Linux Networking Security 14Jan 2016 Formatted

Linux Networking and Security Administration

Courseware Designed & Written by
P Narasimhan
Linux Consultant

Acknowledgement

Some portions of this reference documentation have been derived from various sources including the HOWTOs, Guides from the Linux Documentation Project, man & info pages, FAQs and technical articles from several other sources on the World Wide Web. We are thankful to and do hereby sincerely acknowledge the creators of these documents.

This courseware is given free of cost as a reference material covering the topics dealt with during the training programmes, and on a few topics even going beyond so as to provide an insight to the participants. It is precisely for internal circulation only and is not intended for sale anywhere.

P Narasimhan

Linux is the Trademark of Linus Torvalds and all other brand names and trademarks are properties of their respective owners.

No Warranty Clause

The authors disclaim all warranties with regard to this document and the configurations covered thereto, including all implied warranties of merchantability and fitness for a certain purpose. In no event shall the authors be liable for any special, indirect or consequential damages or any damage whatsoever resulting from loss of data, or profits whether in action of contract, negligence or other tortious action, arising out of or in connection with the use of this document or any of the software mentioned therein.

TABLE OF CONTENTS

Chapter-1 : Manage IPv6 Network Configuration
Chapter-2 : Manage Domain Name Service (DNS)
Chapter-3 : Configure email delivery with Postfix
Chapter-4 : File-based storage with NFS & Samba
Chapter-5 : Web Server Apache Configuration
Chapter-6 : Security-Enhanced Linux (SELinux)
Chapter-7 : Troubleshooting the Linux Boot process
Chapter-8 :
Chapter-9 :
Chapter-10 :
Chapter-11 :
Chapter-12 :
Chapter-13 :

Chapter 1

CHAPTER - 1: APPLICATION MANAGEMENT THROUGH YUM

Sometimes software product installations are straightforward: you want to install a Red Hat Enterprise Linux server, so you install Red Hat Enterprise Linux. However, products can have dependencies with each other (product B is only worthwhile if product A is also installed), or products can interact with each other to provide extended functionality. There are two categories of these kinds of product interactions:

Dependencies, where one product requires or relies on another product directly

Modifiers, where a product provides enhanced functionality or services for existing products

Dependencies are common and can be handled directly when processing content through tools like yum.

Yum is the Red Hat package manager that is able to query for information about available packages, fetch packages from repositories, install and uninstall them, and update an entire system to the latest available version. Yum performs automatic dependency resolution on packages you are updating, installing, or removing, and thus is able to automatically determine, fetch, and install all available dependent packages.

Yum can be configured with new, additional repositories, or package sources, and also provides many plug-ins which enhance and extend its capabilities. Yum is able to perform many of the same tasks that RPM can; additionally, many of the command line options are similar. Yum enables easy and simple package management on a single machine or on groups of them.

Secure package management with GPG-signed packages

Yum provides secure package management by enabling GPG (Gnu Privacy Guard; also known as GnuPG) signature verification on GPG-signed packages to be turned on for all package repositories (i.e. package sources), or for individual repositories. When signature verification is enabled, Yum will refuse to install any packages not GPG-signed with the correct key for that repository. This means that you can trust that the RPM packages you download and install on your system are from a trusted source, such as Red Hat, and were not modified during transfer.

Yum also enables you to easily set up your own repositories of RPM packages for download and installation on other machines.

Learning Yum is a worthwhile investment because it is often the fastest way to perform system administration tasks, and it provides capabilities beyond those provided by the PackageKit graphical package management tools.

You must have superuser privileges in order to use yum to install, update or remove packages on your system. All examples in this chapter assume that you have already obtained superuser privileges by using either the su or sudo command.

Checking For and Updating Packages

To see which installed packages on your system have updates available, use the following command:

    ~]# yum check-update
    Loaded plugins: product-id, refresh-packagekit, subscription-manager
    Updating Red Hat repositories.
    INFO:rhsm-app.repolib:repos updated: 0

The packages in the above output are listed as having updates available. The first package in the list is PackageKit, the graphical package manager. The line in the output tells us:

- PackageKit: the name of the package
- x86_64: the CPU architecture the package was built for
- the version string that follows: the version of the updated package to be installed

- rhel: the repository in which the updated package is located

The output also shows us that we can update the kernel (the kernel package), Yum and RPM themselves (the yum and rpm packages), as well as their dependencies (such as the kernel-firmware, rpm-libs, and rpm-python packages), all using yum.

To update a single package, run the following command as root:

    # yum update package_name

To update all packages and their dependencies, simply enter yum update (without any arguments):

    # yum update

Discovering which packages have security updates available and then updating those packages quickly and easily is important. Yum provides the security plugin for this purpose. The security plugin extends the yum command with a set of highly useful security-centric commands, subcommands and options. You will inevitably make changes to the configuration files installed by packages as you use your Red Hat Enterprise Linux system. RPM, which Yum uses to perform changes to the system, provides a mechanism for ensuring their integrity.

You can search all RPM package names, descriptions and summaries by using the yum search term [more_terms] command. yum displays the list of matches for each term, for example:

    ~]# yum search meld kompare
    Loaded plugins: product-id, refresh-packagekit, rhnplugin, subscription-manager
    Updating Red Hat repositories.
    INFO:rhsm-app.repolib:repos updated: 0
    ============================ Matched: kompare =============================
    kdesdk.x86_64 : The KDE Software Development Kit (SDK)
    Warning: No matches found for: meld

The yum search command is useful for searching for packages you do not know the name of, but for which you know a related term.

yum list and related commands provide information about packages, package groups, and repositories. All of Yum's list commands allow you to filter the results by appending one or more glob expressions as arguments. Glob expressions are normal strings of characters which contain one or more of the wildcard characters * (which expands to match any character multiple times) and ? (which expands to match any one character).

    # yum list all : lists all installed and available packages.

    # yum list installed : lists all packages installed on your system. The rightmost column in the output lists the repository from which the package was retrieved.

    # yum list available : lists all available packages in all enabled repositories.

    # yum grouplist : lists all package groups.

    # yum repolist : lists the repository ID, name, and number of packages it provides for each enabled repository.

A package group is similar to a package: it is not useful by itself, but installing one pulls in a group of dependent packages that serve a common purpose. A package group has a name and a groupid. The yum grouplist -v command lists the names of all package groups, and, next to each of them, their groupid in parentheses. The groupid is always the term in the last pair of parentheses, such as kde-desktop in the following example:

    ~]# yum -v grouplist kde\*
    Loading "rhnplugin" plugin
    Loading "product-id" plugin

    # yum groupinstall kde-desktop

yum remove package_name uninstalls (removes, in RPM and Yum terminology) the package, as well as any packages that depend on it. As when you install multiple packages, you can remove several at once by adding more package names to the command. For example, to remove totem, rhythmbox, and sound-juicer, type the following at a shell prompt:

    # yum remove totem rhythmbox sound-juicer

You can remove a package group using syntax congruent with the install syntax. The following are alternative but equivalent ways of removing the KDE Desktop group:

    ~]# yum groupremove "KDE Desktop"
    ~]# yum groupremove kde-desktop
    ~]# yum remove @kde-desktop

Configuring Yum and Yum Repositories

This section shows you how to:

- set global Yum options by editing the [main] section of the /etc/yum.conf configuration file;
- set options for individual repositories by editing the [repository] sections in /etc/yum.conf and .repo files in the /etc/yum.repos.d/ directory;
- use Yum variables in /etc/yum.conf and files in /etc/yum.repos.d/ so that dynamic version and architecture values are handled correctly; and,
- set up your own custom Yum repository.

The /etc/yum.conf configuration file contains one mandatory [main] section under which you can set Yum options. The values that you define in the [main] section of yum.conf have global effect, and may override values set in individual [repository] sections. You can also add [repository] sections to /etc/yum.conf; however, best practice is to define individual repositories in new or existing .repo files in the /etc/yum.repos.d/ directory.

The /etc/yum.conf configuration file contains exactly one [main] section. You can add many additional options under the [main] section heading in /etc/yum.conf. Some of the key-value pairs in the [main] section affect how yum operates; others affect how Yum treats repositories.

The best source of information for all Yum options is in the [main] OPTIONS and [repository] OPTIONS sections of man yum.conf.

A sample /etc/yum.conf configuration file can look like this:

    [main]
    cachedir=/var/cache/yum/$basearch/$releasever
    keepcache=0
    debuglevel=2
    logfile=/var/log/yum.log
    exactarch=1
    obsoletes=1
    gpgcheck=1
    plugins=1
    installonly_limit=3
    [comments abridged]
    # PUT YOUR REPOS HERE OR IN separate files named file.repo
    # in /etc/yum.repos.d

Setting [repository] Options

The [repository] sections (where repository is a unique repository ID, such as my_personal_repo) allow you to define individual Yum repositories. To define a new repository, either add this section to the /etc/yum.conf file, or to a .repo file in the /etc/yum.repos.d/ directory.

All .repo files in /etc/yum.repos.d/ are read by yum, which allows you to create new, custom .repo files in this directory. Best practice is to define your repositories here instead of in /etc/yum.conf.

The following is a (bare-minimum) example of the form a .repo file takes:

    [repository_ID]
    name=Repository Name
    baseurl=http://path/to/repo or ftp://path/to/repo or file:///path/to/local/repo

Every [repository] section must contain the following minimum directives:

[repository_ID]

The repository ID is a unique, one-word (no spaces; underscores are allowed) string of characters (enclosed by brackets) that serves as a repository identifier.

name=A Repository Name

This is a human-readable string describing the repository.

baseurl=http://path/to/repo, ftp://path/to/repo, file:///path/to/local/repo

This is a URL to the directory where the repodata directory of a repository is located. Usually this URL is an HTTP link, such as:

    baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/

Yum always expands the $releasever, $arch and $basearch variables in URLs. See the section “Using Yum Variables” for explanations of all Yum variables.

- If the repository is available over FTP, use: ftp://path/to/repo
- If the repository is local to the machine, use file:///path/to/local/repo
- If a specific online repository requires basic HTTP authentication, you can specify your username and password in the http://path/to/repo by prepending it as username:password@link. For example, if a repository on http://www.example.com/repo/ requires a username of “user” and a password of “password”, then the baseurl link could be specified as:

    baseurl=http://user:password@www.example.com/repo/

Credentials written into baseurl this way are stored in clear text in the .repo file, so keep that file readable by root only.

The following is another useful [repository] directive:

    enabled=value

...where value is one of:

0: do not include this repository as a package source when performing updates and installs. This is an easy way of quickly turning repositories on and off, which is useful when you desire a single package from a repository that you do not want to enable for updates or installs.

1: include this repository as a package source.
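The gpgcheck setting and the username:password@ form of baseurl described above can be audited mechanically. The following shell script is an added example and not part of the courseware: it works on constructed sample copies of yum.conf and a .repo file written to a temporary directory (the real files live at /etc/yum.conf and in /etc/yum.repos.d/), reports the effective gpgcheck value of each repository (a value in the [repository] section applies to that repository, with [main] supplying the default), and flags enabled repositories that would accept unsigned packages or that embed credentials in their baseurl.

```shell
#!/bin/sh
# Added example (not from the courseware): audit Yum repository definitions
# for two of the settings discussed in this section, the effective gpgcheck
# value per repository and credentials embedded in baseurl. The input files
# are constructed samples written to a temporary directory.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of /etc/yum.conf: [main] sets the gpgcheck default.
cat > "$WORK/yum.conf" <<'EOF'
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
plugins=1
EOF

# Constructed sample .repo file with three repositories (names and URLs made up).
cat > "$WORK/example.repo" <<'EOF'
[vendor]
name=Vendor Repository
baseurl=http://repo.example.com/releases/$releasever/server/$basearch/os/
enabled=1

[internal_mirror]
name=Internal Mirror
baseurl=http://user:password@www.example.com/repo/
enabled=1
gpgcheck=0

[local_media]
name=Local Media
baseurl=file:///path/to/local/repo
enabled=0
EOF

# audit_repos MAINCONF REPOFILE
# Prints one line per repository: "<id> gpgcheck=<effective> creds=<yes|no> enabled=<0|1>"
audit_repos() {
    # gpgcheck from the [main] section is the default for every repository
    main_default=$(awk -F= '
        /^\[/ { insec = ($0 == "[main]") }
        insec && $1 == "gpgcheck" { print $2 }
    ' "$1")
    awk -F= -v def="${main_default:-0}" '
        function flush() {
            if (id != "")
                printf "%s gpgcheck=%s creds=%s enabled=%s\n", id, gpg, creds, en
        }
        # a new [section] starts a repository; reset to the defaults
        /^\[/ {
            flush()
            id = substr($0, 2, length($0) - 2); gpg = def; creds = "no"; en = "1"
            next
        }
        $1 == "gpgcheck" { gpg = $2 }
        $1 == "enabled"  { en = $2 }
        $1 == "baseurl"  {
            # the URL may itself contain "=", so take everything after the first one
            url = substr($0, index($0, "=") + 1)
            # scheme://user:password@host is the credential form shown in the text
            if (url ~ "^[a-z]+://[^/@]+:[^/@]+@") creds = "yes"
        }
        END { flush() }
    ' "$2"
}

# find_risky_repos MAINCONF REPOFILE
# Only repositories that are enabled but accept unsigned packages or carry
# clear-text credentials.
find_risky_repos() {
    audit_repos "$1" "$2" | awk '/enabled=1/ && (/gpgcheck=0/ || /creds=yes/)'
}

audit_repos "$WORK/yum.conf" "$WORK/example.repo"
echo "--- risky ---"
find_risky_repos "$WORK/yum.conf" "$WORK/example.repo"
```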

CHAPTER - 2: NETWORK MONITORING TOOLS

Sometimes it is necessary or useful to monitor network traffic on your computer. You can monitor all the connections going in and out of your computer.

Netstat is a common command line TCP/IP networking utility available in most versions of Windows, Linux, UNIX and other operating systems. Netstat provides information and statistics about protocols in use and current TCP/IP network connections. (The name derives from the words network and statistics.)

Using netstat you can monitor every connection going in and out of your computer. This monitors all major protocols including tcp and udp, and every port. netstat is a standard Unix program, so it is likely installed.

netstat also displays Unix domain sockets, which are fairly useless for this purpose. To display only tcp and udp connections:

- Execute: netstat -t -u
- For displaying continuously
- Execute: netstat -t -u -c

Each field in Active Internet connections contains Protocol, Receive queue, Send queue, Local Address, Foreign Address, State.

Each field in Active UNIX domain sockets contains Protocol, Reference Count, Flags, Type, State, Inode number and path of process.

To see all sockets in the system use the parameter -a, as in the following command.

    # netstat -a

Using parameter "-l" displays all listening state servers in the system. The state field of the result of this command will be "LISTEN".

    # netstat -l

To display the routing table of a system use the parameter "-r" as shown below:

    # netstat -r

The interface list can be displayed by using the following command

    # netstat -i

To view the network statistics of the system use the following command

    # netstat -s

Many people type “netstat -a | grep -i LISTEN”, but “netstat -l” will do the same: filter the output to show sockets in the LISTEN state only. Very useful to quickly see what is being “served” in your box. You can combine this with “-u” to only show UDP connections or “-t” to restrict the output to TCP connections only.

    # netstat -ln
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:17500           0.0.0.0:*               LISTEN
    ...
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  2      [ ACC ]     STREAM     LISTENING     101544 /home/sml/.dropbox/command_socket
    unix  2      [ ACC ]     STREAM     LISTENING     101549 /home/sml/.dr...

With “-p”, netstat shows what program/pid is using a given socket. Very handy to find out who’s listening on a port or holding a connection open. A personal favorite of mine is “netstat -lput”, which displays all TCP and UDP sockets in the LISTEN state, plus the name and pid of the program listening on that socket.

    # netstat -lnp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:17500           0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:2143          0.0.0.0:*               LISTEN
    ...
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
    unix  2      [ ACC ]     STREAM     LISTENING     101544 4185/dropbox        /home/sml/.dropbox/command_socket
    unix  2      [ ACC ]     STREAM     LISTENING     101549 4185/dropbox        /home/sm...
    unix  2      [ ACC ]     STREAM     LISTENING     11051  -

Combining switches: all TCP & UDP traffic, numerically, listening, with process ids:

    # netstat -tulnp
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:17500           0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:2143          0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:1986          0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:2025          0.0.0.0:*               LISTEN
    tcp        0      0 ::1:2143                :::*                    LISTEN
    tcp        0      0 ::1:2025                :::*                    LISTEN
    ...
    udp        0      0 0.0.0.0:111             0.0.0.0:*
    udp        0      0 0.0.0.0:631             0.0.0.0:*
    udp        0      0 0.0.0.0:727             0.0.0.0:*
    udp        0      0 0.0.0.0:836             0.0.0.0:*
    udp        0      0 0.0.0.0:17500           0.0.0.0:*
    ...
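The -lnp and -tulnp listings above are where a defender learns what a host offers to the network. The following shell script is an added example and not part of the courseware: it parses a constructed sample in the same format as the netstat -tulnp output above (the PID/Program values and some ports in the sample are made up), separates sockets bound to a wildcard address (reachable from other hosts) from loopback-only ones, and lists exposed sockets whose owning process netstat could not identify, which is the case the "Not all processes could be identified" warning refers to.

```shell
#!/bin/sh
# Added example (not from the courseware): review a `netstat -tulnp` listing.
# Sockets bound to 0.0.0.0 or :: accept connections from any interface; those
# bound to 127.0.0.1 or ::1 are reachable only from the host itself.

set -eu

# Constructed sample of `netstat -tulnp` output. On a real host run the
# command as root so that every PID/Program name column is filled in.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1043/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1310/sshd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:2143          0.0.0.0:*               LISTEN      4185/dropbox
tcp6       0      0 :::22                   :::*                    LISTEN      1310/sshd
tcp6       0      0 ::1:2025                :::*                    LISTEN      4185/dropbox
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1043/rpcbind
udp        0      0 0.0.0.0:17500           0.0.0.0:*                           4185/dropbox'

# bind_scope LOCAL_ADDRESS: classify the "Local Address" column value.
bind_scope() {
    case "$1" in
        0.0.0.0:*|:::*) echo wildcard ;;   # every interface, IPv4 or IPv6
        127.*|::1:*)    echo loopback ;;   # host-local only
        *)              echo specific ;;   # bound to one particular address
    esac
}

# port_of LOCAL_ADDRESS: the port is the last colon-separated field, which also
# works for IPv6 forms such as ::1:2025.
port_of() { printf '%s\n' "$1" | awk -F: '{ print $NF }'; }

# exposed_listeners: print "proto port program" for every socket reachable from
# other hosts. The State column is absent for UDP rows, so the program name is
# always taken from the last whitespace-separated field of the remainder.
exposed_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk 'NR > 2' |
    while read -r proto rq sq laddr foreign rest; do
        prog=${rest##* }
        if [ "$(bind_scope "$laddr")" = wildcard ]; then
            echo "$proto $(port_of "$laddr") $prog"
        fi
    done
}

# unattributed_listeners: exposed sockets whose owner netstat could not identify
# ("-" in the PID/Program column); rerun netstat as root to resolve them.
unattributed_listeners() {
    exposed_listeners | awk '$3 == "-"'
}

echo "--- exposed ---"
exposed_listeners
echo "--- exposed, owner unknown ---"
unattributed_listeners
```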

Nmap: Network exploration tool and security / port scanner

Nmap ("Network Mapper") is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the "interesting ports table". That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describes a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.

In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.

A typical Nmap scan is shown in the following example. The only Nmap arguments used in this example are -A, to enable OS and version detection, script scanning, and traceroute; -T4 for faster execution; and then the two target hostnames.

Example 1: A representative Nmap scan

    # nmap -A -T4 scanme.nmap.org
    Starting Nmap ( http://nmap.org )
    Interesting ports on scanme.nmap.org (64.13.134.52):
    Not shown: 994 filtered ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)

Because host discovery needs are so diverse, Nmap offers a wide variety of options for customizing the techniques used. Host discovery is sometimes called ping scan, but it goes well beyond the simple ICMP echo request packets associated with the ubiquitous ping tool. Users can skip the ping step entirely with a list scan (-sL) or by disabling ping (-PN), or engage the network with arbitrary combinations of multi-port TCP SYN/ACK, UDP, SCTP INIT and ICMP probes. The goal of these probes is to solicit responses which demonstrate that an IP address is actually active (is being used by a host or network device). On many networks, only a small percentage of IP addresses are active at any given time. This is particularly common with private address space such as [...] and 443 using the connect system call. This host discovery is often sufficient when scanning local networks, but a more comprehensive set of discovery probes is recommended for security auditing.

The -P* options (which select ping types) can be combined. You can increase your odds of penetrating strict firewalls by sending many probe types using different TCP ports/flags and ICMP codes. Also note that ARP discovery (-PR) is done by default against targets on a local ethernet network even if you specify other -P* options, because it is almost always faster and more effective.

By default, Nmap does host discovery and then performs a port scan against each host it determines is online. This is true even if you specify non-default host discovery types such as UDP probes (-PU). Read about the -sP option to learn how to perform only host discovery, or use -PN to skip host discovery and port scan all target hosts. The following options control host discovery:

-sL (List Scan)

The list scan is a degenerate form of host discovery that simply lists each host of the network(s) specified, without sending any packets to the target hosts. By default, Nmap still does reverse-DNS resolution on the hosts to learn their names. It is often surprising how much useful information simple hostnames give out. For example, fw.chi is the name of one company's Chicago firewall. Nmap also reports the total number of IP addresses at the end. The list scan is a good sanity check to ensure that you have proper IP addresses for your targets. If the hosts sport domain names you do not recognize, it is worth investigating further to prevent scanning the wrong company's network.

Since the idea is to simply print a list of target hosts, options for higher level functionality such as port scanning, OS detection, or ping scanning cannot be combined with this. If you wish to disable ping scanning while still performing such higher level functionality, read up on the -PN (skip ping) option.

-sP (Skip port scan)

This option tells Nmap not to do a port scan after host discovery, and only print out the available hosts that responded to the scan. This is often known as a "ping scan", but you can also request that traceroute and NSE host scripts be run. This is by default one step more intrusive than the list scan, and can often be used for the same purposes. It allows light reconnaissance of a target network without attracting much attention. Knowing how many hosts are up is more valuable to attackers than the list provided by list scan of every single IP and host name.

Systems administrators often find this option valuable as well. It can easily be used to count available machines on a network or monitor server availability. This is often called a ping sweep, and is more reliable than pinging the broadcast address because many hosts do not reply to broadcast queries.

The -sP option sends an ICMP echo request, TCP SYN to port 443, TCP ACK to port 80

-PS port list (TCP SYN Ping)

This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (configurable at compile time by changing DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h). Alternate ports can be specified as a parameter. The syntax is the same as for the -p option except that port type specifiers like T: are not allowed. Examples are -PS22 and -PS22-25,80,113,1050,35000. Note that there can be no space between -PS and the port list. If multiple probes are specified they will be sent in parallel.

The SYN flag suggests to the remote system that you are attempting to establish a connection. Normally the destination port will be closed, and a RST (reset) packet sent back. If the port happens to be open, the target will take the second step of a TCP three-way handshake by responding with a SYN/ACK TCP packet. The machine running Nmap then tears down the nascent connection by responding with a RST rather than sending an ACK packet which would complete the three-way handshake and establish a full connection. The RST packet is sent by the kernel of the machine running Nmap in response to the unexpected SYN/ACK, not by Nmap itself.

Nmap does not care whether the port is open or closed. Either the RST or SYN/ACK response discussed previously tells Nmap that the host is available and responsive.

Tcpdump

The tcpdump tool is a command line utility for monitoring network traffic.

Tcpdump prints out a description of the contents of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -r flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump.

Tcpdump will, if not run with the -c flag, continue capturing packets until it is interrupted by a SIGINT signal (generated, for example, by typing your interrupt character, typically control-C) or a SIGTERM signal (typically generated with the kill command); if run with the -c flag, it will capture packets until it is interrupted by a SIGINT or SIGTERM signal or the specified number of packets have been processed.

When tcpdump finishes capturing packets, it will report counts of:

packets ''captured'' (this is the number of packets that tcpdump has received and processed);

packets ''received by filter'' (the meaning of this depends on the OS on which you're running tcpdump, and possibly on the way the OS was configured - if a filter was specified on the command line, on some OSes it counts packets regardless of whether they were matched by the filter expression and, even if they were matched by the filter expression, regardless of whether tcpdump has read and processed them yet, on other OSes it counts only packets that were matched by the filter expression regardless of whether tcpdump has read and processed them yet, and on other OSes it counts only packets that were matched by the filter expression and were processed by tcpdump);

packets ''dropped by kernel'' (this is the number of packets that were dropped, due to a lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is running, if the OS reports that information to applications; if not, it will be reported as


The -D flag will not be supported if tcpdump was built with an older version of libpcap that lacks the pcap_findalldevs
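As an added example (not code from this courseware), the following Python reads the three counters tcpdump prints when it stops and refuses to treat a capture as complete when the kernel dropped packets; it also builds the -c/-w/-r argument vectors described above. The summary text is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of the three counters tcpdump prints when it stops
# (assumption: a made-up stderr summary, not output captured for this courseware).
SAMPLE_SUMMARY = """\
1432 packets captured
1500 packets received by filter
68 packets dropped by kernel
"""

COUNTERS = ("captured", "received by filter", "dropped by kernel")
_LINE_RE = re.compile(r"^\s*(\d+)\s+packets?\s+(captured|received by filter|dropped by kernel)\s*$")


def build_capture_command(interface: str, count: int, outfile: str, expression: str) -> List[str]:
    """Argument vector for a bounded capture: -n (no name lookups), -i, -c, -w and a filter expression."""
    return ["tcpdump", "-n", "-i", interface, "-c", str(count), "-w", outfile, expression]


def build_read_command(infile: str, expression: str = "") -> List[str]:
    """Argument vector to re-read a saved capture with -r, optionally narrowed by a filter."""
    args = ["tcpdump", "-n", "-r", infile]
    return args + [expression] if expression else args


def parse_tcpdump_summary(text: str) -> Dict[str, int]:
    """Return the three counters from tcpdump's end-of-capture summary ('1 packet captured' is accepted too)."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(1))
    missing = [c for c in COUNTERS if c not in counts]
    if missing:
        raise ValueError(f"summary incomplete, missing: {missing}")
    return counts


def capture_is_complete(counts: Dict[str, int]) -> bool:
    """Only a capture with zero kernel drops is a full record of what the filter matched."""
    return counts["dropped by kernel"] == 0


def drop_ratio(counts: Dict[str, int]) -> float:
    """Share of filter-matched packets the kernel lost before tcpdump could read them."""
    received = counts["received by filter"]
    return counts["dropped by kernel"] / received if received else 0.0


if __name__ == "__main__":
    c = parse_tcpdump_summary(SAMPLE_SUMMARY)
    state = "complete" if capture_is_complete(c) else f"incomplete ({drop_ratio(c):.1%} dropped)"
    print(c, state)
```

Run tcpdump with -c and -w as shown, keep its stderr, and hand the last three lines to parse_tcpdump_summary; a non-zero ''dropped by kernel'' count means the saved file lacks traffic that matched the filter, which matters whenever the capture is used as evidence (a larger capture buffer via tcpdump's -B option is the usual remedy).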


Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into a network and instantly be able to view other people who you can chat with, find printers to print to or find files being shared.

Zero Configuration Network

Most Linux distributions utilise the Zero Configuration Network (ZEROCONF) automation suite. This is an IETF workgroup that planned and coordinated a series of dynamic configuration protocols to allow many operating systems to automatically configure themselves and communicate on a network without the need of DHCP or DNS servers. ZEROCONF utilises the 169.254.


CHAPTER 5: ADVANCED NETWORK CONFIGURATION

Assign an additional address to a NIC


To create a channel bonding interface, create a file in the /etc/sysconfig/network-scripts/ directory called ifcfg-bond<N>, replacing <N> with the number for the interface, such as 0.

    NETMASK=255.255.255.0
    ONBOOT=yes
    BOOTPROTO=none
    USERCTL=no
    BONDING_OPTS="<bonding parameters separated by spaces>"

After the channel bonding interface is created, the network interfaces to be bound together must be configured by adding the MASTER= and SLAVE= directives to their configuration files. The configuration files for each of the channel-bonded interfaces can be nearly identical.

For example, if two Ethernet interfaces are being channel bonded, both eth0 and eth1 may look like the following example:

    DEVICE=eth<N>
    BOOTPROTO=none
    ONBOOT=yes
    MASTER=bond0
    SLAVE=yes
    USERCTL=no


In this example, replace <N> with the numerical value for the interface.

For a channel bonding interface to be valid, the kernel module must be loaded. To ensure that the module is loaded when the channel bonding interface is brought up, create a new file as root named <bonding>.conf in the /etc/modprobe.d/ directory. Note that you can name this file anything you like as long as it ends with a .conf extension. Insert the following line in this new file:

    alias bond<N> bonding
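An added Python example, not part of this courseware: it renders the ifcfg-bond<N>, ifcfg-eth<N> and modprobe.d files described above from parameters and cross-checks a set of them (every SLAVE names a bond that has its own file, every bond has at least one slave). The DEVICE and IPADDR lines of the bond file, the addresses, and the bonding options mode=1 miimon=100 are assumptions made for the example.

```python
from typing import Dict, List


def bond_ifcfg(bond: str, ipaddr: str, netmask: str, bonding_opts: str) -> str:
    """Render ifcfg-<bond>; the DEVICE and IPADDR lines are assumptions the fragment above omits."""
    lines = [
        f"DEVICE={bond}",
        f"IPADDR={ipaddr}",
        f"NETMASK={netmask}",
        "ONBOOT=yes",
        "BOOTPROTO=none",
        "USERCTL=no",
        f'BONDING_OPTS="{bonding_opts}"',
    ]
    return "\n".join(lines) + "\n"


def slave_ifcfg(device: str, master: str) -> str:
    """Render ifcfg-<device> for an interface enslaved to a bond, as in the eth<N> example above."""
    lines = [f"DEVICE={device}", "BOOTPROTO=none", "ONBOOT=yes", f"MASTER={master}", "SLAVE=yes", "USERCTL=no"]
    return "\n".join(lines) + "\n"


def modprobe_alias(bond: str) -> str:
    """Contents of the /etc/modprobe.d/<name>.conf file that maps the bond device to the bonding module."""
    return f"alias {bond} bonding\n"


def parse_ifcfg(text: str) -> Dict[str, str]:
    """KEY=VALUE reader for ifcfg files; '#' lines are comments and surrounding double quotes are dropped."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def check_bonding(files: Dict[str, str]) -> List[str]:
    """Cross-check a set of ifcfg files (file name -> contents) for the consistency the text requires."""
    parsed = {name: parse_ifcfg(body) for name, body in files.items()}
    bonds = {c["DEVICE"] for c in parsed.values() if c.get("DEVICE", "").startswith("bond")}
    enslaved = {b: 0 for b in bonds}
    problems: List[str] = []
    for name, c in parsed.items():
        if c.get("SLAVE") != "yes":
            continue
        master = c.get("MASTER")
        if master in bonds:
            enslaved[master] += 1
        else:
            problems.append(f"{name}: MASTER={master} has no ifcfg file")
        if c.get("BOOTPROTO") != "none":
            problems.append(f"{name}: differs from the slave template (BOOTPROTO=none)")
    for bond, n in sorted(enslaved.items()):
        if n == 0:
            problems.append(f"{bond}: no interface is enslaved to it")
    return problems


if __name__ == "__main__":
    files = {
        "ifcfg-bond0": bond_ifcfg("bond0", "192.0.2.10", "255.255.255.0", "mode=1 miimon=100"),
        "ifcfg-eth0": slave_ifcfg("eth0", "bond0"),
        "ifcfg-eth1": slave_ifcfg("eth1", "bond0"),
    }
    print(check_bonding(files) or "bonding configuration is consistent")
    print(modprobe_alias("bond0"), end="")
```

Write the rendered strings to the file names used as dictionary keys under /etc/sysconfig/network-scripts/ and the alias line to a .conf file under /etc/modprobe.d/; check_bonding is the sanity pass to run before bringing the bond up.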

Tuning Kernel Network Parameters

The Linux kernel parameters can be tuned to perform certain actions to suit the requirements, and it provides the necessary tools and interfaces as well.

The /sbin/sysctl command is used to view, set, and automate kernel settings in the /proc/sys/ directory.

For a quick overview of all settings configurable in the /proc/sys/ directory, type the /sbin/sysctl -a command as root. This creates a large, comprehensive list, a small portion of which looks something like the following:

    net.ipv4.route.min_delay = 2
    kernel.sysrq = 0
    kernel.sem = 250 32


While quickly setting single values like this in /proc/sys/ is helpful during testing, this method does not work as well on a production system as special settings within /proc/sys/ are lost when the machine is rebooted. To preserve custom settings, add them to the /etc/sysctl.conf file.

Each time the system boots, the init program runs the /etc/rc.d/rc.sysinit script. This script contains a command to execute sysctl using /etc/sysctl.conf to determine the values passed to the kernel. Any values added to /etc/sysctl.conf therefore take effect each time the system boots.

Some of the best documentation about the proc file system is installed on the system by default.

• /usr/share/doc/kernel-doc-kernel_version/Documentation/filesystems/proc.txt — Contains assorted, but limited, information about all aspects of the /proc/ directory.

• /usr/share/doc/kernel-doc-kernel_version/Documentation/sysrq.txt — An overview of System Request Key options.

• /usr/share/doc/kernel-doc-kernel_version/Documentation/sysctl/ — A directory containing a variety of sysctl tips, including modifying values that concern the kernel (kernel.txt), accessing file systems (fs.txt), and virtual memory use (vm.txt).

• /usr/share/doc/kernel-doc-kernel_version/Documentation/networking/ip-sysctl.txt — A detailed overview of IP networking options.

Static Route Configuration

    # ip route show

For persistent kernel routing edit /etc/sysctl.conf
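To turn the sysctl discussion above into a check, here is an added Python example (not from this courseware) that reads an /etc/sysctl.conf, maps each key to its /proc/sys file and audits the values against a small baseline; the sample file contents and the baseline values are assumptions chosen for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed /etc/sysctl.conf; the values are deliberately weak so the audit has something to report.
SAMPLE_SYSCTL_CONF = """\
# Kernel sysctl configuration file (constructed sample)
; both '#' and ';' introduce comment lines
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 1
kernel.sysrq = 0
"""

# Baseline for a host that is not a router (assumption: chosen for this example, not stated in the text).
BASELINE: Dict[str, str] = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.tcp_syncookies": "1",
}

Finding = Tuple[str, str, Optional[str]]  # (key, expected value, value found or None if absent)


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Read 'key = value' lines; blank lines and lines starting with '#' or ';' are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def proc_path(key: str) -> str:
    """Map a sysctl key to its /proc/sys file (net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward)."""
    return "/proc/sys/" + key.replace(".", "/")


def audit(settings: Dict[str, str], baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """One finding for every baseline key that is missing from the file or set to another value."""
    return [(key, want, settings.get(key)) for key, want in baseline.items() if settings.get(key) != want]


def remediation_lines(findings: List[Finding]) -> List[str]:
    """Lines to add to /etc/sysctl.conf so the corrected values survive a reboot, as the text recommends."""
    return [f"{key} = {want}" for key, want, _ in findings]


if __name__ == "__main__":
    found = audit(parse_sysctl_conf(SAMPLE_SYSCTL_CONF))
    for key, want, got in found:
        print(f"{proc_path(key)}: expected {want}, found {got}")
    print("\n".join(remediation_lines(found)))
```

The check reads the file, not the running kernel; compare it with the live values (sysctl -a, or the /proc/sys file proc_path returns) as well, since a setting edited in /proc/sys/ but never written to /etc/sysctl.conf is exactly the case the text warns about. Keys whose components contain a period (some interface names) are written with slashes instead, which this simple mapping does not cover.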

CHAPTER 6: LINUX FIREWALL CONFIGURATION


CHAPTER 7: DOMAIN NAME SERVICE


In a DNS server such as BIND (Berkeley Internet Name Domain), all information is stored in basic data elements called resource records (RR). The resource record is usually a fully qualified domain name (FQDN) of a host, and is broken down into multiple sections organized into a tree-like hierarchy. This hierarchy consists of a main trunk, primary branches, secondary branches, and so on.

A simple resource record

    bob.sales.example.com

Each level of the hierarchy is divided by a period (that is, .). In “A simple resource record”, com defines the top-level domain, example its subdomain, and sales the subdomain of example. In this case, bob identifies a resource record that is part of the sales.example.com domain. With the exception of the part furthest to the left (that is, bob), each of these sections is called a zone and defines a specific namespace.

Zones are defined on authoritative nameservers through the use of zone files, which contain definitions of the resource records in each zone. Zone files are stored on primary nameservers (also called master nameservers), where changes are made to the files, and secondary nameservers (also called slave nameservers), which receive zone definitions from the primary nameservers. Both primary and secondary nameservers are authoritative for the zone and look the same to clients. Depending on the configuration, any nameserver can also serve as a primary or secondary server for multiple zones at the same time.

Nameserver Types


There are two nameserver configuration types:

authoritative

Authoritative nameservers answer to resource records that are part of their zones only. This category includes both primary (master) and secondary (slave) nameservers.

recursive

Recursive nameservers offer resolution services, but they are not authoritative for any zone. Answers for all resolutions are cached in memory for a fixed period of time, which is specified by the retrieved resource record.

Although a nameserver can be both authoritative and recursive at the same time, it is recommended not to combine the configuration types. To be able to perform their work, authoritative servers should be available to all clients all the time. On the other hand, since the recursive lookup takes far more time than authoritative responses, recursive servers should be available to a restricted number of clients only, otherwise they are prone to distributed denial of service (DDoS) attacks.

BIND as a Nameserver

BIND consists of a set of DNS-related programs. It contains a nameserver called named, an administration utility called rndc, and a debugging tool called dig.


BIND

This chapter covers BIND (Berkeley Internet Name Domain), the DNS server included in Red Hat Enterprise Linux. It focuses on the structure of its configuration files, and describes how to administer it both locally and remotely. When the named service is started, it reads the configuration from the files as mentioned below:

    /etc/named.conf   The main configuration file.
    /etc/named/       An auxiliary directory for configuration files that are included in the main configuration file.


The configuration file consists of a collection of statements with nested options surrounded by opening and closing curly brackets. Note that when editing the file, you have to be careful not to make any syntax error, otherwise the named service will not start.

Running BIND in a chroot environment

If you have installed the bind-chroot package, the BIND service will run in the /var/named/chroot environment. In that case, the initialization script will mount the above configuration files using the mount --bind command, so that you can manage the configuration outside this environment.

Common Statement Types

The following types of statements are commonly used in /etc/named.conf:

acl

The acl (Access Control List) statement allows you to define groups of hosts, so that they can be permitted or denied access to the nameserver. It takes the following form:

    acl acl-name {
        match-element;
        ...
    };

The acl-name statement name is the name of the access control list, and the match-element option is usually an individual IP address (such as


The acl statement can be especially useful in conjunction with other statements such as options. The example described below, “Using acl in conjunction with options”, defines two access control lists, black-hats and red-hats, and adds black-hats on the blacklist while granting red-hats a normal access.

    acl black-hats {


Restrict recursive servers to selected clients only

To prevent distributed denial of service (DDoS) attacks, it is recommended that you use the allow-query-cache option to restrict recursive DNS services for a particular subset of clients only.

    options {
        allow-query { localhost; };
        listen-on port 53 { 127.
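An added Python example (not from this courseware) that applies the recommendation above to a named.conf: it extracts the options statement while honouring nested braces and the three comment styles, and reports when the cache is reachable by any client. The two configurations and their ACL names are constructed for the example; the fallback order allow-query-cache, then allow-recursion, then allow-query is BIND 9 behaviour and is stated here as an assumption.

```python
import re
from typing import List, Optional

# Constructed named.conf fragments; the networks and ACL names are assumptions for this example.
OPEN_RESOLVER = """\
acl black-hats { 10.0.2.0/24; 192.168.0.0/24; };
acl red-hats { 10.0.1.0/24; };
options {
    listen-on port 53 { 127.0.0.1; 10.0.1.1; };   // nested braces must not confuse the parser
    directory "/var/named";
    recursion yes;
    allow-query { any; };   # with no allow-query-cache this also opens the cache to everyone
};
"""

# Same server, with the cache restricted to the intended clients and the blacklist dropped.
RESTRICTED = OPEN_RESOLVER.replace(
    "allow-query { any; };",
    "allow-query { any; };\n    allow-query-cache { localhost; red-hats; };\n    blackhole { black-hats; };",
)


def strip_comments(text: str) -> str:
    """Remove the three comment forms named.conf accepts: /* */, // and # (not string-aware)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def statement_body(text: str, name: str) -> Optional[str]:
    """Body of the top-level 'name { ... };' statement, matching nested braces."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    raise ValueError(f"unbalanced braces in {name}")


def address_list(body: str, option: str) -> Optional[List[str]]:
    """Elements of 'option { a; b; };' inside a body, or None when the option is absent."""
    m = re.search(r"\b" + re.escape(option) + r"\s*\{([^}]*)\}", body)
    if m is None:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def recursion_exposure(conf: str) -> List[str]:
    """Report when the cache answers any client; follows BIND's fallback order
    allow-query-cache -> allow-recursion -> allow-query (assumption: BIND 9 semantics)."""
    body = statement_body(strip_comments(conf), "options") or ""
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
    if rec and rec.group(1) == "no":
        return []  # authoritative-only server: there is no cache to protect
    for option in ("allow-query-cache", "allow-recursion", "allow-query"):
        clients = address_list(body, option)
        if clients is not None:
            return [f"{option} opens the cache to any client"] if "any" in clients else []
    return []  # none set: BIND's own default (localhost; localnets) applies


if __name__ == "__main__":
    for label, conf in (("open", OPEN_RESOLVER), ("restricted", RESTRICTED)):
        print(label, recursion_exposure(conf) or "cache restricted to the listed clients")
```

Run recursion_exposure over the text of /etc/named.conf before restarting named; an empty list means the cache is limited to the clients named in the ACLs, which is the state the note above asks for.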


The zone-name attribute is particularly important, as it is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file. For example, if a zone statement defines the namespace for example.com, use example.com as the zone-name so that it is placed at the end of hostnames within the example.com zone file. Most changes to the /etc/named.conf file of a primary or secondary nameserver involve adding, modifying, or deleting zone statements, and only a small subset of zone statement options is usually needed for a nameserver to work efficiently.

In the example given below, “A zone statement for a primary nameserver”, the zone is identified as example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also allows only a secondary nameserver (192.168.


By default, named sends standard messages to the rsyslog daemon, which places them in /var/log/messages. Several standard channels are built into BIND with various severity levels, such as default_syslog (which handles informational logging messages) and default_debug (which specifically handles debugging messages). A default category, called default, uses the built-in channels to do normal logging without any special configuration.

Comment Tags

Additionally to statements, the /etc/named.conf file can also contain comments. Comments are ignored by the named service, but can prove useful when providing additional information to a user. The following are valid comment tags:

//

Any text after the // characters to the end of the line is considered a comment. For example:

    notify yes; // notify all secondary nameservers

#

Any text after the # character to the end of the line is considered a comment. For example:

    notify yes; # notify all secondary nameservers

/* and */

Any block of text enclosed in /* and */ is considered a comment. For example:

    notify yes; /* notify all secondary nameservers */

Editing Zone Files


As outlined in an earlier section, “Nameserver Zones”, zone files contain information about a namespace. They are stored in the named working directory located in /var/named/ by default, and each zone file is named according to the file option in the zone statement, usually in a way that relates to the domain in question and identifies the file as containing zone data, such as example.com.zone.

A zone file consists of directives and resource records. Directives tell the nameserver to perform tasks or apply special settings to the zone, resource records define the parameters of the zone and assign identities to individual hosts. While the directives are optional, the resource records are required in order to provide name service to a zone.

All directives and resource records should be entered on individual lines.

Common Directives

Directives begin with the dollar sign character followed by the name of the directive, and usually appear at the top of the file. The following directives are commonly used in zone files:

$INCLUDE

The $INCLUDE directive allows you to include another file at the place where it appears, so that other zone settings can be stored in a separate zone file.

    $INCLUDE /var/named/penguin.example.com

$ORIGIN

The $ORIGIN directive allows you to append the domain name to unqualified records, such as those with the hostname only. Note that the use of this directive is not necessary if the zone is specified in /etc/named.conf, since the zone name is used by default.

In the example given below, “Using the $ORIGIN directive”, any names used in resource records that do not end in a trailing period are appended with example.com.

    $ORIGIN example.com.


$TTL

The $TTL directive allows you to set the default Time to Live (TTL) value for the zone, that is, how long a zone record is valid. Each resource record can contain its own TTL value, which overrides this directive.

Increasing this value allows remote nameservers to cache the zone information for a longer period of time, reducing the number of queries for the zone and lengthening the amount of time required to propagate resource record changes.

    $TTL 1D

Common Resource Records

The following resource records are commonly used in zone files:

A

The Address record specifies an IP address to be assigned to a name. It takes the following form:

    hostname IN A IP-address

If the hostname value is omitted, the record will point to the last specified hostname. In the example given below, “Using the A resource record”, the requests for server1.example.com are pointed to


CNAME records should not point to other CNAME records. This is mainly to avoid possible infinite loops.

CNAME records should not contain other resource record types (such as A, NS, MX, etc.). The only exception are DNSSEC related records (that is, RRSIG, NSEC, etc.) when the zone is signed.

Other resource records that point to the fully qualified domain name (FQDN) of a host (that is, NS, MX, PTR) should not point to a CNAME record.

In the example given below, “Using the CNAME resource record”, the A record binds a hostname to an IP address, while the CNAME record points the commonly used www hostname to it.

    server1


The Nameserver record announces authoritative nameservers for a particular zone. It takes the following form:

    IN NS nameserver-name

The nameserver-name should be a fully qualified domain name (FQDN). Note that when two nameservers are listed as authoritative for the domain, it is not important whether these nameservers are secondary nameservers, or if one of them is a primary server. They are both still considered authoritative.

Using the NS resource record

    IN NS dns1.example.com.
    IN NS dns2.example.com.

PTR

The Pointer record points to another part of the namespace. It takes the following form:

    last-IP-digit IN PTR FQDN-of-system

The last-IP-digit directive is the last number in an IP address, and the FQDN-of-system is a fully qualified domain name (FQDN). PTR records are primarily used for reverse name resolution, as they point IP addresses back to a particular name.

SOA

The Start of Authority record announces important authoritative information about a namespace to the nameserver. Located after the directives, it is the first resource record in a zone file. It takes the following form:

    @ IN SOA primary-name-server hostmaster-email (
        serial-number
        time-to-refresh
        time-to-retry


        time-to-expire
        minimum-TTL )

The directives are as follows:

The @ symbol places the $ORIGIN directive (or the zone's name if the $ORIGIN directive is not set) as the namespace being defined by this SOA resource record.

The primary-name-server directive is the hostname of the primary nameserver that is authoritative for this domain.

The hostmaster-email directive is the email of the person to contact about the namespace.

The serial-number directive is a numerical value incremented every time the zone file is altered to indicate it is time for the named service to reload the zone.

The time-to-refresh directive is the numerical value secondary nameservers use to determine how long to wait before asking the primary nameserver if any changes have been made to the zone.

The time-to-retry directive is a numerical value used by secondary nameservers to determine the length of time to wait before issuing a refresh request in the event that the primary nameserver is not answering. If the primary server has not replied to a refresh request before the amount of time specified in the time-to-expire directive elapses, the secondary servers stop responding as an authority for requests concerning that namespace.

In BIND 4 and 8, the minimum-TTL directive is the amount of time other nameservers cache the zone's information. In BIND 9, it defines how long negative answers are cached for. Caching of negative answers can be set to a maximum of 3 hours (that is, 3H).


When configuring BIND, all times are specified in seconds. However, it is possible to use abbreviations when specifying units of time other than seconds, such as minutes (M), hours (H), days (D), and weeks (W). The following table, “Seconds compared to other time units”, shows an amount of time in seconds and the equivalent time in another format.

    Seconds     Other Time Units
    60          1M
    1800        30M
    3600        1H
    10800       3H
    21600       6H
    43200       12H
    86400       1D
    259200      3D
    604800      1W
    31536000    365D


Using the SOA resource record

    @ IN SOA dns1.example.com. hostmaster.example.com. (
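As an added Python example (not from this courseware) covering the zone-file material above, the following reads a small constructed zone for example.com, converts the M/H/D/W time syntax from the table, extracts the SOA timers, and enforces the three CNAME rules the text states; the names, addresses and the deliberate CNAME chain in the zone are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

UNIT_SECONDS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "DNSKEY"}   # may sit beside a CNAME in a signed zone

# Constructed zone for example.com; names, addresses and the deliberate CNAME chain are assumptions.
ZONE = """\
$ORIGIN example.com.
$TTL 1D
@       IN SOA  dns1.example.com. hostmaster.example.com. (
                2016011401 ; serial
                6H         ; refresh
                1H         ; retry
                1W         ; expire
                3H )       ; minimum, i.e. negative caching (3H is the maximum)
        IN NS   dns1.example.com.
        IN NS   dns2.example.com.
dns1    IN A    10.0.1.1
server1 IN A    10.0.1.5
www     IN CNAME server1
ftp     IN CNAME www
"""
Record = Tuple[str, str, List[str]]   # (owner FQDN, type, rdata tokens)


def ttl_to_seconds(value: str) -> int:
    """BIND time syntax from the table above ('3H', '1W', '1w2d', plain '3600') to seconds."""
    text = value.strip()
    if not re.fullmatch(r"(\d+[smhdwSMHDW]?)+", text):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNIT_SECONDS[(u or "S").upper()] for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", text))


def fqdn(name: str, origin: str) -> str:
    """Apply $ORIGIN: '@' is the origin, names with a trailing period are absolute, others relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text: str):
    """Strip ';' comments, join '( ... )' continuations, and say whether the owner field was blank."""
    buf, depth, first = [], 0, None
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]            # (';' inside quoted TXT data is not handled)
        first = raw if first is None else first
        depth += code.count("(") - code.count(")")
        buf.append(code.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue
        tokens = " ".join(buf).split()
        if tokens:
            yield tokens, first[:1].isspace()
        buf, first = [], None


def parse_zone(text: str) -> Tuple[str, int, List[Record]]:
    """Minimal reader for the directives and record types discussed above (no per-record TTL field)."""
    origin, default_ttl, records, last_owner = "", 0, [], "@"
    for tokens, blank_owner in _logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            default_ttl = ttl_to_seconds(tokens[1])
            continue
        owner = last_owner if blank_owner else tokens.pop(0)   # blank owner: "last specified hostname"
        last_owner = owner
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in ("CNAME", "NS", "MX", "PTR"):
            rdata[-1] = fqdn(rdata[-1], origin)   # the target is a name, so $ORIGIN applies to it too
        records.append((fqdn(owner, origin), rtype, rdata))
    return origin, default_ttl, records


def soa_timers(records: List[Record]) -> Dict[str, int]:
    """Serial and the four SOA timers, converted to seconds."""
    rdata = next(r for _, rtype, r in records if rtype == "SOA")
    serial, refresh, retry, expire, minimum = rdata[2:7]
    return {"serial": int(serial), "refresh": ttl_to_seconds(refresh), "retry": ttl_to_seconds(retry),
            "expire": ttl_to_seconds(expire), "minimum": ttl_to_seconds(minimum)}


def validate(records: List[Record]) -> List[str]:
    """Enforce the three CNAME rules stated in the text."""
    problems: List[str] = []
    types_at: Dict[str, set] = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    cname_target = {owner: rdata[0] for owner, rtype, rdata in records if rtype == "CNAME"}
    for owner, target in cname_target.items():
        if target in cname_target:
            problems.append(f"CNAME {owner} points to CNAME {target}")
        extra = types_at[owner] - {"CNAME"} - DNSSEC_TYPES
        if extra:
            problems.append(f"{owner} has a CNAME next to {sorted(extra)}")
    for owner, rtype, rdata in records:
        if rtype in ("NS", "MX", "PTR") and rdata[-1] in cname_target:
            problems.append(f"{rtype} at {owner} points to CNAME {rdata[-1]}")
    return problems


if __name__ == "__main__":
    origin, default_ttl, records = parse_zone(ZONE)
    print(origin, default_ttl, soa_timers(records))
    print(validate(records) or "zone passes the CNAME checks")
```

The reader deliberately covers only what the section describes (directives, blank owner names, parenthesised SOA, the record types listed); named-checkzone remains the authoritative syntax check, while validate catches the CNAME mistakes the text warns about before the zone is loaded.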


    ; This sample zone file illustrates sharing the same IP addresses
    ; for multiple services.
    ;
    services


To prevent unauthorized access to the service, named must be configured to listen on the selected port (that is, 953 by default), and an identical key must be used by both the service and the rndc utility.

Table: Relevant files

    Path              Description
    /etc/named.conf   The default configuration file for the named service.
    /etc/rndc.conf    The default configuration file for the rndc utility.
    /etc/rndc.key     The default key location.


The rndc configuration is located in /etc/rndc.conf. If the file does not exist, the utility will use the key located in /etc/rndc.key, which was generated automatically during the installation process using the rndc-confgen -a command.

The named service is configured using the controls statement in the /etc/named.conf configuration file. Unless this statement is present, only the connections from the loopback address (that is, 127.


This will reload the zones while keeping all previously cached responses, so that you can make changes to the zone files without losing all stored name resolutions.

To reload a single zone, specify its name after the reload command, for example:

    ~]# rndc reload localhost
    zone reload up-to-date

Finally, to reload the configuration file and newly added zones only, type:

    ~]# rndc reconfig

Modifying Zones with dynamic DNS

If you intend to manually modify a zone that uses Dynamic DNS (DDNS), make sure you run the freeze command first:

    ~]# rndc freeze localhost

Once you are finished, run the thaw command to allow the DDNS again and reload the zone:

    ~]# rndc thaw localhost
    The zone reload and thaw was successful.

Updating Zone Keys

To update the DNSSEC keys and sign the zone, use the sign command. For example:

    ~]# rndc sign localhost

Note that to sign a zone with the above command, the auto-dnssec option has to be set to maintain in the zone statement. For instance:

    zone localhost {
        type master;
        file "named.localhost";
        allow-update { none; };
        auto-dnssec maintain;
    };

Enabling the DNSSEC Validation


To enable/disable the DNSSEC validation, type the following at a shell prompt:

    ~]# rndc validation on/off   (as the case may be)

Enabling the Query Logging

To enable (or disable in case it is currently enabled) the query logging, run the following command:

    ~]# rndc querylog

To check the current setting, use the status command.

Using the dig Utility

The dig utility is a command line tool that allows you to perform DNS lookups and debug a nameserver configuration. Its typical usage is as follows:

    dig [@server] [option...] name type

Looking Up a Nameserver

To look up a nameserver for a particular domain, use the command in the following form:

    dig name NS

In the example given below, “A sample nameserver lookup”, the dig utility is used to display nameservers for example.com.

    ~]$ dig example.com NS

    ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> example.com NS
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57883
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;example.com.                   IN      NS

    ;; ANSWER SECTION:
    example.com.            99374   IN      NS      a.iana-servers.net.
    example.com.            99374   IN      NS      b.iana-servers.net.

    ;; Query time: 1 msec
    ;; SERVER: 10.34.255.7#53(10.34.255.7)
    ;; WHEN: Wed Aug 18 18:04:06 2010


    ;; MSG SIZE  rcvd: 77

Looking Up an IP Address

To look up an IP address assigned to a particular domain, use the command in the following form:

    dig name A

In the example given below, “A sample IP address lookup”, the dig utility is used to display the IP address of example.com.

    ~]$ dig example.com A

    ; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> example.com A
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4849
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;example.com.                   IN      A

    ;; ANSWER SECTION:
    example.com.


SSH (Secure Shell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, making it difficult for intruders to collect unencrypted passwords.

The ssh program is designed to replace older, less secure terminal applications used to log into remote hosts, such as telnet or rsh. A related program called scp replaces older programs designed to copy files between hosts, such as rcp. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.

Red Hat Enterprise Linux includes the general OpenSSH package (openssh) as well as the OpenSSH server (openssh-server) and client (openssh-clients) packages. Note, the OpenSSH packages require the OpenSSL package (openssl) which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.

The SSH Protocol

Why Use SSH?

Potential intruders have a variety of tools at their disposal enabling them to disrupt, intercept, and re-route network traffic in an effort to gain access to a system. In general terms, these threats can be categorized as follows:

Interception of communication between two systems


The attacker can be somewhere on the network between the communicating parties, copying any information passed between them. He may intercept and keep the information, or alter the information and send it on to the intended recipient.

This attack is usually performed using a packet sniffer, a rather common network utility that captures each packet flowing through the network, and analyzes its content.

Impersonation of a particular host

The attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host.

This attack can be performed using a technique known as DNS poisoning, or via so-called IP spoofing. In the first case, the intruder uses a cracked DNS server to point client systems to a maliciously duplicated host. In the second case, the intruder sends falsified network packets that appear to be from a trusted host.

Both techniques intercept potentially sensitive information and, if the interception is made for hostile reasons, the results can be disastrous. If SSH is used for remote shell login and file copying, these security threats can be greatly diminished. This is because the SSH client and server use digital signatures to verify their identity. Additionally, all communication between the client and server systems is encrypted. Attempts to spoof the identity of either side of a communication do not work, since each packet is encrypted using a key known only by the local and remote systems.

Main Features

The SSH protocol provides the following safeguards:


Two varieties of SSH currently exist: version 1 and the newer version 2. The OpenSSH suite under Red Hat Enterprise Linux uses SSH version 2, which has an enhanced key exchange algorithm not vulnerable to the known exploit in version 1. However, for compatibility reasons, the OpenSSH suite does support version 1 connections as well.

Avoid using SSH version 1

To ensure maximum security for your connection, it is recommended that only SSH version 2-compatible servers and clients are used whenever possible.

Event Sequence of an SSH Connection

The following series of events help protect the integrity of SSH communication between two hosts.

1. A cryptographic handshake is made so that the client can verify that it is communicating with the correct server.

2. The transport layer of the connection between the client and remote host is encrypted using a symmetric cipher.

3. The client authenticates itself to the server.

4. The remote client interacts with the remote host over the encrypted connection.

Transport Layer

The primary role of the transport layer is to facilitate safe and secure communication between the two hosts at the time of authentication and during subsequent communication. The transport layer accomplishes this by handling the encryption and decryption of data, and by providing integrity protection of data packets as they are sent and received. The transport layer also provides compression, speeding the transfer of information.

Once an SSH client contacts a server, key information is exchanged so that the two systems can correctly construct the transport layer. The following steps occur during this exchange:

    Netcra#t; P Narasimhan


    Keys are exchanged

    The public key encryption algorithm is determined

    The symmetric encryption algorithm is determined

    The message authentication algorithm is determined

    The hash algorithm is determined

    During the key exchange, the server identifies itself to the client with a unique host key. If the client has never communicated with this particular server before, the server's host key is unknown to the client and it does not connect. OpenSSH gets around this problem by accepting the server's host key. This is done after the user is notified and has both accepted and verified the new host key. In subsequent connections, the server's host key is checked against the saved version on the client, providing confidence that the client is indeed communicating with the intended server. If, in the future, the host key no longer matches, the user must remove the client's saved version before a connection can occur.

    Always verify the integrity of a new SSH server

    It is possible for an attacker to masquerade as an SSH server during the initial contact since the local system does not know the difference between the intended server and a false one set up by an attacker. To help prevent this, verify the integrity of a new SSH server by contacting the server administrator before connecting for the first time or in the event of a host key mismatch.

    SSH is designed to work with almost any kind of public key algorithm or encoding format. After an initial key exchange creates a hash value used for exchanges and a shared secret value, the two systems immediately begin calculating new keys and algorithms to protect authentication and future data sent over the connection.
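    As an added example (not part of the original courseware), the following Python script shows what "verifying the integrity of a new SSH server" means in practice: it computes the fingerprints of a host key, both in the legacy MD5 colon form that this chapter's sample output uses and in the SHA256 form newer OpenSSH prints, and compares a server's published host key with the entry saved in ~/.ssh/known_hosts, which is the check ssh performs on every later connection. The host names and key bytes are constructed for the example and are not real keys.

```python
import base64
import hashlib
import struct

# Key-type strings a public-key line may start with (a known_hosts line starts with a host field instead).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")


def ssh_string(data):
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def parse_key_line(line):
    """Return (key_type, key_blob) from a public-key file line or a known_hosts line.

    Hashed known_hosts entries (|1|...) are not handled.  The type string stored
    inside the blob must agree with the text field; a mismatch means the line is corrupt.
    """
    fields = line.split()
    if fields[0] not in KEY_TYPES:
        fields = fields[1:]            # drop the host field of a known_hosts entry
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match %r" % key_type)
    return key_type, blob


def md5_fingerprint(blob):
    """Legacy colon-separated hex fingerprint (what 'ssh-keygen -l -E md5' prints)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def sha256_fingerprint(blob):
    """Fingerprint form printed by OpenSSH 6.8 and later: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(known_hosts_lines, hostname, server_key_line):
    """Compare the server's published host key with the client's saved entry.

    True on a match; False when the saved key differs (the
    'REMOTE HOST IDENTIFICATION HAS CHANGED' case); None when the host is unknown,
    which is when ssh asks the user to verify the fingerprint out of band.
    """
    _, server_blob = parse_key_line(server_key_line)
    for line in known_hosts_lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if hostname in fields[0].split(","):   # host field may list several names
            _, saved_blob = parse_key_line(line)
            return sha256_fingerprint(saved_blob) == sha256_fingerprint(server_blob)
    return None


def make_key_line(key_type, public_bytes, prefix=""):
    """Build a key line from raw key bytes (constructed data for this example, not a usable key)."""
    blob = ssh_string(key_type.encode()) + ssh_string(public_bytes)
    return prefix + key_type + " " + base64.b64encode(blob).decode()


# Constructed sample: the key published on the server, and a known_hosts file
# holding a matching entry for penguin and a different key for another host.
SERVER_HOST_KEY = make_key_line("ssh-ed25519", b"\x11" * 32)
KNOWN_HOSTS = [
    "# constructed ~/.ssh/known_hosts",
    make_key_line("ssh-ed25519", b"\x11" * 32, prefix="penguin.example.com,penguin "),
    make_key_line("ssh-ed25519", b"\x22" * 32, prefix="other.example.com "),
]
```

    The fingerprint the server administrator reads out over the phone should equal md5_fingerprint or sha256_fingerprint of the key the client was shown; only then does saving it into known_hosts give the later host_key_matches check any meaning.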


    After a certain amount of data has been transmitted using a given key and algorithm (the exact amount depends on the SSH implementation), another key exchange occurs, generating another set of hash values and a new shared secret value. Even if an attacker is able to determine the hash and shared secret value, this information is only useful for a limited period of time.

    Authentication

    Once the transport layer has constructed a secure tunnel to pass information between the two systems, the server tells the client the different authentication methods supported, such as using a private key-encoded signature or typing a password. The client then tries to authenticate itself to the server using one of these supported methods.

    SSH servers and clients can be configured to allow different types of authentication, which gives each side the optimal amount of control. The server can decide which encryption methods it supports based on its security model, and the client can choose the order of authentication methods to attempt from the available options.

    Channels

    After a successful authentication over the SSH transport layer, multiple channels are opened via a technique called multiplexing. Each of these channels handles communication for different terminal sessions and for forwarded sessions.

    Both clients and servers can create a new channel. Each channel is then assigned a different number on each end of the connection. When the client attempts to open a new channel, the client sends the channel number along with the request. This information is stored by the server and is used to direct communication to that channel. This is done so that different types of sessions do not affect one another and so that when a given session ends, its channel can be closed without disrupting the primary SSH connection.


    Configuring OpenSSH

    There are two different sets of configuration files: those for client programs (that is, ssh, scp, and sftp), and those for the server (the sshd daemon).

    System-wide SSH configuration information is stored in the /etc/ssh/ directory as described in the table below, "System-wide configuration files". User-specific SSH configuration information is stored in ~/.ssh/ within the user's home directory as described in the following table, "User-specific configuration files".


    System-wide configuration files

    File                            Description
    /etc/ssh/ssh_host_dsa_key       The DSA private key used by the sshd daemon.
    /etc/ssh/ssh_host_dsa_key.pub   The DSA public key used by the sshd daemon.
    /etc/ssh/ssh_host_key           The RSA private key used by the sshd daemon for version 1 of the SSH protocol.
    /etc/ssh/ssh_host_key.pub       The RSA public key used by the sshd daemon for version 1 of the SSH protocol.
    /etc/ssh/ssh_host_rsa_key       The RSA private key used by the sshd daemon for version 2 of the SSH protocol.
    /etc/ssh/ssh_host_rsa_key.pub   The RSA public key used by the sshd daemon for version 2 of the SSH protocol.


    User-specific configuration files

    File                     Description
    ~/.ssh/authorized_keys   Holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.
    ~/.ssh/id_dsa            Contains the DSA private key of the user.
    ~/.ssh/id_dsa.pub        The DSA public key of the user.
    ~/.ssh/id_rsa            The RSA private key used by ssh for version 2 of the SSH protocol.
    ~/.ssh/id_rsa.pub        The RSA public key used by ssh for version 2 of the SSH protocol.


    ~/.ssh/identity          The RSA private key used by ssh for version 1 of the SSH protocol.
    ~/.ssh/identity.pub      The RSA public key used by ssh for version 1 of the SSH protocol.
    ~/.ssh/known_hosts       Contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting to the correct SSH server.


    Starting an OpenSSH Server

    In order to run an OpenSSH server, you must have the openssh-server and openssh packages installed.

    To start the sshd daemon, type the following at a shell prompt:

    ~]# service sshd start

    To stop the running sshd daemon, use the following command:

    ~]# service sshd stop

    If you want the daemon to start automatically at the boot time, type:

    ~]# chkconfig sshd on

    Note that if you reinstall the system, a new set of identification keys will be created. As a result, clients who had connected to the system with any of the OpenSSH tools before the reinstall will see the following message:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.

    Requiring SSH for Remote Connections

    For SSH to be truly effective, using insecure connection protocols should be prohibited. Otherwise, a user's password may be protected using SSH for one session, only to be captured later while logging in using Telnet. Some services to disable include telnet, rsh, rlogin, and vsftpd.


    To disable these services, type the following commands at a shell prompt:

    ~]# chkconfig telnet off
    ~]# chkconfig rsh off
    ~]# chkconfig rlogin off
    ~]# chkconfig vsftpd off

    Using a Key-Based Authentication

    To improve the system security even further, you can enforce the key-based authentication by disabling the standard password authentication. To do so, open the /etc/ssh/sshd_config configuration file in a text editor such as vi or nano, and change the PasswordAuthentication option as follows:


    PasswordAuthentication no
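    As an added example (not from the courseware), the following Python snippet shows a pitfall of the edit just described: sshd uses the first value it finds for each keyword, so a "PasswordAuthentication no" appended below an existing "PasswordAuthentication yes" has no effect. The functions resolve an sshd_config the way sshd does and audit the two settings this chapter asks for; the sample file content is constructed and is not a real host's configuration.

```python
import re

# Constructed sshd_config excerpt: an administrator appended the recommended
# line at the end without noticing the earlier, still-active setting above it.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Protocol 2
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes

# appended later
PasswordAuthentication no
"""


def _keyword_and_value(line):
    """Split an active config line into (keyword, value); sshd allows ' ' or '=' as separator."""
    return re.split(r"[\s=]+", line, maxsplit=1)


def effective_settings(text):
    """Resolve keyword values the way sshd does (sshd_config(5)): keywords are
    case-insensitive, '#' starts a comment, and for each keyword the FIRST
    value wins.  Match blocks are not modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _keyword_and_value(line)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit(text):
    """Return findings for the two settings this chapter requires: protocol 2 only, no password auth."""
    s = effective_settings(text)
    findings = []
    proto = s.get("protocol")
    if proto is None:
        findings.append("Protocol is not set explicitly; add 'Protocol 2'")
    elif "1" in [v.strip() for v in proto.split(",")]:
        findings.append("Protocol '%s' still allows version 1; use 'Protocol 2'" % proto)
    # sshd defaults PasswordAuthentication to yes when the keyword is absent.
    pw = s.get("passwordauthentication", "yes").lower()
    if pw != "no":
        findings.append("PasswordAuthentication resolves to '%s'; edit the first "
                        "occurrence instead of appending a new line" % pw)
    return findings


def fix_first_occurrence(text, keyword, value):
    """Rewrite the first active line for keyword, which is the one sshd honours."""
    out, done = [], False
    for raw in text.splitlines():
        line = raw.strip()
        is_target = (not done and line and not line.startswith("#")
                     and _keyword_and_value(line)[0].lower() == keyword.lower())
        out.append("%s %s" % (keyword, value) if is_target else raw)
        done = done or is_target
    return "\n".join(out) + "\n"
```

    On a live host, sshd's extended test mode (sshd -T, on OpenSSH versions that support it) prints the configuration sshd actually resolved, which is a quicker check than reading the file by eye.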

    To be able to use ssh, scp, or sftp to connect to the server from a client machine, generate an authorization key pair by following the steps below. Note that keys must be generated for each user separately. Red Hat Enterprise Linux 6 uses SSH Protocol 2 and RSA keys by default.

    Do not generate key pairs as root

    If you complete the steps as root, only root will be able to use the keys.

    Backup your ~/.ssh/ directory

    If you reinstall your system and want to keep the previously generated key pair, back up the ~/.ssh/ directory. After reinstalling, copy it back to your home directory. This process can be done for all users on your system, including root.

    Generating Key Pairs

    To generate an RSA key pair for version 2 of the SSH protocol, follow these steps:

    1. Generate an RSA key pair by typing the following at a shell prompt:

    ~]$ ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/john/.ssh/id_rsa):

    2. Press Enter to confirm the default location (that is, ~/.ssh/id_rsa) for the newly created key.

    3. Enter a passphrase, and confirm it by entering it again when prompted to do so. For security reasons, avoid using the same password as you use to log in to your account.

    After this, you will be presented with a message similar to this:

    Your identification has been saved in /home/john/.ssh/id_rsa.


    Your public key has been saved in /home/john/.ssh/id_rsa.pub.
    The key fingerprint is:


    1. Generate a DSA key pair by typing the following at a shell prompt:

    ~]$ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/john/.ssh/id_dsa):

    2. Press Enter to confirm the default location (that is, ~/.ssh/id_dsa) for the newly created key.

    3. Enter a passphrase, and confirm it by entering it again when prompted to do so. For security reasons, avoid using the same password as you use to log in to your account.

    After this, you will be presented with a message similar to this:

    Your identification has been saved in /home/john/.ssh/id_dsa.
    Your public key has been saved in /home/john/.ssh/id_dsa.pub.
    The key fingerprint is:


    5. Copy the content of ~/.ssh/id_dsa.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect, appending it to its end if the file already exists.

    6. Change the permissions of the ~/.ssh/authorized_keys file using the following command:

    ~]$ chmod 644 ~/.ssh/authorized_keys

    To generate an RSA key pair for version 1 of the SSH protocol, follow these steps:

    1. Generate an RSA key pair by typing the following at a shell prompt:

    ~]$ ssh-keygen -t rsa1
    Generating public/private rsa1 key pair.
    Enter file in which to save the key (/home/john/.ssh/identity):

    2. Press Enter to confirm the default location (that is, ~/.ssh/identity) for the newly created key.

    3. Enter a passphrase, and confirm it by entering it again when prompted to do so. For security reasons, avoid using the same password as you use to log into your account.

    After this, you will be presented with a message similar to this:

    Your identification has been saved in /home/john/.ssh/identity.
    Your public key has been saved in /home/john/.ssh/identity.pub.
    The key fingerprint is:


    4. Change the permissions of the ~/.ssh/ directory:

    ~]$ chmod 755 ~/.ssh

    5. Copy the content of ~/.ssh/identity.pub into the ~/.ssh/authorized_keys on the machine to which you want to connect, appending it to its end if the file already exists.

    6. Change the permissions of the ~/.ssh/authorized_keys file using the following command:

    ~]$ chmod 644 ~/.ssh/authorized_keys

    Never share your private key

    The private key is for your personal use only, and it is important that you never give it to anyone.

    Configuring ssh-agent

    To store your passphrase so that you do not have to enter it each time you initiate a connection with a remote machine, you can use the ssh-agent authentication agent. If you are running GNOME, you can configure it to prompt you for your passphrase whenever you log in and remember it during the whole session. Otherwise you can store the passphrase for a certain shell prompt.

    To save your passphrase during your GNOME session, follow these steps:

    1. Make sure you have the openssh-askpass package installed.


    2. Select System → Preferences → Startup Applications from the panel. The Startup Applications Preferences will be started, and the tab containing a list of available startup programs will be shown by default.

    Startup Applications Preferences

    3. Click the Add button on the right, and enter /usr/bin/ssh-add in the Command field.

    Adding new application

    4. Click Add and make sure the checkbox next to the newly added item is selected.

    Enabling the application

    5. Log out and then log back in. A dialog box will appear prompting you for your passphrase. From this point on, you should not be prompted for a password by ssh, scp, or sftp.

    Entering a passphrase

    To save your passphrase for a certain shell prompt, use the following command:

    ~]$ ssh-add
    Enter passphrase for /home/john/.ssh/id_rsa:

    Note that when you log out, your passphrase will be forgotten. You must execute the command each time you log in to a virtual console or a terminal window.

    OpenSSH Clients

    To connect to an OpenSSH server from a client machine, you must have the openssh-clients and openssh packages installed.


    Using the ssh Utility

    The ssh utility allows you to log in to a remote machine and execute commands there. It is a secure replacement for the rlogin, rsh, and telnet programs.

    Similarly to telnet, you log in to a remote machine by using the following command:

    ssh hostname

    For example, to log in to a remote machine named penguin.example.com, type the following at a shell prompt:

    ~]$ ssh penguin.example.com

    This will log you in with the same username you are using on the local machine. If you want to specify a different one, use a command in the following form:

    ssh username@hostname

    For example, to log in to penguin.example.com as john, type:

    ~]$ ssh john@penguin.example.com

    The first time you initiate a connection, you will be presented with a message similar to this:

    The authenticity of host 'penguin.example.com' can't be established.
    RSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:


    If the SSH server's host key changes, the client notifies the user that the connection cannot proceed until the server's host key is deleted from the ~/.ssh/known_hosts file. To do so, open the file in a text editor, and remove a line containing the remote machine name at the beginning. Before doing this, however, contact the system administrator of the SSH server to verify the server is not compromised.

    After entering the password, you will be provided with a shell prompt for the remote machine.

    Alternatively, the ssh program can be used to execute a command on the remote machine without logging in to a shell prompt:

    ssh [username@]hostname command

    For example, the /etc/redhat-release file provides information about the Red Hat Enterprise Linux version. To view the contents of this file on penguin.example.com, type:

    ~]$ ssh john@penguin.example.com cat /etc/redhat-release
    john@penguin.example.com's password:
    Red Hat Enterprise Linux Server release 6.2 (Santiago)

    After you enter the correct password, the username will be displayed, and you will return to your local shell prompt.

    Using the scp Utility

    scp can be used to transfer files between machines over a secure, encrypted connection. In its design, it is very similar to rcp.

    To transfer a local file to a remote system, use a command in the following form:

    scp localfile username@hostname:remotefile

    For example, if you want to transfer taglist.vim to a remote machine named penguin.example.com, type the following at a shell prompt:

    ~]$ scp taglist.vim john@penguin.example.com:.vim/plugin/taglist.vim


    ~]$ sftp john@penguin.example.com
    john@penguin.example.com's password:
    Connected to penguin.example.com.
    sftp>

    After you enter the correct password, you will be presented with a prompt. The sftp utility accepts a set of commands similar to those used by ftp.

    A selection of available sftp commands


    Command                      Description
    ls [directory]               List the content of a remote directory. If none is supplied, a current working directory is used by default.
    cd directory                 Change the remote working directory to directory.
    mkdir directory              Create a remote directory.
    rmdir path                   Remove a remote directory.
    put localfile [remotefile]   Transfer localfile to a remote machine.
    get remotefile [localfile]   Transfer remo