Linux Networking and Security
Chapter 6
Configuring Major Network Services
Expand the routing capabilities of your Linux server
Set up your own DNS name server
Configure a basic email server
Understand how Linux can excel as a Web server
Dynamic Routing with Routing Protocols
Static Routing - the routing table in the Linux kernel is assembled by entries in start-up scripts or by user-entered route commands issued to update the routing table
Dynamic Routing - the process of using a specialized routing protocol to build and modify routing tables automatically through a network, based on information shared by the routers
Interior routing protocols are designed for routing packets among networks within an organization; they route packets based on mathematical models
Exterior routing protocols are designed for routing packets between networks controlled by different organizations; they route packets based on administration policies
All routing protocols communicate between routers to find the most efficient packet route
Routing Information Protocol (RIP) and routed
RIP, an interior routing protocol, is the oldest routing protocol still in common use on smaller or simply-routed networks
RIP defines the best route as that which has the lowest number of routers (hops) to reach the destination network
RIP is implemented using the routed daemon, which is easy to configure and run
Open Shortest Path First (OSPF) and gated
OSPF, an interior routing protocol, is designed to work effectively even in very large networks
OSPF uses a technique called flooding which allows routers to intelligently construct a chart inside the router that defines the best routing paths
OSPF is implemented using the gated daemon, which is not installed by default
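As an added example (not part of the original slides, and not the code of the routed or gated daemons), the following Python script builds a small constructed five-router topology and computes the route each protocol family would choose for the same destination: RIP's fewest-hop path and OSPF's lowest-cost path. The link costs are assumed values; OSPF would normally derive them from link bandwidth.

```python
"""RIP-style versus OSPF-style route selection on a constructed topology.

RIP (distance vector) picks the path with the fewest router hops; OSPF
(link state) builds a map of the whole area and picks the path with the
lowest total link cost. Both functions are textbook algorithms, not the
routed/gated daemons' code.
"""
import heapq
from collections import deque

# Constructed topology: router -> [(neighbour, link cost), ...].
# Costs are hypothetical; OSPF normally derives them from link bandwidth.
TOPOLOGY = {
    "R1": [("R2", 10), ("R3", 1)],
    "R2": [("R1", 10), ("R5", 10)],
    "R3": [("R1", 1), ("R4", 1)],
    "R4": [("R3", 1), ("R5", 1)],
    "R5": [("R2", 10), ("R4", 1)],
}

RIP_INFINITY = 16  # RIP treats a hop count of 16 as "unreachable"


def rip_route(graph, src, dst):
    """Fewest-hop path (breadth-first search), as RIP would select.

    Returns (path, hop_count), or (None, RIP_INFINITY) when the destination
    is unreachable or more than 15 hops away.
    """
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for neighbour, _cost in graph.get(node, []):
            if neighbour not in parent:
                parent[neighbour] = node
                queue.append(neighbour)
    if dst not in parent:
        return None, RIP_INFINITY
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = parent[node]
    path.reverse()
    hops = len(path) - 1
    if hops >= RIP_INFINITY:
        return None, RIP_INFINITY
    return path, hops


def ospf_route(graph, src, dst):
    """Lowest-cost path (Dijkstra's algorithm), as OSPF would select.

    Returns (path, total_cost), or (None, None) when unreachable.
    """
    best = {src: 0}
    heap = [(0, src, [src])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return path, cost
        if cost > best.get(node, float("inf")):
            continue  # stale heap entry, a cheaper path was already found
        for neighbour, link_cost in graph.get(node, []):
            new_cost = cost + link_cost
            if new_cost < best.get(neighbour, float("inf")):
                best[neighbour] = new_cost
                heapq.heappush(heap, (new_cost, neighbour, path + [neighbour]))
    return None, None


def compare(graph, src, dst):
    """Both protocols' choices for one destination, side by side."""
    rip_path, hops = rip_route(graph, src, dst)
    ospf_path, cost = ospf_route(graph, src, dst)
    return {"rip": (rip_path, hops), "ospf": (ospf_path, cost)}


if __name__ == "__main__":
    for destination in ("R4", "R5"):
        print(destination, compare(TOPOLOGY, "R1", destination))
```

For R1 to R5 the two protocols disagree: RIP takes the two-hop path through R2 even though both of its links are expensive, while OSPF takes the three-hop path through R3 and R4 because its total cost is far lower.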
Popular Routing Protocols
Setting Up a DNS Name Server
Domain name service (DNS) is central to the Internet
When URLs are entered in a Web browser, a DNS server converts the name to an IP address, allowing the client to send a packet to the Web server as requested
The information in DNS can be thought of as an inverted hierarchical tree, where the top of the tree is called root and is represented by a period
Users typically don’t refer to roots, but to the last part of domain names called top-level domains
Resolving a domain name to an IP address using DNS, also called querying the DNS server, stores, or caches, the conversion information, resulting in speedier DNS queries
Each domain has a master DNS server which contains database files that provide IP addresses for every host in that domain
Each domain should have a slave DNS server which acts as a backup to the master
Setting Up a Basic Name Server
The program that implements a DNS server is called named, the name daemon, which is controlled by a system script in /etc/rc.d/init.d
named is found in the BIND package on most Linux systems; selecting the Red Hat Linux name server component provides bind-conf, bind-utils, and caching-nameserver
Caching name servers have no preconfigured domain information, but simply query other DNS servers and cache the results
Later versions of BIND use the configuration file /etc/named.conf
This file is divided into five sections: options, controls, three different zones and an include line, which refers to the rndc security file
A zone is a part of the DNS domain tree for which the DNS server has authority to provide information
Zone information is contained in files referred to in named.conf
Zone information is important since it is the information that a DNS query seeks
These files contain resource records which hold information about a host within a zone that a client can receive through a query
There are many types of resource records and they have this general format: item-described, time-to-keep-cached, type-of-record, and information-sought
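The following Python example is added here (it is not from the original slides and is not BIND's code) to show two ideas from the preceding slides together: it parses zone-file resource records in the four-part format just described (item described, time to keep cached, type of record, information sought), answers a query from them, and keeps answers in a cache only for their TTL, after which they must be queried again. The zone contents are constructed sample data for the reserved documentation domain example.com.

```python
"""Zone-file resource records and a TTL-bounded cache (added teaching code).

Each record carries the four parts named on the slide: item described (owner
name), time to keep cached (TTL), type of record, and information sought.
The zone below is constructed sample data, not a real example.com zone.
"""
from dataclasses import dataclass

CLASSES = {"IN", "CH", "HS"}

# Constructed zone file; 192.0.2.x are documentation-only test addresses.
ZONE_TEXT = """\
$TTL 86400
$ORIGIN example.com.
@       IN  SOA  ns1.example.com. hostmaster.example.com. (
                 2024010101  ; serial
                 3600        ; refresh
                 900         ; retry
                 604800      ; expire
                 86400 )     ; minimum
        IN  NS   ns1.example.com.
        IN  MX   10 mail.example.com.
ns1     IN  A    192.0.2.1
www 300 IN  A    192.0.2.10   ; short TTL: re-queried after five minutes
"""


@dataclass(frozen=True)
class ResourceRecord:
    name: str    # item described
    ttl: int     # seconds a resolver may keep the answer cached
    rtype: str   # type of record
    rdata: str   # information sought


def _logical_lines(text):
    """Strip ';' comments and join records continued inside ( ... )."""
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def _absolute(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=""):
    """Return the list of ResourceRecords in a zone file, in file order."""
    records, default_ttl, last_name = [], None, None
    for line in _logical_lines(text):
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        # A line that starts with blank space reuses the previous owner name.
        name = last_name if line[0].isspace() else _absolute(fields.pop(0), origin)
        if name is None:
            raise ValueError("record without an owner name")
        ttl = int(fields.pop(0)) if fields[0].isdigit() else default_ttl
        if fields[0].upper() in CLASSES:
            fields.pop(0)
        if ttl is None:
            raise ValueError(f"{name}: no TTL on the record and no $TTL set")
        rtype = fields.pop(0).upper()
        records.append(ResourceRecord(name, ttl, rtype, " ".join(fields)))
        last_name = name
    return records


def lookup(records, name, rtype):
    """Answer a query from the zone: every rdata for (name, type)."""
    return [r.rdata for r in records if r.name == name and r.rtype == rtype]


class ResolverCache:
    """Keep answers no longer than their TTL; expired ones must be re-queried."""

    def __init__(self):
        self._entries = {}

    def put(self, record, now):
        self._entries[(record.name, record.rtype)] = (record, now + record.ttl)

    def get(self, name, rtype, now):
        hit = self._entries.get((name, rtype))
        if hit is None or now >= hit[1]:
            self._entries.pop((name, rtype), None)  # stale: forget it
            return None
        return hit[0]
```

The www record carries its own 300-second TTL, so a caching server that learned it at time 0 still answers from the cache at second 299 but must query the master again at second 300; the other records inherit the 86400-second $TTL.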
Managing the named Server
Once the /etc/named.conf configuration file and the zone information files are set up in /var/named, the named daemon is started by entering /usr/sbin/named
The script used is in /etc/rc.d/init.d
The rndc utility is used to control the name server from a command line without reloading
rndc can operate over a network connection, but is used only locally by default
Using bindconf.gui
Using Command-line Utilities
It is important to test the DNS server once it is up and running; each of the following utilities requests DNS information about a specific hostname or IP address:
host provides a brief response showing the IP address of the hostname specified
nslookup is more complete in that it can be run in interactive mode or from the command line
dig extracts data from the zone information files of DNS servers for domains requested
A utility that goes beyond host, nslookup, and dig is nsupdate
nsupdate allows a user to update zone information files dynamically at the command line
nsupdate is an interactive utility, with a separate command prompt
The configuration file /etc/named.conf must be properly updated to allow the use of nsupdate
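The change to /etc/named.conf that permits nsupdate is an allow-update ACL on the zone, and the tempting quick fix, allow-update { any; }, lets every host that can reach the server rewrite the zone. The following Python checker is added here as a teaching script (it is not part of BIND): it scans a constructed named.conf excerpt and flags zones whose allow-update or allow-transfer ACL admits any host, and reports which zones accept updates at all. The key name and secret in the sample are placeholders.

```python
"""Audit named.conf zone statements before enabling nsupdate (added code).

Flags any zone whose allow-update or allow-transfer ACL is "any", and
reports each zone's allow-update ACL (None means the directive is absent,
which is BIND's default of denying updates). The configuration text is a
constructed sample; the key secret is a placeholder.
"""
import re

# Constructed /etc/named.conf excerpt with one open and two restricted zones.
SAMPLE_CONF = """
options { directory "/var/named"; };

key "ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // generated out of band
};

zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { any; };          // anyone may run nsupdate against this zone
};

zone "example.net" IN {
    type master;
    file "example.net.zone";
    allow-update { key "ddns-key"; };   # only clients holding the TSIG key
};

zone "example.org" IN {
    type master;
    file "example.org.zone";
    allow-transfer { any; };        /* no allow-update: updates are denied */
};
"""

RISKY_DIRECTIVES = ("allow-update", "allow-transfer")
ZONE_START = re.compile(r'zone\s+"([^"]+)"[^{]*\{')


def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def zone_blocks(conf):
    """Yield (zone name, body text) for every zone statement in conf."""
    text = _strip_comments(conf)
    for match in ZONE_START.finditer(text):
        depth, pos = 1, match.end()
        while pos < len(text) and depth:          # find the matching close brace
            depth += {"{": 1, "}": -1}.get(text[pos], 0)
            pos += 1
        yield match.group(1), text[match.end():pos - 1]


def acl(body, directive):
    """Return the ACL list of a directive, or None when it is not set."""
    match = re.search(directive + r"\s*\{([^}]*)\}", body)
    if match is None:
        return None
    return [tok.strip() for tok in match.group(1).split(";") if tok.strip()]


def audit(conf):
    """List (zone, directive, token) for every ACL that admits everyone."""
    findings = []
    for name, body in zone_blocks(conf):
        for directive in RISKY_DIRECTIVES:
            for token in acl(body, directive) or []:
                if token.lower() == "any":
                    findings.append((name, directive, token))
    return findings


def updates_allowed_from(conf):
    """Map each zone to its allow-update ACL (None = updates denied)."""
    return {name: acl(body, "allow-update") for name, body in zone_blocks(conf)}


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("open ACL:", finding)
    print(updates_allowed_from(SAMPLE_CONF))
```

Only example.net is set up the way a dynamic-update zone should be: nsupdate works there for clients that sign their requests with the named key, while example.com accepts updates from anyone and example.org hands its whole zone to anyone who asks for a transfer.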
Configuring a Basic Email Server
Linux email servers include: sendmail, Qmail, Postfix and smail
Sendmail is the most widely used email server in the world
The sendmail package contains the sendmail daemon
Sendmail is started using a script in /etc/rc.d/init.d
Sendmail is configured using the file /etc/sendmail.cf
Most email administrators prefer to use the m4 program to configure sendmail
Email servers use DNS to locate the mail exchanger for a recipient, then hand the message to the sendmail daemon for delivery
Relaying is when sendmail tries to deliver a message that didn’t originate on the same host where sendmail is running
One problem with relaying is that spam email generators use it to hide their origin
Sendmail can be configured to avoid problems such as spamming
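The relaying decision just described can be written down as a small policy. The Python below is added here as a teaching model of the RELAY rules in sendmail's access database; it is not sendmail's code, and all domains, addresses and networks are constructed. Mail for the server's own domains is accepted for local delivery, relaying is allowed only for clients in explicitly trusted networks, and everything else is refused, which is what denies spam generators the chance to hide their origin behind the server.

```python
"""Relay control decision for a mail server (added teaching code).

Models the RELAY rules of sendmail's access database: accept mail for the
server's own domains, relay only for clients in trusted networks, refuse the
rest. All addresses and networks below are constructed sample values.
"""
import ipaddress

REFUSED = "550 Relaying denied"


class RelayPolicy:
    def __init__(self, local_domains, relay_networks):
        self.local_domains = {d.lower() for d in local_domains}
        self.relay_networks = [ipaddress.ip_network(n) for n in relay_networks]

    def decide(self, client_ip, rcpt_to):
        """Return (accepted, reason) for one RCPT TO command."""
        rcpt_domain = rcpt_to.rpartition("@")[2].lower()
        if rcpt_domain in self.local_domains:
            return True, "local delivery"
        client = ipaddress.ip_address(client_ip)
        if any(client in net for net in self.relay_networks):
            return True, f"relay for trusted client {client_ip}"
        return False, REFUSED          # outside client, outside recipient

    def is_open_relay(self):
        """True when the policy would relay for every address on the Internet."""
        return any(net.prefixlen == 0 for net in self.relay_networks)


# Constructed (client address, recipient) pairs as seen in an SMTP session log.
SAMPLE_ENVELOPES = [
    ("192.0.2.10", "friend@example.org"),      # our own LAN sending outbound mail
    ("198.51.100.7", "alice@example.com"),     # inbound mail for a local user
    ("198.51.100.7", "victim@example.org"),    # outsider asking us to relay
    ("203.0.113.5", "another@example.edu"),    # outsider asking us to relay
]


def screen(policy, envelopes):
    """Count how many envelopes a policy accepts and refuses."""
    counts = {"accepted": 0, "refused": 0}
    for client_ip, rcpt_to in envelopes:
        accepted, _reason = policy.decide(client_ip, rcpt_to)
        counts["accepted" if accepted else "refused"] += 1
    return counts


if __name__ == "__main__":
    policy = RelayPolicy(["example.com"], ["192.0.2.0/24"])
    for client_ip, rcpt_to in SAMPLE_ENVELOPES:
        print(client_ip, rcpt_to, policy.decide(client_ip, rcpt_to))
    print(screen(policy, SAMPLE_ENVELOPES))
    print("open relay:", RelayPolicy(["example.com"], ["0.0.0.0/0"]).is_open_relay())
```

The is_open_relay check catches the misconfiguration where a trusted network of 0.0.0.0/0 is listed: that is exactly the setting that turns the server into the relay spammers look for.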
Using Forwarding and Aliases
Sendmail maintains a forwarding database that contains handling rules for a user’s email
If a user has moved their principal email account to another server, a line can be added to the forwarding database to redirect their email
Forwarding relying on single domain names for incoming messages can be done using the aliases file /etc/aliases
An email alias is another name that delivers email messages to the user
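Added Python illustrating alias and .forward expansion as just described (a teaching model with constructed data, not sendmail's alias code): postmaster resolves through root to a real mailbox, a user who moved to another server is redirected by a .forward entry, an alias names a small list of recipients, and an alias loop is reported instead of being followed forever. The set of local domains and the file contents are assumptions.

```python
"""Expand sendmail aliases and per-user .forward entries (added teaching code).

A local name is looked up in the aliases database; a local user with no alias
may still have a .forward file redirecting mail; anything else is a local
mailbox or a remote address. Loops are detected. All data is constructed.
"""

LOCAL_DOMAINS = {"example.com"}   # assumed: addresses here are treated as local

# Constructed /etc/aliases contents ("name: target, target" format).
ALIASES_TEXT = """
# Basic system aliases, these must be present.
postmaster:     root
root:           alice

# Small mailing lists and role addresses
webmaster:      alice, bob
staff:          alice, bob,
                carol@example.net
loop1:          loop2
loop2:          loop1
"""

# Constructed contents of ~bob/.forward: bob moved his mail to another server.
FORWARD_FILES = {"bob": "bob@mail.example.org\n"}


class AliasLoopError(Exception):
    pass


def _targets(text):
    return [t.strip() for t in text.split(",") if t.strip()]


def parse_aliases(text):
    """Parse 'name: target, target' lines; indented lines continue an entry."""
    table, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError(f"continuation line without an entry: {line!r}")
            table[current].extend(_targets(line))
            continue
        name, _, rest = line.partition(":")
        current = name.strip().lower()
        table[current] = _targets(rest)
    return table


def _localpart(address):
    """Return the local user name if the address belongs to us, else None."""
    user, at, domain = address.partition("@")
    if not at or domain.lower() in LOCAL_DOMAINS:
        return user.lower()
    return None


def expand(address, aliases, forwards, chain=()):
    """Return the set of final destinations for one address."""
    user = _localpart(address)
    if user is None:
        return {address}              # remote: handed to that domain's mail exchanger
    if user in chain:
        raise AliasLoopError(" -> ".join(chain + (user,)))
    chain = chain + (user,)
    if user in aliases:
        targets = aliases[user]
    elif user in forwards:
        targets = _targets(forwards[user].replace("\n", ","))
    else:
        return {user}                 # ordinary local mailbox
    result = set()
    for target in targets:
        result |= expand(target, aliases, forwards, chain)
    return result


def detect_loops(aliases, forwards):
    """Names whose expansion never terminates; worth running before newaliases."""
    looping = []
    for name in aliases:
        try:
            expand(name, aliases, forwards)
        except AliasLoopError:
            looping.append(name)
    return looping


if __name__ == "__main__":
    table = parse_aliases(ALIASES_TEXT)
    for name in ("postmaster", "webmaster", "staff"):
        print(name, "->", sorted(expand(name, table, FORWARD_FILES)))
    print("loops:", detect_loops(table, FORWARD_FILES))
```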
Watching sendmail Work
Creating a Linux Web Server
A Web server is a daemon that accepts requests via HTTP and responds with the requested files
The most widely used Web server in the world today is Apache
Apache is included with every standard version of Linux and is usually installed by default
Other Linux Web servers include: Boa, iPlanet, Servertec iServer, Stronghold, Zeus
Some of the features that make Apache so popular include:
A regular development cycle
Virtual hosting, which allows a single Web server to provide documents for multiple Web sites
A modular design that allows functionality choices
Many security options and performance tuning settings
A broad support base, despite being free software
Apache is started from the standard script /etc/rc.d/init.d/httpd
Apache configuration files are stored in /etc/httpd/conf
The main configuration file, httpd.conf, contains hundreds of configuration options, called directives, that affect global and local operation of Apache
Apache can keep a connection active, or alive, after a file is transferred
Apache uses a master server to spawn additional servers that handle client requests
Many features of Apache are implemented as loadable modules, where the user defines what their copy of Apache will do by what modules are selected for inclusion
Much of the httpd.conf file is organized into containers, special directives that activate other directives upon certain conditions
Virtual hosting is the feature of Apache that lets a single copy of Apache serve documents for several Web sites
Apache can act as a proxy server, which intercepts requests from clients and forwards them as if they came from the proxy server rather than the original client
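As an added example (Python written for these notes, not Apache's own code), the following parses the <VirtualHost> containers out of a constructed httpd.conf excerpt in the Apache 1.3/2.0 name-based style and reproduces how Apache chooses the virtual host for a request: the Host header is matched against each container's ServerName and ServerAlias, and when nothing matches the first container listed for that address serves as the default. The nested <Directory> container is shown to illustrate containers inside containers; it plays no part in host selection.

```python
"""Name-based virtual host selection from httpd.conf containers (added code).

Parses <VirtualHost> containers from a constructed httpd.conf excerpt and
picks the one whose ServerName or ServerAlias matches the request's Host
header, falling back to the first container as Apache does.
"""
import fnmatch
import re

# Constructed excerpt: two name-based virtual hosts on the same address.
HTTPD_CONF = """
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   www.example.com
    ServerAlias  example.com *.example.com
    DocumentRoot /var/www/example.com
</VirtualHost>

<VirtualHost *:80>
    ServerName   www.example.net
    DocumentRoot /var/www/example.net
    <Directory /var/www/example.net/private>
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>
"""

CONTAINER = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NESTED = re.compile(r"<Directory\s+[^>]+>.*?</Directory>", re.S | re.I)


def parse_vhosts(conf):
    """Return a list of dicts, one per <VirtualHost>, in file order."""
    vhosts = []
    for addr, body in CONTAINER.findall(conf):
        body = NESTED.sub("", body)   # per-directory access rules do not select a host
        settings = {"address": addr.strip(), "ServerAlias": []}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(" ")
            if key == "ServerAlias":
                settings["ServerAlias"] += value.split()
            else:
                settings[key] = value.strip()
        vhosts.append(settings)
    return vhosts


def select_vhost(vhosts, host_header):
    """Pick the container serving host_header; the first one is the default."""
    host = host_header.split(":", 1)[0].lower().rstrip(".")
    for vh in vhosts:
        names = [vh.get("ServerName", "").lower()] + [a.lower() for a in vh["ServerAlias"]]
        if any(fnmatch.fnmatchcase(host, n) for n in names if n):
            return vh
    return vhosts[0]


if __name__ == "__main__":
    hosts = parse_vhosts(HTTPD_CONF)
    for header in ("shop.example.com:80", "www.example.net", "unknown.example.org"):
        print(header, "->", select_vhost(hosts, header)["DocumentRoot"])
```

The default-host rule is the practical caveat: a request whose Host header matches no site is served by whichever VirtualHost happens to be listed first, so the first container should be one you are content to expose to arbitrary hostnames.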
Chapter Summary
Routing tables guide the Linux kernel in sending packets to their final destination on distant networks
Interior routing protocols are used within an organization using mathematical algorithms to determine how to route packets
Exterior routing protocols are used for routing packets among organizations, based on policy decisions about which specific sources of routing information are to be trusted - and how much
The routed daemon implements RIP on Linux, but typically only for small networks
OSPF is a highly effective interior routing protocol which builds a chart of the status of all routers that it knows of, determining the best route based on a complex mathematical algorithm
The gated daemon supports RIP version 2 with classless addressing, OSPF, and BGP on Linux
DNS is an Internet-wide information hierarchy used to provide hostname-to-IP-address matching and IP-address-to-hostname matching
Queries about a given hostname usually begin with one of the Internet’s root DNS servers
A zone is part of a domain about which a particular DNS server is authorized to provide information
Reverse DNS provides a security mechanism that is widely used to prevent unauthorized users from completing queries to various network services
Setting up a simple caching name server to forward DNS queries to another name server makes efficient use of network bandwidth for many small networks
The DNS protocol is implemented in Linux by the named daemon, which is part of the BIND collection of programs
Resource records hold information about a host within a zone that clients can receive through queries
The Start of Authority (SOA) record defines how to reach the DNS administrator for a zone
bindconf.gui is one utility used to configure named
The host, nslookup, and dig commands let you query a DNS server from the command line
The nsupdate utility lets you update DNS zone information over a network, on the fly
Popular Linux email servers include sendmail (most popular), Qmail, Postfix, and smail
Startup options for sendmail are configured via /etc/sysconfig/sendmail, but sendmail is most often configured through the /etc/sendmail.cf file
Spam is a source of great concern and annoyance to email server administrators, and email servers provide many features to control this problem
Aliases are a popular way to redirect email or create small mailing lists via sendmail
Apache is the most widely used Web server and it is included with all standard distributions of Linux
One copy of Apache is the master server and it controls Apache copies that handle client requests
Most functions in Apache are performed by loadable modules, configured using directives in httpd.conf
Apache uses directives to control access to the server on a per-directory basis, and can also host multiple Web sites using virtual hosting directives
Apache supports advanced features like virtual hosting and acting as a proxy server