Transcript
Page 1: Linux+ Guide to Linux Certification, Second Edition Chapter 15 Configuring Network Services and Security

Linux+ Guide to Linux Certification, Second Edition

Chapter 15 Configuring Network Services and Security

Linux+ Guide to Linux Certification, 2e 2

Objectives

• Identify and configure common network services

• Configure routing and firewalls

• Describe the different facets of Linux security

• Increase the security of a Linux computer

• Outline measures that can be used to detect a Linux security breach

Network Services

• Processes that provide some type of valuable service for client computers on network

• Must identify types and features of network services before they can be configured

• Important to configure network-related services, such as routing and firewalls

Identifying Network Services

• Port: Number that identifies a network service on a host, so that packets are delivered to the proper service

– Range from 0 to 65535 (a 16-bit field in the TCP and UDP headers)

• /etc/services file: Lists port numbers with their transport protocol (tcp or udp) and the service name conventionally assigned to each; it is a lookup table, not proof that the service is actually running on that port

• Well-known ports: 0 to 1023

– Reserved for common network services (IANA calls 1024 to 49151 registered ports and 49152 to 65535 dynamic or private ports)

– On Linux only root (or a process holding the CAP_NET_BIND_SERVICE capability) can bind a port below 1024
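As an added example (not from the textbook), the script below ties the two ideas on this slide together: it matches the sockets a host is listening on against /etc/services and flags the ones exposed on every interface that the services file cannot explain. Both inputs are constructed so it runs offline; on a real host the same functions take /etc/services itself and the output of `ss -tln` (or `netstat -tln` on older systems, which prints a similar layout).

```shell
#!/bin/sh
# Added example (not from the textbook): match listening sockets against
# /etc/services and flag what is exposed on every interface.
# Both samples below are constructed so the script runs offline.

# Constructed excerpt in /etc/services format: name  port/protocol  [aliases]
SERVICES_SAMPLE='ssh             22/tcp
smtp            25/tcp          mail
domain          53/tcp
http            80/tcp          www
https           443/tcp
mysql           3306/tcp'

# Constructed excerpt of "ss -tln" output, header line included
SS_SAMPLE='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     *:80                 *:*
LISTEN  0       128     [::1]:25             [::]:*
LISTEN  0       128     0.0.0.0:8443         0.0.0.0:*'

# classify_port PORT -> well-known | registered | dynamic (IANA ranges)
classify_port() {
    if [ "$1" -le 1023 ]; then echo well-known
    elif [ "$1" -le 49151 ]; then echo registered
    else echo dynamic
    fi
}

# service_name PORT PROTO: reads /etc/services-format text on stdin and
# prints the service name registered for PORT/PROTO, or "unknown"
service_name() {
    awk -v want="$1/$2" '
        $1 !~ /^#/ && $2 == want { print $1; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# audit_listeners SS_OUTPUT SERVICES_TEXT: one line per listening socket,
# "PORT SERVICE RANGE SCOPE", where SCOPE is all-interfaces for wildcard
# binds, loopback for 127.x / ::1, else the specific address bound
audit_listeners() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { print $4 }' |
    while IFS= read -r sock; do
        port=${sock##*:}
        addr=${sock%:*}
        case "$addr" in
            0.0.0.0|'*'|'[::]') scope=all-interfaces ;;
            127.*|'[::1]')      scope=loopback ;;
            *)                  scope=$addr ;;
        esac
        name=$(printf '%s\n' "$2" | service_name "$port" tcp)
        printf '%s %s %s %s\n' "$port" "$name" "$(classify_port "$port")" "$scope"
    done
}

# exposed_unknown SS_OUTPUT SERVICES_TEXT: the sockets to chase first,
# i.e. reachable from the network on a port /etc/services does not explain
exposed_unknown() {
    audit_listeners "$1" "$2" | awk '$2 == "unknown" && $4 == "all-interfaces" { print $1 }'
}

audit_listeners "$SS_SAMPLE" "$SERVICES_SAMPLE"
echo "unexplained, network-reachable ports: $(exposed_unknown "$SS_SAMPLE" "$SERVICES_SAMPLE")"
```

On the sample, port 8443 is the one to chase: it is bound on all interfaces and /etc/services says nothing about it, while the MySQL listener on 127.0.0.1 is only reachable locally. The name /etc/services returns is a convention; confirm what actually owns a socket with `ss -tlnp` as root before deciding it is harmless.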

Identifying Network Services (continued)

Table 15-1: Common well-known ports

Identifying Network Services (continued)

• Internet Super Daemon (xinetd): Listens on the ports of many small network services on their behalf and starts the matching daemon only when a connection arrives

– Per-service configuration, including access controls, lives in /etc/xinetd.d/

• Standalone daemons: Daemons normally started at boot-up

– e.g., Apache Web server

– Listen on their own ports and read their own configuration files without assistance

– ntsysv utility can configure most standalone daemons to start in various runlevels (on current distributions systemd units and systemctl enable/disable play this role)

Identifying Network Services (continued)

Figure 15-1: Interacting with network services

Configuring Common Network Services

Table 15-2: Common network services

Configuring DNS

• Zone: Portion of DNS administered by one or more DNS servers

• Forward lookup: FQDN resolved to IP address

• Reverse lookup: IP address resolved to FQDN

Configuring DNS (continued)

Figure 15-2: The DNS lookup process

Configuring DNS (continued)

• Recursive query: The client asks its DNS server for a final answer; the server does whatever work is needed, including contacting the root (top-level) DNS servers and following referrals

• Iterative query: The queried server answers with the best information it already has (a record from its own zones or cache, or a referral to another server) and does not contact other servers on the client's behalf

• DNS cache file (root hints file, /var/named/named.ca in the Fedora BIND package): Contains the IP addresses of the root DNS servers from which a recursive lookup starts

– A server that answers recursive queries for anyone on the Internet (an open resolver) can be abused for cache poisoning and amplification attacks; limit recursion to local clients with allow-recursion in named.conf

Configuring DNS (continued)

• Master or primary DNS server: Contains the read/write copy of the zone

• Slave or secondary DNS server: Contains a read-only copy of the zone obtained from the master

• Zone transfer: Copying zone resource records from the master to a slave DNS server

– A zone transfer (AXFR) hands out every record in the zone, so restrict it to the slaves' addresses with allow-transfer in named.conf rather than answering any requester

Configuring DNS (continued)

Table 15-3: Common zone configuration files

Configuring DHCP

• Client sends a DHCP broadcast on the network to request IP configuration information (address, netmask, default gateway, DNS servers)

• DHCP server leases an IP address to the client computer for a period of time

– Ensures each client has a unique IP address

• /etc/dhcpd.conf file: Configures the computer as a DHCP server (newer ISC dhcpd packages read /etc/dhcp/dhcpd.conf)

– Lists the appropriate IP address range and options for each subnet

Configuring Apache

• Most common Web server

• Document root directory: Stores the default HTML content for a Web server

– /var/www/html on Fedora Linux

– Default document is index.html

• /etc/httpd/conf/httpd.conf: Default configuration file

• Directive: Line within a configuration file

Configuring Apache (continued)

Table 15-4: Common httpd.conf directives

Configuring Samba

• Samba daemon (smbd): Implements the SMB/CIFS file and printer sharing protocol used by Windows

• Windows computers advertise computer names using the NetBIOS protocol

– The NetBIOS name daemon (nmbd) creates and advertises a NetBIOS name for the Linux server so Windows computers can find and connect to it

• smbpasswd command: Creates Samba passwords, which are stored separately from the Linux account passwords

Configuring Samba (continued)

• /etc/samba/smb.conf: Default Samba configuration file

• /etc/rc.d/init.d/smb start: Starts the Samba and NetBIOS name daemons

– Restart after smb.conf is changed; testparm checks the file for syntax errors first

Configuring NFS

• Create the directory containing the information to share

• Edit the /etc/exports file

– Add a line listing the directory to be shared, the hosts or networks allowed to mount it, and options (e.g., ro, rw, root_squash)

– Export to specific hosts or networks rather than to everyone; root_squash (the default) maps a remote root user to an unprivileged account

• Run exportfs -a to update the list of exported filesystems

• Restart the NFS processes

Configuring FTP

• Very secure FTP daemon (vsftpd): Packaged with Fedora Linux

• To configure (assuming logon as "user1"):

– Create a directory below user1's home directory to host the files, and ensure user1 owns the directory

– Run /etc/rc.d/init.d/vsftpd start to start the vsftpd daemon

• FTP sends user names, passwords and data in cleartext; for interactive use prefer SFTP (over sshd) and reserve plain FTP for anonymous, read-only downloads

Configuring NIS

• Network Information Service (NIS): Coordinates common configuration files across several computers

– Computers belong to a NIS domain and use NIS maps to access the configuration information

– Most commonly used for password databases

Configuring NIS (continued)

• Define the NIS domain with the domainname <NIS_domain_name> command

• Add NISDOMAIN=<NIS_domain> to the /etc/sysconfig/network file to configure the NIS domain at boot time

• Add "domain <NIS_domain> server <NIS_server>" to the /etc/yp.conf file to query a specific NIS server

• NIS maps, including the password hashes in passwd.byname, can be retrieved by any host that knows the domain name; restrict the server with /var/yp/securenets and keep it off untrusted networks

Configuring the Secure Shell Daemon

• Secure Shell daemon (sshd): Allows use of the ssh utility to log in to network servers over an encrypted connection

• /etc/ssh/sshd_config file: Contains configuration options

• Uses challenge-response (password) authentication by default; public-key authentication is stronger and lets password logins be disabled with PasswordAuthentication no

Configuring the Secure Shell Daemon (continued)

• Supported encryption standards:

– Triple Data Encryption Standard (3DES)

– Advanced Encryption Standard (AES)

– Blowfish

– Carlisle Adams Stafford Tavares (CAST)

– ARCfour

– Current OpenSSH releases no longer enable arcfour, Blowfish, CAST or 3DES by default; AES (CTR and GCM modes) and ChaCha20-Poly1305 are the ciphers to keep in a Ciphers directive
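As an added example (not from the textbook), the script below audits an sshd_config for the settings the last two slides touch on (root login, password versus key authentication, legacy ciphers) and then rewrites it with safe values. The configuration it reads is constructed for the example; on a real host feed /etc/ssh/sshd_config in, and check the rewritten file with `sshd -t` before restarting the daemon.

```shell
#!/bin/sh
# Added example (not from the textbook): audit an sshd_config for the
# settings that matter most on an exposed server, then rewrite it.
# The configuration below is constructed for the example.

WEAK_CONFIG='# constructed sshd_config with several weak choices
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
Ciphers aes128-ctr,aes256-ctr,arcfour,blowfish-cbc,3des-cbc
Subsystem sftp /usr/libexec/openssh/sftp-server'

# audit_sshd_config: reads sshd_config text on stdin, prints one finding
# per line, nothing when clean. Directive names are case-insensitive.
audit_sshd_config() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        { key = tolower($1); val = $2; seen[key] = 1 }
        key == "permitrootlogin" && val != "no" && val != "prohibit-password" {
            print "PermitRootLogin " val " (use no, or prohibit-password for key-only root)" }
        key == "passwordauthentication" && val == "yes" {
            print "PasswordAuthentication yes (use public keys and turn passwords off)" }
        key == "permitemptypasswords" && val == "yes" {
            print "PermitEmptyPasswords yes" }
        key == "protocol" && val ~ /1/ {
            print "Protocol " val " (SSH protocol 1 is broken)" }
        key == "ciphers" && val ~ /arcfour|blowfish|cast128|3des/ {
            print "Ciphers lists a legacy cipher: " val }
        END {
            if (!seen["permitrootlogin"]) print "PermitRootLogin not set (default differs by version; set it explicitly)"
            if (!seen["passwordauthentication"]) print "PasswordAuthentication not set (default is yes)"
        }'
}

# harden_sshd_config: reads sshd_config text on stdin and prints it with the
# directives above forced to safe values (replaced in place, appended when
# absent). Every other line passes through unchanged.
harden_sshd_config() {
    awk '
        BEGIN {
            fix["permitrootlogin"]        = "PermitRootLogin no"
            fix["passwordauthentication"] = "PasswordAuthentication no"
            fix["permitemptypasswords"]   = "PermitEmptyPasswords no"
            fix["protocol"]               = "Protocol 2"
            fix["ciphers"]                = "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr"
        }
        $1 !~ /^#/ && (tolower($1) in fix) {
            key = tolower($1)
            if (!done[key]) print fix[key]
            done[key] = 1
            next
        }
        { print }
        END { for (k in fix) if (!done[k]) print fix[k] }'
}

echo "findings:"
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config
echo "hardened configuration:"
printf '%s\n' "$WEAK_CONFIG" | harden_sshd_config
```

The audit reports three findings on the sample (root login, password authentication, legacy ciphers) and nothing on the rewritten file. Keep an existing session open while you restart sshd with a changed configuration, so a typo does not lock you out.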

Routing and Firewall Services

• Routing and firewalling are network services not provided entirely by network daemons

– Provided by the Linux kernel

– Do not listen on a particular port

Routing

• Route table: Indicates which networks are reachable through each network interface, and through which gateway

• route command: Manipulates the route table

• Multihomed hosts: Computers with multiple network interfaces

• IP forwarding: Forwarding TCP/IP packets between networks

• Routing: Forwarding data packets between networks according to the route table

Routing (continued)

• Enabling routing:

– Place the number 1 in the /proc/sys/net/ipv4/ip_forward file (takes effect immediately, lost at reboot)

– Place "net.ipv4.ip_forward = 1" in the /etc/sysctl.conf file (applied at boot, or immediately with sysctl -p)

– Enable forwarding only on hosts meant to route; a multihomed server that forwards by accident bridges networks the firewall was supposed to keep apart

Routing (continued)

• Large networks may have several routers

• route add <route> command: Add entries to route table

• route del <route> command: Remove entries from route table

• Can use ip command to add entries to route table

Routing (continued)

Figure 15-3: A sample routed network

Routing (continued)

• Contents of the route table are lost when the computer is powered off

– Add the route commands to the /etc/rc.d/rc.local file (or to the distribution's network configuration files)

• Most routers are configured with a default gateway

– Used for packets addressed to destinations not in the route table

• traceroute command: Troubleshoots routing

– Displays the routers between the current and a remote computer

Firewall Services

• netfilter/iptables: Used to create a firewall

– Accepts or discards network packets according to chains of rules

• Chains: Specify the general type of network traffic the rules apply to; each chain has a default policy used when no rule matches

• Rules: Match network traffic to be allowed or dropped; rules are tested in order and the first match decides

Firewall Services (continued)

• Three built-in chains of the filter table:

– INPUT chain: Incoming packets addressed to this computer

– FORWARD chain: Packets passing through this computer to another network

– OUTPUT chain: Outgoing packets generated by this computer

• iptables command: Creates rules for a chain
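As an added example (not from the textbook), the script below builds a complete default-deny firewall for a host that also routes for one LAN, so all three chains from this slide and the IP forwarding case from the routing slides appear in one ruleset. It is written in iptables-restore format, which loads the whole table at once, instead of a series of separate iptables commands that leave the host half-protected while they run. The interface names, the LAN prefix and the SSH port are assumptions for the example; the loading function needs root and is not invoked.

```shell
#!/bin/sh
# Added example (not from the textbook): a default-deny ruleset for a
# host that also routes for one LAN, in iptables-restore format.
# Interface names, LAN prefix and SSH port are assumptions for the example.
LAN_IF=${LAN_IF:-eth1}              # assumed: interface toward the internal LAN
WAN_IF=${WAN_IF:-eth0}              # assumed: interface toward the Internet
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed: internal network
SSH_PORT=${SSH_PORT:-22}

# gen_ruleset: prints the filter table. INPUT and FORWARD default to DROP,
# so a packet no rule matches is discarded; rules are tried top to bottom
# and the first match decides (ACCEPT/DROP end the walk, LOG does not).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# traffic on the loopback interface and replies to connections we started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH connections: more than 5 per minute from one source are dropped
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# log (rate-limited) what the DROP policy is about to discard
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "fw-input-drop: " --log-level 4
# router role: the LAN may reach the Internet, only replies come back in
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m limit --limit 10/minute -j LOG --log-prefix "fw-forward-drop: " --log-level 4
COMMIT
EOF
}

# check_ruleset: reads a ruleset on stdin and returns 0 only if both
# inbound chains have a DROP policy, the table ends with COMMIT and no
# rule accepts everything unconditionally
check_ruleset() {
    rules=$(cat)
    for chain in INPUT FORWARD; do
        printf '%s\n' "$rules" | grep -q "^:$chain DROP" || { echo "$chain policy is not DROP" >&2; return 1; }
    done
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || { echo "missing COMMIT" >&2; return 1; }
    if printf '%s\n' "$rules" | grep -Eq '^-A (INPUT|FORWARD) -j ACCEPT$'; then
        echo "a chain accepts all traffic unconditionally" >&2
        return 1
    fi
    return 0
}

# apply_ruleset: validate, then load atomically (needs root). Run it from
# the console or with a scheduled rollback, because a mistake here drops
# the SSH session you are typing in.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset > "$tmp"
    check_ruleset < "$tmp" && iptables-restore --test "$tmp" && iptables-restore "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

gen_ruleset | check_ruleset && echo "ruleset passes checks (not loaded; run apply_ruleset as root)"
```

Two design points worth noting: the ESTABLISHED,RELATED rule sits near the top so that the bulk of packets (replies) are accepted after one test, and the LOG rules come last in each chain, where they see only what the DROP policy is about to discard. The forwarding rule is useless until net.ipv4.ip_forward is set to 1; with forwarding off the FORWARD chain never sees a packet.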

Firewall Services (continued)

Table 15-5: Common iptables commands

Security

• Linux systems typically available across networks such as the Internet

• Should improve local and network security

• Understand how to detect intruders who breach the system

Securing the Local Computer

• Limit access to the computer itself

– Prevent malicious users from accessing files; with physical access an attacker can boot other media and read the disk regardless of file permissions

• Server closet: Secured room to store servers

• Remove floppy and CD-ROM devices from workstations

• Ensure the BIOS prevents booting from USB ports and other removable media

Securing the Local Computer (continued)

• Ensure BIOS password is set

• Set boot loader password in LILO or GRUB configuration file

• Limit access to graphical desktops and shells

• Minimize root user’s time logged in

Securing the Local Computer (continued)

• nohup command: Runs a command immune to the hangup signal (SIGHUP), so it keeps running after the user who started it logs out

• su (switch user) command: Switches the current user account to another (root when no user is named)

• sudo command: Performs individual commands as another user via entries in the /etc/sudoers file, so day-to-day administration does not require logging in as root

Protecting Against Network Attacks

• Always a possibility that attackers can manipulate a network service

• Buffer overrun: A service copies more input into a fixed-size memory buffer than it can hold and overwrites adjacent memory; an attacker who controls that input can crash the service or run code with the daemon's privileges

• Minimize the number of running network services

• nmap (network mapper) command: Scans ports on network computers

– See what network services are reachable, as an attacker would

Protecting Against Network Attacks (continued)

• Enable encryption on essential network services

• Ensure network service daemons not run as root user when possible

• New network service versions usually include fixes for known network attacks– Keep network services up-to-date

Protecting Against Network Attacks (continued)

• TCP wrapper: Runs a network daemon with additional access control via the /etc/hosts.allow and /etc/hosts.deny files

– /etc/hosts.allow is checked first, then /etc/hosts.deny; a connection that matches neither file is allowed, so a deny-by-default policy needs an explicit "ALL: ALL" in hosts.deny

– Only daemons started through tcpd or xinetd, or linked against libwrap, honor these files

• Examine permissions for files and directories associated with system and network services
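As an added example (not from the textbook), the script below evaluates what a TCP-wrapped daemon would decide for a given client under a pair of constructed hosts.allow and hosts.deny files, in the order libwrap uses. It handles ALL, exact addresses, network prefixes ending in "." and domain suffixes starting with "."; the EXCEPT, netmask and KNOWN/UNKNOWN forms are not implemented. The last probe shows the pitfall from the slide: with an empty hosts.deny, an unlisted client is let in.

```shell
#!/bin/sh
# Added example (not from the textbook): evaluate a client against
# constructed /etc/hosts.allow and /etc/hosts.deny contents the way a
# TCP-wrapped daemon would. Supports ALL, exact addresses, "prefix." and
# ".suffix" patterns only.

# Constructed /etc/hosts.allow: SSH only from the admin LAN, FTP from one host
HOSTS_ALLOW='# admin LAN may use ssh; one file server may use ftp
sshd: 192.168.1.
vsftpd: 10.0.0.5'

# Constructed /etc/hosts.deny: everything not allowed above is refused
HOSTS_DENY='ALL: ALL'

# wrap_match PATTERN VALUE -> 0 if the hosts.allow/hosts.deny pattern matches
wrap_match() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # network prefix, e.g. 192.168.1.
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # domain suffix, e.g. .example.com
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# file_matches DAEMON CLIENT: reads one policy file on stdin and returns 0
# if any "daemon_list : client_list" line matches both
file_matches() {
    while IFS= read -r line; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            wrap_match "$d" "$1" || continue
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                wrap_match "$c" "$2" && return 0
            done
        done
    done
    return 1
}

# wrap_decision DAEMON CLIENT ALLOW_TEXT DENY_TEXT -> allow | deny
# Order is the one libwrap uses: hosts.allow first (match = allow),
# then hosts.deny (match = deny), otherwise allow.
wrap_decision() {
    if printf '%s\n' "$3" | file_matches "$1" "$2"; then
        echo allow
    elif printf '%s\n' "$4" | file_matches "$1" "$2"; then
        echo deny
    else
        echo allow
    fi
}

for probe in "sshd 192.168.1.20" "sshd 203.0.113.7" "vsftpd 10.0.0.5" "vsftpd 10.0.0.50"; do
    set -- $probe
    echo "$1 from $2: $(wrap_decision "$1" "$2" "$HOSTS_ALLOW" "$HOSTS_DENY")"
done
# with an empty hosts.deny the same unknown client is let in: the files
# only restrict what is explicitly written down
echo "sshd from 203.0.113.7 with empty hosts.deny: $(wrap_decision sshd 203.0.113.7 "$HOSTS_ALLOW" "")"
```

On a real host the same check is available as `tcpdmatch sshd 203.0.113.7`, which reads the live files and also understands the pattern forms this script leaves out.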

Detecting Intrusion

• Log files can contain information or irregularities indicating an intrusion

• Review the system log files associated with authentication

• Pluggable Authentication Module (PAM): Handles authentication requests from daemons

– Log file is /var/log/secure on Fedora and Red Hat systems (/var/log/auth.log on Debian-derived systems)
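As an added example (not from the textbook), the script below pulls the irregularities this slide refers to out of authentication log lines: sources with many failed SSH passwords, a successful login from a source that had just been failing (the signature of a guessed password), and every root login. The log lines are constructed in the format sshd and PAM write to /var/log/secure on Fedora; on a real host pipe the live file into the same functions.

```shell
#!/bin/sh
# Added example (not from the textbook): pull intrusion indicators out of
# /var/log/secure. The log lines below are constructed in the format sshd
# and PAM write on Fedora; on a real host replace the sample with the file.

SECURE_SAMPLE='Mar  3 10:01:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:09 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:12 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Mar  3 10:02:30 web1 sshd[2210]: Accepted publickey for alice from 192.168.1.20 port 40122 ssh2
Mar  3 10:05:41 web1 sshd[2215]: Failed password for bob from 192.168.1.31 port 40310 ssh2
Mar  3 10:05:50 web1 sshd[2215]: Accepted password for bob from 192.168.1.31 port 40310 ssh2
Mar  3 10:07:00 web1 sshd[2220]: Accepted password for root from 203.0.113.7 port 51300 ssh2
Mar  3 10:09:13 web1 su: pam_unix(su-l:session): session opened for user root by alice(uid=1000)'

# failed_by_source: "COUNT IP" per source of failed SSH passwords, busiest first
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# brute_force_sources MIN: sources with at least MIN failures
brute_force_sources() {
    failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# success_after_failures MIN: "IP USER FAILURES" for every accepted login
# from a source that had already failed at least MIN times earlier in the
# log. A success right after a burst of failures is a guessed password.
success_after_failures() {
    awk -v min="$1" '/sshd\[[0-9]+\]: (Failed password|Accepted)/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "from") ip = $(i + 1)
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
            }
            if ($0 ~ /Failed password/) fails[ip]++
            else if (fails[ip] >= min) print ip, user, fails[ip]
         }'
}

# root_logins: every accepted SSH login as root and every su to root;
# on a well-run host this should match a short list of expected sessions
root_logins() {
    grep -E 'sshd\[[0-9]+\]: Accepted [a-z]+ for root from|session opened for user root by'
}

echo "sources with 3 or more failures:"
printf '%s\n' "$SECURE_SAMPLE" | brute_force_sources 3
echo "logins that followed 3 or more failures (ip user failures):"
printf '%s\n' "$SECURE_SAMPLE" | success_after_failures 3
echo "root sessions:"
printf '%s\n' "$SECURE_SAMPLE" | root_logins
```

The threshold matters: bob's single typo followed by a login is normal, while 203.0.113.7 failing four times and then getting in as root is the line that should page someone. That host's password for root is compromised, and the "PermitRootLogin yes" that made it possible is the first thing to fix.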

Detecting Intrusion (continued)

• Check the /var/log/wtmp log file

– Records every login and logout; it is a binary file, read with the last command (failed logins go to /var/log/btmp, read with lastb)

• Tripwire: Records checksums of files and directories in a baseline database and reports later changes

• Intrusion Detection System (IDS): Detects unauthorized access

Detecting Intrusion (continued)

Table 15-6: Common Linux intrusion detection systems

