RHCE COURSE 253
Unit 1: Introduction to System Services
Service Management
by init
by System V scripts
by direct command
by xinetd
Services Managed by init
Typically non-network services, for example the virtual consoles (mingetty)
Provides respawn capability
Configured in /etc/inittab
System V Service Management
Processes are "wrapped" by System V ("SysV") initialization scripts in /etc/rc.d/init.d
The service command is a "wrapper of wrappers": service <name> start|stop|restart|status runs the script for you
chkconfig
Manages which services start in each run level
List run level definitions with "chkconfig --list"
To start the httpd service on boot: "chkconfig httpd on"
Does not modify the current run state of System V services; use service <name> start as well
xinetd Managed Services
Services are started by xinetd in response to an incoming request
Activated with chkconfig: chkconfig <service> on (sets disable = no in /etc/xinetd.d/<service> and reloads xinetd)
The xinetd Daemon
Manages network services and the access control for them (who may connect, when, and how many at once)
xinetd uses /etc/services to map service names to ports
Linked with libwrap.so, so /etc/hosts.allow and /etc/hosts.deny apply to every xinetd-managed service
Replaces inetd
Configuration files
/etc/xinetd.conf
/etc/xinetd.d/<service>
xinetd default controls
/etc/xinetd.conf
xinetd service controls
/etc/xinetd.d/<service>
The /etc/sysconfig/ files
Fault Analysis
Determine the severity of the fault
Inspect logs
Use command options for debugging
Document
Security Enhanced Linux (SELinux)
SELinux Installation Options and Control
Modes: Enforcing, Permissive (log denials but do not block), Disabled
Policy types when SELinux is enabled: targeted (default; confines selected network daemons), strict
Controlling SELinux
setenforce 0 (permissive) and setenforce 1 (enforcing); getenforce shows the current mode
getsebool and setsebool
/etc/sysconfig/selinux (a symlink to /etc/selinux/config): SELINUX= mode and SELINUXTYPE= policy, applied at boot
system-config-securitylevel
SELinux Contexts
List process contexts: ps -Z (or ps axZ)
List file contexts: ls -Z
Change file contexts: chcon (for example chcon -t httpd_sys_content_t file); restorecon resets a file to the policy default
Troubleshooting SELinux
What is the error?
Check /var/log/messages (or /var/log/audit/audit.log when auditd is running) for AVC denials
Does the target have the right context?
Does a "boolean" setting need adjustment? (getsebool -a to list, setsebool -P to change persistently)
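The troubleshooting steps above start from the AVC denial lines. The script below is an added example (not part of the course material): it summarises denials found in syslog-format lines and maps each object class onto the question to ask next (file context or boolean). The log lines are constructed to look like RHEL-era kernel audit messages; the domain and type names in them are the usual httpd ones but the events themselves are invented.

```sh
#!/bin/sh
# Added example (not from the course): summarise AVC denials found in syslog.
# The log lines below are constructed to look like RHEL-era kernel audit
# messages in /var/log/messages; auditd writes the same field layout.
AVC_SAMPLE='Mar  3 10:12:44 srv kernel: audit(1141380764.123:45): avc:  denied  { getattr } for  pid=2718 comm="httpd" name="index.html" dev=hda2 ino=98765 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Mar  3 10:12:45 srv kernel: audit(1141380765.456:46): avc:  denied  { read } for  pid=2718 comm="httpd" name="index.html" dev=hda2 ino=98765 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Mar  3 10:13:01 srv kernel: audit(1141380781.789:47): avc:  denied  { name_connect } for  pid=2720 comm="httpd" dest=3306 scontext=root:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
Mar  3 10:13:02 srv sshd[2801]: Accepted publickey for alice from 192.168.0.10 port 4022 ssh2'

# avc_summary: syslog lines on stdin; one line per (source domain, target type,
# object class) with a count and the set of denied permissions.
avc_summary() {
  awk '
    /avc: +denied/ {
      b = index($0, "{"); e = index($0, "}")
      perm = substr($0, b + 2, e - b - 3)          # text between "{ " and " }"
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n < 2) continue
        if (kv[1] == "scontext") { split(kv[2], p, ":"); s = p[3] }  # user:role:TYPE[:level]
        if (kv[1] == "tcontext") { split(kv[2], p, ":"); t = p[3] }
        if (kv[1] == "tclass")   c = kv[2]
      }
      key = s " " t " " c
      count[key]++
      if (!((key, perm) in seen)) { seen[key, perm] = 1; perms[key] = perms[key] " " perm }
    }
    END { for (k in count) printf "%d %s {%s }\n", count[k], k, perms[k] }
  ' | sort
}

# avc_hint: turn a summary line into the next troubleshooting step from the unit.
# file/dir classes usually mean a wrong file context (ls -Z, chcon, restorecon);
# socket/port classes usually mean a boolean (getsebool -a | grep <domain>).
avc_hint() {
  while read -r n s t c rest; do
    case $c in
      file|dir|lnk_file)     echo "$s -> $t ($c): check the target context with ls -Z; fix with chcon or restorecon" ;;
      tcp_socket|udp_socket) echo "$s -> $t ($c): look for a boolean with getsebool -a | grep ${s%_t}" ;;
      *)                     echo "$s -> $t ($c): check both the context and the booleans" ;;
    esac
  done
}

printf '%s\n' "$AVC_SAMPLE" | avc_summary | avc_hint
```

Pipe `grep avc /var/log/messages` into `avc_summary` on a real host; repeated (domain, type, class) triples with many permissions are almost always a mislabelled file rather than a policy bug.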
Unit 2: Organizing Networked Systems (DNS Server, DHCP Server)
Domain Name System (DNS)
Resolves hostnames into IP addresses ( forward lookup )
Resolves IP addresses into hostnames ( reverse lookup )
Allows machines to be logically grouped by name domains
Provides email routing information
Zones, Domains & Delegation
A domain is a scope of the DNS namespace: a name and everything below it
A zone is the part of a domain managed by a particular set of name servers
Subdomains may be delegated into additional zones
A zone may directly manage some subdomains
Name Server Hierarchy
Master name server
Slave name server
The DNS Server
Server receives request
If the server does not have the answer, it either resolves the name itself starting from the root servers or forwards the request to another server
Response from upstream server may be final answer or referral to another name server
Berkeley Internet Name Domain (BIND)
BIND is the most widely used DNS server on the Internet
Red Hat Enterprise Linux uses BIND 9
Provides a stable and reliable infrastructure on which to base a domain ’ s name and IP address associations
Runs in a chroot environment (/var/named/chroot) when the bind-chroot package is installed
Service Profile: DNS
bind-chroot
Config file: /etc/sysconfig/named
Define chroot directory: ROOTDIR=/var/named/chroot
Configuring BIND
Default configuration file is /var/named/chroot/etc/named.conf
Text file specifying directives: zones, options, access control lists, etc.
Comments can be in C, C++ or shell style
Global Options
Access Control Lists (acl)
An access control list is a list of semicolon-separated IP addresses, networks, or named address match lists
Use the acl directive to create a custom named list, then reference it in allow-query, allow-recursion and allow-transfer
Name Daemon Control Utility (rndc)
Provides secure remote management of a running name server (rndc reload, rndc status, rndc flush)
named's control channel listens only on the loopback interface (127.0.0.1, port 953) by default
rndc is not a daemon: it is a client that signs each command with the shared key in /etc/rndc.key, which named verifies before acting
Master and Slave Zones
Reverse Lookup Zones
Administrators can read connection logs more easily: a log line that shows the client's FQDN is easier to monitor than one that shows only its IP address
Security: some servers look up the client's FQDN from the connecting IP address, then resolve that FQDN and check that it yields the same address (a double reverse lookup, as tcp_wrappers PARANOID does)
Zone name ends with the special domain .in-addr.arpa
Root Zone and Loopback Zone
Zone Files
Files usually reside in /var/named/chroot/var/named
Begins with $TTL (time to live)
First resource record is the zone's start of authority (SOA)
Zone data in additional resource records
Resource Records (RR)
SOA (Start of Authority)
NS (Name Server)
There should be an NS record for each master and slave name server
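Reverse zones are easy to let drift from the forward zone. As an added example (not from the course, and not BIND's own tooling), the script below derives the in-addr.arpa zone for one /24 from a forward zone file and prints a named.conf zone stanza that restricts zone transfers to the slave and refuses dynamic updates. The forward zone, example.com, the 192.168.0.0/24 network and the slave address are all placeholders; single-line SOA records are assumed and the forward serial is reused.

```sh
#!/bin/sh
# Added example (not from the course): derive a reverse (in-addr.arpa) zone from a
# forward zone file and print the matching named.conf stanza with transfers locked down.
# The forward zone below is constructed; example.com and 192.168.0.0/24 are placeholders.
FWD_ZONE='$TTL 86400
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2006030301 3600 900 604800 86400 )
     IN NS  ns1.example.com.
     IN NS  ns2.example.com.
     IN MX  10 mail.example.com.
ns1  IN A   192.168.0.2
ns2  IN A   192.168.0.3
mail IN A   192.168.0.10
www  IN A   192.168.0.20
ftp  IN CNAME www
lab  IN A   10.0.0.5'

# gen_reverse_zone ORIGIN NET : forward zone on stdin, reverse zone for NET (the first
# three octets of a /24) on stdout. Single-line SOA assumed; the serial is reused.
gen_reverse_zone() {
  awk -v origin="$1" -v net="$2" '
    $1 == "$TTL" { print; next }
    {
      t = 0
      for (i = 2; i <= 3 && i <= NF; i++)          # record type sits in field 2 or 3
        if ($i ~ /^(SOA|NS|A|MX|CNAME|PTR)$/) { t = i; break }
      if (!t) next
      if ($t == "SOA") { print; next }             # same SOA serves the reverse zone
      if ($t == "NS" && ($1 == "IN" || $1 == "@")) { print; next }   # apex NS only
      if ($t != "A") next                          # CNAME/MX have no PTR
      n = split($(t + 1), o, ".")
      if (n != 4 || o[1] "." o[2] "." o[3] != net) next   # address outside this /24
      host = $1
      if (host == "@") fqdn = origin "."
      else if (host ~ /\.$/) fqdn = host
      else fqdn = host "." origin "."
      printf "%-4s IN PTR %s\n", o[4], fqdn
    }'
}

# zone_stanza NAME FILE SLAVE_IP : named.conf "zone" block for a master that only
# answers AXFR from its slave and refuses dynamic updates.
zone_stanza() {
  printf 'zone "%s" IN {\n    type master;\n    file "%s";\n    allow-transfer { %s; };\n    allow-update { none; };\n};\n' "$1" "$2" "$3"
}

printf '%s\n' "$FWD_ZONE" | gen_reverse_zone example.com 192.168.0
zone_stanza 0.168.192.in-addr.arpa 0.168.192.in-addr.arpa.zone 192.168.0.3
```

Run the generated zone through `named-checkzone 0.168.192.in-addr.arpa <file>` before loading it, and bump the serial whenever the forward zone changes, or the slave will keep serving the old PTR data.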
Unit 3: Network File Sharing Services (NFS Server, FTP Server, Samba Server)
Network File Service (NFS)
The Red Hat Enterprise Linux NFS service is similar to that of other BSD and UNIX variants
Exports are listed in /etc/exports
Server is notified of changes to the exports list with 'exportfs -r'
Shared directories are accessed through the mount command
The NFS server is an RPC service and thus requires portmap
Service Profile: NFS
NFS Server
Exported directories are defined in /etc/exports
Client-side NFS
/etc/fstab can be used to specify network mounts
NFS shares are mounted at boot time by /etc/rc.d/init.d/netfs
autofs mounts NFS shares on demand and unmounts them when idle
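Most NFS exposures come from the /etc/exports syntax itself: a missing host, a bare `*`, or `no_root_squash` on a writable export. The script below is an added example (not from the course or from nfs-utils) that flags those cases in an exports file; the exports file it reads is constructed and the paths and networks are placeholders.

```sh
#!/bin/sh
# Added example (not from the course): flag the /etc/exports mistakes that matter for
# security. The exports file below is constructed; paths and networks are placeholders.
EXPORTS_SAMPLE='# /etc/exports (constructed sample)
/srv/share    192.168.0.0/24(ro,sync)
/home         192.168.0.0/24(rw,sync,root_squash)
/srv/pub      *(ro,sync)
/srv/build    192.168.0.20(rw,sync,no_root_squash) 192.168.0.21(rw,sync)
/srv/bad      (rw,no_root_squash,insecure)
/srv/everyone *(rw)'

# nfs_exports_audit: exports file on stdin, one finding per line on stdout.
nfs_exports_audit() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    {
      path = $1
      for (i = 2; i <= NF; i++) {                 # each token is host(options)
        tok = $i; host = tok; opts = ""
        p = index(tok, "(")
        if (p > 0) { host = substr(tok, 1, p - 1); opts = substr(tok, p + 1, length(tok) - p - 1) }
        opts = "," opts ","                       # so every option matches as ,name,
        world = (host == "" || host == "*")
        if (host == "")
          print path ": no host before the options (a space before the parenthesis exports to every host)"
        else if (host ==  "*")
          print path ": exported to every host (*)"
        if (world && index(opts, ",rw,"))
          print path ": writable by every host"
        if (index(opts, ",no_root_squash,"))
          print path ": no_root_squash for " (host == "" ? "every host" : host) " (remote root is root on this export)"
        if (index(opts, ",insecure,"))
          print path ": insecure for " (host == "" ? "every host" : host) " (requests accepted from unprivileged client ports)"
      }
    }'
}

printf '%s\n' "$EXPORTS_SAMPLE" | nfs_exports_audit
```

Run it as `nfs_exports_audit < /etc/exports` after every edit and before `exportfs -r`; `exportfs -v` then shows what the kernel actually exported, which is the list to compare against.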
NIS (Network Information Service) Overview
Service Profile: NIS
NIS Server Configuration
Install the portmap and ypserv RPMs
Set the NIS domain name
In /var/yp/securenets, specify the networks that may use your server
Start ypserv
Configuring a Master Server
To share only user, group, and host name information, edit /var/yp/Makefile
Build the NIS maps from local files by using the makefile: /usr/lib/yp/ypinit -m
Start yppasswdd to allow password updates
Configuring a Slave Server
Include the names of all slave servers in the master’s /var/yp/ypservers file
On the slave, transfer the initial NIS maps from the master server: /usr/lib/yp/ypinit -s master
To rebuild and push NIS maps from master to slave, on the master run : cd /var/yp; make
NIS Client Configuration
Must install ypbind and portmap RPMs
authconfig Command
NIS Troubleshooting
Check log files in /var/log for errors first
Is the default firewall still turned on?
Are services running and registered with portmap?
rpcinfo -p hostname
Use ypwhich to verify which server a client is bound to, if any
Use ypcat and getent to verify that NIS data is available
File Transfer Protocol (FTP)
vsftpd – the default RHEL ftp server
No longer managed by xinetd
Allows anonymous access, local (real) user access, or both; nothing else
/etc/vsftpd/vsftpd.conf is the main configuration file
Service Profile: FTP
Samba services
authentication and authorization of users
file and printer sharing
name resolution (NetBIOS)
Samba Daemons
smbd
nmbd
Service Profile: SMB
Configuring Samba
Configuration in /etc/samba/smb.conf
Configuration in system-config-samba
Configuration in samba-swat
Hand-editing smb.conf is recommended
Overview of smb.conf Sections
Configuring File and Directory Sharing
public (guest ok) – guests may connect to the share without a password
browseable – share is visible in browse lists
writable – share is read-write (the default is read-only)
Unit 4: Electronic Mail Services (Sendmail, Postfix)
Sendmail Features
Allow many different types of email addresses to be routed
Allows masquerading of users and machines
Provides automatic retry for failed delivery and other error conditions
Security and “ Anti-spam ” Features
An Email Review
Mail User Agent (MUA)
Mail Transport Agent (MTA)
Mail Delivery Agent (MDA)
Server Operations
Service Profile: Sendmail
Main Configuration Files
/etc/mail/sendmail.cf is the main configuration file for Sendmail
/etc/mail/submit.cf is used when Sendmail is called by a user program
Other Configuration Files
/etc/aliases
/etc/mail/local-host-names
Sendmail Configuration with the m4 Macro Language
m4 is a macro language that can help configure the sendmail.cf file
Red Hat ’ s default Sendmail configuration is generated from the m4 specification in /etc/mail/sendmail.mc
Red Hat recommends configuring Sendmail with m4 using sendmail.mc as a starting point
Sendmail m4 Macro File: Introduction
All sendmail.mc macro configuration files should define the OS type (OSTYPE), file locations and the desired features (FEATURE)
Sendmail m4 Macro File: Features
Sendmail Client Configuration
Other Valuable m4 directives
FEATURE(`dnsbl') : rejects mail from senders listed in a DNS-based blackhole list
FEATURE(`relay_based_on_MX') : automatically allows relaying for any domain whose MX record points at this server; dangerous, because anyone who controls a domain's DNS can make your server relay for it
Additional Sendmail Configuration Files
/etc/mail/virtusertable
/etc/mail/access
OK: accept mail from this host or sender even if other rules would reject it
RELAY: accept mail from (or to) this host or domain for relaying
REJECT: reject the sender with an error
DISCARD: accept the mail, then silently discard it
Blacklisting Recipients
FEATURE(`blacklist_recipients')
Any entry in the access file whose value is REJECT or an error code also blocks that address as a recipient
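Sendmail consults the access map from the most specific key to the least specific: a full address or host name, then each parent domain; a full IPv4 address, then each shorter prefix. The function below is an added example (not from the course or from sendmail) that emulates that walk over a constructed access file, so you can check what a given connecting host would get before building the map. Real deployments build a hash database with makemap and may prefix keys with Connect:, From: or To: tags, which are not modelled here.

```sh
#!/bin/sh
# Added example (not from the course): emulate how sendmail walks the access map for a
# connecting host, most specific key first. The access file below is constructed; real
# deployments build a hash db from it with makemap and may use Connect:/From:/To: tags.
ACCESS_SAMPLE='# constructed /etc/mail/access
localhost.localdomain   RELAY
localhost               RELAY
127.0.0.1               RELAY
192.168.0               RELAY
192.168.0.66            REJECT
spammer.example.net     REJECT
example.net             OK
badguy.example.org      DISCARD
10                      REJECT'

# access_lookup KEY : KEY is a host name or IPv4 address. Prints RELAY, OK, REJECT,
# DISCARD or "default" (no entry: accept for local recipients, no relaying).
access_lookup() {
  local key=$1 val
  while [ -n "$key" ]; do
    val=$(printf '%s\n' "$ACCESS_SAMPLE" |
          awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }')
    if [ -n "$val" ]; then echo "$val"; return 0; fi
    case $key in
      *[!0-9.]*) case $key in *.*) key=${key#*.} ;; *) key= ;; esac ;;   # name: drop leftmost label
      *)         case $key in *.*) key=${key%.*} ;; *) key= ;; esac ;;   # IPv4: drop rightmost octet
    esac
  done
  echo default
}

for h in 192.168.0.10 192.168.0.66 mail.example.net spammer.example.net 10.9.8.7 172.16.1.1; do
  printf '%-22s %s\n' "$h" "$(access_lookup "$h")"
done
```

Note how `192.168.0.66 REJECT` wins over `192.168.0 RELAY` because it is found first, and how the bare `10` entry rejects the whole 10.0.0.0/8 block; a short key is a wide net.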
Debugging Sendmail
/etc/mail/local-host-names
mail -v user
mailq and mailq -Ac (the client submission queue)
tail -f /var/log/maillog
Using alternatives
alternatives --display mta
alternatives --config mta
system-switch-mail
Postfix
A replacement for Sendmail
Sendmail-compatible
Speed
Ease of Administration
Security
Service Profile: Postfix
Configuring Postfix
Installation postfix RPM packages
Activate with alternatives
Set up minimal configuration directives
Start with service
Additional Postfix Configuration
Procmail Delivery
Procmail is a very powerful delivery tool
Unit 5: The HTTP Service (Apache, Proxy)
Apache Overview
Pre-forks child processes before they are needed
adapt number of processes to demand
run-time extensibility without recompiling
Multiple web sites may share the same web server
Service Profile: HTTPD
Apache Configuration
Main server configuration stored in /etc/httpd/conf/httpd.conf
Module configuration files stored in /etc/httpd/conf.d/*
DocumentRoot default /var/www/html/
Apache Server Configuration
Min and Max Spare Servers
Host name lookup
Virtual Hosts
user/group
Apache Namespace Configuration
Virtual Hosts
Apache Access Configuration
Apache provides directory- and file-level host-based access control
Host specifications may include full or partial dotted IP addresses, network/netmask (or network/bits), and host or domain names
The Order directive (Order allow,deny or Order deny,allow) sets which of Allow and Deny is evaluated first and which decision applies when neither matches
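The Order directive is the usual source of "why is everyone locked out" tickets. The script below is an added example (not from the course or from httpd) that evaluates Allow/Deny host specifications with the Apache 2.2 rules: with `Order allow,deny` the default is deny and a request must match an Allow and no Deny; with `Order deny,allow` the default is allow and a Deny only takes effect if no Allow matches. The client addresses and names are placeholders.

```sh
#!/bin/sh
# Added example (not from the course): evaluate Apache 2.2-style Order/Allow/Deny host
# access the way httpd does, to show why "Order allow,deny" plus "Deny from all" locks
# everyone out. Inputs are the directive arguments; no httpd is involved.

ip2int() {  # dotted quad -> integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# host_matches SPEC CLIENT_IP [CLIENT_HOST] : one "Allow from"/"Deny from" argument
host_matches() {
  local spec=$1 ip=$2 host=$3 mask net
  case $spec in
    all) return 0 ;;
    */*)                                    # network/netmask or network/bits
      net=${spec%/*}; mask=${spec#*/}
      case $mask in
        *.*) mask=$(ip2int "$mask") ;;
        *)   mask=$(( (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF )) ;;
      esac
      [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
    *[!0-9.]*)                              # host or domain name: the name itself or a parent domain
      [ -n "$host" ] || return 1            # no reverse lookup result: a name can never match
      [ "$host" = "${spec#.}" ] && return 0
      case $spec in .*) ;; *) spec=".$spec" ;; esac
      [ "${host%"$spec"}" != "$host" ] ;;
    *)                                      # full or partial IP, matched on octet boundaries
      [ "$ip" = "$spec" ] && return 0
      case $ip in "${spec%.}".*) return 0 ;; esac
      return 1 ;;
  esac
}

# apache_access ORDER "ALLOW_SPECS" "DENY_SPECS" CLIENT_IP [CLIENT_HOST]
apache_access() {
  local order=$1 allow=$2 deny=$3 ip=$4 host=$5 a=no d=no s
  for s in $allow; do host_matches "$s" "$ip" "$host" && a=yes; done
  for s in $deny;  do host_matches "$s" "$ip" "$host" && d=yes; done
  case $order in
    allow,deny)   # default deny; an Allow must match and no Deny may match
      if [ $a = yes ] && [ $d = no ]; then echo allowed; else echo denied; fi ;;
    deny,allow)   # default allow; a Deny only bites when no Allow matches
      if [ $d = yes ] && [ $a = no ]; then echo denied; else echo allowed; fi ;;
    *) echo "unsupported Order: $order" >&2; return 2 ;;
  esac
}

echo "allow,deny  Allow 192.168.0.0/24  Deny 192.168.0.66  client 192.168.0.10: $(apache_access allow,deny 192.168.0.0/24 192.168.0.66 192.168.0.10)"
echo "allow,deny  Allow 192.168.0       Deny all           client 192.168.0.5:  $(apache_access allow,deny 192.168.0 all 192.168.0.5)"
echo "deny,allow  Allow .example.com    Deny all           host www.example.com: $(apache_access deny,allow .example.com all 203.0.113.5 www.example.com)"
```

The second line is the classic mistake: `Deny from all` matches every client under `Order allow,deny`, so the Allow never wins. Name-based specifications also need `HostnameLookups` (or a double reverse lookup) to work, which is why the first bullet above prefers numeric forms.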
Using .htaccess Files
CGI
CGI programs are restricted to separate directories by ScriptAlias directive
Apache can greatly speed up CGI programs with loaded modules such as mod_perl
Notable Apache Modules
mod_perl
mod_php
mod_speling
Squid Web Proxy Cache
Squid listens on port 3128 by default (http_port); it can easily be changed to 8080 if required
Like Sendmail, the default Squid configuration serves only the local host: its http_access rules allow localhost and deny everything else
Service Profile: Squid
Unit 6:Authentication Services
User Authentication
Two kinds of information must always be provided for each user account
Account information
Authentication
Account Information
Name services accessed through library functions map names to information
Originally, name service was provided only by local files like /etc/passwd
Applications normally do not look directly in /etc/passwd for this information; they call the name service library functions
Name Service Switch
NSS is the mechanism which allows configuration and extension of the name services supported by libc
/etc/nsswitch.conf controls which name services to check in what order
getent
getent database
getent database name
Authentication
Hashes the password provided at login
Compares it to the stored hash obtained through NSS (the shadow database for local accounts)
If the hashes match, authentication passes
PAM
Pluggable Authentication Modules
Application calls libpam functions to authenticate and authorize users
libpam performs the checks listed in the application's PAM configuration file in /etc/pam.d/
Shared, dynamically configurable code
PAM Operation
/etc/pam.d/ Files: Tests
auth authenticates that the user is who they claim to be
account authorizes that the account may be used (expiry, time of day, access lists)
password controls password changes
session opens, closes, and logs the session
/etc/pam.d Files: Control Values
required: failure makes the stack fail, but the remaining modules still run (so the user cannot tell which step failed)
requisite: failure makes the stack fail immediately
sufficient: success ends the stack with success unless an earlier required module failed; failure is ignored
optional: result only matters if it is the only module in the stack
Example /etc/pam.d/ File
pam_stack: includes another stack (service=system-auth) so every service shares one policy
pam_unix
auth gets the hashed password from NSS and compares it to the hash of the entered password
account checks for password expiration
password handles password changes to local files or NIS
session records login and logout to the logs
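The control values are easiest to understand by running a stack. The script below is an added example (not from the course or from Linux-PAM) that walks one management group with simulated module results, using the required/requisite/sufficient/optional rules above. The stack it builds is constructed to resemble a RHEL login auth stack flattened with system-auth; module results are supplied as `ok` or `fail` rather than obtained from real modules.

```sh
#!/bin/sh
# Added example (not from the course): walk a PAM stack for one management group (auth)
# with Linux-PAM's control-flag rules, using simulated module results. Stack lines are
# "control module result" where result is ok or fail.
pam_eval() {
  awk '
    NF < 3 || /^[ \t]*#/ { next }
    {
      ctl = $1; mod = $2; ok = ($3 == "ok"); n++
      if (ctl == "required")       { if (!ok && failed == "") failed = mod }   # remember, keep going
      else if (ctl == "requisite") { if (!ok) { verdict = "denied (requisite " mod " failed, stack aborted)"; exit } }
      else if (ctl == "sufficient"){ if (ok && failed == "") { verdict = "granted (sufficient " mod " succeeded)"; exit } }
      else if (ctl == "optional")  { nopt++; optok = ok }           # only counts if it is the whole stack
      else { verdict = "error (unknown control flag " ctl ")"; exit }
    }
    END {
      if (verdict != "")     print verdict
      else if (n == 0)       print "error (empty stack)"
      else if (failed != "") print "denied (required " failed " failed; stack ran to the end to hide which step)"
      else if (n == nopt)    print (optok ? "granted (only optional modules)" : "denied (only optional modules)")
      else                   print "granted (all required modules succeeded)"
    }'
}

# login_auth_stack SECURETTY_RESULT PAM_UNIX_RESULT : constructed auth stack resembling
# /etc/pam.d/login with system-auth pulled in through pam_stack.
login_auth_stack() {
  printf 'required   pam_securetty.so  %s\n' "$1"
  printf 'required   pam_env.so        ok\n'
  printf 'sufficient pam_unix.so       %s\n' "$2"
  printf 'required   pam_deny.so       fail\n'
}

for tty in ok fail; do
  for pw in ok fail; do
    printf 'securetty=%-4s password=%-4s -> ' "$tty" "$pw"
    login_auth_stack "$tty" "$pw" | pam_eval
  done
done
printf 'requisite securetty, good password -> '
printf 'requisite pam_securetty.so fail\nsufficient pam_unix.so ok\n' | pam_eval
```

The trailing `required pam_deny.so` is what makes the stack fail closed when pam_unix does not succeed; and because pam_securetty is `required` rather than `requisite`, root on an unlisted terminal is still asked for a password and only learns "denied" afterwards.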
Network Authentication
auth Modules
pam_securetty fails if the user is attempting to log in as root from a virtual console or serial terminal not listed in /etc/securetty
pam_nologin fails if the user is not root and the file /etc/nologin exists
pam_listfile checks a characteristic of the authentication against a list in a file
Password Security
Password Policy
Password history
Password strength
Failed login monitoring
session Modules
pam_limits enforces resource limits
pam_console sets permissions on local devices for console users
Utilities and Authentication
PAM Troubleshooting
Unit 7: System Monitoring
Introduction to System Monitoring
Security breaches or system malfunctions can be detected with regular system monitoring
System monitoring includes : File system monitoring, Log file analysis, Process monitoring
File System Analysis
Regular file system monitoring can prevent
Exhausting file system resources
Security breaches due to poor access controls
Utilities: df , du , logwatch
Set User ID and Set Group ID Permissions
Programs owned by root with SUID or SGID permissions run with root's privileges and can be dangerous
Security policy should include monitoring SUID programs
Prevent SUID and SGID permissions on filesystems with nosuid mount option
Typical Problematic Permissions
File without known owners may indicate unauthorized access
File/Directories with “other” write permission (o+w) may indicate a problem
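The three bullets above are find invocations. The script below is an added example (not from the course) that runs them against a throwaway directory tree so the output can be checked without root, and compares SUID/SGID results against a saved baseline, which is the form this monitoring takes in practice. The tree and its file names are constructed; on a real host run perm_audit on / as root.

```sh
#!/bin/sh
# Added example (not from the course): the find invocations behind "monitor SUID programs"
# and "problematic permissions", run against a constructed directory tree so they can be
# tried without root. On a real host run perm_audit / (as root) and diff against a baseline.

# perm_audit DIR : list SUID, SGID, world-writable (non-sticky) and unowned paths under DIR
perm_audit() {
  local dir=$1
  find "$dir" -xdev -type f -perm -4000 -print | sed 's/^/SUID /'
  find "$dir" -xdev -type f -perm -2000 -print | sed 's/^/SGID /'
  find "$dir" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print | sed 's/^/WORLD-WRITABLE /'
  find "$dir" -xdev \( -nouser -o -nogroup \) -print | sed 's/^/UNOWNED /'
}

# make_demo_tree : build a throwaway tree with one of each problem; prints its path
make_demo_tree() {
  local t
  t=$(mktemp -d) || return 1
  mkdir -p "$t/bin" "$t/tmp" "$t/home/alice"
  printf '#!/bin/sh\necho hi\n' > "$t/bin/setuid-tool"; chmod 4755 "$t/bin/setuid-tool"
  : > "$t/bin/setgid-tool";                              chmod 2755 "$t/bin/setgid-tool"
  : > "$t/home/alice/notes";                             chmod 666  "$t/home/alice/notes"
  : > "$t/home/alice/ok";                                chmod 644  "$t/home/alice/ok"
  chmod 1777 "$t/tmp"      # sticky world-writable directory like /tmp: legitimate, not reported
  echo "$t"
}

# baseline_diff BASELINE DIR : SUID/SGID entries under DIR that are not in a saved,
# sorted baseline (build it with: perm_audit DIR | grep -E '^S[UG]ID ' | sort > BASELINE)
baseline_diff() {
  local baseline=$1 dir=$2
  perm_audit "$dir" | grep -E '^S[UG]ID ' | sort | comm -13 "$baseline" -
}

demo=$(make_demo_tree)
perm_audit "$demo"
rm -rf "$demo"
```

Put the baseline on read-only media or in a package database checksum (`rpm -Va` covers files that came from packages) so the comparison itself cannot be edited by whoever added the new SUID binary; and remember the `nosuid` mount option for filesystems where no SUID program belongs.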
EXT2/3 Filesystem Attributes
Show attributes with lsattr
A : atime is not updated when the file is accessed
a : File can only be opened in append mode for writing (root only)
d : File is excluded in backup by dump.
i : File is immutable: it cannot be modified, deleted, renamed or linked to (root only)
j : File data is journaled to ext3 journal (root only)
S : when the file is modified, the changes are written synchronously to the filesystem
System Log Files
Why monitor log files?
Which logs to monitor?
Logging Services
syslogd and klogd Configuration
syslogd and klogd are configured in /etc/syslog.conf
Advanced syslogd Configuration
Log File Analysis
Log file analysis should be performed on a regular basis
logwatch can be installed to run from cron (daily by default, via /etc/cron.daily) and report possible issues
Monitoring Processes
Monitor processes to determine:
Cause of decreased performance
If suspicious processes are executing
Monitoring utilities
top
gnome-system-monitor
sar
top
View processor activity in real-time
Interactively kill or renice processes
GUI system monitoring tools:
gnome-system-monitor : GNOME system monitor
kpm : KDE version of system monitor
System Activity Reporting
Installation of the sysstat RPM automatically configures frequent system activity reports through the cron service
Process Accounting Tools
history : shell built-in listing the commands the current user has run
last : displays users' login history from /var/log/wtmp
Unit 8: Securing Networks
IP Forwarding
How to configure the server as a router?
What is a firewall?
How to prevent Internet attacks using firewall?
What is dynamic routing?
Routing
How do packets travel between two networks?
What is a default router?
What are routing records?
How to create a new routing record?
Netfilter Overview
How are packets filtered?
How does netfilter relate to the OSI model?
How does the iptables command communicate with netfilter in the kernel?
How is netfilter controlled?
Netfilter Architecture
What are the functions of iptables?
What is a table?
What is a filter?
How to configure filters for specific type of packet?
What is NAT?
How is address translation specified for certain packets?
What is mangle?
How are packet headers altered (TOS, TTL, marks)?
What is a chain?
What is a rule?
What is a policy?
Netfilter Tables and Chains
What does the filter table do?
Demonstrate filter operations
What does the nat table do?
Demonstrate how NAT works
What does the mangle table do?
Demonstrate mangle operations
What types of chain exist in iptables?
What is an input packet?
What is a forward packet?
What is an output packet?
What is a pre-routing packet?
What is a post-routing packet?
Netfilter Packet Flow
Rule Matching
Principles for designing rules
Rule Targets
What does a rule target do?
What is a drop target?
What is an accept target?
What is a reject target?
What is a log target?
Basic Chain Operations
the -A command (append a rule to a chain)
the -D command (delete a rule)
the -I command (insert a rule at a given position)
the -R command (replace a rule)
the -L command (list rules; add -n -v --line-numbers)
the -F command (flush all rules in a chain)
Additional Chain Operations
the -Z command (zero the packet and byte counters)
the -N command (create a new user-defined chain)
the -X command (delete an empty user-defined chain)
Rules: General Considerations
Match Criteria ( filter table )
What are the contents in the packet header?
Which iptables options select packets in the filter table?
the -p option (protocol)
the -s option (source address or network)
the -d option (destination address or network)
the -j option (jump to a target)
the -i option (incoming interface)
the -o option (outgoing interface)
TCP Match Extensions ( filter table )
Which iptables options match TCP packets? (--sport, --dport, --syn, --tcp-flags)
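The questions in this unit come together in two rule sets: a stateful host firewall and a masquerading router. The script below is an added example (not from the course) that builds both from the chain operations and match options listed above. It prints the commands instead of running them unless DRY_RUN=0, so it can be read and checked without root; the ssh source network, the LAN and the interface name are placeholders.

```sh
#!/bin/sh
# Added example (not from the course): a host firewall and a NAT router built from the
# chain operations and match options listed above. Commands are printed rather than run
# unless DRY_RUN=0 (then run as root). Interfaces and networks are placeholders.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# fw_rules SSH_SOURCE : stateful INPUT policy. Flush first and set the DROP policy last,
# so a live reload never leaves the host without its ACCEPT rule for established sessions.
fw_rules() {
  local ssh_from=$1
  run iptables -F
  run iptables -X
  run iptables -N LOGDROP                                   # user chain: log (rate-limited), then drop
  run iptables -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix IPT_DROP:
  run iptables -A LOGDROP -j DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -m state --state INVALID -j DROP
  run iptables -A INPUT -p tcp --dport 22 -s "$ssh_from" -m state --state NEW -j ACCEPT
  run iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
  run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
  run iptables -A INPUT -j LOGDROP                          # everything else: logged, then dropped
  run iptables -P OUTPUT ACCEPT
  run iptables -P FORWARD DROP
  run iptables -P INPUT DROP
}

# nat_rules LAN_NET WAN_IF : turn the host into a masquerading router for LAN_NET
nat_rules() {
  local lan=$1 wan=$2
  run sysctl -w net.ipv4.ip_forward=1                       # persist as net.ipv4.ip_forward = 1 in /etc/sysctl.conf
  run iptables -t nat -A POSTROUTING -s "$lan" -o "$wan" -j MASQUERADE
  run iptables -A FORWARD -s "$lan" -o "$wan" -j ACCEPT
  run iptables -A FORWARD -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -j LOGDROP
}

fw_rules 192.168.0.0/24
nat_rules 192.168.0.0/24 eth0
```

After applying for real, `iptables -L -n -v --line-numbers` shows the counters per rule, and `service iptables save` writes the running set to /etc/sysconfig/iptables so it survives a reboot. Keep a console session open the first time: a policy of DROP with a typo in the ssh rule is the commonest way to lock yourself out.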
Unit 9: Securing Services
System V Startup Control
Determine which services are running from SysV startup scripts or xinetd
chkconfig --list
chkconfig <service-name> off
Securing the Service
Service-specific configuration
General configuration
tcp_wrappers Configuration
Configuration stored in two files:
Permissions in /etc/hosts.allow
Denials in /etc/hosts.deny
Daemon Specification
Applications pass name of their executable
Multiple services can be specified
Use wildcard ALL to match all service
Client Specification
by IP address (192.168.0.100) or by an address prefix ending in a dot (10.0.1.)
by network / netmask (192.168.0.0/255.255.255.0)
by host name (www.redhat.com, .example.com)
Advanced Syntax
ALL : always matches
LOCAL : all hosts without a dot in their name
UNKNOWN : all hosts that cannot be looked up
KNOWN : all hosts that can be determined
PARANOID : matches all hosts where lookup and reverse lookup do not match
The EXCEPT operator can be used in daemon and client lists to exclude some hosts from your match
Options
Example
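As an added example (not from the course or from the tcp_wrappers library), the script below applies the hosts_access search order to a daemon/client pair: hosts.allow is searched first and a match grants access, then hosts.deny where a match refuses it, and a client matching neither is allowed. It supports the pattern forms listed above (ALL, LOCAL, KNOWN/UNKNOWN, leading-dot domain suffix, trailing-dot address prefix, network/netmask and EXCEPT). Both files are constructed; KNOWN and UNKNOWN are decided by whether a client name is supplied, and PARANOID is not modelled because it needs a real double lookup.

```sh
#!/bin/sh
# Added example (not from the course): apply the hosts_access search order (hosts.allow
# first, then hosts.deny, otherwise permit) to a daemon/client pair, with the pattern
# forms listed above. Both files below are constructed; hosts and networks are placeholders.
# KNOWN/UNKNOWN are decided by whether a client name was supplied; PARANOID is not modelled.
HOSTS_ALLOW='# constructed /etc/hosts.allow
sshd : 192.168.0. EXCEPT 192.168.0.66
ALL : LOCAL, .example.com
vsftpd : 10.0.0.0/255.255.0.0'
HOSTS_DENY='ALL : ALL'

ip2int() { set -- $(printf '%s' "$1" | tr '.' ' '); echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# tw_item ITEM KIND VALUE HOST : one token of a daemon list (KIND=daemon) or client list
tw_item() {
  local item=$1 kind=$2 val=$3 host=$4 mask
  [ "$item" = ALL ] && return 0
  if [ "$kind" = daemon ]; then [ "$item" = "$val" ]; return; fi
  case $item in
    LOCAL)   [ -n "$host" ] || return 1; case $host in *.*) return 1 ;; esac; return 0 ;;
    KNOWN)   [ -n "$host" ] ;;
    UNKNOWN) [ -z "$host" ] ;;
    .*)      [ -n "$host" ] && [ "${host%"$item"}" != "$host" ] ;;      # domain suffix
    *.)      case $val in "$item"*) return 0 ;; esac; return 1 ;;       # address prefix
    */*)     mask=$(ip2int "${item#*/}")                                # network/netmask
             [ $(( $(ip2int "$val") & mask )) -eq $(( $(ip2int "${item%/*}") & mask )) ] ;;
    *)       [ "$item" = "$val" ] || [ "$item" = "$host" ] ;;
  esac
}

# tw_list LIST KIND VALUE HOST : a comma/space separated list, honouring one EXCEPT
tw_list() {
  local list=$1 kind=$2 val=$3 host=$4 item
  case " $list " in
    *" EXCEPT "*)
      tw_list "${list%%EXCEPT*}" "$kind" "$val" "$host" && ! tw_list "${list#*EXCEPT}" "$kind" "$val" "$host"
      return ;;
  esac
  for item in $(printf '%s' "$list" | tr ',' ' '); do
    tw_item "$item" "$kind" "$val" "$host" && return 0
  done
  return 1
}

# tw_file CONTENT DAEMON IP HOST : does any "daemons : clients [: options]" line match?
tw_file() {
  local daemon=$2 ip=$3 host=$4 line rest
  printf '%s\n' "$1" | while IFS= read -r line; do
    line=${line%%#*}; rest=${line#*:}
    [ "$line" != "$rest" ] || continue           # no ':' means a blank or comment line
    if tw_list "${line%%:*}" daemon "$daemon" "" && tw_list "${rest%%:*}" client "$ip" "$host"; then
      echo match; break
    fi
  done | grep -q match
}

# tw_check DAEMON IP [HOST] : allow or deny, as libwrap would decide
tw_check() {
  if tw_file "$HOSTS_ALLOW" "$1" "$2" "$3"; then echo allow
  elif tw_file "$HOSTS_DENY" "$1" "$2" "$3"; then echo deny
  else echo allow; fi                             # matched neither file: access granted
}

for q in "sshd 192.168.0.10" "sshd 192.168.0.66" "in.telnetd 203.0.113.9 pc.example.com" "vsftpd 10.0.200.1" "vsftpd 172.16.0.1"; do
  set -- $q; printf '%-12s %-16s %-16s %s\n' "$1" "$2" "${3:--}" "$(tw_check "$@")"
done
```

Without the `ALL : ALL` line in hosts.deny every unmatched client is allowed, which is why the file must exist with that line even when hosts.allow looks complete. The real library also has `tcpdmatch` for exactly this kind of dry run: `tcpdmatch sshd 192.168.0.66`.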
Securing xinetd-managed services
tcp_wrappers is still used
xinetd provides its own set of access control functions
host-based
time-based
xinetd Access Control
Host Patterns
numeric address
hostname or domain
IP address/netmask range
Advanced Security Options
Access by time
Number of simultaneous connections
Unit 10: Securing Data
The Need For Encryption
Insecure traditional protocols
Insecure passwords
Insecure information
Insecure authentication
Cryptographic Building Blocks
Random Numbers
One Way Hashes
Symmetric Algorithms
Asymmetric Algorithms
Digital Certificates
Random Numbers
One-Way Hashes
Symmetric Encryption
Based upon a single key
DES, 3DES, Blowfish, RC2, RC4, RC5, IDEA, CAST5
Asymmetric Encryption
What one key encrypts, the other decrypts
Digital Certificates
OpenSSH Overview
OpenSSH Server Configuration
sshd configuration file: /etc/ssh/sshd_config (the first occurrence of a keyword wins; later duplicates are ignored)
Protocol
ListenAddress
PermitRootLogin
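The script below is an added example (not from the course or from OpenSSH) that checks the three keywords above the way sshd reads its file: comment lines are skipped and the first occurrence of each keyword is the one that counts. The sshd_config it reads is constructed, with a later `PermitRootLogin no` that is silently ignored because an earlier `yes` comes first; the listen address is a placeholder.

```sh
#!/bin/sh
# Added example (not from the course): check the three sshd_config keywords named above
# the way sshd reads the file (first occurrence of a keyword wins, '#' lines ignored).
# The configuration below is constructed; the address is a placeholder.
SSHD_CONF_SAMPLE='# constructed /etc/ssh/sshd_config
Protocol 2,1
ListenAddress 0.0.0.0
PermitRootLogin yes
#PermitRootLogin no
PermitRootLogin no'

# sshd_audit : sshd_config on stdin, one warning per line on stdout (nothing when clean)
sshd_audit() {
  awk '
    /^[ \t]*#/ || NF < 2 { next }
    { k = tolower($1); if (!(k in val)) val[k] = $2 }        # first value wins, as in sshd
    END {
      if (!("protocol" in val))
        print "Protocol: not set; set Protocol 2 explicitly (older OpenSSH releases default to 2,1)"
      else if (index("," val["protocol"] ",", ",1,"))
        print "Protocol: " val["protocol"] " allows SSH-1; set Protocol 2"
      if (!("permitrootlogin" in val))
        print "PermitRootLogin: not set; the default is yes, set PermitRootLogin no"
      else if (tolower(val["permitrootlogin"]) == "yes")
        print "PermitRootLogin: yes; set no (or without-password if root needs key-only access)"
      if (!("listenaddress" in val) || val["listenaddress"] == "0.0.0.0" || val["listenaddress"] == "::")
        print "ListenAddress: sshd listens on every interface; bind it to the management address"
    }'
}

printf '%s\n' "$SSHD_CONF_SAMPLE" | sshd_audit
```

Run `sshd_audit < /etc/ssh/sshd_config` and then `sshd -t` before restarting; `sshd -t` catches syntax errors but says nothing about a `PermitRootLogin no` that never takes effect.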