GNU-FDL-OO-LPI-202-0.3.pdf


  • 8/10/2019 GNU-FDL-OO-LPI-202-0.3.pdf

    1/95

    Study Guide for

    Advanced Linux Network Administration

    Lab work for LPI 202

    released under the GFDL by LinuxIT

    April 2005


    GNU Free Documentation License

    Copyright (c) 2005 LinuxIT. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being History, Acknowledgements, with the Front-Cover Texts being "released under the GFDL by LinuxIT".

    GNU Free Documentation License
    Version 1.2, November 2002

    Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

    0. PREAMBLE

    The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

    This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

    We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

    1. APPLICABILITY AND DEFINITIONS

    This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

    A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

    A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

    The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

    The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.


    A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called "Opaque".

    ... HTML, PostScript or PDF designed for human modification. ... HTML, PostScript or PDF produced by some word processors for output purposes only.

    The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

    A section "... However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

    You may also lend copies, under the same conditions stated above, and you may publicly display copies.

    3. COPYING IN QUANTITY

    If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

    If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

    If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the


    latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

    It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

    4. MODIFICATIONS

    You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

    A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

    B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

    C. State on the Title page the name of the publisher of the Modified Version, as the publisher.

    D. Preserve all the copyright notices of the Document.

    E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.

    F. Include, immediately after the copyright notices, a license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

    G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

    H. Include an unaltered copy of this License.

    I. Preserve the section


    LinuxIT Technical Education Centre

    Contents

    History
    DNS
    1. Using dig and host
    1.1 Non-recursive queries
    2. Basic Bind 8 Configuration
    2.1 Config...


    DNS

    1. Using dig and host

    The bind-utils package (or dnsutils for Debian based systems) provides tools used to query DNS servers. We will use dig ...


    ... names and additional IP addresses for 2 new DNS servers authoritative on the .ORG domain.


    host -t NS tldp.org

    tldp.org name server ns2.unc.edu.
    tldp.org name server ncnoc.ncren.net.
    tldp.org name server ns.unc.edu.

    Search MX record for domain:

    host -t MX tldp.org

    tldp.org mail is handled by 0 gabber.metalab.unc.edu

    Finally, it is possible to see all records with host -a.

    2. Basic Bind 8 Configuration

    The configuration file for a Bind 8 server is /etc/named.conf. This file has the following main entries:

    Main entries in named.conf

    logging ...


        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    2.1 The Logging Statement

    ... For this we will create the channel foo_channel. Next we want to log queries using this channel.

    The entry in named.conf will look like this:

    logging {


        channel foo_channel {
            file "LOG";
            print-time yes;
            print-category yes;
            print-severity yes;
        };

        category "queries" {
            "foo_channel";
        };
    };

    Categories such as queries are predefined and listed in the named.conf(5) manpages.

    However some of the names have changed since BIND 8, so we include as a reference the list of categories for BIND 9 below:

    BIND 9 Logging Categories

    default              Category used when no specific channels (log levels, files ...) have been defined
    general              Catch-all for messages that haven't been classified below
    database             Messages about the internal zone files
    security             Approval and denial of requests
    config               Processing of the configuration file
    resolver             Information about operations performed on behalf of clients
    xfer-in or xfer-out  Received or sent zone files
    notify               Log NOTIFY messages
    client               Client activity
    update               Zone updates
    queries              Client queries
    dnssec               DNS...


        ....
    };

    We next cover the most common options.

    version      Manpage says "The version the server should report via the ndc command. The default is the real version number of this server, but some server operators prefer the string (surely you must be joking)". Hiding the version only makes reconnaissance slightly harder; it is no substitute for running a patched BIND.

        version "(surely you must be joking)";

    directory    The working directory of the server

        directory "/var/named";

    fetch-...


    allow-query (list)        Lists of hosts or networks that may query the server

    allow-recursion (list)    List of hosts that can submit recursive queries. Leaving this open turns the server into an open resolver that anyone on the Internet can use (and abuse for amplification).

    allow-transfer (list)     List of hosts (usually the slaves) who are allowed to do zone transfers. If it is not set, BIND allows transfers to any host, so every master zone should set it explicitly.

    2.3 The Zone Statement

    The syntax for a zone entry in named.conf is as follows:

    zone domain_name {
        type zone_type;
        file zone_file;
        local_options;
    };

    We first look at the local_options available. Some of these are the same options with the same syntax as the global options we have just covered (with some additional ones). The most common ones are notify, allow-transfer and allow-query. Additional ones are masters (list of master servers) or dialup.

    The domain_name is the name of the domain we want to keep records for. For each domain name there is usually an additional zone that controls the corresponding in-addr.arpa (reverse) zone.

    The zone_type can either be:

    master    the server has a master copy of the zone file
    slave     the server has a version of the zone file that was downloaded from a master server
    hint      predefined zone containing a list of root servers
    stub      similar to a slave server but only keeps the NS records

    The zone_file is a path to the file containing the zone records. If the path is not an absolute path then the path is taken relative to the directory given earlier by the directory option (usually /var/named).


    zone "seafront.bar" IN {
        type master;
        file "seafront.zone";
        allow-transfer { 10.1.2.3; };
    };

    zone "2.1.10.in-addr.arpa" IN {
        type master;
        file "10.1.2.zone";
        allow-transfer { 10.1.2.3; };
    };

    The next example is the corresponding named.conf zone section for the slave server, assuming the master has the IP 10.1.2.1:

    zone "seafront.bar" IN {
        type slave;
        masters { 10.1.2.1; };
        file "slave/seafront.zone";
    };

    zone "2.1.10.in-addr.arpa" IN {
        type slave;
        masters { 10.1.2.1; };
        file "slave/10.1.2.local";
    };

    2.4 The Access Control Lists (acl) Statement

    Rather than use IPs it is possible to group lists of IP addresses or networks and assign a name to this grouping.
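    As an added example covering the zone and acl statements above (this is not code from the LinuxIT guide): a shell function that reads a named.conf and reports every master zone that anyone can transfer, plus an options block that leaves recursion unrestricted. A zone transfer (AXFR) hands an attacker the whole zone in one query, so `allow-transfer` should name the slaves (or, as in the guide's seafront.bar example, a TSIG key) or an acl. The configuration it runs on is constructed here; the example.open and example.default zone names and the file paths are made up.

    ```shell
    #!/bin/sh
    # Added example, not from the LinuxIT guide: audit a named.conf for zones
    # that can be transferred by anyone and for unrestricted recursion.
    #
    # Rules applied to every "zone ... { type master; ... }" statement:
    #   - no allow-transfer at all       -> OPEN  (BIND's default is "any")
    #   - allow-transfer { any; }        -> OPEN
    #   - anything else (IP, acl, key)   -> OK
    # A global allow-transfer inside options { } is used when a zone sets none.
    # Limitations: one statement per line, no views, no include files.
    audit_named_conf() {
        awk '
            function body(line) {                  # "allow-x { a; b; };" -> "a; b"
                sub(/^.*[{][[:space:]]*/, "", line)
                sub(/[[:space:]]*;?[[:space:]]*[}].*$/, "", line)
                return line
            }
            /^[[:space:]]*options[[:space:]]*[{]/ { in_opts = 1 }
            in_opts && /allow-transfer/  { global_xfer = body($0) }
            in_opts && /allow-recursion/ { recursion_acl = body($0) }
            in_opts && /^[[:space:]]*recursion[[:space:]]+no/ { recursion_off = 1 }
            in_opts && /^[[:space:]]*[}]/ { in_opts = 0 }

            /^[[:space:]]*zone[[:space:]]+/ {
                zone = $2; gsub(/["{]/, "", zone)
                in_zone = 1; is_master = 0; xfer = ""
            }
            in_zone && /type[[:space:]]+master/ { is_master = 1 }
            in_zone && /allow-transfer/        { xfer = body($0) }
            in_zone && /^[[:space:]]*[}]/ {
                if (is_master) {
                    if (xfer == "") xfer = global_xfer
                    if (xfer == "")
                        printf "OPEN  %s: no allow-transfer (BIND default allows any host)\n", zone
                    else if (xfer == "any")
                        printf "OPEN  %s: allow-transfer { any; }\n", zone
                    else
                        printf "OK    %s: allow-transfer { %s; }\n", zone, xfer
                }
                in_zone = 0
            }
            END {
                if (!recursion_off && recursion_acl == "")
                    print "OPEN  recursion: no allow-recursion list and recursion not turned off"
            }
        ' "$1"
    }

    # Constructed sample (not a real configuration): the guide's TSIG-protected
    # seafront.bar zone, one explicitly open zone, one relying on the default,
    # and a hint zone that must be ignored.
    SAMPLE_CONF="${TMPDIR:-/tmp}/named.conf.audit.$$"
    trap 'rm -f "$SAMPLE_CONF"' EXIT
    cat > "$SAMPLE_CONF" <<'EOF'
    options {
        directory "/var/named";
        recursion yes;
    };
    zone "seafront.bar" IN {
        type master;
        file "seafront.zone";
        allow-transfer { key seafront.bar.; };
    };
    zone "example.open" IN {
        type master;
        file "example.open.zone";
        allow-transfer { any; };
    };
    zone "example.default" IN {
        type master;
        file "example.default.zone";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    EOF

    audit_named_conf "$SAMPLE_CONF"
    ```

    Run it against the real file with `audit_named_conf /etc/named.conf`. Three lines come back as OPEN for the sample: the `any` zone, the zone with no `allow-transfer`, and the recursion setting; only seafront.bar is OK. A zone with `allow-transfer { none; };` is reported OK as well, which is the right setting for a master that has no slaves.
    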


    2.5 The Server Statement

    This statement is used to assign configuration options for a specific server. For example if a server is giving bad information it can be marked as bogus ...


    1. If the name of the domain is missing then @ is assumed.

    2. The fully qualified name of the name-server is ns.seafront.bar. A host name that doesn't end with a dot will automatically have the domain name (the origin, '@') appended to it. Here for example:

        ns becomes ns.seafront.bar.

    3. Records defining the mail-servers for this domain, MX records:

        domain-name    IN    MX    PRI    mail-server

    The PRI entry is a priority number. If several mail-servers are defined for a domain then the servers with the lowest priority number are used first.

    4. Authoritative information for hosts on the domain, called A records:

        host-name    IN    A    IP-address

    Authority Delegation ...


    3.1 Server Authentication

    DNSSEC ... a slave server and the master server.

    The dnssec-keygen ...


        type master;
        file "seafront.zone";
        allow-transfer { key seafront.bar.; };
    };

    zone "2.1.10.in-addr.arpa" IN {
        type master;
        file "10.1.2.zone";
        allow-transfer { key seafront.bar.; };
    };

    Slave Configuration ...


    - altered slave zone files
    - cache impersonation
    - cache poisoning

    New RR records

    The integrity and authenticity of data is guaranteed by signing the Resource Records using a private key. These signatures can be verified using the public key published in DNS ...


    seafront.zone.signed

    This is due to the fact that the dnssec-signzone tool doesn't support the -k switch which would allow to make use of a key signing key (KSK) which is then forwarded to a parent zone to generate a DS record ...

    If you want to make use of this signed zone, change the filename in named.conf to "seafront.bar.signed".


    Mail and Lists

    Contents

    Sendmail
    1. Using Sendmail
    1.1 Configuration Settings
    1.2 Virtual Hosting
    2. Config...


    1. Using Sendmail

    1.1 Configuration Settings

    ... mail. Here we need to do the following:

    1. By default sendmail is configured to listen for connections ONLY on the 127.0.0.1 interface. In order to make sendmail listen on all interfaces we need to comment out the following line in /etc/mail/sendmail.mc using 'dnl' (the m4 "delete to newline" macro, which discards the rest of the line):

        dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

    Once this is done run:

        m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf


    Notice: Make sure /etc/sendmail.cf isn't also there; if it is, delete it.

    Restart sendmail and try the following:

        telnet test1.seafront.bar 25

    2. ... the /etc/mail/access file. Relaying is granted per source address here; only list hosts you control, since anything allowed to RELAY can send mail anywhere through this server:

        192.168.246.12    RELAY

    3. Finally, we also need to tell sendmail to accept mail for @seafront.bar addresses. For this, add the domain name to /etc/mail/local-host-names:

        seafront.bar

    Restart sendmail and send a mail to an existing user. If you have a user tux on the machine then check the output of the following:

        mail -v -s "test seafront domain" tux@seafront.bar < /etc/passwd

    1.2 Virtual Hosting

    ...

    ... PERL with the path to the perl binary on your system (usually /usr/bin/perl):


        PERL = /usr/bin/perl

    To make things easier we will leave the W_HOME as is:

        W_HOME = /usr/test/majordomo-$(VERSION)

    You need to create the directory /usr/test:

        mkdir /usr/test

    Create a group called majordomo with GID 45, and add a user called majordomo with UID 123:

        groupadd -g 45 majordomo
        useradd -g 45 -u 123 majordomo

    2. In the sample.cf file we need to define our domain (for example seafront.bar). This is also where the path to the sendmail binary is set:

        $whereami = "seafront.bar";
        $sendmail_command = "/usr/sbin/sendmail";

    Now we can run:

        make install
        make install-wrapper

    Finally you can test the configuration as suggested with the following:

        cd /usr/test/majordomo-1.94.5; ./wrapper config-test

    If all goes well you will be prompted to register to the majordomo mailing list. Since we do not have a valid email address, answer NO to the question.

    Sendmail Configuration ... /etc/aliases for each mailing list we create. But before that we need a symbolic link in /etc/smrsh pointing to the majordomo wrapper binary, and here is why.


    In order to limit the number of programs mail can be piped to (using a '| command' instead of an email address) sendmail defines a set of commands known as the "sendmail restricted shell" or smrsh. The list of allowed programs is contained in /etc/smrsh, which holds symbolic links to the actual binaries we allow mail to be piped to.

    We will make the wrapper binary available, which is located in /usr/test/majordomo-1.94.5, with the following:

        ln -s /usr/test/majordomo-1.94.5/wrapper /etc/smrsh
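    smrsh limits which programs mail can reach, but it trusts whatever /etc/smrsh points at. As an added example (not from the LinuxIT guide), the function below audits such a directory: a link whose target, or the target's directory, is world-writable lets any local user run code as the mail user, and relative or dangling links are misconfigurations. It runs here on a constructed temporary directory rather than a real /etc/smrsh; the file names in it are made up.

    ```shell
    #!/bin/sh
    # Added example, not from the LinuxIT guide: audit an smrsh-style directory.
    # Every entry is checked for: relative link target, dangling link,
    # world-writable target, world-writable (non-sticky) target directory.
    audit_smrsh_dir() {
        dir=$1
        for entry in "$dir"/*; do
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            name=${entry##*/}
            if [ -L "$entry" ]; then
                target=$(readlink "$entry")
                case $target in
                    /*) ;;
                    *)  printf 'BAD   %s: relative link target "%s"\n' "$name" "$target"
                        continue ;;
                esac
            else
                target=$entry            # a binary copied straight into the directory
            fi
            if [ ! -e "$target" ]; then
                printf 'BAD   %s: dangling link to %s\n' "$name" "$target"
                continue
            fi
            parent=${target%/*}
            if [ -n "$(find "$target" -prune -perm -o=w 2>/dev/null)" ]; then
                printf 'BAD   %s: %s is world-writable\n' "$name" "$target"
            elif [ -n "$(find "$parent" -prune -perm -o=w ! -perm -1000 2>/dev/null)" ]; then
                printf 'BAD   %s: directory %s is world-writable\n' "$name" "$parent"
            else
                printf 'OK    %s -> %s\n' "$name" "$target"
            fi
        done
    }

    # Constructed sample directory (labelled as such): one good link, one link
    # to a world-writable script, one dangling link and one relative link.
    SMRSH_ROOT=$(mktemp -d "${TMPDIR:-/tmp}/smrsh.XXXXXX")
    trap 'rm -rf "$SMRSH_ROOT"' EXIT
    mkdir -p "$SMRSH_ROOT/bin" "$SMRSH_ROOT/etc-smrsh"
    printf '#!/bin/sh\necho wrapper\n' > "$SMRSH_ROOT/bin/wrapper"
    chmod 0755 "$SMRSH_ROOT/bin/wrapper"
    printf '#!/bin/sh\necho anyone can edit me\n' > "$SMRSH_ROOT/bin/loose"
    chmod 0777 "$SMRSH_ROOT/bin/loose"
    ln -s "$SMRSH_ROOT/bin/wrapper" "$SMRSH_ROOT/etc-smrsh/wrapper"
    ln -s "$SMRSH_ROOT/bin/loose"   "$SMRSH_ROOT/etc-smrsh/loose"
    ln -s "$SMRSH_ROOT/bin/gone"    "$SMRSH_ROOT/etc-smrsh/gone"
    ln -s wrapper                   "$SMRSH_ROOT/etc-smrsh/rel"

    audit_smrsh_dir "$SMRS
H_ROOT/etc-smrsh"
    ```

    On a real system call `audit_smrsh_dir /etc/smrsh` as root and also confirm that the link targets are owned by root, which this function does not check because the constructed sample cannot create root-owned files.
    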

    Before adding the entries to /etc/aliases we need to decide on a name for our first list, and we choose ... test.

    Remember that before sending mail to the list test@seafront.bar we first need to subscribe to this list by sending a mail to majordomo@seafront.bar with the contents "subscribe test". Some work needs to be done for this to work.

    Creating the list "test" (as documented in N...), add the following to /etc/aliases:

        majordomo:     "|/usr/test/majordomo-1.94.5/wrapper majordomo"
        test:          "|/usr/test/majordomo-1.94.5/wrapper resend -l test test-list"
        test-list:     :include:/usr/test/majordomo-1.94.5/lists/test
        test-request:  "|/usr/test/majordomo-1.94.5/wrapper request-answer test"
        owner-test:    tux
        test-approval: tux

    3. Run newaliases and restart sendmail.

    Majordomo Test

    Send an email to majordomo@seafront.bar with the contents "subscribe test".

    If all goes well you will receive a response with further steps to be taken.


    3. Managing Mail Traffic

    3.1 Using Procmail

    In-depth information can be found in the procmail, procmailrc and procmailex manpages. Here are a few examples taken from procmailex(5).

    A procmailrc file is a sequence of recipes of the form:

        :0 [flags] [ : [locallockfile] ]
        <zero or more conditions (one per line)>
        <exactly one action line>

    The next tables cover the main flags, conditions and actions available.

    Flags    Description

    H        ...


    The action line can start with one of:

    Action line     Description
    !               Forwards to all the specified mail addresses
    |               Starts the specified program
    {               Followed by at least one space, tab or newline will mark the start of a nesting block
    Anything else   Interpreted as a mailbox (file or directory relative to the current directory or $MAILDIR)

    Examples:

    Sort all mail coming from the lpi-dev mailing list into the mail folder LPI:

        :0:
        * ^TO_lpi-dev
        LPI

    Forward mails between two accounts main.address and the-other.address. This rule is for the procmailrc on the main address account. Notice the X-Loop header used to prevent loops:

        :0 c
        * !^X-Loop: yourname@main.address
        | formail -A "X-Loop: yourname@main.address" | \
            $SENDMAIL -oi yourname@the-other.address

    The c option tells procmail to keep a local copy.


    ... Hosts

    We will cover virtual hosts when configuring SSL servers later in this chapter. For now we distinguish two concepts:

    <VirtualHost IPADDR>      IP based virtual host

    <VirtualHost HOSTNAME>    ...


    ... hostname, etc.
    - Public Key
    - TTL
    - (optional) Signature from a certificate authority (CA)

    The certificate will be used to establish the authenticity of the server. A valid signature from a known CA is automatically recognised by the client's browser. With Mozilla for example these trusted CA certificates can be found by following the links Edit -> Preferences -> Privacy & Security -> Certificates then clicking on the "Manage Certificates" button and the Authorities TAB.

        client                                        server
          1  ---- Start SSL Handshake --------------->
          2  <--- Send Certificate -------------------
          3  ---- Send encrypted session key -------->
          4  <=== HTTP session with session key =====>

    On the other hand communications would be too slow if the session was encrypted using public key encryption. Instead, once the authenticity of the server is established, the client generates a unique secret session key which is encrypted using the server's public key found in the certificate. Once the server receives this session key it can decrypt it using the private key associated with the certificate. From there on the communication is encrypted and decrypted using this secret session key generated by the client. This is RSA key transport: anyone who later obtains the server's private key can decrypt recorded sessions. Modern TLS derives the session key with an ephemeral Diffie-Hellman exchange instead, so the certificate only authenticates the server and past sessions stay secret (forward secrecy).

    2.2 SSL Virtual Hosts

    A separate apache server can be used to listen on port 443 and implement SSL connections. However most default configurations involve a single apache server listening on both ports 80 and 443.

    For this an additional Listen directive is set in httpd.conf asking the server to listen on ...


    Task 2: Create an SSL aware VirtualHost for test1
    - make the certificate and the key: make host1.seafront.bar
    - add these lines to httpd.conf:

        SSLEngine on
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
        SSLCertificateFile /etc/httpd/conf/test1.seafront.bar.crt
        SSLCertificateKeyFile /etc/httpd/conf/test1.seafront.bar.out
        ServerAdmin [email protected]
        DocumentRoot /var/www/html/test1
        ServerName test1.seafront.bar

    This SSLCipherSuite string is kept as the lab configuration, but note that it explicitly switches on the LOW, export (EXP) and SSLv2 families and prefers RC4; a production server should remove those and disable SSLv2 and SSLv3 altogether.

    Notice that the certificate that is presented once you connect to the https://test1 site is incorrect. This is because test1.seafront.bar resolves to the server's IP address and the server will start the SSL handshake before looking at the HTTP request, so it cannot know which name-based virtual host was wanted. The next section will fix that with one IP address per host. (Later browsers and mod_ssl versions solve the same problem with Server Name Indication, which sends the hostname inside the handshake; this guide predates it.)

    IP Based Virtual Hosts

    We will directly create a series of virtual SSL aware hosts and verify that they present the client with the correct certificate.

    Task:
    - Assign new IP addresses to the eth0 interface: ifconfig eth0:0 X.X.X.X
    - For each IP enter a new A record: www1 IN A X.X.X.X
    - For each host create a self signed certificate ...
    - ... a <VirtualHost X.X.X.X:443> paragraph in httpd.conf

    Notice: You may have to change the existing SSL virtual host from

    ...

    to

    ...

    This prevents the default host certificate from being presented irrespective of the site hostname.

    Test that https://www1 and https://www2 do present the proper certificates. Notice that if you permanently accept a certificate it will be added to the list of trusted certificates in your browser; do this only for certificates you generated yourself.
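    As an added example (not part of the LinuxIT guide): the first function below splits an OpenSSL cipher string into its components and reports the ones that switch a weak family on (a component beginning with `!` removes a family for good, so it is left alone), which makes the problem with the lab's SSLCipherSuite concrete; the second writes a per-IP SSL virtual host of the kind Task 2 and the IP based hosts need, with a current cipher list and protocol set. The www1.seafront.bar name and the 10.1.2.10 address are assumptions, and the hardened cipher list is this example's choice, not the guide's.

    ```shell
    #!/bin/sh
    # Added example, not from the LinuxIT guide.

    # Print every component of an OpenSSL cipher string that enables a weak
    # family. Components starting with '!' permanently remove a family and are
    # skipped; everything else that names SSLv2/3, export, LOW, RC4, DES/3DES,
    # MD5, NULL or anonymous (ADH/aNULL) suites is reported.
    weak_cipher_components() {
        printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r comp; do
            case $comp in
                ''|!*) continue ;;
            esac
            case $comp in
                *SSLv2*|*SSLv3*|*EXP*|*LOW*|*RC4*|*DES*|*MD5*|*NULL*|*ADH*)
                    printf '%s\n' "$comp" ;;
            esac
        done
    }

    weak_cipher_count() {
        weak_cipher_components "$1" | wc -l | tr -d ' '
    }

    # The guide's lab setting beside a list of AEAD, forward-secret suites only.
    GUIDE_SUITE='ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP'
    HARDENED_SUITE='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!MD5:!RC4'

    # Write an IP based SSL virtual host ($1 = hostname, $2 = IP address).
    # Paths follow the guide's /etc/httpd/conf layout; the directives are
    # Apache 2.4 mod_ssl syntax.
    hardened_ssl_vhost() {
        cat <<EOF
    <VirtualHost $2:443>
        ServerName $1
        DocumentRoot /var/www/html/$1
        SSLEngine on
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite $HARDENED_SUITE
        SSLHonorCipherOrder on
        SSLCertificateFile /etc/httpd/conf/$1.crt
        SSLCertificateKeyFile /etc/httpd/conf/$1.key
    </VirtualHost>
    EOF
    }

    echo "weak components in the lab cipher string:"
    weak_cipher_components "$GUIDE_SUITE"
    echo "weak components in the hardened string: $(weak_cipher_count "$HARDENED_SUITE")"
    hardened_ssl_vhost www1.seafront.bar 10.1.2.10
    ```

    The lab string yields four hits (RC4+RSA, +LOW, +SSLv2, +EXP) and the hardened one none. Check what a server actually negotiates with `openssl ciphers -v "$HARDENED_SUITE"` on the box itself, since the names available depend on the OpenSSL build.
    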


    ... /etc/init.d/squid rc-script that creates the initial caching directories. If this is not the case squid can initialise these cache directories with the -z switch:

        squid -z

    NOTICE

    You may need to add an access rule in the squid configuration file before being able to rebuild the cache (see the next section "Access Lists and Access Control").

    The configuration file is /etc/squid/squid.conf. The syntax of this file can be checked using the -k switch:

        squid -k check

    As with most network services the /etc/init.d/squid rc-script is used to start the service.

    Access Lists and Access Control

    Access Lists (acl)

    In squid.conf the access lists have the following format:

        acl aclname acltype string/file
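    Squid walks the http_access lines in order and, when none matches, applies the opposite of the last line, so a chain that does not finish with `http_access deny all` (or that contains an `allow all`) turns the cache into an open proxy. As an added example (not from the LinuxIT guide), the function below reads a squid.conf and reports that. Both configurations it runs on are constructed here; the localnet acl and the 10.1.2.0/24 network are made up.

    ```shell
    #!/bin/sh
    # Added example, not from the LinuxIT guide: audit the http_access chain of
    # a squid.conf. Reports "http_access allow all" lines and a chain whose
    # last rule is not "deny all". Looks at http_access lines only; acl
    # definitions are not interpreted.
    audit_squid_access() {
        awk '
            /^[[:space:]]*http_access[[:space:]]+/ {
                n++; last = $0
                if ($2 == "allow" && $3 == "all")
                    printf "OPEN  line %d: %s\n", NR, $0
            }
            END {
                if (n == 0)
                    print "WARN  no http_access lines (squid denies every request)"
                else if (last ~ /deny[[:space:]]+all[[:space:]]*$/)
                    print "OK    chain ends with http_access deny all"
                else
                    printf "OPEN  last rule is \"%s\", not \"http_access deny all\"\n", last
            }
        ' "$1"
    }

    # Constructed samples (not real configurations): the open chain first,
    # then the corrected one with the usual Safe_ports guard.
    SQUID_OPEN="${TMPDIR:-/tmp}/squid.open.$$"
    SQUID_OK="${TMPDIR:-/tmp}/squid.ok.$$"
    trap 'rm -f "$SQUID_OPEN" "$SQUID_OK"' EXIT
    cat > "$SQUID_OPEN" <<'EOF'
    acl all src 0.0.0.0/0.0.0.0
    acl localnet src 10.1.2.0/24
    http_access allow localnet
    http_access allow all
    EOF
    cat > "$SQUID_OK" <<'EOF'
    acl all src 0.0.0.0/0.0.0.0
    acl localnet src 10.1.2.0/24
    acl Safe_ports port 80 443
    http_access deny !Safe_ports
    http_access allow localnet
    http_access deny all
    EOF

    echo "== open proxy =="
    audit_squid_access "$SQUID_OPEN"
    echo "== corrected =="
    audit_squid_access "$SQUID_OK"
    ```

    The open sample produces two OPEN lines (the `allow all` rule itself and the chain's last rule); the corrected sample is reported OK. On a real host run `audit_squid_access /etc/squid/squid.conf` after `squid -k check` has accepted the file.
    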


Here we register squid to use the Pluggable Authentication Module. This is done by adding a file in /etc/pam.d/ called squid with the following content:

/etc/pam.d/squid

auth     required /lib/security/pam_stack.so service=system-auth
auth     required /lib/security/pam_nologin.so
account  required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth

(pam_stack is specific to Red Hat systems of this era; current Linux-PAM expresses the same delegation with "auth include system-auth".)


The system-auth service referenced with service=system-auth is defined in the /etc/pam.d/system-auth file.

Also note the following from the pam_auth man page:

"When used for authenticating to local UNIX shadow password databases the program must be running as root or else it won't have sufficient permissions to access the user password database. Such use of this program is not recommended, but if you absolutely need to then make the program setuid root

chown root pam_auth
chmod u+s pam_auth

Please note that in such configurations it is also strongly recommended that the program is moved into a directory where normal users cannot access it, as this mode of operation will allow any local user to brute-force other users' passwords. Also note the program has not been fully audited and the author cannot be held responsible for any security issues due to such installations."

The usual way to meet that recommendation is to make the helper owned by root and by the group Squid runs under, with mode 4750: setuid root, but executable by the proxy alone and not by ordinary users.


DHCP Configuration

Leases issued by the server are recorded in the dhcpd.leases file (…/lib/dhcp/dhcpd.leases).


The DHCP server can be configured to update the zone files on the DNS server.

Additional Configuration

On the DHCP server add the following to the dhcpd.conf file:

ddns-update-style interim;
ignore client-updates;

key seafront.bar. {
    algorithm hmac-md5;
    secret "<base64 key shared with the DNS server>";
};

zone seafront.bar. {
    primary 192.168.3.100;
    key seafront.bar.;
}

zone 3.168.192.in-addr.arpa. {
    primary 192.168.3.100;
    key seafront.bar.;
}

The secret is the TSIG key the DNS server will check each update against, so dhcpd.conf must not be readable by ordinary users: anyone who can read it can rewrite both zones.

Optionally, it is possible to set a specific host name and domain name for a given host with the keywords

ddns-hostname host_name;
ddns-domain-name domain_name;

If the ddns-hostname option is not present then the DHCP server will try and use the name provided by the client. The domain on the other hand cannot be set by the client, so if ddns-domain-name is not present then the DHCP server will use the value given by the domain-name option.
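The DNS side of this exchange is not shown in the guide; the following named.conf fragment is an added example of it, not part of the original. It carries the same key name and secret as the dhcpd.conf fragment above and lets only updates signed with that key modify the two zones. The zone file names are assumed. The key itself can be generated with dnssec-keygen -a HMAC-MD5 -b 128 -n HOST seafront.bar., which writes the base64 secret into a K*.private file.

```conf
// Added example (not from the original guide): BIND side of the DHCP
// dynamic update setup. Key name and secret must match dhcpd.conf exactly.
key seafront.bar. {
    algorithm hmac-md5;
    secret "<same base64 secret as in dhcpd.conf>";
};

zone "seafront.bar" {
    type master;
    file "dynamic/seafront.bar.zone";        // assumed file name
    allow-update { key seafront.bar.; };     // signed updates only
};

zone "3.168.192.in-addr.arpa" {
    type master;
    file "dynamic/3.168.192.in-addr.arpa.zone";
    allow-update { key seafront.bar.; };
};
```

Restricting allow-update to the key rather than to the DHCP server's address matters because a source address is trivial to spoof on the LAN while the HMAC is not. The zone files must be writable by the user named runs as, which is why dynamic zones are usually kept in their own directory. HMAC-MD5 was the only algorithm the server versions this guide targets had in common; newer releases of both servers also accept SHA based HMACs, which should be preferred where available.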


NIS Configuration

2.1 Master Server Configuration

1. Set the NIS domain in /etc/sysconfig/network:

NISDOMAIN=linis

The file /etc/sysconfig/network will be sourced by the ypserv init script.

2. Make sure the master server will push map changes to the slave servers. For this you need to edit the file /var/yp/Makefile and put

NOPUSH=false

3. Start the ypserv daemon

/etc/init.d/ypserv restart

4. Check that the nisdomain has been properly set

nisdomainname
linis


Building the maps creates the directory /var/yp/linis as well as a file called /var/yp/ypservers.

2.2 Slave Server Configuration

The slave servers listed in /var/yp/ypservers receive map updates from the master when NOPUSH=false is set in /var/yp/Makefile.

2.3 Client Setup

On the client the main service is called ypbind (package name ypbind). This daemon is responsible for binding to a NIS server and successfully resolves names and passwords as needed. The main configuration file is /etc/yp.conf.

If the NISDOMAIN variable is set in /etc/sysconfig/network, which is sourced by the rc-script /etc/init.d/ypbind, then the NIS server will be detected using broadcast. One can also configure yp.conf and specify the server explicitly. Broadcast binding accepts the first ypserv that answers, so on anything but an isolated lab network the explicit form is the one to use. Once this is set one can start ypbind:

/etc/init.d/ypbind start

Make sure that the nis keyword is added to /etc/nsswitch.conf.
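Added example, not from the original guide: the explicit-server form of yp.conf that the text mentions, together with the server-side restriction that belongs with it. Two files are shown, each headed by its path; the server address 192.168.3.100 is assumed for the lab.

```conf
# Added example, not from the original guide. Two files, each headed by its
# path. The server address is an assumed lab value.

# /etc/yp.conf on the client: bind to a named server instead of accepting
# the first ypserv that answers a broadcast.
domain linis server 192.168.3.100

# /var/yp/securenets on the master and slaves: answer only clients from these
# networks. Format: netmask network, one pair per line.
255.255.255.255 127.0.0.1
255.255.255.0   192.168.3.0
```

NIS has no authentication of its own: any host that can bind to the domain can dump the maps with ypcat, including the password hashes in the passwd map unless they have been moved to a separate shadow map. securenets limits who can ask, and the explicit server line limits which server the client believes; neither makes the protocol itself safe off a trusted network.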


LDAP Configuration

Client-side defaults are read from /etc/openldap/ldap.conf:

BASE dc=example, dc=com
HOST 127.0.0.1


The directory database (under …/lib/ldap) can be exported as LDIF with the slapcat command.

Creating LDAP Directories Online

The LDAP server can be updated online, without having to shut the ldap service down. For this to work however we must specify a rootdn and a rootpw in /etc/openldap/slapd.conf.

The password is generated from the command line as follows:

slappasswd
New password:


1. Copy /usr/share/doc/nss_ldap-version/pam.d/passwd to /etc/pam.d

2. Add the following access rule in /etc/openldap/slapd.conf:

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
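The rootdn/rootpw step from "Creating LDAP Directories Online" and the userPassword rule just above belong in the same slapd.conf. The fragment below is an added example of the two together, not from the original guide; the suffix, the rootdn and the hash value are assumed, and the hash is the {SSHA} string that slappasswd prints.

```conf
# Added slapd.conf example, not from the original guide. Suffix, rootdn and
# the hash are assumed; paste the {SSHA} value printed by slappasswd, never
# the clear-text password.
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"
rootpw   {SSHA}<hash printed by slappasswd>

# Access clauses are tried in order and the first whose "to" part matches
# the entry/attribute decides, so the userPassword rule must come before
# the general one or every bind DN could read the password hashes.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by * read
```

"by anonymous auth" is what lets pam_ldap bind as the user without first seeing the hash; "by * none" denies everything else, including authenticated users reading each other's hashes. Keep slapd.conf readable only by root and the group slapd runs as (for example chown root:ldap, chmod 640), since it now holds the rootpw hash.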

Client Configuration

The client side is configured in /etc/ldap.conf.


In /etc/pam.d replace the file called login (read by /bin/login) with /usr/share/doc/nss_ldap-207/pam.d/login, and /etc/nsswitch.conf needs to have the following line:

passwd: ldap files

Listing files first (passwd: files ldap) keeps local accounts such as root usable when the LDAP server is unreachable, since lookups otherwise wait for the LDAP timeout before falling back.

Check the log file /var/log/ldap/ldap.log.


[Figure: how login uses PAM and NSS. login links against /lib/libpam.so.0 (ldd output); the PAM modules are configured with authconfig; nsswitch.conf selects the sources files, nis and ldap, which read /etc/passwd, /etc/group and /etc/shadow, /etc/yp.conf and /etc/ldap.conf respectively.]


The PAM configuration file is /etc/pam.conf. This file contains a list of services and a set of instructions, as follows:

service type control module-path module-arguments

However, if the directory /etc/pam.d exists then pam.conf is ignored and each service is configured through a separate file in pam.d. These files are similar to pam.conf except that the service name is dropped:

type control module-path module-arguments

type defines the "management group type". PAM modules are classified into four management groups which define different aspects of the authentication process:

account     check the validity of the account (eg. does the user have a UNIX account? is the user authorised to use the application ...)
auth        the authentication method. This points to the module(s) responsible for the challenge-response
password    defines how to change user passwords, if at all
session     modules that are run before and after a service is granted

control defines what action to take if the module fails. The simple controls are:

requisite   a failure of the module results in the immediate termination of the authentication process
required    a failure of the module will result in the termination of the authentication once all the other modules of the same type have been executed
sufficient  success of the module is sufficient except if a prior required module has failed
optional    success or failure of this module are not taken into account unless it is the only module of its type

Order matters: when a sufficient module succeeds and no earlier required module has failed, the stack returns success at once and the lines after it are not run, so a sufficient line placed above a required check silently disables that check.

module-path       the path to a PAM module (usually in /lib/security)
module-arguments  list of arguments for a specific module
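Added example, not from the original guide: a /etc/pam.d/<service> file in the format just described that exercises all four management groups and all four simple controls. The module set is that of a Linux-PAM of this era installed in /lib/security.

```conf
# Added example of a /etc/pam.d/<service> file, not from the original guide.
# Module paths assume a Linux-PAM installed in /lib/security.
#
# type      control     module-path                    module-arguments

# requisite: root on a tty not listed in /etc/securetty fails at once, the
# user is not even asked for a password.
auth        requisite   /lib/security/pam_securetty.so
# required: if /etc/nologin exists the stack will fail, but only after the
# remaining auth modules have run (so the password is still prompted for).
auth        required    /lib/security/pam_nologin.so
# sufficient: a correct password ends the auth stack with success, unless
# pam_nologin above already failed.
auth        sufficient  /lib/security/pam_unix.so
# reached only when pam_unix failed: turn that into a definite failure.
auth        required    /lib/security/pam_deny.so

account     required    /lib/security/pam_unix.so

# password: quality check first, then the change itself with the same token.
password    required    /lib/security/pam_cracklib.so  retry=3
password    required    /lib/security/pam_unix.so      use_authtok md5 shadow

# optional: a lastlog write failure must not block the login.
session     optional    /lib/security/pam_lastlog.so
session     required    /lib/security/pam_unix.so
```

The closing pam_deny line is the detail practitioners most often leave out: without it, a stack whose only real check is a sufficient module ends with "no module decided", and the outcome then depends on the library's defaults rather than on the file. Putting pam_securetty first and requisite means a rejected root login never reaches the password prompt, so nothing about the password is revealed to an attacker on an insecure terminal.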


Ipchains ............................................................ 72

1.1 The Chains ...................................................... 72
1.2 The Tables ...................................................... 73
1.3 The Targets ..................................................... 74
1.4


"The SSH (Secure Shell) Remote Login Protocol" at http://www.free.lp.se/fish/rfc.txt.

This section covers the server configuration file and briefly discusses other mechanisms that the SSH protocol offers such as X11 forwarding and port forwarding.

sshd_config overview

Port 22
    Specify which port to listen on. Multiple "Port" options can be used.

Protocol 2,1
    Specify version 1 or version 2 of the SSH protocol. Can be a comma separated list. If both are supplied, they are tried in the order presented. Version 1 has known weaknesses and recent OpenSSH releases have removed it entirely; on any real server use "Protocol 2" only.

DenyUsers user@host
    Deny users from a specific host. Wildcards such as * can be used.

IgnoreRhosts yes/no
    Default is yes: ignore the ~/.rhosts and ~/.shosts files.

Permit
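Added example, not from the original guide: the options from the table above with the values a practitioner would set on a server today, plus the forwarding switches the section mentions. Each weaker value is noted in the comment above the directive; the address patterns are assumed lab values.

```conf
# Added sshd_config example, not from the original guide. Address patterns
# are assumed lab values. Comments sit on their own lines because sshd does
# not accept trailing comments.

Port 22

# Table value was "Protocol 2,1": version 1 has known weaknesses, so offer
# version 2 only (recent OpenSSH ignores this keyword and has no v1 at all).
Protocol 2

# Root logs in as an ordinary user and escalates, so the root account is not
# exposed to password guessing over the network.
PermitRootLogin no

# Never honour ~/.rhosts or ~/.shosts; stated explicitly even though yes is
# the default, so nobody has to know the default to audit the file.
IgnoreRhosts yes
HostbasedAuthentication no

# Deny listed users outright; wildcards allowed, the host part is optional.
DenyUsers guest *@192.168.3.250
# Only these logins are accepted at all (assumed management network).
AllowUsers admin@192.168.3.*

# Keys only. Keep PasswordAuthentication yes until every account has a key.
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

# The forwarding features discussed in this section: enable only when needed,
# since a forwarded port turns every shell user into a tunnel endpoint.
X11Forwarding no
AllowTcpForwarding no
```

Run sshd -t after editing to have the daemon check the file before restarting it, and keep the session you edited from open until a second login with the new settings has succeeded: an AllowUsers line with a typo locks everybody out, including you.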


... there is 'urgent' data in the packet.

Options are tcp options enclosed in angle brackets (e.g., <mss 1024>).

Capturing TCP packets with particular flag combinations (e.g. SYN-ACK, URG-ACK, etc.)

There are 8 bits in the control bits section of the TCP header:

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

Let's assume that we want to watch packets used in establishing a TCP connection. Recall the structure of a TCP header without options:

 0                            15                              31
-----------------------------------------------------------------
|          source port          |       destination port        |
-----------------------------------------------------------------
|                        sequence number                        |
-----------------------------------------------------------------
|                     acknowledgment number                     |
-----------------------------------------------------------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|          window size          |
-----------------------------------------------------------------
|         TCP checksum          |        urgent pointer         |
-----------------------------------------------------------------

A TCP header usually holds 20 octets of data, unless options are present. The first line of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.

Starting to count with 0, the relevant TCP control bits are contained in octet 13:

 0             7|             15|             23|             31
----------------|---------------|---------------|----------------
|  HL   | rsvd  |C|E|U|A|P|R|S|F|          window size          |
----------------|---------------|---------------|----------------
|               |  13th octet   |               |               |

Let's have a closer look at octet no. 13:

                |               |
                |---------------|
                |C|E|U|A|P|R|S|F|
                |---------------|
                |7   5   3     0|

These are the TCP control bits we are interested in. We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5.

Recall that we want to capture packets with only SYN set. Let's see what happens to octet 13 if a TCP datagram arrives with the SYN bit set in its header:

                |C|E|U|A|P|R|S|F|
                |---------------|
                |0 0 0 0 0 0 1 0|
                |---------------|
                |7 6 5 4 3 2 1 0|

Looking at the control bits section we see that only bit number 1 (SYN) is set.

Assuming that octet number 13 is an 8-bit unsigned integer in network byte order, the binary value of this octet is

00000010

and its decimal representation is

0*2^7 + 0*2^6 + 0*2^5 + 0*2^4 + 0*2^3 + 0*2^2 + 1*2^1 + 0*2^0 = 2

We're almost done, because now we know that if only SYN is set, the value of the 13th octet in the TCP header, when interpreted as an 8-bit unsigned integer in network byte order, must be exactly 2.

This relationship can be expressed as

tcp[13] == 2
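The octet-13 arithmetic above, generalised to any set of flags as an added example (not part of the tcpdump manual text the guide reproduces): a POSIX shell helper that computes the octet value for the flags named on its command line and prints the matching tcpdump expression, both for "exactly these flags" (the text's tcp[13] == 2 case) and for "at least these flags". The interface name in the usage lines is assumed.

```shell
#!/bin/sh
# Added example, not from the guide or the tcpdump manual: compute the value
# of TCP octet 13 for any flag combination and print the tcpdump filter.
# Pure POSIX shell arithmetic; the interface name below is an assumption.

# Bit position of each flag in octet 13, numbered 0..7 right to left as in
# the text (FIN is bit 0, SYN bit 1, ..., CWR bit 7).
flag_bit() {
    case "$1" in
        FIN) echo 0 ;;  SYN) echo 1 ;;  RST) echo 2 ;;  PSH) echo 3 ;;
        ACK) echo 4 ;;  URG) echo 5 ;;  ECE) echo 6 ;;  CWR) echo 7 ;;
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# Sum 2^bit over the flags given: SYN -> 2, SYN ACK -> 18, FIN PSH URG -> 41.
flags_value() {
    total=0
    for f in "$@"; do
        bit=$(flag_bit "$f") || return 1
        total=$(( total + (1 << bit) ))
    done
    echo "$total"
}

# Filter for packets carrying exactly these flags and no others; the text's
# "only SYN set" case yields tcp[13] == 2.
filter_exact() {
    echo "tcp[13] == $(flags_value "$@")"
}

# Filter for packets carrying at least these flags, whatever else is set.
# This is the one to use for "every SYN", because a SYN-ACK also has SYN set
# and would be missed by the exact form.
filter_any() {
    v=$(flags_value "$@")
    echo "tcp[13] & $v == $v"
}

# Usage (needs root; eth0 is an assumed interface name):
#   tcpdump -ni eth0 "$(filter_exact SYN)"        # connection attempts only
#   tcpdump -ni eth0 "$(filter_any SYN ACK)"      # the replies to them
#   tcpdump -ni eth0 "$(filter_exact FIN PSH URG)"  # Xmas-style probes
```

The difference between the two filters is the usual pitfall when turning this manual section into a capture rule: tcp[13] == 2 deliberately excludes SYN-ACK, which is right for counting inbound connection attempts but wrong for watching a whole handshake, where the masked form is needed.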


... authorized_keys, .shosts, .rhosts

2.212.5 TCP_wrappers
Modified: 2001-August-26   Maintainer: Dimitrios Bogiatzoules   Weight: 1

Description: The candidate should be able to configure tcpwrappers to allow connections to specified servers from only certain hosts or subnets.

Key files, terms, and utilities include: inetd.conf, tcpd, hosts.allow, hosts.deny, xinetd

2.212.6 Security tasks
Modified: 2001-August-26   Maintainer: Dimitrios Bogiatzoules   Weight: 3

Description: The candidate should be able to install and configure kerberos and perform basic security auditing of source code. This objective includes arranging to receive security alerts from Bugtraq, C
