Transcript Document

Chapter 15: Advanced Topics and Troubleshooting
The Complete Guide to Linux System Administration

Objectives

• Understand X Window System scripts and remote access
• Implement basic system security
• Use simple features of common network services
• Troubleshoot common hardware and software problems

X Window System Advanced Configuration

• Challenges in configuring the graphical system are now rare because of improvements in:
  – the XFree86 X server
  – installation programs

Configuring X

• X software is normally located in the directory /usr/X11R6
  – Sometimes called the X root directory
  – Version 11, release 6
• The configuration file for Red Hat Linux and Fedora is called xorg.conf and is located in the /etc/X11 directory
  – Commercial X servers use different configuration files

Configuring X (continued)

• xvidtune program
  – Adjusts the finer details of the display (monitor timings)
  – Can damage the monitor if used carelessly
• system-config-display program configures:
  – Screen resolution
  – Number of colors (color depth)

Using X Window System Start-up Scripts

• The X Window System starts automatically every time a user logs in at the graphical prompt
• startx command
  – Starts the X Window System from the command line
  – Script located in /usr/X11R6/bin
  – Starts the xinit program
  – Place start-up scripts in the user's home directory (xinit reads .xinitrc) to define the graphical configuration for that user

Using X Window System Start-up Scripts (continued)

• Background application
  – Does not prevent the program that started it from going on to other tasks
  – xinit scripts can start an X client in the background, then go on to start another
• Window manager
  – Responsible for controlling the graphical screen
  – Started last by xinit
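The start-up script described above, as an added example that is not from the book: a sample .xinitrc in which long-lived clients are backgrounded and the window manager is started last, plus a small lint that checks a start-up script for those rules. The client programs (xterm, xclock, twm) and the file locations are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the book: a sample ~/.xinitrc in the shape the
# slide describes (clients backgrounded with '&', window manager exec'd
# last), plus a lint that checks a start-up script for those rules.
# Client programs (xterm, xclock, twm) are assumptions for illustration.

# write_xinitrc TARGET: write the sample start-up script to TARGET.
write_xinitrc() {
    cat > "$1" <<'EOF'
#!/bin/sh
# One-shot setup: load this user's X resources if the file exists.
[ -r "$HOME/.Xresources" ] && xrdb -load "$HOME/.Xresources"
# Long-lived clients are backgrounded so xinit can go on to the next line.
xterm -geometry 80x24+0+0 &
xclock -geometry 100x100-0+0 &
# The window manager comes last; exec replaces the script, so the X session
# ends when the window manager exits.
exec twm
EOF
    chmod 0644 "$1"
}

# lint_xinitrc FILE: print each violation and return 1 if any; 0 if clean.
# The script runs with the user's full privileges at every login, so it must
# not be writable by group or other; the last command must exec the window
# manager; every earlier client must be backgrounded (or be a one-shot
# "[ test ] && command" line), otherwise it blocks the rest of the script.
lint_xinitrc() {
    file=$1
    ok=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    case $(ls -l "$file" | cut -c6,9) in          # group and other write bits
        --) ;;
        *) echo "writable by group or other: $file"; ok=1 ;;
    esac
    body() { grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$'; }
    last=$(body | tail -n 1)
    case $last in
        'exec '*) ;;
        *) echo "last command must be 'exec <window manager>', got: $last"; ok=1 ;;
    esac
    body | sed '$d' | while IFS= read -r line; do
        case $line in
            '['*']'' && '*|*'&') ;;
            *) echo "client not backgrounded, blocks the script: $line" ;;
        esac
    done | grep . && ok=1
    return $ok
}
```

Run `write_xinitrc "$HOME/.xinitrc"` to install the sample and `lint_xinitrc "$HOME/.xinitrc"` to check an existing script; a foreground client such as a bare `xterm` line stops xinit from ever reaching the window manager, which is the classic symptom of a broken .xinitrc.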

Adjusting the Display of Graphical Applications

• X resource
  – Separate screen elements such as:
    • Scroll bars
    • Text fonts
    • Mouse pointers
    • Title bars for windows or dialog boxes
  – A collection of default X resource settings applies to all X applications

Adjusting the Display of Graphical Applications (continued)

• Resource database file
  – Settings apply only when a specific user runs a specific application
  – The main files are in the app-defaults directory at /usr/X11R6/lib/X11
  – The user's home directory can contain additional settings in:
    • .Xresources
    • .Xdefaults

Adjusting the Display of Graphical Applications (continued)

• xrdb command
  – Loads the initial X resource database
  – Adds resource configuration details from files
  – xrdb -load $HOME/.Xresources
• xfontsel command
  – See the fonts supported by the X Window System
• xset command
  – Adjust the behavior of X to suit preferences

Using a Graphical Login Screen

• Most Linux distributions start in run level 5
  – Graphical environment
• xdm program
  – Graphical login screen provided by the X display manager
  – Versions specific to KDE and GNOME are called:
    • kdm
    • gdm
• A session defines the set of graphical programs to run when a user logs in

Using a Graphical Login Screen (continued)

• The Xsession file specifies which programs are started by a particular session name
• xdm executes the file /etc/X11/xdm/Xsession to determine which X clients to run
• .xsession file
  – Placed in the user's home directory
  – Controls which sessions that specific user has available
• Files in the /etc/X11/xdm subdirectory configure the features of xdm

Using a Graphical Login Screen (continued)

• Any type of computer can run an X server
• A graphical application (X client) decides which X server to use
  – By default it uses the X server on the same computer
  – Specify a different server with:
    • the DISPLAY environment variable
    • a -display option added to the command
• Configuring remote display security
  – The X server on the remote host must be configured to allow other computers to display programs there

Using a Graphical Login Screen (continued)

• xhost command specifies the name of a remote computer permitted to use the local X server
  – Insecure: authorization is per host, so every user on the permitted host gets full access to the display, and xhost + disables access control entirely
• xauth command restricts access to users on the remote system who hold a specific token
  – Commonly called a cookie
    • MIT magic cookie (MIT-MAGIC-COOKIE-1)

Using a Graphical Login Screen (continued)

• .Xauthority files
  – Stored in the user's home directory
  – User-to-user security system (the cookie file is readable only by its owner)
• Remote graphical login
  – Log in to a Linux system and use its graphical environment as if sitting at that system
  – Uses XDMCP
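The xhost versus xauth distinction above, as an added example that is not from the book: a check that reads the access-control state `xhost` reports and flags host-based grants, a generator for a cookie of the shape xauth stores for MIT-MAGIC-COOKIE-1, and a check that the cookie file is private to its owner. The xhost output and host names used are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: (1) audit the access-control state that
# `xhost` reports, (2) generate a cookie in the shape xauth stores for
# MIT-MAGIC-COOKIE-1, (3) check that a cookie file is private to its owner.
# The xhost output below is constructed, not captured from a real server.

# xhost_audit: read `xhost` output on stdin, print findings, return 1 if any
# host-based access is in effect. A host entry authorises every user on that
# host (and anyone who can spoof its address) to read the screen and inject
# keystrokes; "access control disabled" (xhost +) authorises everyone.
xhost_audit() {
    status=0
    while IFS= read -r line; do
        case $line in
            'access control disabled'*)
                echo "CRITICAL: xhost + is in effect, any client may connect"; status=1 ;;
            'access control enabled'*|'') ;;
            SI:localuser:*)
                echo "INFO: per-user local grant, acceptable: $line" ;;
            INET:*|INET6:*|LOCAL:*)
                echo "WARNING: host-based grant, every user on that host may connect: $line"; status=1 ;;
            *)
                echo "WARNING: unrecognised entry: $line"; status=1 ;;
        esac
    done
    return $status
}

# new_magic_cookie: 128 random bits as 32 hex digits, the same shape `mcookie`
# produces. Install it with:  xauth add "$DISPLAY" MIT-MAGIC-COOKIE-1 "$cookie"
# and copy it to a remote host that should display here with:
#   xauth extract - "$DISPLAY" | ssh remote xauth merge -
new_magic_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# xauthority_check FILE: ~/.Xauthority must be readable by its owner only;
# otherwise every local user can take the cookie and connect.
xauthority_check() {
    [ -f "$1" ] || { echo "no cookie file: $1"; return 1; }
    case $(ls -l "$1" | cut -c5-10) in            # group and other rwx bits
        ------) return 0 ;;
        *) echo "cookie file is accessible to other users: $1"; return 1 ;;
    esac
}

# Constructed samples: a server opened with xhost +, and a cookie-only server.
SAMPLE_OPEN='access control disabled, clients can connect from any host
INET:build.example.com'
SAMPLE_COOKIE_ONLY='access control enabled, only authorized clients can connect
SI:localuser:alice'

printf '%s\n' "$SAMPLE_OPEN" | xhost_audit || echo "=> host-based access found, prefer cookies"
printf '%s\n' "$SAMPLE_COOKIE_ONLY" | xhost_audit && echo "=> cookie-based access only"
```

On a live system run `xhost | xhost_audit` and `xauthority_check "$HOME/.Xauthority"`; the per-host form survives only because it is convenient, and the cookie form costs one `xauth merge` on the remote side.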

Displaying X Clients Remotely

• X protocol
  – The X Window System uses its own protocol to communicate between the X server and each X client
  – Can be used over network connections (TCP port 6000 plus the display number)
  – The protocol is not encrypted, so in practice it is tunneled through SSH (ssh -X) rather than exposed directly

Security Issues: The Structure of a Secure Network

• Security is divided into areas:
  – Physical security
  – User security
  – File security
  – Network security

Types of Security Attacks

• Password cracking
• Trojan horse
• Buffer overflow attacks
• Denial-of-service (DoS)
• Port scanning
• Packet sniffing

Security Tools

• nmap
  – Most widely used port-scanning utility
  – Can use a variety of different scanning methods
  – nmap -sS www.myplace.net (TCP SYN scan; requires root privileges)
• nmapfe utility
  – Graphical front end for nmap
• IPTraf program
  – Popular tool for viewing network activity on a LAN

Security Tools (continued)

• tcpdump utility
  – Similar to the IPTraf program
  – Also includes more detailed information about packets on the network
• Ethereal (now called Wireshark)
  – One of the best packet-sniffing tools
  – Network traffic analysis tool

Security Tools (continued)

• An intrusion detection system (IDS) watches the network for activity that may indicate an attacker is looking for a way into a server
• Linux Intrusion Detection System (LIDS)
  – Adds a module (kernel patch) to the Linux kernel
  – Blocks access to resources for all users, including root, except as configured by LIDS

Security Tools (continued)

• Security audit
  – A review or test of how secure a system really is
  – What needs to be done to improve its security
• Security Administrator's Integrated Network Tool (SAINT) utility
  – Uses a Web browser interface to manage an "attack" on the network
  – Reports the vulnerabilities it finds

Viruses and Worms

• Security threats designed to replicate themselves once installed on a system
• A virus tries to replicate as part of another program
• A worm attempts to infiltrate other systems on its own
• Linux is rarely the subject of virus attacks
• Worms pose a greater threat than viruses

Security Organizations

• CERT Coordination Center (CERT/CC)
  – Part of the federally funded Software Engineering Institute at Carnegie Mellon University
  – Maintains lists of security vulnerabilities, alerts, and incident reports
• SANS (SysAdmin, Audit, Network, Security) Institute
  – Education and research organization
  – Web site: www.sans.org

Security Organizations (continued)

• Global Information Assurance Certification (GIAC) program
  – Certification program for security professionals from SANS

Using Network Services

• Most network services are installed by default
  – Controlled using a script in the /etc/rc.d/init.d directory or using the service command

Using NetFilter for Firewalls

• Firewall
  – A hardware device or software program that prevents unintended network access
• Packet filter
  – A firewall that examines each packet
  – Decides how to process it based on firewall rules
• NetFilter defines its rules in IP tables

Using NetFilter for Firewalls (continued)

• Packet stages (chains)
  – INPUT
  – FORWARD
  – OUTPUT
• The iptables command creates and manages firewall rules
• Rules are evaluated in the order defined in the chain
  – The first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate
  – A packet that matches no rule gets the chain's default policy

Using NetFilter for Firewalls (continued)

• Network address translation (NAT)
  – Routing technique
  – Alters addresses or other information in a packet
• IP masquerading
  – A type of network address translation
  – Packets from many computers on a LAN are altered to appear as if they came from a single computer

Using NetFilter for Firewalls (continued)

• system-config-securitylevel program sets up reasonable rules based on:
  – How secure the system should be
  – Specific protocols to leave more open
• Other graphical firewall programs that use IP tables:
  – Firestarter
  – Mason
  – KMyFirewall
  – GuardDog
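The NetFilter material above (chains, rule order, default policy, masquerading), as an added example that is not from the book: a default-deny rule set for a small gateway. The interface names eth0/eth1 and the LAN range 192.168.1.0/24 are assumptions for illustration. With DRY_RUN=1 (the default here) the iptables commands are printed instead of executed, so the rule set can be reviewed without root; run it as root with DRY_RUN=0 to load it.

```shell
#!/bin/sh
# Added example, not from the book: a default-deny filter for a small gateway
# using the three chains the slide names, plus masquerading for the LAN.
# Interface names and the LAN range are assumptions for illustration. With
# DRY_RUN=1 (the default here) the commands are printed instead of executed,
# so the rule set can be reviewed and tested without root; set DRY_RUN=0 as
# root to load it for real.

DRY_RUN=${DRY_RUN:-1}
LAN_IF=eth1                 # assumed: interface facing the LAN
WAN_IF=eth0                 # assumed: interface facing the Internet
LAN_NET=192.168.1.0/24      # assumed: private LAN range

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

load_firewall() {
    # Start from a clean table, then set default policies. Rules are tried in
    # order and the first one with a terminating target (ACCEPT, DROP, REJECT)
    # that matches decides; a packet that matches none gets the chain policy.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # INPUT: packets addressed to the gateway itself.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT     # ssh from the LAN only
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -j LOG --log-prefix "INPUT drop: "           # LOG is non-terminating; policy DROP follows

    # FORWARD: packets routed between the LAN and the Internet. New
    # connections are allowed outbound only; inbound new connections fall
    # through to the DROP policy.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT

    # IP masquerading: rewrite LAN source addresses to the WAN address on the
    # way out; replies are mapped back from the connection-tracking table.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# count_rules CHAIN: how many rules the dry run appends to CHAIN; handy for a
# quick review before loading.
count_rules() {
    ( DRY_RUN=1; load_firewall ) | grep -c -- "-A $1 "
}

load_firewall
```

The ordering matters: if the LOG rule were placed before the ACCEPT rules every accepted packet would be logged too, and if the ESTABLISHED,RELATED rule were missing, replies to the gateway's own outbound connections would hit the DROP policy.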

Setting Up a DNS Name Server

• Root name servers
  – DNS servers designated as the starting point for DNS queries
• Master DNS server or primary DNS server
  – Provides authoritative information on a domain
• Slave DNS server or secondary DNS server
  – Contains a backup copy of the DNS information, obtained from the master by zone transfer
• named
  – Daemon that implements DNS (part of BIND)

Setting Up a DNS Name Server (continued)

• Caching name server
  – Queries other DNS servers and caches the results
• Zone
  – A DNS server maintains information for at least part of a domain
• Zone information files
  – Define host names and their corresponding IP addresses
• rndc utility
  – Controls the named daemon from the command line

Setting Up a DNS Name Server (continued)

• dig utility
  – Query any DNS server
• whois
  – Information about the organization that registered a domain name

File Sharing with NFS

• Work with hard disks located all over the local network as if they were part of the local directory structure
• The NFS protocol is implemented by several daemons
  – rpc.mountd
  – nfsd
  – rpc.rquotad
  – rpc.statd

File Sharing with NFS (continued)

• The /etc/exports file defines which local directories should be accessible to remote users
• The exportfs command activates the contents of /etc/exports
• Squashing prevents a user from gaining access to a user account on the NFS server merely because that user has the same numeric user ID on the NFS client
  – root_squash (the default) maps the client's root to the unprivileged nobody user; no_root_squash hands the client's root full control of the exported tree
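The /etc/exports and squashing points above, as an added example that is not from the book: an audit that flags the entries a reviewer would question (no_root_squash, exports to every host or to wildcard host patterns, and entries that do not state sync or async). The sample exports file, its paths and client addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: flag risky entries in an /etc/exports
# file. The sample file, its paths and client addresses are constructed for
# the example. Options not listed explicitly fall back to exportfs defaults
# (ro, root_squash), which is why a bare "host(rw)" entry is still checked.

EXPORTS=$(mktemp)
cat > "$EXPORTS" <<'EOF'
# /etc/exports: directory  client(options) [client(options) ...]
/srv/backup   192.168.1.0/24(rw,sync,root_squash)
/srv/public   *(ro,sync)
/home         192.168.1.10(rw,sync,no_root_squash)
/opt/tools    *.example.com(rw)
/srv/anon     10.0.0.0/8(rw,all_squash,anonuid=65534,anongid=65534)
EOF

# has_opt NAME: is NAME in the comma-separated option list in $opts?
has_opt() {
    case ",$opts," in *,"$1",*) return 0 ;; esac
    return 1
}

# audit_exports FILE: print one finding per risky client entry; return 1 if any.
#   HIGH   no_root_squash: the client's root is root on the exported tree
#   HIGH   rw for client '*': any host that can reach the server may write
#   MEDIUM '*' or a wildcard host pattern: export is not pinned to known clients
#   LOW    neither sync nor async stated: behaviour depends on the NFS version
audit_exports() {
    file=$1
    found=0
    set -f                               # no pathname expansion: '*' is an NFS wildcard here
    while IFS= read -r line; do
        line=${line%%#*}                 # drop comments
        set -- $line                     # split into directory and client entries
        [ $# -ge 2 ] || continue
        dir=$1
        shift
        for entry in "$@"; do
            client=${entry%%"("*}
            if [ "$client" = "$entry" ]; then
                opts=""                  # no option list at all: exportfs defaults apply
            else
                opts=${entry#*"("}
                opts=${opts%")"}
            fi
            if has_opt no_root_squash; then
                echo "HIGH: $dir to $client uses no_root_squash"; found=1
            fi
            case $client in
                '*')
                    if has_opt rw; then
                        echo "HIGH: $dir is writable by every host ('*' with rw)"
                    else
                        echo "MEDIUM: $dir is readable by every host ('*')"
                    fi
                    found=1 ;;
                *'*'*|*'?'*)
                    echo "MEDIUM: $dir uses wildcard client pattern $client"; found=1 ;;
            esac
            if ! has_opt sync && ! has_opt async; then
                echo "LOW: $dir to $client does not state sync or async"; found=1
            fi
        done
    done < "$file"
    set +f
    return $found
}

audit_exports "$EXPORTS" || echo "=> review the findings above before running exportfs -a"
```

Point `audit_exports` at the real /etc/exports before `exportfs -a`; the one entry in the sample that passes cleanly is the one that names a specific network, keeps root_squash and states sync explicitly.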

Setting Up a Samba Server

• Samba suite
  – File and print sharing using the SMB and CIFS protocols
• Server daemons
  – nmbd
  – smbd
• smb.conf
  – Main configuration file

Setting Up a Samba Server (continued)

• It is common to allow everyone with a Linux user account to log in via Samba
• SWAT
  – Web-based graphical configuration tool for Samba
  – Runs as a network service managed by the superserver
  – Access SWAT at http://localhost:901/
  – SWAT speaks plain HTTP, so the root password it asks for crosses the network unencrypted; keep it bound to localhost or restricted to trusted hosts

Creating a Proxy Server with Squid

• Proxy server
  – Lets one computer make requests on behalf of other computers
  – Done to improve the efficiency and security of the network
• Squid requires significant configuration before use
  – In the file /etc/squid/squid.conf
• A transparent proxy redirects network packets to the proxy based on the port to which the packet is addressed, so clients need no proxy settings

Creating a Linux Web Server with Apache

• Daemon named httpd
  – Controlled with the apachectl program
• /etc/httpd/conf directory
  – Configuration files
• Many features are implemented as loadable modules
• A container activates other directives only if a condition is met or only within a particular context

Configuring a Basic E-mail Server

• Mail Transfer Agent (MTA) moves mail between e-mail servers
• Mail Delivery Agent (MDA) examines messages and delivers them to the user's mailbox file
• Mail User Agent (MUA) lets the user:
  – View messages stored in the mailbox
  – Create new messages

Configuring a Basic E-mail Server (continued)

• sendmail
  – Most widely known e-mail server
  – Managed using the standard script in /etc/rc.d/init.d
  – /etc/sendmail.cf
    • Configuration file
    • Considered to be the single most difficult Linux configuration file to master
  – m4 program
    • Generates sendmail.cf from a much shorter .mc macro file, which is how sendmail is normally configured

Configuring a Basic E-mail Server (continued)

• E-mail alias
  – Another name that delivers e-mail messages to a user
  – Configured in sendmail with the /etc/aliases file
• Monitor sendmail with:
  – the /var/log/maillog file
  – hoststat
  – mailq
  – mailstats

Using Superservers for Network Services

• Superserver
  – Listens on multiple network ports and starts the appropriate service when a client connection arrives for a port
  – Programs
    • inetd
    • xinetd

Using Superservers for Network Services (continued)

• tcpd
  – TCP wrappers
  – Examines each incoming network connection
  – Compares it to the configuration files to determine whether the connection is allowed
  – Configured by
    • /etc/hosts.allow
    • /etc/hosts.deny
  – Evaluation order: hosts.allow is checked first and a match allows; otherwise hosts.deny is checked and a match denies; a connection that matches neither file is allowed
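The tcpd decision procedure above, as an added example that is not from the book: a small reimplementation of the allow/deny lookup that shows why an empty hosts.deny leaves every wrapped service open. It handles the common client forms (ALL, an exact address or host name, and a dotted prefix such as 192.168.1.); netmask, EXCEPT and the optional shell-command field are not modelled. Both sample files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: reproduce the decision tcpd makes for a
# daemon and a client address against hosts.allow and hosts.deny. Handles the
# common forms ALL, an exact address or host name, and a dotted prefix such
# as 192.168.1. ; netmask, EXCEPT and shell-command fields are not modelled.
# Both sample files are constructed for this example.

WRAP_DIR=$(mktemp -d)
cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# daemon_list : client_list
sshd: 192.168.1. , 10.0.0.5
ALL: 127.0.0.1
EOF
cat > "$WRAP_DIR/hosts.deny" <<'EOF'
ALL: ALL
EOF

# list_match NEEDLE LIST: 0 if NEEDLE matches any comma/space separated token
list_match() {
    needle=$1
    for tok in $(printf '%s' "$2" | tr ',' ' '); do
        case $tok in
            ALL) return 0 ;;
            "$needle") return 0 ;;
            *.) case $needle in "$tok"*) return 0 ;; esac ;;   # dotted prefix
        esac
    done
    return 1
}

# file_match DAEMON CLIENT FILE: 0 if some line of FILE matches both fields
file_match() {
    while IFS= read -r line; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}
        rest=${line#*:}
        clist=${rest%%:*}                # a third field (shell command) is ignored
        list_match "$1" "$dlist" && list_match "$2" "$clist" && return 0
    done < "$3"
    return 1
}

# tcpd_decide DAEMON CLIENT: print allow or deny, the way tcpd decides:
# a hosts.allow match wins; otherwise a hosts.deny match denies; otherwise the
# connection is ALLOWED, so an absent or empty hosts.deny leaves everything open.
tcpd_decide() {
    if file_match "$1" "$2" "$WRAP_DIR/hosts.allow"; then echo allow; return 0; fi
    if file_match "$1" "$2" "$WRAP_DIR/hosts.deny"; then echo deny; return 1; fi
    echo allow
    return 0
}

for client in 192.168.1.77 10.0.0.5 203.0.113.9; do
    printf 'sshd from %s: %s\n' "$client" "$(tcpd_decide sshd "$client")"
done
```

The `ALL: ALL` line in hosts.deny is what turns the wrapper into a default-deny control; without it, the hosts.allow entries only document who is expected, and everyone else is let in too.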

Troubleshooting and Recovery

• Having an appropriate methodology makes it easier to locate and fix problems
• Basic methodology for troubleshooting
  – What system or service is causing the problem?
  – Can I eliminate other possible causes to limit the scope of the problem?

Troubleshooting Linux Installation

• Installation program doesn't boot
  – Boot disk created incorrectly
  – BIOS configured to start the operating system from the hard disk without first checking the floppy disk or CD-ROM
  – Installation program not able to detect the video card

Troubleshooting Linux Installation (continued)

• After Linux is installed, the system doesn't boot
  – Another boot manager was installed in the MBR
  – Trouble identifying hardware on the system that was not detected during the installation process
• Graphical interface doesn't work
  – Some video cards are not supported by XFree86
  – Supported by commercial X Window System products

Troubleshooting Linux Installation (continued)

• A device or part of memory isn't available
  – Hardware not correctly configured
  – Linux does not access all of the available system RAM because of limitations in the computer's BIOS

Diagnosing Device Status

• Utilities to learn about devices
  – /proc file system
  – lspci
  – setserial
  – usbmodules

Troubleshooting Network Connections

[Two figure-only slides; no text captured]

Creating Rescue Disks

• Rescue disk
  – 3.5-inch floppy disk used to boot a Linux-based computer
  – Create it when installing Linux
• Rescue mode
  – Boots from the CD
  – Searches for Fedora installations
  – Launches a console to repair problems

Summary

• Scripts used by the X Window System determine exactly which programs to start
• The graphical login screen is handled by xdm
• Graphical programs can be displayed remotely
• Computer security is often divided into categories
• Linux uses a firewalling and packet-filtering system called NetFilter

Summary (continued)

• A DNS server on Linux is implemented using the named daemon
• NFS permits remote users to mount a file system on an NFS server as part of their directory structure
• The Apache Web server is included with most Linux distributions
• Systematically eliminating possible problems is a good methodology for troubleshooting