------------------------- Week 12 Notes for NET2003 -------------------------
-Ian! D. Allen - idallen@idallen.ca

Remember - knowing how to find out an answer is more important than
memorizing the answer.  Learn to fish!  RTFM!  (Read The Fine Manual)

Keep up on your readings (Course Outline: average 5 hours/week homework)

[************************************************************]
[************************************************************]
[*** Students should be taking their own notes in class   ***]
[*** and updating them with my published summaries.       ***]
[************************************************************]
[************************************************************]

Abbreviation "ALN" = your "Advanced Linux Networking" text by R.W.Smith

Last week:
   - Mail Systems Terminology: MTA, MDA, Push, Pull, etc.
   - configuring SMTP (Postfix)

Note on managing System V /etc/rc?.d/ symlinks:
   - look for packages such as "chkconfig" and "sysv-rc-conf" that let
     you manage the links more easily with fewer errors
   Q: What is the advantage to using a tool to manage the rc?.d symlinks?

Free O'Reilly Safari eBook Resources (from an Algonquin network):
   http://proquest.safaribooksonline.com/

===============================================================================
Network Security
----------------

start at: www.sans.org

   "Most Unix/Linux systems include a number of standard services in their
   default installation.  These services, even if fully patched, can be
   the cause of unintended compromises.  Security savvy administrators
   harden systems by turning off unnecessary services and/or firewalling
   them from the Internet."
      http://www.sans.org/top20/?ref=3706

   - tcpdump reference card at SANS (sans.org): http://www.sans.org/info/3871
   - more on iptables/netfilter:
        http://www.netfilter.org/
        http://www.faqs.org/docs/iptables/
        http://linux-ip.net/
        http://linux-ip.net/html/part-concepts.html

* Pre-configuring a network of servers using virtual machines

   Entry-level network administrators don't get to play with the real
   systems; but, with a virtual environment you can practice anyway.
   The VNS lets you pre-configure networks of application servers,
   routers, and firewalls and test them all before deploying them to
   production systems.  (VMware "Workstation" also lets you configure
   multiple-virtual-machine groups with networks and start/suspend them
   together.)

   Q: What advantage does a virtual environment offer you when
      configuring networks of Linux servers?

===============================================================================
Configuring SMB (Samba) - ALN Chapter 7 p.167
---------------

Using Samba 3rd Edition (from an authorized network):
   http://proquest.safaribooksonline.com/0596007698

SMB is not a text-friendly protocol.  Unlike Internet protocols such as
SMTP, POP3, HTTP, etc., whose commands are lines of text, the SMB
protocol is binary (fixed-layout headers and length fields) and you
can't just "look at it" or type it from the keyboard.

Q: T/F Like SMTP, you can use netcat to access the SMB protocol.

Q: What does Samba let a Linux system do? p.167,168
Q: What is the name of the main Samba config file? p.169
Q: What is the purpose of the special [global] share? p.169,180
Q: What is the syntax to define each share in the config file? p.169

   - Where is the main Samba config file on your VNS system (absolute path)?
   - What is the workgroup of the VNS Samba service? p.170
   - What is the name of the SysV start-up script for Samba?
     (If you're on a system where it's not called "samba", you can grep
     for "samba" in all the SysV start-up scripts to find the executable
     name - sometimes it's called "smb" or "smbd".)
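To see why you can't drive SMB from a keyboard the way the SMTP exercises let you, here is the very first message an SMB1 client sends, built and then decoded field by field.  This is an added example written for these notes in Python; it is not code from the notes, the ALN text or the Samba project.  The header layout is the documented 32-byte SMB1 header inside a NetBIOS session-service wrapper; the PID and MID values are arbitrary, and the dialect strings are simply two that real clients advertise.

```python
import struct

SMB_COM_NEGOTIATE = 0x72            # first command a client sends on a new session
SMB1_HEADER = "<4sBIBHH8sHHHHH"     # 32-byte SMB1 header, little-endian, no padding
DIALECTS = [b"NT LM 0.12", b"SMB 2.002"]  # dialect strings a client typically offers

def build_negotiate_request(dialects=DIALECTS, pid=0x1234, mid=1):
    """Return the NetBIOS-session-wrapped SMB_COM_NEGOTIATE request bytes.
    pid and mid are arbitrary illustrative values chosen for this example."""
    header = struct.pack(
        SMB1_HEADER,
        b"\xffSMB",            # protocol magic: 0xFF 'S' 'M' 'B'
        SMB_COM_NEGOTIATE,     # Command
        0,                     # Status (unused in a request)
        0x18,                  # Flags: canonical pathnames, case-insensitive
        0xC843,                # Flags2: unicode, NT status codes, ext. security, long names
        (pid >> 16) & 0xFFFF,  # PIDHigh
        b"\x00" * 8,           # SecurityFeatures (signature), zero when unsigned
        0,                     # Reserved
        0,                     # TID: no tree connected yet
        pid & 0xFFFF,          # PIDLow
        0,                     # UID: not authenticated yet
        mid,                   # MID: multiplex id, pairs the reply with this request
    )
    # Data portion: each dialect is a 0x02 buffer-format byte followed by a
    # NUL-terminated ASCII string.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = header + bytes([0]) + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount
    # NetBIOS session service: type 0x00 (session message) + 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def parse_negotiate_request(packet):
    """Decode the wrapper, the fixed header and the dialect list back out of the bytes."""
    if packet[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(packet[1:4], "big")
    smb = packet[4:4 + length]
    if len(smb) != length or len(smb) < 35:
        raise ValueError("truncated SMB message")
    f = struct.unpack(SMB1_HEADER, smb[:32])
    if f[0] != b"\xffSMB":
        raise ValueError("bad SMB magic")
    word_count = smb[32]
    params_end = 33 + 2 * word_count
    (byte_count,) = struct.unpack("<H", smb[params_end:params_end + 2])
    data = smb[params_end + 2:params_end + 2 + byte_count]
    dialects = []
    for buf in data.split(b"\x00"):
        if buf:
            if buf[0] != 0x02:
                raise ValueError("unexpected buffer format byte")
            dialects.append(buf[1:].decode("ascii"))
    return {"command": f[1], "flags2": f[4], "pid": (f[5] << 16) | f[9],
            "mid": f[11], "unicode": bool(f[4] & 0x8000), "dialects": dialects}

def looks_like_text(data):
    """True when every byte is printable ASCII or whitespace, i.e. something you
    could type into netcat.  SMB fails this on its very first byte (0x00)."""
    return all(b in (9, 10, 13) or 32 <= b < 127 for b in data)

if __name__ == "__main__":
    req = build_negotiate_request()
    print(req.hex(" "))
    print(parse_negotiate_request(req))
    print("SMB typeable:", looks_like_text(req),
          "| SMTP greeting typeable:", looks_like_text(b"EHLO client.example\r\n"))
```

The dump shows why the netcat trick from the SMTP lab does not carry over: the length prefix, the 0xFF magic byte, the NUL bytes and the sixteen-bit fields cannot be produced from a terminal, which is also why tools like smbclient (below) exist.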
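The share-definition syntax, the special [global] section and the "hosts allow" restriction asked about in this section are easy to check mechanically once you know that Samba accepts several spellings of the same option.  The following is an added example for these notes (Python; not code from the notes, the ALN text or the Samba project): a small smb.conf parser that folds the parameter synonyms listed in smb.conf(5) onto one canonical name, applies [global] as the per-share default, models the "hosts allow" list (trailing-dot prefixes, network/mask entries and ALL; the EXCEPT clause is not handled), and flags shares that are writable and reachable by guests or by hosts outside the allowed list.  The sample config text, its share names and addresses are constructed for the example, and the defaults are the ones documented in smb.conf(5).

```python
import ipaddress

# Parameter-name synonyms from smb.conf(5).  Samba ignores case and whitespace
# in parameter names, and some synonyms are *inverted*:
#   read only = no   ==   writeable = yes   ==   write ok = yes
SYNONYMS = {                      # alias -> (canonical name, value is inverted?)
    "writeable":   ("read only", True),
    "writable":    ("read only", True),
    "write ok":    ("read only", True),
    "public":      ("guest ok", False),
    "allow hosts": ("hosts allow", False),
}
# Samba's own defaults for the parameters this audit cares about
DEFAULTS = {"read only": "yes", "guest ok": "no", "hosts allow": ""}

def to_bool(value):
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a boolean: %r" % value)

def parse_smb_conf(text):
    """Return {share: {canonical parameter: value}} from smb.conf text."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                   # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()       # [global], [homes], [tmp] ...
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = " ".join(name.lower().split())          # "Write OK" -> "write ok"
        canon, inverted = SYNONYMS.get(name, (name, False))
        value = value.strip()
        if inverted:
            value = "no" if to_bool(value) else "yes"  # store in the canonical sense
        conf[section][canon] = value
    return conf

def effective(conf, share, name):
    """A share's setting: its own value, else the [global] value, else Samba's default."""
    for scope in (share, "global"):
        if name in conf.get(scope, {}):
            return conf[scope][name]
    return DEFAULTS.get(name, "")

def host_allowed(hosts_allow, ip):
    """Would this 'hosts allow' list admit ip?  An empty list admits everyone.
    Handles ALL, exact addresses, trailing-dot prefixes ("192.168.1.") and
    network/mask entries; the EXCEPT clause is not modelled here."""
    entries = hosts_allow.replace(",", " ").split()
    if not entries:
        return True
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        if entry.upper() == "ALL":
            return True
        if entry.endswith("."):
            if ip.startswith(entry):
                return True
        elif "/" in entry:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        elif entry == ip:
            return True
    return False

def audit(conf, outside_ip="203.0.113.5"):
    """Flag shares an anonymous or off-LAN client could write to.
    outside_ip is a TEST-NET address standing in for 'some host on the Internet'."""
    findings = []
    for share in conf:
        if share == "global":
            continue
        if to_bool(effective(conf, share, "read only")):
            continue                                   # read-only share: nothing to flag
        if to_bool(effective(conf, share, "guest ok")):
            findings.append((share, "writable by anonymous guests"))
        if host_allowed(effective(conf, share, "hosts allow"), outside_ip):
            findings.append((share, "writable and reachable from any host"))
    return findings

# Constructed sample config for this example (not a real VNS smb.conf)
SAMPLE_SMB_CONF = """\
[global]
   workgroup = VNS
   hosts allow = 192.168.1. 127.

[homes]
   comment = Home Directories
   browseable = no
   writeable = yes

[tmp]
   path = /tmp
   public = yes
   Write OK = yes

[docs]
   path = /srv/docs
   read only = yes

[upload]
   path = /srv/upload
   guest ok = yes
   writable = yes
   allow hosts = ALL
"""

if __name__ == "__main__":
    for share, problem in audit(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("[%s]: %s" % (share, problem))
```

Run against the sample, [tmp] is flagged for guest writes (the "public"/"Write OK" spellings are folded into "guest ok"/"read only" first), [upload] is flagged twice because its own "allow hosts = ALL" overrides the LAN-only list inherited from [global], and [homes] is clean because it inherits that list and has no guest access.  Real Samba installs should be checked with "testparm", which prints the effective value of every parameter; this script only illustrates the inheritance and synonym rules it applies.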
   - Where does Debian/Ubuntu/VNS get additional samba configuration
     defaults?  (Read the first few lines of the start-up script to
     find out.)
     Q: Where do you look to find the additional Samba config file
        pathnames that are used when Samba is started?
   - What are the program names (and therefore man page names) of the
     two daemons started by the Samba start-up script?  (Go look!)
   - In which run levels (if any) is the Samba service configured to
     start on your VNS system?

Q: What does the -D option mean to the above two programs? (RTFM)

Q: True/False: Samba can authenticate its passwords against the Unix
   password file. p.171
Q: True/False: Samba passwords are always sent in cleartext. p.171
Q: True/False: Samba servers running encrypted passwords can accept
   connections from clients running cleartext passwords. p.171

Debian systems keep Samba's password database and other run-time state
files (not the config file itself) under /var/lib/samba/

Q: How do I add a user to the Samba password file? p.172
Q: How can I restrict which hosts connect to my Samba server? p.172
   (mnemonic - name similar to TCPwrappers /etc/hosts.allow)

Skip: Becoming a NetBIOS Name Server p.172

Q: What is the most common use of a Samba server? p.179
   - What is the syntax/format of a basic Samba file share? p.179

Note the crazy option synonyms that all do the same thing:

      read only = no
      writeable = yes
      write ok = yes

Q: T/F You are not permitted to have blanks in SMB option keywords

Q: What is the purpose of the special [homes] share? p.179
Q: Would it be useful to define multiple [homes] shares? p.180
   - Is the [homes] share enabled and browsable on your VNS system?
Q: What is the purpose of the special [global] share? p.180,169

The "smbclient" Samba client program is useful for debugging Samba
configurations on local and remote machines.  (The remote machines
will need to have the SMB ports open: TCP 445 and possibly the NetBIOS
ports 137-138 (UDP) and 139 (TCP).)

Some distributions suffix the Samba man pages with a version number.
If "man smbclient" doesn't work, try to locate the page using
"man -k smbclient".
That should give the version number.

Typing "smbclient" with no arguments will give you a summary of options.

You can list the visible Samba shares on a system, local or remote:

   $ smbclient -L localhost
   Password:                  # just push RETURN - no password
   Anonymous login successful
   Domain=[VNS] OS=[Unix] Server=[Samba 3.0.14a-Debian]

           Sharename       Type      Comment
           ...

Q: What command-line program is used to connect to SMB shares?

Once you have set a Samba password for an account using "smbpasswd",
you can log in and connect to various shares, including home directory
shares (replace vns with any other existing user account name):

   red~# smbpasswd vns
   ...
   red~# smbclient //localhost/vns -U vns
   Password:
   Domain=[RED] OS=[Unix] Server=[Samba 3.0.14a-Debian]
   smb: \> help
   ...
   smb: \> ls
   ...

Q: What program changes your SMB password?

Without the "-U" option to set your logon userid, smbclient defaults to
using the userid in the Linux $USER environment variable.

The smbclient interface is FTP-like - put and get work as you expect:

   smb: \> help get
   HELP get:
           <remote name> [local name] get a file

You can run single commands and save the output using the "-c" option
of smbclient:

   $ smbclient //localhost/tmp -U abcd0001 -c "ls" >out
   Password:
   Domain=[SOMEHOST] OS=[Unix] Server=[Samba 3.0.10]
   $ cat out
   ...

Remember that Samba *cannot* check an encrypted SMB login (the default,
and the only kind current Windows clients send) against your Unix
password file: Windows clients prove the password with an NT hash,
which is computed differently from the crypt hashes in /etc/shadow, so
Samba has to keep its own password database (which is why you ran
"smbpasswd" above).  Windows has its own password authentication method
and you can't change it to use any other.  You *can* tell Samba to
propagate Windows SMB password changes into the Unix password file via
"unix password sync".

Good luck trying to configure legacy Windows machines to work in a
mixed network of encrypted/non-encrypted access or via Active Directory
- read the book!

Configuring HTTP (Apache) - ALN Chapter 20 p.527
----------------

If you do take the risk of putting up a public web server, beware of
your company's network connection getting "Slashdotted"!

You don't have to run Apache (300KB+) - you can run smaller servers.
p.531

The book (published 2002) documents Apache Version 1, the version used
by the VNS and by many existing service providers (e.g. facebook.com,
idallen.com).  Newer web sites may use Apache Version 2, which has some
different configuration details.  Some of the program names changed to
have a version number "2" added for a period of time; recent versions
of Apache have gone back to having no version number.  Most of the man
pages are still named for the program without the suffix, e.g. you ask
for "man httpd" not "man httpd2".

We'll look at the common configuration options between Version 1 and
Version 2:

Q: What does a Web server do? p.528
Q: What common well-known port does an HTTP server listen on? p.528
Q: T/F HTTP is bi-directional - you can send information back from the
   client to the web server. p.528
   Note that the transfer of information can be two-way (HTTP uploading).
Q: T/F The Apache server also handles ftp:// and telnet:// URLs. p.528

Many systems come with documentation or Intranets in HTTP form.  Having
at least a "localhost" web browser can be useful. p.528

Q: What use would there be for a "localhost-only" HTTP server? p.528
Q: T/F: a single web server IP address can only host a single web site. p.529
Q: What are the trade-offs pro/con in running your own Web server,
   instead of outsourcing to a Web hosting service? p.529
Q: True/False: all Unix web servers (e.g. thttpd) occupy about the same
   amount of memory as Apache. p.531

   - What is the name of the SysV start-up script for Apache?
     (Hint: grep for "apache" in all the SysV start-up scripts)

     Much code in the newer Apache start-up scripts (Version 2) attempts
     to do the "right thing" for running either Apache Version 1 or
     Apache Version 2.  This makes the newer start-up scripts rather
     complex!

   - In which run levels (if any) is the Apache service configured to
     start on your VNS system?

Q: What is the (relative) name of the main Apache config file?
   p.532
   - Where is the main Apache config file on your VNS system (absolute
     path)?  (The file has a title of "Apache HTTP server configuration
     file".)

     Version 2 Apache has split the configuration file up into
     different parts; look for other *.conf files under /etc/apache/
     (on Debian the Version 2 package uses /etc/apache2/ instead).

Q: What is the general syntax used in the Apache config files? p.533
   Note the HTML-like open/close container format used for multi-line
   directives
Q: T/F Like Samba, Apache directives have the form:  keyword = value

   - Looking in the config file, what is the path to the ServerRoot for
     your Debian system?  What is the path to the DocumentRoot?

Skip: Standalone vs. Super Server p.534

   - How can you change what port the web server listens on? p.537
     (The Port and BindAddress directives on p.537 only work for
     Apache v1 - Apache v2 uses "Listen" for both the address and the
     port, e.g. "Listen 127.0.0.1:8080" for a localhost-only server on
     port 8080.  A bare "Listen 8080" accepts connections on every
     interface, which is the difference between an Intranet-only server
     and one exposed to the Internet.)

Q: How can you change in which directory HTML documents are stored
   (the root of the document tree)? p.539

A great resource that documents in short form all the many
configuration directives used by Apache is the "Directive
Quick-Reference" link under:
   http://httpd.apache.org/docs/1.3/
   http://httpd.apache.org/docs/2.2/

//*EOF End of Notes