------------------------- Week 08 Notes for NET2003 -------------------------
-Ian! D. Allen - idallen@idallen.ca - www.idallen.com

Remember - knowing how to find out an answer is more important than
memorizing the answer. Learn to fish! RTFM! (Read The Fine Manual)

Keep up on your readings (Course Outline: average 5 hours/week homework).
A good way to memorize the material is to take notes in class and then
merge your notes with my published note summaries after class. You won't
be able to Google search during tests and exams.

* Abbreviation "ALN" = your "Advanced Linux Networking" text by R.W.Smith

Review: Week 7 notes
--------------------------------------------------------------------------------

Note on managing System V /etc/rc?.d/ symlinks:
- look for packages such as "chkconfig" and "sysv-rc-conf" that let you
  manage the links more easily with fewer errors

Q: What is the advantage to using a tool to manage the rc?.d symlinks?

--------------------------------------------------------------------------------
The inetd/xinetd "super-servers" - ALN Chapter 4 p.89-99
--------------------------------
* How a Super-Server works
  - two main programs: inetd (original) and xinetd (newer)
  - older "inetd" usually replaced with newer "xinetd"
  - config files/directories are different:
    /etc/inetd.conf vs. /etc/xinetd.conf and /etc/xinetd.d/

Q: How does a super-server work? p.89
   - binds to many ports
   - starts real server upon incoming connection

Q: Outline the costs/benefits of using a super-server instead of running
   many individual servers. p.89, p.108-110, table p.109

Q: Suppose the super-server and each of five other servers controlled by
   the super-server take 1MB of memory each.
   (1) How much memory is in use when none of the other servers are being used?
   (2) How much memory is in use if all the other servers are being used?

Q: If we start the five other servers (e.g.
   from SysV start-up scripts) without running the super-server,
   (3) how much memory is in use if none of the five servers are being used?
   (4) How much memory is in use if all of the five servers are being used?
   (Hint: same answer)

Q: A system often comes configured with many servers enabled in the inetd
   or xinetd config files. Are these servers safe to leave enabled? p.92

* TCP Wrappers - used by inetd and xinetd (and other programs such as sshd)

  The book mentions only inetd and xinetd as using TCP Wrappers - in fact,
  some other programs (e.g. sshd) use the same config files without having
  to use inetd or xinetd to start them. (TCP Wrappers was made into a
  library/API called "libwrap" that any server may include.) If a program
  uses TCP Wrappers directly, it is the *name* of the program that should
  be placed in the hosts.allow and hosts.deny config files, not the name of
  the service from /etc/services, e.g. use "sshd" not "ssh".

Q: What name should I place in /etc/hosts.allow to control the SSH service
   on port 22?

  TCP Wrappers are called "wrappers" because of the way they originated in
  the inetd.conf file, where the "tcpd" program was inserted in front of
  the daemon name, effectively "wrapping" the call to the daemon, e.g. a
  line from inetd.conf before TCP Wrappers and after adding TCP Wrappers:

     before:  telnet stream tcp nowait root telnetd
     after:   telnet stream tcp nowait root /usr/sbin/tcpd telnetd

  Note the use of tcpd in front of telnetd. The "tcpd" program does
  IP-based access checks and only calls the program telnetd if the checks
  pass (based on the contents of hosts.allow and hosts.deny).

Q: What is the network function of TCP Wrappers? p.92
Q: Can TCP Wrappers restrict access to a server based on IP address? p.92
Q: Can TCP Wrappers restrict access to a server based on port number? p.92
Q: Name the two config files used by TCP Wrappers. p.92
   Which of the two config files overrides the other config file?
   p.92
   What is the comment character used in these two files? p.93
   What is the "wildcard" name used in these files? p.93

Q: T/F Configuring the two TCP Wrappers files means TCP Wrappers will
   apply to all servers on your machine. p.93

Q: What is the syntax of the basic TCP Wrappers config file line? p.93-94
   How would I allow the SSH service from all hosts in domain carleton.ca?

  Note that if SSH (compiled to use libwrap) is running stand-alone, it
  expects to find its daemon name "sshd" in the TCP Wrappers config files,
  not the "ssh" service name from /etc/services. The book shows only "ssh",
  which is what you would use if running SSH from inetd or xinetd. (p.94)

  The book talks about blocking based on user name (ident or auth); but,
  this almost never works since most machines don't give out that info.
  (p.95)

Q: How do you tell TCP Wrappers to block access to all services from all
   IP addresses? p.95
Q: How do you tell TCP Wrappers to allow access to all services from all
   IP addresses?

* The "xinetd" super server
  - Where does the xinetd super-server keep its main config file? p.96
  - Where does the xinetd super-server keep its supplementary config files? p.96
  - How many supplementary xinetd config files are installed in your system?

  The xinetd config files have an option with the dumb name "disable" that
  you set to "yes" to DISABLE the service, and to "no" to ENABLE the
  service. (No option present means to enable.) (p.97)

Q: How do you enable a service under xinetd?
  - For all the supplementary xinetd config files on your system, how many
    are enabled/disabled? (Go look! "grep" is your friend) p.97

  The book says xinetd doesn't use TCP Wrappers (p.97); but, modern
  versions of xinetd come with TCP Wrappers "libwrap" compiled in. You can
  use options to disable this or modify how libwrap is used. RTFM

Q: T/F modern versions of xinetd have TCP Wrappers (libwrap) built-in.
  - How do you tell xinetd to reload/reread its configuration files?
    p.98

  The book mentions the access control features of xinetd as being
  "similar to TCP Wrappers". Modern xinetd has TCP Wrappers libwrap
  compiled in; it *is* TCP Wrappers. (p.98-99)

Q: How do you start or restart xinetd? (p.98)

  If you have system logging enabled, at start-up xinetd will log the
  number of services found and enabled (may be zero!).

Q: Will the xinetd process still be running if there are zero services
   configured?

-------------------------------------------------------------------------
Maintaining Consistent Time: Time Servers
-----------------------------------------
Configuring NTP - ALN Chapter 10 - p.241
  Read: When to run a time server
  Read: Setting up an NTP server
  Skip: Monitoring NTP's Operations
  Skip: Using samba to serve time
  Read: Summary

- Internet time is available from servers with different levels of accuracy.
- You can either run a system daemon to gently keep your clock updated;
  or, you can periodically run a client program to query a time server
  and fix your clock by resetting it.
- NTP client programs: ntpdate, rdate (old)
- The NTP server will not normally make large corrections; use ntpdate for that
  - at boot, run ntpdate before starting your NTP server
  - some NTP server start-up scripts automatically run ntpdate first
- pick time servers near you (or use pool.ntp.org, a collection of
  volunteer NTP time server machines)
  - Canadian stratum 2 servers: time.nrc.ca and time.chu.nrc.ca
  - http://inms-ienm.nrc-cnrc.gc.ca/time_services/network_time_protocol_e.html
- The default Ubuntu install does not install an NTP server. How does
  Ubuntu set the time? Hint: Look recursively for "ntpdate" in various
  configuration file locations.
- Is the "rdate" program (p.246) installed on your system?

Q: What is "pool.ntp.org"?
- program to sync PC hardware clock to system time: hwclock
  - Warning: Unix likes a hwclock in UTC (GMT); Windows uses local time
  - hwclock --systohc --localtime

Q: Why do you have to be careful about your BIOS clock settings when
   dual-booting Windows and Linux?

- why run a time server at all? p.242
- what is a "stratum 3" or "stratum 4" time server? p.243
- what is "slewing" a system clock? p.244
- True/False: the NTP program can correct any size time differences. p.244
- True/False: running NTP automatically keeps your system's hardware clock
  synchronized (as well as the software clock). p.245
- True/False: The NTP service on Linux is server-only. (Other computers can
  connect to this computer to receive time information; but, this computer
  does not synchronize with other computers unless you install another
  package than NTP.) p.245/246
- Where is the NTP configuration file usually kept? p.246
  Where does Debian keep the NTP configuration file? (Hint: "man -k ntpdate")
- How do you specify the names of time servers in the config file? p.246
- What network tool is useful in choosing the best NTP server for your
  location? p.248
- How do you get NTP to re-read its configuration file? p.248
- Can some NTP servers require authentication? p.252
- True/False: if you have many computers, you should configure them all to
  query the same remote NTP servers. p.252
- What risks do you incur running the NTP server? p.252
- True/False: if you want high-precision time keeping, you should run the
  ntpdate program instead of ntp. p.252
- True/False: the ntpdate program is replacing NTP. p.253
- NTP runs continually as a server daemon. How do you run ntpdate? p.254
- True/False: the best time to synchronize your system clock is at midnight,
  when other time servers are most accurate. p.254
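Added worked example for the TCP Wrappers section above (not from these notes or the ALN text): a small POSIX shell model of the tcpd/libwrap lookup order, run against constructed hosts.allow and hosts.deny files in a temporary directory. The simplified matching rules, the host names and the addresses are the example's own assumptions; the real hosts_access(5) syntax has more forms than are modelled here.

```shell
# Constructed model of the tcpd/libwrap lookup order (not real tcpd):
# hosts.allow is searched first, then hosts.deny; a client matched by
# neither file is allowed. Only ALL, exact names, ".domain" suffixes and
# "a.b.c." address prefixes are modelled (no EXCEPT, netmasks, netgroups).
set -eu
WRAP_DIR=$(mktemp -d)
trap 'rm -rf "$WRAP_DIR"' EXIT
# Stand-alone sshd is matched by its daemon name "sshd", not by "ssh".
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# permit sshd from the carleton.ca domain and one local subnet (constructed)
sshd: .carleton.ca, 10.0.0.
EOF
cat > "$WRAP_DIR/hosts.deny" <<'EOF'
ALL: ALL
EOF
# match_client PATTERN CLIENT: status 0 when PATTERN covers CLIENT
match_client() {
    pat=$1; host=$2
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$host" in *"$pat") return 0 ;; esac ;;   # domain suffix
        *.)  case "$host" in "$pat"*) return 0 ;; esac ;;   # address prefix
        *)   [ "$pat" = "$host" ] && return 0 ;;
    esac
    return 1
}
# file_matches FILE DAEMON CLIENT: status 0 when some "daemons : clients"
# line in FILE matches both the daemon name and the client
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac          # blank or comment
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clients=$(printf '%s' "${line#*:}" | tr ',' ' ')
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $clients; do
                match_client "$c" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}
# tcpwrap_check DAEMON CLIENT: prints "allow" or "deny"
tcpwrap_check() {
    if file_matches "$WRAP_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WRAP_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow; fi
}
```

Try `tcpwrap_check sshd host.carleton.ca` (allow) against `tcpwrap_check ssh host.carleton.ca` (deny): with the service name instead of the daemon name, nothing in hosts.allow matches and the ALL: ALL line in hosts.deny wins.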