Linux Xinetd Network services

Posted: September 27, 2010 in REDHAT 5 LinUX

The service xinetd is designed to provide the same functionality as inetd, but with better configuration options and better security. It provides the same services as inetd, so you will not need to run inetd alongside it and can substitute it for inetd. This service is easy to install and run. It is meant as a replacement for inetd, but can be run at the same time inetd is being run. If you decide to run both inetd and xinetd, you should not run the same services, such as telnet or ftp, on both at the same time. Xinetd supports the hosts.allow and hosts.deny features using the tcp wrapper daemon, the same as inetd does.

Obtaining xinetd

It is very easy to obtain, compile, and install xinetd. You may obtain FAQ information from http://synack.net/xinetd/faq.html, and complete documentation with source and binaries may be obtained from http://www.synack.net/xinetd/. There is also a very good xinetd tutorial which describes installation and configuration (yes, better than this documentation) at http://www.macsecurity.org/resources/xinetd/tutorial.shtml. It is written for users running Linux on a Macintosh, but it applies very well to xinetd and Linux in general.

Compilation and installation

Download the code to a location like “/usr/local/xinetd”, then enter the directory you downloaded xinetd to. Use the following procedure to unpack a source tar file, compile, and install the package:

  1. Type “tar xvzf xinetd-2_1_8_9p3_tar.gz” to unpack the file.
  2. Type “cd xinetd-2.1.8.8.p3” to enter the directory the files were unpacked to.
  3. Read the README and INSTALL files with the commands “less README” and “less INSTALL”.
  4. Type “./configure --with-libwrap --with-loadavg”. Some documentation recommends not using the --with-libwrap option since xinetd supports its own method of providing the same capabilities as hosts.allow and hosts.deny.
  5. Type “make”.
  6. Type “make install”. This will install the man pages xinetd.conf, xinetd.log, xinetd, and itox. These pages will be accessible by typing “man” followed by the name of the page, such as “man xinetd”. It will also install the binary programs xinetd, itox, and xconv.pl.
    1. At this point, you may not have ready access to these programs unless the directory /usr/local/sbin is in your system path. You can find out by issuing the command “env” and looking at the value of your path variable. If the directory is named in the path variable, you are set. If not, you will need to add it to your system path.
    2. If you are only going to require these commands while logged in as root (which is likely), you can edit the .bash_profile file in the root directory (/root/.bash_profile). This assumes you are using the bash shell, otherwise edit the appropriate file for the shell you are running. Add “:/usr/local/bin” to the statement that begins with “PATH”. If no statement starting with “PATH” exists, add the statement “PATH=$PATH:/usr/local/bin”.
    3. If you want this path added for all users, you may add the statements as described above to the /etc/profile file.
  7. The xinetd documentation says to issue the command:

     xconv.pl < /etc/inetd.conf > /tmp/xinetd.conf

     But I recommend using the command:

     xconv.pl < /etc/inetd.conf > /etc/xinetd.conf

     This will create a configuration file for xinetd from your original inetd.conf file.

  8. You now need to start the service. The easy way to do this is to modify the /etc/rc.d/init.d/inet file and replace all occurrences of inetd by xinetd. Since xinetd is installed to /usr/local/sbin rather than /usr/sbin, you will need to account for this in your file modifications or copy xinetd to /usr/sbin.
  9. If you have a problem getting the service to run right consider the following pitfalls:
    • If you converted your inetd.conf file to xinetd.conf, were running with tcp wrappers in inetd, and did not compile tcp wrapper support into xinetd with the option --with-libwrap, you will need to either compile the option in or modify your configuration file so tcp wrappers are no longer used. This can generally be done by moving the first server argument (the real daemon) to the server value; the server arguments are then set to what would have been on the server command line, or the value -1. For instance the entry:
      server = /usr/sbin/tcpd 
      server_args = in.ftpd -l -a

      becomes:

      server = /usr/sbin/in.ftpd 
      server_args = -l -a

      The entry:

      server = /usr/sbin/tcpd 
      server_args = in.telnetd

      becomes:

      server = /usr/sbin/in.telnetd 
      server_args = -1
    • You may need to add the line “groups = yes” to each service. See the xinetd.conf man page.
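
An added example (not from the original page or the xinetd project) that performs the rewrite described in the first pitfall above with a shell function: it assumes server lines are written with spaces around “=”, that the wrapped daemons live under /usr/sbin, and when no arguments remain it drops the server_args line rather than writing the -1 placeholder. The sample configuration is constructed for the example.

```shell
#!/bin/sh
# Rewrite xinetd.conf entries that still run a daemon through tcpd so the real
# daemon is called directly (the manual edit described in the pitfall above).
# Reads an xinetd.conf on stdin and writes the converted file to stdout.
# Assumption: "server = ..." lines have spaces around "=" (xinetd's usual layout).
unwrap_tcpd() {
    awk -v sbindir="${1:-/usr/sbin}" '
    # "server = /usr/sbin/tcpd": hold the line back, remember its indentation
    $1 == "server" && $2 == "=" && $3 ~ /\/tcpd$/ {
        wrapped = 1
        held = $0
        indent = substr($0, 1, index($0, "server") - 1)
        next
    }
    # "server_args = in.ftpd -l -a": first word is the real daemon, the rest
    # are its own arguments; emit server, and server_args only if any remain
    wrapped && $1 == "server_args" && $2 == "=" {
        args = ""
        for (i = 4; i <= NF; i++) args = args (i > 4 ? " " : "") $i
        print indent "server = " sbindir "/" $3
        if (args != "") print indent "server_args = " args
        wrapped = 0
        next
    }
    # entry closed without a server_args line: nothing to unwrap, restore tcpd
    wrapped && $1 == "}" {
        print held
        wrapped = 0
    }
    { print }
    '
}

# Count "server" lines that still point at tcpd, for checking the result.
count_tcpd_servers() {
    awk '$1 == "server" && $3 ~ /\/tcpd$/ { n++ } END { print n + 0 }'
}

# Constructed sample: two entries as xconv.pl emits them with tcp wrappers.
SAMPLE_CONF='service ftp
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/tcpd
        server_args     = in.ftpd -l -a
}

service telnet
{
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/tcpd
        server_args     = in.telnetd
}'

printf '%s\n' "$SAMPLE_CONF" | unwrap_tcpd
```

Run it as `unwrap_tcpd < /etc/xinetd.conf > /etc/xinetd.conf.new` and compare the two files before replacing the original.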

Linux Inetd Network services

Posted: September 27, 2010 in REDHAT 5 LinUX

Services typically provided using inetd include:

  • auth or identd – This is a server that returns user information to a remote host that a user is requesting a service from. It can be run as a stand-alone daemon from the startup scripts.
  • bootpd – A server that allows remote clients to get their IP addresses from a bootp server using the bootp network protocol. This requires the server to have a /etc/bootptab file containing hardware addresses and associated IP addresses for each computer to be serviced. It can be run as a stand-alone daemon from the startup scripts.
  • ftp – File Transfer Protocol. Allows users to transfer files between remote sites.
  • tftp – Trivial File Transfer Protocol. A way for users to transfer files to/from remote machines without logging in. Normally this transfer is limited to specific areas and is normally used for transferring files to clients which are needed for remote booting.
  • telnet – A protocol used to open user sessions from remote sites.
  • exec – in.rexecd – Remote execution server allows remote users to execute commands on the system provided they have proper authorization.
  • rlogin – An older method of opening remote sessions, being replaced by telnet.
  • rsh – Remote shell, used to execute commands on a remote host.
  • talk – A communication program that allows two users to talk by copying lines from one user’s terminal to the other.
  • finger – Allows users to get information about users currently logged in on the local system or remote systems.
  • comsat – A server that notifies users when they have received mail. The biff program is used to turn comsat service on and off for each user.
  • pop-2 – ipop2d – Supports POP2 remote mail access protocol.
  • pop-3 – ipop3d – Supports POP3 remote mail access protocol.
  • imap – imapd – Supports the IMAP4rev1 remote mail access protocol which is more powerful than POP3. See RFC 2060.
  • uucp – uucico – The daemon that processes Unix to Unix copy (UUCP) file transfer requests that were queued by uucp or uux.
  • netstat – Displays network connections, routing tables, and other networking information about a system. This works on the local system and over a network.
  • swat – A Samba web administration tool allowing the administrator to configure the /etc/smb.conf file using a web browser.

These services can be controlled (added/removed) by adding or deleting (commenting out) lines in the file “/etc/inetd.conf”. If you make a change to this file, you will want to restart the inetd daemon with the command:

killall -HUP inetd

Although you can normally use inetd to run services such as Samba and BOOTP, I recommend using the startup script files, which can be configured using the program “linuxconf” and selecting “Control service activity”. If these services are used often, you will want to run them directly through the startup scripts. To conserve system resources, you may want to use inetd to control these services if they won’t be used very often, but you can’t run them using the startup scripts and using inetd at the same time.

The inetd configuration file

The file /etc/inetd.conf is used to configure these networking services. Its format is:

service    socket type    protocol    flags    user    server path    server arguments

It is explained in more detail in the “How Linux Works” document.

Limiting services to your machine to specific addresses

  1. If your system is not already set up for services to go through the tcpd daemon (tcp wrappers) rather than the usual daemon, substitute the following in the “/etc/inetd.conf” file.
    Change lines like this:
       		finger	stream	tcp	nowait	nobody	/usr/etc/in.fingerd	in.fingerd
    To this:
       		finger	stream	tcp	nowait	nobody	/usr/sbin/tcpd		in.fingerd
  2. Change the /etc/hosts.deny file so the following lines are included (with the comments):
    ALL: ALL
    ALL: PARANOID
  3. Change the /etc/hosts.allow file to allow services to the desired TCP/IP addresses. Ex:
    ALL:  10.1.0.153, 10.1.2.252
    fingerd: 10.1.1.3
    Note:  To see the address of your Windows box, select Run and run winipcfg.
  4. Reset the inetd daemon by issuing the command “killall -HUP inetd”.

To disable a network service completely

To disable remote services like finger, who, and w, you will want to modify your /etc/inetd.conf file. To disable finger services for example, change the /etc/inetd.conf file so the line that says “in.fingerd” at the end, is commented out. Do the same for any other services you do not want to run. Then make the inetd daemon reload its configuration file and restart with the command “killall -HUP inetd”.
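
An added example, not part of the original page: a small shell audit of the configuration the two sections above describe. It lists the enabled inetd.conf services, flags those whose server path is not tcpd (so hosts.allow and hosts.deny never apply to them), and checks that hosts.deny carries the “ALL: ALL” default-deny line. The sample files are constructed here; the functions work on the real /etc files as well.

```shell
#!/bin/sh
# Audit helpers for the inetd + tcp wrappers setup described above.

# Print the enabled (uncommented) services in an inetd.conf, one per line.
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Print enabled services whose server path is neither tcpd nor inetd's own
# "internal" handler: these never consult hosts.allow / hosts.deny.
unwrapped_services() {
    awk '!/^[ \t]*#/ && NF >= 6 && $6 !~ /\/tcpd$/ && $6 != "internal" { print $1 }' "$1"
}

# Succeed (exit 0) only if hosts.deny carries the "ALL: ALL" default-deny line.
has_default_deny() {
    grep -Eq '^[ \t]*ALL[ \t]*:[ \t]*ALL([ \t]|$)' "$1"
}

# Human-readable report over a directory holding inetd.conf and hosts.deny.
audit_inetd() {
    echo "Enabled services: $(enabled_services "$1/inetd.conf" | tr '\n' ' ')"
    for s in $(unwrapped_services "$1/inetd.conf"); do
        echo "WARNING: $s bypasses tcpd, hosts.allow/hosts.deny do not apply to it"
    done
    has_default_deny "$1/hosts.deny" ||
        echo "WARNING: $1/hosts.deny has no 'ALL: ALL' line, unlisted hosts are allowed"
}

# Constructed sample files (not a real system's configuration).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# service socket protocol flags user server_path server_args
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd      in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd      in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd      in.fingerd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd   in.rshd
echo    stream  tcp     nowait  root    internal
EOF
cat > "$SAMPLE_DIR/hosts.deny" <<'EOF'
ALL: ALL
ALL: PARANOID
EOF
cat > "$SAMPLE_DIR/hosts.deny.weak" <<'EOF'
ALL: PARANOID
EOF

audit_inetd "$SAMPLE_DIR"
```

Point `audit_inetd` at /etc to check a live system; the commented-out finger line in the sample shows that disabling a service the way the section above describes also drops it from the enabled list.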

Linux Novell Access and Printing

Posted: September 27, 2010 in REDHAT 5 LinUX

Novell Network Access

Use the package ncpfs. The function ncpmount can then be used to mount network drives.

  1. Add the line “ipx_configure --auto_interface=on --auto_primary=on” to the end of the file “/etc/rc.d/rc.local”.
    Note: Use “ps ax | more” if you want to see all processes, including daemons.
  2. Type “slist” for a list of available servers on the network (Note, you must log onto the network using the “ncpmount” command before you can see a list of available servers or printers.)
  3. ncpmount – mount all the volumes on a specified Novell fileserver.
    Ex: ncpmount -S main_serv1 -U george /mnt/network
  4. Note: If you want all users to have this capability, you must install ncpmount suid root. Do the following:
    cd /usr/bin
    chmod +s ncpmount
    chmod +s ncpumount
  5. When done use ncpumount to unmount the drive.

Misc notes:
Type “pqlist” for a list of print spoolers.
Type “slist” for list of servers on the network.

Network Printing setup and use

If you are using Novell:

  1. After setting ipx_configure up in the above section, log onto the desired network server using ncpmount. I have written a “neton” and a “netoff” script file. To log on, type “neton” and your username on the same line. To log off, type “netoff”. These script files are placed in “/usr/bin”.
  2. Find out what printers are available on the server you’re logged in on by typing “pqlist -S servername”. Ex: pqlist -S main_serv1
  3. Type “nprint -S server -U username -P password -q queuename -d jobdescription file”. Ex: nprint -S main_serv1 -q HP_lprinter

To set up the printers:
If you are running Redhat Linux you may want to use printtool to set up your printer. To do this, type “startx” to begin an X session. Then bring up a terminal program and type “printtool”. When the printtool screen appears, select “add” to add a printer. The following is an example of a completed menu:

Names (name1|name2|…) lp
Spool Directory /var/spool/lpd/lp
File Limit in Kb (0 – no limit) 0
Printer Server Name main_serv1
Print Queue Name HP_lprinter
User george
Password ******
Input Filter *auto* – LaserJet4

Don’t forget to enable LF to CRLF translation if you will be printing Windows or DOS files. The name is the name you want to call this printer. You could call it fred. The spool directory is where the spool files and any other files for this printer will be stored. Usually I call it “/var/spool/lpd/printername”. The file limit limits the size of the spool files. The print server name is the name of the server the printer is on. For a Novell system, a list of servers can be found (after logging on) by typing “slist”. The print queue name is the name of the printer on the server. On a Novell system it can be found by typing “pqlist -S servername” after logging on. The user and password are the username and password you use to log on to the network. The input filter is set up by printtool. There is no way, that I currently know of, to specify your own custom filter using printtool directly. Below is an example “/etc/printcap” file created by printtool:

# /etc/printcap
#
# Please don’t edit this file directly unless you know what you are doing!
# Be warned that the control-panel printtool requires a very strict format!
# Look at the printcap(5) man page for more info.
#
# This file can be edited with the printtool in the control-panel.

##PRINTTOOL3## NCP ljet4 300x300 letter {} LaserJet4 Default 1
lp:\
        :sd=/var/spool/lpd/lp:\
        :mx#0:\
        :sh:\
        :if=/var/spool/lpd/lp/marktest:\
        :af=/var/spool/lpd/lp/acct:\
        :lp=/dev/null:

##PRINTTOOL3## NCP ljet4 300x300 letter {} LaserJet4 Default {}
mylp:\
        :sd=/var/spool/lpd/mylp:\
        :mx#0:\
        :sh:\
        :af=/var/spool/lpd/mylp/acct:\
        :lp=/dev/null:\
        :if=/var/spool/lpd/mylp/filter:

In the script program “/var/spool/lpd/mylp/filter” the contents of the printed file are received as standard input. The type of file on standard input can be determined by the command “file -”, where the “-” indicates standard input. There is an undocumented program, apparently for rewinding standard input, probably written by Redhat, called “rewindstdin”. This is used to allow the script file to look at the printer file several times. A variable string called “bestpath” is built. For most standard text files this string will include “cat - |”.

For other systems, use a program to format data to avoid the staircase effect like:

  • magicfilter
  • The Redhat printtool. Become root and run printtool. Be sure to SETENV DISPLAY :0.0 and “xhost +”.

Below is a list of files and programs that apply to printing.

  • lpd – Print daemon to provide print services to linux
  • /etc/printcap – Printer capability data base
  • smbclient – Used to print through Samba.
  • nprint – Netware print client
  • pqlist – Netware list of printers
  • pserver – Netware print server (daemon)

To see a list of printers on Netware server “main_serv1”, type “pqlist -S main_serv1”

A listing of the script file “neton”:

main_serv1 $1

A listing of the script file “netoff”:

usernetwork=$HOME/main_serv1
ncpumount "$usernetwork"

A listing of the script file “main_serv1”:

netserv $0 $1

A listing of the script file “netserv”:

#!/bin/bash
# netserv: mount Novell server $1 for user $2 on $HOME/<server name>
usernetwork=$HOME/$1
status=1

# Create the mount point if it does not exist yet
if test -d "$usernetwork"
then
   echo "Mounting on $usernetwork"
else
   if mkdir "$usernetwork"
   then
      echo "$usernetwork directory created"
   else
      echo "Failure creating $usernetwork"
      status=0
   fi
fi

# Only attempt the mount when the mount point is available
if [ $status -eq 1 ]
then
   if ncpmount -S "$1" -U "$2" "$usernetwork"
   then
      echo "$1 server mounted for user $2 on $usernetwork"
   else
      echo "Failure mounting $1 server for user $2 on $usernetwork"
   fi
fi

Linux Network Tools and Terms

Posted: September 27, 2010 in Uncategorized

Linux Networking Tools

arp Address resolution protocol Type “arp -a” to display entries in the arp cache.
ifconfig A command line tool used to configure a network interface. There is a man page available for this program.
ifdown Shuts down a network interface
ifup Starts a network interface such as eth0 or ppp0
ipchains A tool used to administer firewall rules.
netconf The Redhat GUI network configuration tool.
netconfig Another network configuration tool which is usually run when the system is installed. Netconf is better.
netstat Type “netstat -rn” to see the routing table. Type “netstat -in” to see the interface info.
nslookup Used to test DNS configuration by querying DNS servers.
ping A network tool used to send ICMP test packets to other hosts to determine if they can respond or are reachable.
ripquery A tool to query some routers for their routing table.
route Typing “route -n” will show the routing table
tcpdump A network sniffer tool used to dump headers of packets on a network interface.
traceroute Sends data to a remote host to a port that doesn’t exist with a TTL field at 1,2,etc to get the intermediate hosts to send back their addresses reporting errors. The destination will report an unreachable port error sending its address.

Networking terms

  • ARP – Address resolution protocol. Used to translate between hardware addresses (ethernet ports) and IP addresses and vice versa. Uses broadcast messages for resolution.
  • BOOTP – A protocol used to allow client computers to get their IP address from a BOOTP server. DHCP supersedes, though does not replace, this protocol.
  • DHCP – Dynamic Host Configuration Protocol, allows clients to get their IP addresses from a DHCP server. This system “leases” IP addresses to clients for limited periods of time. If the client has not used their IP address within the lease time, the IP address is free for re-assignment.
  • ICMP – Internet Control Message Protocol. Part of the IP layer. Communicates error messages and other messages that require attention.
  • IGMP – Internet Group Management Protocol. Protocol used to manage multicasting through routers.
  • IP – Three kinds of IP addresses are unicast, broadcast and multicast.
  • MBONE – Used to refer to a network that supports multicasting.
  • NIS – Network information service, is a name service created by Sun Microsystems.
  • NFS – Network File System, allows two Unix style computers to mount and access part or all of a file system on a remote computer.
  • OSPF – Open Shortest Path First dynamic routing protocol intended as a replacement for RIP.
  • PPP – Point to point protocol is a serial protocol commonly used to connect using a modem to the internet
  • RARP – Reverse ARP, used for clients to determine their IP addresses.
  • RIP – Routing Information Protocol, used by almost all TCP/IP implementations to perform dynamic routing.
  • RPC – Remote procedure call is a set of function calls used by a client program to call functions in a remote server program.
  • SLIP – Serial line internet protocol
  • SMTP – Simple mail transport protocol, commonly used as the mail message transport protocol.
  • SNMP – Simple network management protocol.
  • UDP – User Datagram Protocol, a transport layer protocol
  • UUCP – Unix to Unix copy is a protocol that allows Unix computers to exchange files.

Linux Networking Setup

Posted: September 27, 2010 in REDHAT 5 LinUX

Required Information

To enable networking, you must configure your network interface card or cards with an IP address and netmask. The kernel must have support for your cards compiled in, either as modular support or direct support. If you don’t have kernel support, read the sections about the kernel and how to compile it. To set your cards up, do the following. In my example my network is 192.168.1.0, IP=192.168.1.100, broadcast=192.168.1.255, netmask=255.255.255.0, gateway=192.168.1.1, nameserver=192.168.1.10.

  1. Determine your machine's IP address from your network administrator.
  2. Your network mask. This determines which portion of the IP address specifies the subnetwork number and which portion specifies the host.
    Class C (most networks) 255.255.255.0
    Class B 255.255.0.0
  3. Your network address, which is your IP address bitwise ANDed with the network mask.
    Ex: IP: 192.168.1.100 Mask: 255.255.255.0 Net Addr: 192.168.1.0
  4. Your broadcast address. Used to broadcast packets to every machine on your subnet.
    Ex: IP: 192.168.1.100 Mask: 255.255.255.0 Broadcast: 192.168.1.255
  5. Your gateway address. The address of the machine that is your gateway to the outside world.
    In many cases: Ex: IP: 192.168.1.100 Gateway: 192.168.1.1
  6. Your nameserver address. Translates host names into IP addresses. 192.168.1.10

Configuration tools

There are many network configuration tools today. They are:

netconf A GUI interactive interface available on Redhat 6.1
linuxconf A GUI interactive interface available on Redhat 6.1 which includes netconf configuration.
netconfig A GUI step by step interface
ifconfig A text based program to configure the network interface. Type “man ifconfig” for info.

These programs will modify values in the following files:

  • /etc/sysconfig/network – Defines your network and some of its characteristics.
  • /etc/HOSTNAME – Shows the host name of this host. If your name is “myhost” then that is exactly the text this file will contain.
  • /etc/resolv.conf – Specifies the domain to be searched for host names to connect to, the nameserver address, and the search order for the nameservers.
  • /etc/host.conf – Specifies the order nameservice looks to resolve names.
  • /etc/hosts – Shows addresses and names of local hosts.
  • /etc/networks – Provides a database of network names with network addresses similar to the /etc/hosts file. This file is not required for operation.
  • /etc/sysconfig/network-scripts/ifcfg-eth* – There is a file for each network interface. This file contains the IP address of the interface and many other setup variables.

Analysis Tools

  • netstat – Displays information about the system's network connections, including port connections, routing tables, and more. The command “netstat -r” will display the routing table.
  • traceroute – This command can be used to determine the network route from your computer to some other computer on your network or the internet. To use it, type “traceroute IPaddress” with the address of the computer you want to see the route to.
  • nslookup – Used to query DNS servers for information about hosts.
  • arp – This program lets the user read or modify their arp cache.
  • tcpdump – This program allows the user to see TCP traffic on their network.
  • dig(1) – Send domain name query packets to name servers for debugging or testing.

Manual Configuration

You can use one of the above tools or configure the network the old fashioned way as follows:

  1. First, to use networking on any permanent basis you should set up the file /etc/sysconfig/network similar to the example shown below.
  2. Assign an IP address with “ifconfig eth0 192.168.1.100 netmask 255.255.255.0 up”.
  3. Tell your machine that a hub is ready for information with the command “route add -net 192.168.0.0 netmask 255.255.255.0 eth0”.
  4. To contact hosts outside your network, if a machine with IP address 192.168.1.1 is the gateway, use the command “route add default gw 192.168.1.1 eth0”.
  5. If using a dialup connection, use the command “route add default ppp0”. The word default says that if the packet is not for a machine on your local network, send it to the default device.

These settings are not permanent, but go away the next time you boot. They are normally set up in the directory /etc/sysconfig/network-scripts. Add the network interface to the file /etc/sysconfig/network-scripts/ifcfg-eth*. For example, the file ifcfg-eth0 is for the first ethernet interface, ifcfg-eth1 for the second, and ifcfg-lo is for the local (loopback) interface. An example file from my system is:

DEVICE="eth0"
IPADDR="192.168.1.100"
NETMASK="255.255.0.0"
ONBOOT="yes"
BOOTPROTO="none"
IPXNETNUM_802_2=""
IPXPRIMARY_802_2="no"
IPXACTIVE_802_2="no"
IPXNETNUM_802_3=""
IPXPRIMARY_802_3="no"
IPXACTIVE_802_3="no"
IPXNETNUM_ETHERII=""
IPXPRIMARY_ETHERII="no"
IPXACTIVE_ETHERII="no"
IPXNETNUM_SNAP=""
IPXPRIMARY_SNAP="no"
IPXACTIVE_SNAP="no"

Unless you know what you’re doing it is best to use a network configuration tool. I cannot guarantee the accuracy of how to set these files up on your system.

Configuring an interface for multiple IP addresses

If you want to configure your network card to act as more than one IP address, issue the following command:

ifconfig dummy 192.168.1.102 netmask 255.255.255.0

This uses the dummy system interface capability supported in the kernel to setup another virtual interface which operates at IP address 192.168.1.102. Substitute the IP address that you want your virtual interface to be with an appropriate netmask for your network. To disable this, issue the following command.

ifconfig dummy down

Another way to use multiple IP addresses on one ethernet card is to set up a new file in your /etc/sysconfig/network-scripts directory. Copy your ifcfg-eth0 file to ifcfg-eth0:0. Edit that file and rename the device to “eth0:0” and the IP address to the desired IP address. You may also want to modify BROADCAST, NETWORK, or NETMASK. You can continue adding IP addresses by using :1, :2, etc., such as ifcfg-eth0:2.

To make it effective, you must reboot your system or issue the command “/etc/rc.d/init.d/network restart” as root.

Dynamically allocated IP addresses

To get the IP address of a dynamically allocated network interface in a script file enter the following:

dynip=`/sbin/ifconfig | grep -A 4 ppp0 | awk '/inet/ { print $2 }' | sed -e s/addr://`

Substitute the correct interface that you get your dynamic IP address in for ppp0 in the example above. This script line gets your dynamic IP address for use in a masquerade script. You can use the variable $dynip as in any other configuration. The next time you make a new connection you will need to extract the dynip value again and re-run the masquerade script.

Networking file formats, examples and considerations

Below is some more in-depth information about the networking files.

  • /etc/sysconfig/network
    The /etc/inittab file contains the entry “si::sysinit:/etc/rc.d/rc.sysinit” which causes the system at startup to run the rc.sysinit script. The rc.sysinit file expects to find the file /etc/sysconfig/network if networking is to be enabled.
    The network file looks like this:

    NETWORKING=yes
    FORWARD_IPV4=false
    HOSTNAME=mymachine.mycompany.com
    DOMAINNAME=mycompany.com
    GATEWAY=192.168.1.1
    GATEWAYDEV=eth0

    Where GATEWAYDEV is the network interface card that is attached to the network the gateway machine is on. The GATEWAY is the actual IP address of the gateway machine.

  • /etc/hosts – Defines local hosts.
    127.0.0.1	localhost	localhost.localdomain
    192.168.1.100	mymachine.mycompany.com	mymachine
  • /etc/services – Internet network services list. It associates port numbers with names of services. The file contains three fields which are name, port/protocol, and aliases with an optional comment.
  • /etc/protocols – Describes DARPA internet protocols available from the TCP/IP subsystem. Maps protocol ID numbers to protocol names. It includes protocol name, number, and aliases. The protocol file on my system:
    # /etc/protocols:
    # $Id: protocols,v 1.1 1995/02/24 01:09:41 imurdock Exp $
    #
    # Internet (IP) protocols
    #
    #	from: @(#)protocols	5.1 (Berkeley) 4/17/89
    #
    # Updated for NetBSD based on RFC 1340, Assigned Numbers (July 1992).
    
    ip	0	IP		# internet protocol, pseudo protocol number
    icmp	1	ICMP		# internet control message protocol
    igmp	2	IGMP		# Internet Group Management
    ggp	3	GGP		# gateway-gateway protocol
    ipencap	4	IP-ENCAP	# IP encapsulated in IP (officially ``IP'')
    st	5	ST		# ST datagram mode
    tcp	6	TCP		# transmission control protocol
    egp	8	EGP		# exterior gateway protocol
    pup	12	PUP		# PARC universal packet protocol
    udp	17	UDP		# user datagram protocol
    hmp	20	HMP		# host monitoring protocol
    xns-idp	22	XNS-IDP		# Xerox NS IDP
    rdp	27	RDP		# "reliable datagram" protocol
    iso-tp4	29	ISO-TP4		# ISO Transport Protocol class 4
    xtp	36	XTP		# Xpress Tranfer Protocol
    ddp	37	DDP		# Datagram Delivery Protocol
    idpr-cmtp	39	IDPR-CMTP	# IDPR Control Message Transport
    rspf	73	RSPF		#Radio Shortest Path First.
    vmtp	81	VMTP		# Versatile Message Transport
    ospf	89	OSPFIGP		# Open Shortest Path First IGP
    ipip	94	IPIP		# Yet Another IP encapsulation
    encap	98	ENCAP		# Yet Another IP encapsulation
  • /etc/named.conf – Used for domain name service to configure named. Other files used are dependent on this file. This file is explained further in the DNS section.
  • /etc/resolv.conf – Specifies the domain to be searched for host names to connect to, the nameserver address, and the search order for the nameservers.
    domain mycompany.com
    search mycompany.com mynet.net
    nameserver 192.168.1.100
    nameserver 192.168.199.1
    nameserver 192.168.1.10

    The third line specifies that DNS should be tried on my machine first then use the normal nameserver on the fifth line. The fourth line specifies that my machine is running nameservices on another network which is using interface 192.168.199.1. This assumes the nameserver is set up on my machine which is explained in another section.

  • /etc/host.conf – Specifies the order nameservice looks to resolve names. An example file:
    	order hosts, bind
    	multi on
    	nospoof on

    The order specifies that when resolving names, first look in the /etc/hosts file, then use BIND8 (DNS) to resolve the name. The line “multi on” specifies that all valid addresses for a host found in the hosts file should be returned.

The files in /etc/sysconfig/network-scripts control your network interfaces. The network interface file is described above in the section “Manual Configuration”. If you want or need more in depth knowledge about how these files are used, you will need to read the document “How Linux Works CTDP Guide” or “The CTDP Linux Startup Manual”. Otherwise you will need to analyze the system startup scripts which is no small task.

Older X windows configuration

In X Windows a working configuration is set up as follows:

NAMES:
hostname: mymachine.mycompany.com
Domain: mycompany.com
Nameservers: 192.168.1.10
HOSTS:
IP – 192.168.1.100
Name – mymachine.mycompany.com
INTERFACES:
Interface – eth0
IP- 192.168.1.100
proto – none
atboot – yes
Netmask: 255.255.255.0
Network: 192.168.1.0
Broadcast: 192.168.1.255
ROUTING:
Default gateway: 192.168.1.1
Default gateway device: eth0
Interface – 192.168.1.100
Network Address – 192.168.1.0
Network gateway 192.168.1.1
Netmask – 255.255.255.0

Routing

Routing table information is used to route incoming and outgoing network datagrams to other machines. On most simple configurations, there are three routes: one for sending packets to your own machine, one for sending packets to other machines on your network, and one for sending packets to other machines outside your network through the gateway. Two programs (ifconfig and route) are used to configure these parameters. They are described in more detail in the routing section.

Using Linux PAM

Posted: September 24, 2010 in Uncategorized

PAM stands for Pluggable Authentication Modules. PAM is a library, used to control the function of various applications that have the capability to use the PAM libraries. PAM is based on a series of library modules, some of which depend on configuration files. Locations of PAM configuration files and library modules are:

  • All PAM applications are configured in the directory “/etc/pam.d” or in a file “/etc/pam.conf”.
  • The library modules are normally stored in the directory “/lib/security”.
  • The configuration files are located in the directory “/etc/security”.

To configure PAM, on systems already set up for it, you would need to edit the files for the service you want to modify in the “/etc/pam.d” directory, and modify the appropriate configuration file in the directory “/etc/security”. This page will explain how to set up the configuration files and how to configure the modules so applications can use them.

The PAM configuration files

PAM is controlled by a main configuration file (/etc/pam.conf) or a control directory (/etc/pam.d). Some PAM modules' behavior is controlled with configuration files (in /etc/security) as listed below:

  • access.conf – Login access control. Used for the pam_access.so library.
  • group.conf – Group membership control. Used for the pam_group.so library.
  • limits.conf – Set system resource limits. Used for the pam_limits.so library.
  • pam_env – Control ability to change environment variables. Used for the pam_env.so library.
  • time – Allows time restrictions to be applied to services and user privileges. Used for the pam_time.so library.

The main pam.conf file or the /etc/pam.d files

The configuration for PAM is normally in the /etc/pam.d directory, which has one file for each PAM-controlled application; the file name is the service name the application passes to PAM. This file or directory is used to control the behavior of applications that use the PAM modules. Some examples of PAM-controlled applications are login, samba, and shutdown. PAM is controlled using either the configuration file /etc/pam.conf or the configuration directory, but not both: if /etc/pam.d exists, /etc/pam.conf is ignored. A general configuration line in one of the PAM application configuration files has the following form:

module-type   control-flag   module-path   arguments

If the /etc/pam.conf file is used to control PAM rather than the /etc/pam.d directory structure, the pam.conf lines are the same except they have an additional parameter at the start which is “service-name”. The various parameters on each line are:

  1. service-name (only in /etc/pam.conf, not in the per-service files) – The name of the service, such as rlogin or ftp.
  2. module-type – The type of the PAM module used, one of:
    1. auth – Authenticates the user to be sure they are who they claim to be, usually by asking for a password and checking it, and sets credentials such as group memberships or Kerberos tickets.
    2. account – Checks whether the authenticated user is allowed access based on conditions such as available system resources, the maximum number of users, or the location of the user. Access can be denied if the account has expired or the user is not allowed to log in at this time of day.
    3. password – Used to set or change passwords. Typically there is one password module for each auth module that checks a password.
    4. session – Does what needs to be done before or after a user is given service once they have been authenticated, such as logging the opening and closing of a session with the user or mounting directories. This module may make the user's mailbox available.
  3. control-flag
    1. required – The success of the module is required for the module-type facility to succeed. Failure of this module will not be apparent to the user until all of the remaining modules (of the same module-type) have been executed.
    2. requisite – If the module returns a failure, control is returned directly to the application. The return value is that associated with the first required or requisite module to fail. This flag can be used to protect against the possibility of a user getting the opportunity to enter a password over an unsafe medium.
    3. sufficient – If this module succeeds and no previous required module has failed, no more stacked modules of this type are invoked; in particular, any required modules listed after it do not run. A failure of this module is not deemed fatal to satisfying the application that this module-type has succeeded.
    4. optional – This module is not critical to the success or failure of the user's application for service. In the absence of any definite successes or failures of previous or subsequent stacked modules, this module will determine the nature of the response to the application.
  4. module-path – The path and file name of the PAM library used to control the function.
  5. arguments – Arguments are optional and vary from module to module.

My “/etc/pam.d/rlogin” file looks like this:

#%PAM-1.0
auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_pwdb.so shadow nullok
auth       required	/lib/security/pam_nologin.so
account    required	/lib/security/pam_pwdb.so
password   required	/lib/security/pam_cracklib.so
password   required	/lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required	/lib/security/pam_pwdb.so
session    optional	/lib/security/pam_console.so
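A configuration audit that runs over pam.d-style files is added here as a worked example; it is not code from the original page, and the three checks and their message texts are this example's own. It flags the two "nullok" arguments in the rlogin file above (nullok lets an account whose shadow entry has an empty password field log in without typing a password), pam_permit.so in an auth stack, and the ordering mistake where a gate module such as pam_securetty.so is listed after a sufficient module and therefore never runs once that module succeeds. The files it audits are constructed in a temporary directory: the rlogin file shown above plus a deliberately broken "demo" service.

```shell
#!/bin/sh
# pam_audit DIR: scan the pam.d-style directory DIR for settings that
# weaken authentication and print one finding per line as
# "<service>:<line>: <message>". Added example, not part of the original
# page; the three checks and their wording are this example's own.
pam_audit() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v name="$(basename "$f")" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        {
            type = $1; flag = $2; module = $3
            sub(/^.*\//, "", module)            # keep only the module file name
            # 1. nullok lets an account whose shadow entry has an empty
            #    password field log in without typing a password.
            for (i = 4; i <= NF; i++)
                if ($i == "nullok")
                    printf "%s:%d: nullok permits empty passwords\n", name, NR
            # 2. pam_permit.so always succeeds; in the auth stack it
            #    authenticates anyone.
            if (type == "auth" && module == "pam_permit.so")
                printf "%s:%d: pam_permit.so in auth stack accepts any user\n", name, NR
            # 3. Once a "sufficient" auth module succeeds, the rest of the
            #    auth stack is skipped, so gate modules listed after it
            #    never get to refuse the login.
            if (type == "auth" && flag == "sufficient")
                short_circuit = NR
            if (type == "auth" && short_circuit &&
                (module == "pam_securetty.so" || module == "pam_nologin.so" ||
                 module == "pam_access.so"))
                printf "%s:%d: %s is skipped when the sufficient module on line %d succeeds\n",
                       name, NR, module, short_circuit
        }' "$f"
    done
}

# Constructed sample directory: the rlogin file shown above, plus a "demo"
# service written deliberately wrong.
sample=$(mktemp -d)
cat > "$sample/rlogin" <<'EOF'
#%PAM-1.0
auth       required    /lib/security/pam_securetty.so
auth       required    /lib/security/pam_pwdb.so shadow nullok
auth       required    /lib/security/pam_nologin.so
account    required    /lib/security/pam_pwdb.so
password   required    /lib/security/pam_cracklib.so
password   required    /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required    /lib/security/pam_pwdb.so
session    optional    /lib/security/pam_console.so
EOF
cat > "$sample/demo" <<'EOF'
auth       sufficient  /lib/security/pam_permit.so
auth       required    /lib/security/pam_securetty.so
EOF
pam_audit "$sample"
rm -rf "$sample"
```

For the constructed samples the audit prints four lines: demo:1 (pam_permit.so), demo:2 (pam_securetty.so skipped), and rlogin:3 and rlogin:7 (nullok). To audit a live system, run pam_audit /etc/pam.d. The third check is deliberately narrow: "sufficient" followed by "required" is a normal pattern when the trailing module is pam_deny.so, so only modules whose purpose is to refuse a login are reported.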

Linux Configuration

Posted: September 24, 2010 in Uncategorized

In this section, the configuration tool, “linuxconf” is discussed. This configuration tool provides a means to configure much of the system. In this section, attempts are made to describe the files where this configuration information is stored (unless documented in other sections), however its accuracy cannot be guaranteed, and these files will vary somewhat from one Linux system to another.

When fully expanded, the linuxconf menu includes the following:

  • Config
    • Networking
      • Client tasks
        • Basic host information
        • Name server specification (DNS)
        • Routing and Gateways
          • Defaults
          • other routes to networks
          • other routes to hosts
          • routes to alternate local nets
          • the routed daemon
        • Host name search path
        • Network Information System (NIS)
        • IPX interface setup
        • PPP/SLIP/PLIP
      • Server tasks
        • Exported file systems (NFS)
        • IP aliases for virtual hosts
        • Apache Web server
          • Defaults
          • Virtual domains
          • Sub-directory specs
          • Files specs
          • Modules
          • Performance
          • mod_ssl configuration
        • Domain Name Server (DNS)
          • Config
            • domains
            • IP reverse mappings
            • secondaries
            • forward zones
            • forwarders
            • features
            • IP allocation space
          • Add/Edit
            • host information by domain
            • (quick edit)
          • Security
            • Access control lists
            • Access control
        • Mail delivery system (sendmail)
          • Basic
            • Basic information
            • special (domain) routing
            • complex (user) routing
            • masquerading rules
            • mail to fax gateway
            • virtual email domain
            • the mail queue
            • user aliases
            • virtual domain user aliases
            • /etc/sendmail.cf
          • Anti-spam filters
            • Rejected senders
            • ‘Relay for’ by IP
            • ‘Relay for’ by name
            • Relay to hosts
        • Samba file server
          • Defaults
          • Default setup for user’s home
          • Default setup for printers
          • Netlogon setup
          • Disk shares
        • Ftp server (wu-ftpd)
          • Basic configuration
          • Virtual hosts
      • Misc
        • Information about other hosts
        • Information about other networks
        • Linuxconf network access
    • Users accounts
      • Normal
        • User accounts
        • Group definitions
        • Change root password
      • Special accounts
        • PPP accounts
        • SLIP accounts via normal login
        • UUCP accounts
        • POP accounts (mail only)
        • Virtual POP accounts (mail only)
      • Email aliases
        • user aliases
        • virtual domain user aliases
      • Policies
        • Password & account policies
        • Available user shells
        • Available PPP shells
        • Available SLIP shells
        • Message of the day – Allows you to type a new message of the day to be displayed on the console when a user logs in. This file is stored in /etc/motd.
    • File systems
      • Access local drive
      • Access nfs volume
      • Configure swap files and partitions
      • Set quota defaults
      • Check some file permissions
    • Miscellaneous services
      • Initial system services
      • Modem
    • boot mode
      • Lilo
        • LILO defaults (linux boot loader)
        • LILO linux configurations
        • LILO other OS configurations
        • default boot configuration
        • a new kernel
        • a kernel you have compiled
      • Mode
        • default boot mode
  • Control
    • Control panel
      • Activate configuration
      • Shutdown/Reboot
      • Control service activity
      • Mount/Unmount file systems
        • Control configured local drives
        • Control configured nfs volumes
        • Mount other NFS file systems
      • Configure superuser scheduled tasks
      • Archive configurations
      • Switch system profile
      • Control PPP/SLIP/PLIP links
    • Control files and systems
      • Configure all configuration files
      • Configure all commands and daemons
      • Configure file permission and ownership
      • Configure Linuxconf modules
      • Configure system profiles
      • Override Linuxconf addons
      • Create Linuxconf addons – This section allows a newly installed package to be managed using linuxconf
    • logs
      • Boot messages
      • Linuxconf logs – Shows all configuration commands issued by linuxconf
    • date & time – Allows the time zone to be set, and whether the hardware clock is stored in GMT or local time. It also lets the date and time be set.
    • Features – Defines special behavior of linuxconf including the keyboard map (/etc/sysconfig/keyboard), language selection, and html timeout.

System and Network Configuration

  • linuxconf – A GUI interactive interface available on Redhat 6.0 or later which includes netconf configuration.
  • netconf – A GUI interactive interface available on Redhat 6.0 and later.
  • kbdconf – A Redhat Linux tool which configures the /etc/sysconfig/keyboard file which specifies the location of the keyboard map file. This is a GUI based tool.
  • mouseconfig – A Redhat Linux tool used to configure the /etc/sysconfig/mouse file. This is a GUI tool.
  • timeconfig – A Redhat Linux tool used to configure the /etc/sysconfig/clock file. This is a GUI tool used to set timezone and whether or not the clock is set to GMT time.
  • kernelcfg – A Redhat kernel configuration utility to be started from X.
  • stty – Used to configure and print the console devices.
  • setterm – Set terminal attributes.
  • vmstat – Report statistics on virtual memory.

X Configuration

  • XF86Setup – A newer X configuration program with a GUI interface which modifies the “/etc/X11/XF86Config” configuration file.
  • xf86config – An older X configuration program with a text based interface. It also modifies the “/etc/X11/XF86Config” configuration file.
  • Xconfigurator – The Redhat tool used during system setup to configure X.
  • SuperProbe – A program that probes the video card to determine its type for use with setting up X.
  • xvidtune – This program will test video modes on the fly without modification to your X configuration. Read the /usr/X11R6/lib/X11/doc/VideoModes.doc file before running this program.

Library and kernel Dependency Management

Library management:

  • ldd – Used to determine shared libraries used by binary files. Type “ldd /bin/ls” to see the shared libraries used by the “ls” command.
  • ldconfig – Used to update links and cache for system use of the most recent runtime shared libraries.

Kernel Management:

  • lsmod – List currently installed kernel modules.
  • depmod – Creates a dependency file, “modules.dep” in the directory “/lib/modules/x.x.x”, later used by modprobe to automatically load the relevant modules.
  • insmod – Installs a loadable kernel module into the running kernel.
  • rmmod – Unloads modules, Ex: rmmod ftape
  • modprobe – Loads a module together with the modules it depends on, using the dependency information in "modules.dep". It is the usual way to load a module; insmod loads a single module file without resolving dependencies.

General Diagnostic

System resources

  • free – Show system memory availability and usage
  • df – Show the amount of disk free space on each mounted filesystem.
  • du – Show disk usage
  • lspci – List PCI devices
  • pnpdump – Lists ISA PNP device resource information.
  • vmstat – Reports virtual memory statistics.

Other:

  • env – List the current environment variables.
  • printenv – Print a copy of the environment.
  • set – Shows how the environment is set up. This command can be very useful when debugging the environment.
  • runlevel – List the current and previous runlevel.
  • uname – Print system information. In my case, it prints “Linux”.
  • dmesg – Print the kernel ring buffer, i.e. the kernel messages logged since boot (useful for hardware detection and driver errors).

Linux Process Control

Posted: September 24, 2010 in Uncategorized

Tools for working with processes

  • accton – Turns process accounting on and off. Uses the file /var/log/pacct. To turn it on type “accton /var/log/pacct”. Use the command with no arguments to turn it off.
  • kill – Kill a process by number
  • killall – Send a signal to a process by name
  • lastcomm (1) – Display information about previous commands in reverse order. Works only if process accounting is on.
  • nice – Set process priority of new processes.
  • ps(1) – Used to report the status of one or more processes.
  • pstree(1) – Display the tree of running processes.
  • renice(8) – Can be used to change the process priority of a currently running process.
  • sa(8) – Generates a summary of information about users’ processes that are stored in the /var/log/pacct file.
  • skill – Send a signal to processes selected by name, user, or terminal.
  • snice – Change the priority of processes selected by name, user, or terminal.
  • top – Displays the processes that are using the most CPU resources.

Checking running processes

While logged in as root, type “ps -ax |more” or “ps -aux |more”. You will get a list of all processes running on your computer. You will see the process id (PID), process status (STAT) various statistics, and the command name. You can kill a process by typing “kill” and the PID number right afterwards similar to the line below.

kill 1721

You can also stop and restart processes by sending them various signals as in the below examples:

kill -STOP 1721 Stops (suspends) process 1721 by sending the STOP signal to the process. This process will still be on the task list. The process can't catch or ignore the STOP signal.
kill -CONT 1721 Continues process 1721, causing it to resume. The CONT signal is sent to the process.
kill -TERM 1721 Terminates process 1721 by sending the TERM signal to the process. This process will no longer show up on the task list if it is actually terminated; a terminated process cannot be continued. The TERM signal can be caught, so TERM is not guaranteed to kill the process. KILL cannot be caught or ignored and is the fallback when TERM does not work.
kill -HUP 1721 Sends the HUP (hangup) signal to process 1721. Daemons conventionally catch HUP and reread their configuration files, which is why it is used when a process is misbehaving or its configuration files have been changed. A process that does not catch HUP is terminated by it, so HUP is not a generic "restart".
killall -HUP myprint Sends HUP to any process with the name "myprint".
killall -TERM myprint Terminates any process with the name "myprint" (kill itself takes process IDs, not names).

Setting up and doing process control

The examples in this section use the "yes" command as an easy example of a program that runs continually. The "yes" command outputs the string "y" until it is killed or stopped. When the output is redirected to /dev/null (the null device or bit bucket), the output is simply discarded, so this command is harmless but a good demonstration. To put the process in the background, append an "&" character to the end of the command as shown below.

yes > /dev/null &

The system will respond with a job number and process ID or PID similar to:

[1] 10419

Either number can be used to refer to the job. The “jobs” command can be used to check the job. When the command is entered the system will respond with a list of running jobs similar to the following:

[1]+ Running yes >/dev/null &

The job can be killed using the process ID or the job number. Either

kill %1

or:

kill 10419

Stopping and restarting jobs

Another way to put a job into the background is to

  1. Start the job normally like:yes > /dev/null

    The prompt does not come back.

  2. Use the <Ctrl-Z> key to stop the job.
  3. Use the command "bg" or "bg %1", where 1 is the job number, to put the process in the background. The system reports the job number when you stop the job.
    Before the last step, the job was suspended. The "fg" command could have been used to bring the job into the foreground rather than using the "bg" command to put it in the background. If the job is running in the foreground, you can type <Ctrl-C> to terminate the process.

Killing or Reconfiguring a Daemon without Restarting

killall -1 inetd Restarts inetd by sending signal number 1 which is the hangup signal.
killall -HUP inetd Causes the daemon to reload its config file by sending the hangup signal. The difference between this example and the previous one is the signal is called by name here rather than number.

To make changes to inetd:

  1. Reconfigure /etc/inetd.conf
  2. Restart inetd by sending it the hangup signal

The easy way to reset a service that was started via the rc script files during system startup:

  1. Find the file for the service, you want to start. For example find the file for the print daemon “lpd”. These files should typically be in the directory “/etc/rc.d/init.d”. The file name in this case is “lpd”. (Note this is a script file, that starts the daemon, not the actual binary daemon file).
  2. Go to that subdirectory “cd /etc/rc.d/init.d” and type “./lpd restart”.
  3. You should get output to the screen that indicates this service has been shut down and then started.
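The signal behaviour described in the table above, and the reload-by-HUP procedure used for inetd, as an added example (not code from the original page): a throw-away daemon written as a shell subshell that reloads a constructed configuration file on HUP and catches TERM, so that the script can show HUP reloading the configuration, TERM being caught (and therefore not killing the process), and KILL succeeding where TERM did not. All file names are constructed in a temporary directory; the wait_for helper assumes a sleep(1) that accepts fractional seconds, as GNU sleep does.

```shell
#!/bin/sh
# Added example, not from the original page: a throw-away "daemon" that
# reloads its configuration on SIGHUP and catches SIGTERM, used to show which
# signals a process can intercept and which it cannot. Every file name here
# is constructed in a temporary directory; the daemon is a shell subshell.

# wait_for FILE STRING: poll up to ~5 seconds for STRING to appear in FILE.
# (Assumes a sleep(1) that accepts fractional seconds, as GNU sleep does.)
wait_for() {
    tries=0
    until grep -q -- "$2" "$1" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 50 ] || return 1
        sleep 0.1
    done
}

# signal_demo: run the sequence HUP -> TERM -> KILL against the daemon and
# print which steps behaved as described: "hup-reloaded term-caught kill-worked".
signal_demo() {
    work=$(mktemp -d)
    conf="$work/daemon.conf"
    state="$work/state"
    echo "greeting=hello" > "$conf"

    # The daemon: on HUP re-read the config (what "killall -HUP inetd" relies
    # on); on TERM only log the signal, to show a caught TERM does not kill.
    # A real daemon would exit cleanly on TERM instead of ignoring it.
    (
        trap 'cut -d= -f2 "$conf" > "$state"' HUP
        trap 'echo caught-term >> "$state"' TERM
        cut -d= -f2 "$conf" > "$state"
        while :; do
            sleep 5 & wait $!            # wait returns early when a trap fires
            kill $! 2>/dev/null
        done
    ) >/dev/null 2>&1 &
    pid=$!
    result=""

    wait_for "$state" hello || { kill -KILL "$pid"; rm -rf "$work"; return 1; }

    echo "greeting=reloaded" > "$conf"
    kill -HUP "$pid"                     # caught: handler reloads the config
    wait_for "$state" reloaded && result="hup-reloaded"

    kill -TERM "$pid"                    # caught: process logs it and survives
    wait_for "$state" caught-term && kill -0 "$pid" 2>/dev/null &&
        result="$result term-caught"

    kill -KILL "$pid"                    # cannot be caught or ignored
    wait "$pid" 2>/dev/null
    kill -0 "$pid" 2>/dev/null || result="$result kill-worked"

    rm -rf "$work"
    echo "$result"
    [ "$result" = "hup-reloaded term-caught kill-worked" ]
}

signal_demo
```

The daemon waits on a background sleep rather than running sleep in the foreground because a shell only runs a trap handler once the current foreground command finishes, whereas "wait" returns as soon as a trapped signal arrives. The same ordering is what the two-step inetd procedure depends on: edit the file first, then send HUP, because the handler reads whatever is on disk at the moment it runs.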

Setting process priority

In Linux, each process has a nice value between -20 and 19. The value -20 gives the highest scheduling priority and 19 the lowest; new processes normally start at 0. The nice value is set when a process starts with the nice(1) command and changed afterwards with the renice(8) command. Only root can lower a nice value (raise the priority); ordinary users can only raise the nice value of their own processes. To set a process to the highest priority, find its process ID number using the ps command. If your process name is "myprog" type:

ps -ax |grep myprog

You should get something like:

756 tty1 S 0:00 myprog

The first number on the line is your process ID. Enter the command:

renice -20 756

This sets your process (PID=756) to a nice value of -20, which requires root. Substitute the process ID of the program running on your system. Typing "nice" on the command line with no arguments prints the nice value that new processes will inherit from the current shell. If you want to start a process with a specific priority, invoke it through the nice(1) command.

Setting limits on the number of processes that can run

The shell builtin "ulimit" sets resource limits on the shell and on every process it starts: the number of processes a user may run, the number of open files, core file size, CPU time and so on. Each limit has a soft value, which a process may raise on its own up to the hard value, and a hard value that only root can increase. Because limits are inherited, all processes started from the shell (bash in many cases) have the same limits, and a ulimit command placed in a boot script applies to every daemon that script starts. See the bash manual page for the full list of limits.

The command “ulimit -a” reports the current limits.

Linux Passwords

Posted: September 24, 2010 in Uncategorized

Most versions of Linux come with the shadow password suite of software already installed. This suite of software is recommended to enhance security since all users must be able to access the /etc/passwd file. With full access to this file, a “crack” program can be used by any user to extract all passwords on the system. The shadow password software places the actual encrypted passwords into the /etc/shadow file making this file readable only by the root user. If your system has the file /etc/shadow, you probably already have shadow passwords installed.

Linux Shadow Passwords

If your system did not come with shadow passwords and you are going to install it you will want to read the Shadow-Password-HOWTO and roughly do the following.

  1. Find the latest shadow password suite that will work on your system
  2. Backup a copy of your files listed above that the shadow password suite will replace.
  3. Install the shadow password suite.
  4. Remove old man pages that may interfere with you seeing the correct replacement man pages that came with the shadow password suite.
  5. run pwconv which creates /etc/npasswd and /etc/nshadow
  6. Backup /etc/passwd and copy the files /etc/npasswd and /etc/nshadow to /etc/passwd and /etc/shadow respectively.
  7. Be sure the /etc/shadow and /etc/passwd owners and permissions are the same as shown in listings in this manual.
  8. Verify you can login
  9. When you are sure the system runs OK, remove backup files such as the backed up copy of /etc/passwd.
  10. You may need to upgrade your xlock program to get X working. xlock is the screen saver used to lock the screen.
  11. xdm presents the login screen for X. You may need to upgrade xdm.
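After a conversion like the one above, the things to verify are that no hash is left in /etc/passwd, that every account has a shadow entry, and that /etc/shadow is not readable by other users. The check below is an added example, not part of the original page or of the shadow suite; it takes the two file paths as parameters so it can be run against copies, and the passwd and shadow contents it demonstrates on are constructed samples (the hashes are placeholders). It also flags a second uid-0 account and an empty shadow password field, the condition that nullok in a PAM stack turns into a passwordless login.

```shell
#!/bin/sh
# shadow_check PASSWD_FILE SHADOW_FILE: report conditions that undo the point
# of shadow passwords. Added example, not from the original page; prints one
# finding per line and returns 1 if anything was found, 0 if clean.
shadow_check() {
    passwd=$1; shadow=$2
    findings=$(
        # 1. A hash in passwd is readable by every user; only x/*/! belong there.
        awk -F: '$2 != "x" && $2 != "*" && $2 != "!" {
            printf "passwd: %s has a password field in the world-readable file\n", $1 }' "$passwd"
        # 2. Any uid-0 account besides root is a second superuser.
        awk -F: '$3 == 0 && $1 != "root" { printf "passwd: %s has uid 0\n", $1 }' "$passwd"
        # 3. Every passwd account should have a shadow line (pwconv makes them).
        awk -F: 'NR == FNR { seen[$1] = 1; next }
                 !($1 in seen) { printf "shadow: no entry for %s\n", $1 }' "$shadow" "$passwd"
        # 4. An empty hash field is a passwordless login wherever nullok is set.
        awk -F: '$2 == "" { printf "shadow: %s has an empty password field\n", $1 }' "$shadow"
        # 5. shadow must carry no permission bits for "other" users at all.
        case $(ls -ld "$shadow" | cut -c8-10) in
            ---) ;;
            *) echo "shadow: world-accessible permissions ($(ls -ld "$shadow" | cut -c1-10))" ;;
        esac
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed samples: a passwd/shadow pair with one of each problem.
# The hashes are placeholders, not real password hashes.
sample=$(mktemp -d)
cat > "$sample/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:$1$salt$0123456789abcdef:1000:1000::/home/alice:/bin/sh
backdoor:x:0:0::/:/bin/sh
bob:x:1001:1001::/home/bob:/bin/sh
EOF
cat > "$sample/shadow" <<'EOF'
root:$1$salt$0123456789abcdef:14876:0:99999:7:::
alice::14876:0:99999:7:::
backdoor:$1$salt$0123456789abcdef:14876:0:99999:7:::
EOF
chmod 644 "$sample/shadow"             # wrong on purpose
if shadow_check "$sample/passwd" "$sample/shadow"; then
    echo "clean"
else
    echo "exit status 1: findings above"
fi
rm -rf "$sample"
```

For the constructed pair the check prints five findings: alice's hash in passwd, backdoor's uid 0, no shadow entry for bob, alice's empty shadow field, and the 644 mode on shadow. The mode check looks only at the "other" bits because distributions differ on the group (root:shadow with 0640 on some, 0000 on others); run it against the live files as shadow_check /etc/passwd /etc/shadow, which needs root to read /etc/shadow.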