ABET - Regis University


CS 468: Advanced UNIX
Class 6
Dr. Jesús Borrego
Regis University
scis.regis.edu ● [email protected]
Topics
• IA Lab visit was scheduled for today; attempting
to reschedule for next week
• Review of Homework 4
• Managing Devices
• Security
• Homework 5
• Q&A
New disk installation
• Attach the drive and reboot to allow system to
recognize it
▫ sudo fdisk -l
• Partition disk if required
▫ cfdisk, fdisk, sfdisk, parted, gparted
• Allocate space to the partition without installing
a file system
▫ Note the device name (something like /dev/sdc1)
New disk installation (Cont’d)
• Prepare for use:
$ sudo pvcreate /dev/sdc1
• Create volume group (vgname)
$ sudo vgcreate vgname /dev/sdc1
• Create logical volume
$ sudo lvcreate -l 100%FREE -n volname vgname
• Create file system:
$ sudo mkfs -t ext4 /dev/vgname/volname
New disk installation (Cont’d)
• Create mount point:
$ sudo mkdir mountpoint
• Set the mount options and mount point:
$ sudo vi /etc/fstab
• In /etc/fstab add a line from an existing file
system and modify it
• Mount the file system
$ sudo mount mountpoint
Hard disks
Solid State Disks
Source: http://www.ibmsystemsmag.com/power/infrastructure/storage/SSD_benefits/Internal-Structure-of-anSSD/
Solid State Array Architecture
Source: http://www.anandtech.com/show/2738/5
Storage Interfaces
• ATA (Advanced Technology Attachment, aka
IDE, Integrated Drive Electronics): hardware
controller inside the disk. Has been improved
• PATA (Parallel ATA): disks are connected to
motherboard with 40/80 conductor cable
• SATA (Serial ATA): successor of PATA, higher
transfer rate, simpler connectivity, hot
swapping, optional command queuing
Storage Interfaces (Cont’d)
• SCSI (Small Computer System Interface): Not as
popular but has a long installation base, allows
for multiple disks on a bus, daisy chained
• FC (Fibre Channel): Serial interface for
enterprise environments with high speed (fiber)
• USB (Universal Serial Bus) and FW (FireWire):
popular for external hard disk connectivity
Storage Software
• Unix disk installation is more complex than
Windows (plug-and-play)
• See Exhibit B on page 221 (next slide)
• Storage device: anything that looks like a disk
• Partition: fixed subsection of a disk; acts as an
independent device
• RAID array: combines multiple devices into one
virtualized device
• Volume/logical volume: subdivision of disks
Attachment
• After connecting the disk, the OS will
acknowledge its existence if everything is OK
• Initial POST will detect the disk and list its
characteristics
• See example on page 223 of USAH
• The new disk will have device files in /dev
• Make sure you know the correct device when you
format
Formatting
• All hard disks are preformatted at the factory
• No need to perform a low-level format
• Formatting writes address information and
timing marks on the platter
▫ Indicates sector limits
▫ Also indicates bad blocks
• Any bad blocks found afterwards may or may
not be handled automatically
Partitioning
• Partitioning is the lowest level of disk
management
• Partitioning divides a disk into separate areas of
known size
• Traditional Partitioning: writes a “label” at the
beginning of the disk to define blocks included
in the partition
• The device driver responsible reads the label and
uses table to calculate location of each partition
Sample Partitions
RAID
• RAID: Redundant Array of Inexpensive
(Independent) Disks
• Distributes/replicates data across multiple disks
• Intent is to avoid data loss and minimize
downtime, increasing performance
• Software and Hardware RAID: different issues
• Different RAID levels
RAID Levels
• The RAID levels specify the exact details of
parallelism and redundancy implemented in the
array
• Levels refer to the configuration
• The higher levels do not necessarily mean faster
or better
▫ Depend on the application
Linear Mode
• Also known as JBOD (Just a bunch of disks)
• Not really RAID
• Concatenates the block addresses of multiple
drives to create the illusion of single, larger
virtual drive
• There is no data redundancy or performance
benefit
RAID Level 0
• Used to increase performance
• Combines two or more drives of equal size with
stripes alternating between them
• Decreases write and access time
• Reliability is inferior to separate disks
• Two disks have double the failure rate of a single
drive, for example
RAID Level 1
• Also known as Mirroring
• Writes are duplicated to two or more drives at
the same time
• Slower writing
• Reads are similar to RAID 0
• Prevents data loss when a disk fails
RAID 0+1 and 1+0
• Stripes of mirrors or mirrors of stripes
• Logical concatenation of RAID 0 and RAID 1
• Attempts to obtain performance of RAID 0 and
the redundancy of RAID 1
RAID 5
• Stripes both data and parity information
• Adds redundancy
• Improves read performance
• More efficient use of disk space than RAID 1
RAID 6
• Similar to RAID 5 with two parity disks
• RAID 6 can withstand complete failure of two
drives without losing data
Disk Failure Recovery
• JBOD and RAID 0 do not help with disk failure
• Data must be recovered manually from backups
• Bad disks must be replaced with new ones as
soon as possible
• Once the new disk is replaced, data must be
written to new disk
▫ Not a very fast operation
• Can designate “hot spares” drives to allow
swapping of drives when failure occurs
RAID5 Drawbacks
• RAID 5 is very popular but has disadvantages
• Does not replace regular offline backups
• Just protects the system against disk failures
• Does not protect against controller failures,
hackers, fires, or other hazards
• Does not have great write performance
• Prone to corruption
• “Write hole”: cannot guarantee that the blocks
are properly updated
Logical Volume Management
• Want to manage space in a partition at different
times
• Groups storage devices into volume groups
• The blocks in the volume group are allocated to
logical volumes – act as disk partitions
• Logical volumes are more flexible and powerful
• Logical volumes provide many useful operations
Logical Volume Operations
• Move logical volumes among different physical
devices
• Grow and shrink logical volumes on the fly
• Take copy-on-write “snapshots” of logical
volumes
• Replace on-line drives without interrupting
service
• Incorporate mirroring or striping in your logical
volumes
File Systems
• After the partitions are set up, we need to load
the file system
• UFS: Unix File System
• The file system was removed from the kernel
▫ To abstract the implementation
• Many file systems are available
• See examples in the book (pp. 255-264)
Storage Area Networking
• Lower-level system for abstracting storage
• Network storage appears as local storage
• Clients must provide own file system
implementation to use SAN
• SAN can be used for swap areas that do not
require a full blown file system
• Not typically used to share files, but to replace
hard disks with centralized storage area
Operating System Security
• No OS is 100% safe
• Best we can hope is to make our OS resistant to
attack
• Architecture stresses easy manipulation of data
in a networked, multiuser environment
• Applications on the OS are developed by many
vendors
▫ Can introduce security vulnerabilities
Security Threats
• Social engineering
• Operating system vulnerabilities
• Application software vulnerabilities
• Configuration errors
• Unpatched software
• Attachments in emails
• Inside threats
▫ Disgruntled employees
▫ Lack of security policy enforcement
Security Tips
• Patch software
• Detect and remove unnecessary services
• Secure hosts for remote logging
• Frequent and proper backups
• Virus and worm protection
• Trojan horses, rootkits
• Packet filtering
• Vigilance
• Intrusion detection systems
Pluggable Authentication Modules
• PAM provides flexible modular control over
authentication tasks
• System authentication routines are stored in a
shared library that can be used by applications
▫ Accessible to programmers also
• Can integrate advances in security into a single
location
Setuid programs
• Setuid programs are run as the user that owns
the executable file
• Programs that run setuid create security issues
• Security holes have been discovered in these
setuid commands
• Best practice: scan disks at normal intervals to
find new setuid programs
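The periodic scan recommended above, as an added example (not from the slides): inventory setuid/setgid files, keep the list as a baseline, and report anything that has gained those bits since the last run. The directory and file names in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: inventory setuid/setgid files and
# flag those that appeared since the last run. Directory and file names
# used in demo() are constructed for illustration.

# List every setuid or setgid regular file below the given directories,
# sorted so that two inventories can be compared line by line. -xdev keeps
# the scan on one file system so it does not wander into /proc or NFS mounts.
setuid_scan() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Compare a saved inventory with a fresh one. Prints "NEW <path>" for each
# privileged binary that was not in the baseline and returns 1 in that case,
# so a cron job can mail the administrator only when something changed.
setuid_diff() {
    new=$(comm -13 "$1" "$2")      # lines present only in the current inventory
    [ -z "$new" ] && return 0
    printf '%s\n' "$new" | sed 's/^/NEW /'
    return 1
}

# Demo: build a small tree, record a baseline, then add a setgid file the
# way a careless package install might, and show that the diff catches it.
demo() {
    d=$(mktemp -d)
    : > "$d/harmless";    chmod 0755 "$d/harmless"
    : > "$d/passwd_like"; chmod 4755 "$d/passwd_like"   # setuid, in the baseline
    setuid_scan "$d" > "$d.baseline"
    : > "$d/surprise";    chmod 2755 "$d/surprise"      # setgid, appears later
    setuid_scan "$d" > "$d.current"
    setuid_diff "$d.baseline" "$d.current"
    rc=$?
    rm -rf "$d" "$d.baseline" "$d.current"
    return $rc
}
```

Running `demo` prints one `NEW .../surprise` line and exits 1; on a real host, run `setuid_scan /` from cron and diff against the stored baseline instead.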
Effective use of chroot
• Command chroot restricts a process to a specific
directory
▫ No access to other files outside this directory
• Can provide a false sense of security if not
understood well
• Does not relieve administrators from exercising
due diligence in security matters
Security Tools
• Nmap: network port scanner
Security Tools (Cont’d)
• Nessus: Next generation network scanner
Snort
• IDS
Others
• John the Ripper (JTR): Finder of insecure
passwords
• Bro: programmable network intrusion detection
system
• OSSEC: Host based intrusion detection system
• Wireshark: Network packet analyzer
MAC
• Mandatory Access Control is an alternative to
Unix access control system
• MAC does not allow users to change permissions
• Permissions are granted based on sensitivity of
resource being controlled
• Users can read or write items of same
classification or lower, but not of higher
• Mainly used for classified projects
Cryptography
• Kerberos: developed by MIT, uses tickets to
validate user access
• PGP: Pretty good privacy – uses encryption tools
for files, signatures, and to verify origin
• SSH: secure shell; provides cryptographic
authentication between two hosts
Firewalls
• Filters unwanted packets from leaving or
entering a zone
• Scans packet header to determine if it should be
allowed access
• Services listen to a predefined port
▫ Defined in /etc/services
Service filtering
• Well-known services are associated with a port
• Ports in the range 1-1023 are “privileged”: only
processes running as root can listen on them
• Ports > 1024 are non-privileged
• To start, deny inbound connections
▫ Allow one at a time for services you want to allow
Stateful inspection firewalls
• Inspects traffic flowing through the firewall and
compares it with what the tracked connection state
says should be transmitted
• If you open an ftp port connection, you expect
data to flow through that port
• Attempts to connect to other ports are dropped
Linux Firewalls
• Netfilter packet-handling engine
• Command line tool iptables used to filter
network traffic
▫ Default table: filter
▫ Consists of chains of rules to filter traffic
▫ Filter contains three default chains: FORWARD,
INPUT, OUTPUT
▫ Each packet passes through one of these chains
• Other tables: nat and mangle
Linux Firewalls (Cont’d)
• Nat contains chains of rules to control Network
Address Translation (NAT)
• Mangle contains chains of rules that modify or
alter the contents of network packets outside of
NAT
• Mangle is used for special handling, but not
typically used in production environments
• USAH pp. 938-939 contain a complete example
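The service-filtering and stateful-inspection approach above, applied to the iptables filter table, as an added example (not the USAH example or code from the slides): a default-deny INPUT chain that accepts loopback, packets of already tracked connections, and new TCP connections only to the listed service ports. The function only prints the iptables commands; the port list is the caller's choice.

```shell
#!/bin/sh
# Added example, not from the slides: emit a default-deny, stateful
# iptables ruleset for the filter table's INPUT chain that accepts new
# connections only on the TCP ports given in "$1". It prints the commands
# instead of running them; review the output, then pipe it to sh as root.
gen_ruleset() {
    ports=$1
    for p in $ports; do                      # validate before printing anything
        case $p in
            ''|*[!0-9]*) echo "gen_ruleset: bad port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "gen_ruleset: port out of range '$p'" >&2; return 1
        fi
    done
    # Start from an empty INPUT chain and accept what must always pass:
    # loopback, and packets that belong to a connection conntrack already
    # knows (the stateful inspection described above). INVALID packets,
    # which match no known connection, are dropped outright.
    cat <<'EOF'
iptables -t filter -F INPUT
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # One explicit ACCEPT per service, and only for NEW connections
    # ("deny inbound, then allow one service at a time").
    for p in $ports; do
        printf 'iptables -t filter -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    # Log what is about to be dropped, then flip the default policies last
    # so an existing SSH session is not cut off while the rules are loading.
    cat <<'EOF'
iptables -t filter -A INPUT -j LOG --log-prefix "INPUT drop: " --log-level warning
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
EOF
}

# Sanity check before applying: how many services does this ruleset open?
count_service_rules() {
    gen_ruleset "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}
```

`gen_ruleset "22 443"` opens SSH and HTTPS only; everything else inbound is logged and dropped by policy.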
IPFilter
• Most Unix vendors do not ship firewall software
▫ But it can be added to the system
• IPFilter is an open source package to supply
NAT and stateful firewall services for Unix
▫ Included in many distributions, and in Linux
• It reads filter rules from configuration file
• If multiple matches are found, the last one wins
Sources of Security Information
• CERT: Computer Emergency Response Team, by
Carnegie-Mellon University
• SANS: Professional organization sponsoring
security conferences and training programs
• ISSA: Information Systems Security Association,
a professional organization
• ISACA: Information Systems Audit and Control,
a professional organization in areas of
governance and compliance
Installation of Software and Devices
• UPU pp. 641-643
Installing Software
• Locally installed software is typically in /usr/local
▫ Indicates it did not come from the distribution
▫ Vendor software is installed in other locations
• Two ways to install software:
▫ 1. create directory and copy all there
(/opt/pianoman)
▫ 2. create directory and copy software there, but
configuration files in a central location
(/usr/local/pianoman)
• Impact: PATH modifications
Installation best practices
• Allow user to change location
▫ Avoid hard coding locations
• Use common installation packages (tar, cpio)
▫ Exist in most versions of Unix
▫ Can use distribution’s provided packages
▪ Advantage: these are typically better in functionality
▪ Disadvantage: you are tied to that distribution and
may have to develop multiple installation packages
Installation of Devices
• Install device driver
• Determine device’s major and minor numbers
• Use mknod to associate a filename in “/dev”
with the new device
▫ mknod creates a special file in the file system
▪ Can create a character- or block-oriented special file
▪ Can create a named pipe
▪ See page 642 in UPU
Installation of Terminal Files
Figure 15.12. Unix system files containing information about terminals
• /etc/termcap or /etc/terminfo: Encoded list of every standard
terminal’s capabilities and control codes. The Unix editors use the
value of the environment variable $TERM to index into this file and
fetch your terminal’s characteristics.
• /etc/sys: A list of every terminal on the system, together with the
program that should be associated with it when the system is
initialized (usually “getty”). If the terminal’s type is constant
and known, that information is also included.
• /etc/gettyttab: A list of baud rate information that is used by
“getty” in determining how to listen to a login command.
Network Troubleshooting
• Most used protocol is TCP/IP
• Tools are available to troubleshoot a network
• Sample tools: ping, arp, traceroute, netstat,
tcpdump, Wireshark
• Understand network protocols
Ping
• Simple to use, but useful to detect connectivity
problems
• Submits ICMP ECHO_REQUEST packet to a
host and waits to see if the host replies
SmokePing
• An open source tool that sends ping packets
repeatedly and keeps the results over time
• Displays the history of each monitored link
through a web front end
• Documents the round-trip time of pings over
time
• Spikes show the transit times of individual packets
Traceroute
• Displays the sequence of gateways through which a
packet travels to its destination
• All OS contain a version of traceroute
• Syntax:
▫ traceroute hostname
Windows tracert
Netstat: network statistics
Netstat options
Packet Sniffers
• Examples: tcpdump and Wireshark
Network Management Protocols
• SNMP: Simple Network Management Protocol
• Organized in a standard hierarchy
• Manager relies on agents to provide information
• Device configuration is stored in a MIB
(Management Information Base)
• Attributes are called OIDs (Object Identifiers)
• Has simple commands: get, getnext, set, trap
Homework 5
• Download nmap from http://nmap.org
• Review the nmap documentation there
• Perform a scan of www.regis.edu
• Perform a scan of your localhost (127.0.0.1)
• Capture the scan and save it to a file
• Write a report discussing your findings
• Visit the nmap documentation portal and review
the Nmap Reference Guide for more information
Questions?