CT 320: Network and System Administration

Network Services

Colorado State University

Computer Science Department

Chris Wilcox

Fall 2012

Original slides from Dr. James Walden at Northern Kentucky University.


Topics

  • Name/address resolution

  • Service selection

  • Enabling/disabling services

  • xinetd

  • TCP Wrappers

CT 320: Fall Semester 2012


Name Resolution

Translates human-readable names to network addresses.

HOSTS.TXT

Name translation for entire Internet in 1970s, early 1980s.

A single file distributed from a single host.

Didn’t scale: Net changed before file distributed everywhere.

DNS – Domain Name System

Designed to resolve scalability issues in 1984 (RFC 882-3).

Distributed database: many files, many servers.

Allows local control of segments.

/etc/hosts

Maps hostnames to IP addresses.

127.0.0.1 localhost

10.30.10.15 myhost.nku.edu myhost me

10.30.10.22 xerxes.nku.edu xerxes logsvr

10.30.10.33 darius.nku.edu darius

10.30.10.42 cyrus.nku.edu cyrus

10.30.10.55 ntp.nku.edu ntp-server

10.30.10.57 artaxerxes.nku.edu

/etc/hosts

  • Oldest, simplest means of name resolution.

    • Derived from original HOSTS.TXT file.

  • Available during boot process.

    • Before DNS available.

  • Available when DNS is down.

    • Store essential name mappings for reliability.

  • Can share between hosts.

    • rsync, NIS, LDAP, etc.

A minimal /etc/hosts

Name mappings for localhost:

127.0.0.1 localhost

10.30.10.15 myhost.nku.edu myhost

Name mappings for default gateway:

10.30.10.1 gw-5.nku.edu gw-5

Name mappings for name servers:

10.23.4.250 dns3.nku.edu dns3

10.88.9.253 ldap3.nku.edu ldap3

10.92.5.250 nfs4.nku.edu nfs4

DNS Clients

Configuration file: /etc/resolv.conf

Sets search domains.

Sets primary and backup DNS servers.

Auto-created by DHCP if used.

Example:

search nku.edu

nameserver 172.28.10.29

nameserver 172.28.10.30

DNS Lookups

> host www.google.com

www.google.com is an alias for www.l.google.com.

www.l.google.com has address 216.239.37.104

www.l.google.com has address 216.239.37.99

> host www.nku.edu

www.nku.edu has address 192.122.237.7

Choosing services

Configuration file: /etc/nsswitch.conf

Controls where data is found about:

User accounts and groups.

Hostnames and IP addresses.

Network configuration.

E-mail addresses and cryptographic keys.

Potential data sources

Files (usually under /etc)

Compat

NIS or NIS+

LDAP

DNS

Choosing services

# /etc/nsswitch.conf

#

# Example cfg of GNU Name Service Switch functionality.

passwd: compat

group: compat

shadow: compat

hosts: files dns

networks: files

protocols: db files

services: db files

ethers: db files

rpc: db files

netgroup: nis
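The /etc/hosts slide and the hosts: line of this nsswitch.conf together decide how a hostname is resolved: each source is consulted in the order written, and the first one that answers wins. The Python below is an added example, not part of the original slides: it parses an /etc/hosts file and the hosts: line of an nsswitch.conf, then walks the sources in the configured order. The hosts file is a constructed copy of the slide's entries, and the DNS source is a constructed in-memory table (the www.nku.edu address is the one from the DNS Lookups slide; the conflicting cyrus.nku.edu entry is made up to show that the first source in the chain wins). It also honours the [STATUS=action] items nsswitch.conf allows, such as [NOTFOUND=return], which the slides do not cover; negated forms such as [!UNAVAIL=return] are not supported.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed /etc/hosts, modelled on the slide's example entries.
HOSTS_FILE = """\
127.0.0.1   localhost
10.30.10.15 myhost.nku.edu myhost me
10.30.10.22 xerxes.nku.edu xerxes logsvr
10.30.10.42 cyrus.nku.edu cyrus
10.30.10.55 ntp.nku.edu ntp-server   # comments run to end of line
"""

# Constructed nsswitch.conf; only the hosts: line matters here.
NSSWITCH = """\
passwd: compat
hosts:  files dns
networks: files
"""

# Constructed stand-in for a DNS server. cyrus.nku.edu deliberately
# disagrees with /etc/hosts to show that the first source in the chain wins.
FAKE_DNS = {"www.nku.edu": "192.122.237.7", "cyrus.nku.edu": "10.99.0.1"}

Chain = List[Tuple[str, Dict[str, str]]]


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each canonical name and alias in an /etc/hosts file to its address.
    The first line that defines a name wins, as in glibc's files backend."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:        # blank, comment-only, or address without names
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def parse_nsswitch_hosts(text: str) -> Chain:
    """Return [(source, {status: action}), ...] for the hosts: database.
    A '[STATUS=action]' item modifies the source immediately before it."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        chain: Chain = []
        for tok in line[len("hosts:"):].split():
            m = re.fullmatch(r"\[(\w+)=(\w+)\]", tok)
            if m and chain:
                chain[-1][1][m.group(1).lower()] = m.group(2).lower()
            elif not m:
                chain.append((tok.lower(), {}))
        return chain
    return []                      # no hosts: line configured


def resolve(name: str, chain: Chain, files: Dict[str, str],
            dns: Dict[str, str]) -> Optional[str]:
    """Query each source in order. Default actions are success=return and
    anything else=continue; an explicit [STATUS=action] overrides that."""
    name = name.lower()
    for source, actions in chain:
        if source not in ("files", "dns"):   # nis, ldap, ...: not modelled
            status, answer = "unavail", None
        else:
            answer = (files if source == "files" else dns).get(name)
            status = "success" if answer is not None else "notfound"
        action = actions.get(status, "return" if status == "success" else "continue")
        if action == "return":
            return answer
    return None


if __name__ == "__main__":
    files = parse_hosts(HOSTS_FILE)
    chain = parse_nsswitch_hosts(NSSWITCH)
    for host in ("me", "cyrus.nku.edu", "www.nku.edu", "nosuch.nku.edu"):
        print(f"{host:16} -> {resolve(host, chain, files, FAKE_DNS)}")
```

With "hosts: files dns", cyrus.nku.edu resolves to the /etc/hosts address and DNS is never asked, which is why an unexpected entry in /etc/hosts deserves the same scrutiny as a DNS change; with "hosts: files [NOTFOUND=return] dns", a name missing from the file is reported as unknown without ever reaching DNS.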

Network Services

Enable/disable immediately

service name stop

service name start

Enable/disable service start at boot time.

chkconfig --level <runlevels> name off

chkconfig --level <runlevels> name on

Service Files

Service start/stop script: /etc/init.d/name

Service config files: /etc/sysconfig, /etc

Symlinks

/etc/rc.d/rc<level>.d/S##name

/etc/rc.d/rc<level>.d/K##name

xinetd superserver

Manages low-resource services.

Handles networking issues for service.

Low # of connections, or

Small effort/connection.

Examples: telnet, ftp, daytime, echo

Additional features

Access control: /etc/hosts.{allow,deny}

Logging.

Resource management.

TCP Wrappers

Provide host-based access control.

To any service linked with libwrap.

strings -f program | grep hosts_access

Examples: portmap, sshd, xinetd.

How does it work?

Checks access control lists for service.

Logs connection.

If permitted, runs the server process for service.

TCP Wrappers

  • Checks /etc/hosts.allow

    If any rule matches, allows access.

    If no rule matches, goes to next step.

  • Checks /etc/hosts.deny

    If any rule matches, denies access.

    Otherwise, allows access.

    Typically, the last rule denies access to all.

Access Control Lists

<daemon list>: <client list> [: <option>: <option>: ...]

<daemon list>: A comma-separated list of process names (not service names) or the ALL wildcard.

<client list>: A comma-separated list of hostnames, host IP addresses, special patterns, or special wildcards.

<option>: An optional action or colon-separated list of actions performed when the rule is triggered. Option fields allow or deny access, log access attempts, and can even run shell commands.

Wildcards

ALL — Matches everything. It can be used for both the daemon list and the client list.

LOCAL — Matches any host that does not contain a period (.), such as localhost.

KNOWN — Matches any host where the hostname and host address are known or where the user is known.

UNKNOWN — Matches any host where the hostname or host address are unknown or where the user is unknown.

PARANOID — Matches any host where the hostname does not match the host address.

EXCEPT Operator

  • Excepts a service or IP/host from list.

  • Examples:

    • ALL: .ex.com EXCEPT evil.ex.com

    • ALL EXCEPT vsftpd: 192.168.0.

ACL Examples

  • vsftpd : .example.com

    • Permits/denies access to vsftpd from .example.com.

    • Depends on whether in hosts.allow or hosts.deny.

  • sshd : .example.com \
        : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \
        : deny

    • Denies access no matter where it appears.

    • Runs /bin/echo to manually log access attempt.
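The evaluation order on the TCP Wrappers slides (hosts.allow first, then hosts.deny, allow if nothing matches) combined with the wildcard, EXCEPT and option syntax is easy to get wrong when rules are written by hand. The Python below is an added example, not part of the original slides and not code from the tcp_wrappers package: a simplified model of libwrap's decision procedure that lets a rule set be checked offline against constructed clients. It supports the daemon and client lists, ALL/LOCAL/KNOWN/UNKNOWN/PARANOID, EXCEPT, ".domain" suffix and "net." prefix patterns, and the allow/deny/spawn options; spawn commands are recorded rather than executed, and ident-based user matching, server-endpoint patterns and %-expansions are not modelled. The rule files HOSTS_ALLOW and HOSTS_DENY are constructed from the slide's examples.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class Client:
    ip: str
    hostname: Optional[str] = None   # None when the reverse lookup failed
    forward_matches: bool = True     # False when the name does not map back to ip

@dataclass
class Rule:
    daemons: str
    clients: str
    options: List[str]
    line: str

@dataclass
class Decision:
    action: str                      # "allow" or "deny"
    rule: Optional[str] = None       # text of the rule that decided, if any
    spawn: Optional[str] = None      # command a spawn option asked for (not run)

# Wildcards from hosts_access(5); ident-based user matching is not modelled.
WILDCARDS = {
    "ALL": lambda ip, name, fwd: True,
    "LOCAL": lambda ip, name, fwd: name is not None and "." not in name,
    "KNOWN": lambda ip, name, fwd: name is not None,
    "UNKNOWN": lambda ip, name, fwd: name is None,
    "PARANOID": lambda ip, name, fwd: name is not None and not fwd,
}

def parse_rules(text: str) -> List[Rule]:
    """hosts.allow/hosts.deny syntax: '#' comment lines, blank lines,
    backslash-newline continuation, colon-separated fields."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        logical, pending = (pending + line).strip(), ""
        if not logical or logical.startswith("#"):
            continue
        fields = [f.strip() for f in logical.split(":")]
        if len(fields) < 2:          # libwrap logs and ignores such lines
            continue
        rules.append(Rule(fields[0], fields[1], fields[2:], logical))
    return rules

def match_list(expr: str, pred: Callable[[str], bool]) -> bool:
    """'A EXCEPT B EXCEPT C' nests to the right: A unless (B unless C)."""
    parts = re.split(r"\s+EXCEPT\s+", expr, maxsplit=1)
    hit = any(pred(tok) for tok in re.split(r"[,\s]+", parts[0]) if tok)
    if hit and len(parts) == 2:
        return not match_list(parts[1], pred)
    return hit

def client_matches(tok: str, c: Client) -> bool:
    """Wildcard, '.domain' suffix, 'net.' prefix, or exact host/address."""
    name = c.hostname.lower() if c.hostname else None
    if tok in WILDCARDS:
        return WILDCARDS[tok](c.ip, name, c.forward_matches)
    t = tok.lower()
    if t.startswith("."):
        return name is not None and name.endswith(t)
    if t.endswith("."):
        return c.ip.startswith(t)
    return t == c.ip or t == name

def apply_options(rule: Rule, default: str) -> Decision:
    # allow/deny override the file's default; spawn is only recorded.
    action, spawn = default, None
    for opt in rule.options:
        key, _, arg = opt.partition(" ")
        if key.lower() in ("allow", "deny"):
            action = key.lower()
        elif key.lower() == "spawn":
            spawn = arg.strip()
    return Decision(action, rule.line, spawn)

def check_access(daemon: str, client: Client,
                 hosts_allow: str, hosts_deny: str) -> Decision:
    """hosts.allow first (first match wins, default allow), then hosts.deny
    (first match wins, default deny); nothing matched means allow."""
    for text, default in ((hosts_allow, "allow"), (hosts_deny, "deny")):
        for rule in parse_rules(text):
            if (match_list(rule.daemons, lambda t: t in ("ALL", daemon))
                    and match_list(rule.clients, lambda t: client_matches(t, client))):
                return apply_options(rule, default)
    return Decision("allow")

# Constructed rule files assembled from the slide's examples.
HOSTS_ALLOW = """\
ALL: LOCAL, 127.0.0.1
vsftpd: .example.com EXCEPT evil.example.com
sshd: .example.com \\
    : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \\
    : deny
"""
HOSTS_DENY = "ALL EXCEPT in.fingerd: 192.168.0.\nALL: ALL\n"
```

Calling check_access for a client whose reverse lookup failed (hostname None) against a hosts.deny without the final ALL: ALL shows why the slide says the last rule typically denies everything: a daemon and client that neither file mentions are allowed. The sshd rule from the ACL Examples slide denies from hosts.allow even though that file normally grants access, because its explicit deny option overrides the file's default.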
