L120: Linux System Administration II




Network Services


Prerequisite


    • Booting Linux (p. 11)

    • Network Configuration (p. 31)


Goals


    • Understand the difference between inetd and xinetd

    • Use the libwrap or “TCP wrapper” mechanism to secure services

    • Configure NFS and SMB shares

    • Configure network services: DNS (BIND), Sendmail and Apache

Network services can either run continuously as standalone applications, which listen for connections and handle clients directly, or they can be started on demand by the network daemon inetd (old) or xinetd.



1. The inetd daemon (old)

This daemon is started at boot time and listens for connections on specific ports. This allows the server to run a specific network daemon only when needed.


For example, the telnet service has a daemon /usr/sbin/in.telnetd which handles telnet sessions. Instead of running this daemon all the time, inetd is instructed to listen on port 23. These instructions are set in /etc/inetd.conf.

(Figure: the inetd daemon)

The fields of /etc/inetd.conf contain the following:

field          meaning
service-name   valid name from /etc/services
socket type    stream for TCP and dgram for UDP
protocol       valid protocol from /etc/protocols
flag           nowait if multithreaded and wait if single-threaded
user/group     run the application as this user or group
program        usually tcpd
argument       the name of the program to be run for this service



Example:

pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d

Notice: the /etc/services file maps service names to socket port numbers. The fields in /etc/services are as follows:

service-name port/protocol [aliases]

2. The xinetd Daemon

This is the most recent version of inetd. The tcpd daemon is no longer used; instead xinetd does everything itself, including access control. Configuration is done either through a single file /etc/xinetd.conf or by editing individual files in /etc/xinetd.d/, one for each service monitored by xinetd. The old inetd configuration file can be migrated to the configuration files of the modern xinetd; nothing else needs to be done.




Structure of a service file in /etc/xinetd.d:

service-name
{
    disable     = yes/no
    socket_type = stream for TCP and dgram for UDP
    protocol    = valid protocol from /etc/protocols
    wait        = yes if single-threaded, no if multithreaded
    user        = the user the application runs as
    group       = the group the application runs as
    server      = the name of the program to be run for this service
}
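The two configuration formats above are easiest to compare with a small audit script. The following is an added example, not part of the course notes: it reads a constructed inetd.conf and a constructed xinetd.d directory (both written to a temporary directory so nothing on the system is touched) and reports which services are actually active, the user they run as and, for inetd, whether tcpd wraps the program. The file contents, service names and paths are sample values chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the course notes): list active inetd/xinetd services.
# All files below are constructed samples written to a temporary directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed inetd.conf: pop-3 is wrapped by tcpd, telnet is started directly
# (no tcpd, so hosts.allow/hosts.deny do not apply), finger is commented out.
cat > "$WORK/inetd.conf" <<'EOF'
# service socket proto flag user program argument
pop-3   stream tcp nowait root /usr/sbin/tcpd ipop3d
telnet  stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
EOF

# Constructed xinetd.d: telnet is disabled, ftp (vsftpd) is enabled and runs as root.
mkdir "$WORK/xinetd.d"
cat > "$WORK/xinetd.d/telnet" <<'EOF'
service telnet
{
    disable     = yes
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}
EOF
cat > "$WORK/xinetd.d/ftp" <<'EOF'
service ftp
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/vsftpd
}
EOF

# audit_inetd FILE: one line per active inetd service: name, user, tcpd status.
audit_inetd() {
    awk '!/^[[:space:]]*#/ && NF >= 7 {
        wrapped = ($6 ~ /tcpd$/) ? "wrapped" : "UNWRAPPED"
        printf "%s user=%s %s\n", $1, $5, wrapped
    }' "$1"
}

# audit_xinetd DIR: one line per enabled xinetd service: name, user, server.
# A stanza without a "disable" line is enabled, so "no" is assumed unless set.
audit_xinetd() {
    for f in "$1"/*; do
        awk '
            /^[[:space:]]*service[[:space:]]/ { name = $2; disable = "no"; user = "?"; server = "?" }
            /^[[:space:]]*disable[[:space:]]*=/ { disable = $NF }
            /^[[:space:]]*user[[:space:]]*=/    { user = $NF }
            /^[[:space:]]*server[[:space:]]*=/  { server = $NF }
            /^[[:space:]]*}/ { if (disable == "no") printf "%s user=%s server=%s\n", name, user, server }
        ' "$f"
    done
}

audit_inetd "$WORK/inetd.conf"
audit_xinetd "$WORK/xinetd.d"
```

Run against the real files (/etc/inetd.conf and /etc/xinetd.d) the same two functions give a quick inventory of what a host actually exposes; a service marked UNWRAPPED cannot be restricted through /etc/hosts.allow and /etc/hosts.deny.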



3. Telnet and FTP

Telnet and ftp are common examples of services using the inetd/xinetd mechanism to listen for incoming connections.


TELNET is the name of the application layer protocol used to establish a “bi-directional communication facility” (RFC 854). “Its primary goal is to allow a standard method of interfacing terminal devices and terminal-oriented processes to each other”.

The server runs a telnet daemon (usually in.telnetd) and communications are initiated from the client using a telnet client (called telnet too). For RPM based machines the server package is called telnet-server and the client package is called telnet.


Once the telnet-server package is installed, the configuration file /etc/inetd.conf or /etc/xinetd.conf needs the following options:

/etc/inetd.conf (for the inetd daemon):

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

/etc/xinetd.conf (for the xinetd daemon):

service telnet
{
    disable        = no
    flags          = REUSE
    socket_type    = stream
    wait           = no
    user           = root
    server         = /usr/sbin/in.telnetd
    log_on_failure += USERID
}

The next command attempts to connect to the host 192.168.10.23. Notice that the content of /etc/issue.net is also displayed:

telnet 192.168.10.23
Trying 192.168.10.23...
Connected to ws001 (192.168.10.23).
Escape character is '^]'.
Fedora Core release 3 (Heidelberg)
Kernel 2.6.11-1.14_FC3 on an i686
login:


FTP is the “File Transfer Protocol”. The objectives of this application layer protocol, as stated in RFC 959, are “1) to promote sharing of files (computer programs and/or data), 2) to encourage indirect or implicit (via programs) use of remote computers, 3) to shield a user from variations in file storage systems among hosts, and 4) to transfer data reliably and efficiently”.

There are several FTP servers available for Linux. In these notes we choose to configure vsftpd (the Very Secure FTP Daemon), which is available as a package of the same name. There are many FTP clients, provided by the packages ftp, ncftp, lftp or gftp (graphical).


vsftpd can be started as a standalone server (recommended), but it can also be run from inetd or xinetd, which then handle incoming connections, with the following options (note that the xinetd stanza below ships with disable = yes; set it to no to activate the service):

/etc/vsftpd/vsftpd.conf

listen=NO

/etc/inetd.conf

ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vsftpd

/etc/xinetd.conf

service ftp
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/vsftpd
    nice        = 10
    disable     = yes
}

It is possible to log onto an FTP server either as an anonymous user or as a regular system user (e.g. a user with an entry in /etc/passwd). Anonymous FTP allows a user to log in with the username-password pair anonymous and email-address. A regular user will initially have access to his or her home directory, whereas anonymous users can only browse the contents of /var/ftp/.




ftp 192.168.10.23
Connected to 192.168.10.23.
220 (vsFTPd 2.0.1)
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (192.168.10.23:tux)

4. TCP wrappers

If a program has been compiled with the libwrap library, then access to it can be controlled by listing it in the files /etc/hosts.allow and /etc/hosts.deny. The libwrap library checks these files for an entry matching the connecting host.

Default format for /etc/hosts.{allow,deny}:

DAEMON : hosts [EXCEPT hosts] [: spawn command]

These files can also be used to log unauthorised connection attempts, which makes them useful as an early warning system. Here are a few examples.



Getting information about a host:

  • /etc/hosts.allow

in.telnetd: LOCAL, .my.domain

  • /etc/hosts.deny

in.telnetd: ALL : spawn (/usr/sbin/safe_finger -l @%h | mail root)

Redirect to a bogus service or “honey pot”:

  • /etc/hosts.allow

in.telnetd: ALL : twist /dtk/Telnetd.pl

The last example comes from the dtk (Deception Tool Kit), which can be downloaded from http://all.net/dtk/download.html


The inetd and xinetd daemons, as well as some standalone servers such as sshd and vsftpd, have been dynamically linked against libwrap, which ldd shows:


ldd /usr/sbin/xinetd | grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x003da000)

ldd /usr/sbin/vsftpd | grep libwrap
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00204000)
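The effect of a hosts.allow / hosts.deny pair is easy to get wrong, because libwrap consults /etc/hosts.allow first, then /etc/hosts.deny, and grants access when neither file matches. The following is an added example, not part of the course notes or of the tcp_wrappers package: it re-implements that lookup order in shell over two constructed rule files (written to a temporary directory, so the live files are untouched) so that a rule set can be checked against sample client names before it is deployed. It supports the ALL, LOCAL, leading-dot domain and exact-host patterns plus EXCEPT, and ignores the spawn/twist options after the second colon; the daemon and host names are sample values.

```shell
#!/bin/sh
# Added example (not from the course notes): simulate the libwrap decision for
# a daemon/client pair using constructed hosts.allow and hosts.deny files.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed rule files mirroring the style of the examples in the notes.
cat > "$WORK/hosts.allow" <<'EOF'
in.telnetd: LOCAL, .my.domain EXCEPT guest.my.domain
sshd: ALL
EOF
cat > "$WORK/hosts.deny" <<'EOF'
in.telnetd: ALL : spawn (/usr/sbin/safe_finger -l @%h | mail root)
vsftpd: .bad.example
EOF

# pattern_matches PATTERN HOST: exit 0 if PATTERN covers HOST.
pattern_matches() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot = local host
        .*)    case "$2" in *"$1") return 0 ;; *) return 1 ;; esac ;; # domain suffix
        *)     [ "$1" = "$2" ] ;;                                      # exact host name
    esac
}

# list_matches "a, b EXCEPT c" HOST: exit 0 if HOST matches a pattern before
# EXCEPT and none of the patterns after it.
list_matches() {
    local list host before after p matched
    list=$1; host=$2
    case "$list" in
        *EXCEPT*) before=${list%%EXCEPT*}; after=${list#*EXCEPT} ;;
        *)        before=$list; after="" ;;
    esac
    matched=1
    for p in $(printf '%s' "$before" | tr ',' ' '); do
        pattern_matches "$p" "$host" && { matched=0; break; }
    done
    [ "$matched" -eq 0 ] || return 1
    for p in $(printf '%s' "$after" | tr ',' ' '); do
        pattern_matches "$p" "$host" && return 1
    done
    return 0
}

# file_matches FILE DAEMON HOST: exit 0 if some rule line in FILE matches both.
file_matches() {
    local file daemon host line dlist clist d
    file=$1; daemon=$2; host=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        dlist=$(printf '%s' "$line" | cut -d: -f1)   # daemon list
        clist=$(printf '%s' "$line" | cut -d: -f2)   # client list (options ignored)
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then
                list_matches "$clist" "$host" && return 0
            fi
        done
    done < "$file"
    return 1
}

# wrap_decision DAEMON HOST: prints allow or deny following the libwrap order.
wrap_decision() {
    if   file_matches "$WORK/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WORK/hosts.deny"  "$1" "$2"; then echo deny
    else echo allow    # neither file matches: libwrap grants access
    fi
}

for c in ws001 pc1.my.domain guest.my.domain evil.example.org; do
    printf 'in.telnetd from %s: %s\n' "$c" "$(wrap_decision in.telnetd "$c")"
done
```

The last branch of wrap_decision is the point to remember: a daemon that appears in neither file is reachable from everywhere, so a restrictive policy needs a catch-all line in /etc/hosts.deny such as the in.telnetd: ALL entry above.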

5. Setting up NFS





  • Client settings

For a Linux client to mount remote file systems:

1. the nfs file system must be supported by the kernel

2. the RPC portmapper daemon must be running.

The portmapper is started by the /etc/rc.d/init.d/portmap script. The mount utility then mounts the file system.

For example, we can create a new directory called /mnt/nfs and mount the directory /shared/dir exported by the server nfs-server. This can be done by adding the following line to /etc/fstab:

/etc/fstab

nfs-server:/shared/dir /mnt/nfs nfs defaults 0 0

If no entry is set in /etc/fstab then the complete command would be:

mount -t nfs nfs-server:/shared/dir /mnt/nfs



  • Server settings

An NFS server needs portmap (rpcbind) to be running before the nfs server is started. The nfs server should be started or stopped with the /etc/rc.d/init.d/nfs script.

The main configuration file is /etc/exports.

Sample /etc/exports file (note that there is no whitespace between a client name and its option list):

/usr/local/docs *.local.org(rw,no_root_squash) *(ro)

The /usr/local/docs directory is exported to all hosts as read-only, and read-write to all hosts in the .local.org domain.

The default root_squash option, which prevents the root user (uid = 0) on the client from acting as root on the share, can be changed with the no_root_squash option.

The /etc/exports file matches hosts with patterns such as *.machine.com, whereas /etc/hosts.allow and /etc/hosts.deny match hosts with patterns such as .machine.com.

If the /etc/exports file has been changed then the exportfs utility should be run. If existing directories in /etc/exports are modified then it may be necessary to unmount all NFS shares before remounting them all. Individual directories are made available for mounting with exportfs.

Unexporting and exporting all directories in /etc/exports:

exportfs -ua ; exportfs -a
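Two /etc/exports mistakes are worth checking for before running exportfs -a: a space inside an option list, as in "(rw, no_root_squash)", which makes exportfs read the text after the space as a separate client entry so that the options no longer apply as intended, and no_root_squash granted to a wildcard client. The following is an added example, not part of the course notes or of nfs-utils: a small awk-based audit run over a constructed exports file written to a temporary directory. The paths and client names are sample values.

```shell
#!/bin/sh
# Added example (not from the course notes): audit an exports file for an
# option list broken by whitespace and for no_root_squash on wildcard clients.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: line 2 has a space inside its option list, line 4 gives
# root on every client full root access to /srv/backup.
cat > "$WORK/exports" <<'EOF'
# path          clients(options)
/usr/local/docs *.local.org(rw, no_root_squash) *(ro)
/home           *.local.org(rw,root_squash)
/srv/backup     *(rw,no_root_squash)
/srv/pub        192.168.1.0/24(ro,root_squash)
EOF

# audit_exports FILE: prints one finding per line, nothing when the file is clean.
audit_exports() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            for (i = 2; i <= NF; i++) {
                tok = $i
                # A token with an unbalanced "(" means the option list was split.
                opens = gsub(/\(/, "(", tok); closes = gsub(/\)/, ")", tok)
                if (opens != closes) {
                    printf "%s: line %d: option list split by whitespace near \"%s\"\n", $1, NR, $i
                    next
                }
                client = tok; sub(/\(.*/, "", client)
                if (tok ~ /no_root_squash/ && (client == "*" || client ~ /^\./ || client ~ /^\*\./))
                    printf "%s: line %d: no_root_squash granted to wildcard client %s\n", $1, NR, client
            }
        }
    ' "$1"
}

audit_exports "$WORK/exports"
```

On a real system run audit_exports /etc/exports before exportfs -a; an empty result means neither problem was found.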

6. SMB and NMB

Linux machines can access and provide Windows shared resources (directories and printers). The protocol used for this is the MS Windows Server Message Block SMB. Samba is the most common Linux tool which provides client and server software.



From the Command Line

The smbclient utility is used to list shared resources. Remote directories are typically mounted with smbmount, although ‘mount -t smbfs’ can also be used.

Examples:

Send a pop-up message to the win98desk computer:

smbclient -M win98desk

Mount the shared directory of the winserver computer:

smbmount //winserver/shared /mnt/winserver/shared

The Samba server is configured with the /etc/smb.conf file. The server is stopped and started with the /etc/rc.d/init.d/smb script. Notice that smb also starts the NMB service. This is the NetBIOS Message Block, which enables name resolution in the Windows realm.


(Figure 1: Nautilus browsing SMB shares)




Main entries in /etc/smb.conf:

[global]
    workgroup = LINUXIT
    os level = 2
    kernel oplocks = No
    security = user
    encrypt passwords = Yes
    guest account = nobody
    map to guest = Bad User

[homes]
    comment = Home Directories
    read only = No
    create mask = 0640
    directory mask = 0750
    browseable = No

[printers]
    comment = All Printers
    path = /var/tmp
    create mask = 0600
    printable = Yes
    browseable = No



SWAT and Webmin GUI Configuration

If you install the swat package then you can administer a Samba server via a web-based GUI on port 901.

Another popular general administration tool is webmin. It can be downloaded from www.webmin.com





NOTICE

The configuration file /etc/samba/smb.conf is a good source of documentation. All options are explained and can be switched on by deleting the comment character `;`. Also read the smb.conf(5) manpage.


7. DNS services




  • Finding a Name with /etc/nsswitch.conf

The file /etc/nsswitch.conf (previously /etc/host.conf) holds all the information needed by an application to find a name. The types of names are designated by a keyword.





Common names

keyword    description
passwd     user names
group      group names
hosts      host names
networks   network names

Names are searched in a number of 'databases'. Each database is accessed through a specialised library: for example there are libraries called libnss_files, libnss_nis and libnss_dns to deal with each of the databases listed below.





Common databases

keyword   description
files     flat files, generally in /etc
nis       a map from a NIS server
dns       a DNS server

(Figure: a NAME lookup passes through the files, nis and dns databases in the order listed in /etc/nsswitch.conf)
Sample /etc/nsswitch.conf

hosts: files dns
networks: files nis ldap

The first line indicates that files (here /etc/hosts) should be queried first, and then a DNS server if this fails. The second line instructs the library to use the /etc/networks file for network information, then NIS and then LDAP.




When a program needs to resolve a host name using a DNS server it uses a library called a resolver. The resolver will first consult the /etc/resolv.conf file and determine which DNS server to contact.


(Figure: the resolver and /etc/resolv.conf)
Sample /etc/resolv.conf

search example.com
nameserver 192.168.123.1

If the resolver needs to use a domain name server (DNS) then it consults the /etc/resolv.conf file for the list of available servers to query.

The /etc/hosts file

With a small number of networked computers it is possible to map decimal IP numbers to names using the /etc/hosts file. The fields are as follows:

IP machine machine.domain alias

Example /etc/hosts file:

192.168.1.233 io io.my.domain
61.20.187.42 callisto callisto.physics.edu


  • Hierarchical structure

Name servers have a hierarchical structure. Depending on its position in the fully qualified domain name (FQDN), a domain is called top-level, second-level or third-level.

Example top-level domains:

com   Commercial organisations
edu   US educational institutions
gov   US government institutions
mil   US military institutions
net   Gateways and network providers
org   Non-commercial sites
uk    UK sites



  • Types of DNS servers

Domains can be further divided into sub-domains. This limits the amount of information needed to administer a domain. Zones have a master domain name server (previously called a primary DNS) and one or several slave domain name servers (previously called secondary). Administration of a name server consists of updating the information about a particular zone. The master servers are said to be authoritative for the zone.




  • DNS Configuration Files

In old versions of BIND (prior to BIND version 8) the configuration file was /etc/named.boot. With BIND version 8 the /etc/named.conf file is used instead. One can use the named-bootconf.pl utility to convert old configuration files.




The /etc/named.boot file:

directory /var/named
cache   .                      named.ca
primary myco.org               named.myco
primary 0.0.127.in-addr.arpa   named.local
primary 1.168.192.in-addr.arpa named.rev

The first line defines the base directory to be used. The named.ca file contains a list of DNS server IP addresses used for querying external addresses. The third line is optional and contains the records for the local LAN. The last two entries are for reverse lookups.

In BIND 8 and 9:

cache     is replaced by hint
secondary is replaced by slave
primary   is replaced by master

Applying these changes to BIND4 configuration files will generate BIND8 and BIND9 files such as the following.

The /etc/named.conf file:

options {
    directory "/var/named";
};

zone "." {
    type hint;
    file "named.ca";
};

zone "myco.org" {
    type master;
    file "named.myco";
};

zone "1.168.192.in-addr.arpa" {
    type master;
    file "named.rev";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "named.local";
};


  • DNS zone files

In this example the server is set as a caching-only server. All the zone files contain resource records.

Sample named.local zone file:

@   IN SOA localhost. root.localhost. (
            2001022700 ; Serial
            28800      ; Refresh
            14400      ; Retry
            3600000    ; Expire
            86400 )    ; Minimum
    IN NS  localhost.
1   IN PTR localhost.

This is a very simple zone file but it gives us enough information to understand the basic mechanism of a name server.
The @ sign will resolve to the related zone declared in /etc/named.conf. This allows any zone file to be used as a template for further zones (see the exercises).

Table 1: Common record types

NS      Specifies the zone's primary name server
PTR     Reverse mapping of IP numbers to hostnames
MX      Mail exchange record
A       Associates an IP address with a hostname
CNAME   Associates an alias with the host's main name

Table 2: Zone parameters

@ IN SOA   Start Of Authority. Identifies the zone, followed by options enclosed in brackets.
serial     Manually incremented when data is changed. Secondary servers query the master server's serial number; if it has changed, the entire zone file is downloaded.
refresh    Time in seconds before the secondary server should query the SOA record of the primary domain. This should be at least a day.
retry      Time interval in seconds before attempting a new zone transfer if the previous download failed.
expire     Time after which the secondary server discards all zone data if it cannot contact the primary server. Should be a week at least.
minimum    The TTL for the cached data. The default is one day (86400 seconds) but should be longer on stable LANs.

Testing

Here we only check the records of type MX. Other types are ANY, A or NS.

  • Check the local domain: host and dig do the same thing, except that dig prints results in a form that can be used directly in a zone file:

dig @127.0.0.1 srce.hr MX
host -t mx srce.hr 127.0.0.1

  • Use the local caching server to query any domain: replace the domain gogo.com in the commands above with any other domain you wish to query.


8. Sendmail main Configuration

Sendmail is the most popular mail transfer agent (MTA) on the Internet. It uses the Simple Mail Transfer Protocol (SMTP) and runs as a daemon listening for connections on port 25.


The sendmail script which stops or starts the sendmail daemon is usually located in the /etc/rc.d/init.d/ directory.
Configuration Features
The main configuration file is /etc/mail/sendmail.cf (or /etc/sendmail.cf). Here you can specify the name of the server as well as the names of the hosts from which and to which mail relay is allowed.



WARNING

You do not need to know how to write sendmail.cf rules. In fact all the rules can be generated from the sendmail.m4 or sendmail.mc macro file, producing a sendmail.cf file by running the following:

m4 sendmail.mc > sendmail.cf

This process is not part of the LPI objectives.



sendmail.cf options

Cw   the mailer hostname. Can also contain a list of hostnames or domain names the mailer will assume, but it is better to use Fw for this
Fw   path to the file containing the domain names sendmail will receive mail for
Ds   address of the 'smart host', a mailer that will relay our outgoing mail

Files in /etc/mail

access             list of hosts authorised to use the server to relay mail
local-host-names   list of domain names


Aliases and mail forwarding

The /etc/aliases file contains two fields as follows:

alias: user

For example, if the mail server has a regular UNIX account for user foo, then mail addressed to mr.foo will reach this user only if the following line is included in /etc/aliases:

mr.foo: foo

Or, if you want to forward all mail to an external address:

mr.foo: foo@someisp.net

For other options see the manpage aliases(5).

When changes to the /etc/aliases file are made, the newaliases command must be run to rebuild the database /etc/aliases.db.

When mail is addressed to a local user (say foo), this user can choose to forward it to a list of other addresses using the local file ~/.forward (one address per line).

In LPI 202 we will see that mail can also be forwarded to a file, a pipe or an include file.
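Because an alias may point at another alias, the right-hand side of an /etc/aliases entry is resolved recursively, and a pair of entries that refer to each other would loop. The following is an added example, not part of the course notes or of sendmail: a shell function that expands an alias the way the aliases(5) rules describe, stopping alias-to-alias chains at the first name without an alias line, passing external addresses, files, pipes and :include: entries through unchanged, and reporting a loop instead of recursing forever. The aliases file is a constructed sample written to a temporary directory; the user and domain names are sample values.

```shell
#!/bin/sh
# Added example (not from the course notes): expand /etc/aliases entries with
# loop detection, using a constructed aliases file.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/aliases" <<'EOF'
# Basic aliases (constructed sample)
postmaster:     root
mr.foo:         foo
root:           foo, sysadmin@someisp.net
webmaster:      mr.foo
# an administrator error: two aliases pointing at each other
ping:           pong
pong:           ping
EOF

# lookup NAME FILE: prints the right-hand side of NAME's alias line, if any.
lookup() {
    awk -v name="$1" -F: '
        !/^[[:space:]]*#/ && $1 == name { sub(/^[[:space:]]+/, "", $2); print $2; exit }
    ' "$2"
}

# expand NAME FILE [SEEN]: prints the final recipients one per line, or
# LOOP:<name> when the alias chain returns to a name already visited.
expand() {
    local name file seen rhs addr
    name=$1; file=$2; seen=${3:-}
    case ",$seen," in *",$name,"*) echo "LOOP:$name"; return 0 ;; esac
    rhs=$(lookup "$name" "$file")
    if [ -z "$rhs" ]; then
        echo "$name"     # no alias line: a local user, delivered as-is
        return 0
    fi
    for addr in $(printf '%s' "$rhs" | tr ',' ' '); do
        case "$addr" in
            *@*|/*|\|*|:include:*) echo "$addr" ;;          # external, file, pipe, include
            *) expand "$addr" "$file" "$seen,$name" ;;      # another local name: recurse
        esac
    done
}

for a in webmaster postmaster ping; do
    printf '%s -> %s\n' "$a" "$(expand "$a" "$WORK/aliases" | tr '\n' ' ')"
done
```

Remember that sendmail reads the /etc/aliases.db database, not the text file, so a change that looks right here still needs newaliases before it takes effect.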


The Mail Queues

When mail is accepted by the server it is appended to a single file named after the user. These files are stored in /var/spool/mail/.

Depending on the Mail User Agent used (mutt, pine, elm ...), a user can either store these messages in his home directory or download them on another machine.

All outgoing mail is spooled in /var/spool/mqueue.

If the network is down or very slow, or if many messages are being sent, then mail accumulates in the mail queue /var/spool/mqueue. You can query the queue with the mailq utility or sendmail -bp.

An administrator can flush the server's queue with sendmail -q.


Registering a Mailer for a Domain

Finally, in order to use a domain name as a valid email address, an MX record needs to be added on an authoritative name server for your domain (usually at your ISP).

For example, if mail.company.com is a mail server, then in order for it to receive mail such as joe@company.com you should have the following configuration:

1. Add company.com to /etc/mail/local-host-names

2. Add the record company.com. IN MX 10 mail.company.com. to the DNS zone file for company.com



9. The Apache server




  • Configuration Files

The /etc/httpd/conf/httpd.conf file contains all the configuration settings.

Older releases of apache had two extra files, one called access.conf where restricted directories were declared, and another called srm.conf specifying the server's root directory.

Configuration highlights:

Server-wide settings:

ServerType standalone/inetd
ServerRoot "/etc/httpd"
DocumentRoot "/var/www/html"

Per-directory settings (placed inside a <Directory> block):

AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all

Virtual host settings (placed inside a <VirtualHost> block):

DocumentRoot "/www/docs/server1"
ServerName virtual.mydomain.org





  • Running Apache

To stop and start the server one can use the /etc/rc.d/init.d/httpd script. On a busy server it is preferable to use apachectl especially with the graceful option which will restart the server only when current connections have been dealt with.


The main log files are in /var/log/httpd/. It may be useful for security reasons to regularly check the error_log and access_log files.
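The advice to check access_log regularly becomes practical once there is a first-pass filter for it. The following is an added example, not part of the course notes or of Apache: two awk one-liners wrapped in shell functions that read a log in the Common Log Format (host, ident, user, date, request, status, bytes), report the clients whose 4xx responses exceed a threshold, and list the paths a given client was refused or could not find. A run of 403/404 responses from one address for paths such as /cgi-bin/ or /.htaccess is the usual footprint of a probe for scripts and misconfigured directories. The log lines, addresses and paths are constructed for the demonstration and written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the course notes): first-pass review of access_log
# (Common Log Format) for clients producing many 4xx responses.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log: one normal visitor, one probing client, one stray 404.
cat > "$WORK/access_log" <<'EOF'
192.168.10.23 - - [11/Oct/2017:10:00:01 +0200] "GET / HTTP/1.1" 200 1043
192.168.10.23 - - [11/Oct/2017:10:00:02 +0200] "GET /docs/ HTTP/1.1" 200 512
10.0.0.99 - - [11/Oct/2017:10:05:00 +0200] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210
10.0.0.99 - - [11/Oct/2017:10:05:00 +0200] "GET /admin/ HTTP/1.0" 403 199
10.0.0.99 - - [11/Oct/2017:10:05:01 +0200] "GET /.htaccess HTTP/1.0" 403 199
10.0.0.99 - - [11/Oct/2017:10:05:01 +0200] "GET /phpmyadmin/ HTTP/1.0" 404 210
10.0.0.99 - - [11/Oct/2017:10:05:02 +0200] "GET /backup.tar.gz HTTP/1.0" 404 210
192.168.10.42 - - [11/Oct/2017:10:07:10 +0200] "GET /missing.html HTTP/1.1" 404 210
EOF

# client_errors FILE THRESHOLD: prints "client count" for every client with at
# least THRESHOLD responses in the 4xx range, highest count first.
# In CLF the status code is field 9 and the client address is field 1.
client_errors() {
    awk -v min="$2" '
        $9 ~ /^4[0-9][0-9]$/ { n[$1]++ }
        END { for (c in n) if (n[c] >= min) printf "%s %d\n", c, n[c] }
    ' "$1" | sort -k2,2nr
}

# error_paths FILE CLIENT: lists the request paths (field 7) that CLIENT was
# refused (403) or that did not exist (404, or any other 4xx).
error_paths() {
    awk -v who="$2" '$1 == who && $9 ~ /^4[0-9][0-9]$/ { print $7 }' "$1"
}

echo "clients with 3 or more 4xx responses:"
client_errors "$WORK/access_log" 3
echo "paths refused to 10.0.0.99:"
error_paths "$WORK/access_log" 10.0.0.99
```

Against the live file the call is client_errors /var/log/httpd/access_log 20 (or whatever threshold suits the site's traffic); the same awk pattern is easy to extend to the fields of the Combined Log Format, which adds the referer and user agent after the byte count.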

10. Exercises and Summary




Files

/etc/hosts.allow, /etc/hosts.deny
    files used by the libwrap library to determine access to a service from a given host, network or domain

/etc/aliases
    aliases(5) – describes the user ID aliases used by sendmail. Each line is of the form name: addr_1, addr_2, ... where name is a local username to alias and addr_n can be another alias, a local username, a local file name, a command, an include file, or an external address

/etc/exports
    exports(5) – the file /etc/exports serves as the access control list for file systems which may be exported to NFS clients. It is used by exportfs(8) to give information to mountd(8) and to the kernel-based NFS file server daemon nfsd(8)

/etc/host.conf
    main configuration file for the resolver

/etc/hosts
    database of host IPs and names

/etc/inetd.conf
    configuration file for the inetd daemon

/etc/mail/*
    directory containing all the sendmail configuration files

/etc/named.boot
    configuration file of the BIND4 version of named

/etc/named.conf
    configuration file of the BIND8 and BIND9 versions of named

/etc/nsswitch.conf
    nsswitch.conf(5) – System Databases and Name Service Switch configuration file

/etc/resolv.conf
    list of DNS servers used by the resolver to determine host names

/etc/sendmail.cf
    the main configuration file for sendmail

Cw
    option within sendmail.cf that specifies the name of the server (may be a domain name)

Ds
    option to specify a smarthost in sendmail.cf

Fw
    option setting the name of the file that contains all the names of the mail server

/etc/smb.conf
    main configuration file for the Samba server smbd

/etc/xinetd.conf
    configuration file for the xinetd daemon

/var/spool/mail/
    directory containing received mail for local users

/var/spool/mqueue
    spool directory for outgoing mail

~/.forward
    file containing a list of addresses to which mail for a valid local account is forwarded

/etc/httpd/conf/access.conf
    configuration file containing web directories that need extra identification mechanisms such as htaccess (old)

/etc/httpd/conf/httpd.conf
    main configuration file for the web server daemon httpd

/etc/httpd/conf/srm.conf
    configuration file defining the document root of the web server (old)

Commands

apachectl
    apachectl(8) – Apache HTTP server control interface. On the command line the script will simply pass all the given arguments to the httpd server

dig
    dig(1) – (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried

host
    host(1) – a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa

exportfs
    exportfs(8) – maintains the current table of exported file systems for NFS. This list is kept in a separate file named /var/lib/nfs/xtab which is read by mountd when a remote host requests access to mount a file tree, and the parts of the list which are active are kept in the kernel's export table

inetd
    see xinetd

mailq
    mailq(1) – prints a summary of the mail messages queued for future delivery

portmap
    portmap(8) – a server that converts RPC program numbers into DARPA protocol port numbers. It must be running in order to make RPC calls. When an RPC server is started, it will tell portmap what port number it is listening to, and what RPC program numbers it is prepared to serve. When a client wishes to make an RPC call to a given program number, it will first contact portmap on the server machine to determine the port number where RPC packets should be sent. Portmap must be started before any RPC servers are invoked

smbclient
    smbclient(1) – a client that can ’talk’ to an SMB/CIFS server. It offers an interface similar to that of the ftp program (see ftp(1)). Operations include getting files from the server to the local machine, putting files from the local machine to the server, retrieving directory information from the server and so on

smbmount
    smbmount(8) – mounts a Linux SMB filesystem. It is usually invoked as mount.smbfs by the mount(8) command when using the "-t smbfs" option. This command only works in Linux, and the kernel must support the smbfs filesystem

sendmail
    sendmail(8) – sends a message to one or more recipients, routing the message over whatever networks are necessary. Sendmail does internetwork forwarding as necessary to deliver the message to the correct place

xinetd
    xinetd(8) – performs the same function as inetd: it starts programs that provide Internet services. Instead of having such servers started at system initialization time and lie dormant until a connection request arrives, xinetd is the only daemon process started and it listens on all service ports for the services listed in its configuration file. When a request comes in, xinetd starts the appropriate server. Because of the way it operates, xinetd (as well as inetd) is also referred to as a super-server


