ITI-481: Unix Administration
Meeting 3
Today’s Agenda
• Hands-on exercises with booting and
software installation.
• Account Management
• Basic Network Configuration Setting
• Inetd
• Exercise: Disabling Services with Inetd
Exercise: Using Red Hat Package Manager
• Place your Linux CD in your drive - the files on your
CD can be accessed via the directory /mnt/cdrom.
You may have to issue the “mountcd” command on
your system to mount the CD ROM.
• The RedHat/RPMS directory on your CDROM
contains many RPM files.
• Install tcpdump off of the Red Hat CD:
> cd /mnt/cdrom/RedHat/RPMS
> rpm -ivh tcpdump-3.4-16.i386.rpm
• Uninstall elm software :
> rpm -e elm
• Question: Is pine installed on your system? If so,
what is the version number?
Exercise: Installing ssh1 from Source
• SSH is a program that allows you to securely
access a server from a remote location.
• Download ssh1 from
http://iti.rutgers.edu/~chrisjur/software/ssh1.2.31.tar.gz
• From the download directory:
> tar -xvzf ssh-1.2.27.tar.gz
> cd ssh-1.2.27
> ./configure
> make
> make install
Exercise: Changing Runlevels
• As root, type the following:
shutdown -t 30 -h "System Downtime Beginning"
• Hit the power switch on your machine to turn the
system back on after the shutdown process is
complete (you should see a bash# prompt). NEVER
turn power off without a proper shutdown.
• At the LILO prompt, enter "linux 1" (Linux only)
• After booting into single-user mode, type:
init 5
Unix System Accounts
• Access to system resources is
controlled through user and group
assignment.
• Two types of user accounts:
– Normal user
– Root user
Components for Account Creation
• /etc/passwd
• /etc/shadow
• /etc/group
• Home Directory (/home/username)
• Initialization scripts (.login, .bash_profile, .cshrc) – copied from /etc/skel
Passwords
• Should always be encrypted
– Crypt – up to 8 characters
– MD5 – up to 256 characters
• Should be a combination of random letters,
numbers, and special characters.
• Stored in /etc/passwd or /etc/shadow (preferred).
• Can be disabled by putting * in password
field.
/etc/passwd
• Entry format (one entry per line):
username:encrypted password:user ID (UID):default group (GID):name (GECOS):home directory:login shell
• Sample entry (no shadow file):
kkaplan:boQavhhaCKaXG:500:500:Kellee Kaplan:/home/kkaplan:/bin/tcsh
• Sample entry (with shadow file):
kkaplan:x:500:500:Kellee Kaplan:/home/kkaplan:/bin/bash
• Typical file permissions:
-rw-r--r-- 1 root root 865 Mar 28 10:44 /etc/passwd
/etc/shadow
• Entry format:
login name:encrypted password:other options for password expiration and changing
• Sample entry:
kkaplan:$1$iwdVDnei&aBcxvpyYi06qu2wll.MAE.:10987:0:99999:7:-1:-1:134549860
• Typical permissions:
-r-------- 1 root root 752 Jan 31 11:45 /etc/shadow
/etc/group
• Entry format:
group name:encrypted group password:GID:comma-separated list of group members
• Sample entry:
staff:x:103:kkaplan,jsmith,jdoe
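The three files above, as an added example that is not part of the course slides: a POSIX shell script that writes constructed copies of /etc/passwd and /etc/shadow into a scratch directory and audits them for the conditions the slides describe. The kkaplan line is the slide's own sample; every other user, hash string and file name is constructed for the demo. Findings cover a hash left in the world-readable passwd file instead of shadow, an empty password field, an account disabled with *, crypt versus MD5 ($1$) hashes, and a second UID 0 account.

```shell
#!/bin/sh
# Added example, not from the course slides: audit constructed copies of
# /etc/passwd and /etc/shadow for the conditions the slides describe.

# Write the constructed sample files into a scratch directory; print its path.
make_samples() {
    dir=$(mktemp -d)
    # Constructed passwd. The kkaplan line is the slide's own sample (hash in
    # the passwd file, no shadow); toor is a second UID 0 account; guest has an
    # empty password field, which lets anyone log in without a password.
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
kkaplan:boQavhhaCKaXG:500:500:Kellee Kaplan:/home/kkaplan:/bin/tcsh
jdoe:x:501:103:John Doe:/home/jdoe:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
guest::502:502:Guest:/home/guest:/bin/bash
EOF
    # Constructed shadow (hash strings are made up): $1$ marks an MD5 hash,
    # student2 is disabled with * as in the exercise, guest has no password.
    cat > "$dir/shadow" <<'EOF'
root:$1$abcdefgh$0123456789abcdefghijkl:10987:0:99999:7:::
jdoe:$1$ijklmnop$0123456789abcdefghijkl:10987:0:99999:7:::
student2:*:::::::
guest::10987:0:99999:7:::
EOF
    echo "$dir"
}

# Print one finding per line (sorted) for a passwd/shadow file pair.
audit_accounts() {
    passwd=$1; shadow=$2
    awk -F: '
        FNR == NR {                    # first file: passwd, 7 fields per entry
            if (NF != 7) { print "passwd " $1 " malformed (" NF " fields)"; next }
            if ($2 == "") print "passwd " $1 " empty password field"
            else if ($2 != "x" && $2 != "*") print "passwd " $1 " hash exposed in world-readable file"
            if ($3 == 0 && $1 != "root") print "passwd " $1 " has UID 0"
            next
        }
        {                              # second file: shadow, 9 fields per entry
            if (NF != 9) { print "shadow " $1 " malformed (" NF " fields)"; next }
            if ($2 == "") print "shadow " $1 " empty password field"
            else if ($2 == "*" || $2 ~ /^!/) print "shadow " $1 " disabled"
            else if ($2 ~ /^\$1\$/) print "shadow " $1 " md5"
            else print "shadow " $1 " crypt"
        }
    ' "$passwd" "$shadow" | LC_ALL=C sort
}

# Demo run over the constructed files.
d=$(make_samples)
audit_accounts "$d/passwd" "$d/shadow"
rm -rf "$d"
```

Run against the real files as root (audit_accounts /etc/passwd /etc/shadow) to see the same checks on a live system; the field counts are the quickest way to catch a hand-edited entry with a missing colon, which is the usual mistake in the account-creation exercise.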
Account Management Tools
• Command line
– Users: useradd, userdel, usermod,
– Groups: groupadd, groupdel, groupmod
– Specific fields: passwd, chsh
• Graphical
– LinuxConf
– Control-panel
Exercise: Account Creation
• Create an entry in /etc/group for a new group called “students:”
students:x:103:
• Create an entry by hand in /etc/passwd for an account called
student2:
student2:x:501:103:Student 2:/home/student2:/bin/bash
• Create an entry for student2 in /etc/shadow. Leave the
password field with an * for now:
student2:*:::::::
• Use passwd to change the password for the account.
• Create a home directory for your new account. Change
ownership of the directory to the username for your new account
and set permissions on the directory to 755.
• Login to the student2 account and verify that it is working.
Exercise: Account Creation with Command Line Tools
• Use useradd to create an account for
student3. Use the appropriate flags to
set a default group of “students,” a
home directory of /home/student3, and
a password of your choosing.
• Login to the student3 account.
• Use userdel to remove the student3
account.
Basic TCP/IP Network Configuration
• If the install program detects a NIC card during the install
process, you will be prompted to enter network settings.
• Network settings are configured at boot time through an rc script:
/etc/rc.d/init.d/network
• Network rc script sets network settings designated in
/etc/sysconfig:
– /etc/sysconfig/network
Hostname and gateway
– /etc/sysconfig/network-scripts/ifcfg-eth0
IP address, broadcast, netmask
– (These are the files that contain the network address
settings your network admin gives you).
Domain Name Service Client Configuration
• Local IP address, host name combination set in
/etc/hosts.
• To use DNS for host name resolution, need to enable
it in /etc/nsswitch.conf:
hosts: files dns
• DNS servers defined in /etc/resolv.conf:
search domainname
nameserver IP-address
Sample File:
search rutgers.edu
nameserver 128.6.4.4
nameserver 128.6.21.9
Network Configuration Utilities
• Text-based
– ifconfig
Shows various network settings, such as the IP address
associated with a NIC.
– hostname
Displays and sets the machine’s hostname
– route
Displays and sets network routes and gateways.
• Network Monitoring Utilities
– ping
– traceroute
– netstat
Daemons
• A unix process designed to handle a
specialized function, usually to run server
based processes.
• Run in the background.
• Run two possible ways:
– Standalone - Usually started through rc scripts.
Always resident in process table (ps -ef or ps -aux
show Unix processes running on the system)
– Inetd - started via the Inetd network server
Inetd
• Inetd is a "Superserver" for network
server-related processes.
• Configuration file: /etc/inetd.conf
• Controls starting and stopping of
network services like telnet and ftp.
• Connections made on specific ports are
handed over to the appropriate daemon.
/etc/inetd.conf
• Define specific services run through inetd.
• Per service format:
srvce_name sock_type protocol [no]wait user srvr_orig srvr_prog_args
• Sample entry:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
• For security reasons, comment out entries for
services not being used.
• Administrators rarely manually add entries to
inetd.conf
• Restart inetd after making any configuration changes:
kill -HUP `cat /var/run/inetd.pid`
/etc/services
• Inetd needs to know on what port (network
application identification number) the service
being started needs to listen.
• Maps services to specific ports.
/etc/services:
• Entry format:
service port/protocol
• Sample entry:
telnet 23/tcp
• This file is already configured and populated
for you but can be a good reference for “well
known” TCP ports
TCP Wrappers
• Access restrictions to TCP applications can be
enabled using TCP Wrappers.
• In inetd.conf, the network service is called through
/usr/sbin/tcpd instead of directly.
• Access control set through /etc/hosts.allow and
/etc/hosts.deny allows you to selectively
allow/deny remote access to network services based
on IP address and/or hostname.
• Connections to TCP wrapped services are logged.
• Generally used for security reasons.
Example: Denying Access via /etc/hosts.allow file
• The format of /etc/hosts.allow and /etc/hosts.deny is:
service name: [ip or host], [ip or host]…
• Adding the following entries to the
/etc/hosts.allow files will stop users from AOL
and the IP address range 128.6.6.* from
accessing your system via telnet:
in.telnetd:128.6.6.,.aol.com
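One caveat a practitioner will want here: tcpd reads /etc/hosts.allow first and grants the connection on a match, then /etc/hosts.deny and refuses on a match, and grants when neither file matches. An entry such as the one above therefore refuses the listed clients only when it is placed in /etc/hosts.deny; in /etc/hosts.allow it grants exactly those clients. The following added example (not from the slides) reproduces that decision order in POSIX shell for the pattern forms the slide uses: a trailing-dot network prefix (128.6.6.), a leading-dot domain suffix (.aol.com), an exact host, and ALL. The rule text is the slide's own entry; the scratch file names, client addresses and host names, and the deny-by-default pair (ALL: ALL in hosts.deny with one network granted in hosts.allow) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the course slides: reproduce tcpd's access decision
# for the pattern forms used on the slide, over constructed rule files.

# Does pattern $1 match a client with address $2 and host name $3?
# Forms handled: ALL, a trailing-dot network prefix (128.6.6.), a leading-dot
# domain suffix (.aol.com), or an exact address / host name.
wrap_match() {
    pat=$1; ip=$2; host=$3
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$ip" in "$pat"*) return 0 ;; esac ;;
        .*)  case "$host" in *"$pat") return 0 ;; esac ;;
        *)   if [ "$pat" = "$ip" ] || [ "$pat" = "$host" ]; then return 0; fi ;;
    esac
    return 1
}

# Does any "daemon_list : client_list" rule in file $1 match service $2 for
# the client $3/$4?  A missing file matches nothing.
wrap_file_match() {
    file=$1; svc=$2; ip=$3; host=$4
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        for dmn in $daemons; do
            if [ "$dmn" = ALL ] || [ "$dmn" = "$svc" ]; then
                for c in $clients; do
                    if wrap_match "$c" "$ip" "$host"; then return 0; fi
                done
            fi
        done
    done < "$file"
    return 1
}

# tcpd order: hosts.allow first (a match grants), then hosts.deny (a match
# refuses), and the connection is granted when neither file matches.
tcpd_decision() {   # $1 service  $2 client ip  $3 client host  $4 allow file  $5 deny file
    if wrap_file_match "$4" "$1" "$2" "$3"; then echo allow
    elif wrap_file_match "$5" "$1" "$2" "$3"; then echo deny
    else echo allow
    fi
}

# Constructed rule files: the slide's entry as written, once in an allow file
# and once in a deny file, plus a deny-by-default pair (ALL: ALL in hosts.deny,
# one network granted in hosts.allow).
make_wrapper_files() {
    dir=$(mktemp -d)
    printf 'in.telnetd:128.6.6.,.aol.com\n' > "$dir/slide.allow"
    printf 'in.telnetd:128.6.6.,.aol.com\n' > "$dir/slide.deny"
    printf 'in.telnetd: 128.6.4.\n' > "$dir/strict.allow"
    printf 'ALL: ALL\n' > "$dir/strict.deny"
    echo "$dir"
}

# Demo: the same entry gives the opposite outcome depending on which file holds it.
d=$(make_wrapper_files)
printf 'slide entry in hosts.allow, 128.6.6.10 -> %s\n' \
    "$(tcpd_decision in.telnetd 128.6.6.10 h.example "$d/slide.allow" "$d/none")"
printf 'slide entry in hosts.deny,  128.6.6.10 -> %s\n' \
    "$(tcpd_decision in.telnetd 128.6.6.10 h.example "$d/none" "$d/slide.deny")"
rm -rf "$d"
```

The strict pair is the usual defensive arrangement: with ALL: ALL in /etc/hosts.deny, a wrapped service is reachable only from clients named in /etc/hosts.allow, and every refused connection still produces a wrapper log entry.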
Exercise: Disabling Services in Inetd
• Disable telnet access to your system by commenting
out the entry for telnet.
• Restart inetd:
kill -HUP `cat /var/run/inetd.pid`
• Verify that the telnet daemon has been disabled –
what happens when you type…
> telnet localhost
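As an added example (not from the slides), the following POSIX shell script performs the exercise on a constructed copy of inetd.conf: it lists the active entries with the port resolved from a constructed /etc/services excerpt in the slide's "service port/protocol" format, flags entries that call their daemon directly rather than through /usr/sbin/tcpd (so hosts.allow and hosts.deny do not apply to them), and comments out the telnet entry. The inetd.conf and services contents, and the pop-3 entry in particular, are constructed for the demo. Restarting inetd with kill -HUP `cat /var/run/inetd.pid` is left to the reader because it needs root and a running inetd.

```shell
#!/bin/sh
# Added example, not from the course slides: do the exercise on a constructed
# copy of inetd.conf and report what the file leaves enabled.

make_inetd_samples() {
    dir=$(mktemp -d)
    # Constructed inetd.conf: telnet and ftp run through tcpd, finger is
    # already commented out, pop-3 calls its daemon directly.
    cat > "$dir/inetd.conf" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd    in.telnetd
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd    in.ftpd -l -a
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd    in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/ipop3d  ipop3d
EOF
    # Constructed excerpt of /etc/services in the "service port/protocol" format.
    cat > "$dir/services" <<'EOF'
ftp     21/tcp
telnet  23/tcp
finger  79/tcp
pop-3   110/tcp
EOF
    echo "$dir"
}

# Active entries as "name port/proto server_path", with the port looked up in
# the services file the way inetd does.
inetd_enabled() {   # $1 inetd.conf  $2 services file
    awk '
        FNR == NR { port[$1] = $2; next }           # first file: services map
        NF == 0 || $1 ~ /^#/ { next }               # blank or commented entry
        { p = ($1 in port) ? port[$1] : "?"; printf "%s %s %s\n", $1, p, $6 }
    ' "$2" "$1"
}

# Active entries whose server_path is not tcpd: no hosts.allow/hosts.deny
# control and no wrapper log line for their connections.
inetd_unwrapped() {   # $1 inetd.conf
    awk 'NF == 0 || $1 ~ /^#/ { next } $6 !~ /\/tcpd$/ { print $1 }' "$1"
}

# Comment out the active entries for service $2 in file $1 (rewritten in
# place); prints the number of entries changed.  The restart that follows in
# the exercise, kill -HUP `cat /var/run/inetd.pid`, needs root and a real inetd.
inetd_disable() {   # $1 inetd.conf  $2 service name
    n=$(awk -v s="$2" '$1 == s { n++ } END { print n + 0 }' "$1")
    sed "s/^\([[:space:]]*$2[[:space:]]\)/#\1/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$n"
}

# Demo run over the constructed files.
d=$(make_inetd_samples)
echo "enabled:";   inetd_enabled "$d/inetd.conf" "$d/services"
echo "unwrapped:"; inetd_unwrapped "$d/inetd.conf"
echo "disabled telnet entries: $(inetd_disable "$d/inetd.conf" telnet)"
echo "enabled after the change:"; inetd_enabled "$d/inetd.conf" "$d/services"
rm -rf "$d"
```

On a real system, point the functions at /etc/inetd.conf and /etc/services; inetd_unwrapped is the quick check for the slide's advice to call services through tcpd, and the count returned by inetd_disable confirms the entry was actually present and active before you send inetd the HUP signal.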
Homework
• Read Chapters 8,18, and 20 in Linux
Administration: A Beginner’s Guide.