Linux System Administration
Presenter : Raj Singh
IC Design Group, CEERI, Pilani – 333 031
Phone : 01596-242359
Fax : 01596-242294
Email : [email protected]
Linux System Administration Introduction
What is System Administration ?
System administration is the management of a mix of activities:
Installation of operating system(s) and software packages, updating operating system(s), maintaining running systems and peripherals, user accounts management, monitoring systems, performance tuning, securing data/system/network, backups, answering user questions, network services, adding new systems and software packages, malware detection and removal, automating tasks, programming, fault detection, trouble-shooting, UPS management, respecting confidentiality, constant vigilance, etc.
Ability to switch tasks, optimize resources and service users. These are also the characteristics of Operating Systems !
System administration is like keeping trains on time. No one notices when trains are on time, but everyone complains when they are late. It is a thankless job.
©CEERI, Pilani IC Design Group 1
Some Observations
• Ethical behaviour.
• Policies and guidelines.
• Frustrating and challenging.
• Balance between authority/responsibility vs. service/cooperation.
• Pro-actively solve issues before they become problems.
• Record keeping, labeling, and documentation is a necessity.
• Expert/power user. Familiarity with most system commands, scripting and programming.
• Knowledge of hardware, software, communications, networking, security, ground-neutral, . . .
• Many non-technical aspects e.g. rearranging furniture, role of a “detective,” interfacing to finance/purchase, . . .
System Administration Basic Strategies
• Plan. Think it through.
• Should be reversible. Archive/copy configuration files elsewhere.
• Incremental change.
• Test changes before implementation.
• Document (critical steps/commands/decisions with dates). Attention to detail.
• Continuous technical knowledge update.
• Regular activity/tasks schedule : daily, weekly, monthly, and yearly routine.
• Automate as many tasks as possible.
Pre-Installation Steps
• What is the usage profile of the system ?
e.g. web server, mail server, DNS/name server, print server, desktop, programming system, development system, backup server, NFS server, FTP server, . . .
• CPU type, main memory size (typically now, 1 GB or more), USB ports, serial / parallel ports, mouse type, . . .
• Decide on disk partitions, their sizes and partitioning strategy. Typically now, disk size of 20-180 GB.
/, /boot, /home, swap, /usr, /var, ...
• Know details about networking and LAN environment.
IP number / DHCP, hostname, MAC / network adapter card, gateway / router, name servers, IPv4 / IPv6, . . .
• Know details about Graphics card, Graphics memory, Monitor type, . . .
• Names of the users and their login names, root and password.
• Timezone, date and time.
System Administration Tasks
GUI vs. Command-line discussion. Necessity of being familiar with vi or vim.
1. Security, firewall, networking : /etc/hosts, /etc/host.conf, TCP wrapper files (hosts.allow, hosts.deny), OpenSSH files, /etc/sysconfig/iptables, SELinux, . . .
2. Information/messages logging. /etc/syslog.conf. Creating files in /var/log/.
3. Log file rotation : /etc/logrotate.conf, /etc/logrotate.d/.
4. Cron file : /etc/crontab.
5. Configuring DNS/BIND : /etc/named.conf, /etc/resolv.conf, /var/named/.
6. Configuring mail system : sendmail. /etc/mail/, /etc/aliases. Also, .procmailrc, spamassassin, alpine/pine, mutt, . . .
7. Creating user accounts : /etc/passwd, /etc/group, /etc/skel/.
8. Disk quota setting : edquota, repquota.
9. Disabling/enabling services : named, kudzu, ... : using chkconfig.
10. Kernel modules : /etc/modprobe.conf.
11. Web server : /etc/httpd/.
12. FTP server : /etc/vsftpd/
13. System information messages to users : /etc/issue, /etc/issue.net, /etc/motd, /etc/lom.
14. Add other “external” packages e.g. OpenOffice, Acrobat Reader, ClamAV.
15. Remove some unwanted packages : wvdial, rp-pppoe, . . .
16. Adding peripherals : (printers, /etc/cups/).
/etc/hosts
## Updated April, 2004 by I. M. Root.
127.0.0.1       localhost localhost.localdomain
## LAN/WAN Facility Systems
202.41.xxx.x    ernet-router router-ernet router1   # (Net Devata, Cisco, 20xx)
## Internal LAN
192.168.1.1     my-pix                              # (Lan Shashtri, Cisco, 21xx)
...
## VLSI Lab (SMDP-II)
192.168.6.1     switch-smdp2 smdp2-switch           # (Lab Engg, Cisco, 26xx)
192.168.6.11    smdp-server1                        # Opteron
...
192.168.6.21    smdp-pc1                            # Intel
...
192.168.6.41    smdp-hplj                           # HP-LJ Printer
/etc/host.conf
order hosts,bind
multi on
nospoof on
spoofalert on
/etc/hosts.allow
# One needs to edit and tailor this file -- Raj Singh, October, 2008
ALL:smdp-server1,smdp-server2,smdp-server3,smdp-pc1,smdp-pc2
httpd:ALL
vsftpd:192.168.6.0/255.255.255.0
sendmail:192.168.6.,localhost
/etc/hosts.deny
ALL:ALL
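Added example (not code from the slides): it evaluates a client against constructed copies of the hosts.allow and hosts.deny shown above, in the order TCP wrappers uses: first match in hosts.allow grants, otherwise first match in hosts.deny refuses, otherwise access is granted. Daemon and host names are those from the slide; the client addresses in the comments are made up.

```python
"""Evaluate a (daemon, client) pair against a hosts.allow / hosts.deny pair
the way tcpd does: allow file first, then deny file, then default allow."""
import ipaddress

# Constructed copies of the two files from the slides (comment trimmed).
HOSTS_ALLOW = """\
# One needs to edit and tailor this file
ALL:smdp-server1,smdp-server2,smdp-server3,smdp-pc1,smdp-pc2
httpd:ALL
vsftpd:192.168.6.0/255.255.255.0
sendmail:192.168.6.,localhost
"""
HOSTS_DENY = "ALL:ALL\n"

def client_matches(pattern, addr, name):
    """One client pattern: ALL, net/mask, dotted prefix, .domain suffix, or exact."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                     # net/mask, e.g. 192.168.6.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):              # "192.168.6." matches every 192.168.6.x
        return addr.startswith(pattern)
    if pattern.startswith("."):            # ".xyz.ac.in" matches hosts in that domain
        return name.endswith(pattern)
    return pattern in (addr, name)         # exact host name or address

def file_matches(text, daemon, addr, name):
    """True if some 'daemon_list : client_list' line matches (first match wins)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = [f.strip() for f in line.split(":")[:2]]
        if daemons != "ALL" and daemon not in [d.strip() for d in daemons.split(",")]:
            continue
        if any(client_matches(c.strip(), addr, name) for c in clients.split(",")):
            return True
    return False

def allowed(daemon, addr, name=""):
    """tcpd decision: hosts.allow grants, else hosts.deny refuses, else allow."""
    if file_matches(HOSTS_ALLOW, daemon, addr, name):
        return True
    if file_matches(HOSTS_DENY, daemon, addr, name):
        return False
    return True
```

Because hosts.deny ends with ALL:ALL, anything not listed in hosts.allow is refused, which is the default-deny posture these two files are meant to give.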
/etc/sysconfig/network
HOSTNAME=smdp-pc1.xyz.ac.in
GATEWAY=192.168.1.1
NETWORKING=yes
NETWORKING_IPV6=no
/etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:08:A2:7D:7C:42
IPADDR=192.168.6.21
NETMASK=255.255.0.0
NETWORK=192.168.0.0
BROADCAST=192.168.255.255
ONBOOT=yes
TYPE=Ethernet
IPV6INIT=no
/etc/sysconfig/iptables
# Generated by iptables-save v1.2.11 on ...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10516:3329244]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --sport 135:139 -j DROP
-A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --sport 135:139 -j DROP
...
-A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 22 -j DROP
-A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 -i eth0 -p udp -m udp --sport 22 -j DROP
...
-A RH-Firewall-1-INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A RH-Firewall-1-INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A RH-Firewall-1-INPUT -s 24.208.0.0/255.252.0.0 -i eth0 -j DROP
...
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT
# Completed on ...
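Added example (not code from the slides): it reads a constructed excerpt in the iptables-save format shown above and reports two things a reviewer of such a ruleset checks, namely rules that match only on --sport (the source port is chosen by the remote peer, so such a rule does not control access to a local service) and built-in chains whose unmatched traffic falls through to an ACCEPT policy because no unconditional DROP/REJECT ends the chain.

```python
"""Audit an iptables-save dump for default-allow chains and source-port-only rules."""
import shlex

# Constructed excerpt in the same format as the slide's /etc/sysconfig/iptables.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10516:3329244]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --sport 135:139 -j DROP
-A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 22 -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT
"""

def parse(dump):
    """Return ({chain: policy}, [(chain, tokens)]); policy '-' marks a user chain."""
    policies, rules = {}, []
    for line in dump.splitlines():
        if line.startswith(":"):                  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)              # handles the old "-s ! net" syntax too
            rules.append((toks[1], toks))
    return policies, rules

def terminates(chain, policies, rules, seen=()):
    """True if every packet reaching this chain meets an unconditional DROP/REJECT."""
    for c, toks in rules:
        if c != chain or len(toks) != 4:          # only "-A CHAIN -j TARGET" is unconditional
            continue
        target = toks[3]
        if target in ("DROP", "REJECT"):
            return True
        if target in policies and target not in seen:
            if terminates(target, policies, rules, seen + (chain,)):
                return True
    return False

def audit(dump):
    """Findings as strings; an empty list means nothing to report."""
    policies, rules = parse(dump)
    findings = []
    for chain, toks in rules:                     # peer picks its source port
        if "--sport" in toks and "--dport" not in toks:
            findings.append(f"{chain}: source-port-only match: {' '.join(toks[2:])}")
    for chain, policy in policies.items():
        if policy == "ACCEPT" and not terminates(chain, policies, rules):
            findings.append(f"{chain}: unmatched traffic falls through to policy ACCEPT")
    return findings
```

Appending an unconditional "-A RH-Firewall-1-INPUT -j REJECT" before COMMIT makes INPUT and FORWARD terminate, and only the source-port findings and OUTPUT remain.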
/etc/syslog.conf
# Log all kernel messages to the dev/tty12 instead of console.
kern.*;local1.*                                        /dev/tty12
*.info;mail.none;daemon.none;authpriv.none;auth.none   /var/log/messages
# Added by Raj Singh on October 11, 2008.
*.warn;*.err;*.alert                                   /var/log/syslog
# The authpriv file has restricted access.
authpriv.*;auth.*                                      /var/log/secure
# Log all the daemon messages in one place.
daemon.*                                               /var/log/daemons
# Log all the mail messages in one place.
mail.*                                                 /var/log/maillog
...
# Save level2 messages also to syslog
local2.*                                               /var/log/syslog
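Added example (not code from the slides): given a facility and priority, it works out which actions in a constructed copy of the syslog.conf above receive the message, applying the selector rules of sysklogd: 'fac.pri' selects that level and everything more severe, 'fac.none' removes the facility again, '*' is a wildcard, and the selectors on one line are combined.

```python
"""Where does a facility.priority message land under the syslog.conf above?"""

PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "news",
              "syslog", "user", "uucp"] + [f"local{i}" for i in range(8)]

# Constructed copy of the slide's syslog.conf rules (comments omitted).
SYSLOG_CONF = """\
kern.*;local1.*                                        /dev/tty12
*.info;mail.none;daemon.none;authpriv.none;auth.none   /var/log/messages
*.warn;*.err;*.alert                                   /var/log/syslog
authpriv.*;auth.*                                      /var/log/secure
daemon.*                                               /var/log/daemons
mail.*                                                 /var/log/maillog
local2.*                                               /var/log/syslog
"""

def selected(selectors):
    """Map each facility to the set of priorities one selector list accepts."""
    table = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):
        facs, pri = sel.rsplit(".", 1)
        pri = ALIASES.get(pri, pri)
        for f in (FACILITIES if facs == "*" else facs.split(",")):
            if pri == "none":                      # a later 'none' undoes an earlier '*'
                table[f] = set()
            elif pri == "*":
                table[f] = set(PRIORITIES)
            elif pri.startswith("="):              # exactly this level only
                table[f].add(ALIASES.get(pri[1:], pri[1:]))
            else:                                  # this level and everything more severe
                table[f] |= set(PRIORITIES[PRIORITIES.index(pri):])
    return table

def destinations(facility, priority, conf=SYSLOG_CONF):
    """Actions (files, ttys) that receive a message logged as facility.priority."""
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, action = line.split(None, 1)
        if priority in selected(selectors)[facility] and action not in out:
            out.append(action)
    return out
```

With this configuration a mail.info message reaches only /var/log/maillog, while an auth.warning message is written to both /var/log/secure and /var/log/syslog.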
/etc/logrotate.conf
# rotate log files weekly
weekly
# keep 4 weeks worth of backlogs
rotate 4
# create new (empty) log files after rotating old ones
create
# uncomment this if you want your log files compressed
compress
# RPM packages drop log rotation information into this directory
include /etc/logrotate.d
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}
# system-specific logs may also be configured here.
/var/log/daemons {
    create 0600 root root
    rotate 1
}
/etc/crontab
...
# run-parts
#01 * * * * root run-parts /etc/cron.hourly
37 11 * * * root run-parts /etc/cron.daily
43 12 * * 1 root run-parts /etc/cron.weekly
09 13 1 * * root run-parts /etc/cron.monthly
# Remove /tmp, /var/tmp files not accessed in 5 days (120 hours)
#21 13 * * * root /usr/sbin/tmpwatch 120 /tmp /var/tmp
...
/etc/resolv.conf
domain xyz.ac.in
nameserver 192.168.1.250
nameserver 218.248.240.21
nameserver 202.141.1.132
#nameserver 220.226.205.253
/etc/named.conf (for Master Name Server)
...
// Set up our ACLs
acl "xfer" {
    // Allow no transfers.
    none;
};
acl "trusted" {
    // Place our internal subnets in here for DNS queries.
    192.168.0.0/16;
    localhost;
};
acl "bogon" {
    // Filter out the bogon networks.
    0.0.0.0/8;
    1.0.0.0/8;
...
// Setup logging
logging {
    channel "default_syslog" {
        // Send most of the named messages to syslog.
        syslog local2;
        severity debug;
    };
    channel audit_log {
        // Send the security related messages to a separate file.
        file "/var/log/named.log";
        print-time yes;
    };
    category default { audit_log; };
    category general { audit_log; };
    category security { audit_log; default_syslog; };
...
options {
    directory "/var/named/data";
    ...
    allow-transfer {
        // Zone transfers limited to "xfer" ACL.
        xfer;
    };
    allow-query {
        // Accept queries from "trusted" ACL.
        trusted;
    };
    blackhole {
        // Deny anything from "bogon" ACL.
        bogon;
    };
};
...
zone "." {
    type hint;
    file "db.cache";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.local";
    allow-query { any; };
    allow-transfer { none; };
};
zone "xyz.ac.in" {
    type master;
    file "db.xyz";
};
zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.rev1";
};
...
zone "6.168.192.in-addr.arpa" {
    type master;
    file "db.rev6";
};
...
// named-checkconf - integrity check the conf file.
// named-checkzone - integrity check the zone files.
/etc/mail/sendmail.cf
...
# Configuration version number
DZ8.13.1-DAK-XYZ
DMxyz.ac.in
...
# SMTP daemon options
# O DaemonPortOptions=Port=smtp,Addr=127.0.0.1,Name=MTA
O DaemonPortOptions=Port=smtp,Name=MTA
...
# privacy flags
#O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
O PrivacyOptions=goaway,restrictqrun
...
O Timeout.queuereturn=12d
O Timeout.queuewarn=7d
...
/etc/mail/access
...
# Hosts in XYZ
192.168.2.2     OK
...
# Hosts in VLSI Lab
192.168.6       RELAY
...
# Hosts Outside XYZ
202.41          RELAY
yahoo.com       RELAY
...
# Deny
172.16          550 Reserved Address Mail Reject
10              550 Reserved Address Mail Reject
...
# Discard
wanadoo.fr      DISCARD
hinet.net       DISCARD
...
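Added example (not code from the slides): it resolves the action a constructed copy of the access table above yields for a connecting host, using sendmail's lookup order of most specific key first (a full IPv4 address, then the address with trailing octets removed; a host name, then each parent domain). The 172.16 and 10 entries are the ones that turn away connections arriving with a reserved source address; the elided lines of the slide are not reconstructed.

```python
"""Look up the access-map action for a connecting host, most specific key first."""

# Constructed copy of the slide's access entries (elided lines omitted).
ACCESS = """\
# Hosts in XYZ
192.168.2.2     OK
# Hosts in VLSI Lab
192.168.6       RELAY
# Hosts Outside XYZ
202.41          RELAY
yahoo.com       RELAY
# Deny
172.16          550 Reserved Address Mail Reject
10              550 Reserved Address Mail Reject
# Discard
wanadoo.fr      DISCARD
hinet.net       DISCARD
"""

def load_access(text=ACCESS):
    """Parse 'key<whitespace>value' lines; '#' starts a comment."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            table[key] = value
    return table

def lookup_keys(client):
    """Keys in the order sendmail tries them, most specific first."""
    parts = client.split(".")
    if all(p.isdigit() for p in parts):                       # IPv4 address
        return [".".join(parts[:i]) for i in range(len(parts), 0, -1)]
    return [".".join(parts[i:]) for i in range(len(parts))]   # host name, then parents

def access_action(client, table=None):
    """The access-map value for client, or None when no entry applies."""
    table = load_access() if table is None else table
    for key in lookup_keys(client):
        if key in table:
            return table[key]
    return None
```

A None result means the table says nothing about the host and sendmail's default policy decides.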
Configuration Files of Various Software Packages
• Many other configuration files need to be checked e.g. sysctl.conf, modprobe.conf, DIR_COLORS, updatedb.conf, nsswitch.conf, ...
• Each software package/tool has its own configuration file(s) e.g. vsftp, Apache/httpd,ClamAV, alpine, mutt, elinks, yum, . . .
• GUI versions for setting many of the configuration files exist.
• Configuration files’ variables, styles and formats are different for each software package.
• There is no short-cut to reading and understanding the working and documentation of each software package. /usr/share/doc/, man, info.
• Use Internet resources and websites with care.
Summary of System Administration Tasks
• Installation and upkeep of operating system(s), software packages, services, printers and other peripherals, UPS system, . . .
• User accounts management. /etc/passwd, LDAP, NIS, . . .
• Security and firewall. SSH, NFS, PAM, iptables, . . .
• Managing disks and filesystems. NFS, rsync, Disk quota, . . .
• Monitoring and performance tuning. Log files. Processes and daemons.
• Network configuration and management. Ethernet, SNMP, ping, netstat, wireshark, . . .
• Electronic mail. SpamAssassin, ClamAV.
• Backup and restore.
• Automating tasks and scripting/programming.
• DNS/BIND/named, FTP, Web server, Samba, DHCP, . . .
• License servers management.
Desirable Qualities in a System Administrator
• Ethical and trustworthy.
• Patience and Persistence.
• Adherence to routine.
• Ingenuity, quickness and cleverness.
• Flexibility.
• Attention to detail.
• Sense of adventure.
• Becoming invisible.
• Dash of humor and fun.
• Thick skin.