Full Transcript


LINUX ESSENTIALS (010-160): A TIME COMPRESSED RESOURCE TO PASSING THE LPI® LINUX...

CHAPTER TEN
Networking Basics

OBJECTIVES
- Understand the basic network features in Linux
- Be able to configure a network connection in Linux
- Perform network testing in Linux
- Understand how to best protect your network in Linux

Networking is a critical part of modern computing. That's why most Linux distributions are capable of automatically creating a network connection when a user first boots up a Linux system. Unfortunately, there are some rare occasions when this automated process does not work properly. When this occurs, the user may need to uniquely configure the connection or debug a given problem.

Basic Network Features

Before you can understand how to configure, test, or protect a network connection, it is important to understand some of the most basic network features and terms. This includes commonly used network components like the internet, ethernet, Wi-Fi, TCP/IP, DHCP, an IP address, the network mask, the router, and DNS. Most users are already familiar with the internet since they use it every day. In fact, when you bought this book online, you were using the internet. The internet simply refers to the globe-spanning network of interconnected computers that use the standard Internet protocol suite (TCP/IP) to communicate.

To connect to the internet, most users will use a wired or wireless network. A wired network is often referred to by the hardware that network uses, called ethernet. Technically, ethernet is a specific way of breaking the data down into frames of information and then transmitting those frames over a media (such as a wire or radiofrequency wave), but most people refer to wired networks as "ethernet networks". This ethernet standard is defined within the IEEE 802.3 documentation standards. If you are using a wireless network, though, this is defined in the IEEE 802.11 standard and referred to as Wi-Fi. While there are other wireless networking standards that exist, such as cellular and Wi-Max, the most common standard for desktops, laptops, and other Linux-enabled devices is Wi-Fi.

Regardless of whether your device uses a wired or wireless connection, it is most certainly using TCP/IP to transmit the data from your system to another. The Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of standards that underlie most modern network communications at the software level. Every network connected device these days supports the TCP/IP protocol to communicate. For over 30 years, this has been the de facto standard, and it can be used with both wired and wireless connections.

In order for a device to communicate on a network using TCP/IP, that device must have a way for other devices to uniquely identify it. This can be done using its hostname or an IP address. A hostname is an alphanumeric name that a computer uses in order to be easily identified by humans. These hostnames consist of a computer portion and a network portion. For example, if you refer to the hostname of www.diontraining.com, you are really referring to the computer serving as our company's web server (known as www) on the network (known as diontraining.com). Unfortunately, though, computers don't understand these alphanumeric hostnames since computers are logical, mathematical creatures. Therefore, each computer must have a unique Internet Protocol (IP) address that can be used to identify itself on a given network. An IP address is what computers use to communicate with each other easily.

There are two types of IP address formats, known as IPv4 and IPv6. IPv4 is the older format and utilizes a 32-bit address in the form of four decimal numbers separated by dots, and each of those numbers should be between 0 and 255, such as 10.4.62.178. The issue with IPv4 addresses is that there are only 4.2 billion unique addresses. While that sounds like a lot (and it used to be), modern networks like the internet have quickly depleted this amount of IP addresses. To replace IPv4, a newer variant known as IPv6 was introduced. IPv6 uses a 128-bit address that consists of hexadecimal digits separated by semi-colons. Due to the much larger bit size of the address, there are over 3.4 x 10^38 IPv6 addresses available for use.

For the LPI Linux Essentials exam, it is not important to remember the number of IPv4 and IPv6 addresses, but you should be able to identify these addresses based on sight. For example, if you see 192.168.1.1, you should identify it as an IPv4 address, whereas if you see an address like fe80::afdc:48ff:fe00:5577, you should identify it as an IPv6 address.

So, if computers prefer numbers, but people prefer easier to read and remember hostnames, how can we associate both the hostname and the IP address together? To perform this function, a system known as the Domain Name System (DNS) was created. DNS is a global network of servers that automatically translates between hostnames and IP addresses for our systems. To use DNS, your Linux system simply needs to have the IP address of the DNS system added as part of the network configuration. Then, whenever the user types a hostname or domain name into an application, such as entering www.diontraining.com in a Google Chrome web browser, the application will ask DNS to convert the name (www.diontraining.com) into its assigned IP address, and then the browser can connect to the remote server using its IP address.

To properly configure your Linux system to use the network, it needs four pieces of information: its own IP address, its network mask, the IP address of its gateway, and the IP address of a valid DNS server.

In IPv4, when an IP address is assigned, it must also be provided with a network mask that identifies what network the host is contained within. By using a network mask (netmask), the system determines which portion of the IP address represents the host and which portion represents the network. For example, if a user's system is assigned the IP address of 192.168.1.56 with a netmask of 255.255.255.0, this signifies that this host is (56) and is a part of the (192.168.1.0) network. The concept of subnetting heavily uses these conventions, but is beyond the scope of this book and the LPI Linux Essentials exam. If you want to learn more about subnetting and netmasks, I highly recommend considering the CompTIA Network+ certification exam preparation courses or books.

The final component of the network configuration is the IP address of the system's gateway. Every system can communicate within its own network by default, such as the 192.168.1.0 network in the netmask example above. But, if the user wanted to communicate with a system in a different network (such as 172.15.12.65 or www.diontraining.com), then the traffic must be routed through a gateway. A gateway is a device that connects two or more networks together. When a user connects to the internet, they are actually connecting through a gateway, most commonly their network's router. This router links to another network, which in turn links to another, and another, until it reaches the final destination. To contact a computer on another network, your computer communicates through its default gateway, which is assigned by configuring its gateway's IP address within its network configuration. Most home and small business networks simply use small broadband modem/router combination devices to connect to the Internet, and these devices perform routing, DNS, DHCP, and other useful services in one small form factor unit.

Therefore, for your Linux system to actually be able to go online and connect to the internet, it needs to have four pieces of information configured within its network settings: its IP address, its netmask, the IP address of its gateway, and the IP address of its DNS server. This information can be manually or automatically configured on your system. Configuring this network information manually is time consuming and can often be complicated, but thankfully there is an automated method to do this which relies on a protocol known as the Dynamic Host Configuration Protocol (DHCP).

DHCP is an automated mechanism that computers use to obtain their network configuration information from a server on their network. This is extremely useful, especially in large scale corporate networks with thousands of computers that need to be configured.

By relying on DHCP, a system sends out a broadcast message on the network to discover if a DHCP server is available. When a DHCP server receives this discovery message, it automatically sends the requesting system an offer that contains an available IP address, a netmask, the gateway IP, and even the IP of a DNS server for the requester to use. Then, the requester will send back a request message to the DHCP server asking to use the network configuration information it just received from the server. This is done because the requester may have received multiple offers from different DHCP servers on the same network, so it has to request which one it wants to utilize. Finally, the DHCP server will send an acknowledgement message back to the requester once it accepts their offer. At this point, the requester now has all the information needed to automatically configure its own network connection and the DHCP process is complete. This process is known as DORA, or Discover, Offer, Request, and Acknowledge. For the LPI Linux Essentials exam, though you are not required to understand this four step process in-depth, you should remember that DHCP automatically configures a network connection within a Linux system.

Configuring a Network Connection

Most often, the network connection will be configured automatically, and DHCP assigns the vital network information. Sometimes, though, those details will have to be configured manually or the network interface must be enabled for it to function. As stated earlier, a computer requires (at minimum) two important pieces of information to connect to a local network: an IP address and a netmask. If you want the computer to also be able to perform name resolution and gain access to an external network, then DNS and the gateway must also be configured.

Configuring every computer on a large network with all this information is time-consuming. Additionally, this manual configuration can lead to problems caused by human errors, such as mistakes created when entering in the IP address and other critical information. For this reason, most enterprise networks provide a DHCP server that assigns all this critical information to the other computers within the network when they first connect. Depending on the configuration of the server, DHCP can deliver IP addresses using either fixed or dynamic configurations. A fixed configuration ensures that the DHCP server provides each computer with the same IP address every time it boots up and connects to the network. A dynamic configuration instead has the DHCP server provide each computer with an IP address each time it boots up, but this IP doesn't have to remain the same each time.

Each computer can use either a wireless or wired network connection. Wireless connections are common on laptops, tablets, smartphones, and internet of things devices since they often lack a physical network cable due to their size or configuration. Some desktops, though, have Wi-Fi capabilities in addition to their wired connections.

To easily configure the Wi-Fi connection, it is best to use the graphical user interface. Each distribution uses a different method and setup for connecting to Wi-Fi, so you should consult your distribution's online manual or forums for details of how to do this. For most distributions, connecting to the Wi-Fi through the graphical interface works similarly to a Windows or Mac computer and relies on a point and click interface.

If someone needs to fine-tune the wireless connection, they can use various tools to scan for available wireless networks and manage the existing Wi-Fi links connected to a given system. To do this, the user can utilize the iwlist and iwconfig utilities. The iwlist command can identify nearby Wi-Fi networks by scanning the airwaves within the Wi-Fi frequency bands of 2.4 GHz and 5.0 GHz, depending on the type of wireless adapter installed within the user's system. To scan for a list of nearby networks, simply type iwlist scan or iwlist scanning as either the root user or using the sudo command to obtain a complete list of the networks within range of the system.

Once a network is found, a user can manually connect or disconnect from a specified network using the iwconfig utility. There are numerous options and flags that can be used with the iwconfig command, so I recommend consulting the man pages for this utility to ensure you are using it properly.

To configure a wired connection, a user may simply use the graphical user interface like they would within Windows or Mac. If the user requires more fidelity and control over the configuration, then we may use command line tools instead. Just as iwconfig configures a wireless network, the ifconfig command configures a wired network. The ifconfig utility allows a network connection to be started up or shut down, allows for the allocation of an IP address and network mask to a specific piece of hardware, and allows the defining of other configuration details within a connection. The ifconfig command is primarily for wired connections, but it can configure a wireless connection once the wireless connection has been established using iwconfig.

There are many other flexible text-based tools for both wired and wireless connections. These tools include route, /etc/resolv.conf, DHCP utilities, and distribution-specific network scripts.

The route utility allows the user to adjust the computer's routing table to determine the path through which the network device will send specific network packets. By using the route command, a Linux system can effectively become a network router for the other machines on the network as well.

The /etc/resolv.conf file contains the IP addresses of up to three DNS servers as well as the name of the computer's Internet domain and of other domains that should be searched when the user omits a domain name from a hostname. If you need to modify the DNS entries used by a given Linux system, this can be done within the /etc/resolv.conf file.

As stated earlier, DHCP is the easiest method for configuring the network connection on a Linux machine since it automatically configures the system. To enable this, though, the Linux machine must have a DHCP client installed. The most common DHCP client programs are known as dhclient or dhcpcd.

The ifconfig, route, and DHCP client programs only produce a temporary change to the computer's network configuration. To make these changes permanent, the settings must be stored within a configuration file that is loaded when the system is booted up. To help automate this process, many distributions create network scripts to help with this boot up and configuration process. Each distribution uses its own methods and scripts for this purpose, and these are referred to as distribution-specific network scripts.

Testing the Network

In most cases, the network connection will work fine from the moment the Linux system first boots up. However, there are times when a user may need to diagnose a problem with the network because a formerly working connection has stopped working or it does not work from the start.

There are several ways to test for network connectivity. The first network connectivity test checks the routing table using the route command to ensure that the default route is properly set and to check that the routing is sensible. In most cases, typing route by itself at the terminal will display the routing table. The routing table of a typical workstation or server is generally quite simple and can be automatically configured. If the Linux system is functioning as a network router, though, these often require complex routing tables which are beyond the scope of the LPI Linux Essentials certification exam.

The next most basic network connectivity test uses the ping utility. The ping command sends a simple network packet to the system you name, via IP address or hostname, and waits for a reply. In Linux systems, ping continually sends packets once every second until the command is interrupted with the Ctrl+C keystroke combination. To diagnose where a network problem resides when using the ping command, you must consider three scenarios. First, if you can ping a system on the internal network but not a system on an external network, the problem is probably in your router or in an improper router specification. Stated another way, if you can ping another workstation within your network but you cannot ping a website like Google or Facebook, then the issue must exist with the router or the external network connection.

Second, if you can ping a system by its IP address but not by its name, then the problem is most likely with the DNS server or your system's DNS configuration settings. So, if you can successfully run ping 8.8.8.8, but you get an error when running ping diontraining.com, then the issue is likely caused by a DNS issue. Third, if you cannot ping any systems at all, then you probably have a fundamental configuration problem on your system. This could be caused by a corrupted network software stack or even faulty hardware on your Linux system. In any case, the problem exists within your machine, and not with the larger network or remote systems.

While ping is very useful in testing the entire connection from your system to the remote system, there is a more useful tool that can be used when you are trying to determine where exactly the connection is broken between your system and the remote system. To determine where the break in connectivity is occurring, a command known as traceroute is utilized. The traceroute command sends a series of three test packets to each system between your computer and a specified remote system. As traceroute conducts each set of tests, it displays the results on the screen to inform the user of which systems are reported as functional and which may be the cause of the break in connectivity. This is helpful for determining whether a problem in network connectivity exists within a network which you are responsible for or if it is a problem with an external connection and, therefore, a problem for your internet service provider to solve.

As stated earlier, the problem may be caused by an issue with the domain name system (DNS). DNS is the internet's equivalent of a phone book; it maintains a directory of domain names and translates them to Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for people to remember, computers or machines need to access websites based on IP addresses. DNS problems can cause networks to fail almost as badly as a physically cut cable. Because both people and many network tools rely on hostnames, if DNS resolution doesn't work then the network becomes nearly useless. A user can test their network's DNS server by using several tools, such as host, dig, and nslookup.

The final diagnostic tool to consider is known as netstat. This utility is sometimes referred to as the Swiss Army knife of network troubleshooting tools because it can be used in place of several other tools depending on the parameters passed to it. For example, the --all or -a option displays information about the ports that a server has open and is currently listening for network connections on, as well as any already-open connections. To learn all about netstat, please enter man netstat from within your terminal window.

Protecting the Network

These days, one of the most important issues involving technology revolves around system security and data protection. In this section, you will find a few basic tips to prevent your Linux system from becoming compromised by a malicious attacker. While many people claim that Linux is more secure than Windows, without proper precautions a Linux system can be just as vulnerable as its Windows counterpart. Luckily for us, Linux doesn't have nearly as many viruses or worms designed to run on its system, but by following these five simple rules you can increase your chances of keeping your system safe from attackers.

First, you should always shut down any unused services or daemons on your Linux system. In Linux, the majority of risks center on an outsider's ability to break into a system by abusing a server program that is running on your machine. Therefore, it's important not to run any servers, services, or daemons unnecessarily. Many distributions automatically install and run numerous servers, such as the Secure Shell (SSH), the Apache web server, a Sendmail server, or a Postfix email server. To thoroughly remove a server from a system, you should uninstall it by using the appropriate package management system by using the uninstall command.

Second, you should always enable a firewall on your Linux system. A firewall is a software program or system setting that inspects each network transaction and then allows or disallows it based on programmed criteria within an access control list (ACL). Most Linux distributions enable an embedded software firewall by default, but there may be a need to adjust their settings for your specific needs. When configuring a firewall, it is best to use a "deny by default" security posture, and only allow network connectivity in and out of the system as needed for your operational use.

Third, you should always use good passwords for your accounts on your system. If your system runs a server of any type, then setting a long, strong, and complex password can minimize the risk of an outsider breaking in by simply guessing one of your user's passwords. Passwords should be at least 14 characters long, include uppercase and lowercase letters, numbers, and special symbols. Also, your everyday user account and your root user account should never use the same password.

Fourth, always be suspicious when using a network connected system. You must always remain suspicious of any untrusted sources of data, such as emails, websites, and other internet sources. Phishing is a common occurrence; this is an attempt to extract sensitive data from users by posing as a trusted individual or organization via email or other means. Phishing and similar attacks can trick users into providing their passwords, login, financial, and other critical data. While malware (malicious software) is rare on Linux systems, a determined attacker could create malware to target your data and organization. Therefore, it is always best to stick to official software sources and remember that emails, websites, and other types of communication can be easily faked to trick you.

Fifth and finally, always keep your software up to date. Whenever a hacker finds a way to exploit a software bug for their advantage, the creators of the software fight back by releasing a security update to the software program. But, if you don't update the software on your system, then you are still using the older software with the bug and are vulnerable to attack. Therefore, it is critical to always keep your software patched and up to date using the package management tools described previously in this book. It is best to check regularly for software updates, and most distributions will have an automated mechanism to check for updates daily or weekly.

Connecting to a Network

There are two ways to connect to a network in Linux: by using the GUI or by using the command line. The easiest way is through the GUI. In Ubuntu Unity, the network icon, showing wired and wireless connections if available, is at the top right corner of the taskbar. Clicking on the network icon will bring up menus that show options to configure both wired and wireless connectivity. Everything from there will be fairly straightforward.

[Figure: the Ubuntu Unity network menu, with entries including Wired connection 1, Disconnect, Connect to Hidden Wireless Network..., Create New Wireless Network..., Enable Networking, Enable Wireless, Connection Information, and Edit Connections...]

This figure shows that this machine is connected to both a wired (Wired connection 1) and wireless (aleksz-wfifi) network. There are options to disable the wired connection (by clicking on Enable Networking) or disable the wireless connection (by clicking on Enable Wireless). Connecting to a wireless connection may need the passphrase of the selected SSID.

To use the command line, open a terminal and issue ip commands. Typing "ip address show" shows the current ip address of the system. There will be several adapters that will show up, but the first one will always be the localhost or loopback address - 127.0.0.1 for ipv4 or ::1 for ipv6. The next adapters may show the wired or wireless connection, whichever is present. Each adapter section will show information such as the name of the adapter, its MAC address, the ip address assigned to it, etc.

When troubleshooting a local network issue, ip addresses wouldn't be of much concern. All you would need to see are the links in layer 2, the MAC addresses. To do that, type "ip link show". The ip link command specifically focuses on layer 2, switching, as opposed to layer 3, routing. To turn off an adapter (just like when disabling Networking from the network icon on the desktop), type "sudo ip link set adapter-name down". Replace 'adapter-name' with the adapter name to be switched off from the "ip address show" command. Typing "ip address show" again after turning the adapter off will show its state as DOWN and that there is no layer 3 routing information or ip addresses assigned to it. To turn it back on, simply type "sudo ip link set adapter-name up".

To manually assign an ip address to a network adapter, type "sudo ip addr add ip-address dev adapter-name". Replace 'ip-address' with the ip address and subnet mask to be assigned to the adapter and replace 'adapter-name' with the name of the adapter. Conversely, to remove that assigned ip, type "sudo ip addr delete ip-address dev adapter-name". More information about the ip command can be found in its man pages.
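The first two rules under Protecting the Network (run no unnecessary servers, and deny by default) can be checked against what a machine is actually listening on. The script below is an added example, not part of the book: it parses `netstat -tln` output and lists TCP ports reachable from the network that are not on an allowlist. The function names, the sample output, and the choice of port 22 as the only intended service are assumptions made for illustration.

```shell
#!/bin/sh
# Audit listening TCP sockets against a list of intended services.
# Input is assumed to be in `netstat -tln` format:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State

# Constructed sample output (not captured from a real host).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# exposed_listeners: read netstat text on stdin and print "port address"
# for every LISTEN socket that is not bound to loopback only.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        addr = $4
        port = addr
        sub(/.*:/, "", port)        # text after the last colon is the port
        sub(/:[^:]*$/, "", addr)    # text before it is the bind address
        if (addr ~ /^127\./ || addr == "::1") next   # local-only service
        print port, addr
    }' | sort -n | uniq
}

# unexpected_ports: arguments are the ports this host is meant to serve;
# stdin is netstat text. Prints each exposed port not on that list.
unexpected_ports() {
    allowed=" $* "
    exposed_listeners | while read -r port addr; do
        case "$allowed" in
            *" $port "*) ;;          # intended service, nothing to report
            *) echo "$port" ;;       # candidate to stop, uninstall, or firewall
        esac
    done | uniq
}

# Audit the live host when run with --live, otherwise the constructed sample.
# The allowlist "22" (SSH only) is an assumption for this example.
if [ "${1:-}" = "--live" ]; then
    netstat -tln | unexpected_ports 22
else
    printf '%s\n' "$SAMPLE" | unexpected_ports 22   # prints 25 and 80
fi
```

Each port it reports is either a service to uninstall (rule one) or a port the firewall should not be allowing in (rule two); the CUPS listener on 631 is not reported because it is bound to loopback only.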
