Linux+ Guide to Linux Certification, Second Edition
Chapter 15: Configuring Network Services and Security
Linux+ Guide to Linux Certification, 2e 2
Objectives
• Identify and configure common network services
• Configure routing and firewalls
• Describe the different facets of Linux security
• Increase the security of a Linux computer
• Outline measures that can be used to detect a Linux security breach
Network Services
• Processes that provide some type of valuable service for client computers on network
• Must identify types and features of network services before they can be configured
• Important to configure network-related services, such as routing and firewalls
Identifying Network Services
• Port: Number uniquely identifying a network service
  – Ensures that packets are delivered to the proper service
  – Range from 0 to 65534
• /etc/services file: Lists ports and associated protocol
• Well-known port: Ports from 0 to 1024
  – Used by common networking services
Identifying Network Services (continued)
Table 15-1: Common well-known ports
Identifying Network Services (continued)
• Internet Super Daemon (xinetd): Initializes and configures many networking services
• Standalone daemons: Daemons normally started at boot-up
  – e.g., Apache Web server
  – Configure themselves without assistance
  – ntsysv utility can configure most standalone daemons to start in various runlevels
Identifying Network Services (continued)
Figure 15-1: Interacting with network services
Configuring Common Network Services
Table 15-2: Common network services
Configuring DNS
• Zone: Portion of DNS administered by one or more DNS servers
• Forward lookup: FQDN resolved to IP address
• Reverse lookup: IP address resolved to FQDN
Configuring DNS (continued)
Figure 15-2: The DNS lookup process
Configuring DNS (continued)
• Iterative query: Resolved without use of top-level DNS servers
• Recursive query: Resolved with the use of top-level DNS servers
• DNS cache file: Contains IP addresses of top-level DNS servers
Configuring DNS (continued)
• Master or primary DNS server: Contains read/write copy of zone
• Slave or secondary DNS server: Contains read-only copy of zone
• Zone transfer: Copying zone resource records from master to slave DNS server
Configuring DNS (continued)
Table 15-3: Common zone configuration files
Configuring DHCP
• DHCP client sends a DHCP broadcast on the network
  – Requests IP configuration information
• DHCP server leases an IP address to the client computer for a period of time
  – Ensures each client has a unique IP address
• /etc/dhcpd.conf file: Configures the computer as a DHCP server
  – Lists the appropriate IP address range for the network
Configuring Apache
• Most common Web server
• Document root directory: Stores default HTML content for a Web server
  – /var/www/html on Fedora Linux
  – Default document is index.html
• /etc/httpd/conf/httpd.conf: Default configuration file
• Directive: Line within a configuration file
Configuring Apache (continued)
Table 15-4: Common httpd.conf directives
Configuring Samba
• Samba daemon: Emulates the SMB protocol
• Windows computers advertise computer names using the NetBIOS protocol
  – Can use the NetBIOS name daemon to create and advertise a NetBIOS name
• Connect Windows computers to the Linux server
• smbpasswd command: Generate Samba passwords
Configuring Samba (continued)
• /etc/samba/smb.conf: Default Samba configuration file
• /etc/rc.d/init.d/smb start: Starts the Samba and NetBIOS name daemons
  – Restart if smb.conf is changed
Configuring NFS
• Create directory containing information to share
• Edit the /etc/exports file:
  – Add a line listing the directory to be shared and its options
• Run exportfs -a
  – Updates the list of exported filesystems
• Restart the NFS processes
Configuring FTP
• Very secure FTP daemon (vsftpd): Packaged with Fedora Linux
• To configure (assuming logon as "user1"):
  – Create a directory below user1's home directory to host the files
    • Ensure user1 owns the directory
  – Run /etc/rc.d/init.d/vsftpd start
    • Starts the vsftpd daemon
Configuring NIS
• Network Information Service (NIS): Coordinates common configuration files across several computers
  – Computers belong to a NIS domain and use NIS maps to access configuration information
  – Most commonly used for password databases
Configuring NIS (continued)
• Define the NIS domain via the domainname <NIS_domain_name> command
• Add "NISDOMAIN=<NIS_domain>" to the /etc/sysconfig/network file
  – Configures the NIS domain at boot time
• Add "domain <NIS_domain> server <NIS_server>" to the /etc/yp.conf file
  – Queries a specific NIS server
Configuring the Secure Shell Daemon
• Secure Shell daemon (sshd): Allows use of ssh utility to log in to network servers
• /etc/ssh/sshd_config file: Contains configuration options
• Uses challenge-response authentication by default
Configuring the Secure Shell Daemon (continued)
• Supported encryption standards:
  – Triple Data Encryption Standard (3DES)
  – Advanced Encryption Standard (AES)
  – Blowfish
  – Carlisle Adams Stafford Tavares (CAST)
  – ARCfour
Routing and Firewall Services
• Network services not provided entirely by network daemons
  – Provided by the Linux kernel
  – Do not listen on a particular port
Routing
• Route table: Indicates which networks are connected to network interfaces
• route command: Manipulates the route table
• Multihomed hosts: Computers with multiple network interfaces
• IP forwarding: Forwarding TCP/IP packets between networks
• Routing: Forwarding data packets between networks
Routing (continued)
• Enabling routing:
  – Place the number 1 in the /proc/sys/net/ipv4/ip_forward file
  – Place "net.ipv4.ip_forward = 1" in the /etc/sysctl.conf file
Routing (continued)
• Large networks may have several routers
• route add <route> command: Add entries to route table
• route del <route> command: Remove entries from route table
• Can use ip command to add entries to route table
Routing (continued)
Figure 15-3: A sample routed network
Routing (continued)
• Contents of the route table are lost when the computer is powered off
  – Add the route commands to the /etc/rc.d/rc.local file
• Most routers are configured with a default gateway
  – Used for packets addressed to destinations not in the route table
• traceroute command: Troubleshoots routing
  – Displays the routers between the current and remote computer
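The route table lookup these slides describe, as an added example (not from the textbook): a constructed table for a multihomed host, looked up with longest-prefix match so that the 0.0.0.0/0 default gateway is used only when no more specific network matches.

```python
# Added example (not from the textbook): a minimal model of the kernel's
# route table lookup. Each entry pairs a destination network with the
# interface (and optional gateway) used to reach it. The most specific
# matching prefix wins; the 0.0.0.0/0 entry is the default gateway used
# for destinations not otherwise listed (compare "route -n" output).
from ipaddress import ip_address, ip_network

# Constructed sample table, as "route add" commands would build it on a
# multihomed host with eth0 on 192.168.1.0/24 and eth1 on 10.0.0.0/8.
ROUTE_TABLE = [
    {"dest": "192.168.1.0/24", "gateway": None,          "iface": "eth0"},
    {"dest": "10.0.0.0/8",     "gateway": None,          "iface": "eth1"},
    {"dest": "10.5.0.0/16",    "gateway": "10.0.0.254",  "iface": "eth1"},
    {"dest": "0.0.0.0/0",      "gateway": "192.168.1.1", "iface": "eth0"},
]

def lookup(table, destination):
    """Return (gateway, interface) for destination using longest-prefix match.
    gateway is None when the destination network is directly connected.
    Raises LookupError when nothing matches (no default route either)."""
    dst = ip_address(destination)
    best = None                      # (prefix length, entry) of best match
    for entry in table:
        net = ip_network(entry["dest"])
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, entry)
    if best is None:
        raise LookupError(f"no route to host {destination}")
    entry = best[1]
    return entry["gateway"], entry["iface"]

if __name__ == "__main__":
    for host in ("192.168.1.50", "10.5.7.9", "10.200.1.1", "8.8.8.8"):
        gw, dev = lookup(ROUTE_TABLE, host)
        via = f"via {gw}" if gw else "directly connected"
        print(f"{host:>13} -> {dev} ({via})")
```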
Firewall Services
• netfilter/iptables: Used to create a firewall
  – Discards network packets according to chains of rules
• Chains: Specify general type of network traffic to apply rules to
• Rules: Match network traffic to be allowed or dropped
Firewall Services (continued)
• Three chain types:
  – INPUT chain: Incoming packets
  – FORWARD chain: Packets passing through the computer
  – OUTPUT chain: Outgoing packets
• iptables command: Creates rules for a chain
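How a chain of rules decides a packet's fate, as an added example (not from the textbook and not iptables itself): a constructed INPUT chain is evaluated in order, the first matching rule wins, and the chain's default policy applies when nothing matches.

```python
# Added example (not from the textbook): a small model of how a netfilter
# chain is evaluated. Rules are checked in order; the first rule whose match
# criteria fit the packet decides its fate (ACCEPT or DROP). If no rule
# matches, the chain's default policy applies. The sample INPUT chain below
# is constructed to mirror a typical "iptables -A INPUT ..." script.
from ipaddress import ip_address, ip_network

class Rule:
    def __init__(self, target, proto=None, dport=None, src=None, state=None):
        self.target = target          # "ACCEPT" or "DROP"
        self.proto = proto            # "tcp", "udp", "icmp" or None (any)
        self.dport = dport            # destination port or None (any)
        self.src = ip_network(src) if src else None  # source network or None
        self.state = state            # "NEW", "ESTABLISHED" or None (any)

    def matches(self, pkt):
        return ((self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport)
                and (self.src is None or ip_address(pkt["src"]) in self.src)
                and (self.state is None or pkt["state"] == self.state))

class Chain:
    def __init__(self, policy, rules):
        self.policy = policy          # applied when no rule matches
        self.rules = rules

    def verdict(self, pkt):
        for rule in self.rules:       # first match wins, as in iptables
            if rule.matches(pkt):
                return rule.target
        return self.policy

# Constructed INPUT chain: allow replies to our own connections, SSH from
# the LAN only, HTTP from anywhere, and drop everything else (policy DROP).
INPUT = Chain("DROP", [
    Rule("ACCEPT", state="ESTABLISHED"),
    Rule("ACCEPT", proto="tcp", dport=22, src="192.168.1.0/24", state="NEW"),
    Rule("ACCEPT", proto="tcp", dport=80, state="NEW"),
])

def filter_packet(chain, proto, src, dport=None, state="NEW"):
    return chain.verdict({"proto": proto, "src": src, "dport": dport, "state": state})

if __name__ == "__main__":
    print(filter_packet(INPUT, "tcp", "192.168.1.20", 22))   # ACCEPT
    print(filter_packet(INPUT, "tcp", "203.0.113.9", 22))    # DROP
    print(filter_packet(INPUT, "tcp", "203.0.113.9", 80))    # ACCEPT
    print(filter_packet(INPUT, "udp", "203.0.113.9", 53))    # DROP (policy)
```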
Firewall Services (continued)
Table 15-5: Common iptables commands
Security
• Linux systems typically available across networks such as the Internet
• Should improve local and network security
• Understand how to detect intruders who breach the system
Securing the Local Computer
• Limit access to the computer itself
  – Prevents malicious users from accessing files
• Server closet: Secured room to store servers
• Remove floppy and CD-ROM devices from workstations
• Ensure BIOS prevents booting from USB ports
Securing the Local Computer (continued)
• Ensure BIOS password is set
• Set boot loader password in LILO or GRUB configuration file
• Limit access to graphical desktops and shells
• Minimize root user’s time logged in
Securing the Local Computer (continued)
• nohup command: Prevents other commands from exiting when parent process killed
• su (switch user) command: Switch current user account to another
• sudo command: Perform commands as another user via entries in /etc/sudoers file
Protecting Against Network Attacks
• Always a possibility that crackers can manipulate a network service
• Buffer overrun: Network service altered in memory
• Minimize number of running network services
• nmap (network mapper) command: Scans ports on network computers
  – Shows which network services are running
Protecting Against Network Attacks (continued)
• Enable encryption on essential network services
• Ensure network service daemons not run as root user when possible
• New network service versions usually include fixes for known network attacks
  – Keep network services up-to-date
Protecting Against Network Attacks (continued)
• TCP wrapper: Run network daemon with additional security via /etc/hosts.allow and /etc/hosts.deny files
• Examine permissions for files and directories associated with system and network services
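The hosts.allow / hosts.deny decision a TCP wrapper makes, as an added example (not from the textbook, and a simplified model rather than the real libwrap code): the constructed file contents below restrict sshd to the LAN and the mail daemons to one domain, with "ALL: ALL" in hosts.deny, because without a deny entry the wrapper's default is to let the connection through.

```python
# Added example (not from the textbook): simplified model of the tcpd /
# libwrap access check. A hosts.allow match grants access, else a
# hosts.deny match refuses it, else access is granted (the default!).
HOSTS_ALLOW = """
sshd: 192.168.1.
ipop3d, imapd: .example.com
"""
HOSTS_DENY = """
ALL: ALL
"""

def _pattern_matches(pattern, client):
    # Client patterns modelled: ALL, address prefix "192.168.1." (trailing
    # dot), host name suffix ".example.com" (leading dot), exact match.
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client.startswith(pattern)
    if pattern.startswith("."):
        return client.endswith(pattern)
    return client == pattern

def _file_matches(contents, daemon, client):
    # Each line is "daemon_list : client_list [: option]"; lists are
    # comma- or space-separated; '#' starts a comment.
    for line in contents.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        daemon_list = daemons.replace(",", " ").split()
        client_list = clients.replace(",", " ").split()
        if any(d in ("ALL", daemon) for d in daemon_list) and \
           any(_pattern_matches(p, client) for p in client_list):
            return True
    return False

def access_granted(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return True if the wrapper would pass the connection to `daemon`."""
    if _file_matches(allow, daemon, client):
        return True
    if _file_matches(deny, daemon, client):
        return False
    return True  # neither file matched: default is to allow

if __name__ == "__main__":
    print(access_granted("sshd", "192.168.1.42"))       # True
    print(access_granted("sshd", "203.0.113.9"))        # False
    print(access_granted("ftpd", "10.0.0.5", deny=""))  # True: empty hosts.deny
```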
Detecting Intrusion
• Log files can contain information or irregularities indicating an intrusion
• Review system log files associated with authentication
• Pluggable Authentication Module (PAM): Handles authentication requests by daemons
  – Log file is /var/log/secure
Detecting Intrusion (continued)
• Check the /var/log/wtmp log file
  – Lists users who receive BASH shells
• Tripwire: Monitors files and directories
• Intrusion Detection System (IDS): Detect unauthorized access
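Reviewing the authentication log for the irregularities mentioned above, as an added example (not from the textbook): the sshd lines below are constructed samples in the syslog format written to /var/log/secure, and the function counts failed logins per source and flags a source whose login succeeds after a run of failures.

```python
# Added example (not from the textbook): scanning /var/log/secure for the
# sshd/PAM patterns that suggest a password-guessing attempt. The log
# lines below are constructed samples in the usual syslog format; a real
# review would read the file itself (open("/var/log/secure")).
import re
from collections import defaultdict

SAMPLE_SECURE_LOG = """\
Jan 14 03:12:01 server sshd[2041]: Failed password for invalid user admin from 203.0.113.9 port 51722 ssh2
Jan 14 03:12:03 server sshd[2041]: Failed password for root from 203.0.113.9 port 51724 ssh2
Jan 14 03:12:04 server sshd[2043]: Failed password for root from 203.0.113.9 port 51726 ssh2
Jan 14 03:12:09 server sshd[2044]: Accepted password for root from 203.0.113.9 port 51730 ssh2
Jan 14 08:45:10 server sshd[3102]: Accepted publickey for user1 from 192.168.1.20 port 40022 ssh2
Jan 14 09:02:33 server sshd[3150]: Failed password for user1 from 192.168.1.20 port 40031 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def review_secure_log(text, threshold=3):
    """Return per-source failure counts and a list of findings: sources with
    at least `threshold` failures, and any successful login from a source
    that had already failed (success after failures is the signal to chase)."""
    failures = defaultdict(int)
    findings = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue                      # not an sshd authentication event
        src, user = m.group("src"), m.group("user")
        if m.group("result") == "Failed":
            failures[src] += 1
            if failures[src] == threshold:
                findings.append(f"{src}: {threshold} failed logins")
        elif failures[src]:
            findings.append(f"{src}: login for {user} accepted after "
                            f"{failures[src]} failures")
    return dict(failures), findings

if __name__ == "__main__":
    counts, alerts = review_secure_log(SAMPLE_SECURE_LOG)
    print(counts)
    for alert in alerts:
        print("ALERT", alert)
```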
Detecting Intrusion (continued)
Table 15-6: Common Linux intrusion detection systems