-----------------------------------------
Exercise #07 for NET2003 due March 7, 2006
-----------------------------------------
-Ian! D. Allen - idallen@idallen.ca

Remember - knowing how to find out an answer is more important than
memorizing the answer.  Learn to fish!  RTFM!  (Read The Fine Manual)

Global weight: 5% of your total mark this term
Due date: 23h59 Tuesday March 7, 2006

Late-submission date: I will accept without penalty exercises that are
submitted late but before 10h00 on Thursday, March 9.  After that
late-submission date, the exercise is worth zero marks.

Exercises submitted by the *due date* will be marked online and your
marks will be sent to you by email after the late-submission date.

NOTE: For full marks, keep your own answer lines shorter than 80
columns in this course!  Keep your terminal window set to 80 columns.
The VIM editor will automatically wrap most lines as you type them if
you enter "set wrapmargin=5" in your $HOME/.vimrc file.  You do not
have to shorten lines that are the output of programs; only your *own*
typing needs to be wrapped at 80.

--------------------
Part 0 - Preparation
--------------------

Synopsis: Read details on Unix networking tools in week07notes.txt and
associated Advanced Linux Networking ("ALN") pages.  Use Unix
command-line tools to investigate network issues.

"ALN" is Advanced Linux Networking, by Roderick W. Smith

Prepare an answer file named exercise07answers.txt with your
assignment label at the top.  Copy the questions below into the file,
trim away any of my examples and output, and answer each question
using your own resources.

---------------
Part I - netcat
---------------

On your caddy Mandriva system, the man page for netcat ("man nc")
mentions a README pathname under "SEE ALSO".  The name is wrong.  Find
the correct pathname (under /usr/share/doc/).

1) Give the correct pathname to the README file and explain how you
   found it.  (What Unix tools and shell features aided you in finding
   it?)
The README file gives an example paragraph of using netcat in "Listen
mode" with input redirected from a filename.  Set up netcat on your
machine with input redirected from the password file and with
"verbose" output enabled.  Have a buddy connect to your machine using
the given port number and verify that the password file is sent onto
his screen.  Break out of the connection and restart it; but, this
time, have your buddy redirect the output of netcat into a file.  (You
will need to interrupt netcat after the file is transferred.)
Checksum the file on your buddy's computer to verify that it arrived
intact.

2) Give the netcat command line you used, and the netcat command line
   used by your buddy, to transfer the file.

Try the same listen mode example without any redirection at all (but
do enable verbosity) and have a buddy use netcat to connect to your
machine using the given port number.  When the connection succeeds,
you will have a private line-oriented two-way text message connection.
Each line you type will appear on the other person's screen.

During the two-way chat, in another window on your machine, run
tcpdump on that port:

    # tcpdump -n -i eth0 port 1234

(You may need to specify a different interface and/or port.)  You
should see dump traffic every time you pass a line between your two
systems.  Interrupt your netcat session; break out of the two-way chat.

3) Copy the tcpdump output from the *last three* session packets here.
   (Some of the last tcpdump packets should show "F" FIN TCP flags
   set.)

On the Course Linux Server use netcat to connect to the localhost
Internet Printing Protocol (IPP) port and pull out the first page
using an HTTP "GET" request, as if you were pulling up the root page
from a web server.  (IPP is another text-based protocol.)  Use output
redirection to store the fetched page in a file so you can look at it
more carefully.

4) What netcat command line did you use to connect to the localhost
   IPP port and redirect its output to a file?
   What did you type into netcat to fetch the root page?

5) Copy the header lines from the IPP response into your answer here.
   (The header lines start with a code 200 "OK" response line and all
   precede the very first statement of the web page.  There are about
   seven header lines to copy here.)

---------------------------
Part II - MAC neighbourhood
---------------------------

On your caddy Mandriva system, trigger any network access to some other
machine (use HTTP, SSH, FTP, anything) and then immediately list the
MAC addresses known to your host.  (The single "-a" option is
recommended to see IP addresses and avoid host name truncation in the
output.)

6) Enter the command you used and its output here.  The output will
   have a format similar to this (though the actual hosts will differ):

    . (192.168.9.254) at 00:04:E2:50:08:96 [ether] on eth0
    elm.home.idallen.ca (192.168.9.250) at 00:0E:A6:C3:A0:78 [ether] on eth0

---------------------------------------------
Part III - looking for rogue network programs
---------------------------------------------

As network administrators, you need to become familiar with what
"normal" means on a Unix system.  What programs are normally running?
What ports are normally open?  Let's look at your "normal" Mandriva
caddy system.

7) Generate a listing of *all* the open TCP and UDP ports on your
   Mandriva caddy system.  Use the option to display numerical output;
   don't convert the numbers to symbolic names.  The output format
   should look something like this, though your actual ports will
   differ:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:608             0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
    [... many lines deleted ...]
    udp        0      0 127.0.0.1:123           0.0.0.0:*
    udp        0      0 0.0.0.0:123             0.0.0.0:*
    udp        0      0 :::123                  :::*

   Copy the command used and your own output to here.  It should show
   only TCP and UDP entries, nothing else.

8) [REVISED noon 2006/03 to use an easier netstat option - thanks to
   Alex K.]
   Modern versions of "netstat" have an option to show the PID and name
   of the program using each Internet port (when run as root).  Use
   that option to find out which programs are using each of the Local
   Address ports for TCP and UDP services only.  (Don't show the Unix
   services.)  Enter the command and its output here.

   If you don't have a modern "netstat" installed, you can do this:

   [OLD WAY - PREVIOUS VERSION OF THIS QUESTION]
   For each given TCP port number NNN, run "fuser -vn tcp NNN" (as
   root) to identify the Unix process that has that TCP port open.  (If
   you don't have the fuser command installed, locate it and fetch it
   using the usual urpm* package tools.)

   Use either netstat or fuser (not both) to determine the PID and
   command name of the processes with open ports.  Enter here the
   command used and its output, for each port.

9) [SEE Q-8 REVISION ABOVE]
   For each given UDP port number NNN, run "fuser -vn udp NNN" to
   identify the Unix process that has that UDP port open.  Enter the
   command used and its output, for each port.

10) Now generate a listing of all the open TCP and UDP ports in
    symbolic form.  (Re-run the command and omit the option that
    requests numeric output.)  The output format will look similar to
    this (note the symbolic names):

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 *:608                   *:*                     LISTEN
    tcp        0      0 localhost:10026         *:*                     LISTEN
    tcp        0      0 *:netbios-ssn           *:*                     LISTEN
    [... many lines deleted ...]
    udp        0      0 localhost:ntp           *:*
    udp        0      0 *:ntp                   *:*
    udp        0      0 *:ntp                   *:*

    Copy the command line you used and your own output to here.

    Pick two ports that are not translated into names (which means
    these ports are not present in the /etc/services file) and look up
    the numbers on the Internet, perhaps in the IANA "well known port
    numbers" file or in an online port list.

11) Which two ports did you pick?  What did you find out about them?
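An added example for Part III (it is not part of the exercise and not the course's own code) of the "what is normal" check the section is building toward, carried one step further than the questions ask: the functions below read a numeric netstat listing on standard input, reduce it to one proto/port per line, and then report two different things - ports that have no entry in an /etc/services-style table, and ports that were not open when a baseline was recorded on the same system. The netstat listing, the services table and the baseline are constructed samples embedded in the script, not output from any real host.

```shell
#!/bin/sh
# Port-inventory helpers (added example; not the exercise's own code).
# Every input below is a constructed sample, not output from a real host.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:608             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:10026         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 :::123                  :::*'

# Constructed subset of /etc/services: name, then port/proto.
SAMPLE_SERVICES='http            80/tcp
netbios-ssn     139/tcp
ntp             123/udp'

# Constructed baseline: the proto/port set recorded on the same system when
# it was known to be clean.  Port 608 was open then; 10026 was not.
SAMPLE_BASELINE='tcp/80
tcp/139
tcp/608
udp/123'

# open_ports: read a numeric netstat listing on stdin and print "proto/port"
# for every tcp/udp socket, deduplicated.  The port is the text after the
# last colon of the Local Address field, which also handles IPv6 ":::123".
open_ports() {
    awk '$1 == "tcp" || $1 == "udp" {
            n = split($4, f, ":"); print $1 "/" f[n]
         }' | LC_ALL=C sort -u
}

# services_keys: convert an /etc/services-style table on stdin into the
# same "proto/port" form so the two lists can be compared line by line.
services_keys() {
    awk 'NF >= 2 { split($2, f, "/"); print f[2] "/" f[1] }' | LC_ALL=C sort -u
}

# not_in_list: print each line of stdin that is absent from the
# newline-separated list given as $1 (exact whole-line matches only).
not_in_list() {
    while read -r key; do
        printf '%s\n' "$1" | grep -qxF -- "$key" || printf '%s\n' "$key"
    done
}

# unnamed_ports: open ports that /etc/services cannot name (the kind of
# port you would look up by number in question 11).
unnamed_ports() {
    known=$(printf '%s\n' "$SAMPLE_SERVICES" | services_keys)
    printf '%s\n' "$SAMPLE_NETSTAT" | open_ports | not_in_list "$known"
}

# new_since_baseline: open ports that were not open when the baseline was
# taken.  A port can have a name and still be new, and vice versa, so the
# two checks answer different questions.
new_since_baseline() {
    printf '%s\n' "$SAMPLE_NETSTAT" | open_ports | not_in_list "$SAMPLE_BASELINE"
}

echo "Unnamed ports:";       unnamed_ports
echo "New since baseline:";  new_since_baseline
```

On a real system, pipe the numeric listing from question 7 into open_ports and feed /etc/services to services_keys instead of the samples; keep the baseline file somewhere you trust and rerun the comparison after every package install, so a new listener shows up as a one-line difference rather than as something you have to notice by eye in a long listing.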
----------------------
Part IV - network hops
----------------------

12) Produce a numeric (no host names looked up) trace routing of the
    number of hops between your caddy and hosts (a) net2003.idallen.ca,
    (b) ian0.idallen.ca.  (The net2003 address goes to my home via
    Sympatico ADSL; the ian0 address goes via Cybersurf ADSL.)

---------------------------------------
Part V - service start-up and shut-down
---------------------------------------

Reading Reference: Notes file chkconfig.txt, ALN p.84-86

13) Again produce a listing of *all* open TCP ports on your system
    (TCP only this time!) and pipe it into grep to find only the HTTP
    port, to demonstrate that the Apache server is listening on the
    HTTP web port in your Mandriva system.  (The output should be one
    line - the line matching the HTTP port.)

    If HTTP isn't running, find out why.  Did you install it?  Is your
    system in run level "3" as it should be?  Is the Apache service
    enabled in run level "3"?  Make sure Apache is running and
    listening on the HTTP port.

Your sysadmin tells you that he is going to pick the only unused run
level in your Mandriva system, to be used as a stand-alone run level
with no network services started.  He asks you to start this
conversion by making the necessary changes in your Mandriva system so
that the Apache server is not started in the unused run level, even if
the Apache service is reset to defaults using the chkconfig command.
The Apache server must be shut down when the system switches to the
unused run level.

14) How do you know which run level is currently unused under
    Mandriva?  (In which config file is the use of run levels
    documented?)

15) What changes do you make to ensure that "chkconfig reset" does not
    enable Apache in the unused run level at boot time?  (Notes file:
    chkconfig.txt)  What file do you edit; what change do you make?

    After you make the correct edit, resetting the Apache service with
    chkconfig should create the symlinks needed to shut down Apache in
    the unused run level instead of starting it.
    Make sure the correct symlinks are created by chkconfig.

16) How do you use chkconfig to reset the Apache service so that it is
    shut down in the unused run level and started correctly in other
    levels at boot time?  What chkconfig command line resets the HTTP
    service to its stored defaults?

17) Produce a long listing of the "rc" directory corresponding to the
    formerly unused run level, after you have successfully used
    chkconfig to reset and configure your system's symlinks to shut
    down Apache in the unused run level.  Show that the symlinks into
    the init.d/ directory are correct for that run level.

Use the "telinit" command to change from your current run level (which
should be level "3" for a server) to the unused run level.

18) After changing to the "unused" run level, produce a listing of
    *all* open TCP ports on your system (TCP only!) to demonstrate that
    changing to the new run level caused the Apache service to run its
    "stop" script.  Nothing should be listening on the HTTP port while
    your system is in the unused run level.

Use "telinit" to change back to run level "3".  Verify that the Apache
server starts up again.

Labelling and Submission
------------------------

NOTE: For full marks, keep your own answer lines shorter than 80
columns in this course!  Keep your terminal window set to 80 columns.
The VIM editor will automatically wrap most lines as you type them if
you enter "set wrapmargin=5" in your $HOME/.vimrc file.  You do not
have to shorten lines that are the output of programs; only your *own*
typing needs to be wrapped at 80.

Submit the finished and labelled file for marking as Exercise 07 on
the Course Linux Server, using the following netsubmit command line:

    $ netsubmit 07 exercise07answers.txt
    $ netsubmit -list

Class Notes reference: netsubmit.txt - Using the netsubmit command
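Back to Part V, as an added illustration that is not part of the exercise and not Mandriva's own scripts: the symlinks you inspect in question 17 are derived mechanically from the "# chkconfig: LEVELS START STOP" comment line near the top of an init script. On a reset, chkconfig creates an S<START> link in each run level listed in LEVELS and a K<STOP> link in every other level, so the service's stop script runs when the system enters a level where it is not wanted. The functions below reproduce that naming rule and check a directory listing for the result. The header line, the service name, the priorities and the directory listing are all constructed samples; the priority values are an assumption, not the real values from any Mandriva httpd script.

```shell
#!/bin/sh
# Added example of how chkconfig turns an init script's header line into
# rcN.d symlink names.  All values are constructed; priorities are assumed.

# Constructed header of the kind found near the top of /etc/init.d scripts.
SAMPLE_HEADER='# chkconfig: 345 85 15'

# rc_link_name HEADER SERVICE LEVEL: print the symlink name chkconfig would
# create in rcLEVEL.d/ - S<start>SERVICE if LEVEL appears in the header's
# level list, otherwise K<stop>SERVICE (so the stop script runs on entry).
# A level list of "-" means the service is started in no level at all.
rc_link_name() {
    service=$2
    level=$3
    set -- $1                 # split header into: # chkconfig: LEVELS START STOP
    levels=$3 start=$4 stop=$5
    case $levels in
        *"$level"*) printf 'S%s%s\n' "$start" "$service" ;;
        *)          printf 'K%s%s\n' "$stop"  "$service" ;;
    esac
}

# rc_links_all HEADER SERVICE: one line per run level 0-6, the way the
# long listings in question 17 would show them.
rc_links_all() {
    for lvl in 0 1 2 3 4 5 6; do
        printf 'rc%s.d/%s\n' "$lvl" "$(rc_link_name "$1" "$2" "$lvl")"
    done
}

# Constructed names-only listing of one rc directory (what "ls" prints).
SAMPLE_RC2='K15httpd
K35smb
S10network
S56xinetd'

# service_state_in_listing SERVICE LISTING: print "start", "stop" or
# "absent", taken from the S/K prefix of the first link whose name after
# the two-digit priority equals SERVICE.
service_state_in_listing() {
    printf '%s\n' "$2" | awk -v svc="$1" '
        substr($0, 4) == svc && substr($0, 1, 1) == "S" { print "start"; found = 1; exit }
        substr($0, 4) == svc && substr($0, 1, 1) == "K" { print "stop";  found = 1; exit }
        END { if (!found) print "absent" }'
}

rc_links_all "$SAMPLE_HEADER" httpd
echo "httpd in sample rc2.d: $(service_state_in_listing httpd "$SAMPLE_RC2")"
```

The useful habit here is the second function: after a reset, do not trust the header you edited, list the rc directory of the run level in question and confirm that the only link for the service is a K link. A leftover S link from an earlier configuration would start the service again at boot even though the header now says otherwise.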