Unix System Administration


TCP/IP Networking
• Objectives
– to learn how to integrate a SuSE system onto a TCP/IP network
• Contents
– the TCP/IP protocol suite
– IP addressing
– basic TCP/IP applications
– TCP/IP configuration files
• Practicals
– working with TCP/IP utilities and files
• Summary
Overview of TCP/IP
• US DoD funded experimental network
– supports inter-networks, inter-host communication
– most popular UNIX networking protocols
• Three basic protocols
TCP - a reliable session protocol: telnet, ftp
UDP - low overhead sessionless: NFS, NIS, DNS, routing
IP - Network layer protocol, sessionless, base of TCP and UDP
[Figure: a network with hosts and a gateway]
Internet Protocol Address
• All networked systems need a unique IP address
– address has four dot separated numbers (each 0 - 255)
– IP address mapped to hardware using ARP or RARP protocols
• Companies allocated a site address by NIC
– allocated class A B or C address ranges
– local administrator allocates individual host numbers
• Some address values reserved
– 0 not used
– 255 reserved for broadcasts
– Network address of 127 is reserved for loopback
– Network address of 10 is reserved for internal networks
– Network address of 172.16 is reserved for internal networks
– Network address of 192.168 is reserved for internal networks
IP Address Format
Class   Leading bits   Network part                Host part   Network addresses in range
A       0              7 bits (8 bit network)      24 bits     0 - 126
B       10             14 bits (16 bit network)    16 bits     128.0 - 191.254
C       110            21 bits (24 bit network)    8 bits      192.0.0 - 223.254.254
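As an added example (not part of the course slides), the classification in the table above and the reserved ranges from the previous slide, written as a shell function; it goes a little beyond the slide by treating the whole 172.16 - 172.31 block as private (the full RFC 1918 range).

```shell
#!/bin/sh
# Added example, not from the course slides: classify a dotted-quad IPv4
# address as in the "IP Address Format" table and note the reserved ranges
# from the previous slide. Goes slightly beyond the slide by treating the
# whole 172.16 - 172.31 block as private (the full RFC 1918 range).
# Usage: ip_info 172.16.5.9   -> "B 172.16 5.9 private"

# Accept exactly four dot separated decimal octets in 0-255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print "class network-part host-part note"; return 1 for malformed input.
ip_info() {
    valid_ip "$1" || { echo "invalid"; return 1; }
    printf '%s\n' "$1" | awk -F. '{
        a = $1 + 0; b = $2 + 0
        if (a == 127)                            note = "loopback"
        else if (a == 10)                        note = "private"
        else if (a == 172 && b >= 16 && b <= 31) note = "private"
        else if (a == 192 && b == 168)           note = "private"
        else                                     note = "public"
        # Class A: leading bit 0, 8 bit network, 24 bit host (first octet 0-127).
        # Class B: leading bits 10, 16 bit network, 16 bit host (128-191).
        # Class C: leading bits 110, 24 bit network, 8 bit host (192-223).
        if (a < 128)      { cls = "A"; net = $1;               host = $2 "." $3 "." $4 }
        else if (a < 192) { cls = "B"; net = $1 "." $2;        host = $3 "." $4 }
        else if (a < 224) { cls = "C"; net = $1 "." $2 "." $3; host = $4 }
        else              { cls = "D/E"; net = $0;             host = "-" }
        # Host part all 0 names the network itself, all 255 is the broadcast.
        if (host ~ /^(0\.)*0$/)     note = note ",network"
        if (host ~ /^(255\.)*255$/) note = note ",broadcast"
        print cls, net, host, note
    }'
}
```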
Defining IP Addresses
• Traditionally IP address defined in /etc/hosts
– one line per known host defining IP address hostname and aliases
– if last line is a + then NIS is being used
– hostnames are limited to 8 characters
• Larger sites use DNS (Domain Name Services)
– one or more hosts on the network maintain all IP addresses
– individual hosts request addresses as needed
– address cached locally to optimise DNS
# more /etc/hosts
127.0.0.1     localhost.localdomain localhost
192.168.0.12  mash4077 loghost mailhost
192.168.0.42  rosies printserver
10.1.1.1      seoul
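An added example, not from the course slides: a lookup over an /etc/hosts table in the form described above (canonical name then aliases, and a trailing "+" line meaning NIS is consulted next). The file is constructed from the slide's example; the function name hosts_lookup is the example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: look a name up in an /etc/hosts
# table as the slide describes it: one line per host, the canonical name
# followed by aliases, and a last line of "+" meaning "continue with NIS".
# The file is constructed from the slide's example; pass a real path as $2.
HOSTS_FILE=$(mktemp)
cat > "$HOSTS_FILE" <<'EOF'
127.0.0.1     localhost.localdomain localhost
192.168.0.12  mash4077 loghost mailhost   # canonical name, then aliases
192.168.0.42  rosies printserver
10.1.1.1      seoul
+
EOF

# Print the address for a hostname or alias; matching is case-insensitive and
# the first matching line wins. Exit status: 0 found, 2 not in the file but it
# ends with "+" (NIS would be asked next), 1 unknown.
hosts_lookup() {
    awk -v name="$1" '
        { sub(/#.*/, "") }                           # drop trailing comments
        $1 == "+" { nis = 1; next }                  # NIS marker line
        NF >= 2 { for (i = 2; i <= NF; i++)
                      if (tolower($i) == tolower(name)) { print $1; found = 1; exit } }
        END { if (found) exit 0; exit (nis ? 2 : 1) }' "${2:-$HOSTS_FILE}"
}
```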
Analyze Network Interface Configuration
• Use ifconfig to view network interfaces
– use the -a option to list all configured interfaces
# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:50:04:50:61:98
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:59078481 errors:0 dropped:0 overruns:84 frame:0
          TX packets:53902612 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:22596609 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22596609 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0
# ifconfig eth0 down
# ifconfig eth0 up
Network Interface Configuration
• Use ifconfig to configure the network interface
# ifconfig eth0 192.168.0.1 netmask 255.255.255.0 up
• Permanent changes in /etc/sysconfig/network
Files named like: ifcfg-eth-id-<MAC>
STATIC settings:
BOOTPROTO=static
BROADCAST=192.168.0.255
NETWORK=192.168.0.0
NETMASK=255.255.255.0
IPADDR=192.168.0.1
STARTMODE=auto
DHCP settings:
DEVICE=eth0
BOOTPROTO=dhcp
STARTMODE=auto
• Alias interfaces
# ifconfig eth0:0 192.168.1.12
Permanent changes in /etc/sysconfig/network-scripts/ifcfg-eth-id-<MAC>
IPADDR_0='192.168.1.99'
NETMASK_0='255.255.255.0'
LABEL_0='0'
• Releasing/renewing IP addresses
ifdown eth0 / ifup eth0
Routing information
• Use route to get/manipulate network routing
– Route table: netstat -r(n) or route
– Routes to all directly connected networks are created automatically
– To add a net-route: route add -net 192.168.7.0 gw 192.168.1.254
– To delete a net-route: route del -net 192.168.7.0 gw 192.168.1.254
• SuSE can handle RIP/OSPF + traffic shaping
Metric value gives priority if the values differ, or round robin if they are the same:
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.253 metric 10
route add -net 192.168.3.0 netmask 255.255.255.0 gw 192.168.1.254 metric 10
Delete the route:
route del -net 192.168.3.0 netmask 255.255.255.0
# route
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref    Use Iface
80.84.37.0      *                255.255.255.240  U     0      0        0 eth3
172.16.0.0      *                255.255.255.0    U     0      0        0 eth2
192.168.1.0     *                255.255.255.0    U     0      0        0 eth0
192.168.0.0     *                255.255.255.0    U     0      0        0 eth1
127.0.0.0       *                255.0.0.0        U     0      0        0 lo
default         router.ing-stee  0.0.0.0          UG    0      0        0 eth3
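An added example, not from the course slides: how the kernel picks a route from a table like the one above, by longest matching Genmask, implemented over the slide's own table (the gateway name is kept as printed there, truncated).

```shell
#!/bin/sh
# Added example, not from the course slides: choose the route the kernel would
# use for a destination by longest matching Genmask, over a table in the format
# "route" prints above. The table is the one from the slide; the gateway name
# is shown truncated there, so it is kept as printed.
ROUTE_TABLE='80.84.37.0   *                255.255.255.240 U  0 0 0 eth3
172.16.0.0   *                255.255.255.0   U  0 0 0 eth2
192.168.1.0  *                255.255.255.0   U  0 0 0 eth0
192.168.0.0  *                255.255.255.0   U  0 0 0 eth1
127.0.0.0    *                255.0.0.0       U  0 0 0 lo
default      router.ing-stee  0.0.0.0         UG 0 0 0 eth3'

# Print "iface gateway" for the best route to $1, or "unreachable".
route_lookup() {
    printf '%s\n' "$ROUTE_TABLE" | awk -v dst="$1" '
        # Number of one bits in a dotted mask: longer mask = more specific.
        function masklen(m,   p, i, v, n) {
            n = 0; split(m, p, ".")
            for (i = 1; i <= 4; i++) { v = p[i] + 0; while (v > 0) { n += v % 2; v = int(v / 2) } }
            return n
        }
        # octet AND maskoctet, valid for contiguous masks (0,128,192,...,255),
        # done with integer arithmetic since POSIX awk has no bitwise operators.
        function masked(o, m) { return o - (o % (256 - m)) }
        # True when dst and net agree on every bit the mask keeps.
        function matches(net, m, d,   pn, pm, pd, i) {
            split(net, pn, "."); split(m, pm, "."); split(d, pd, ".")
            for (i = 1; i <= 4; i++)
                if (masked(pd[i] + 0, pm[i] + 0) != masked(pn[i] + 0, pm[i] + 0)) return 0
            return 1
        }
        $1 == "default" { $1 = "0.0.0.0" }
        matches($1, $3, dst) && masklen($3) >= best { best = masklen($3); iface = $8; gw = $2; found = 1 }
        END { if (found) print iface, gw; else print "unreachable" }'
}
```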
Routing information configuration
• Use route to configure the default router
# route add default gw 192.168.1.1 eth0
• Permanent changes in /etc/sysconfig/network
File named routes: default 192.168.1.1 - -
• Using several routes
# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 eth0
Permanent changes in /etc/sysconfig/network/routes
10.0.0.0 192.168.1.254 255.0.0.0 eth-id-00:03:47:b0:5e:85
Another way is to use /etc/init.d/boot.local
route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.1.254 eth0
This way is the most common in other RPM distributions
Adding/Removing NICs
• Adding a NIC
1. Before going further, find out the current NIC order
a) By physical inspection, pinging and moving cables.
b) Look in /etc/modprobe.conf or find NIC modules with lsmod, lsdev, hwinfo, lspci and ksymoops. The kernel key symbol is exported like [3c59x] for 3c905 boards.
c) Modify /etc/modprobe.conf to reflect your wished NIC order.
2. Check whether the new NIC needs to be added to the kernel or the kernel needs a patch. If that is the case, recompile the kernel and do step 1 again!
3. Power off the host
4. Insert the new NIC
5. If you are lucky, hwinfo and hald will find the new NIC and add it for you; you will be asked for configuration parameters.
6. If everything goes well you can now go to step 1 once again to check your NIC order. If you are satisfied it is time to make the NIC configuration permanent.
• Removing a NIC: you basically do the same steps, but now you remove support; hald will detect the NIC removal and you can remember its configuration.
Changing NIC parameters
• Use ethtool to view NIC settings
# ethtool eth0
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: g
Wake-on: d
Current message level: 0x00000007 (7)
Link detected: yes
• Using ethtool (mii-tool can do the same) to force 100 MBit/s full duplex
# ethtool -s eth0 speed 100 duplex full
• Making changes permanent: /etc/init.d/boot.local
Nameservers for non-nameserver hosts
• Nameservers are stored in /etc/resolv.conf
General format:
domain my-site.com
search my-site.com
nameserver ip 2
nameserver ip 1
nameserver ip 3
nameserver   The nameservers to query for names
domain       My domain; my host is added to this domain.
search       A space delimited list of max six key domains to add to hostnames in the query if the domain is missing.
options      rotate: round robin the nameserver list
             timeout:n, default is 30 seconds
             attempts:n, default is 3 or 4
• The search order for finding hosts is stored in /etc/host.conf
order hosts,bind
• Name Service Switch config file /etc/nsswitch.conf
hosts: files lwres dns
Looking at Network Statistics
• Use netstat to get network status information
– use -a to view all sockets
– use -i to view interfaces
– use -rn to view routing statistics
# netstat -i
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 59098394      0      0     84 53924429      0      0      0 BRU
lo    16436   0 22598046      0      0      0 22598046      0      0      0 LRU
• MRTG Multi Router Traffic Grapher
– It is common to make graphs of network traffic
– Usually together with SNMP (Simple Network Management Protocol)
– Apache is common for presentation of plots
Activating SNMP
• Activating at boot and starting the SNMPD server
– Your server will now respond to SNMP messages
# insserv /etc/init.d/snmp ; rcsnmpd start
• Check that the SNMP server responds
# snmpwalk -v 1 -c public localhost interface
– The "password" (community string) public can be secured in /etc/snmpd.conf
#rocommunity public 127.0.0.1
rocommunity crazy42guy
• Apache webserver is needed for presentation
– You simply "browse" to read your network plots
– It is simplest to set up one "plotting" directory in DocumentRoot
# mkdir /srv/www/htdocs/mrtg
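An added example, not from the course slides: a check over the community lines of an snmpd.conf for the two things the edit above touches, the well-known "public" string and a community with no source address after it. The config text is constructed from the slide's two lines plus two extra cases; the function name is the example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: audit the community lines of an
# snmpd.conf for the two things the slide's edit touches, a well-known
# community string and a community with no source address after it (reachable
# from any host). The config text is constructed from the slide's two lines
# plus two extra cases.
SNMPD_CONF='#rocommunity public 127.0.0.1
rocommunity crazy42guy
rwcommunity secret123 192.168.1.0/24
rocommunity public'

# Print one finding per line as "<directive> <community> <problem>".
# Exit 1 when anything was found, 0 for a clean file.
snmp_community_audit() {
    printf '%s\n' "${1:-$SNMPD_CONF}" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments and blank lines
        $1 == "rocommunity" || $1 == "rwcommunity" {
            comm = $2; src = (NF >= 3) ? $3 : ""
            if (comm == "public" || comm == "private")
                { print $1, comm, "well-known community string"; bad = 1 }
            if (src == "")
                { print $1, comm, "no source restriction, any host may query"; bad = 1 }
            if ($1 == "rwcommunity")
                { print $1, comm, "write access granted"; bad = 1 }
        }
        END { exit bad ? 1 : 0 }'
}
```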
Activating MRTG
• Autoconfigure MRTG with cfgmaker
– First create the config directory
– Then execute the autoconfig
– The command must be on one line (or continued with backslashes as here)!
• Test run MRTG 3 times
# mkdir /etc/mrtg/
# cfgmaker --output=/etc/mrtg/mrtg.cfg \
--global "workdir: /srv/www/htdocs/mrtg" --ifref=ip \
--global 'options[_]: growright,bits' \
crazy42guy@localhost
– MRTG will now make three test plots; the warnings will go away
# env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
• Use MRTG's indexmaker command to create a Web index page
# indexmaker --output=/srv/www/htdocs/mrtg/index.html \
/etc/mrtg/mrtg.cfg
• Add a cron job to run MRTG every 5 minutes
– Enter with crontab -e
0-59/5 * * * * env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
• Check the plots with a web browser
http://<your server ip>/mrtg/index.html
Looking for a System
• The simplest TCP/IP utility is ping, which sends a message to a host and waits for a reply
– the host can be specified as a name or an IP address
$ ping -c1 gkse1
PING gkse1.ing-steen.se (80.84.37.2) from 80.84.37.3 : 56(84) bytes of data.
64 bytes from gkse1.ing-steen.se (80.84.37.2): icmp_seq=0 ttl=64 time=1.119 msec
--- gkse1.ing-steen.se ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 1.119/1.119/1.119/0.000 ms
$ ping ulf2
PING ulf2.intra.ing-steen.se (192.168.1.37) from 192.168.1.100 : 56(84) bytes of data.
From lina.intra.ing-steen.se (192.168.1.100): Destination Host Unreachable
--- ulf2.intra.ing-steen.se ping statistics ---
1 packets transmitted, 0 packets received, +1 errors, 100% packet loss
$ ping dude
ping: unknown host dude
Network layer 2
• To see if you have contact with network layer 2
– use ifconfig
Shows if interfaces are up
– use arp
Shows the local arp cache
• Manipulate the arp cache
– Add a static entry
To secure the system and increase network speed
– Flush the arp cache
If you have stale arp entries
– Delete an entry in the arp cache
Remove faulty entries
# arp -s 192.168.0.12 00:0B:5F:12:81:00
# arp -d 192.168.0.12
# arp
Address                 HWtype  HWaddress           Flags Mask   Iface
router.ing-steen.se     ether   00:0B:5F:12:81:00   C            eth3
grey.ing-steen.se       ether   00:06:5B:1A:84:11   C            eth3
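An added example, not from the course slides: compare the arp cache in the format shown above with the addresses you expect for key hosts (the mapping you would pin with arp -s) and flag a changed hardware address or one hardware address answering for several names. Both tables are constructed from the slide's entries, with a third cache entry added; the function name is the example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: compare the arp cache, in the
# format "arp" prints above, with the addresses you expect for key hosts (the
# same mapping you would pin with "arp -s") and flag a changed hardware address
# or one hardware address answering for several names. Both tables are
# constructed from the slide's entries, with a third cache entry added.
ARP_CACHE='Address               HWtype  HWaddress          Flags Mask  Iface
router.ing-steen.se   ether   00:0B:5F:12:81:00  C           eth3
grey.ing-steen.se     ether   00:06:5B:1A:84:11  C           eth3
newbox.ing-steen.se   ether   00:0B:5F:12:81:00  C           eth3'
EXPECTED='router.ing-steen.se 00:0B:5F:12:81:00
grey.ing-steen.se   00:06:5B:1A:84:12'

# Print MISMATCH / DUPLICATE lines; exit 1 if any, 0 if the cache looks clean.
# $1 = arp output, $2 = "name mac" lines (defaults to the constructed tables).
arp_check() {
    expfile=$(mktemp)
    printf '%s\n' "${2:-$EXPECTED}" > "$expfile"
    printf '%s\n' "${1:-$ARP_CACHE}" | awk -v expfile="$expfile" '
        BEGIN { while ((getline line < expfile) > 0) {
                    split(line, f, " "); want[f[1]] = toupper(f[2]) } }
        NR == 1 { next }                                   # column header
        # Third column is the MAC when it looks like xx:xx:xx:xx:xx:xx.
        length($3) == 17 && $3 ~ /^[0-9A-Fa-f:]+$/ {
            mac = toupper($3)
            if (($1 in want) && want[$1] != mac)
                { print "MISMATCH", $1, "has", mac, "expected", want[$1]; bad = 1 }
            if ((mac in owner) && owner[mac] != $1)
                { print "DUPLICATE", mac, "claimed by", owner[mac], "and", $1; bad = 1 }
            else owner[mac] = $1
        }
        END { exit bad ? 1 : 0 }'
    rc=$?
    rm -f "$expfile"
    return $rc
}
```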
Telnet & local name resolution 1/2
• Telnet server settings
– It depends on xinetd, the internet daemon
– xinetd starts the telnet daemon whenever a connection to its port 23 is made, as declared in the file /etc/xinetd.d/telnet
service telnet
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}
– Most xinetd dependent TCP/UDP services are declared in /etc/services
telnet    23/tcp    # Telnet
telnet    23/udp    # Telnet
– Of course your telnet server needs a login & welcome text like "Welcome to SuSE.." and "Have a lot of fun..."; these are added in /etc/issue + /etc/issue.net and /etc/motd
Telnet & local name resolution 2/2
• To activate telnet
# chkconfig telnet on ; rcxinetd restart
• Telnet is used to access most network gear (routers) and many servers sitting in trusted networks
$ uname -n
a01
$ telnet a02
My SuSE linux server!
login: hawkeye
password:
Welcome to Uncle Sam's wonderful world of Unix
Remember the bar never closes!
$ uname -n
a02
• The local name resolution should always be set up to cover the most important hosts and servers.
# cat /etc/hosts
127.0.0.1     localhost.localdomain localhost
192.168.0.1   a01.my-site.com a01   # This host IP address!
192.168.0.2   a02.my-site.com a02   # Other important hosts
192.168.0.3   a03.my-site.com a03
192.168.0.4   a04.my-site.com a04
SSH (Secure Shell) 1/2
• The SSH command is used to connect or copy files to/from another machine over a TCP/IP network
– It is a stand alone service
– It is activated by default in SuSE and most other Linux distributions.
# chkconfig --list sshd
sshd      0:off 1:off 2:off 3:on 4:off 5:on 6:off
– Encryption makes use of private and public keys
# ls .ssh/
. .. id_rsa id_rsa.pub known_hosts
id_rsa        private key
id_rsa.pub    public key
known_hosts   public key container
• Configuration file: /etc/ssh/sshd_config
– The most common options to change are:
Port 22                  Change this
Protocol 2,1             SSH protocol V2 and V1
ListenAddress 0.0.0.0    Bind to all interfaces as here, or to one only
PermitRootLogin no       Disable direct root logins
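An added example, not from the course slides: read the four sshd_config options listed above the way sshd does, where the first occurrence of a keyword wins, so a hardening line appended after an earlier "PermitRootLogin yes" changes nothing. The config text and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the course slides: read the four sshd_config options
# listed above the way sshd does, taking the FIRST occurrence of a keyword, so
# a hardening line appended at the end of the file after an earlier
# "PermitRootLogin yes" changes nothing. The config text is constructed.
SSHD_CONF='# constructed sample sshd_config
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
PermitRootLogin yes
PermitRootLogin no'

# Print the effective value of keyword $1 (case-insensitive); empty if unset.
sshd_effective() {
    printf '%s\n' "${2:-$SSHD_CONF}" | awk -v key="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Print weak settings among the slide's four options; exit 1 if any.
sshd_audit() {
    conf=${1:-$SSHD_CONF}; bad=0
    case "$(sshd_effective Protocol "$conf")" in
        *1*) echo "Protocol allows SSH v1; use 'Protocol 2'"; bad=1 ;;
    esac
    # PermitRootLogin defaulted to yes in OpenSSH releases before 7.0.
    case "$(sshd_effective PermitRootLogin "$conf")" in
        yes|"") echo "PermitRootLogin is effectively yes (first value in the file wins)"; bad=1 ;;
    esac
    if [ "$(sshd_effective ListenAddress "$conf")" = "0.0.0.0" ]; then
        echo "note: ListenAddress 0.0.0.0 binds sshd on every interface"
    fi
    return $bad
}
```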
SSH (Secure Shell) 2/2
• SSH login
– a connection is established and the user logs on as normal
$ hostname
a02
$ ssh peter@a01
password:
$ hostname
a01
The first time you log in to a new server its host key is presented and, once accepted, stored in known_hosts; later logins go straight to the password prompt.
• SSH copy
– From the current host to any other host running sshd
– From any other host to the current host
– Between two remote hosts
# scp filename.txt [email protected]:~ungk4/.
Welcome to Linux (i586)
Password:
filename.txt                100% 1166     1.1KB/s   00:00
• FileZilla & PuTTY
– Login & copy tools for use with Windows to administer your Unix servers
VSFTP Very Secure FTP
• FTP is an interactive utility for network file transfer
– log in to the remote host supplying username and password
– FTP can be run as an xinetd or stand alone service
• Anonymous FTP server
– Allows only the users anonymous or ftp to log in
• Non-anonymous FTP server
– Also allows local registered users (passwd users) to log in
• By default it is an anonymous server
– Only file download is allowed
• VSFTP has to be opened up in order to do more
$ ftp a01
Connected to a01
Name (a01:hawkeye):
Password:
ftp> get file2
...data about the transfer...
ftp> put /etc/hosts /tmp/mash.hosts
...data about the transfer...
ftp> bye
VSFTPD setup: /etc/vsftpd.conf
• The file is in clear text and somewhat self-explanatory; basically we have
– General settings
– Anonymous FTP settings
– Transfer settings
anonymous_enable=YES/NO          Allow anonymous users at all
anon_upload_enable=YES/NO        Allow anonymous users to upload files
anon_mkdir_write_enable=YES/NO   Allow anonymous users to make dirs
anon_root=<path>                 FTP root settings
userlist_enable                  vsftpd.user_list contains allowed users
userlist_deny                    vsftpd.user_list contains denied users
local_enable=YES/NO              Allow non-anonymous local users to log in
write_enable=YES/NO              Needed to be allowed to write at all
ftpd_banner=My FTP Server        Welcome message
xferlog_enable=YES/NO            Log file transfers
xferlog_file=<path>              Log file
• Restrict FTP access using the /etc/vsftpd.ftpusers file
• Chroot jail users: /etc/vsftpd.chroot_list
• FTP user list: /etc/vsftpd.user_list
Other vsftpd.conf Options
There are many other options you can add to this file:
• Limiting the maximum number of client connections:
max_clients
• Limiting the number of connections by source IP address:
max_per_ip
• The maximum rate of data transfer per anonymous login:
anon_max_rate
• The maximum rate of data transfer per non-anonymous login:
local_max_rate
0=Unlimited
Descriptions on this and more can be found in the vsftpd.conf
man pages.
VSFTP tutorial 1/3
FTP Users with Only Read Access to a Shared Directory
1. Disable anonymous FTP. Comment out the anonymous_enable line in
the vsftpd.conf file like this:
# Allow anonymous FTP?
# anonymous_enable=YES
2. Enable individual logins by making sure you have the local_enable line
uncommented in the vsftpd.conf file like this:
# Uncomment this to allow local users to log in.
local_enable=YES
3. Start VSFTP.
[root@my-host]# service vsftpd start
4. Create a user group and shared directory. In this case, use /home/ftp-docs and a user group name of ftp-users for the remote users
[root@my-host]# groupadd ftp-users
[root@my-host]# mkdir /home/ftp-docs
VSFTP tutorial 2/3
5. Make the directory accessible to the ftp-users group.
[root@my-host]# chmod 750 /home/ftp-docs
[root@my-host]# chown root:ftp-users /home/ftp-docs
6. Add users, and make their default directory /home/ftp-docs
[root@my-host]# useradd -g ftp-users -d /home/ftp-docs user1
[root@my-host]# useradd -g ftp-users -d /home/ftp-docs user2
[root@my-host]# useradd -g ftp-users -d /home/ftp-docs user3
[root@my-host]# useradd -g ftp-users -d /home/ftp-docs user4
[root@my-host]# passwd user1
[root@my-host]# passwd user2
[root@my-host]# passwd user3
[root@my-host]# passwd user4
VSFTP tutorial 3/3
7. Copy files to be downloaded by your users into the /home/ftp-docs
directory
8. Change the permissions of the files in the /home/ftp-docs directory for
read only access by the group
[root@my-host]# chown root:ftp-users /home/ftp-docs/*
[root@my-host]# chmod 740 /home/ftp-docs/*
Users should now be able to log in via FTP to the server using their new usernames and passwords. If you absolutely don't want any FTP users to be able to write to any directory, then you should set the write_enable line in your vsftpd.conf file to NO:
write_enable=NO
Remember, you must restart VSFTPD, if it runs stand alone, for the configuration file changes to take effect.
Sample Login Session To Test if it works
Here is a simple test procedure you can use to make sure everything is
working correctly:
9. Check for the presence of a test file on the FTP client host.
[root@my-friend]# ll
total 1
-rw-r--r-- 1 root root 0 Jan 4 09:08 testfile
[root@my-friend]#
10. Connect to bigboy via FTP
[root@my-friend]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): user1
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Sample Login Session To Test if it works
As expected, we can't do an upload transfer of testfile to my-host.
ftp> put testfile
local: testfile remote: testfile
227 Entering Passive Mode (192,168,1,100,181,210)
553 Could not create file.
ftp>
But we can view and download a copy of the VSFTPD RPM located on the FTP server my-host.
ftp> ls
227 Entering Passive Mode (192,168,1,100,35,173)
150 Here comes the directory listing.
-rwxr----- 1 0 502 76288 Jan 04 17:06 vsftpd-1.1.0-1.i386.rpm
226 Directory send OK.
ftp> get vsftpd-1.1.0-1.i386.rpm vsftpd-1.1.0-1.i386.rpm.tmp
local: vsftpd-1.1.0-1.i386.rpm.tmp remote: vsftpd-1.1.0-1.i386.rpm
227 Entering Passive Mode (192,168,1,100,44,156)
150 Opening BINARY mode data connection for vsftpd-1.1.0-1.i386.rpm (76288 bytes).
226 File send OK.
76288 bytes received in 0.499 secs (1.5e+02 Kbytes/sec)
ftp> exit
221 Goodbye.
[root@my-friend]#
Sample Login Session To Test if it works
As expected, anonymous FTP fails.
[root@my-friend]# ftp 192.168.1.100
Connected to 192.168.1.100 (192.168.1.100)
220 ready, dude (vsFTPd 1.1.0: beat me, break me)
Name (192.168.1.100:root): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> quit
221 Goodbye.
[root@my-friend]#
Now that testing is complete, you can make this a regular part of your
FTP server's operation.
Summary
• Unix systems use TCP/IP for networking
• Every host on the network must have a unique
IP address
• The file /etc/hosts maps names into IP
addresses for network utilities
• Systems using DNS don't keep local host files
• Unix supports standard TCP/IP programs such
as ping, telnet and ftp
• Unix uses snmpd for network analysis
• MRTG is handy for making graphs of network statistics
• Unix uses several TCP/IP configuration files in
/etc (xinetd.conf, services, etc.)