
Source: smdp2vlsi.gov.in/smdp2vlsi/downloads/sysadminlinux.pdf


Linux System Administration

Presenter : Raj Singh

IC Design Group, CEERI, Pilani – 333 031

Phone : 01596-242359

Fax : 01596-242294

Email : [email protected]

Linux System Administration Introduction

What is System Administration ?

System administration is the management of a mix of activities.

Installation of operating system(s) and software packages, updating operating system(s), maintaining running systems and peripherals, user account management, monitoring systems, performance tuning, securing data/system/network, backups, answering user questions, network services, adding new systems and software packages, malware detection and removal, automating tasks, programming, fault detection, trouble-shooting, UPS management, respecting confidentiality, constant vigilance, etc.

Ability to switch tasks, optimize resources and service users. These are also the characteristics of operating systems!

System administration is like keeping trains on time. No one notices when the trains run on time; everyone complains when they are late. It is a thankless job.

© CEERI, Pilani IC Design Group 1


Some Observations

• Ethical behaviour.

• Policies and guidelines.

• Frustrating and challenging.

• Balance between authority/responsibility vs. service/cooperation.

• Pro-actively solve issues before they become problems.

• Record keeping, labeling, and documentation is a necessity.

• Expert/power user. Familiarity with most system commands, scripting and programming.

• Knowledge of hardware, software, communications, networking, security, electrical ground/neutral, . . .

• Many non-technical aspects, e.g. rearranging furniture, playing “detective,” interfacing with finance/purchase, . . .


Linux System Administration Basic Strategies

System Administration Basic Strategies

• Plan. Think it through.

• Changes should be reversible. Archive/copy configuration files elsewhere before editing them, so the previous state can be restored.

• Incremental change.

• Test changes before implementation.

• Document (critical steps/commands/decisions with dates). Attention to detail.

• Continuous technical knowledge update.

• Regular activity/tasks schedule : daily, weekly, monthly, and yearly routine.

• Automate as many tasks as possible.


Linux System Administration Pre-Installation Steps

Pre-Installation Steps

• What is the usage profile of the system ?

e.g. web server, mail server, DNS/name server, print server, desktop, programming system, development system, backup server, NFS server, FTP server, . . .

• CPU type, main memory size (typically now, 1 GB or more), USB ports, serial/parallel ports, mouse type, . . .

• Decide on disk partitions, their sizes and partitioning strategy. Typically now, disk size of 20-180 GB.

/, /boot, /home, swap, /usr, /var, ...


• Know details about networking and LAN environment.

IP number / DHCP, hostname, MAC / network adapter card, gateway / router, name servers, IPv4 / IPv6, . . .

• Know details about Graphics card, Graphics memory, Monitor type, . . .

• Names of the users and their login names; the root password.

• Timezone, date and time.


Linux System Administration Sys Admin Tasks

System Administration Tasks

GUI vs. Command-line discussion. Necessity of being familiar with vi or vim.

1. Security, firewall, networking : /etc/hosts, /etc/host.conf, TCP wrapper files (hosts.allow, hosts.deny), OpenSSH files, /etc/sysconfig/iptables, SELinux, . . .

2. Information/messages logging. /etc/syslog.conf. Creating files in /var/log/.

3. Log file rotation : /etc/logrotate.conf, /etc/logrotate.d/.

4. Cron file : /etc/crontab.

5. Configuring DNS/BIND : /etc/named.conf, /etc/resolv.conf, /var/named/.

6. Configuring mail system : sendmail. /etc/mail/, /etc/aliases. Also, .procmailrc, spamassassin, alpine/pine, mutt, . . .


7. Creating user accounts : /etc/passwd, /etc/group, /etc/skel/.

8. Disk quota setting : edquota, repquota.

9. Disabling/enabling services : named, kudzu, ... : using chkconfig.

10. Kernel modules : /etc/modprobe.conf.

11. Web server : /etc/httpd/.

12. FTP server : /etc/vsftpd/

13. System information messages to users : /etc/issue, /etc/issue.net, /etc/motd, /etc/lom.

14. Add other “external” packages e.g. OpenOffice, Acrobat Reader, ClamAV.

15. Remove some unwanted packages : wvdial, rp-pppoe, . . .

16. Adding peripherals : (printers, /etc/cups/).


/etc/hosts

    ## Updated April, 2004 by I. M. Root.
    127.0.0.1     localhost localhost.localdomain
    ## LAN/WAN Facility Systems
    202.41.xxx.x  ernet-router router-ernet router1   # (Net Devata, Cisco, 20xx)
    ## Internal LAN
    192.168.1.1   my-pix                              # (Lan Shashtri, Cisco, 21xx)
    ...
    ## VLSI Lab (SMDP-II)
    192.168.6.1   switch-smdp2 smdp2-switch           # (Lab Engg, Cisco, 26xx)
    192.168.6.11  smdp-server1                        # Opteron
    ...
    192.168.6.21  smdp-pc1                            # Intel
    ...
    192.168.6.41  smdp-hplj                           # HP-LJ Printer


/etc/host.conf

    order hosts,bind
    multi on
    nospoof on
    spoofalert on

On glibc systems the lookup order that actually applies is the hosts: line in /etc/nsswitch.conf (listed later among the files to check); keep the two consistent.

/etc/hosts.allow

    # One needs to edit and tailor this file -- Raj Singh, October, 2008
    ALL: smdp-server1,smdp-server2,smdp-server3,smdp-pc1,smdp-pc2
    httpd: ALL
    vsftpd: 192.168.6.0/255.255.255.0
    sendmail: 192.168.6., localhost

/etc/hosts.deny

    ALL: ALL

hosts.allow is consulted first and the first matching line wins; with ALL: ALL in hosts.deny, anything not explicitly allowed is refused. The first allow line grants every wrapped service to five hosts identified by name, so it relies on the reverse DNS of the connecting address resolving to one of those names. Only daemons linked against libwrap, or started through tcpd/xinetd, honour these files; Apache httpd is not, so the httpd: ALL line has no effect on the web server.
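To see what the three files above actually decide for a given connection, here is an added example (not part of the original slides) that implements the tcpd lookup order in Python: hosts.allow is searched first and the first match grants access, then hosts.deny is searched and the first match refuses it, and a connection matching neither file is allowed. The rule text is the slides' own; the client names and addresses fed to it are constructed.

```python
"""Evaluate TCP wrappers (hosts.allow / hosts.deny) decisions.

Added example for the hosts.allow / hosts.deny slides; not code from the
original deck.  Pattern forms handled are the ones the slides use: ALL,
a host name, a trailing-dot address prefix (192.168.6.), net/mask
(192.168.6.0/255.255.255.0) and a leading-dot domain suffix (.xyz.ac.in).
"""
import ipaddress

# The slides' own rules (whitespace normalised, "..." lines dropped).
HOSTS_ALLOW = """\
# One needs to edit and tailor this file -- Raj Singh, October, 2008
ALL: smdp-server1,smdp-server2,smdp-server3,smdp-pc1,smdp-pc2
httpd: ALL
vsftpd: 192.168.6.0/255.255.255.0
sendmail: 192.168.6., localhost
"""

HOSTS_DENY = "ALL: ALL\n"


def _split(field):
    """Split a daemon or client list on commas and/or blanks."""
    return [tok for tok in field.replace(",", " ").split() if tok]


def parse_rules(text):
    """Return [(daemon_list, client_list)], skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((_split(daemons), _split(clients)))
    return rules


def client_matches(pattern, hostname, ip):
    """Match one client pattern against the connecting host (name and address)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):            # .xyz.ac.in -> domain suffix of the name
        return hostname.endswith(pattern)
    if pattern.endswith("."):              # 192.168.6. -> address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                     # net/mask
        net, mask = pattern.split("/", 1)
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        return ipaddress.IPv4Address(ip) in network
    return pattern in (hostname, ip)       # exact host name or address


def decide(daemon, hostname, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny' for a connection to `daemon` from hostname/ip.

    hostname is the reverse-DNS name of the client, or "" if it has none."""
    for rules, verdict in ((parse_rules(allow), "allow"),
                           (parse_rules(deny), "deny")):
        for daemons, clients in rules:
            if ("ALL" in daemons or daemon in daemons) and any(
                    client_matches(c, hostname, ip) for c in clients):
                return verdict
    return "allow"   # matched neither file: tcpd's default is to grant access


if __name__ == "__main__":
    # Constructed clients: a lab PC, an unnamed lab address, an outside host.
    for args in (("sshd", "smdp-pc1", "192.168.6.21"),
                 ("sshd", "", "192.168.6.99"),
                 ("vsftpd", "", "192.168.6.99"),
                 ("httpd", "", "203.0.113.9")):
        print(args, "->", decide(*args))
```

Two results worth noticing: an address in the lab subnet with no reverse name gets sshd refused, because the first allow line lists host names rather than addresses, while vsftpd from the same address is allowed by its net/mask entry; and the trailing-dot prefix 192.168.6. does not match 192.168.60.1, because the dot is part of the match.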


/etc/sysconfig/network

    HOSTNAME=smdp-pc1.xyz.ac.in
    GATEWAY=192.168.1.1
    NETWORKING=yes
    NETWORKING_IPV6=no

/etc/sysconfig/network-scripts/ifcfg-eth0

    DEVICE=eth0
    BOOTPROTO=static
    HWADDR=00:08:A2:7D:7C:42
    IPADDR=192.168.6.21
    NETMASK=255.255.0.0
    NETWORK=192.168.0.0
    BROADCAST=192.168.255.255
    ONBOOT=yes
    TYPE=Ethernet
    IPV6INIT=no


/etc/sysconfig/iptables

    # Generated by iptables-save v1.2.11 on ...
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [10516:3329244]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --sport 135:139 -j DROP
    -A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --sport 135:139 -j DROP
    ...
    -A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 22 -j DROP
    -A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 -i eth0 -p udp -m udp --sport 22 -j DROP
    ...
    -A RH-Firewall-1-INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
    -A RH-Firewall-1-INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
    -A RH-Firewall-1-INPUT -s 24.208.0.0/255.252.0.0 -i eth0 -j DROP
    ...
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    COMMIT
    # Completed on ...

Two things to check in a ruleset like this. First, the INPUT and FORWARD policies are ACCEPT and the RH-Firewall-1-INPUT chain ends with an ACCEPT rather than a DROP, so anything not caught by an explicit DROP gets in: this is a default-allow firewall. Second, the rules meant to keep SSH and NetBIOS traffic out match --sport, the remote side's source port. An inbound SSH connection has destination port 22 and an arbitrary source port, so these rules do not restrict it; the service port belongs in --dport. The "-s ! net" spelling is the old negation syntax; current iptables writes "! -s net".
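As an added example (not from the original slides), the following Python audit reads an iptables-save dump, reports ACCEPT default policies, flags DROP rules keyed on --sport, and rewrites such a rule in current syntax with the port moved to --dport. The dump it checks is the slide's own with the elided "..." lines removed; the rewrite assumes the port-22 rules were meant to block SSH connections from outside the lab subnet.

```python
"""Audit an iptables-save dump for default-allow policies and --sport DROP rules.

Added example for the /etc/sysconfig/iptables slide; not code from the
original deck.  Works on iptables-save text only; nothing here needs root
or a running kernel firewall.
"""

# The slide's own dump, minus the "..." elisions.
IPTABLES_SAVE = """\
# Generated by iptables-save v1.2.11 on ...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10516:3329244]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --sport 135:139 -j DROP
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --sport 135:139 -j DROP
-A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 22 -j DROP
-A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 -i eth0 -p udp -m udp --sport 22 -j DROP
-A RH-Firewall-1-INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A RH-Firewall-1-INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A RH-Firewall-1-INPUT -s 24.208.0.0/255.252.0.0 -i eth0 -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT
# Completed on ...
"""


def parse_iptables_save(text):
    """Return ({chain: policy}, [rule token lists]); user chains have policy '-'."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                       # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line.split())
    return policies, rules


def _option(tokens, flag):
    """Value that follows `flag` in a rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit(text):
    """Return a list of human-readable findings for the dump."""
    policies, rules = parse_iptables_save(text)
    findings = []
    for chain, policy in policies.items():
        if policy == "ACCEPT":
            findings.append(f"{chain}: default policy ACCEPT; traffic not matched "
                            "by an explicit DROP is allowed")
    for tokens in rules:
        chain, target = _option(tokens, "-A"), _option(tokens, "-j")
        sport = _option(tokens, "--sport")
        # A DROP keyed only on the peer's source port does not protect a service.
        if target == "DROP" and sport and "--dport" not in tokens:
            findings.append(f"{chain}: DROP keyed on --sport {sport} matches the "
                            f"peer's source port, not the local service; use "
                            f"--dport {sport}")
    return findings


def fix_rule(rule):
    """Rewrite one -A line: service port on --dport, negation as '! -s net'."""
    tokens = ["--dport" if t == "--sport" else t for t in rule.split()]
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] in ("-s", "-d") and i + 2 < len(tokens) and tokens[i + 1] == "!":
            out += ["!", tokens[i], tokens[i + 2]]     # "-s ! net" -> "! -s net"
            i += 3
        else:
            out.append(tokens[i])
            i += 1
    return " ".join(out)


if __name__ == "__main__":
    for finding in audit(IPTABLES_SAVE):
        print(finding)
    print(fix_rule("-A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 "
                   "-i eth0 -p tcp -m tcp --sport 22 -j DROP"))
```

Run against the slide's dump, audit() reports three ACCEPT policies and four --sport rules. A dump whose INPUT policy is DROP with explicit --dport ACCEPT rules produces no findings, which is the shape a default-deny host firewall should have.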


/etc/syslog.conf

    # Log all kernel messages to /dev/tty12 instead of the console.
    kern.*;local1.*                                        /dev/tty12

    *.info;mail.none;daemon.none;authpriv.none;auth.none   /var/log/messages

    # Added by Raj Singh on October 11, 2008.
    *.warn;*.err;*.alert                                   /var/log/syslog

    # The authpriv file has restricted access.
    authpriv.*;auth.*                                      /var/log/secure

    # Log all the daemon messages in one place.
    daemon.*                                               /var/log/daemons

    # Log all the mail messages in one place.
    mail.*                                                 /var/log/maillog

    ...

    # Save level2 messages also to syslog
    local2.*                                               /var/log/syslog

A priority in a selector means that level and everything more severe, and selectors on one line are merged, so *.warn;*.err;*.alert is equivalent to *.warn. The .none selectors are what keep mail, daemon and auth traffic out of /var/log/messages so that each lands only in its dedicated file.
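To check where a given message ends up under this configuration, here is an added example (not part of the original slides) that implements the sysklogd selector rules in Python: a bare priority matches that level and anything more severe, "=pri" matches exactly that level, "none" removes a facility again, "*" stands for every facility or every priority, and selectors on the same line are merged. The configuration text is the slide's; the messages routed at the end are constructed.

```python
"""Route facility.priority messages through /etc/syslog.conf selectors.

Added example for the /etc/syslog.conf slide; not code from the original
deck.  Implements the classic sysklogd selector semantics for the forms
the slide uses (plus '=pri'); rsyslog's legacy selectors behave the same.
"""

PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}
FACILITIES = (["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
               "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)])

# The slide's configuration, with the elided "..." lines dropped.
SYSLOG_CONF = """\
# Log all kernel messages to /dev/tty12 instead of the console.
kern.*;local1.*                                        /dev/tty12
*.info;mail.none;daemon.none;authpriv.none;auth.none   /var/log/messages
# Added by Raj Singh on October 11, 2008.
*.warn;*.err;*.alert                                   /var/log/syslog
authpriv.*;auth.*                                      /var/log/secure
daemon.*                                               /var/log/daemons
mail.*                                                 /var/log/maillog
local2.*                                               /var/log/syslog
"""


def _prio_index(name):
    """Index into PRIORITIES, 0 = emerg (most severe) .. 7 = debug."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_selector_line(selectors):
    """Return {facility: set of enabled priority indexes} for one selector field."""
    enabled = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):
        facs, pri = sel.rsplit(".", 1)
        targets = FACILITIES if facs == "*" else facs.split(",")
        if pri == "none":                       # drop the facility again
            for f in targets:
                enabled[f].clear()
            continue
        if pri == "*":
            levels = set(range(len(PRIORITIES)))
        elif pri.startswith("="):               # exactly this level
            levels = {_prio_index(pri[1:])}
        else:                                   # this level and more severe
            levels = set(range(_prio_index(pri) + 1))
        for f in targets:
            enabled[f] |= levels                # later selectors merge in
    return enabled


def parse_conf(text):
    """Return [(enabled-map, action)] for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = line.split(None, 1)
        rules.append((parse_selector_line(selectors), action.strip()))
    return rules


def route(facility, priority, conf=SYSLOG_CONF):
    """Return, in file order, every action a facility.priority message goes to."""
    idx = _prio_index(priority)
    return [action for enabled, action in parse_conf(conf) if idx in enabled[facility]]


if __name__ == "__main__":
    # Constructed messages: where does each one land?
    for fac, pri in (("authpriv", "info"), ("kern", "err"),
                     ("mail", "debug"), ("daemon", "warning")):
        print(f"{fac}.{pri:8} -> {route(fac, pri)}")
```

The routing shows the effect of the .none entries: an authpriv.info message (a failed su, say) is written only to /var/log/secure, while a kern.err message goes to the tty, to /var/log/messages and to /var/log/syslog.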


/etc/logrotate.conf

    # rotate log files weekly
    weekly
    # keep 4 weeks worth of backlogs
    rotate 4
    # create new (empty) log files after rotating old ones
    create
    # uncomment this if you want your log files compressed
    compress
    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d
    # no packages own wtmp -- we'll rotate them here
    /var/log/wtmp {
        monthly
        create 0664 root utmp
        rotate 1
    }
    # system-specific logs may be also be configured here.
    /var/log/daemons {
        create 0600 root root
        rotate 1
    }

The create 0600 root root line matters for the locally added /var/log/daemons file, since the rotated file would otherwise be created with logrotate's default mode. Note that rotate 1 keeps only the previous week of daemon messages; if these logs are needed for incident review, retain more or ship them off-host.


/etc/crontab

    ...
    # run-parts
    #01 * * * * root run-parts /etc/cron.hourly
    37 11 * * * root run-parts /etc/cron.daily
    43 12 * * 1 root run-parts /etc/cron.weekly
    09 13 1 * * root run-parts /etc/cron.monthly

    # Remove /tmp, /var/tmp files not accessed in 5 days (120 hours)
    #21 13 * * * root /usr/sbin/tmpwatch 120 /tmp /var/tmp
    ...

As shown, both the cron.hourly run-parts line and the tmpwatch line are commented out, so neither runs; remove the leading # to enable them.

/etc/resolv.conf

    domain xyz.ac.in
    nameserver 192.168.1.250
    nameserver 218.248.240.21
    nameserver 202.141.1.132
    #nameserver 220.226.205.253


/etc/named.conf (for Master Name Server)

    ...
    // Set up our ACLs
    acl "xfer" {
        // Allow no transfers.
        none;
    };

    acl "trusted" {
        // Place our internal subnets in here for DNS queries.
        192.168.0.0/16;
        localhost;
    };

    acl "bogon" {
        // Filter out the bogon networks.
        0.0.0.0/8;
        1.0.0.0/8;
        ...
    };

    // Setup logging
    logging {
        channel "default_syslog" {
            // Send most of the named messages to syslog.
            syslog local2;
            severity debug;
        };
        channel audit_log {
            // Send the security related messages to a separate file.
            file "/var/log/named.log";
            print-time yes;
        };
        category default { audit_log; };
        category general { audit_log; };
        category security { audit_log; default_syslog; };
        ...
    };

    options {
        directory "/var/named/data";
        ...
        allow-transfer {
            // Zone transfers limited to "xfer" ACL.
            xfer;
        };
        allow-query {
            // Accept queries from "trusted" ACL.
            trusted;
        };
        blackhole {
            // Deny anything from "bogon" ACL.
            bogon;
        };
    };

    ...

    zone "." {
        type hint;
        file "db.cache";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.local";
        allow-query { any; };
        allow-transfer { none; };
    };
    zone "xyz.ac.in" {
        type master;
        file "db.xyz";
    };
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "db.rev1";
    };
    ...
    zone "6.168.192.in-addr.arpa" {
        type master;
        file "db.rev6";
    };
    ...

    // named-checkconf - integrity check the conf file.
    // named-checkzone - integrity check the zone files.

The allow-query { trusted; } in options applies to every zone that does not override it, so xyz.ac.in and the reverse zones are answered only for 192.168.0.0/16 and localhost. That is right for an internal master; a server that must be authoritative to the Internet needs allow-query { any; } on its public zones. The local2 facility chosen for the syslog channel is the one the syslog.conf shown earlier routes to /var/log/syslog. Run named-checkconf and named-checkzone after every edit, before reloading.


/etc/mail/sendmail.cf

...

    # Configuration version number
    DZ8.13.1-DAK-XYZ
    DMxyz.ac.in
    ...
    # SMTP daemon options
    # O DaemonPortOptions=Port=smtp,Addr=127.0.0.1,Name=MTA
    O DaemonPortOptions=Port=smtp,Name=MTA
    ...
    # privacy flags
    #O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
    O PrivacyOptions=goaway,restrictqrun
    ...
    O Timeout.queuereturn=12d
    O Timeout.queuewarn=7d

sendmail.cf is generated from sendmail.mc; make changes in the .mc file and regenerate, or they are lost at the next rebuild. With the Addr=127.0.0.1 line commented out the MTA listens on every interface, which is what a mail server for the lab needs but also what makes the access map below security-relevant. PrivacyOptions=goaway disables VRFY, EXPN and the other SMTP status queries that leak account names.

...


/etc/mail/access

...

    # Hosts in XYZ
    192.168.2.2        OK
    ...
    # Hosts in VLSI Lab
    192.168.6          RELAY
    ...
    # Hosts Outside XYZ
    202.41             RELAY
    yahoo.com          RELAY
    ...
    # Deny
    172.16             550 Reserved Address Mail Reject
    10                 550 Reserved Address Mail Reject
    ...
    # Discard
    wanadoo.fr         DISCARD
    hinet.net          DISCARD

A key is matched most-specific first: an address is looked up whole and then with octets stripped from the right, a name whole and then by each parent domain. Two of these entries deserve a second look. An untagged domain entry such as yahoo.com RELAY applies to recipients as well as to connecting clients, so it lets any host on the Internet relay mail addressed to yahoo.com through this server. And 202.41 RELAY trusts an entire /16 of public address space. Prefer Connect: tagged entries for hosts that may relay, and keep relaying for outside users to SMTP AUTH.
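The following added example (not from the original slides) models how sendmail consults this map in Python: the most-specific key is tried first, an untagged entry applies to the connecting client and to the recipient domain alike, and the transaction is accepted for relaying, rejected with the stored 550 text, or discarded accordingly. The map lines are the slide's own with the elided "..." lines removed; the lookups at the end are constructed. Local-domain recipients, which sendmail accepts through its own class w rather than the access map, are outside this model.

```python
"""Model sendmail's /etc/mail/access lookups.

Added example for the access-map slide; not code from the original deck.
Covers untagged entries only, with the RHS forms the slide uses
(OK, RELAY, DISCARD and a '550 ...' reject text).
"""

# The slide's own map, minus the "..." elisions.
ACCESS_MAP = """\
# Hosts in XYZ
192.168.2.2        OK
# Hosts in VLSI Lab
192.168.6          RELAY
# Hosts Outside XYZ
202.41             RELAY
yahoo.com          RELAY
# Deny
172.16             550 Reserved Address Mail Reject
10                 550 Reserved Address Mail Reject
# Discard
wanadoo.fr         DISCARD
hinet.net          DISCARD
"""


def parse_access(text):
    """Return {key: action} from the text form of the access map."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def candidate_keys(key):
    """Yield lookup keys from most to least specific, as sendmail does."""
    key = key.lower().strip("[]")
    parts = key.split(".")
    if all(p.isdigit() for p in parts):      # IPv4: 192.168.6.21, 192.168.6, 192.168, 192
        for n in range(len(parts), 0, -1):
            yield ".".join(parts[:n])
    else:                                    # name: smtp.wanadoo.fr, wanadoo.fr, fr
        for n in range(len(parts)):
            yield ".".join(parts[n:])


def lookup(key, table):
    """Return the action for an address, host name or domain, or None."""
    for k in candidate_keys(key):
        if k in table:
            return table[k]
    return None


def smtp_decision(client_ip, client_name, rcpt_domain, table):
    """Decide one transaction: client checks first, then the recipient domain."""
    client_actions = (lookup(client_ip, table),
                      lookup(client_name, table) if client_name else None)
    for action in client_actions:
        if action is None:
            continue
        if action[:3].isdigit():             # "550 ..." -> reject with that text
            return "reject: " + action
        if action == "DISCARD":
            return "discard"
        if action == "RELAY":
            return "relay"
        # "OK": connection accepted, but relaying still depends on the recipient.
    if lookup(rcpt_domain, table) == "RELAY":
        return "relay"                       # untagged domain RELAY: anyone may relay *to* it
    return "reject: relaying denied"


if __name__ == "__main__":
    table = parse_access(ACCESS_MAP)
    # Constructed transactions: lab PC, reserved-space client, outside host to yahoo.com.
    for args in (("192.168.6.21", "smdp-pc1.xyz.ac.in", "example.org"),
                 ("172.16.5.5", "", "xyz.ac.in"),
                 ("203.0.113.7", "", "yahoo.com"),
                 ("203.0.113.7", "", "example.org")):
        print(args, "->", smtp_decision(*args, table))
```

The third constructed case is the one to notice: a host with no entry of its own is still allowed to relay because the recipient domain carries an untagged RELAY.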

...


Configuration Files of Various Software Packages

• Many other configuration files need to be checked, e.g. sysctl.conf, modprobe.conf, DIR_COLORS, updatedb.conf, nsswitch.conf, ...

• Each software package/tool has its own configuration file(s), e.g. vsftpd, Apache/httpd, ClamAV, alpine, mutt, elinks, yum, . . .

• GUI versions for setting many of the configuration files exist.

• Configuration files’ variables, styles and formats are different for each software package.

• There is no short-cut to reading and understanding the workings and documentation of each software package. /usr/share/doc/, man, info.

• Use Internet resources and websites with care.


Linux System Administration Summary

Summary of System Administration Tasks

• Installation and upkeep of operating system(s), software packages, services, printers and other peripherals, UPS system, . . .

• User accounts management. /etc/passwd, LDAP, NIS, . . .

• Security and firewall. SSH, NFS, PAM, iptables, . . .

• Managing disks and filesystems. NFS, rsync, Disk quota, . . .

• Monitoring and performance tuning. Log files. Processes and daemons.


• Network configuration and management. Ethernet, SNMP, ping, netstat, wireshark, . . .

• Electronic mail. SpamAssassin, ClamAV.

• Backup and restore.

• Automating tasks and scripting/programming.

• DNS/BIND/named, FTP, Web server, Samba, DHCP, . . .

• License servers management.


Linux System Administration Desirable Qualities

Desirable Qualities in a System Administrator

• Ethical and trustworthy.

• Patience and Persistence.

• Adherence to routine.

• Ingenuity, quickness and cleverness.

• Flexibility.

• Attention to detail.

• Sense of adventure.

• Becoming invisible.

• Dash of humor and fun.

• Thick skin.
