side

MODEM Configuration

# cd /etc
# wvdialconf wvdial.conf
This is a new file (It will be created)

# vi wvdial.conf
; phone : 9669134   → remove these ;
; username : mahbub
; password : 123
:x

Now Dial
# wvdial ↵

CHAPTER-SEVENTEEN DHCP SERVER CONFIGURATION

DHCP – Dynamic Host Configuration Protocol

Step by Step DHCP Server Configuration

RPM Required
# rpm –qa | grep dhcp
# rpm –qa | grep linuxconf

# linuxconf ↵
control → control files and system → configuration → linuxconf modules
SELECT [X] dhcpd  DHCP Server Configuration for local net.
ACCEPT → QUIT → DO IT

# linuxconf ↵
Config → Networking → Boot Services → DHCP/BootP Server


Server Identification – linux8
Default Lease Time – 360000
Max Lease Time – 3600000
ADD NET
Network Number – 192.168.110.0
Network Mask – 255.255.255.0
IP Range Start – 192.168.110.101
IP Range Stop – 192.168.110.200
Domain Name – ocean.com
Name Server (DNS) – linux8.ocean.com (Only required if DNS is available)
Host Name – linux8
Name Server (NetBIOS) – linux8
ACCEPT → ACCEPT → DISMISS → QUIT → DO IT


# service dhcpd restart

DHCP Client Side

# netconfig ↵
yes
[*] Use ………………….[BOOTP/DHCP]
OK
# service network restart ↵
# ifconfig ↵
Now we will get a new IP from the DHCP server.


CHAPTER-EIGHTEEN Firewall/Security

Network Security ⇒ System Security ⇒ Application Level Security ⇒ Library Level Security ⇒ Kernel Level Security

Example:
1. Application Level Security: a. squid b. NIS c. NIS+ and others
2. Library Level Security: a. sudo b. PAM (Pluggable Authentication Module) and others
3. Kernel Level Security i.e. firewall: a. ipchains b. iptables c. ipfwadm d. netfilters and others

squid
# cd /etc/squid
# vi squid.conf
/INSERT
acl BadWords url_regex bd yahoo.com
http_access deny BadWords
acl mylan7 src 192.168.110.0/24
http_access allow mylan7
http_access allow localhost
http_access deny all
:x
# service squid restart

Now we can not browse the following addresses: bdcom.com, aitlbd.net, bdjobs.com, yahoo.com etc.


We can allow some clients to use the cache at specific times.

# cd /etc/squid
# vi squid.conf
/INSERT
acl LOVE src 192.168.110.2 192.168.110.4
acl WORKING time MTH 14:30-16:45
http_access allow LOVE WORKING
http_access deny LOVE
acl mylan8 src 192.168.110.0/24
http_access allow mylan8
http_access allow localhost
http_access deny all
:x
# service squid restart

Now only the 192.168.110.2 and 192.168.110.4 workstations will be allowed to the internet during 2:30 pm to 4:45 pm on Monday, Tuesday and Thursday.

Syntax of Access List
acl aclname time day_abbreviation h1:m1-h2:m2   (h2:m2 > h1:m1)
Day abbreviations: Sunday – S, Monday – M, Tuesday – T, Wednesday – W, Thursday – H, Friday – F, Saturday – A
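The following is an added Python example, not part of the manual: it evaluates the squid.conf rules above for a client address and time the way squid does (http_access lines checked top to bottom, the first line whose ACLs all match decides), which shows why a LOVE host outside working hours is refused by "deny LOVE" before "allow mylan8" is ever reached. The ACL table is constructed from the fragment above and squid's day letters S M T W H F A are assumed.

```python
# Added example (not from the manual): evaluate the squid.conf ACLs above for a
# client address and time the way squid does: first matching http_access line wins.
import ipaddress
from datetime import datetime

# squid day letters indexed by datetime.weekday() (Monday=0 .. Sunday=6)
DAY_LETTERS = "MTWHFAS"          # H = Thursday, A = Saturday, S = Sunday

# Constructed ACL table, copied from the squid.conf fragment above.
ACLS = {
    "LOVE":      ("src",  ["192.168.110.2", "192.168.110.4"]),
    "WORKING":   ("time", ["MTH", "14:30-16:45"]),
    "mylan8":    ("src",  ["192.168.110.0/24"]),
    "localhost": ("src",  ["127.0.0.1"]),
    "all":       ("src",  ["0.0.0.0/0"]),
}
# http_access lines in file order; every ACL named on a line must match.
HTTP_ACCESS = [
    ("allow", ["LOVE", "WORKING"]),
    ("deny",  ["LOVE"]),
    ("allow", ["mylan8"]),
    ("allow", ["localhost"]),
    ("deny",  ["all"]),
]

def _minutes(hm):
    h, m = hm.split(":")
    return int(h) * 60 + int(m)

def acl_matches(name, client_ip, when):
    kind, args = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(a, strict=False) for a in args)
    if kind == "time":               # [days] h1:m1-h2:m2, with h2:m2 > h1:m1
        days = args[0] if len(args) == 2 else "SMTWHFA"
        start, end = (_minutes(x) for x in args[-1].split("-"))
        if end <= start:
            raise ValueError(f"acl {name}: h2:m2 must be later than h1:m1")
        now = when.hour * 60 + when.minute
        return DAY_LETTERS[when.weekday()] in days and start <= now <= end
    raise ValueError(f"acl {name}: unsupported acl type {kind}")

def http_access(client_ip, when_iso):
    """Return 'allow' or 'deny' for client_ip at the ISO time when_iso."""
    when = datetime.fromisoformat(when_iso)
    for verdict, names in HTTP_ACCESS:
        if all(acl_matches(n, client_ip, when) for n in names):
            return verdict
    return "deny"                    # unreachable here: 'deny all' matches everyone
```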

SUDO (Execute a command as another user)

Step-1: RPM Required
# rpm –qa | grep sudo


Step-2:
# which adduser → /usr/sbin/adduser
# which passwd → /usr/bin/passwd
# which shutdown → /sbin/shutdown

Step-3:
# visudo
go to the bottom of the file and add the following line –
shuvo ALL = /usr/sbin/adduser, /usr/bin/passwd, /sbin/shutdown
:x

Step-4:
# cd /home/shuvo (home directory of shuvo)
# vi .bash_profile
PATH=$PATH:$HOME/bin   ← It was written
PATH=$PATH:$HOME/bin:/usr/sbin:/usr/bin:/sbin   ← We have to add this
:x

Step-5: Now login as shuvo
$ sudo adduser polash
password: password of shuvo (it will appear for the first time)
$ finger polash   See what happens
$ sudo passwd polash
type –
retype –
Now you can login as polash easily.


PAM

RPM Required
# rpm –qa | grep pam

Only chaina and root can login
# cd /etc/security
# vi access.conf
Syntax
<permission> : <login account> : <from where>
+ ⇒ allow   - ⇒ deny
- : ALL EXCEPT root chaina : ALL
- : summon : linux5
- : sultan : tty3 tty5
- : salma : 192.168.110.2
(write any one)
:x

** Related Library File ⇒ pam_access.so (Fig: Location of the library file)
# cd /etc/pam.d
# vi system-auth
account required /lib/security/pam_access.so
:x
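An added Python example, not part of the manual: a small evaluator for access.conf lines in the syntax above, following pam_access (lines are checked top to bottom; the first line whose login-account field and from-where field both match decides). The rules are constructed from the ones shown, with the specific lines first and the catch-all "ALL EXCEPT root chaina" last; group names, domain suffixes and network masks that the real pam_access understands are left out.

```python
# Added example (not from the manual): evaluate /etc/security/access.conf lines
# the way pam_access does: top to bottom, first line whose user field and origin
# field both match decides; '+' allows, '-' denies.
# Simplification: users and origins match as literal tokens only (no groups,
# domain suffixes or network masks).

# Constructed access.conf content built from the lines shown in the manual,
# specific lines first and the catch-all "ALL EXCEPT root chaina" last.
ACCESS_CONF = """
# permission : login account : from where
- : summon : linux5
- : sultan : tty3 tty5
- : salma : 192.168.110.2
- : ALL EXCEPT root chaina : ALL
"""

def parse_access_conf(text):
    """Return a list of (permission, user_tokens, origin_tokens) in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in line: {raw!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def field_matches(tokens, value):
    """A field is ALL, a list of names, or ALL EXCEPT followed by a list."""
    if tokens[:2] == ["ALL", "EXCEPT"]:
        return value not in tokens[2:]
    return "ALL" in tokens or value in tokens

def check_login(rules, user, origin):
    """Decide 'allow' or 'deny' for user logging in from origin (tty or host)."""
    for perm, users, origins in rules:
        if field_matches(users, user) and field_matches(origins, origin):
            return "allow" if perm == "+" else "deny"
    return "allow"      # pam_access lets through a login no line covers

RULES = parse_access_conf(ACCESS_CONF)
```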

surma can’t login only on Tuesday between 2 pm and 10 pm.


# cd /etc/security
# vi time.conf
Syntax
services;ttys;users;times
login;tty*;surma;!Th1400-2200
:x

** Related Library File ⇒ pam_time.so
# cd /etc/pam.d
# vi system-auth
account required /lib/security/pam_time.so
:x

ipchains ⇒ firewall

gateway = Common exit point. The server which is connected to the internet will be the gateway server. The router itself can be treated as the firewall server.

Fig: Internet ⇒ Firewall Server (Gateway) ⇒ Internet


Chain Means Rule

CHAINS
INPUT CHAIN
OUTPUT CHAIN
FORWARD CHAIN

POLICY
ACCEPT
DENY → No reply
REJECT → Reply will appear
MASQ

IPCHAINS options used in the firewall script
-A → Add a new rule/chain
-D → Delete an existing rule
-L → List of chains
-F → Flush the chains
-s → Source
-d → Destination
-p → Protocol
-j → Jump to the target

PORT 0 to 65535
WELL KNOWN PORTS 0 to 1023
REGISTERED PORTS 1024 to 49151
DYNAMIC AND/OR PRIVATE PORTS 49152 to 65535


Location of the Port List File
# cat /etc/services

Services   Port#        Services   Port#
ftp        21           http       80
ssh        22           nfs        2049
telnet     23           pop        110
smtp       25           swat       901
domain     53

Location of the Configuration File
# cd /etc/sysconfig
# ls –la ipchains

Note: We have to write allow 1st and deny later on.

# vi ipchains
-A input –s 192.168.110.3 –d 192.168.110.2 23 –p tcp –j ACCEPT
-A input –s @/@ –d 192.168.110.5 21:23 –p tcp –j REJECT
:x
# service ipchains restart
Only linux3 can telnet linux5. Nobody can do anything. Also linux3 can’t do other things.

To Stop pinging
# vi ipchains
-A input –s @/@ –d 192.168.110.6 –p icmp –j REJECT
:x
# service ipchains restart


CHAPTER-NINETEEN IP MASQUERADING

⇒ To handshake different network – Routing must be required.
⇒ To forward private IP to real IP – IP Masquerading required.

Server Side
1. # netconfig
IP – 192.168.110.1
NM – 255.255.255.0
GW – 202.84.232.67 – ISP
NS – 202.84.232.67 – ISP

2. # cd /etc
# vi sysctl.conf
net.ipv4.ip_forward = 0 → 1
:x

3. # service network restart

4. # cd /etc/sysconfig
# vi ipchains
-A forward –p all –s @/@ -d @/@ -j MASQ
-A input –s @/@ -d @/@ -j ACCEPT
:x
# service ipchains restart
Now initialize modem and dial.

Client Side
# netconfig
IP – 192.168.110.5
NM – 255.255.255.0
GW – 192.168.110.1 – (IP of Server)
NS – 202.84.232.67 – (IP of ISP’s DNS)
# service network restart


CHAPTER-TWENTY RADIUS SERVER AND TERMINAL SERVER

ACCESS SERVER / TERMINAL SERVER / SERIAL CARD – Will arrange multiple serial ports.
RADIUS → Remote Authentication Dial In User Service.
AAA SERVER – AUTHENTICATION, AUTHORIZATION, ACCOUNTING

SOFTWARE REQUIRED FOR RADIUS – radiusd-cistron-1.6.4.tar.gz
SOFTWARE REQUIRED FOR TERMINAL SERVER – portslave-1.2.0pre12.tar.gz

1st of all we have to collect these software and then copy these to hard disc.
# mkdir /rad_ter
Lets assume we have copied the files, i.e. we have copied them into the /rad_ter directory. Now we have to configure.

1. # cd /rad_ter
2. # tar zxvf radius……….tar.gz
3. # tar zxvf portslave……….tar.gz
4. # cd /rad_ter/portslave-1.2.0.pre12
5. # ls –la
6. # ./install.sh
7. # make
8. # make install
9. # cd /etc/portslave
10. # cp pslave.conf pslave.conf.bak


11. # vi pslave.conf
(Now edit as per your lecture sheet)
:x
12. # cd /rad_ter/radiusd-cistron-1.6.4
13. # vi INSTALL
(INSTALL lists the build steps: cd src, ls, cp Makefile.os Makefile, make, make install)
:q
14. # cd src
15. # cp Makefile.lnx Makefile
(overwrite - ?) Yes
16. # make
17. # make install
18. # cd /var/log
19. # mkdir radacct
20. # cd /etc/raddb
21. # vi users
(Now edit as per your lecture sheet)
:x
22. # cd /etc/raddb
23. # vi clients
localhost testing123
192.168.110.8 testing123
:x
24. # cd /etc


25. # vi inittab
x : 2345 : respawn : /usr/local/sbin/portslave
& 15 : …………………………………… 15
:x
26. # init q
27. # radius

# vi /etc/portslave/pslave.conf
conf.hostname linux8
conf.ipno 192.168.110.8
conf.lockdir /var/lock
conf.rlogin /usr/local/bin/rlogin-radius
conf.pppd /usr/local/sbin/pppd-radius
conf.telnet /usr/bin/telnet
conf.ssh /usr/bin/ssh
conf.locallogins 1
conf.syslogd linux8
conf.facility 6
conf.filterdir /etc/portslave/filters
conf.stripnames 0
all.debug 1
all.authtype radius
all.authhost 192.168.110.8
all.accthost 192.168.110.8
all.radtimeout 3
all.secret testing123
all.protocol rlogin
all.host linux8
all.ipno 192.168.110.165+
all.netmask 255.255.255.255
all.mtu 1500
all.issue \n\
Portslave Internet Services\n\
\n\
Welcome to IIT’s Terminal Server %h port S%p \n\
\n\
Customer Support: 123-555-1212 http://www.myisp.net\n\
\n
all.prompt %h login:
all.term vt100
all.sysutmp 1
all.syswtmp 0
all.prottype 0
all.speed 115200
all.initchat "" \d\l\dATZ OK\r\n-ATZ-OK\r\n
all.waitfor RING
all.answer "" ATA CONNECT @


all.aa 0
all.checktime 60
all.checkchat "" AT OK
all.flow hard
all.dcd 1
all.autoppp proxyarp modem asyncmap 0 %i: \
    noipx noccp login auth require-pap refuse-chap \
    mtu %t mru %t \
    ms-dns 192.168.1.1 ms-dns 192.168.1.2 \
    uselib /usr/local/bin/libpsr.so
all.pppopt proxyarp modem asyncmap 0 %i: %j \
    noipx noccp mtu %t mru %t \
    netmask %m \
    idle %l maxconnect %T \
    ms-dns 192.168.1.1 ms-dns 192.168.1.2 \
    uselib /usr/local/bin/libpsr.so
s0.tty ttyS1
:x

# vi /etc/raddb/users
DEFAULT Auth-Type = System
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-MTU = 576,
    Framed-Compression = Van-Jacobson-TCP-IP

# vi /etc/raddb/clients
localhost testing123
192.168.110.8 testing123