LINUX ADMINISTRATION TYBSC-IT SEM V
UNIT 4
CHAPTER 1 : INTERNET SERVICES

WHAT IS AN INTERNET SERVICE?

An Internet service can be defined as any service that can be accessed through a TCP/IP based network, whether an internal network (intranet) or an external network (the Internet). Internet services can be provided over either secure or non-secure TCP/IP connections. Common services are Telnet, FTP, SMTP, HTTP, ICMP, ARP, DNS, ssh, scp, sftp, and others.
SECURE SERVICES

Plain-text traffic is extremely easy for anyone to eavesdrop on. Since the Internet has exploded in popularity, running insecure services such as these is not a good idea. That's why secure replacements have been developed. These replacements provide stronger authentication controls and encrypt all their traffic to keep your data safe.
ssh

Secure Shell, also known as ssh, is a secure telnet replacement that encrypts all traffic, including passwords, using a public/private encryption key exchange protocol.

    ssh vnavrat@woolf.xena.edu

When you start ssh, it asks for your password, and then you have a regular terminal screen.
scp

Secure Copy, also known as scp, is part of the ssh package. It is a secure alternative to rcp and ftp. You can scp files to any machine that has an ssh daemon running.
sftp

Secure File Transfer Program, also known as sftp, is an FTP client that performs all its functions over ssh. The syntax for sftp is:

    sftp user@host:file file
LESS SECURE SERVICES

These are insecure services that should not be used, since they trust that the network is absolutely secure.

telnet

Telnet is an application that's available almost everywhere. All telnet traffic, including passwords, is sent in plain text.

    [vnavrat@buffy vnavrat]$ telnet xena
    Trying 127.0.0.1...
    Connected to xena.
    Escape character is ^].
    Welcome to null.xena.edu
    login:
rsync

rsync is an unencrypted file transfer program that is similar to rcp. It enables the differences between two sets of files on two machines to be transferred across the network.

rsh

rsh is an unencrypted mechanism to execute commands on remote hosts:

    rsh remotehostname remotecommand

rlogin

rlogin is a remote login program that connects your terminal to a remote machine's terminal.

finger

finger enables users on remote systems to look up information about users on another system. Generally finger displays a user's login name, real name, terminal name, idle time, login time, office location, and phone number.
talk and ntalk

talk and ntalk are real-time chat protocols. The talk server runs on port 517; the ntalk server runs on port 518.
USING YOUR LINUX MACHINE AS A SERVER

http

The most common Web server used on Linux is Apache. Its configuration files live in /etc/httpd/conf/.

sshd

The secure shell daemon (sshd) is started out of the system's rc scripts. The global system configuration files are in /etc/ssh, and each user's ssh configuration files are in $HOME/.ssh/.
ftpd

The FTP daemon uses ports 20 and 21 to listen for and initiate FTP requests. Its configuration files (ftpaccess, ftpconversions, ftpgroups, ftphosts, ftpusers) are located in the /etc directory.

dns

The Domain Name Service (DNS) maps IP addresses to hostnames. It is served by the named program on port 53. Its configuration file is named.conf in the /etc directory.
THE INETD SERVER

inetd is called an Internet superserver. It is launched at boot time, and listens for connections on network sockets. It checks the inetd.conf file to see what services should be running. It then reads the /etc/services file to see what ports those services should be running on.

xinetd

xinetd is a replacement for inetd that adds more security and functionality. A great reason to run xinetd is that it can run alongside inetd. inetd and xinetd behave the same way.
INETD AND XINETD
SERVICES ARE SPAWNED FROM SUPERSERVERS SUCH AS INETD AND XINETD

1. chargen: random character generator that sends its traffic over tcp
2. daytime-udp: gives you the time over udp
3. finger: user information lookup program
4. kshell: restricts user access to the shell
5. rlogin: service similar to telnet, but enables trust relationships between machines
6. swat: Samba Web Administration Tool
7. time: gives you the time
8. chargen-udp: random character generator that sends its traffic over udp
9. echo: echoes back all characters sent to it over tcp
10. gssftp: kerberized FTP server
11. rsh: remote shell
12. talk: a talk (real-time chat) server
13. time-udp: gives you the time over udp
14. comsat: notifies users if they have new mail
15. echo-udp: echoes back all characters sent to it over udp
16. klogin: Kerberos's answer to rlogin
17. ntalk: a talk (real-time chat) server
18. rsync: remote file transfer protocol
19. telnet: telnet server
20. wu-ftpd: an ftp server
21. daytime: gives you the time over tcp
22. eklogin: encrypting kerberized rlogin server
23. krb5-telnet: kerberized telnet server
24. rexec: provides remote execution facilities
25. sgi_fam: file monitoring daemon
26. tftp: trivial file transfer program
STAND-ALONE SERVICES

These services are started from the rc scripts specifically written for them in the rc directories. You can enable or disable these services from those directories.
1. apache: Web server
2. sshd: ssh server
3. sendmail: mail server
4. qmail: mail server
5. postfix: mail server
6. thttpd: semilightweight Web server
7. boa: lightweight Web server
8. named: dns server
9. xfs: X font server
10. xdm: X display manager
11. portmap: maps RPC services to ports
12. rpc.quotad: serves quota information
13. knfsd: userspace portion of the NFS daemon
14. rpc.mountd: NFS mount server
15. rpc.ypbind: NIS server
16. squid: Web proxy server
17. nessusd: penetration testing server
18. postgresql: database server
19. mysql: database server
20. oracle: database server
LINUX FIREWALL PACKAGES

Linux provides a few different mechanisms for system security. One of these mechanisms is Linux's firewall packages. Two of the firewalling packages available are tcp-wrappers and ipchains. tcp-wrappers is a minimalistic packet filtering application to protect certain network ports; ipchains is a packet filtering firewall.
TCP wrappers works only on programs that are started from inetd.

An inetd.conf entry without tcp-wrappers looks like this:

    telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd

The same entry with tcp-wrappers looks like this:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
WHAT "WITH AND WITHOUT WRAPPER" MEANS

If your system does not have TCP Wrappers built in, your configuration will have to use the tcpd program that is part of TCP Wrappers to wrap inetd services. In order to wrap an inetd service, you simply change its entry in /etc/inetd.conf so that tcpd is executed. The entry before wrapping:

    telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd

and after:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

In other words, replace the pathname of the daemon with the full path to tcpd, leaving everything else untouched.
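The two procedures described so far, inetd resolving each inetd.conf entry to its port through /etc/services (the inetd superserver slide) and the administrator swapping the daemon path for tcpd (the wrapping slide), as an added shell example that is not part of these slides. The inetd.conf and services contents are constructed samples written to a temporary directory, and the function names inetd_listen_ports, flag_plaintext_services, list_unwrapped and wrap_with_tcpd are this example's own; it also audits which enabled entries belong to the plain-text services the chapter warns about, which the slides do not show.

```shell
#!/bin/sh
# Added example: audit a constructed inetd.conf the way inetd and tcpd read it.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# Constructed sample of /etc/inetd.conf (not a real system file).
INETD_CONF="$TMP/inetd.conf"
cat > "$INETD_CONF" <<'EOF'
# service  socket  proto  wait    user  server-program        server-args
ftp        stream  tcp    nowait  root  /usr/sbin/tcpd        in.ftpd -l -a
telnet     stream  tcp    nowait  root  /usr/sbin/in.telnetd  in.telnetd
#shell     stream  tcp    nowait  root  /usr/sbin/in.rshd     in.rshd
daytime    dgram   udp    wait    root  internal
EOF

# Constructed sample of /etc/services (name  port/proto).
SERVICES="$TMP/services"
cat > "$SERVICES" <<'EOF'
ftp      21/tcp
telnet   23/tcp
shell    514/tcp
daytime  13/tcp
daytime  13/udp
EOF

# Step 1 (what inetd does at startup): for every enabled entry, look the
# service's port up in the services file. Prints "service proto port".
inetd_listen_ports() {
    awk -v svcfile="$2" '
        BEGIN {
            while ((getline line < svcfile) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                split(line, f, /[ \t]+/)
                split(f[2], pp, "/")          # "23/tcp" -> port 23, proto tcp
                port[f[1] "/" pp[2]] = pp[1]
            }
            close(svcfile)
        }
        /^[ \t]*(#|$)/ { next }               # comments and blank lines
        {
            key = $1 "/" $3
            print $1, $3, ((key in port) ? port[key] : "?")
        }
    ' "$1"
}

# Services the chapter classes as plain-text: report any that are enabled.
flag_plaintext_services() {
    inetd_listen_ports "$1" "$2" | awk '
        BEGIN { bad["telnet"] = 1; bad["shell"] = 1; bad["login"] = 1
                bad["exec"] = 1;   bad["finger"] = 1 }
        ($1 in bad) { print $1, $3 }
    '
}

# Step 2 (the wrapping slide): which entries still start the daemon directly
# instead of through tcpd? inetd's own "internal" services need no wrapper.
list_unwrapped() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $6 != "internal" && $6 != "/usr/sbin/tcpd" { print $1 }
    ' "$1"
}

# Rewrite those entries: replace the daemon pathname with /usr/sbin/tcpd and
# leave the server arguments (which still name the daemon) untouched.
wrap_with_tcpd() {
    awk '
        /^[ \t]*(#|$)/ { print; next }
        $6 == "internal" || $6 == "/usr/sbin/tcpd" { print; next }
        { $6 = "/usr/sbin/tcpd"; print }
    ' "$1"
}

echo "== ports inetd would listen on ==";   inetd_listen_ports "$INETD_CONF" "$SERVICES"
echo "== plain-text services enabled ==";   flag_plaintext_services "$INETD_CONF" "$SERVICES"
echo "== daemons not wrapped by tcpd ==";   list_unwrapped "$INETD_CONF"
echo "== inetd.conf after wrapping ==";     wrap_with_tcpd "$INETD_CONF"
```

Run it as a plain script; pointing the functions at the real /etc/inetd.conf and /etc/services on an inetd-based system gives the same audit for that host. Field 6 is the server-program column of the inetd.conf format shown above, which is why the wrapper rewrite touches only that field.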
When inetd starts up, it looks through /etc/inetd.conf to see what network service connections it should start listening for. When a connection arrives, tcpd is called and reads the /etc/hosts.allow file to see if the hostname is allowed. If the hostname is in /etc/hosts.deny, the connection is closed.
SYNTAX OF AN ALLOW OR DENY RULE

    service : hostname : options

Add rules to hosts.allow or to hosts.deny.

In the hosts.allow file, to enable only machines from the xena.edu domain to telnet into your machine:

    in.telnetd:.xena.edu : ALLOW

In the hosts.deny file:

    in.telnetd:.xena.edu : DENY
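The evaluation order described on the previous two slides (hosts.allow is consulted first, then hosts.deny, and a connection that matches neither file is let through), together with the ALLOW and DENY options in the rule syntax above, as an added shell example that is not part of these slides. The hosts.allow and hosts.deny contents are constructed; hosts.deny here uses ALL: ALL so that the hosts.allow rule really does limit telnet to the xena.edu domain. The functions _match_rules and tcpd_decision are this example's own names, and the matcher is a simplification of tcpd's: it understands ALL, a leading-dot domain suffix, a trailing-dot network prefix and exact names, but not EXCEPT clauses, netgroups or address masks.

```shell
#!/bin/sh
# Added example: replay tcpd's hosts.allow / hosts.deny lookup against
# constructed rule files. Simplified matcher (no EXCEPT, netgroups or masks).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/hosts.allow" <<'EOF'
# constructed sample, not a real system file
in.telnetd: .xena.edu : ALLOW
sshd: ALL
EOF
cat > "$TMP/hosts.deny" <<'EOF'
ALL: ALL
EOF
: > "$TMP/hosts.empty"     # stands in for an absent or empty deny file

# _match_rules DAEMON CLIENT FILE DEFAULT
# Prints the verdict of the first rule in FILE that matches: the rule's own
# ALLOW/DENY option if it carries one, otherwise DEFAULT (what a plain match
# in that file means). Prints nothing when no rule matches.
_match_rules() {
    awk -F: -v daemon="$1" -v client="$2" -v dflt="$4" '
        function matches(pat, val) {
            if (pat == "ALL") return 1
            if (pat ~ /^\./) {                          # ".xena.edu": domain suffix
                if (length(val) < length(pat)) return 0
                return substr(val, length(val) - length(pat) + 1) == pat
            }
            if (pat ~ /\.$/) return index(val, pat) == 1   # "10.1.": network prefix
            return pat == val
        }
        /^[ \t]*(#|$)/ { next }
        {
            nd = split($1, d, /[ \t,]+/); nc = split($2, c, /[ \t,]+/)
            opt = toupper($3); gsub(/[ \t]/, "", opt)
            for (i = 1; i <= nd; i++) for (j = 1; j <= nc; j++) {
                if (d[i] == "" || c[j] == "") continue
                if (matches(d[i], daemon) && matches(c[j], client)) {
                    print ((opt == "ALLOW" || opt == "DENY") ? opt : dflt)
                    exit
                }
            }
        }
    ' "$3"
}

# tcpd_decision DAEMON CLIENT ALLOWFILE DENYFILE  -> prints ALLOW or DENY
# hosts.allow is searched first; only if nothing matched is hosts.deny
# searched; if neither file matches, the connection is allowed.
tcpd_decision() {
    verdict=$(_match_rules "$1" "$2" "$3" ALLOW)
    if [ -z "$verdict" ]; then
        verdict=$(_match_rules "$1" "$2" "$4" DENY)
    fi
    echo "${verdict:-ALLOW}"
}

for who in buffy.xena.edu host.example.com; do
    echo "in.telnetd from $who: $(tcpd_decision in.telnetd "$who" "$TMP/hosts.allow" "$TMP/hosts.deny")"
done
echo "in.ftpd from buffy.xena.edu: $(tcpd_decision in.ftpd buffy.xena.edu "$TMP/hosts.allow" "$TMP/hosts.deny")"
```

The xena.edu rule admits buffy.xena.edu but not a host such as xena.edu.example.com, because a leading-dot pattern is a suffix match, not a substring match. Removing the ALL: ALL line from hosts.deny (the hosts.empty file stands in for that) silently opens every wrapped service that hosts.allow does not mention, which is why the deny file is the part worth checking on a host that relies on tcpd.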
IPCHAINS

ipchains is Linux's built-in IP firewall administration tool. Using ipchains enables you to run a personal firewall to protect your Linux machine. If the Linux machine is a routing gateway for other machines on your network, it can act as a packet filtering network firewall if more than one network interface is installed.
END OF CHAPTER 1