Linux Guide to Linux Certification - PowerPoint PPT Presentation


Presentation Transcript

Linux+ Guide to Linux Certification, Second Edition

Chapter 15

Configuring Network Services and Security


Objectives

  • Identify and configure common network services

  • Configure routing and firewalls

  • Describe the different facets of Linux security

  • Increase the security of a Linux computer

  • Outline measures that can be used to detect a Linux security breach

Linux+ Guide to Linux Certification, 2e


Network Services

  • Processes that provide some type of valuable service for client computers on network

  • Must identify types and features of network services before they can be configured

  • Important to configure network-related services, such as routing and firewalls

Identifying Network Services

  • Port: Number uniquely identifying a network service

    • Ensure that packets delivered to proper service

    • Range from 0 to 65534

  • /etc/services file: Lists ports and associated protocol

  • Well-known port: Ports from 0 to 1024

    • Used by common networking services

Identifying Network Services (continued)

Table 15-1: Common well-known ports

Identifying Network Services (continued)

  • Internet Super Daemon (xinetd): Initializes and configures many networking services

  • Standalone daemons: Daemons normally started at boot-up

    • e.g., Apache Web server

    • Configure themselves without assistance

    • ntsysv utility can configure most standalone daemons to start in various runlevels

Identifying Network Services (continued)

Figure 15-1: Interacting with network services

Configuring Common Network Services

Table 15-2: Common network services

Configuring Common Network Services (continued)

Table 15-2 (continued): Common network services

Configuring Common Network Services (continued)

Table 15-2 (continued): Common network services

Configuring Common Network Services (continued)

Table 15-2 (continued): Common network services

Configuring Common Network Services (continued)

Table 15-2 (continued): Common network services

Configuring DNS

  • Zone: Portion of DNS administered by one or more DNS servers

  • Forward lookup: FQDN resolved to IP address

  • Reverse lookup: IP address resolved to FQDN

Configuring DNS (continued)

Figure 15-2: The DNS lookup process

Configuring DNS (continued)

  • Iterative query: Resolved without use of top-level DNS servers

  • Recursive query: Resolved with the use of top-level DNS servers

  • DNS cache file: Contains IP addresses of top-level DNS servers

Configuring DNS (continued)

  • Master or primary DNS server: Contains read/write copy of zone

  • Slave or secondary DNS server: Contains read-only copy of zone

  • Zone transfer: Copying zone resource records from master to slave DNS server

Configuring DNS (continued)

Table 15-3: Common zone configuration files

Configuring DNS (continued)

Table 15-3 (continued): Common zone configuration files

Configuring DHCP

  • Send DHCP broadcast on network

    • Request IP configuration information

  • DHCP server leases IP address to client computer for a period of time

    • Ensures each client has unique IP address

  • /etc/dhcpd.conf file: Configure computer as a DHCP server

    • List appropriate IP address range for network

Configuring Apache

  • Most common Web server

  • Document root directory: Stores default HTML content for a Web server

    • /var/www/html on Fedora Linux

    • Default document is index.html

  • /etc/httpd/conf/httpd.conf: Default configuration file

  • Directive: Line within a configuration file

Configuring Apache (continued)

Table 15-4: Common httpd.conf directives

Configuring Samba

  • SaMBa daemon: Emulates SMB protocol

  • Windows computers advertise computer names using NetBIOS protocol

    • Can use NetBIOS name daemon to create and advertise NetBIOS name

      • Connect Windows computers to Linux server

  • smbpasswd command: Generate Samba passwords

Configuring Samba (continued)

  • /etc/samba/smb.conf: Default Samba configuration file

  • /etc/rc.d/init.d/smb start: Start Samba and NetBIOS name daemons

    • Restart if smb.conf changed

Configuring NFS

  • Create directory containing information to share

  • Edit /etc/exports file:

    • Add line listing directory to be shared and options

  • Run exportfs -a

    • Update list of exported filesystems

  • Restart the NFS processes

Configuring FTP

  • Very secure FTP daemon (vsftpd): Packaged with Fedora Linux

  • To configure (assuming logon as “user1”):

    • Create directory below user1’s home directory to host the files

      • Ensure user1 owns directory

    • Run /etc/rc.d/init.d/vsftpd start

      • Start vsftpd daemon

Configuring NIS

  • Network Information Service (NIS): Coordinate common configuration files across several computers

    • Computers belong to a NIS domain, use NIS map to access configuration information

    • Most commonly used for password databases

Configuring NIS (continued)

  • Define the NIS domain via the domainname <NIS_domain_name> command

  • Add NISDOMAIN='NIS_domain' to the /etc/sysconfig/network file

    • Configure NIS domain at boot time

  • Add "domain <NIS_domain> server <NIS_server>" to the /etc/yp.conf file

    • Query specific NIS server

Configuring the Secure Shell Daemon

  • Secure Shell daemon (sshd): Allows use of ssh utility to log in to network servers

  • /etc/ssh/sshd_config file: Contains configuration options

  • Uses challenge-response authentication by default

Configuring the Secure Shell Daemon (continued)

  • Supported encryption standards:

    • Triple Data Encryption Standard (3DES)

    • Advanced Encryption Standard (AES)

    • Blowfish

    • Carlisle Adams Stafford Tavares (CAST)

    • ARCfour

Routing and Firewall Services

  • Network services not provided entirely by network daemons

    • Provided by Linux kernel

    • Do not listen to a particular port

Routing

  • Route table: Indicates which networks are connected to network interfaces

  • route command: Manipulate the route table

  • Multihomed hosts: Computers with multiple network interfaces

  • IP forwarding: Forwarding TCP/IP packets between networks

  • Routing: Forwarding data packets between networks

Routing (continued)

  • Enabling routing:

    • Place the number 1 in the /proc/sys/net/ipv4/ip_forward file

    • Place "net.ipv4.ip_forward = 1" in the /etc/sysctl.conf file

Routing (continued)

  • Large networks may have several routers

  • route add <route> command: Add entries to route table

  • route del <route> command: Remove entries from route table

  • Can use ip command to add entries to route table

Routing (continued)

Figure 15-3: A sample routed network

Routing (continued)

  • Contents of route table lost when computer powered off

    • Add to /etc/rc.d/rc.local file

  • Most routers configured with a default gateway

    • For packets addressed to destinations not in route table

  • traceroute command: Troubleshoot routing

    • Displays routers between current and remote computer

Firewall Services

  • netfilter/iptables: Used to create a firewall

    • Discard network packets according to chains of rules

  • Chains: Specify general type of network traffic to apply rules to

  • Rules: Match network traffic to be allowed or dropped

Firewall Services (continued)

  • Three chain types:

    • INPUT chain: Incoming packets

    • FORWARD chain: Packets passing through computer

    • OUTPUT chain: Outgoing packets

  • iptables command: Creates rules for a chain
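
The three chains above in practice, as an added example that is not from the textbook: a default-deny ruleset in iptables-restore format, emitted as text so it can be reviewed before loading. The LAN range 192.168.1.0/24 and the choice of allowed services are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the textbook): emit a default-deny netfilter
# ruleset for the three built-in filter chains. The LAN range and the
# allowed services are constructed assumptions; adjust before use.
# Nothing here touches the running kernel: the text is only printed.

LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the complete ruleset. Policies are DROP for INPUT and FORWARD
# (packets no rule explicitly accepts are discarded); OUTPUT stays ACCEPT.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $LAN_NET --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-DROP: "
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Number of rules appended to one chain (INPUT, FORWARD or OUTPUT).
rules_in_chain() {
    build_ruleset | grep -c "^-A $1 " || true
}

# Policy of a chain, e.g. DROP for INPUT.
chain_policy() {
    build_ruleset | awk -v c=":$1" '$1 == c { print $2 }'
}

# To load for real (as root): build_ruleset | iptables-restore
```

The LOG rule is last in INPUT so that anything the DROP policy discards leaves a line in the kernel log, which is what the intrusion-detection slides later in this chapter rely on.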

Firewall Services (continued)

Table 15-5: Common iptables commands

Security

  • Linux systems typically available across networks such as the Internet

  • Should improve local and network security

  • Understand how to detect intruders who breach the system

Securing the Local Computer

  • Limit access to computer itself

    • Prevent malicious users from accessing files

  • Server closet: Secured room to store servers

  • Remove floppy and CD-ROM devices from workstations

  • Ensure BIOS prevents booting from USB ports

Securing the Local Computer (continued)

  • Ensure BIOS password is set

  • Set boot loader password in LILO or GRUB configuration file

  • Limit access to graphical desktops and shells

  • Minimize root user’s time logged in

Securing the Local Computer (continued)

  • nohup command: Prevents other commands from exiting when parent process killed

  • su (switch user) command: Switch current user account to another

  • sudo command: Perform commands as another user via entries in /etc/sudoers file

Protecting Against Network Attacks

  • Always a possibility that crackers can manipulate a network service

  • Buffer overrun: Attack in which a network service's memory is altered

  • Minimize number of running network services

  • nmap (network mapper) command: Scan ports on network computers

    • See what network services are running

Protecting Against Network Attacks (continued)

  • Enable encryption on essential network services

  • Ensure network service daemons not run as root user when possible

  • New network service versions usually include fixes for known network attacks

    • Keep network services up-to-date

Protecting Against Network Attacks (continued)

  • TCP wrapper: Run network daemon with additional security via /etc/hosts.allow and /etc/hosts.deny files

  • Examine permissions for files and directories associated with system and network services

Detecting Intrusion

  • Log files can contain information or irregularities indicating an intrusion

  • Review system log files associated with authentication

  • Pluggable Authentication Module (PAM): Handles authentication requests by daemons

    • Log file in /var/log/secure
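
Reviewing the PAM/sshd entries in /var/log/secure, as an added example that is not from the textbook: an awk-based check that counts failed password attempts per source address and flags addresses over a threshold. The log lines embedded below are constructed samples in the syslog format sshd writes; the threshold and addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the textbook): review sshd authentication
# failures recorded in /var/log/secure and flag source addresses that
# exceed a threshold. SAMPLE_LOG is constructed; point LOGFILE at the
# real file to run the same check on a live system.

LOGFILE="${LOGFILE:-/var/log/secure}"

# Constructed sample of the syslog-style lines written by sshd via PAM.
SAMPLE_LOG='Mar  3 10:01:12 server1 sshd[2021]: Failed password for root from 203.0.113.5 port 40122 ssh2
Mar  3 10:01:15 server1 sshd[2021]: Failed password for root from 203.0.113.5 port 40123 ssh2
Mar  3 10:01:19 server1 sshd[2025]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Mar  3 10:01:21 server1 sshd[2025]: Failed password for invalid user admin from 203.0.113.5 port 40131 ssh2
Mar  3 10:02:03 server1 sshd[2030]: Failed password for user1 from 192.168.1.20 port 51002 ssh2
Mar  3 10:02:09 server1 sshd[2030]: Accepted password for user1 from 192.168.1.20 port 51002 ssh2
Mar  3 10:05:44 server1 sshd[2041]: Accepted publickey for user1 from 192.168.1.21 port 51100 ssh2'

# Count failed sshd logins per source address, most frequent first.
# Reads log text on stdin; the address is the field after "from".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (a in n) print n[a], a }' | sort -rn
}

# Print only the addresses whose failure count is at least $1.
flag_sources() {
    failed_by_source | awk -v min="$1" '$1 >= min { print $2 }'
}

# Same check against the constructed sample instead of the live log.
flag_sample() {
    printf '%s\n' "$SAMPLE_LOG" | flag_sources "$1"
}

# Live use (as root, since the file is not world-readable):
#   flag_sources 10 < "$LOGFILE"
```

Four failures for two usernames from one address inside ten seconds is the pattern to look for; a single failure followed by an accepted login from a LAN address is ordinary user error.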

Detecting Intrusion (continued)

  • Check /var/log/wtmp log file

    • Lists users who receive BASH shells

  • Tripwire: Monitors files and directories

  • Intrusion Detection System (IDS): Detect unauthorized access

Detecting Intrusion (continued)

Table 15-6: Common Linux intrusion detection systems
