8/18/2019 Linux Networking Security 14Jan 2016 Formatted
1/200
Linux Networking & Security
Linux Networking and Security
Administration
Courseware Designed & Written by
P Narasimhan
Linux Consultant
Acknowledgement
Some portions of this reference documentation have been derived from various
sources including the HOWTO's, Guides from the Linux Documentation Project, Man
& Info pages, FAQ's and technical articles from several other sources on the World
Wide Web. We are thankful to and do hereby sincerely acknowledge the creators of
these documents.
This courseware is given free of cost as a reference material covering the topics
dealt with during the training programmes (and on a few topics even going beyond
so as to provide an insight to the participants). It is precisely for internal circulation
only and is not intended for sale anywhere.
P Narasimhan
Linux is the Trademark of Linus Torvalds and all other brand names and trademarks
are properties of their respective owners.
No Warranty Clause
The authors disclaim all warranties with regard to this document and the
configurations covered thereto, including all implied warranties of merchantability
and fitness for a certain purpose. In no event shall the authors be liable for any
special, indirect or consequential damages or any damage whatsoever resulting
from loss of data, or profits whether in action of contract, negligence or other
tortious action, arising out of or in connection with the use of this document or
any of the software mentioned therein.
TABLE OF CONTENTS
Chapter- 1 : Manage IPv6 Network Configuration
Chapter- 2 : Manage Domain Name Service (DNS)
Chapter- 3 : Configure email delivery with Postfix
Chapter- 4 : File-based storage with NFS & Samba
Chapter- 5 : Web Server Apache Configuration
Chapter- 6 : Security-Enhanced Linux (SELinux)
Chapter- 7 : Troubleshooting the Linux Boot process
Chapter- 8 :
Chapter- 9 :
Chapter-10 :
Chapter-11 :
Chapter-12 :
Chapter-13 :
CHAPTER 1: APPLICATION MANAGEMENT THROUGH YUM
Sometimes software product installations are straightforward — you want to install a
Red Hat Enterprise Linux server, so you install Red Hat Enterprise Linux. However,
products can have dependencies with each other (product B is only worthwhile if
product A is also installed) or products can interact with each other to provide extended
functionality. There are two categories of these kinds of product interactions:
Dependencies, where one product requires or relies on another product
directly
Modifiers, where a product provides enhanced functionality or services for
existing products
Dependencies are common and can be handled directly when processing content through
tools like yum.
Yum is the Red Hat package manager that is able to query for information about
available packages, fetch packages from repositories, install and uninstall them, and
update an entire system to the latest available version. Yum performs automatic
dependency resolution on packages you are updating, installing, or removing, and thus is
able to automatically determine, fetch, and install all available dependent packages.
Yum can be configured with new, additional repositories, or package sources, and also
provides many plug-ins which enhance and extend its capabilities. Yum is able to
perform many of the same tasks that RPM can; additionally, many of the command line
options are similar. Yum enables easy and simple package management on a single
machine or on groups of them.
Secure package management with GPG-signed packages
Yum provides secure package management by enabling GPG (Gnu Privacy Guard; also
known as GnuPG) signature verification on GPG-signed packages to be turned on for all
package repositories (i.e. package sources), or for individual repositories. When
signature verification is enabled, Yum will refuse to install any packages not GPG-signed
with the correct key for that repository. This means that you can trust that the RPM
packages you download and install on your system are from a trusted source, such as Red
Hat, and were not modified during transfer.
Yum also enables you to easily set up your own repositories of RPM packages for
download and installation on other machines.
Learning Yum is a worthwhile investment because it is often the fastest way to perform
system administration tasks, and it provides capabilities beyond those provided by the
PackageKit graphical package management tools.
You must have superuser privileges in order to use yum to install, update or remove
packages on your system. All examples in this chapter assume that you have already obtained
superuser privileges by using either the su or sudo command.
Checking For and Updating Packages
To see which installed packages on your system have updates available, use the
following command:
~]# yum check-update
Loaded plugins: product-id, refresh-packagekit, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
The packages in the above output are listed as having updates available. The first
package in the list is PackageKit, the graphical package manager. The line in the
output tells us:
• PackageKit: the name of the package
• x86_64: the CPU architecture the package was built for
• the version of the updated package to be installed
• rhel: the repository in which the updated package is located
The output also shows us that we can update the kernel (the kernel package), Yum and
RPM themselves (the yum and rpm packages), as well as their dependencies (such as the
kernel-firmware, rpm-libs, and rpm-python packages), all using yum.
To update a single package, run the following command as root:
# yum update package_name
To update all packages and their dependencies, simply enter yum update (without any
arguments):
# yum update
Discovering which packages have security updates available and then updating those
packages quickly and easily is important. Yum provides the security plugin for this purpose. The
security plugin extends the yum command with a set of highly-useful security-centric
commands, subcommands and options. You will inevitably make changes to the
configuration files installed by packages as you use your Red Hat Enterprise Linux
system. RPM, which Yum uses to perform changes to the system, provides a mechanism
for ensuring their integrity.
You can search all RPM package names, descriptions and summaries by using the yum
search term [more_terms] command. yum displays the list of matches for each term, for
example:
~]# yum search meld kompare
Loaded plugins: product-id, refresh-packagekit, rhnplugin, subscription-manager
Updating Red Hat repositories.
INFO:rhsm-app.repolib:repos updated: 0
============================ Matched: kompare =============================
kdesdk.x86_64 : The KDE Software Development Kit (SDK)
Warning: No matches found for: meld
The yum search command is useful for searching for packages you do not know the name
of, but for which you know a related term.
yum list and related commands provide information about packages, package groups,
and repositories. All of Yum's list commands allow you to filter the results by appending
one or more glob expressions as arguments. Glob expressions are normal strings of
characters which contain one or more of the wildcard characters * (which expands to
match any character multiple times) and ? (which expands to match any one character).
# yum list all: lists all installed and available packages.
# yum list installed: lists all packages installed on your system. The rightmost column
in the output lists the repository from which the package was retrieved.
# yum list available: lists all available packages in all enabled repositories.
# yum grouplist: lists all package groups.
# yum repolist: lists the repository ID, name, and number of packages it provides for
each enabled repository.
A package group is similar to a package: it is not useful by itself, but installing one pulls
a group of dependent packages that serve a common purpose. A package group has a
name and a groupid. The yum grouplist -v command lists the names of all package
groups, and, next to each of them, their groupid in parentheses. The groupid is always
the term in the last pair of parentheses, such as kde-desktop in the following example:
~]# yum -v grouplist kde\*
Loading "rhnplugin" plugin
Loading "product-id" plugin
# yum groupinstall kde-desktop
yum remove package_name uninstalls (removes in RPM and Yum terminology) the
package, as well as any packages that depend on it. As when you install multiple
packages, you can remove several at once by adding more package names to the
command. For example, to remove totem, rhythmbox, and sound-juicer, type the
following at a shell prompt:
# yum remove totem rhythmbox sound-juicer
You can remove a package group using syntax congruent with the install syntax. The
following are alternative but equivalent ways of removing the KDE Desktop group:
~]# yum groupremove "KDE Desktop"
~]# yum groupremove kde-desktop
~]# yum remove @kde-desktop
Configuring Yum and Yum Repositories
This section shows you how to:
• set global Yum options by editing the [main] section of the /etc/yum.conf
configuration file;
• set options for individual repositories by editing the [repository] sections in
/etc/yum.conf and .repo files in the /etc/yum.repos.d/ directory;
• use Yum variables in /etc/yum.conf and files in /etc/yum.repos.d/ so that dynamic
version and architecture values are handled correctly; and,
• set up your own custom Yum repository.
The /etc/yum.conf configuration file contains one mandatory [main] section under
which you can set Yum options. The values that you define in the [main] section of
yum.conf have global effect, and may override values set in individual [repository]
sections. You can also add [repository] sections to /etc/yum.conf; however, best
practice is to define individual repositories in new or existing .repo files in the
/etc/yum.repos.d/ directory.
The /etc/yum.conf configuration file contains exactly one [main] section. You can add
many additional options under the [main] section heading in /etc/yum.conf. Some of the
key-value pairs in the [main] section affect how yum operates; others affect how Yum
treats repositories.
The best source of information for all Yum options is in the [main] OPTIONS and
[repository] OPTIONS sections of man yum.conf.
A sample /etc/yum.conf configuration file can look like this:
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=3
[comments abridged]
# PUT YOUR REPOS HERE OR IN separate files named file.repo
# in /etc/yum.repos.d
Setting [repository] Options
The [repository] sections (where repository is a unique repository ID, such as
my_personal_repo) allow you to define individual Yum repositories. To define a new
repository, either add this section to the /etc/yum.conf file, or to a .repo file in the
/etc/yum.repos.d/ directory.
All .repo files in /etc/yum.repos.d/ are read by yum, which allows you to create new,
custom .repo files in this directory. Best practice is to define your repositories here
instead of in /etc/yum.conf.
The following is a (bare-minimum) example of the form a .repo file takes:
[repository_ID]
name=Repository Name
baseurl=http://path/to/repo or ftp://path/to/repo or file:///path/to/local/repo
Every [repository] section must contain the following minimum directives:
[repository_ID]
The repository ID is a unique, one-word (no spaces; underscores are allowed) string of
characters (enclosed by brackets) that serves as a repository identifier.
name=A Repository Name
This is a human-readable string describing the repository.
baseurl=http://path/to/repo, ftp://path/to/repo, file:///path/to/local/repo
This is a URL to the directory where the repodata directory of a repository is
located. Usually this URL is an HTTP link, such as:
baseurl=http://path/to/repo/releases/$releasever/server/$basearch/os/
Yum always expands the $releasever, $arch and $basearch variables in URLs. See the
following section, "Using Yum Variables", for explanations of all Yum variables.
• If the repository is available over FTP, use: ftp://path/to/repo
• If the repository is local to the machine, use file:///path/to/local/repo
• If a specific online repository requires basic HTTP authentication, you can specify
your username and password in the http://path/to/repo by prepending it as
username:password@link. For example, if a repository on
http://www.example.com/repo/ requires a username of "user" and a password of
"password", then the baseurl link could be specified as:
baseurl=http://user:password@www.example.com/repo/
The following is another useful [repository] directive:
enabled=value
...where value is one of:
0: do not include this repository as a package source when performing updates and
installs. This is an easy way of quickly turning repositories on and off, which is useful
when you desire a single package from a repository that you do not want to enable for
updates or installs.
1: include this repository as a package source.
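The following script is an added example, not part of the courseware: it audits a .repo file for the three points the section raises, gpgcheck left off (so unsigned packages would be accepted), a username and password embedded in baseurl, and a plain http:// source. The sample .repo content and the repository names in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit yum .repo files for weak settings (not from the courseware).
# The sample file below is constructed and written to a temp file so this runs offline.
REPO_SAMPLE=$(mktemp)
cat > "$REPO_SAMPLE" <<'EOF'
[vendor_updates]
name=Vendor Updates
baseurl=https://updates.example.com/rhel/$releasever/$basearch/os/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-vendor

[my_personal_repo]
name=My Personal Repo
baseurl=http://user:password@www.example.com/repo/
enabled=1
gpgcheck=0

[local_mirror]
name=Local Mirror
baseurl=file:///srv/repo/
enabled=0
EOF

# audit_repo FILE: print one "repo_id: finding" line per weakness found.
# Sections with enabled=0 are skipped because yum never uses them as a package
# source; a [main] section (only present in yum.conf) is skipped as well.
audit_repo() {
    awk '
    function flush() {
        if (id == "" || id == "main" || enabled == "0") return
        if (gpgcheck == "0") print id ": gpgcheck=0 disables signature verification"
        else if (gpgcheck == "") print id ": gpgcheck not set, relies on the [main] default"
        if (baseurl ~ /^[a-z]+:\/\/[^\/@]+:[^\/@]+@/) print id ": credentials embedded in baseurl"
        if (baseurl ~ /^http:\/\//) print id ": baseurl uses unencrypted http://"
    }
    # a new [section] header: report the previous section, then reset state
    /^\[.*\]$/ { flush(); id = substr($0, 2, length($0) - 2); enabled = "1"; gpgcheck = ""; baseurl = ""; next }
    /^gpgcheck=/ { gpgcheck = substr($0, 10) }
    /^enabled=/  { enabled = substr($0, 9) }
    /^baseurl=/  { baseurl = substr($0, 9) }
    END { flush() }
    ' "$1"
}

# count_findings FILE: number of findings, handy as a pass/fail signal in a check script.
count_findings() {
    audit_repo "$1" | wc -l | tr -d ' '
}

audit_repo "$REPO_SAMPLE"
```

Run it against /etc/yum.repos.d/*.repo on a real host to spot repositories that silently override the gpgcheck=1 set in /etc/yum.conf.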
CHAPTER 2: NETWORK MONITORING TOOLS
Sometimes it is necessary or useful to monitor network traffic on your computer. You can
monitor all the connections going in and out of your computer.
Netstat is a common command line TCP/IP networking utility available in most versions
of Windows, Linux, UNIX and other operating systems. Netstat provides information and
statistics about protocols in use and current TCP/IP network connections. (The name
derives from the words network and statistics.)
Using netstat you can monitor every connection going in and out of your computer. This
monitors all major protocols including tcp and udp, and every port. netstat is a standard
Unix program, so it is likely installed.
netstat also displays unix domain connections, which are fairly useless for this purpose. To
display only tcp and udp connections:
• Execute: netstat -t -u
• For displaying continuously
• Execute: netstat -t -u -c
Each field in Active Internet connections contains Protocol, Receive queue, Send queue,
Local Address, Foreign Address, State.
Each field in Active UNIX domain sockets contains Protocol, Reference Count, Flags,
Type, State, Inode number and path of process.
To see all sockets in the system use the following command.
# netstat -a
Using parameter '-l' displays all listening state servers in the system. The state field of
the result of this command will be 'LISTEN'
# netstat -l
To display the routing table of a system use the parameter '-r' as shown below:
# netstat -r
The interface list can be displayed by using the following command
# netstat -i
To view the network statistics of the system use the following command
# netstat -s
Many people type "netstat -a | grep -i LISTEN", but "netstat -l" will do the same: filter
the output to show sockets in the LISTEN state only. Very useful to quickly see what is
being "served" in your box. You can combine this with "-u" to only show UDP connections
or "-t" to restrict the output to TCP connections only.
# netstat -ln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:17500           0.0.0.0:*               LISTEN
...
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     101544 /home/sml/.dropbox/command_socket
unix  2      [ ACC ]     STREAM     LISTENING     101549 /home/sml/.dr...
With "-p", netstat shows what program/pid is using a given socket. Very handy to find
out who's listening on a port or holding a connection open. A personal favorite of mine is
"netstat -lput", which displays all TCP and UDP sockets in the LISTEN state, plus the
name and pid of the program listening on that socket.
# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:17500           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2143          0.0.0.0:*               LISTEN
...
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     101544 4185/dropbox        /home/sml/.dropbox/command_socket
unix  2      [ ACC ]     STREAM     LISTENING     101549 4185/dropbox        /home/sm...
unix  2      [ ACC ]     STREAM     LISTENING     11051  -
Combining switches (all TCP & UDP traffic, numerically, listening, with process ids)
# netstat -tulnp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:17500           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2143          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:1986          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2025          0.0.0.0:*               LISTEN
tcp        0      0 ::1:2143                :::*                    LISTEN
tcp        0      0 ::1:2025                :::*                    LISTEN
...
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
udp        0      0 0.0.0.0:727             0.0.0.0:*
udp        0      0 0.0.0.0:836             0.0.0.0:*
udp        0      0 0.0.0.0:17500           0.0.0.0:*
...
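As an added example (not from the courseware), the script below reads "netstat -tulnp" output in the format shown above and sorts the listeners by bind address: a socket bound to 0.0.0.0 or :: accepts connections from every interface, one bound to 127.0.0.1 or ::1 only from the host itself. The sample output, its PIDs and program names are constructed.

```shell
#!/bin/sh
# Added example: classify netstat -tulnp listeners by bind address (not from the courseware).
# Constructed sample output stands in for a live "netstat -tulnp" run.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1198/cupsd
tcp        0      0 0.0.0.0:17500           0.0.0.0:*               LISTEN      4185/dropbox
tcp        0      0 ::1:2143                :::*                    LISTEN      4187/imapproxy
udp        0      0 0.0.0.0:111             0.0.0.0:*                           988/rpcbind
udp        0      0 127.0.0.1:323           0.0.0.0:*                           -'

# listeners CLASS: print "proto port program" for each listening socket whose bind
# address falls in CLASS: "exposed" (0.0.0.0 or ::) or "local" (loopback only).
# Reads the text of netstat -tulnp from stdin.
listeners() {
    awk -v class="$1" '
    $1 !~ /^(tcp|udp)6?$/ { next }              # skip the two header lines
    {
        # Local Address is host:port; the port is everything after the last ":".
        n = split($4, parts, ":")
        port = parts[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        # udp rows have no State column, so the program is always the last field.
        prog = $NF
        sub(/^[0-9]+\//, "", prog)              # "1021/sshd" -> "sshd"
        exposed = (host == "0.0.0.0" || host == "::")
        if ((class == "exposed" && exposed) || (class == "local" && !exposed))
            print $1, port, prog
    }'
}

# exposed_count: how many sockets in the sample accept connections from any interface.
exposed_count() {
    printf '%s\n' "$NETSTAT_SAMPLE" | listeners exposed | wc -l | tr -d ' '
}

printf '%s\n' "$NETSTAT_SAMPLE" | listeners exposed
```

On a live system pipe "netstat -tulnp" into "listeners exposed" and compare the result with the services the host is meant to offer; a "-" in the program column means the socket belongs to a process you are not privileged to see.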
Nmap: Network exploration tool and security / port scanner
Nmap ("Network Mapper") is an open source tool for network exploration and security
auditing. It was designed to rapidly scan large networks, although it works fine against
single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are
available on the network, what services (application name and version) those hosts are
offering, what operating systems (and OS versions) they are running, what type of
packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is
commonly used for security audits, many systems and network administrators find it
useful for routine tasks such as network inventory, managing service upgrade schedules,
and monitoring host or service uptime.
The output from Nmap is a list of scanned targets, with supplemental information on
each depending on the options used. Key among that information is the "interesting
ports table". That table lists the port number and protocol, service name, and state.
The state is either open, filtered, closed, or unfiltered. Open means that an application
on the target machine is listening for connections/packets on that port. Filtered means
that a firewall, filter, or other network obstacle is blocking the port so that Nmap
cannot tell whether it is open or closed. Closed ports have no application listening on
them, though they could open up at any time. Ports are classified as unfiltered when
they are responsive to Nmap's probes, but Nmap cannot determine whether they are
open or closed. Nmap reports the state combinations open|filtered and closed|filtered
when it cannot determine which of the two states describe a port. The port table may
also include software version details when version detection has been requested. When
an IP protocol scan is requested (-sO), Nmap provides information on supported IP
protocols rather than listening ports.
In addition to the interesting ports table, Nmap can provide further information on
targets, including reverse DNS names, operating system guesses, device types, and MAC
addresses.
A typical Nmap scan is shown in the following example. The only Nmap arguments used
in this example are -A, to enable OS and version detection, script scanning, and
traceroute; -T4 for faster execution; and then the two target hostnames.
Example 1. A representative Nmap scan
# nmap -A -T4 scanme.nmap.org
Starting Nmap ( http://nmap.org )
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 994 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 4.3 (protocol 2.0)
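The next script is an added example and not part of the courseware or of Nmap itself: it pulls the interesting ports table out of Nmap's normal output and compares the ports in state "open" with an allowlist of services a host is supposed to expose, which is how an administrator turns an inventory scan into a check. The sample output, host name and address are constructed in the format the example above shows.

```shell
#!/bin/sh
# Added example: compare open ports in an nmap report against an allowlist (not from the courseware).
# The scan output below is constructed; host name and address are placeholders.
NMAP_SAMPLE='Starting Nmap ( http://nmap.org )
Interesting ports on host.example.com (192.0.2.10):
Not shown: 993 filtered ports
PORT      STATE         SERVICE    VERSION
22/tcp    open          ssh        OpenSSH 4.3 (protocol 2.0)
25/tcp    closed        smtp
53/tcp    open|filtered domain
80/tcp    open          http       Apache httpd 2.2.3
8080/tcp  open          http-proxy
123/udp   open|filtered ntp'

# ports_in_state STATE: print "port/proto service" for every table row whose STATE
# column matches exactly, so "open" does not also pick up "open|filtered" rows.
ports_in_state() {
    printf '%s\n' "$NMAP_SAMPLE" | awk -v want="$1" '
        $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == want { print $1, $3 }'
}

# unexpected_open "ALLOWED...": open ports that are not in the space-separated
# allowlist. Anything printed here is a listener nobody planned for.
unexpected_open() {
    ports_in_state open | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok) { print $1, $2 }'
}

ports_in_state open
unexpected_open "22/tcp 80/tcp"
```

Ports reported as open|filtered are listed separately on purpose: the text above explains that Nmap could not tell which state applies, so they need a follow-up rather than a verdict.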
Because host discovery needs are so diverse, Nmap offers a wide variety of options for
customizing the techniques used. Host discovery is sometimes called ping scan, but it
goes well beyond the simple ICMP echo request packets associated with the ubiquitous
ping tool. Users can skip the ping step entirely with a list scan (-sL) or by disabling ping
(-Pn), or engage the network with arbitrary combinations of multi-port TCP SYN/ACK,
UDP, SCTP INIT and ICMP probes. The goal of these probes is to solicit responses which
demonstrate that an IP address is actually active (is being used by a host or network
device). On many networks, only a small percentage of IP addresses are active at any
given time. This is particularly common with private address space such as [...] and 443
using the connect system call. This host discovery is often sufficient when scanning
local networks, but a more comprehensive set of discovery probes is recommended for
security auditing.
The -P* options (which select ping types) can be combined. You can increase your odds
of penetrating strict firewalls by sending many probe types using different TCP
ports/flags and ICMP codes. Also note that ARP discovery (-PR) is done by default
against targets on a local ethernet network even if you specify other -P* options,
because it is almost always faster and more effective.
By default, Nmap does host discovery and then performs a port scan against each host it
determines is online. This is true even if you specify non-default host discovery types
such as UDP probes (-PU). Read about the -sP option to learn how to perform only host
discovery, or use -Pn to skip host discovery and port scan all target hosts. The following
options control host discovery:
-sL (List Scan)
The list scan is a degenerate form of host discovery that simply lists each host of
the network(s) specified, without sending any packets to the target hosts. By
default, Nmap still does reverse-DNS resolution on the hosts to learn their names.
It is often surprising how much useful information simple hostnames give out. For
example, fw.chi is the name of one company's Chicago firewall. Nmap also reports
the total number of IP addresses at the end. The list scan is a good sanity check to
ensure that you have proper IP addresses for your targets. If the hosts sport domain
names you do not recognize, it is worth investigating further to prevent scanning
the wrong company's network.
Since the idea is to simply print a list of target hosts, options for higher level
functionality such as port scanning, OS detection, or ping scanning cannot be
combined with this. If you wish to disable ping scanning while still performing such
higher level functionality, read up on the -Pn (skip ping) option.
-sP (Skip port scan)
This option tells Nmap not to do a port scan after host discovery, and only print out
the available hosts that responded to the scan. This is often known as a "ping scan",
but you can also request that traceroute and NSE host scripts be run. This is by
default one step more intrusive than the list scan, and can often be used for the
same purposes. It allows light reconnaissance of a target network without
attracting much attention. Knowing how many hosts are up is more valuable to
attackers than the list provided by list scan of every single IP and host name.
Systems administrators often find this option valuable as well. It can easily be used
to count available machines on a network or monitor server availability. This is
often called a ping sweep, and is more reliable than pinging the broadcast address
because many hosts do not reply to broadcast queries.
The -sP option sends an ICMP echo request, TCP SYN to port 443, TCP ACK to port
80
-PS port list (TCP SYN Ping)
This option sends an empty TCP packet with the SYN flag set. The default
destination port is 80 (configurable at compile time by changing
DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h). Alternate ports can be specified as a
parameter. The syntax is the same as for the -p option except that port type specifiers
like T: are not allowed. Examples are -PS22 and -PS22-25,80,113,1050,35000.
Note that there can be no space between -PS and the port list. If multiple probes
are specified they will be sent in parallel.
The SYN flag suggests to the remote system that you are attempting to establish a
connection. Normally the destination port will be closed, and a RST (reset) packet
sent back. If the port happens to be open, the target will take the second step of a
TCP three-way-handshake by responding with a SYN/ACK TCP packet. The machine
running Nmap then tears down the nascent connection by responding with a RST
rather than sending an ACK packet which would complete the three-way-handshake
and establish a full connection. The RST packet is sent by the kernel of the
machine running Nmap in response to the unexpected SYN/ACK, not by Nmap
itself.
Nmap does not care whether the port is open or closed. Either the RST or SYN/ACK
response discussed previously tells Nmap that the host is available and responsive.
Tcpdump
The tcpdump tool is a command line utility for monitoring network traffic.
Tcpdump prints out a description of the contents of packets on a network interface that
match the boolean expression. It can also be run with the -w flag, which causes it to
save the packet data to a file for later analysis, and/or with the -r flag, which causes it
to read from a saved packet file rather than to read packets from a network interface.
In all cases, only packets that match expression will be processed by tcpdump.
Tcpdump will, if not run with the -c flag, continue capturing packets until it is
interrupted by a SIGINT signal (generated, for example, by typing your interrupt
character, typically control-C) or a SIGTERM signal (typically generated with the kill
command); if run with the -c flag, it will capture packets until it is interrupted by a
SIGINT or SIGTERM signal or the specified number of packets have been processed.
When tcpdump finishes capturing packets, it will report counts of:
packets ''captured'' (this is the number of packets that tcpdump has received and
processed);
packets ''received by filter'' (the meaning of this depends on the OS on which you're
running tcpdump, and possibly on the way the OS was configured - if a filter was
specified on the command line, on some OSes it counts packets regardless of whether
they were matched by the filter expression and, even if they were matched by the filter
expression, regardless of whether tcpdump has read and processed them yet, on other
OSes it counts only packets that were matched by the filter expression regardless of
whether tcpdump has read and processed them yet, and on other OSes it counts only
packets that were matched by the filter expression and were processed by tcpdump);
packets ''dropped by kernel'' (this is the number of packets that were dropped, due to a
lack of buffer space, by the packet capture mechanism in the OS on which tcpdump is
running, if the OS reports that information to applications; if not, it will be reported as
The -D flag will not be supported if tcpdump was built with an older version of
libpcap that lacks the pcap_findalldevs
Avahi is a system which facilitates service discovery on a local network via the
mDNS/DNS-SD protocol suite. This enables you to plug your laptop or computer into
a network and instantly be able to view other people who you can chat with, find
printers to print to or find files being shared.
Zero Configuration Network
Most Linux distributions utilise the Zero Configuration Network (ZEROCONF) automation
suite. This is an IETF workgroup that planned and coordinated a series of dynamic
configuration protocols to allow many operating systems to automatically configure
themselves and communicate on a network without the need of DHCP or DNS servers.
ZEROCONF utilises the 169.254.
The value for the
CHAPTER 3: ADVANCED NETWORK CONFIGURATION
Assign an additional address to a NIC
To create a channel bonding interface, create a file in the /etc/sysconfig/network-
scripts/ directory called ifcfg-bondN, replacing N with the number for the
interface, such as 0.
NETMASK=255.255.255.0
ONBOOT=yes
BOOTPROTO=none
USERCTL=no
BONDING_OPTS="bonding parameters separated by spaces"
After the channel bonding interface is created, the network interfaces to be bound
together must be configured by adding the MASTER= and SLAVE= directives to their
configuration files. The configuration files for each of the channel-bonded interfaces can
be nearly identical.
For example, if two Ethernet interfaces are being channel bonded, both eth0 and eth1
may look like the following example:
DEVICE=ethN
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
Netcraft; P Narasimhan
In this example, replace N with the numerical value for the interface.
For a channel bonding interface to be valid, the kernel module must be loaded. To ensure that the module is loaded when the channel bonding interface is brought up, create a new file as root named <bonding>.conf in the /etc/modprobe.d/ directory. Note that you can name this file anything you like as long as it ends with a .conf extension. Insert the following line in this new file:
alias bondN bonding
Tuning Kernel Network Parameters
The Linux kernel parameters can be tuned to perform certain actions to suit the requirements, and the kernel provides the necessary tools and interfaces as well.
The /sbin/sysctl command is used to view, set, and automate kernel settings in the /proc/sys/ directory.
For a quick overview of all settings configurable in the /proc/sys/ directory, type the /sbin/sysctl -a command as root. This creates a large, comprehensive list, a small portion of which looks something like the following:
net.ipv4.route.min_delay = 2
kernel.sysrq = 0
kernel.sem = 250 32000 32 128
While quickly setting single values like this in /proc/sys/ is helpful during testing, this method does not work as well on a production system, as special settings within /proc/sys/ are lost when the machine is rebooted. To preserve custom settings, add them to the /etc/sysctl.conf file.
Each time the system boots, the init program runs the /etc/rc.d/rc.sysinit script. This script contains a command to execute sysctl using /etc/sysctl.conf to determine the values passed to the kernel. Any values added to /etc/sysctl.conf therefore take effect each time the system boots.
Some of the best documentation about the proc file system is installed on the system by default:
- /usr/share/doc/kernel-doc-kernel_version/Documentation/filesystems/proc.txt — Contains assorted, but limited, information about all aspects of the /proc/ directory.
- /usr/share/doc/kernel-doc-kernel_version/Documentation/sysrq.txt — An overview of System Request Key options.
- /usr/share/doc/kernel-doc-kernel_version/Documentation/sysctl/ — A directory containing a variety of sysctl tips, including modifying values that concern the kernel (kernel.txt), accessing file systems (fs.txt), and virtual memory use (vm.txt).
- /usr/share/doc/kernel-doc-kernel_version/Documentation/networking/ip-sysctl.txt — A detailed overview of IP networking options.
Static Route Configuration
# ip route show
For persistent kernel routing, edit /etc/sysctl.conf.
CHAPTER: LINUX FIREWALL CONFIGURATION
CHAPTER 6: DOMAIN NAME SERVICE
In a DNS server such as BIND (Berkeley Internet Name Domain), all information is stored in basic data elements called resource records (RR). The resource record is usually a fully qualified domain name (FQDN) of a host, and is broken down into multiple sections organized into a tree-like hierarchy. This hierarchy consists of a main trunk, primary branches, secondary branches, and so on.
A simple resource record
bob.sales.example.com
Each level of the hierarchy is divided by a period (that is, .). In "A simple resource record", com defines the top-level domain, example its subdomain, and sales the subdomain of example. In this case, bob identifies a resource record that is part of the sales.example.com domain. With the exception of the part furthest to the left (that is, bob), each of these sections is called a zone and defines a specific namespace.
Zones are defined on authoritative nameservers through the use of zone files, which contain definitions of the resource records in each zone. Zone files are stored on primary nameservers (also called master nameservers), where changes are made to the files, and secondary nameservers (also called slave nameservers), which receive zone definitions from the primary nameservers. Both primary and secondary nameservers are authoritative for the zone and look the same to clients. Depending on the configuration, any nameserver can also serve as a primary or secondary server for multiple zones at the same time.
Nameserver Types
There are two nameserver configuration types:
authoritative
Authoritative nameservers answer to resource records that are part of their zones only. This category includes both primary (master) and secondary (slave) nameservers.
recursive
Recursive nameservers offer resolution services, but they are not authoritative for any zone. Answers for all resolutions are cached in memory for a fixed period of time, which is specified by the retrieved resource record.
Although a nameserver can be both authoritative and recursive at the same time, it is recommended not to combine the configuration types. To be able to perform their work, authoritative servers should be available to all clients all the time. On the other hand, since the recursive lookup takes far more time than authoritative responses, recursive servers should be available to a restricted number of clients only, otherwise they are prone to distributed denial of service (DDoS) attacks.
BIND as a Nameserver
BIND consists of a set of DNS-related programs. It contains a nameserver called named, an administration utility called rndc, and a debugging tool called dig.
BIND
This chapter covers BIND (Berkeley Internet Name Domain), the DNS server included in Red Hat Enterprise Linux. It focuses on the structure of its configuration files, and describes how to administer it both locally and remotely. When the named service is started, it reads the configuration from the files mentioned below:
/etc/named.conf — The main configuration file.
/etc/named/ — An auxiliary directory for configuration files that are included in the main configuration file.
The configuration file consists of a collection of statements with nested options surrounded by opening and closing curly brackets. Note that when editing the file, you have to be careful not to make any syntax error, otherwise the named service will not start.
Running BIND in a chroot environment
If you have installed the bind-chroot package, the BIND service will run in the /var/named/chroot environment. In that case, the initialization script will mount the above configuration files using the mount --bind command, so that you can manage the configuration outside this environment.
Common Statement Types
The following types of statements are commonly used in /etc/named.conf:
acl
The acl (Access Control List) statement allows you to define groups of hosts, so that they can be permitted or denied access to the nameserver. It takes the following form:
acl acl-name {
  match-element;
  ...
};
The acl-name statement name is the name of the access control list, and the match-element option is usually an individual IP address or a network in CIDR notation.
The acl statement can be especially useful in conjunction with other statements such as options. The example described below, "Using acl in conjunction with options", defines two access control lists, black-hats and red-hats, and adds black-hats to the blacklist while granting red-hats normal access.
acl black-hats {
Restrict recursive servers to selected clients only
To prevent distributed denial of service (DDoS) attacks, it is recommended that you use the allow-query-cache option to restrict recursive DNS services for a particular subset of clients only.
options {
  allow-query       { localhost; };
  listen-on port 53 { 127.0.0.1; };
  ...
};
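The following check is an added example written for this section; it is not code from the courseware or from BIND. It reads the options block of a named.conf fragment and reports when a recursive server would serve its cache to any client, which is the exposure the recommendation above is meant to close. The two configurations inside it (WEAK_CONF and HARDENED_CONF, with the hypothetical acl name trusted and the addresses in it) are constructed for the example.

```python
"""Audit an /etc/named.conf fragment for recursion exposed to arbitrary clients.

Added example (not from the courseware or from BIND itself): a brace-aware
reader pulls the options { } block out of the configuration, reads the
allow-recursion / allow-query-cache / allow-query address-match lists and
reports when a recursive server would serve its cache to "any" client.
Both configurations below are constructed for the example.
"""
import re

# Constructed sample: a resolver that answers recursive queries for everyone.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };   // no allow-query-cache or allow-recursion at all
};
"""

# Constructed sample: recursion limited to an acl, as the text above recommends.
HARDENED_CONF = """
acl trusted { 127.0.0.1; 10.0.1.0/24; };   # hypothetical site addresses
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-query-cache { trusted; };
    allow-recursion { trusted; };
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)


def block_body(text, name):
    """Return the text inside the top-level `name { ... }` block, or None."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    raise ValueError("unbalanced braces in %s block" % name)


def match_list(body, option):
    """Return the elements of `option { a; b; };` as a list, or None if unset."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(option), body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_recursion(conf):
    """Return a list of findings; empty when recursion is suitably restricted."""
    opts = block_body(strip_comments(conf), "options") or ""
    findings = []
    recursion = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    if recursion and recursion.group(1) == "no":
        return findings                 # authoritative-only server: nothing to restrict
    query = match_list(opts, "allow-query") or []
    for opt in ("allow-recursion", "allow-query-cache"):
        lst = match_list(opts, opt)
        if lst is None:
            # when unset, BIND falls back to allow-query; flag an open fallback
            if "any" in query:
                findings.append("%s unset and allow-query includes any" % opt)
        elif "any" in lst:
            findings.append("%s includes any: cache served to all clients" % opt)
    return findings


if __name__ == "__main__":
    print("weak:", audit_recursion(WEAK_CONF))
    print("hardened:", audit_recursion(HARDENED_CONF))
```

The fallback modelled here is the one BIND 9 documents: an unset allow-query-cache or allow-recursion inherits allow-query, and only when that is unset too does the built-in default of localhost and localnets apply. The script looks only at the options block, so per-view or per-zone overrides in a larger configuration are outside what it checks.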
The zone-name attribute is particularly important, as it is the default value assigned for the $ORIGIN directive used within the corresponding zone file located in the /var/named/ directory. The named daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file. For example, if a zone statement defines the namespace for example.com, use example.com as the zone-name so that it is placed at the end of hostnames within the example.com zone file. Most changes to the /etc/named.conf file of a primary or secondary nameserver involve adding, modifying, or deleting zone statements, and only a small subset of zone statement options is usually needed for a nameserver to work efficiently.
In the example given below, "A zone statement for a primary nameserver", the zone is identified as example.com, the type is set to master, and the named service is instructed to read the /var/named/example.com.zone file. It also allows only a secondary nameserver (192.168.0.2) to transfer the zone.
By default, named sends standard messages to the rsyslog daemon, which places them in /var/log/messages. Several standard channels are built into BIND with various severity levels, such as default_syslog (which handles informational logging messages) and default_debug (which specifically handles debugging messages). A default category, called default, uses the built-in channels to do normal logging without any special configuration.
Comment Tags
In addition to statements, the /etc/named.conf file can also contain comments. Comments are ignored by the named service, but can prove useful when providing additional information to a user. The following are valid comment tags:
//
Any text after the // characters to the end of the line is considered a comment. For example:
notify yes;  // notify all secondary nameservers
#
Any text after the # character to the end of the line is considered a comment. For example:
notify yes;  # notify all secondary nameservers
/* and */
Any block of text enclosed in /* and */ is considered a comment. For example:
notify yes;  /* notify all secondary nameservers */
Editing Zone Files
As outlined in an earlier section, "Nameserver Zones", zone files contain information about a namespace. They are stored in the named working directory located in /var/named/ by default, and each zone file is named according to the file option in the zone statement, usually in a way that relates to the domain in question and identifies the file as containing zone data, such as example.com.zone.
A zone file consists of directives and resource records. Directives tell the nameserver to perform tasks or apply special settings to the zone; resource records define the parameters of the zone and assign identities to individual hosts. While the directives are optional, the resource records are required in order to provide name service to a zone.
All directives and resource records should be entered on individual lines.
Common Directives
Directives begin with the dollar sign character followed by the name of the directive, and usually appear at the top of the file. The following directives are commonly used in zone files:
$INCLUDE
The $INCLUDE directive allows you to include another file at the place where it appears, so that other zone settings can be stored in a separate zone file.
$INCLUDE /var/named/penguin.example.com
$ORIGIN
The $ORIGIN directive allows you to append the domain name to unqualified records, such as those with the hostname only. Note that the use of this directive is not necessary if the zone is specified in /etc/named.conf, since the zone name is used by default.
In the example given below, "Using the $ORIGIN directive", any names used in resource records that do not end in a trailing period are appended with example.com.
$ORIGIN example.com.
$TTL
The $TTL directive allows you to set the default Time to Live (TTL) value for the zone, that is, how long a zone record is valid. Each resource record can contain its own TTL value, which overrides this directive.
Increasing this value allows remote nameservers to cache the zone information for a longer period of time, reducing the number of queries for the zone and lengthening the amount of time required to propagate resource record changes.
$TTL 1D
Common Resource Records
The following resource records are commonly used in zone files:
A
The Address record specifies an IP address to be assigned to a name. It takes the following form:
hostname IN A IP-address
If the hostname value is omitted, the record will point to the last specified hostname. In the example given below, "Using the A resource record", the requests for server1.example.com are pointed to 10.0.1.3 or 10.0.1.5.
server1  IN  A  10.0.1.3
         IN  A  10.0.1.5
CNAME
There are multiple restrictions on the usage of CNAME (Canonical Name) records:
- CNAME records should not point to other CNAME records. This is mainly to avoid possible infinite loops.
- CNAME records should not contain other resource record types (such as A, NS, MX, etc.). The only exception are DNSSEC related records (that is, RRSIG, NSEC, etc.) when the zone is signed.
- Other resource records that point to the fully qualified domain name (FQDN) of a host (that is, NS, MX, PTR) should not point to a CNAME record.
In the example given below, "Using the CNAME resource record", the A record binds a hostname to an IP address, while the CNAME record points the commonly used www hostname to it.
server1  IN  A      10.0.1.5
www      IN  CNAME  server1
NS
The Nameserver record announces authoritative nameservers for a particular zone. It takes the following form:
IN NS nameserver-name
The nameserver-name should be a fully qualified domain name (FQDN). Note that when two nameservers are listed as authoritative for the domain, it is not important whether these nameservers are secondary nameservers, or if one of them is a primary server. They are both still considered authoritative.
Using the NS resource record
IN  NS  dns1.example.com.
IN  NS  dns2.example.com.
PTR
The Pointer record points to another part of the namespace. It takes the following form:
last-IP-digit IN PTR FQDN-of-system
The last-IP-digit directive is the last number in an IP address, and the FQDN-of-system is a fully qualified domain name (FQDN). PTR records are primarily used for reverse name resolution, as they point IP addresses back to a particular name.
SOA
The Start of Authority record announces important authoritative information about a namespace to the nameserver. Located after the directives, it is the first resource record in a zone file. It takes the following form:
@ IN SOA primary-name-server hostmaster-email (
    serial-number
    time-to-refresh
    time-to-retry
    time-to-expire
    minimum-TTL )
The directives are as follows:
- The @ symbol places the $ORIGIN directive (or the zone's name if the $ORIGIN directive is not set) as the namespace being defined by this SOA resource record.
- The primary-name-server directive is the hostname of the primary nameserver that is authoritative for this domain.
- The hostmaster-email directive is the email of the person to contact about the namespace.
- The serial-number directive is a numerical value incremented every time the zone file is altered to indicate it is time for the named service to reload the zone.
- The time-to-refresh directive is the numerical value secondary nameservers use to determine how long to wait before asking the primary nameserver if any changes have been made to the zone.
- The time-to-retry directive is a numerical value used by secondary nameservers to determine the length of time to wait before issuing a refresh request in the event that the primary nameserver is not answering. If the primary server has not replied to a refresh request before the amount of time specified in the time-to-expire directive elapses, the secondary servers stop responding as an authority for requests concerning that namespace.
- In BIND 4 and 8, the minimum-TTL directive is the amount of time other nameservers cache the zone's information. In BIND 9, it defines how long negative answers are cached for. Caching of negative answers can be set to a maximum of 3 hours (that is, 3H).
When configuring BIND, all times are specified in seconds. However, it is possible to use abbreviations when specifying units of time other than seconds, such as minutes (M), hours (H), days (D), and weeks (W). The following table, "Seconds compared to other time units", shows an amount of time in seconds and the equivalent time in another format.
Seconds     Other Time Units
60          1M
1800        30M
3600        1H
10800       3H
21600       6H
43200       12H
86400       1D
259200      3D
604800      1W
31536000    365D
Using the SOA resource record
@  IN  SOA  dns1.example.com.  hostmaster.example.com. (
       2001062501  ; serial
       21600       ; refresh after 6 hours
       3600        ; retry after 1 hour
       604800      ; expire after 1 week
       86400 )     ; minimum TTL of 1 day
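To put the directives, time units, SOA fields and CNAME restrictions from the preceding sections to work, here is an added example (written for this courseware page, not code from the courseware itself or from BIND): a small zone-file linter. It parses $ORIGIN and $TTL, converts the M/H/D/W units from the table above, reads the SOA timers, and flags the three CNAME rules from "Common Resource Records". The zone in SAMPLE_ZONE is constructed for the example and deliberately contains one violation of each rule.

```python
"""Lint a BIND zone file against the rules given in the preceding sections.

Added example, not part of the courseware or of BIND: it handles $ORIGIN and
$TTL, expands unqualified owner names, converts BIND time units (M/H/D/W) to
seconds, reads the SOA timers and checks the CNAME restrictions (no CNAME
chains, no other record types at a CNAME owner, no NS/MX/PTR target that is a
CNAME). The zone text below is constructed for the example.
"""
import re

UNIT_SECONDS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 1D
@         IN SOA dns1.example.com. hostmaster.example.com. (
              2016011401 ; serial
              6H         ; refresh
              1H         ; retry
              1W         ; expire
              1D )       ; minimum TTL
          IN NS    dns1.example.com.
          IN NS    dns2.example.com.
dns1      IN A     10.0.1.1
dns2      IN A     10.0.1.2
services  IN A     10.0.1.10
          IN A     10.0.1.11
www       IN CNAME services.example.com.
ftp       IN CNAME www              ; CNAME pointing at a CNAME
mail      IN CNAME services
mail   5M IN A     10.0.1.20        ; another record type at a CNAME owner
@         IN MX 10 mail.example.com.  ; MX pointing at a CNAME
"""


def to_seconds(value):
    """'1800', '30M', '1D' or combined forms such as '1H30M' -> seconds."""
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)([SMHDW])", value.upper())
    if not parts:
        raise ValueError("bad time value: %r" % value)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def qualify(name, origin):
    """Canonical name: '@' is the origin, relative names get the origin appended."""
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else "%s.%s" % (name, origin)


def parse_zone(text, origin=None):
    """Return (records, soa, origin); records are (owner, ttl, type, rdata) tuples."""
    default_ttl, records, soa, last_owner, buf, logical = None, [], None, None, [], []
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()       # ';' starts a comment
        if not line.strip():
            continue
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue                            # SOA continues on the next line
        logical.append((joined.replace("(", " ").replace(")", " "), buf[0][:1].isspace()))
        buf = []
    for line, indented in logical:
        parts = line.split()
        if parts[0] == "$ORIGIN":
            origin = parts[1].rstrip(".")
            continue
        if parts[0] == "$TTL":
            default_ttl = to_seconds(parts[1])
            continue
        if indented:                            # blank owner field: reuse the previous owner
            owner = last_owner
        else:
            owner, parts = parts[0], parts[1:]
        ttl = default_ttl
        if re.fullmatch(r"\d+[SMHDW]?", parts[0], re.I):   # optional per-record TTL
            ttl, parts = to_seconds(parts[0]), parts[1:]
        if parts[0].upper() == "IN":
            parts = parts[1:]
        rtype, rdata = parts[0].upper(), parts[1:]
        if rtype == "SOA":
            soa = dict(zip(("serial", "refresh", "retry", "expire", "minimum"),
                           (to_seconds(v) for v in rdata[2:7])))
        records.append((qualify(owner, origin), ttl, rtype, rdata))
        last_owner = owner
    return records, soa, origin


def lint(text, origin=None):
    """Return a list of rule violations found in the zone text (empty = clean)."""
    records, soa, origin = parse_zone(text, origin)
    problems = [] if soa else ["no SOA record"]
    cnames = {o: qualify(r[0], origin) for o, _, t, r in records if t == "CNAME"}
    for owner, _, rtype, rdata in records:
        if rtype == "CNAME" and cnames[owner] in cnames:
            problems.append("CNAME chain: %s -> %s" % (owner, cnames[owner]))
        if rtype not in ("CNAME", "RRSIG", "NSEC") and owner in cnames:
            problems.append("%s record at CNAME owner %s" % (rtype, owner))
        if rtype in ("NS", "MX", "PTR") and qualify(rdata[-1], origin) in cnames:
            problems.append("%s %s points at CNAME %s" % (owner, rtype, rdata[-1]))
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_ZONE):
        print(problem)
```

Run against SAMPLE_ZONE it reports the ftp chain, the A record at the mail owner and the MX that targets mail; named-checkzone performs the authoritative version of these checks, but the parser shows what the rules mean at the record level, including the blank-owner convention used in the NS and A examples above.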
; This sample zone file illustrates sharing the same IP addresses
; for multiple services:
services  IN  A      10.0.1.10
          IN  A      10.0.1.11
ftp       IN  CNAME  services.example.com.
www       IN  CNAME  services.example.com.
To prevent unauthorized access to the service, named must be configured to listen on the selected port (that is, 953 by default), and an identical key must be used by both the service and the rndc utility.
Relevant files
Path             Description
/etc/named.conf  The default configuration file for the named service.
/etc/rndc.conf   The default configuration file for the rndc utility.
/etc/rndc.key    The default key location.
The rndc configuration is located in /etc/rndc.conf. If the file does not exist, the utility will use the key located in /etc/rndc.key, which was generated automatically during the installation process using the rndc-confgen -a command.
The named service is configured using the controls statement in the /etc/named.conf configuration file. Unless this statement is present, only the connections from the loopback address (that is, 127.0.0.1) are allowed.
This will reload the zones while keeping all previously cached responses, so that you can make changes to the zone files without losing all stored name resolutions.
To reload a single zone, specify its name after the reload command, for example:
~]# rndc reload localhost
zone reload up-to-date
Finally, to reload the configuration file and newly added zones only, type:
~]# rndc reconfig
Modifying zones with dynamic DNS
If you intend to manually modify a zone that uses Dynamic DNS (DDNS), make sure you run the freeze command first:
~]# rndc freeze localhost
Once you are finished, run the thaw command to allow the DDNS again and reload the zone:
~]# rndc thaw localhost
The zone reload and thaw was successful.
Updating Zone Keys
To update the DNSSEC keys and sign the zone, use the sign command. For example:
~]# rndc sign localhost
Note that to sign a zone with the above command, the auto-dnssec option has to be set to maintain in the zone statement. For instance:
zone localhost {
  type master;
  file "named.localhost";
  allow-update { none; };
  auto-dnssec maintain;
};
Enabling the DNSSEC Validation
To enable or disable the DNSSEC validation, type the following at a shell prompt, with on or off as the case may be:
~]# rndc validation on|off
Enabling the Query Logging
To enable or disable (in case it is currently enabled) the query logging, run the following command:
~]# rndc querylog
To check the current setting, use the status command.
Using the dig Utility
The dig utility is a command line tool that allows you to perform DNS lookups and debug a nameserver configuration. Its typical usage is as follows:
dig [@server] [option...] name type
Looking Up a Nameserver
To look up a nameserver for a particular domain, use the command in the following form:
dig name NS
In the example given below, "A sample nameserver lookup", the dig utility is used to display nameservers for example.com.
~]$ dig example.com NS

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> example.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57883
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.            IN      NS

;; ANSWER SECTION:
example.com.    99378   IN      NS      a.iana-servers.net.
example.com.    99378   IN      NS      b.iana-servers.net.

;; Query time: 1 msec
;; SERVER: 10.34.255.7#53(10.34.255.7)
;; WHEN: Wed Aug 18 18:04:06 2010
;; MSG SIZE  rcvd: 77
Looking Up an IP Address
To look up an IP address assigned to a particular domain, use the command in the following form:
dig name A
In the example given below, "A sample IP address lookup", the dig utility is used to display the IP address of example.com.
~]$ dig example.com A

; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4849
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.            IN      A

;; ANSWER SECTION:
example.com.    155606  IN      A       192.0.32.10

;; SERVER: 10.34.255.7#53(10.34.255.7)
SSH (Secure Shell) is a protocol which facilitates secure communications between two systems using a client/server architecture and allows users to log into server host systems remotely. Unlike other remote communication protocols, such as FTP or Telnet, SSH encrypts the login session, rendering the connection difficult for intruders to collect unencrypted passwords.
The ssh program is designed to replace older, less secure terminal applications used to log into remote hosts, such as telnet or rsh. A related program called scp replaces older programs designed to copy files between hosts, such as rcp. Because these older applications do not encrypt passwords transmitted between the client and the server, avoid them whenever possible. Using secure methods to log into remote systems decreases the risks for both the client system and the remote host.
Red Hat Enterprise Linux includes the general OpenSSH package (openssh) as well as the OpenSSH server (openssh-server) and client (openssh-clients) packages. Note, the OpenSSH packages require the OpenSSL package (openssl) which installs several important cryptographic libraries, enabling OpenSSH to provide encrypted communications.
The SSH Protocol
Why Use SSH?
Potential intruders have a variety of tools at their disposal enabling them to disrupt, intercept, and re-route network traffic in an effort to gain access to a system. In general terms, these threats can be categorized as follows:
Interception of communication between two systems
The attacker can be somewhere on the network between the communicating parties, copying any information passed between them. He may intercept and keep the information, or alter the information and send it on to the intended recipient.
This attack is usually performed using a packet sniffer, a rather common network utility that captures each packet flowing through the network, and analyzes its content.
Impersonation of a particular host
The attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host.
This attack can be performed using a technique known as DNS poisoning, or via so-called IP spoofing. In the first case, the intruder uses a cracked DNS server to point client systems to a maliciously duplicated host. In the second case, the intruder sends falsified network packets that appear to be from a trusted host.
Both techniques intercept potentially sensitive information and, if the interception is made for hostile reasons, the results can be disastrous. If SSH is used for remote shell login and file copying, these security threats can be greatly diminished. This is because the SSH client and server use digital signatures to verify their identity. Additionally, all communication between the client and server systems is encrypted. Attempts to spoof the identity of either side of a communication do not work, since each packet is encrypted using a key known only by the local and remote systems.
Main Features
The SSH protocol provides the following safeguards:
Two varieties of SSH currently exist: version 1, and the newer version 2. The OpenSSH suite under Red Hat Enterprise Linux uses SSH version 2, which has an enhanced key exchange algorithm not vulnerable to the known exploit in version 1. However, for compatibility reasons, the OpenSSH suite does support version 1 connections as well.
Avoid using SSH version 1
To ensure maximum security for your connection, it is recommended that only SSH version 2-compatible servers and clients are used whenever possible.
Event Sequence of an SSH Connection
The following series of events help protect the integrity of SSH communication between two hosts.
1. A cryptographic handshake is made so that the client can verify that it is communicating with the correct server.
2. The transport layer of the connection between the client and remote host is encrypted using a symmetric cipher.
3. The client authenticates itself to the server.
4. The remote client interacts with the remote host over the encrypted connection.
Transport Layer
The primary role of the transport layer is to facilitate safe and secure communication between the two hosts at the time of authentication and during subsequent communication. The transport layer accomplishes this by handling the encryption and decryption of data, and by providing integrity protection of data packets as they are sent and received. The transport layer also provides compression, speeding the transfer of information.
Once an SSH client contacts a server, key information is exchanged so that the two systems can correctly construct the transport layer. The following steps occur during this exchange:
- Keys are exchanged
- The public key encryption algorithm is determined
- The symmetric encryption algorithm is determined
- The message authentication algorithm is determined
- The hash algorithm is determined
During the key exchange, the server identifies itself to the client with a unique host key. If the client has never communicated with this particular server before, the server's host key is unknown to the client and it does not connect. OpenSSH gets around this problem by accepting the server's host key. This is done after the user is notified and has both accepted and verified the new host key. In subsequent connections, the server's host key is checked against the saved version on the client, providing confidence that the client is indeed communicating with the intended server. If, in the future, the host key no longer matches, the user must remove the client's saved version before a connection can occur.
Always verify the integrity of a new SSH server
It is possible for an attacker to masquerade as an SSH server during the initial contact since the local system does not know the difference between the intended server and a false one set up by an attacker. To help prevent this, verify the integrity of a new SSH server by contacting the server administrator before connecting for the first time or in the event of a host key mismatch.
SSH is designed to work with almost any kind of public key algorithm or encoding format. After an initial key exchange creates a hash value used for exchanges and a shared secret value, the two systems immediately begin calculating new keys and algorithms to protect authentication and future data sent over the connection.
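The host key check described above, as an added example written for this page (it is not OpenSSH's code): the client looks the server up in ~/.ssh/known_hosts, and the three outcomes are a first contact (the user must verify the fingerprint with the administrator), a match, or a mismatch that must be treated as a possible impersonation. The known_hosts entries, the server names server1/server2.example.com and the two ed25519 key blobs are constructed for the example; the hashed-hostname format and the SHA256 fingerprint format are the ones OpenSSH uses.

```python
"""Host key checking the way an SSH client does it against ~/.ssh/known_hosts.

Added example, not OpenSSH code: it parses known_hosts entries (plain and
hashed "|1|salt|hmac" host fields), compares the host key a server presents
with the stored one and reports a first contact, a match, or a MISMATCH.
The keys are constructed ssh-ed25519 public-key blobs, not real server keys.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """SSH wire encoding: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(point):
    """Build a syntactically valid ssh-ed25519 public key blob from 32 bytes.
    Constructed for the example; real host keys come from ssh-keygen."""
    return ssh_string(b"ssh-ed25519") + ssh_string(point)


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the blob's digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host, salt):
    """Hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def hostname_matches(field, host):
    """Match a known_hosts host field, hashed or a plain comma-separated list."""
    if field.startswith("|1|"):
        salt_b64 = field.split("|")[2]
        return hash_hostname(host, base64.b64decode(salt_b64)) == field
    return host in field.split(",")


def lookup(known_hosts, host):
    """Return the stored key blob for host, or None if the host was never seen."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if hostname_matches(parts[0], host):
            return base64.b64decode(parts[2])
    return None


def verify(known_hosts, host, presented_blob):
    """Return 'new', 'ok' or 'MISMATCH' for the key a server presents."""
    stored = lookup(known_hosts, host)
    if stored is None:
        return "new"                 # first contact: the user must verify the fingerprint
    return "ok" if hmac.compare_digest(stored, presented_blob) else "MISMATCH"


# Constructed sample data: the server's real key and a different (rogue) key.
REAL_KEY = make_ed25519_blob(bytes(range(32)))
ROGUE_KEY = make_ed25519_blob(bytes(32))
SALT = b"\x01" * 20
KNOWN_HOSTS = "\n".join([
    "# entries as ssh records them once the user has accepted a host key",
    "server1.example.com,10.0.1.5 ssh-ed25519 " + base64.b64encode(REAL_KEY).decode(),
    hash_hostname("server2.example.com", SALT) + " ssh-ed25519 "
    + base64.b64encode(REAL_KEY).decode(),
])

if __name__ == "__main__":
    print("server1 real key:", verify(KNOWN_HOSTS, "server1.example.com", REAL_KEY))
    print("server1 rogue key:", verify(KNOWN_HOSTS, "server1.example.com", ROGUE_KEY))
    print("server3 (unknown):", verify(KNOWN_HOSTS, "server3.example.com", REAL_KEY))
    print("fingerprint:", fingerprint(REAL_KEY))
```

A MISMATCH is the condition the warning above refers to: ssh refuses to continue with StrictHostKeyChecking in force, and the stored line should only be replaced after the administrator has confirmed that the server's key really changed. The fingerprint function produces the same value ssh-keygen -l prints for a key, which is what the administrator is asked to confirm on first contact.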
After a certain amount of data has been transmitted using a given key and algorithm (the exact amount depends on the SSH implementation), another key exchange occurs, generating another set of hash values and a new shared secret value. Even if an attacker is able to determine the hash and shared secret value, this information is only useful for a limited period of time.
Authentication
Once the transport layer has constructed a secure tunnel to pass information between the two systems, the server tells the client the different authentication methods supported, such as using a private key-encoded signature or typing a password. The client then tries to authenticate itself to the server using one of these supported methods.
SSH servers and clients can be configured to allow different types of authentication, which gives each side the optimal amount of control. The server can decide which encryption methods it supports based on its security model, and the client can choose the order of authentication methods to attempt from the available options.
Channels
After a successful authentication over the SSH transport layer, multiple channels are opened via a technique called multiplexing[3]. Each of these channels handles communication for different terminal sessions and for forwarded sessions.
Both clients and servers can create a new channel. Each channel is then assigned a different number on each end of the connection. When the client attempts to open a new channel, the client sends the channel number along with the request. This information is stored by the server and is used to direct communication to that channel. This is done so that different types of sessions do not affect one another and so that when a given session ends, its channel can be closed without disrupting the primary SSH connection.
[3] https://access.redhat.com/knowledge/docs/en-us/red_hat_enterprise_linux/6/html/deployment_guide/ch-openssh.html#ftn.id2844922
Configuring OpenSSH
There are two different sets of configuration files: those for client programs (that is, ssh, scp, and sftp), and those for the server (the sshd daemon).
System-wide SSH configuration information is stored in the /etc/ssh/ directory as described in the table below, "System-wide configuration files". User-specific SSH configuration information is stored in ~/.ssh/ within the user's home directory as described in the following table, "User-specific configuration files".
System-wide configuration files

File                            Description
/etc/ssh/ssh_host_dsa_key       The DSA private key used by the sshd daemon.
/etc/ssh/ssh_host_dsa_key.pub   The DSA public key used by the sshd daemon.
/etc/ssh/ssh_host_key           The RSA private key used by the sshd daemon for version 1 of the SSH protocol.
/etc/ssh/ssh_host_key.pub       The RSA public key used by the sshd daemon for version 1 of the SSH protocol.
/etc/ssh/ssh_host_rsa_key       The RSA private key used by the sshd daemon for version 2 of the SSH protocol.
/etc/ssh/ssh_host_rsa_key.pub   The RSA public key used by the sshd daemon for version 2 of the SSH protocol.
User-specific configuration files

File                     Description
~/.ssh/authorized_keys   Holds the list of public keys permitted to log in to this account. When a client connects, the server authenticates it by verifying a signature made with the private key matching one of the public keys stored in this file.
~/.ssh/id_dsa            Contains the DSA private key of the user.
~/.ssh/id_dsa.pub        The DSA public key of the user.
~/.ssh/id_rsa            The RSA private key used by ssh for version 2 of the SSH protocol.
~/.ssh/id_rsa.pub        The RSA public key used by ssh for version 2 of the SSH protocol.
~/.ssh/identity          The RSA private key used by ssh for version 1 of the SSH protocol.
~/.ssh/identity.pub      The RSA public key used by ssh for version 1 of the SSH protocol.
~/.ssh/known_hosts       Contains the host keys of the SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting to the correct SSH server.
Starting an OpenSSH Server
In order to run an OpenSSH server, you must have the openssh-server and
openssh packages installed.
To start the sshd daemon, type the following at a shell prompt:
~]# service sshd start
To stop the running sshd daemon, use the following command:
~]# service sshd stop
If you want the daemon to start automatically at boot time, type:
~]# chkconfig sshd on
Note that if you reinstall the system, a new set of host identification
keys will be created in /etc/ssh/. As a result, clients who had connected
to the system with any of the OpenSSH tools before the reinstall will see
the following message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle
attack)!
It is also possible that the RSA host key has just been changed.
To avoid this, back up the ssh_host_* files in /etc/ssh/ before
reinstalling and restore them afterwards. If the keys do change, publish
the new fingerprint (ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub)
through a trusted channel so that users can check it before accepting the
new key.
Requiring SSH for Remote Connections
For SSH to be truly effective, using insecure connection protocols should
be prohibited. Otherwise, a user's password may be protected using SSH
for one session, only to be captured later while logging in using Telnet.
Some services to disable include telnet, rsh, rlogin, and vsftpd.
To disable these services, type the following commands at a shell
prompt:
~]# chkconfig telnet off
~]# chkconfig rsh off
~]# chkconfig rlogin off
~]# chkconfig vsftpd off

Using a Key-Based Authentication
To improve the system security even further, you can enforce key-based
authentication by disabling the standard password authentication. To do
so, open the /etc/ssh/sshd_config configuration file in a text editor
such as vi or nano, and change the PasswordAuthentication option as
follows:
PasswordAuthentication no
Install and test your own public key first (see the steps below), then
reload the daemon with service sshd reload so that the change takes
effect. Keep the session you edited from open until a key-based login
from a second session succeeds; otherwise a mistake locks you out.
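The following script is an added example, not part of the courseware or of OpenSSH itself. It checks and enforces the setting above on a constructed sample sshd_config written to a temporary file, so it can be run without touching a real server. The point it makes that the text alone does not is that sshd uses the first value it reads for a keyword, so a hardening line appended at the end of the file is silently ignored when an earlier line already sets the option. The function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not from the courseware or OpenSSH): audit and enforce
# sshd_config settings. sshd uses the FIRST value it reads for a keyword
# (sshd_config(5)), so appending "PasswordAuthentication no" to a file that
# already says "PasswordAuthentication yes" changes nothing.
# Match blocks are not understood here; on the real server "sshd -T" prints
# the effective configuration and handles them.

# Effective value of a keyword: first active (uncommented) occurrence,
# matched case-insensitively as sshd does; $3 is returned when absent.
sshd_effective() {
    awk -v kw="$2" -v def="$3" '
        BEGIN { kw = tolower(kw) }
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == kw { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Set a keyword: rewrite the first active occurrence in place, drop any
# later duplicates, and append only when no active line exists.
sshd_set() {
    tmp="$1.tmp.$$"
    awk -v kw="$2" -v val="$3" '
        BEGIN { lkw = tolower(kw) }
        !/^[[:space:]]*#/ && tolower($1) == lkw {
            if (!done) print kw " " val
            done = 1; next
        }
        { print }
        END { if (!done) print kw " " val }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Require explicit hardened values; an absent keyword is reported as
# "unset" rather than trusting the compiled-in default (both
# PasswordAuthentication and PermitRootLogin default to yes on this
# OpenSSH generation).
sshd_audit() {
    rc=0
    while read -r kw want; do
        have=$(sshd_effective "$1" "$kw" unset)
        if [ "$have" = "$want" ]; then
            printf 'OK   %-24s %s\n' "$kw" "$have"
        else
            printf 'FAIL %-24s %s (want %s)\n' "$kw" "$have" "$want"
            rc=1
        fi
    done <<EOF
Protocol 2
PasswordAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
EOF
    return $rc
}

# Constructed sample sshd_config (not a real server's file) in a temp file.
SAMPLE_SSHD_CONFIG=$(mktemp)
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
Port 22
Protocol 2
PasswordAuthentication yes
PermitRootLogin yes
# Appended later in the belief that it would take effect. It does not:
PasswordAuthentication no
EOF

echo "--- before ---"
sshd_audit "$SAMPLE_SSHD_CONFIG" || true
sshd_set "$SAMPLE_SSHD_CONFIG" PasswordAuthentication no
sshd_set "$SAMPLE_SSHD_CONFIG" PermitRootLogin no
sshd_set "$SAMPLE_SSHD_CONFIG" PermitEmptyPasswords no
echo "--- after ---"
sshd_audit "$SAMPLE_SSHD_CONFIG"

# On the real server: check the syntax, then reload (existing sessions
# survive) and confirm a key-based login from a second terminal before
# closing the session you edited from:
#   sshd -t && service sshd reload
```

The "before" audit reports PasswordAuthentication as yes even though the file ends with "PasswordAuthentication no"; after sshd_set rewrites the first occurrence and drops the duplicate, all four checks pass. The sample file is left in place under the path in SAMPLE_SSHD_CONFIG; remove it when done.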
To be able to use ssh, scp, or sftp to connect to the server from a client
machine, generate a key pair for authentication by following the steps
below. Note that keys must be generated for each user separately.
Red Hat Enterprise Linux 6 uses SSH Protocol 2 and RSA keys by default.
Do not generate key pairs as root
If you complete the steps as root, only root will be able to use the keys.
Backup your ~/.ssh/ directory
If you reinstall your system and want to keep a previously generated key
pair, back up the ~/.ssh/ directory. After reinstalling, copy it back to
your home directory. This process can be done for all users on your
system, including root.
Generating Key Pairs
To generate an RSA key pair for version 2 of the SSH protocol, follow
these steps:
1. Generate an RSA key pair by typing the following at a shell prompt:
~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa):
2. Press Enter to confirm the default location (that is, ~/.ssh/id_rsa)
for the newly created key.
3. Enter a passphrase, and confirm it by entering it again when
prompted to do so. For security reasons, avoid using the same
password as you use to log in to your account.
After this, you will be presented with a message similar to this:
Your identification has been saved in /home/john/.ssh/id_rsa.
Your public key has been saved in /home/john/.ssh/id_rsa.pub.
The key fingerprint is:
[fingerprint and randomart image]
4. Change the permissions of the ~/.ssh/ directory:
~]$ chmod 700 ~/.ssh
5. Copy the content of ~/.ssh/id_rsa.pub into ~/.ssh/authorized_keys on
the machine to which you want to connect, appending it to the end of
the file if it already exists.
6. Change the permissions of the ~/.ssh/authorized_keys file using
the following command:
~]$ chmod 600 ~/.ssh/authorized_keys
sshd (with StrictModes, the default) refuses to use ~/.ssh or
authorized_keys if they are group- or world-writable, so the permission
steps are not optional.

To generate a DSA key pair for version 2 of the SSH protocol, follow
these steps (note that OpenSSH 7.0 and later disable DSA keys by default,
so prefer RSA on newer systems):
1. Generate a DSA key pair by typing the following at a shell prompt:
~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_dsa):
2. Press Enter to confirm the default location (that is, ~/.ssh/id_dsa)
for the newly created key.
3. Enter a passphrase, and confirm it by entering it again when
prompted to do so. For security reasons, avoid using the same
password as you use to log in to your account.
After this, you will be presented with a message similar to this:
Your identification has been saved in /home/john/.ssh/id_dsa.
Your public key has been saved in /home/john/.ssh/id_dsa.pub.
The key fingerprint is:
[fingerprint and randomart image]
4. Change the permissions of the ~/.ssh/ directory:
~]$ chmod 700 ~/.ssh
5. Copy the content of ~/.ssh/id_dsa.pub into ~/.ssh/authorized_keys on
the machine to which you want to connect, appending it to the end of
the file if it already exists.
6. Change the permissions of the ~/.ssh/authorized_keys file using
the following command:
~]$ chmod 600 ~/.ssh/authorized_keys

To generate an RSA key pair for version 1 of the SSH protocol, follow
these steps. Protocol version 1 has known cryptographic weaknesses and is
not enabled on a default installation (Protocol 2 in /etc/ssh/sshd_config);
the steps are given for completeness only.
1. Generate an RSA key pair by typing the following at a shell prompt:
~]$ ssh-keygen -t rsa1
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/john/.ssh/identity):
2. Press Enter to confirm the default location (that is,
~/.ssh/identity) for the newly created key.
3. Enter a passphrase, and confirm it by entering it again when
prompted to do so. For security reasons, avoid using the same
password as you use to log into your account.
After this, you will be presented with a message similar to this:
Your identification has been saved in /home/john/.ssh/identity.
Your public key has been saved in /home/john/.ssh/identity.pub.
The key fingerprint is:
[fingerprint and randomart image]
4. Change the permissions of the ~/.ssh/ directory:
~]$ chmod 700 ~/.ssh
5. Copy the content of ~/.ssh/identity.pub into ~/.ssh/authorized_keys
on the machine to which you want to connect, appending it to the end
of the file if it already exists.
6. Change the permissions of the ~/.ssh/authorized_keys file using
the following command:
~]$ chmod 600 ~/.ssh/authorized_keys
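Steps 4 to 6 above are usually repeated by hand on every server; the script below is an added example (not the courseware's own material and not an OpenSSH tool) that performs them idempotently and then checks what sshd's StrictModes check would check. It runs against a throwaway home directory created with mktemp -d; the public key line is constructed for the demonstration and its base64 blob is not a real key. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the courseware or OpenSSH): install a public key
# into ~/.ssh/authorized_keys as steps 4-6 above describe, but idempotently
# and with the permission rules that sshd's StrictModes (on by default)
# enforces: nothing on the path may be group- or world-writable.

# Sanity-check an OpenSSH public key line "<type> <base64-blob> [comment]".
pubkey_valid() {
    set -f; set -- $1; set +f          # split fields, no globbing
    case "$1" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ -n "$2" ] || return 1
    printf '%s' "$2" | base64 -d >/dev/null 2>&1   # blob must decode
}

# Append the key to $1/.ssh/authorized_keys unless its blob is already
# there (the comment is ignored, so re-running never creates duplicates).
install_authorized_key() {
    home="$1"; key="$2"
    pubkey_valid "$key" || { echo "refusing malformed key" >&2; return 1; }
    dir="$home/.ssh"; file="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    set -f; set -- $key; set +f
    if grep -qF -- "$2" "$file"; then
        echo "key already present in $file"
        return 0
    fi
    printf '%s\n' "$key" >> "$file"
    echo "key installed in $file"
}

# What sshd checks before honouring authorized_keys with StrictModes yes:
# the home directory, ~/.ssh and the file itself must exist and must not be
# writable by group or others.
strict_modes_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
        if [ -n "$(find "$p" -prune \( -perm -g+w -o -perm -o+w \))" ]; then
            echo "group/world writable: $p" >&2
            return 1
        fi
    done
    return 0
}

# Demo on a throwaway home directory. The blob is arbitrary valid base64
# constructed for this example, not a real key.
DEMO_HOME=$(mktemp -d)
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDSAMPLEKEYCONSTRUCTEDFORDEMOONLY00 john@workstation'

install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"
install_authorized_key "$DEMO_HOME" "$SAMPLE_PUBKEY"      # second run: no duplicate
install_authorized_key "$DEMO_HOME" 'ssh-rsa @@@@ bogus' || echo "malformed key rejected"
strict_modes_ok "$DEMO_HOME" && echo "permissions acceptable for StrictModes"
```

Matching on the blob rather than the whole line is what makes the function safe to re-run from configuration management: a key re-sent with a different comment, or with options such as from="..." in front of it, is still recognised as already installed. The demo directory is left under DEMO_HOME; remove it when done.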
Never share your private key
The private key is for your personal use only, and it is important that you
never give it to anyone.
Configuring ssh-agent
To store your passphrase so that you do not have to enter it each time
you initiate a connection with a remote machine, you can use the ssh-agent
authentication agent. If you are running GNOME, you can configure it to
prompt you for your passphrase whenever you log in and remember it
during the whole session. Otherwise you can store the passphrase for a
certain shell prompt.
To save your passphrase during your GNOME session, follow these steps:
1. Make sure you have the openssh-askpass package installed.
2. Select System → Preferences → Startup Applications from the
panel. The Startup Applications Preferences will be started, and
the tab containing a list of available startup programs will be
shown by default.
[Figure: Startup Applications Preferences]
3. Click the Add button on the right, and enter /usr/bin/ssh-add in the Command field.
[Figure: Adding new application]
4. Click Add and make sure the checkbox next to the newly added item is selected.
[Figure: Enabling the application]
5. Log out and then log back in. A dialog box will appear prompting
you for your passphrase. From this point on, you should not be
prompted for a password by ssh, scp, or sftp.
[Figure: Entering a passphrase]
To save your passphrase for a certain shell prompt, use the following
command:
~]$ ssh-add
Enter passphrase for /home/john/.ssh/id_rsa:
Note that when you log out, your passphrase will be forgotten. You must
execute the command each time you log in to a virtual console or a
terminal window. If no agent is running in that shell (SSH_AUTH_SOCK is
unset), start one first with eval $(ssh-agent) and then run ssh-add;
ssh-add -l lists the keys currently loaded.
OpenSSH Clients
To connect to an OpenSSH server from a client machine, you must have
the openssh-clients and openssh packages installed.
Using the ssh Utility
The ssh utility allows you to log in to a remote machine and execute
commands there. It is a secure replacement for the rlogin, rsh, and
telnet programs.
Similarly to telnet, to log in to a remote machine, use a command in the
following form:
ssh hostname
For example, to log in to a remote machine named penguin.example.com,
type the following at a shell prompt:
~]$ ssh penguin.example.com
This will log you in with the same username you are using on the local
machine. If you want to specify a different one, use a command in the
following form:
ssh username@hostname
For example, to log in to penguin.example.com as john, type:
~]$ ssh john@penguin.example.com
The first time you initiate a connection, you will be presented with a
message similar to this:
The authenticity of host 'penguin.example.com' can't be established.
RSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:...
Compare this fingerprint with the one the server's administrator has
published before answering yes; once accepted, the host key is stored in
~/.ssh/known_hosts and checked on every later connection.
If the SSH server's host key changes, the client notifies the user that the
connection cannot proceed until the server's host key is deleted from the
~/.ssh/known_hosts file. To do so, open the file in a text editor, and
remove the line that begins with the remote machine's name (ssh-keygen -R
hostname removes it for you). Before doing this, however, contact the
system administrator of the SSH server to verify that the server is not
compromised.
After entering the password, you will be provided with a shell prompt for
the remote machine.
Alternatively, the ssh program can be used to execute a command on the
remote machine without logging in to a shell prompt:
ssh [username@]hostname command
For example, the /etc/redhat-release file provides information about the
Red Hat Enterprise Linux version. To view the contents of this file on
penguin.example.com, type:
~]$ ssh john@penguin.example.com cat /etc/redhat-release
john@penguin.example.com's password:
Red Hat Enterprise Linux Server release 6.2 (Santiago)
After you enter the correct password, the output of the command is
displayed, and you return to your local shell prompt.
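Both the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning in the server section and the host-key check described here come down to comparing a fingerprint with one obtained out of band. The script below is an added example, not the courseware's own material and not an OpenSSH tool: it recomputes the MD5 fingerprint of a key as recorded in ~/.ssh/known_hosts (on Red Hat Enterprise Linux 6 that is the format ssh and ssh-keygen -l print: MD5 over the base64-decoded blob as colon-separated hex pairs), compares it with the expected value, and only then removes the stale line. The known_hosts file, the hostnames, the 192.0.2.10 address and the base64 blobs are all constructed for the demonstration; the blobs are not real keys.

```shell
#!/bin/sh
# Added example (not from the courseware or OpenSSH): check the host key
# recorded in ~/.ssh/known_hosts against the fingerprint the server's
# administrator publishes, before deleting the line by hand as the text
# above describes. On RHEL 6 the fingerprint ssh prints is MD5 over the
# base64-decoded key blob, shown as colon-separated hex pairs, which is
# what ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub prints on the server.

# MD5 fingerprint of one base64 key blob; fails on an undecodable blob.
fingerprint_md5() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    printf '%s' "$1" | base64 -d | md5sum | cut -d ' ' -f 1 \
        | sed 's/../&:/g; s/:$//'
}

# "host keytype fingerprint" for every plain entry naming the host. Hashed
# entries ("|1|salt|hash ...") cannot be matched by name without the salt;
# use ssh-keygen -F for those.
known_host_fingerprints() {
    awk -v host="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        index($1, "|1|") == 1 { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print host, $2, $3; break }
        }
    ' "$1" | while read -r h t blob; do
        printf '%s %s %s\n' "$h" "$t" "$(fingerprint_md5 "$blob")"
    done
}

# 0 when some recorded key for the host has the expected fingerprint.
known_host_matches() {
    known_host_fingerprints "$1" "$2" \
        | awk -v want="$3" '$3 == want { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Drop every plain entry for the host (the manual edit described above;
# ssh-keygen -R does the same and also handles hashed entries).
known_host_remove() {
    tmp="$1.tmp.$$"
    awk -v host="$2" '
        {
            n = split($1, names, ","); keep = 1
            for (i = 1; i <= n; i++) if (names[i] == host) keep = 0
            if (keep) print
        }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed known_hosts with two hosts; the blobs are arbitrary valid
# base64, not real keys, and 192.0.2.10 is a documentation address.
KNOWN_HOSTS=$(mktemp)
cat > "$KNOWN_HOSTS" <<'EOF'
penguin.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDKNOWNHOSTDEMOBLOBCONSTRUCTED00000
otherhost.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQANOTHERCONSTRUCTEDBLOBFORTHISDEMO0
EOF

echo "recorded for penguin.example.com:"
known_host_fingerprints "$KNOWN_HOSTS" penguin.example.com

# In practice EXPECTED comes from the administrator over a trusted channel;
# here it is derived from the same constructed blob to show a match.
EXPECTED=$(fingerprint_md5 AAAAB3NzaC1yc2EAAAADAQABAAAAQQDKNOWNHOSTDEMOBLOBCONSTRUCTED00000)
if known_host_matches "$KNOWN_HOSTS" penguin.example.com "$EXPECTED"; then
    echo "known_hosts entry matches the published fingerprint"
fi
if ! known_host_matches "$KNOWN_HOSTS" penguin.example.com \
        00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff; then
    echo "mismatch: keep the old entry and ask the administrator first"
fi

# Only after the change is confirmed legitimate: remove the stale entry so
# the new key is recorded on the next connection.
known_host_remove "$KNOWN_HOSTS" penguin.example.com
```

On OpenSSH 6.8 and later the default fingerprint display is SHA256 in base64; ssh-keygen -l -E md5 prints the older MD5 form that this script computes, so the two sides of the comparison must use the same format. The sample file is left under the path in KNOWN_HOSTS; remove it when done.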
Using the scp Utility
scp can be used to transfer files between machines over a secure,
encrypted connection. In its design, it is very similar to rcp.
To transfer a local file to a remote system, use a command in the
following form:
scp localfile username@hostname:remotefile
For example, if you want to transfer taglist.vim to a remote machine named
penguin.example.com, type the following at a shell prompt:
~]$ scp taglist.vim john@penguin.example.com:.vim/plugin/taglist.vim

Using the sftp Utility
The sftp utility opens an interactive file-transfer session over the SSH
connection. To connect to a remote system, use a command in the
following form:
sftp username@hostname
For example:
~]$ sftp john@penguin.example.com
john@penguin.example.com's password:
Connected to penguin.example.com.
sftp>
After you enter the correct password, you will be presented with a
prompt. The sftp utility accepts a set of commands similar to those used
by ftp.

A selection of available sftp commands
Command                      Description
ls [directory]               List the content of a remote directory. If none is supplied, the current working directory is used by default.
cd directory                 Change the remote working directory to directory.
mkdir directory              Create a remote directory.
rmdir path                   Remove a remote directory.
put localfile [remotefile]   Transfer localfile to the remote machine.
get remotefile [localfile]   Transfer remotefile from the remote machine.