Secure System Administration & Certification

The Linux Network Administration Guide (Ch. 1-5, part of 11)

Jim Arrowood, Michael Linnenburger, Nick Davis

University of Tulsa, Department of Mathematical & Computer Sciences

CS 5493/7493 Secure System Administration & Certification, Dr. Mauricio Papa

Guide Overview

Chapter 1

• History of Networking

• UUCP

• TCP/IP

• Various Protocols

• Various Hardware

• General Security

Chapter 2

• Classes

• Subnets

• ARP

• Gateways

• ICMP

Chapter 3

• Network Hardware

• Kernel Configuration

• Ethernet

• PPP

Chapter 4

• Introduction to Serial Devices

• Serial Login

Chapter 5

• TCP/IP Networking

• Setting Hostname

• IP Address Assignment

• ifconfig/ping/route

• Ethernet Interface

• ifconfig in Detail

• netstat in Detail

• Checking ARP

Chapter 11

• NAT

Chapter 1: Introduction to Networking

History of Networking

• Stone Age (A->B->C)

• Network - a collection of hosts that are able to communicate with each other.

• Hosts are often computers, but need not be

• Small collections of hosts are called sites

• Communication is impossible without some sort of language or code

– In computer networks, these languages are collectively referred to as protocols

TCP/IP Networks

• Packet - a small chunk of data that is transferred from one machine to another across the network

• Packet Switching-shares a single network link among many users by alternately sending packets from one user to another across that link

TCP/IP In Action

• $ rlogin quark.physics
  Welcome to the Physics Department at GMU (ttyq2)
  login:

• $ DISPLAY=erdos.maths:0.0
  $ export DISPLAY

• The X window system is a fully network-aware graphical user environment

• $ startx – starts an X window session.

Ethernets

• Most common type of LAN hardware

• Inexpensive

• Net transfer rate of 10, 100, or even 1,000 Megabits per second

• Thick, thin, and twisted pair

Thick & Thin Ethernet

• Thin - T-shaped “BNC” connector, 200 m distance, 10base-2

• Thick - vampire tap, 500 m distance, 10base-5

Twisted Pair

• Uses two pairs of copper wires

• Requires additional hardware known as active hubs

• RJ45 connector, 100 m, 10base-T, 100base-T.

Adding a Machine

• Thin-take network down

• Thick-complicated, but doesn’t take network down

• Twisted Pair - easy, plug into hub/switch

Ethernet Drawback

• Cable length – limits use to LANs

The solution: Repeaters - copy the signals between two or more segments so that all segments together will act as if they are one Ethernet.

Due to timing requirements, there may not be more than four repeaters between any two hosts on the network.

Bridges and routers are more sophisticated. They analyze incoming data and forward it only when the recipient host is not on the local Ethernet.

Ethernet Bus

• Host may send packets of up to 1,500 bytes to another host on the same Ethernet.

• A host is addressed by a six-byte address hardcoded into the firmware of its Ethernet network interface card (NIC).

• Addresses are usually written as a sequence of two-digit hex numbers separated by colons, as in aa:bb:cc:dd:ee:ff (MAC Address).

Collision

• If two stations try to send at the same time, a collision occurs.

• Collisions are detected very quickly by the NICs and are resolved by the two stations aborting the send, each waiting a random interval and re-attempting the transmission

• Shouldn't be surprised to see collision rates of up to about 30 percent

IP

• Turns physically dissimilar networks into “one” network

• Requires a hardware-independent addressing scheme

• Achieved by assigning each host a unique 32-bit number called the IP address

• An IP address is usually written as four decimal numbers, one for each 8-bit portion, separated by dots. For example a machine might have an IP address of 0x954C0C04, which would be written as 149.76.12.4.

TCP

• IP is not reliable… then comes TCP

• Checks the integrity and completeness of the data and retransmits it in case of error

• TCP identifies the end points of a connection by the IP addresses of the two hosts involved and the number of a port on each host.

• Ports may be viewed as attachment points for network connections.

TCP Drawback

• Overhead

• It takes at least three datagrams to establish a TCP connection, another three to send and confirm a small amount of data each way, and another three to close the connection

UDP

• User Datagram Protocol

• UDP provides us with a means of using only two datagrams to achieve almost the same result.

• UDP is said to be connectionless, and it doesn't require us to establish and close a session

More on Ports

• The IETF (Internet Engineering Task Force) regularly releases an RFC titled Assigned Numbers (RFC-1700).

• It describes, among other things, the port numbers assigned to well-known services.

• Linux uses a file called /etc/services that maps service names to numbers.

A Mention of UUCP

• Unix to Unix Copy

• Main application is still in Wide Area Networks, based on periodic dialup telephone links

• Operates in Batch Mode

Linux Networking

• Net-4 Linux Network code offers a wide variety of device drivers and advanced features.

• Includes SLIP, PPP, PLIP (for parallel lines), IPX, Appletalk, AX.25, NetRom, and Rose (for amateur radio networks), SAMBA, and Novell NCP.

• Other standard Net-4 features include IP firewalling, IP accounting, and IP Masquerading.

• IP tunnelling in a couple of different flavors and advanced policy routing are supported.

System Maintenance

• Log File Scripts

• cron jobs

System Security

• Mail Alias for Root

• The COPS program will check your file system and common configuration files for unusual permissions

• When making a service accessible to the network, make sure to give it least privilege

System Security Ctd.

• Tripwire - allows you to check vital system files to see if their contents or permissions have been changed.

• Computes various strong checksums over these files and stores them in a database

• During subsequent runs, the checksums are recomputed and compared to the stored ones to detect any modifications.
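As an added example (not Tripwire's own code, and not from the guide), a minimal integrity database in Python that works the way the slides describe Tripwire: it records a strong checksum plus the permission bits and size of each watched file, and a later run recomputes them and reports what changed. The file names and contents inside demo() are constructed for the illustration.

```python
# Added example (not Tripwire's code): a minimal integrity database that works
# the way the slide describes Tripwire. Only the standard library is used.
import hashlib
import json
import os
import stat
import tempfile

def file_record(path):
    """Strong checksum plus the permission bits and size of one file."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"sha256": h.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}

def build_database(paths, db_path):
    """First run: record every watched file and store the records."""
    db = {p: file_record(p) for p in paths}
    with open(db_path, "w") as f:
        json.dump(db, f, indent=1)
    return db

def check_against_database(db_path):
    """Subsequent runs: recompute and report (path, what changed) pairs."""
    with open(db_path) as f:
        baseline = json.load(f)
    findings = []
    for path, old in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        new = file_record(path)
        findings.extend((path, field + " changed")
                        for field in ("sha256", "mode", "size") if new[field] != old[field])
    return findings

def demo():
    """Constructed scenario: two watched files; one is edited, one made world-writable."""
    d = tempfile.mkdtemp()
    watched = [os.path.join(d, name) for name in ("passwd", "inetd.conf")]
    for p in watched:
        with open(p, "w") as f:
            f.write("original contents\n")
        os.chmod(p, 0o644)
    db = os.path.join(d, "integrity.db")
    build_database(watched, db)
    clean = check_against_database(db)            # nothing has changed yet: []
    with open(watched[0], "a") as f:
        f.write("an appended line\n")             # content and size change
    os.chmod(watched[1], 0o666)                   # permission bits change
    return clean, check_against_database(db)
```

A real deployment keeps the database where the monitored system cannot rewrite it; a checker that trusts a writable baseline detects nothing once the baseline is replaced along with the files.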

Chapter 2: Issues of TCP/IP Networking

Networking Interfaces

• For each peripheral networking device, a corresponding interface has to be present in the kernel.

• For example, Ethernet interfaces in Linux are called by such names as eth0 and eth1; PPP interfaces are named ppp0 and ppp1

IP Address Classes

• Class A comprises networks 1.0.0.0 through 127.0.0.0. The network number is contained in the first octet

• Allowing roughly 1.6 million hosts per network

• Class B contains networks 128.0.0.0 through 191.255.0.0; the network number is in the first two octets

• Allows for 16,320 nets with 65,024 hosts each

• Class C networks range from 192.0.0.0 through 223.255.255.0, with the network number contained in the first three octets

• Allows for nearly 2 million networks with up to 254 hosts

• Classes D, E, and F: Addresses falling into the range of 224.0.0.0 through 254.0.0.0 are either experimental or are reserved for special purpose use and don't specify any network.

Private IP Use

• Private networks, by class:

– A: 10.0.0.0 through 10.255.255.255

– B: 172.16.0.0 through 172.31.0.0

– C: 192.168.0.0 through 192.168.255.0

Special Purpose IP

• Octets 0 and 255 are reserved for special purposes.

• An address where all host part bits are 0 refers to the network, and an address where all bits of the host part are 1 is called a broadcast address.

• This refers to all hosts on the specified network simultaneously. Thus, 149.76.255.255 is not a valid host address, but refers to all hosts on network 149.76.0.0.

Special Purpose IP Ctd.

• Usually, address 127.0.0.1 will be assigned to a special interface on your host, the loopback interface, which acts like a closed circuit.

• Any IP packet handed to this interface from TCP or UDP will be returned to them as if it had just arrived from some network.

Address Resolution

• ARP - mechanism that maps IP addresses onto the addresses of the underlying network

• A datagram is addressed to all stations on the network simultaneously. The broadcast datagram sent by ARP contains a query for the IP address. Each receiving host compares this query to its own IP address and if it matches, returns an ARP reply to the inquiring host.

• The inquiring host can now extract the sender's Ethernet address from the reply.

Subnetworks

• Hosts with identical IP network numbers should be found within the same network

• The number of bits that are interpreted as the subnet number is given by the so-called subnet mask, or netmask. This is a 32-bit number too, which specifies the bit mask for the network part of the IP address.

• A class B network number of 149.76.0.0 has a netmask of 255.255.0.0.

Gateways

• A gateway is a host that is connected to two or more physical networks simultaneously and is configured to switch packets between them.

ICMP

• Internet Control Message Protocol (ICMP), used by the kernel networking code to communicate error messages to other hosts

• There is one very interesting message called the Redirect message.

• It is generated by the routing module when it detects that another host is using it as a gateway, even though a much shorter route exists

Resolving Host Names

• The need to map numbers to names

• On a small network like an Ethernet or even a cluster of Ethernets, it is not very difficult to maintain tables mapping hostnames to addresses.

• This information is usually kept in a file named /etc/hosts

• This is why a new name resolution scheme was adopted in 1994: the Domain Name System

Config Network H/W

- 3.0 Config Network H/W

- 3.1 Kernel Config (Overview)

- 3.2 Tour of Network Dev

- 3.3 Ethernet Install

- 3.5 PPP-Dialup

3.0 Config Network H/W

• Hardware == physical device

– e.g., Ethernet, FDDI, or Token Ring

• Device driver

– Auto probing

– e.g., ISA, PCI, MCA, PCMCIA, and USB

– I/O and memory address

– Interrupt request number (IRQ)

3.0 Config Network H/W

• Interfaces in /dev

– Type ls -las /dev/

• Dev files

– Type b: block device

– Type c: character device

– Major & minor device numbers

– Defined in the kernel, not real files in /dev


3.1 Kernel Config (Overview)

• Distribution media supplied w/ boot disks

• Basics of compiling Linux in Matt Welsh’s book, Running Linux (O’Reilly)

• Linux kernel numbering, e.g. 2.2.14

– 1st digit: major version

– 2nd digit: minor version

• Even: production, or stable

• Odd: development, or unstable

– 3rd digit: incremented for each release of a minor version

3.1 Kernel Config (Overview)

• make menuconfig

– Offers a list of config questions

– Asks whether you want TCP/IP networking support. You must answer this with y to get a kernel capable of networking

3.1 Kernel Options (Linux 2.2)

• After the General section

– Config for SCSI/sound cards

– Config for network support


3.1 Kernel Networking Options (Linux 2.2)


3.2 Tour of Network Dev

• lo – loopback

• eth0 – Ethernet

• tr0 – Token Ring

• sl0 – SLIP transport

• ppp0 – PPP transport

Ethernet Install

• Ethernet HOWTO

– Donald Becker wrote most drivers for the National Semi 8390 chip set

• Becker series drivers

– Many other developers have contributed drivers

– Few common Ethernet cards aren’t supported

Ethernet Install

• Ethernet HOWTO

– Autoprobing

– Append option in the lilo.conf file

• ether=irq,base_addr,[param1,][param2,]name

– irq, base_addr, and name parameters are required

– the two param parameters are optional

PPP-Dialup

• Serial port connection

– Chapter 4: Configuring the Serial Hardware

– Chapter 8: The Point-to-Point Protocol

Serial Dev

- 4.2 Intro to Serial Dev

- 4.6 Serial Login (Getty, mgetty)

4.2 Intro to Serial Dev

• tty – teletype device (character-based)

– Serial devices

– Virtual terminals

– Pseudo-terminals

• setserial command

– setserial device [parameters]

• stty – set tty

– stty -a -F /dev/ttyS1

4.6 Serial Login (Getty)

• getty program – “get tty”

– Issues a login: prompt

– Invokes the login program

Chapter 5: Configuring TCP/IP Networking

• Usually handled by a GUI configuration program as part of an installation

• Typically network configuration is done only once

• Guide covers installing network drivers separately, but most distros already include these

Chapter 5: Configuring TCP/IP Networking (cont.)

• Most network apps require a sensible hostname value, so this is usually done first

– # hostname name

• The hostname is the first part of a fully-qualified domain name (FQDN), so for panthro.isrg.utulsa.edu, the hostname is panthro.

5.3 Setting the Hostname

Chapter 5: Configuring TCP/IP Networking (cont.)

• For standalone operation, the loopback address is all you need

– This is always 127.0.0.1, and refers to the local machine

• With a “real” network (e.g. Ethernet), you have to assign your machine an IP address on the network

– If your machine is on a private network, you can give it an IP from one of the reserved ranges (A, B, or C)

– Otherwise, you want to network your computer to the Internet. Your friendly network administrator should help you in this case.

5.3 Assigning IP Addresses

Chapter 5: Configuring TCP/IP Networking (cont.)

• In order to have multiple Ethernets (and other networks) operating simultaneously, you have to split up your network into subnets

• Example: for two Ethernets on a private class B network, we can assign each network its own subnet, 172.16.1.0 and 172.16.2.0, with a subnet mask of 255.255.255.0.

A gateway is required so these networks can talk to each other. This is usually assigned the first host number on each subnet, e.g. 172.16.1.1 and 172.16.2.1

5.5 Creating Subnets
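As an added example (not code from the guide or these slides), the address arithmetic the Chapter 1, Chapter 2 and Chapter 5 slides describe, worked in Python on 32-bit integers: dotted quad to integer (0x954C0C04 is 149.76.12.4), classful network numbers, network and broadcast addresses under a netmask, the private ranges, and the Chapter 5 subnet plan with the first host number as gateway. The 255.240.0.0 mask for the class B private range is an assumption derived from the 172.16.0.0 through 172.31.x.x span on the slide.

```python
# Added example (not code from the guide or the slides): the IPv4 address
# arithmetic the slides describe, done by hand so the network/host split shows.

def to_int(dotted):
    """'149.76.12.4' -> 0x954C0C04 (the slides' own example)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % dotted)
    n = 0
    for o in octets:
        n = (n << 8) | o
    return n

def to_dotted(n):
    """0x954C0C04 -> '149.76.12.4'"""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def address_class(dotted):
    """Classful network class from the first octet, as on the slides."""
    first = to_int(dotted) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    return "D/E/F (reserved)"

# Default masks implied by the class boundaries (network number in 1, 2 or 3 octets).
CLASS_MASKS = {"A": 0xFF000000, "B": 0xFFFF0000, "C": 0xFFFFFF00}

def network_and_broadcast(dotted, netmask=None):
    """(network, broadcast): host bits all 0 / all 1 under the mask.
    With no netmask the classful default is used (255.255.0.0 for class B)."""
    addr = to_int(dotted)
    mask = CLASS_MASKS[address_class(dotted)] if netmask is None else to_int(netmask)
    network = addr & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    return to_dotted(network), to_dotted(broadcast)

def is_valid_host(dotted, netmask=None):
    """Neither the network address nor the broadcast address names a host."""
    return dotted not in network_and_broadcast(dotted, netmask)

def first_host(dotted, netmask):
    """The slides' gateway convention: the first host number on the subnet."""
    net, _ = network_and_broadcast(dotted, netmask)
    return to_dotted(to_int(net) + 1)

# Private ranges from the slides. The 255.240.0.0 mask for the class B range
# is an assumption derived from the 172.16.0.0 through 172.31.x.x span.
PRIVATE_RANGES = [("10.0.0.0", "255.0.0.0"),
                  ("172.16.0.0", "255.240.0.0"),
                  ("192.168.0.0", "255.255.0.0")]

def is_private(dotted):
    """True when the address falls in one of the reserved private ranges."""
    addr = to_int(dotted)
    return any(addr & to_int(m) == to_int(n) for n, m in PRIVATE_RANGES)
```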

Chapter 5: Configuring TCP/IP Networking (cont.)

• After subnetting the network, the next step is to configure hostname resolution, which is done in the /etc/hosts file

• This file tells applications how to resolve the IP address of a host, and can be configured to use DNS first, then the /etc/hosts file if DNS doesn’t provide the info, for example

• Even if DNS is used, it’s a good idea to have hostnames in /etc/hosts

• To setup your host resolver to use the /etc/hosts file, edit /etc/host.conf to the following:

order hosts

5.6 Writing hosts and networks files

Chapter 5: Configuring TCP/IP Networking (cont.)

5.6 Writing hosts and networks files (cont.)

Sample hosts file:

Chapter 5: Configuring TCP/IP Networking (cont.)

5.6 Writing hosts and networks files (cont.)

Sample networks file:

Chapter 5: Configuring TCP/IP Networking (cont.)

• After hardware configuration, the next step is to make these devices known to the kernel networking software, which involves configuring and testing an interface

• The three commands used for this are ifconfig (“interface” config), ping, and route

– ifconfig – used to make an interface accessible to the kernel networking layer. This involves IP address assignment and other parameters, and “bringing up” an interface, or activation.

– ping – used to see if the given address is reachable; also prints the time it takes (round-trip time)

– route – can be used to add/remove routes from the kernel routing table.

• These interface activation tasks are usually performed at boot by a network initialization script, and usually aren’t needed unless there’s a networking issue

5.7 Interface Configuration

Chapter 5: Configuring TCP/IP Networking (cont.)

5.8 Using ifconfig

• Normal command-line format: ifconfig interface [address [parameters]]

• Without any additional options, ifconfig will display all active interfaces configured on your machine

• If you want to see the config for a specific interface (e.g. the first Ethernet interface, eth0), you can use ifconfig interface, which looks like the following:

• Some interesting ifconfig parameters include:

– up – makes the interface accessible to the IP layer

– down – makes an interface inaccessible to the IP layer

– netmask mask – assigns a subnet mask to be used by an interface

– broadcast address – usually made up from the network number by setting all bits of the host part

– promisc – puts the interface in promiscuous mode. On a broadcast network, this makes the interface receive all packets, regardless of whether they were destined for this host or not.

Chapter 5: Configuring TCP/IP Networking (cont.)

• Netstat is useful for checking your network configuration and activity

• Three modes of operation:

– netstat -r displays the kernel routing table

– netstat -i shows statistics for the network interfaces configured (some of the same information displayed by ifconfig)

– netstat -a displays sockets or open connections on your machine

5.9 Using netstat

Chapter 5: Configuring TCP/IP Networking (cont.)

• Sometimes useful to view the kernel’s ARP tables, e.g. when a duplicate IP address is causing intermittent network problems.

• To remove all entries related to a given host from the ARP table, use arp -d hostname

5.10 Checking ARP tables

Chapter 11: IP Masquerading and Network Address Translation

• NAT is the process of modifying network addresses in datagram headers while they are in transit

• IP Masquerading is a specific type of NAT allowing hosts on a private network to use the Internet by means of a single IP address

Chapter 11: IP Masquerading and Network Address Translation (cont.)

• Benefits:

– Relatively easy to set up and configure

– Saves on costs

– Provides some security
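As an added example (not from the guide or the slides), a small Python model of IP masquerading as the slide describes it: private hosts share one public address, outbound datagrams get their source rewritten and a mapping recorded, and inbound datagrams are translated back only when they match a mapping, which is where the "some security" of the benefits slide comes from. The public address 149.76.12.4 is borrowed from the Chapter 1 example; the other addresses, ports and the port range are constructed.

```python
# Added example (not from the guide): a toy model of IP masquerading, the
# many-private-hosts-behind-one-address NAT described on the slides.

class Masquerader:
    """Rewrites outbound datagrams to the public address and translates
    matching replies back. Datagrams are plain dicts: src, sport, dst, dport."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port   # constructed port range, allocated upward
        self.table = {}     # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.reverse = {}   # (public port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Private host -> Internet: allocate (or reuse) a public port, record the mapping."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.table:
            port = self.next_port
            self.next_port += 1
            self.table[key] = port
            self.reverse[(port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=self.table[key])

    def inbound(self, pkt):
        """Internet -> private host. Returns the translated datagram, or None
        (dropped) when no inside host opened a matching connection; this is
        the incidental protection the slide calls 'some security'."""
        if pkt["dst"] != self.public_ip:
            return None
        key = (pkt["dport"], pkt["src"], pkt["sport"])
        if key not in self.reverse:
            return None
        priv_ip, priv_port = self.reverse[key]
        return dict(pkt, dst=priv_ip, dport=priv_port)
```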
