
Chapter 15: Advanced Topics and Troubleshooting
The Complete Guide to Linux System Administration
Objectives
• Understand X Window System scripts and remote access
• Implement basic system security
• Use simple features of common network services
• Troubleshoot common hardware and software problems
X Window System Advanced Configuration
• Challenges configuring graphical system are rare due to improvements in:
– XFree86 X server
– Installation programs
Configuring X
• X software normally located in directory /usr/X11R6
– Sometimes called X-root directory
– Version 11, release 6
– Configuration file for Red Hat Linux and Fedora called xorg.conf located in /etc/X11 directory
– Commercial X servers use different configuration files
Configuring X (continued)
• xvidtune program
– Adjust finer details of display
– Can damage monitor if used carelessly
• system-config-display program configures:
– Screen resolution
– Number of colors
Configuring X (continued)
Using X Window System Start-up Scripts
• X Window System starts automatically every time user logs in at graphical prompt
• startx command
– Start X Window System from command line
– Script located in /usr/X11R6/bin
– Starts xinit program
– Place scripts in user’s home directory to define graphical configuration for user
Using X Window System Start-up Scripts (continued)
• Background application
– Does not prevent program that started it from going on to other tasks
– xinit scripts can start X client then go on to start another
• Window manager
– Responsible for controlling graphical screen
– Started last by xinit
Using X Window System Start-up Scripts (continued)
Adjusting the Display of Graphical Applications
• X resource
– Separate screen elements such as:
• Scroll bars
• Text fonts
• Mouse pointers
• Title bars for windows or dialog boxes
– Collection of default X resource settings applies to all X applications
Adjusting the Display of Graphical Applications (continued)
• Resource database file
– Settings apply only when specific user runs specific application
– Main file app-defaults located at /usr/X11R6/lib/X11
– User’s home directory can contain additional settings
• .Xresources
• .Xdefaults
Adjusting the Display of Graphical Applications (continued)
• xrdb command
– Loads initial X database resource file
– Adds resource configuration details from files
– xrdb -load $HOME/.Xresources
• xfontsel command
– See fonts supported by X Window System
• xset command
– Adjust behavior of X to suit preferences
Using a Graphical Login Screen
• Most Linux distributions start in run level 5
– Graphical environment
• xdm program
– Graphical login screen provided by X display manager
– Versions specific to KDE and GNOME called:
• kdm
• gdm
• Session defines set of graphical programs to run when user logs in
Using a Graphical Login Screen (continued)
• Xsession file specifies which programs started by particular session name
• xdm executes file /etc/X11/xdm/Xsession to determine which X clients to run
• Xsession file
– Placed in user home directory
– Controls which sessions specific user has available
• /etc/X11/xdm subdirectory files configure features of xdm
Using a Graphical Login Screen (continued)
• Any type of computer can run X server
• Graphical application decides which X server to use
– By default uses X server on same computer
– Specify different server
• DISPLAY environment variable
• Add display option to command
• Configuring remote display security
– X server on remote host configured to allow other computers to display programs there
Using a Graphical Login Screen (continued)
• xhost command specifies name of remote computer permitted to use local X server
– Insecure
• xauth command restricts access to users on remote system who have specific token
– Commonly called cookie
• MIT magic cookie
Using a Graphical Login Screen (continued)
• .Xauthority files
– Stored in user’s home directory
– User-to-user security system
• Remote graphical login
– Log in to Linux system, use graphical environment as if sitting at Linux system
– Uses XDMCP
Displaying X Clients Remotely
• X protocol
– X Window System uses own protocol to communicate between X server and each X client
– Can be used over network connections
Displaying X Clients Remotely (continued)
Security Issues: The Structure of a Secure Network
• Security divided into areas:
– Physical security
– User security
– File security
– Network security
Types of Security Attacks
• Password cracking
• Trojan horse
• Buffer overflow attacks
• Denial-of-service (DoS)
• Port scanning
• Packet sniffing
Security Tools
• nmap
– Most widely used port-scanning utility
– Can use variety of different scanning methods
– nmap -sS www.myplace.net
• nmapfe utility
– Graphical interface
• IPTraf program
– Popular tool for viewing network activity on LAN
Security Tools (continued)
• tcpdump utility
– Similar to IPTraf program
– Also includes more detailed information about packets on network
• Ethereal
– One of the best packet-sniffing tools
– Network traffic analysis tool
Security Tools (continued)
• Intrusion detection system (IDS) watches network for activity that may indicate attacker is looking for way to enter server
• Linux Intrusion Detection System (LIDS)
– Adds module to Linux kernel
– Blocks access to resources for all users except as configured by LIDS
Security Tools (continued)
• Security audit
– Review or test of how secure system really is
– What needs to be done to improve its security
• Security Administrator’s Integrated Network Tool (SAINT) utility
– Uses Web browser interface to manage “attack” on network
– Reports vulnerabilities it finds
Viruses and Worms
• Security threats designed to replicate themselves once installed on system
• Virus tries to replicate as part of another program
• Worm attempts to infiltrate other systems on its own
• Linux rarely subject of virus attacks
• Worms pose greater threat than viruses
Security Organizations
• CERT Coordination Center (CERT/CC)
– U.S. Federal government-funded software engineering institute
– Maintains lists of security vulnerabilities, alerts, incident reports
• System Administration, Networking, and Security (SANS) Institute
– Education and research organization
– Web site: www.sans.org
Security Organizations (continued)
• Global Information Assurance Certification (GIAC) program
– Certification program for security professionals from SANS
Using Network Services
• Most network services installed by default
– Controlled using script in /etc/rc.d/init.d directory or using service command
Using NetFilter for Firewalls
• Firewall
– Hardware device or software program that prevents unintended network access
• Packet filter
– Firewall that examines each packet
– Decides how to process it based on firewall rules
• NetFilter defines rules in IP tables
Using NetFilter for Firewalls (continued)
• Packet stages
– Input
– Forward
– Output
• iptables command creates and manages firewall rules
• Rules executed in order defined in chain
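Rule order in a chain, shown as an added shell example that is not from the slides: a small first-match walker over two constructed INPUT chains (one with the catch-all DROP in the wrong place, one corrected), plus the iptables commands that would build each chain in that order.

```shell
#!/bin/sh
# Constructed INPUT-chain listings (not from the slides), one rule per line as
# "proto dport target"; "any" is a wildcard. netfilter walks a chain top to
# bottom and the first matching rule decides, so order is everything.
# Weak: the catch-all DROP sits above the ssh rule, which can then never match.
WEAK_CHAIN='any any DROP
tcp 22 ACCEPT'
# Corrected: the specific ACCEPT rules first, the catch-all DROP last.
GOOD_CHAIN='tcp 22 ACCEPT
tcp 80 ACCEPT
any any DROP'

# first_match CHAIN PROTO DPORT: print the target of the first rule that
# matches the packet, or POLICY when the chain's default policy applies.
first_match() {
    result=$(printf '%s\n' "$1" | while read -r rproto rport target; do
        if { [ "$rproto" = any ] || [ "$rproto" = "$2" ]; } &&
           { [ "$rport" = any ] || [ "$rport" = "$3" ]; }; then
            printf '%s\n' "$target"
            break
        fi
    done)
    printf '%s\n' "${result:-POLICY}"
}

# to_iptables CHAIN: the iptables commands that build this chain; -A appends,
# so the listing order above becomes the evaluation order on the host.
to_iptables() {
    printf '%s\n' "$1" | while read -r rproto rport target; do
        cmd="iptables -A INPUT"
        if [ "$rproto" != any ]; then cmd="$cmd -p $rproto"; fi
        if [ "$rport" != any ]; then cmd="$cmd --dport $rport"; fi
        printf '%s -j %s\n' "$cmd" "$target"
    done
}
```

With the weak chain, first_match reports DROP for a packet to tcp/22 even though an ACCEPT rule for it exists further down.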
Using NetFilter for Firewalls (continued)
• Network address translation (NAT)
– Routing technique
– Alters addresses or other information in packet
• IP masquerading
– Type of network address translation
– Packets from many computers on LAN altered to appear as if they came from single computer
Using NetFilter for Firewalls (continued)
• system-config-securitylevel program sets up reasonable rules based on:
– How secure system should be
– Specific protocols to leave more open
• Other graphical firewall programs that use IP tables
– Firestarter
– Mason
– KMyFirewall
– GuardDog
Setting Up a DNS Name Server
• Root name servers
– DNS servers designated as starting point for DNS queries
• Master DNS server or primary DNS server
– Provides information on domain
• Slave DNS server or secondary DNS server
– Contains backup copy of DNS information
• named
– Daemon that implements DNS
Setting Up a DNS Name Server (continued)
• Caching name server
– Queries other DNS servers and caches results
• Zone
– DNS server maintains information for at least part of domain
• Zone information files
– Define host names and corresponding IP addresses
• rndc utility
– Control named daemon from command line
Setting Up a DNS Name Server (continued)
• dig utility
– Query any DNS server
• whois
– Information about organization that registered domain name
File Sharing with NFS
• Work with hard disks located all over local network as if part of local directory structure
• NFS protocol implemented by several daemons
– rpc.mountd
– nfsd
– rpc.rquotad
– rpc.statd
File Sharing with NFS (continued)
• /etc/exports file defines which local directories should be accessible to remote users
• exportfs command activates contents of /etc/exports
• Squashing prevents user from gaining access to user account on NFS server because user has same ID on NFS client
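Squashing and /etc/exports, as an added shell example that is not from the slides: a small audit over constructed exports entries that flags exports keeping remote root as root on the server (no_root_squash) and read-write exports open to every host.

```shell
#!/bin/sh
# Constructed /etc/exports contents (not from the slides). Each line is
# "path client(options) ...". root_squash maps a remote root to an
# unprivileged user; no_root_squash lets root on a listed client act as
# root on the exported files, and "*" exports to every host.
EXPORTS='/srv/public  *(ro,root_squash)
/home        192.168.1.0/24(rw,root_squash)
/srv/backup  backup.example.com(rw,no_root_squash)
/srv/data    *(rw,no_root_squash)'

# has_opt OPTS NAME: true if NAME appears in the comma-separated OPTS.
has_opt() {
    case ",$1," in *,"$2",*) return 0 ;; esac
    return 1
}

# audit_exports TEXT: one line per risky entry, in file order:
#   NO_ROOT_SQUASH <path> <client>   remote root keeps root on the server
#   WORLD_RW <path>                  read-write export to every host
audit_exports() {
    set -f   # "*" is an NFS wildcard here, not a shell glob
    printf '%s\n' "$1" | while read -r path clients; do
        case $path in ''|'#'*) continue ;; esac
        for entry in $clients; do
            host=${entry%%\(*}
            opts=${entry#*\(}
            opts=${opts%\)}
            if [ "$entry" = "$host" ]; then opts=''; fi   # no "(...)": defaults
            if has_opt "$opts" no_root_squash; then
                printf 'NO_ROOT_SQUASH %s %s\n' "$path" "$host"
            fi
            if [ "$host" = '*' ] && has_opt "$opts" rw; then
                printf 'WORLD_RW %s\n' "$path"
            fi
        done
    done
    set +f
}

# count_findings TEXT: number of risky entries in the exports text.
count_findings() { audit_exports "$1" | wc -l | tr -d ' '; }
```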
Setting Up a Samba Server
• Samba suite
– File and print sharing using SMB and CIFS protocols
• Server daemons
– nmbd
– smbd
• smb.conf
– Main configuration file
Setting Up a Samba Server (continued)
• Common to allow everyone with Linux user account to log in via Samba
• SWAT
– Graphical configuration tool for Samba
– Runs as network service managed by superserver
– Access SWAT: http://localhost:901/
Creating a Proxy Server with Squid
• Proxy server
– Lets one server make request for another server
– Done to improve efficiency and security of network
• Squid requires significant configuration before use
– In file /etc/squid/squid.conf
• Transparent proxy redirects network packet based on port to which packet addressed
Creating a Linux Web Server with Apache
• Daemon named httpd
– Control with apachectl program
• /etc/httpd/conf directory
– Configuration files
• Many features implemented as loadable modules
• Container activates other directives only if condition is met or only within particular context
Configuring a Basic E-mail Server
• Mail Transfer Agent (MTA) moves mail between e-mail servers
• Mail Delivery Agent (MDA) examines messages and delivers them to user’s mailbox file
• Mail User Agent (MUA) lets user:
– View messages stored in mailbox
– Create new messages
Configuring a Basic E-mail Server (continued)
• sendmail
– Most widely known e-mail server
– Managed using standard script in /etc/rc.d/init.d
– /etc/sendmail.cf
• Configuration file
• Considered to be single most difficult Linux configuration file to master
– m4 program
• Configure sendmail
Configuring a Basic E-mail Server (continued)
• E-mail alias
– Another name that can deliver e-mail messages to user
– Configured in sendmail with /etc/aliases file
• Monitor sendmail
– /var/log/maillog file
– hoststat
– mailq
– mailstats
Using Superservers for Network Services
• Superserver
– Listens on multiple network ports and starts appropriate service when client connection arrives for port
– Programs
• inetd
• xinetd
Using Superservers for Network Services (continued)
• tcpd
– TCP wrappers
– Examines incoming network connection
– Compares it to configuration file to determine whether connection allowed
– Configured by
• /etc/hosts.allow
• /etc/hosts.deny
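The order in which tcpd consults hosts.allow and hosts.deny, as an added shell example that is not tcpd's own code: a small emulation of the decision over constructed file contents, including the case where hosts.deny is empty and every client the files do not mention is let in.

```shell
#!/bin/sh
# Constructed /etc/hosts.allow and /etc/hosts.deny contents (not from the
# slides). Each line is "daemon_list : client_list"; a trailing "." is a
# network prefix, a leading "." a domain suffix, ALL matches anything.
HOSTS_ALLOW='sshd : 192.168.1. .corp.example.com
in.ftpd : 10.0.0.5'
HOSTS_DENY='ALL : ALL'

# host_match PATTERN ITEM: true if one pattern from a list covers ITEM.
host_match() {
    case $1 in
        ALL) return 0 ;;
        .*)  case $2 in *"$1") return 0 ;; esac ;;   # domain suffix
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # network prefix
        *)   if [ "$1" = "$2" ]; then return 0; fi ;;
    esac
    return 1
}

# list_match LIST ITEM: true if any space-separated pattern in LIST matches.
list_match() {
    for pat in $1; do
        if host_match "$pat" "$2"; then return 0; fi
    done
    return 1
}

# file_match TEXT DAEMON CLIENT: true if some line of TEXT covers both the
# daemon and the client (the subshell's exit status is the answer).
file_match() {
    printf '%s\n' "$1" | (
        while IFS=: read -r daemons clients; do
            if list_match "$daemons" "$2" && list_match "$clients" "$3"; then
                exit 0
            fi
        done
        exit 1
    )
}

# wrap_decision ALLOW_TEXT DENY_TEXT DAEMON CLIENT: tcpd's order of checks:
# a hosts.allow match grants, then a hosts.deny match refuses, and a client
# that neither file mentions is let in. Prints ALLOW or DENY.
wrap_decision() {
    if file_match "$1" "$3" "$4"; then printf 'ALLOW\n'
    elif file_match "$2" "$3" "$4"; then printf 'DENY\n'
    else printf 'ALLOW\n'
    fi
}
```

Without the ALL : ALL line in hosts.deny, wrap_decision admits every daemon and client that hosts.allow does not name.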
Troubleshooting and Recovery
• Having appropriate methodology makes it easier to locate and fix problems
• Basic methodology for troubleshooting
– What system or service is causing the problem?
– Can I eliminate other possible causes to limit the scope of the problem?
Troubleshooting Linux Installation
• Installation program doesn’t boot
– Boot disk created incorrectly
– BIOS configured to start operating system from hard disk without first checking floppy disk or CD-ROM
– Installation program not able to detect video card
Troubleshooting Linux Installation (continued)
• After Linux installed, system doesn’t boot
– Another boot manager installed in MBR
– Trouble identifying hardware on system that was not detected during installation process
• Graphical interface doesn’t work
– Some video cards not supported by XFree86
– Supported by commercial X Window System products
Troubleshooting Linux Installation (continued)
• Device or part of memory isn’t available
– Hardware not correctly configured
– Linux does not access all of available system RAM because of limitations in computer’s BIOS
Diagnosing Device Status
• Utilities to learn about devices
– /proc file system
– lspci
– setserial
– usbmodules
Troubleshooting Network Connections
Troubleshooting Network Connections (continued)
Creating Rescue Disks
• Rescue disk
– 3.5-inch disk used to boot Linux-based computer
– Create when installing Linux
• Rescue mode
– Boots from CD
– Searches for Fedora installations
– Launches console to repair problems
Summary
• Scripts used by X Window System to determine exactly what programs to start
• Graphical login screen handled by xdm
• Graphical programs can be displayed remotely
• Computer security often divided into categories
• Linux uses firewalling and packet-filtering system called NetFilter
Summary (continued)
• DNS server on Linux implemented using named daemon
• NFS permits remote users to mount file system on NFS server as part of directory structure
• Apache Web server included with most Linux distributions
• Systematically eliminating possible problems is good methodology for troubleshooting