PROG1225-10 Lecture-Network Administration (Linux).pdf
1225 Unit Ten: Network Administration (Linux)

Overview
Administering Users and Groups; Compression; System Backup; Remote Administration; Printer Administration; Log File Administration; Security; Performance; Troubleshooting

Administering Users and Groups

You must log in to a Linux system with a valid user name and password before access to the operating system is granted. This process is called authentication because the user name and password are checked against a system database that contains all user account information. Authenticated users are then granted access to files, directories, and other resources on the system based on their user account. Although command-line utilities are commonly used to administer users and groups, most of the same tasks can be done from a GUI.

The system database that contains user account information typically consists of two files:
  o /etc/passwd – every user has a line that describes the user account. It is world-readable because many programs need to map UIDs to names.
  o /etc/shadow – every user has a line that contains the hashed ("encrypted") password and the password expiration information. It is readable only by root (and, on some distributions, the shadow group).
  o Note: Older systems stored everything in /etc/passwd. This is a security issue because many processes need read access to the user information, and giving them that access also gave them the password hashes. The pwconv command converts a system from a single passwd file to the passwd/shadow pair; pwunconv reverts to a single file.

The following information is stored in the passwd file (seven colon-separated fields):
name:password:UID:GID:GECOS:homedir:shell
  o name – name of the user.
  o password – the hashed password (if the shadow file is not used) or an 'x' placeholder (if the shadow file is used).
  o UID (User Identifier) – the unique User ID assigned to each user. Low UIDs (below 500 on older distributions, below 1000 on current ones; the boundary is UID_MIN in /etc/login.defs) are reserved for system accounts used by daemons. The root user (administrator) always has a UID of zero, and any other account with UID 0 is root in everything but name.
  o GID (Group Identifier) – the primary Group ID for the user.
Each user can be a member of several groups, but only one of those groups can be the primary group.
  o GECOS – a free-text description of the user (full name, office, phone), often left blank. The name comes from the General Electric Comprehensive Operating System, which originally used this field.
  o homedir – the user's home directory.
  o shell – the user's login shell (typically BASH on Linux systems).

The following information is stored in the shadow file (nine colon-separated fields; the last is reserved and normally empty):
name:password:lastchange:min:max:warn:disable1:disable2:reserved
  o password – the hashed password. A leading "!" or "*" means the account is locked for password logins; an empty field means no password is required at all.
  o lastchange – date of the most recent password change, measured in days since Jan. 1, 1970.
  o min – the minimum number of days that must pass before the user may change the password again.
  o max – the maximum number of days the password may be used before it must be changed.
  o warn – the number of days before a password expires that the user is warned to change it.
  o disable1 (inactive) – the number of days after a password expires before the account is disabled.
  o disable2 (expire) – the date, in days since Jan. 1, 1970, on which the account is disabled regardless of password state (e.g. set it to the end of an employee's contract period).

/etc/group – lists all groups and their members. Has the following information:
name:password:GID:members
  o name – name of the group.
  o password – password of the group. Group passwords are rarely used, so the field usually contains an 'x' (the hash, if any, lives in /etc/gshadow).
  o GID – Group ID for the group.
  o members – a comma-delimited list of users for whom this is a supplementary group. Users whose primary GID is this group do not appear here.

Creating User Accounts

useradd command
  o Typically used with just a user name: useradd user1. In this case all other information, such as the UID, shell, and home directory location, is taken from two files that contain user account creation defaults.
  o /etc/login.defs – sets the default location for e-mail, password aging details, and the range of UIDs and GIDs available for use. It also determines whether home directories are created automatically during user creation, and which password hashing algorithm is used to store passwords.
  o /etc/default/useradd – contains the default primary group, the location of the home directories, the default number of days after password expiry before an account is disabled, the account expiry date, the shell, and the skeleton directory used.
  o /etc/skel – the skeleton directory used on most Linux systems; its files are copied to each new user's home directory when the directory is created. Most of these files are environment files, such as .bash_profile and .bashrc.
  o To override any of the defaults for a user, specify options to the useradd command when creating the account. Example: useradd -u 762 user1 sets the UID to 762 for user1.

passwd command – used to set or change a user's password. Example: passwd user1
  o If a password has not been set, the password field in /etc/shadow contains either two ! characters or a single * character, and the account cannot be used for password logins until one is set.
  o Used without arguments, the passwd command changes the password for the current user.
  o All user accounts must have a password set before they can be used to log in to the system.
  o The root user can set the password on any user account with passwd; regular users can only change their own password and must supply the old one.

Modifying User Accounts

To modify the information for a user account after creation, you can edit the /etc/passwd or /etc/shadow file, but this is not recommended because errors in these files can prevent logins or stop the system from functioning. If you must edit them by hand, use vipw (and vipw -s for the shadow file), which locks the file while you edit it.
usermod command – used, with the appropriate options, to modify most information regarding user accounts (UID, home directory, shell, groups, lock state, expiry date).
chage command – used, with the appropriate options, to modify the password aging information (min, max, warn, inactive) stored in /etc/shadow; usermod does not change these fields. chage -l username shows the current values.
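The field layouts described above for /etc/passwd, /etc/shadow and /etc/group can be checked mechanically. The script below is an added example, not part of the lecture notes: it performs the audit an administrator would run over copies of the three files, looking for extra UID 0 accounts, empty or obsolete password hashes, system accounts with a real shell, expired accounts, and a user's full group membership. All records are constructed for the example (the user names, UIDs and hash strings are made up), the functions read their input from arguments so the script runs anywhere without root, and the UID_MIN value of 1000 and the "today" day number are assumptions. On a real system pass the contents of /etc/passwd, /etc/shadow and /etc/group instead.

```shell
#!/bin/sh
# Added example: audit /etc/passwd, /etc/shadow and /etc/group records.
# All records below are CONSTRUCTED for this example; names, UIDs and hash
# strings are made up. On a real system pass "$(cat /etc/passwd)" etc.

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0:legacy backup job:/var/backups:/bin/bash
apache:x:48:48:Apache:/var/www:/bin/bash
user1:x:1001:1001:Test User:/home/user1:/bin/bash
user2:x:1002:1002::/home/user2:/bin/bash'

SHADOW_SAMPLE='root:$6$examplesalt$fakesha512hashvalue:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backup:$1$oldsalt$fakemd5hashvalue:17000:0:99999:7:::
apache:!!:18500:0:99999:7:::
user1:$6$examplesalt$anotherfakehash:19100:0:99999:7::19200:
user2::19100:0:99999:7:::'

GROUP_SAMPLE='root:x:0:
user1:x:1001:
wheel:x:10:user1
apache:x:48:
users:x:100:user1,user2'

# 1. Any account with UID 0 (passwd field 3) is root, whatever it is called.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# 2. Classify the shadow password field (field 2): empty means no password is
#    needed; "!" or "*" prefixes mean locked; "$1$" is MD5 (obsolete);
#    "$6$" is SHA-512 and "$y$" is yescrypt (both current).
classify_hashes() {
    printf '%s\n' "$1" | awk -F: '
        $2 == ""                                               { print $1 ": EMPTY"; next }
        substr($2, 1, 1) == "!" || substr($2, 1, 1) == "*"     { print $1 ": locked"; next }
        substr($2, 1, 3) == "$6$" || substr($2, 1, 3) == "$y$" { print $1 ": ok"; next }
        substr($2, 1, 3) == "$1$"                              { print $1 ": weak (MD5)"; next }
                                                               { print $1 ": weak (other)" }'
}

# 3. System accounts (UID below UID_MIN; assumed 1000 here, 500 on older
#    systems) should not have a login shell. root is excluded on purpose.
system_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: -v min="${2:-1000}" '
        $1 != "root" && $3 < min && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

# 4. Accounts whose expiry date (shadow field 8, days since 1970-01-01) has
#    passed. $2 is "today" in the same unit: $(( $(date +%s) / 86400 )).
expired_accounts() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '$8 != "" && $8 + 0 <= today { print $1 }'
}

# 5. All groups of a user: the primary group comes from passwd field 4 and is
#    NOT listed in the /etc/group member field; supplementary groups are.
groups_of() {
    gid=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $4 }')
    printf '%s\n' "$3" | awk -F: -v u="$1" -v gid="$gid" '
        $3 == gid { print $1 " (primary)"; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

echo "UID 0 besides root:";         extra_uid0 "$PASSWD_SAMPLE"
echo "Password field audit:";       classify_hashes "$SHADOW_SAMPLE"
echo "System accounts with shell:"; system_accounts_with_shell "$PASSWD_SAMPLE" 1000
echo "Expired on day 19300:";       expired_accounts "$SHADOW_SAMPLE" 19300
echo "Groups of user1:";            groups_of user1 "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
```

In the sample, the audit reports backup as a second UID 0 account with an MD5 hash and a real shell, apache as a locked system account that still has /bin/bash, user2 as having no password at all, and user1 as expired on day 19300. Each of those is something to fix with usermod, passwd or chage rather than by editing the files directly.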
To lock/unlock an account – to temporarily prevent a user from logging in:
  o usermod -L username and usermod -U username to lock and unlock respectively.
  o passwd -l username and passwd -u username to lock and unlock respectively.
  o Both work by prefixing the password hash in /etc/shadow with "!", so they block password logins only; SSH keys and already-open sessions are unaffected. chage -E 0 username (an expiry date in the past) disables the account for every login method.

Deleting User Accounts

userdel command – used with the user name as the argument, deletes a user account.
  o Removes the entries from the /etc/passwd and /etc/shadow files (and the user from /etc/group).
  o userdel -r – also removes the user's home directory and mail spool with all their contents.
  o Note that if the old user's files are not removed and a new user is later created with the same UID, the new user owns those files, because the filesystem records UIDs, not names. Find them first with find / -uid <old UID> and reassign or delete them.

Managing Groups

/etc/group – can be edited directly to add groups, but the commands below are safer because they check for duplicate names and GIDs.
groupadd command – used to add a group to the system.
usermod -G command – used to set the supplementary groups of a user. Note that -G replaces the whole list; use usermod -aG group user to append a group without removing the user from the others.
groupmod command – used to modify the group name and GID.
groupdel command – used to remove groups from the system.
groups command – lists the groups the current (or named) user is a member of.
id command – lists the UID, primary GID, and all group IDs of the current (or named) user.
newgrp command – temporarily (for the new shell it starts) changes the primary group a user belongs to.

Compression

Compression takes one or more files and attempts to reduce their size. Unlike the Windows zip format, the common Linux compressors work on a single file at a time; bundling several files into one archive is tar's job (see System Backup). The most common compression utilities in Linux are command-line based:
GNU Zip – the gzip command, which uses the .gz filename extension by default and replaces the original file with the compressed one.
  o gzip -r – compresses every file in a directory tree, each into its own .gz file.
  o zcat and zmore commands – used to view the contents of a compressed file without decompressing it on disk.
  o gzip -d or gunzip commands – used to decompress (extract) the file(s).
bzip2 command – works the same way on single files (.bz2 extension); it usually compresses better than gzip but is slower. Like gzip, it cannot bundle a directory into one archive on its own.
compress command – an old compression utility (.Z extension) with a lower compression ratio than gzip. Not typically installed by default.
tar command – used mostly for backups, discussed below.
System Backup

You should back up user files from home directories and any important system configuration and service files. The process is known as system backup, and the backup copies of files and directories are called archives.

tar (Tape Archive) – one of the oldest and most widely used backup utilities, run with the tar command.
  o Creating an archive: tar -cvf /backup.tar * [c – create a new archive, v – verbose output, f – the archive file name follows] [/backup.tar – file name and location] [* – wildcard for all files in the current directory; note that the shell does not expand * to dot-files]
  o Extracting an archive: tar -xvf /backup.tar [x – extract] (extracts into the current working directory)
  o Creating a gzip-compressed archive: tar -zcvf /backup.tar.gz * [z – compress with gzip]. File names ending in .tar.gz or .tgz are commonly called tarballs since they are compressed tar archives.
  o Viewing the contents of a gzip-compressed archive: tar -ztvf /backup.tar.gz [t – list contents]. List an archive before extracting it: entries with absolute or ../ paths can overwrite files outside the directory you extract into (GNU tar strips a leading / or ../ by default, but other implementations may not).
  o Extracting a gzip-compressed archive: tar -zxvf /backup.tar.gz [use -z whenever the file is gzip-compressed; -j for bzip2]
  o Note that the original tar format limits path names to roughly 255 characters (100 without the prefix field); GNU tar's default format removes this limit, but archives meant for other tar implementations should respect it.
cpio (Copy In/Out) – similar to tar but supports long file names and can back up device files.
  o To create an archive with cpio, a list of file names must be generated first, usually with the find command.
  o The list is then piped into cpio. Example: find /root/sample | cpio -vocB -O /dev/st0 [v – verbose, o – create an archive ("copy-out"), c – portable header format, B – 5120-byte blocks, O – output file or device; /dev/st0 is the first tape drive]. The process is more involved than tar and takes some getting used to.
The dump (create the archive) and restore (extract the archive) commands can also be used.
  o Not typically installed by default.
  o dump works on a whole filesystem and supports full backups as well as incremental backups, which back up only the data changed since the previous backup.
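A backup is only as good as the restore, so the create, list, extract and compare steps above are worth running together. The script below is an added example, not part of the lecture notes: it archives a constructed sample tree with tar -czf, lists the archive, restores it to a separate directory with -p, and verifies the restore by comparing sha256 checksums and the mode of a sensitive file. The sample files, their contents and the temporary paths are all assumptions made up for the example; in real use $SRC would be /etc or /home and the archive would be written to separate media.

```shell
#!/bin/sh
# Added example: create a gzip-compressed tar archive of a directory, list it,
# restore it to a separate location and prove the restore matches the source.
# The sample tree is CONSTRUCTED under a temporary directory, so the script
# runs without root and touches nothing else.

WORK=$(mktemp -d)
SRC="$WORK/etc_sample"            # stands in for the tree you would back up
ARCHIVE="$WORK/backup.tar.gz"
RESTORE="$WORK/restore"

make_sample_tree() {
    mkdir -p "$SRC/ssh" "$SRC/cups"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$SRC/ssh/sshd_config"
    printf 'LogLevel warn\n' > "$SRC/cups/cupsd.conf"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$SRC/passwd"
    chmod 600 "$SRC/ssh/sshd_config"   # a mode that must survive the round trip
}

# c create, z gzip, f archive name. -C makes tar record paths relative to
# $WORK (etc_sample/...) instead of absolute ones, so the archive can be
# restored anywhere and never overwrites the live tree by accident.
create_backup() {
    tar -czf "$ARCHIVE" -C "$WORK" "$(basename "$SRC")"
}

# t list: always look at an archive before extracting it.
list_backup() {
    tar -tzf "$ARCHIVE"
}

# x extract, p keep the stored permission bits (without -p tar applies your umask).
restore_backup() {
    mkdir -p "$RESTORE"
    tar -xzpf "$ARCHIVE" -C "$RESTORE"
}

# Checksum every file in both trees and compare; also confirm the 600 mode.
verify_restore() {
    (cd "$SRC" && find . -type f | sort | xargs sha256sum) > "$WORK/before.sum"
    (cd "$RESTORE/$(basename "$SRC")" && find . -type f | sort | xargs sha256sum) > "$WORK/after.sum"
    cmp -s "$WORK/before.sum" "$WORK/after.sum" || return 1
    [ -n "$(find "$RESTORE/$(basename "$SRC")/ssh/sshd_config" -perm 600)" ] || return 1
}

make_sample_tree
create_backup
echo "archive contents:"; list_backup
restore_backup
if verify_restore; then echo "restore verified"; else echo "restore does NOT match source"; fi
```

The checksum file written before the backup is the piece most people skip: kept with the archive, it lets you prove months later that a restore is complete and unmodified, which is the same comparison an integrity checker such as Tripwire performs. The temporary directory is left in place so the archive and checksum files can be inspected.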
Other software – third-party software (often GUI-based, which is easier for newer users), as well as software provided by specific Linux distributions and certain backup hardware.

Remote Administration

There are several ways to perform command-line and graphical administration of remote Linux servers, including telnet, Secure Shell (SSH), and Virtual Network Computing (VNC).

Telnet – has traditionally been used to obtain a command-line shell on remote UNIX and Linux servers that run a telnet server daemon. (PuTTY can be used on a Windows system to telnet or SSH to a Linux system.)
  o No longer installed by default on most Linux distributions.
  o Its major problem is that it does not encrypt its communications: the user name, password and entire session cross the network in clear text, so anyone on the path can read or alter them. Do not enable it.
SSH (Secure Shell) – designed as a secure replacement for telnet (and for other legacy commands such as rsh, rlogin, and rcp). It encrypts the whole session and authenticates the server with a host key. It can also carry graphical programs: ssh -X forwards X11 windows, and scp/sftp replace rcp.
  o The SSH daemon (sshd) is installed by default on most Linux distributions, but on some (desktop installs in particular) it is not set to start automatically.
  o To connect to a remote Linux computer running sshd, use the ssh command followed by the host name or IP address of the target computer. Your local user name is sent to the server automatically, and you are prompted for that user's password on the target computer. Use ssh -l username host (or ssh username@host) to log in with a different user name. The first connection asks you to accept the server's host key fingerprint; verify it out of band, because accepting a wrong key silently allows a man-in-the-middle. Prefer key-based authentication and set PermitRootLogin no in /etc/ssh/sshd_config.
VNC (Virtual Network Computing) – a graphical option for administering a Linux system remotely.
  o After a VNC server daemon is installed on a computer, other computers that run a VNC client can connect to it to obtain a desktop environment.
  o VNC uses a platform-independent protocol called Remote FrameBuffer (RFB) to transfer screen updates, mouse movements, and keystrokes across the network.
  o VNC server and client software exist for Linux, UNIX, Mac, and Windows systems.
  o Plain RFB is not encrypted and its built-in password authentication is weak, so bind the VNC server to localhost only and reach it through an SSH tunnel (ssh -L 5901:localhost:5901 host).
Printer Administration

A common printing system used on Linux computers is CUPS (Common Unix Printing System). An older printing system is LPD (Line Printer Daemon). The process by which information is sent to a printer is generally the same on any system:

Print Job – the information sent to a printer. Print jobs can consist of a file, several files, or the output of a command.
  o lp command – used to specify what to print. lp -d printer1 /etc/inittab sends the file inittab to the printer1 printer [-d – specifies the destination printer].
cupsd (CUPS Daemon) – assigns the print job a unique job ID and places a copy of the print job into a temporary directory called the print queue. If the printer is not accepting print jobs, the CUPS daemon displays an error message.
  o Accepting print jobs into a print queue is commonly called spooling or queuing.
  o The print queue is /var/spool/cups. Regardless of how many printers you have on your Linux system, all print jobs are sent to the same directory.
  o /etc/cups/cupsd.conf – contains the settings for the CUPS daemon, including which hosts may reach it.
  o /etc/cups/printers.conf – contains the configuration information for each printer installed.
The CUPS daemon then sends the print job from the print queue to the printer and removes its copy of the job from the queue. If the printer is disabled, the print job remains in the print queue.
lpstat -t command – used to see a list of all printers on the system and their status [-t – total].
  o The output shows the CUPS daemon itself under the name scheduler.
The following commands manipulate the status of a printer: cupsaccept and cupsreject control whether new jobs are accepted into the queue; cupsenable and cupsdisable control whether queued jobs are sent to the printer.
lpoptions -d printername command – run as root, sets the default printer (printername) for all users; the setting is stored in /etc/cups/lpoptions.
  o Each user can set their own default printer by running the same command as themselves, which writes the line to the .lpoptions file in their home directory (~/.cups/lpoptions on current versions).
cancel command – removes a print job from the print queue.
lpadmin command – creates and configures printers and, with -u allow:user1,user2, controls which users may print to a given printer.
CUPS also has a GUI option: the CUPS Web Administration Tool is a comprehensive way to create and manage CUPS printers. It is reached with a web browser on TCP port 631:
  o Use http://servername:631, where servername is the name of the Linux server. By default cupsd listens on localhost only; if you open it to the network, restrict the /admin location with the Allow directives in cupsd.conf and use https.

Log File Administration

To identify and troubleshoot problems on a Linux system, you must view the events that occur over time. Most daemons record information and error messages to log files, typically stored in the /var/log directory.
  o Many programs store their log files in subdirectories of /var/log.
Logging daemons collect log information from other daemons and operating system components. The two most common are:
  o rsyslogd (System Log Daemon) – the traditional and most common logging daemon (a successor to the original syslogd). Which events are logged, and to which files, is controlled by rules the administrator sets up in /etc/rsyslog.conf; rules can also forward events to a remote log host, which keeps copies that an intruder on the local machine cannot edit.
  o journald (Systemd Journal Daemon) – replaces or supplements rsyslogd on Systemd-based distributions. All events are stored in a binary journal, queried with journalctl.
Logging daemons receive messages through a socket:
  o Socket – allows communication between two processes on the same machine or on different machines in a client-server arrangement. In this case the socket (/dev/log) is an open file to which the kernel has assigned an integer number, a file descriptor, which the process uses when reading from or writing to it.

Security

To protect a Linux computer, take steps to improve local and network security, and learn how to detect intruders.

Securing the local computer:
  o Restrict physical access to the computer (where possible).
With physical access, someone can boot the computer from a CD/DVD or USB device carrying a minimal operating system and read the files stored on it, or simply steal the computer. Servers should be kept in a locked room, usually called a server room or server closet. Workstations can be configured not to boot from optical and USB devices, and those boot options must themselves be password-protected, all of which is done in the computer's BIOS/UEFI setup program. Workstations can also be physically locked down with security cables and locks. Full-disk encryption (LUKS) is what actually protects the data if the disk is removed.
  o Limit access to the graphical desktop and shells – if you walk away from your workstation for a few minutes and leave yourself logged in, another person can use your computer. Lock your screen before leaving the system; each desktop environment has its own way of doing this.
  o Minimize the time that you are logged in as the root user (administrator). Log in as a regular user and use the su and sudo commands to obtain root privileges temporarily. If an attacker gains access through the root account (or through a service/daemon running with root privileges), the attacker has complete control of the system.

Protecting Against Network Attacks

As long as network services exist on a computer, there is always the possibility that attackers can manipulate a service by interacting with it in unusual ways. Minimize the number of network services running: if you run only the services your organization actually needs, you greatly reduce the attack surface.
  o nmap (network mapper) command – lists the network services reachable on hosts in your network, i.e. what an attacker would see. nmap is not usually installed by default. Use ss -tulpn (or netstat -tulpn on older systems) on the host itself to see which process owns each listening port.
  o For services that are not needed, ensure that they are not started automatically (systemctl disable --now service on Systemd systems).
Secure the services that are necessary as much as possible.
  o Ensure that network service daemons are not run as the root user when possible.
  o For daemon accounts, set an invalid shell in /etc/passwd (such as /sbin/nologin or /bin/false). If an attacker obtained the password of a well-known daemon account (such as the Apache web server's), they would still not get a BASH shell; /sbin/nologin simply prints a message and exits.
  o Install updates promptly; most remote compromises exploit vulnerabilities for which a fix already exists.
  o Use a TCP wrapper, which restricts a network service so that it can be reached only from certain hosts within your organization. A TCP wrapper is a program (tcpd, or the libwrap library linked into the daemon) that accepts connections on behalf of other programs after checking /etc/hosts.allow and /etc/hosts.deny. Note that many current distributions have dropped TCP wrapper support; firewall rules provide the same restriction.
  o Carefully examine the local permissions on files and directories associated with system and network services. Example: if everyone had read permission on the /etc/shadow file, any user could read the password hashes and attempt to crack them offline.
Configure a firewall.
  o Firewalls block unwanted network traffic according to rules that you set.
  o netfilter is the firewall component of the Linux kernel. netfilter accepts or discards network packets according to chains of rules. By default, you can specify firewall rules for three built-in chains of the filter table:
      INPUT chain – for network packets destined for your computer.
      FORWARD chain – for network packets that must pass through your computer (used on routers).
      OUTPUT chain – for network packets that originate from your computer.
    The usual server policy is to set the INPUT chain's default to DROP, allow packets belonging to established connections, and then open only the ports that are needed.
  o iptables command – creates the rules used by the netfilter firewall (current kernels also offer nftables with the nft command, which replaces iptables on newer distributions).
  o ip6tables command – creates the equivalent rules for IPv6. A firewall that only filters IPv4 leaves every service reachable over IPv6.
  o service iptables save command line – since rules live in kernel memory, they are lost when the computer is shut down; on older Red Hat-style systems this command saves them to /etc/sysconfig/iptables. Elsewhere use iptables-save > file and iptables-restore < file.
  o firewalld (Firewall Daemon) – configures netfilter with more flexibility through the use of network zones and service names.
      Network Zone – defines the level of trust for network connections (e.g. public, home, trusted) and can be mutable (changeable) or immutable (unchangeable).
  o firewall-cmd command – manages zones and firewall rules that allow or deny traffic by service or port number. Changes apply to the running configuration unless you add --permanent, in which case they take effect after firewall-cmd --reload.
  o Many Linux distributions also provide a graphical firewall configuration utility.
Configure SELinux (Security Enhanced Linux) – a set of kernel patches and utilities originally created by the NSA (National Security Agency) that enforce mandatory access control on your system, using security policies that prevent applications from accessing resources and system components in insecure ways, even when they run as root.
  o Disabled or set to permissive by default on many Linux distributions (Red Hat-family distributions enable it in enforcing mode). getenforce shows the current mode.
  o Many distributions provide a graphical utility for SELinux.
Configure AppArmor – an alternative to SELinux that provides a similar kind of protection for applications and system resources. It consists of a kernel module and a set of utilities used to attach a profile of permitted files and capabilities to individual programs.
  o The kernel module is installed separately from the utilities, and some distributions ship only the kernel module.
  o AppArmor profiles can be enforced (enforce mode) or used only to generate warnings and log events (complain mode). Run a new profile in complain mode first and switch to enforce once the log shows no legitimate denials.
Use encryption to protect network data – network packets pass through many computers and network devices, so the data inside them could easily be intercepted and read. To prevent this, many technologies apply an encryption algorithm to the data before it is transmitted.
  o An encryption algorithm is a fixed sequence of mathematical steps that scrambles data. Since the steps of encryption algorithms are published, security rests entirely on a secret random value called a key that parameterizes those steps; a public algorithm with a secret key is the intended design, not a weakness.
  o Networking technologies typically use asymmetric encryption, which uses a pair of keys uniquely generated on each system: a public key and a private key.
The public key is given out by the owning system to other systems and is used to encrypt data; only the owning system can decrypt it, using its private key. The private key can also be used to sign data, producing a digital signature that anyone holding the public key can verify (used for authentication). In practice the asymmetric operations authenticate the parties and exchange a session key, and the bulk of the traffic is encrypted with a much faster symmetric algorithm.
  o The two most common uses of asymmetric encryption on Linux are SSH (Secure Shell) and GPG (GNU Privacy Guard).

Detecting Intrusions – the most common way is consistent analysis of log files (/var/log), but specialized programs exist.
  o PAM (Pluggable Authentication Modules) – network applications that authenticate users typically do so through these modules. PAM logs authentication successes and failures either to the journald database (on Systemd) or to a log file in /var/log (auth.log or secure, depending on the distribution), so repeated failed logins from one source show up there.
  o lsof (List Open Files) command – lists files that are currently open by users and system processes. The command line lsof | grep root lists the files currently open by the root user (grep is a search utility). If key configuration files appear in the output and you are not editing them, your system may have been compromised.
  o Buffer overrun exploit – a memory-corruption attack on a program running as root (a network daemon or a SUID binary) that lets the attacker execute code of their choosing; it is commonly used to create executable files owned by root with the SUID bit set. SUID (Set owner User ID upon execution) is a special file permission. Normally, when a program runs it inherits the permissions of the user who started it; with SUID set it runs with the permissions and UID of the file's owner instead (SGID does the same for the GID). A root-owned SUID executable therefore runs as root whoever launches it and gives access to the entire Linux system.
      find / -type f -perm -4000 command line – searches for files that have the SUID bit set (the older -perm +4000 spelling is no longer accepted by GNU find; -perm /6000 finds SUID or SGID files). Compare the result with the list from a known-good state; a new root-owned SUID file is a strong sign of compromise.
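The find command above is most useful when its output is compared with a baseline taken when the system was known to be clean. The script below is an added example, not part of the lecture notes: it records a baseline of set-UID files, checks the live list against it with comm, then plants the kind of SUID shell wrapper a successful root exploit leaves behind and shows the check catching it. The file tree, its contents and the temporary paths are constructed for the example, so it runs without root (chmod u+s is permitted on files you own) and "root-owned" is simulated by the directory layout rather than by real ownership. On a real system replace $TREE with / and keep the baseline on read-only media or another host.

```shell
#!/bin/sh
# Added example: baseline the set-UID files on a tree and report any that
# appear later. The tree and its files are CONSTRUCTED for the example.

WORK=$(mktemp -d)
TREE="$WORK/root"                 # stands in for /
BASELINE="$WORK/suid.baseline"

make_tree() {
    mkdir -p "$TREE/usr/bin" "$TREE/tmp"
    printf '#!/bin/sh\necho passwd\n' > "$TREE/usr/bin/passwd"
    printf '#!/bin/sh\necho ls\n'     > "$TREE/usr/bin/ls"
    chmod 4755 "$TREE/usr/bin/passwd"  # legitimate SUID helper (leading 4 = set-UID bit)
    chmod 755  "$TREE/usr/bin/ls"
}

# -perm -4000 means "all of these bits set". The older +4000 spelling is
# rejected by current GNU find; -perm /6000 would also catch set-GID files.
list_suid() {
    find "$1" -type f -perm -4000 | sort
}

save_baseline() {
    list_suid "$TREE" > "$BASELINE"
}

# Print SUID files absent from the baseline; return 1 if there are any.
# comm -13 keeps only lines unique to the second (live) list.
check_against_baseline() {
    new=$(list_suid "$TREE" | comm -13 "$BASELINE" -)
    [ -z "$new" ] && return 0
    printf 'NEW SUID FILE: %s\n' "$new"
    return 1
}

# What a successful root exploit typically leaves behind: a dropped shell
# wrapper with the SUID bit set, hidden in a world-writable directory.
plant_backdoor() {
    printf '#!/bin/sh\nexec /bin/sh\n' > "$TREE/tmp/.x"
    chmod 4755 "$TREE/tmp/.x"
}

make_tree
save_baseline
check_against_baseline && echo "clean: SUID files match baseline"
plant_backdoor
check_against_baseline || echo "investigate: SUID file not in baseline"
```

Run the check from cron and mail or log its output; an intruder who gains root can also edit a baseline stored on the same disk, which is why Tripwire and AIDE recommend keeping the database somewhere the host cannot write.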
  o Intrusion Detection System (IDS) – a program used to detect intruders. Some common ones:
      Tripwire – checks the integrity of important files and directories by comparing each file's checksum (basically a fingerprint of its contents) against a stored baseline.
      Advanced Intrusion Detection Environment (AIDE) – an alternative to Tripwire with added functionality for checking the integrity of files and directories. For either tool, the baseline database must be created on a clean system and kept where an intruder cannot rewrite it (read-only media or another host), or a compromised system will simply report itself as clean.
      Integrity Checking Utility (ICU) – designed to work with AIDE to check the integrity of Linux computers remotely across a network.
      PortSentry – monitors traffic on ports and detects attackers probing them with port-scanning utilities such as nmap.
      Snort – captures and analyses network packets against attack signatures and can detect a wide range of network attacks and port probes (AirSnort is a separate, older tool for recovering WEP wireless keys, not an IDS).
      Linux Intrusion Detection System (LIDS) – modifies the Linux kernel to increase process and file security and to detect security breaches.
      Simple WATCHer (SWATCH) – monitors log files and alerts administrators when a pattern indicating an intrusion appears.

Performance

Performance is usually monitored through the /proc directory, as discussed in an earlier unit, but there are more utilities, some geared more towards servers. The sysstat (System Statistics) package contains a range of utilities that monitor the system using information from /proc and system devices.
  o mpstat (Multiple Processor Statistics) command – monitors CPU performance, per processor on multiprocessor systems.
  o iostat (Input/Output Statistics) command – measures the flow of information to and from disk devices.
  o sar (System Activity Reporter) command – displays far more information than iostat and mpstat and has many options. By default, sar data collection is scheduled through the cron daemon to run every 10 minutes, so sar can also report history, not just the current state.

Troubleshooting

When a problem occurs, gather as much information about it as possible.
This might include examining system log files and the contents of the /proc filesystem, as well as running information utilities such as ps or mount. You might also research the symptoms on the Internet; web sites and forums often list the log files and commands that check for particular problems.
Next, try to isolate the problem by examining the information gathered. Determine whether the problem is persistent or intermittent and whether it affects all users or just one. You might then generate a list of possible causes and solutions, again with the Internet's help. Implement and test each possible solution until the problem is resolved, applying one change at a time so that you know which one worked.
After the problem has been solved, document the solution for future reference and take proactive maintenance measures to reduce the chance of the same problem recurring.

Hardware-Related Problems

Some hardware-related problems prevent the use of the hardware. These problems are typically specific to the type of hardware.
  o Viewing the output of the dmesg command or journalctl -b (on Systemd systems), or the contents of the /var/log/syslog, /var/log/boot.log, and /var/log/messages log files, isolates most hardware problems.
The absence of a device driver also prevents the operating system from using the associated hardware device. Normally, the Linux kernel detects new hardware at boot time and loads the matching driver module automatically. If the kernel has no driver module for a device, the device cannot be used.
  o View the hardware detected by the Linux kernel with the dmesg or lshw command.
  o To view only the USB devices detected by the kernel, use the lsusb command.
  o Use the lscpu command to view the features of your CPU, or the lspci command to view the PCI devices detected by the Linux kernel.

Software-Related Problems

Applications can fail during execution for a number of reasons, including missing program libraries and files, process restrictions, or conflicting applications.
  o To identify missing or altered files in a package, use rpm -V packagename (RPM-based distributions) or dpkg -V packagename (Debian-based distributions); rpm -qR packagename and apt-cache depends packagename list a package's dependencies.
  o After downloading and installing any shared libraries, run the ldconfig command to ensure that the list of shared library directories (/etc/ld.so.conf) and the cache of shared libraries (/etc/ld.so.cache) are updated. ldd program shows which libraries a program needs and which of them cannot be found.
  o Processes are restricted by a number of constraints that can also prevent them from executing properly.
      All processes require a PID from the system process table. Too many processes on the system can use up all available PIDs; this is typically the result of a large number of zombie processes. Killing the parent of the zombie processes frees their entries in the process table.
      Processes open numerous connections to files in addition to Standard Input, Standard Output, and Standard Error. These connections are called file handles (file descriptors). The ulimit command (ulimit -n for open files, ulimit -u for processes) raises the per-shell limits on the number of file handles a process may hold and the number of processes a user may start; this may be required for programs that start a great many child processes. Persistent per-user limits are set in /etc/security/limits.conf.
  o To isolate application problems not related to missing dependencies or restrictions, first check the log file produced by the application, in /var/log or a subdirectory named for the application.
  o Applications might run into difficulties acquiring resources during execution and stop functioning.
Often, restarting the process with a SIGHUP (Signal Hang Up), which most daemons treat as "reload your configuration" rather than as a kill, solves this problem. Example: kill -s SIGHUP PID [where PID is the process ID]. Use ps or pidof to find the PID, and check the daemon's documentation first, because a program that does not handle SIGHUP will simply terminate.
This condition might also be caused by another process on the system that attempts to use the same resource. Try starting the application when fewer processes are loaded, such as in single-user mode (runlevel 1, or rescue.target on Systemd). If resource conflicts seem to be the source of the problem, check for a newer version of the application or a fix.
Many software-related problems involve the operating system itself. These typically include problems with X Windows, boot loaders, and filesystems.
  o X Windows issues can usually be isolated by viewing the Xorg or XFree86 configuration file and the server log (/var/log/Xorg.0.log), or by executing the xwininfo command.
  o Boot loaders can encounter problems while attempting to load the operating system kernel. For the LILO boot loader, adding the word 'linear' and removing the word 'compact' from /etc/lilo.conf (and rerunning lilo) usually remedies the problem. For the GRUB and GRUB2 boot loaders, errors are typically the result of a missing file in the /boot directory.
  o The filesystem can become corrupted. For non-critical directories (such as /home or /var):
      Unmount the filesystem if it is mounted; never run fsck on a mounted filesystem.
      Run fsck -f on the filesystem device.
      If fsck cannot repair the filesystem, use the mkfs command to re-create it.
      Restore the original data from backup using a backup utility (hopefully you have a backup).
    If the / filesystem becomes corrupted, the system is unstable and must be shut down:
      Boot the system from the installation media to perform a system rescue.
      At the BASH shell prompt during system rescue, use the mkfs command to re-create the filesystem.
      Use the appropriate utility (e.g. tar, restore, cpio) to restore the original data to the re-created / filesystem (hopefully you have a backup).
      Boot the system normally.