GL275
ENTERPRISE LINUX NETWORK SERVICES
RHEL6

Version: GL275S-R6-H00

No part of this publication may be stored in a retrieval system, transmitted or reproduced in any
way, including, but not limited to, photocopy, photograph, magnetic, electronic or other record,
without the prior written permission of Guru Labs.

Guru Labs L.C. accepts no liability for any claims, demands, losses, damages, costs or expenses
suffered or incurred howsoever arising from or in connection with the use of this courseware. All
trademarks are the property of their respective owners.

Photocopying any part of this manual without prior written consent of Guru Labs L.C. is a violation
of federal law. This manual should not appear to be a photocopy. If you believe that Guru Labs
training materials are being photocopied without permission, please email Alert@gurulabs.com or
call 1-801-298-5227.

This instructional program, including all material provided herein, is supplied without any guarantees
from Guru Labs L.C. Guru Labs L.C. assumes no liability for damages or legal action arising from
the use or misuse of contents or details contained herein.

This curriculum contains proprietary information which is for the exclusive use of customers of Guru
Labs L.C., and is not to be shared with personnel other than those in attendance at this course.

The contents of this course and all its modules and related materials, including handouts to
audience members, are copyright 2012 Guru Labs L.C.
Table of Contents

Chapter 1
SECURING SERVICES
Xinetd
Xinetd Connection Limiting and Access Control
Xinetd: Resource limits, redirection, logging
TCP Wrappers
The /etc/hosts.allow & /etc/hosts.deny Files
/etc/hosts.{allow,deny} Shortcuts
Advanced TCP Wrappers
Basic Firewall Activation
Netfilter: Stateful Packet Filter Firewall
Netfilter Concepts
Using the iptables Command
Netfilter Rule Syntax
Targets
Common match_specs
Connection Tracking
SELinux Security Framework
Choosing an SELinux Policy
SELinux Commands
SELinux Booleans
Graphical SELinux Policy Tools
Lab Tasks
1. Securing xinetd Services
2. Enforcing Security Policy with xinetd
3. Securing Services with TCP Wrappers
4. Securing Services with Netfilter
5. Troubleshooting Practice
6. SELinux File Contexts

Chapter 2
DNS CONCEPTS
Naming Services
DNS A Better Way
The Domain Name Space
Delegation and Zones
Server Roles
Resolving Names
Resolving IP Addresses
Basic BIND Administration
Configuring the Resolver
Testing Resolution
Lab Tasks
1. Configuring a Slave Name Server

Chapter 3
CONFIGURING BIND
BIND Configuration Files
named.conf Syntax
named.conf Options Block
Creating a Site-Wide Cache
rndc Key Configuration
Zones In named.conf
Zone Database File Syntax
SOA Start of Authority
A & PTR Address & Pointer Records
NS Name Server
CNAME & MX Alias & Mail Host
Abbreviations and Gotchas
$ORIGIN and $GENERATE
Lab Tasks
1. Use rndc to Control named
2. Configuring BIND Zone Files

Chapter 4
CREATING DNS HIERARCHIES
Subdomains and Delegation
Subdomains
Delegating Zones
in-addr.arpa. Delegation
Issues with in-addr.arpa.
RFC2317 & in-addr.arpa.
Lab Tasks
1. Create a Subdomain in an Existing Domain
2. Subdomain Delegation

Chapter 5
ADVANCED BIND DNS FEATURES
Address Match Lists & ACLs
Split Namespace with Views
Restricting Queries
Restricting Zone Transfers

Chapter 6
LDAP CONCEPTS AND CLIENTS
LDAP: History and Uses
LDAP: Data Model Basics
LDAP: Protocol Basics
LDAP: Applications
LDAP: Search Filters
LDIF: LDAP Data Interchange Format
OpenLDAP Client Tools
Alternative LDAP Tools
Lab Tasks
1. Querying LDAP

Chapter 7
OPENLDAP SERVERS
Popular LDAP Server Implementations
OpenLDAP: Server Architecture
OpenLDAP: Backends
OpenLDAP: Replication
OpenLDAP: Configuration Options
OpenLDAP: Configuration Sections
OpenLDAP: Global Parameters
OpenLDAP: Database Parameters
OpenLDAP Server Tools
Enabling LDAP-based Login
System Security Services Daemon (SSSD)
Lab Tasks
1. Building An OpenLDAP Server
2. Enabling TLS For An OpenLDAP Server
3. Enabling LDAP-based Logins

Chapter 8
USING APACHE
HTTP Operation
Apache Architecture
Dynamic Shared Objects
Adding Modules to Apache
Apache Configuration Files
httpd.conf Server Settings
httpd.conf Main Configuration
HTTP Virtual Servers
Virtual Hosting DNS Implications
httpd.conf VirtualHost Configuration
Port and IP based Virtual Hosts
Name-based Virtual Host
Apache Logging
Log Analysis
The Webalizer
Lab Tasks
1. Apache Architecture
2. Apache Content
3. Configuring Virtual Hosts

Chapter 9
APACHE SECURITY
Virtual Hosting Security Implications
Delegating Administration
Directory Protection
Directory Protection with AllowOverride
Common Uses for .htaccess
Symmetric Encryption Algorithms
Asymmetric Encryption Algorithms
Digital Certificates
SSL Using mod_ssl.so
Lab Tasks
1. Using .htaccess Files
2. Using SSL Certificates with Apache

Chapter 10
APACHE SERVER-SIDE SCRIPTING ADMINISTRATION
Dynamic HTTP Content
PHP: Hypertext Preprocessor
Developer Tools for PHP
Installing PHP
Configuring PHP
Securing PHP
Security Related php.ini Configuration
Java Servlets and JSP
Apache's Tomcat
Installing Java SDK
Installing Tomcat Manually
Using Tomcat with Apache
Lab Tasks
1. CGI Scripts in Apache
2. Apache's Tomcat
3. Using Tomcat with Apache
4. Installing Applications with Apache and Tomcat

Chapter 11
IMPLEMENTING AN FTP SERVER
The FTP Protocol
Active Mode FTP
Passive Mode FTP
ProFTPD
Pure-FTPd
vsftpd
Configuring vsftpd
Anonymous FTP with vsftpd
Lab Tasks
1. Configuring vsftpd

Chapter 12
THE SQUID PROXY SERVER
Squid Overview
Squid File Layout
Squid Access Control Lists
Applying Squid ACLs
Tuning Squid & Configuring Cache Hierarchies
Bandwidth Metering
Monitoring Squid
Proxy Client Configuration
Lab Tasks
1. Installing and Configuring Squid
2. Squid Cache Manager CGI
3. Proxy Auto Configuration
4. Configure a Squid Proxy Cluster

Chapter 13
SAMBA CONCEPTS AND CONFIGURATION
Introducing Samba
Samba Daemons
NetBIOS and NetBEUI
Accessing Windows/Samba Shares from Linux
Samba Utilities
Samba Configuration Files
The smb.conf File
Mapping Permissions and ACLs
Mapping Linux Concepts
Mapping Case Sensitivity
Mapping Users
Sharing Home Directories
Sharing Printers
Share Authentication
Share-Level Access
User-Level Access
Samba Account Database
User Share Restrictions
Lab Tasks
1. Samba Share-Level Access
2. Samba User-Level Access
3. Samba Group Shares
4. Configuring Samba
5. Samba Home Directory Shares

Chapter 14
SMTP THEORY
SMTP
SMTP Terminology
SMTP Architecture
SMTP Commands
SMTP Extensions
SMTP AUTH
SMTP STARTTLS
SMTP Session

Chapter 15
POSTFIX
Postfix Features
Postfix Architecture
Postfix Components
Postfix Configuration
master.cf
main.cf
Postfix Map Types
Postfix Pattern Matching
Advanced Postfix Options
Virtual Domains
Postfix Mail Filtering
Configuration Commands
Management Commands
Postfix Logging
Logfile Analysis
chrooting Postfix
Postfix, Relaying and SMTP AUTH
SMTP AUTH Server and Relay Control
SMTP AUTH Clients
Postfix / TLS
TLS Server Configuration
Postfix Client Configuration for TLS
Other TLS Clients
Ensuring TLS Security
Lab Tasks
1. Configuring Postfix
2. Postfix Network Configuration
3. Postfix Virtual Host Configuration
4. Postfix SMTP AUTH Configuration
5. Postfix STARTTLS Configuration

Chapter 16
MAIL SERVICES AND RETRIEVAL
Filtering Email
Procmail
SpamAssassin
Bogofilter
Accessing Email
The IMAP4 Protocol
Dovecot POP3/IMAP Server
Cyrus IMAP/POP3 Server
Cyrus IMAP MTA Integration
Cyrus Mailbox Administration
Fetchmail
SquirrelMail
Mailing Lists
GNU Mailman
Mailman Configuration
Lab Tasks
1. Configuring Procmail & SpamAssassin
2. Configuring Cyrus IMAP
3. Dovecot TLS Configuration
4. Configuring SquirrelMail
5. Base Mailman Configuration
6. Basic Mailing List
7. Private Mailing List

Appendix A
SENDMAIL
Sendmail Architecture
Sendmail Components
Sendmail Configuration
Sendmail Remote Configuration
Controlling Access
Sendmail Mail Filter (milter)
Configuring Sendmail SMTP AUTH
Configuring SMTP STARTTLS
Lab Tasks
1. Configuring Sendmail
2. Sendmail Network Configuration
3. Sendmail Virtual Host Configuration
4. Sendmail SMTP AUTH Configuration
5. Sendmail STARTTLS Configuration

Appendix B
NIS
NIS Overview
NIS Limitations and Advantages
NIS Client Configuration
NIS Server Configuration
NIS Troubleshooting Aids
Lab Tasks
1. Configuring NIS
2. NIS Slave Server
Typographic Conventions

The fonts, layout, and typographic conventions of this book have been
carefully chosen to increase readability. Please take a moment to
familiarize yourself with them.

A Warning and Solution

The following characters are easy to confuse in print:
  0   The number "zero".
  O   The letter "oh".
  1   The number "one".
  l   The letter "ell".

Line Wrapping

Lines too long for the page are wrapped; a wrap marker at the end of a
line shows that the next line is a continuation of it and should be
typed as part of the same line.

File Edits

Changes to a file are shown as a listing with the file name above it.
Lines added to the file are marked with a + in the left margin; the
surrounding unchanged lines carry no marker. For example, the following
edit adds two lines to an SSH daemon configuration file:

  #LoginGraceTime 2m
  #PermitRootLogin yes
+ PermitRootLogin no
+ AllowUsers sjansen
  #StrictModes yes

Note that the standard file edit representation may not be used when it
is important that the edit be performed using a specific editor or method.
In these rare cases, the editor specific actions will be given instead.

Key Combinations

When it is necessary to press keys at the same time, the combination will
be represented with a plus between each key. For example, the following
means to press the "ctrl," "alt," and "backspace" keys at the same time:
Ctrl+Alt+Backspace. Uppercase letters are treated the same: A.

Lab Conventions

Every lab task begins with three standard informational headers:
"Objectives," "Requirements," and "Relevance". Some tasks also include a
"Notices" section. Each section has a distinct purpose.

Variable Data Substitutions

In some lab tasks, students are required to replace portions of commands
with variable data. Variable substitutions are represented using italic
fonts. For example, X and Y.

Substitutions are used most often in lab tasks requiring more than one
computer. For example, if a student on station4 were working with a
student on station2, the lab task would refer to stationX and stationY.

Command Prompts

Though different distributions and shells have different prompts, all
examples will use a $ prompt for commands to be run as an unprivileged
user (guru or visitor), and commands with a # prompt should be run as
the root user. For example:

$ whoami
guru
$ su
Password: makeitso
# whoami
root

Occasionally the prompt will contain additional information. For example,
when portions of a lab task should be performed on two different stations
(always of the same distribution), the prompt will be expanded to:

stationX$ whoami
guru
stationX$ ssh visitor@stationY
visitor@stationY's password: work
stationY$ whoami
visitor

Command Output

Command output is occasionally omitted or truncated in examples. There
are two types of omissions: complete or partial.

Sometimes the existence of a command's output, and not its content, is
all that matters. Other times, a command's output is too variable to
reliably represent. In both cases, when a command should produce
output, but an example of that output is not provided, the following
format is used:

$ cat /etc/passwd
. . . output omitted . . .

In general, at least a partial output example is included after commands.
When example output has been trimmed to include only certain lines,
the following format is used:

$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
. . . snip . . .
clints:x:500:500:Clint Savage:/home/clints:/bin/zsh
. . . snip . . .

Distribution Labels

This courseware is designed to support multiple Linux distributions.
When there are differences between supported distributions, each
version is labeled with the appropriate base strings:

R   Red Hat Enterprise Linux (RHEL)
S   SUSE Linux Enterprise Server (SLES)
U   Ubuntu

Action Lists

Some lab steps consist of a list of conceptually related actions. A
description of each action and its effect is shown to the right or under
the action. Alternating actions are shaded to aid readability. For example,
an action list might describe one possible way to launch and use
xkill to kill a graphical application.

Callouts

Occasionally lab steps will feature a shaded line that extends to a note
in the right margin. This note, referred to as a "callout," is used to provide
additional commentary. This commentary is never necessary to complete
the lab successfully and could in theory be ignored. However, callouts
do provide valuable information such as insight into why a particular
command or option is being used, the meaning of less obvious command
output, and tips or tricks such as alternate ways of accomplishing the task
at hand.
Chapter 1
SECURING SERVICES

Content
Xinetd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Xinetd Connection Limiting and Access Control . . . . . . . . 4
Xinetd: Resource limits, redirection, logging . . . . . . . . . . . 5
TCP Wrappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
The /etc/hosts.allow & /etc/hosts.deny Files . . . . . . . . . . . . 7
/etc/hosts.{allow,deny} Shortcuts . . . . . . . . . . . . . . . . . . . . 8
Advanced TCP Wrappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Basic Firewall Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Netfilter: Stateful Packet Filter Firewall . . . . . . . . . . . . . . . 11
Netfilter Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Using the iptables Command . . . . . . . . . . . . . . . . . . . . . . . 13
Netfilter Rule Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Common match_specs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Connection Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
SELinux Security Framework . . . . . . . . . . . . . . . . . . . . . . . . 18
Choosing an SELinux Policy . . . . . . . . . . . . . . . . . . . . . . . . . 20
SELinux Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
SELinux Booleans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Graphical SELinux Policy Tools . . . . . . . . . . . . . . . . . . . . . . 23
Lab Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
1. Securing xinetd Services . . . . . . . . . . . . . . . . . . . . . . . . . 26
2. Enforcing Security Policy with xinetd . . . . . . . . . . . . . . 29
3. Securing Services with TCP Wrappers . . . . . . . . . . . . . 32
4. Securing Services with Netfilter . . . . . . . . . . . . . . . . . . . 36
5. Troubleshooting Practice . . . . . . . . . . . . . . . . . . . . . . . . . 41
6. SELinux File Contexts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Xinetd

[Figure: a single inetd process listens on behalf of several services
(ports 23, 69, 79, 110 and 3120 are shown); when a client connects to
port 23, inetd starts in.telnetd and hands it the connection.]

While the original inetd is (still) widely used on most Unix systems,
most Linux distributions typically use xinetd in place of inetd. The
benefits of xinetd over the older inetd, covered on the following pages,
include connection limiting and access control, resource limits for the
services it starts, redirection of TCP connections, and fine-grained
logging.
Xinetd Configuration

Each service managed by xinetd is described by its own file in
/etc/xinetd.d. Examples of services configured this way include amanda,
gssftp, rsync, talk, telnet and tftp.

File: /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions;
# it uses unencrypted authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
Xinetd Connection Limiting and Access Control

Access control
        only_from
        no_access
Sophisticated connection limiting
        instances
        cps
        per_source
        max_load
Time of day restrictions
        access_times

File: /etc/xinetd.d/service_config
+       access_times    = 2:00-8:59 12:00-23:59

File: /etc/xinetd.conf
        max_load        = 0
        cps             = 50 10
        instances       = 50
        per_source      = 10

One of the major reasons for using xinetd in place of inetd is its
connection limiting features. With legacy inetd there are no limits,
besides exhausting system resources, on the number of connections
to a service, which makes a denial-of-service attack straightforward.
Xinetd: Resource limits, redirection, logging

Resource limits
        rlimit_as
        rlimit_cpu
        nice
Logging
        log_type
        log_on_success
        log_on_failure
Redirection of TCP connections
        redirect

Xinetd can set limits on the amount of memory and CPU that launched
services can consume. This can be used to protect against potentially
malicious clients, or buggy launched daemons. For example:

File: /etc/xinetd.d/telnet
service telnet
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
+       rlimit_as       = 8M
+       rlimit_cpu      = 20
}

The xinetd system has fine-grained logging abilities. You can specify
exactly what you would like logged, and you can log to syslog or
bypass syslog and log directly to files. The log_type attribute is
used to specify where to log.

Each service can log one or more of these items: the PID, the remote
HOST address, the remote USERID (obtained via the ident protocol),
the EXIT event (and status) and / or the DURATION. These values are
used with the log_on_success and log_on_failure attributes.

Xinetd can also redirect a TCP connection to another host and port:

File: /etc/xinetd.d/service_config
+       redirect        = 172.23.52.18 23

With xinetd running on Linux, this is not often used because Netfilter
has more powerful redirection.
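The access-control and limit attributes described on the last two pages are only effective on services that actually set them (or inherit them from the defaults stanza of /etc/xinetd.conf). The following is an added example, not code from the courseware or from xinetd: it parses the stanza syntax shown above and reports every enabled service that restricts neither the client (only_from / no_access) nor the connection rate (per_source / instances). The stanzas it reads are constructed inline for the example rather than loaded from /etc/xinetd.d.

```python
"""Audit xinetd service stanzas for missing access controls.

Added example; it is not part of the Guru Labs courseware and is not xinetd
code. It parses the /etc/xinetd.d stanza syntax shown above and reports
enabled services that restrict neither the client (only_from / no_access)
nor the connection rate (per_source / instances), taking the defaults
stanza of /etc/xinetd.conf into account. The stanzas below are constructed
for the example and are not read from disk.
"""
import re

STANZA_RE = re.compile(r"(?:service\s+(\S+)|(defaults))\s*\{(.*?)\}", re.S)
ATTR_RE = re.compile(r"^\s*(\w+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_xinetd(text):
    """Return {name: {attribute: [values]}} for every stanza in text.

    The name is the service name, or "defaults" for the defaults stanza.
    Within a stanza '=' replaces an attribute's value list, '+=' appends
    to it and '-=' removes from it, as xinetd interprets the operators.
    """
    stanzas = {}
    for service, defaults, body in STANZA_RE.findall(text):
        attrs = {}
        for raw in body.splitlines():
            m = ATTR_RE.match(raw.split("#", 1)[0])   # drop comments
            if not m:
                continue
            key, op, value = m.groups()
            values = value.split()
            if op == "+=":
                attrs.setdefault(key, []).extend(values)
            elif op == "-=":
                attrs[key] = [v for v in attrs.get(key, []) if v not in values]
            else:
                attrs[key] = values
        stanzas[service or defaults] = attrs
    return stanzas


def load(*texts):
    """Merge the stanzas of several files (e.g. xinetd.conf and xinetd.d/*)."""
    merged = {}
    for text in texts:
        merged.update(parse_xinetd(text))
    return merged


def audit(stanzas):
    """Return [(service, finding), ...] for enabled services lacking controls."""
    defaults = stanzas.get("defaults", {})
    findings = []
    for name, own in sorted(stanzas.items()):
        if name == "defaults":
            continue
        # Per-service values override the defaults stanza. A '+=' relative
        # to a defaults value is not modelled here; the service value wins.
        attrs = {**defaults, **own}
        if attrs.get("disable", ["no"])[0].lower() == "yes":
            continue                      # a disabled service is not exposed
        if "only_from" not in attrs and "no_access" not in attrs:
            findings.append((name, "no only_from/no_access restriction"))
        if "per_source" not in attrs and "instances" not in attrs:
            findings.append((name, "no per_source/instances limit"))
    return findings


# Constructed sample input, modelled on the telnet stanza shown above.
XINETD_CONF = """
defaults
{
        instances       = 50
        cps             = 50 10
        per_source      = 10
}
"""

XINETD_D = """
# default: on
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}

service tftp
{
        socket_type     = dgram
        protocol        = udp
        wait            = yes
        user            = root
        server          = /usr/sbin/in.tftpd
        disable         = yes
}

service rsync
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/bin/rsync
        server_args     = --daemon
        only_from       = 10.100.0.0/24
        per_source      = 2
        disable         = no
}
"""

if __name__ == "__main__":
    for service, finding in audit(load(XINETD_CONF, XINETD_D)):
        print(f"{service}: {finding}")
```

Run on the constructed input, the audit reports only telnet, and only for the missing client restriction: the rate limit is satisfied by the per_source value inherited from the defaults stanza, which is why the defaults have to be read before judging a service file on its own.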
TCP Wrappers

Securing Inetd
Centralized Administration

[Figure: a connection to in.telnetd passes through the libwrap library,
which checks the client against the TCP Wrappers access rules before the
service is allowed to handle it.]

File: /etc/inetd.conf
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
The /etc/hosts.allow & /etc/hosts.deny Files

/etc/hosts.allow
        If a rule matches: access is granted to the requested service and
        rule checking ends.
/etc/hosts.deny
        If a rule matches: access is denied to the requested service and
        rule checking ends.
If there are no matches in either file, access is granted.

Basic Syntax
        daemon_list : client_list

Examples
sshd: 10.100.0.5
in.telnetd: 192.168. 10.5.2.0/255.255.255.0
in.ftpd sshd: .gurulabs.com

It is important to note that both files are checked top down, with
hosts.allow checked before hosts.deny. If no matches are found
then access is granted.

Within each file, more specific rules should come first, then general
rules. Rule checking stops at the first match, so a specific rule placed
after a more general rule that also matches the client will never be
reached.
/etc/hosts.{allow,deny} Shortcuts

Wildcard shortcuts
        ALL
        LOCAL
        KNOWN
        UNKNOWN
        PARANOID
Operators
        EXCEPT

The LOCAL wildcard matches any host whose name doesn't contain a
dot. This means that hosts within your same domain would match.

The EXCEPT operator is useful when you want to match nearly all
hosts in a client_list. For example, you have a kiosk machine in
your lobby and you don't want people using the kiosk machine to
make connections to wrapped services on your corporate hosts. One
possible solution would be to use TCP Wrappers with a rule in
/etc/hosts.{allow,deny} whose client_list admits every host EXCEPT the
kiosk.

Note that this rule would have to be added to each system which
you wanted to protect.

The problem with nesting the EXCEPT operator is that such practices
very quickly lead to the creation of rules that even the original author
will have difficulty understanding. This usually means that the
configuration which caused the confusion does more or less than
what was expected, instead of doing what the author (or editor) of
the configuration intended.
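Because hosts.allow is consulted before hosts.deny, rule checking stops at the first match, and an unmatched client is let in, it is easy to write a rule set that does something other than intended. The following is an added example, not code from the courseware and not libwrap itself: it reimplements the lookup order and the client patterns from the last two pages (ALL, LOCAL, a leading-dot domain suffix, a trailing-dot address prefix, a net/mask pair, a bracketed IPv6 literal, an exact name or address, and EXCEPT) so that a rule set can be tried against sample clients before it is deployed. The rule sets are built from the examples above; the kiosk host name kiosk.gurulabs.com is an assumption made for the example.

```python
"""Evaluate TCP Wrappers access decisions offline.

Added example; it is not part of the Guru Labs courseware and is not libwrap
code. It reimplements the hosts_access(5) lookup order described above:
/etc/hosts.allow is searched first, then /etc/hosts.deny, and a client that
matches neither is granted access. The rule sets and the kiosk host name
below are constructed for the example.
"""
import ipaddress
import re

# Split a rule into fields on ':' but not on the colons inside an [ipv6] literal.
FIELD_SPLIT = re.compile(r":(?![^\[]*\])")


def parse_rules(text):
    """Return [(daemon_list, client_list), ...]; trailing option fields are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in FIELD_SPLIT.split(line)]
        if len(fields) >= 2:
            rules.append((fields[0], fields[1]))
    return rules


def match_client(pattern, host, addr):
    """Match a single client pattern against the client's name and address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # host name without a dot
        return "." not in host
    if pattern.startswith("["):                  # [::1] style IPv6 literal
        return pattern[1:-1] == addr
    if pattern.startswith("."):                  # domain suffix: .gurulabs.com
        return host.endswith(pattern)
    if pattern.endswith("."):                    # address prefix: 192.168.
        return addr.startswith(pattern)
    if "/" in pattern:                           # net/mask: 10.5.2.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:                       # e.g. IPv6 client, IPv4 pattern
            return False
    return pattern in (host, addr)               # exact host name or address


def match_list(text, item_matches):
    """Match a daemon_list or client_list; EXCEPT nests to the right."""
    head, _, rest = text.partition(" EXCEPT ")
    matched = any(item_matches(p) for p in head.replace(",", " ").split())
    if not rest:
        return matched
    return matched and not match_list(rest, item_matches)


def access_allowed(hosts_allow, hosts_deny, daemon, host, addr):
    """Return (allowed, reason) for one connection attempt."""
    def first_match(rules):
        for daemons, clients in rules:
            if (match_list(daemons, lambda d: d in ("ALL", daemon))
                    and match_list(clients, lambda p: match_client(p, host, addr))):
                return f"{daemons}: {clients}"
        return None

    hit = first_match(parse_rules(hosts_allow))
    if hit:
        return True, f"hosts.allow matched '{hit}'"
    hit = first_match(parse_rules(hosts_deny))
    if hit:
        return False, f"hosts.deny matched '{hit}'"
    return True, "no match in either file (default allow)"


# Constructed rule sets based on the examples above; kiosk.gurulabs.com is
# an assumed host name for the lobby kiosk.
HOSTS_ALLOW = """
sshd: 10.100.0.5
in.telnetd: 192.168. 10.5.2.0/255.255.255.0
in.ftpd sshd: .gurulabs.com EXCEPT kiosk.gurulabs.com
ALL: 127. [::1]
"""
HOSTS_DENY = "ALL: ALL : banners /etc/deny-banner\n"


if __name__ == "__main__":
    for daemon, host, addr in [("sshd", "station4.gurulabs.com", "10.100.0.14"),
                               ("sshd", "kiosk.gurulabs.com", "10.100.0.99"),
                               ("in.telnetd", "unknown", "10.5.3.1")]:
        print(daemon, host, addr, access_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, host, addr))
```

With the deny file left empty, every unmatched client is allowed, which is the default-allow behaviour the page warns about; with ALL: ALL in hosts.deny the same clients are refused unless a hosts.allow rule admits them, and the kiosk is refused even though it sits inside .gurulabs.com because the EXCEPT clause removes it from the allow rule.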
Advanced TCP Wrappers

Printing a banner
        banners
Running an alternative daemon
        twist
Running a command on connection
        spawn
Default deny configuration
        ALL: ALL in /etc/hosts.deny
        Put allowed hosts in /etc/hosts.allow
        At least ALL: 127. [::1]

File: /etc/deny-banner
+ Attention, this is a private host!
+ To request access, email <root@example.com>

File: /etc/hosts.deny
+ ALL: ALL : banners /etc/deny-banner

Note that the argument to banners is a directory: hosts_options(5) looks
in it for a file named after the daemon process (for example in.telnetd
for the telnet service), so the text above would be placed in a file of
that name inside the directory. You can use ANSI or VT100 screen control
characters as well in banner files.

Token   Function
%a      the client (host) address
%c      client information: user@host, user@address, a host name, or
        just an address, depending on how much information is available
%d      the daemon process name (argv[0])
%h      the client host name, or its address if the name is unavailable
%n      the client host name (or "unknown" or "paranoid")
%p      the daemon process id
%s      server information: daemon@host, daemon@address, or just a
        daemon name
%u      the client user name (or "unknown")

File: /etc/hosts.deny
+ in.telnetd: ALL : spawn (/usr/sbin/safe_finger -l @%h |

This line would finger the connecting host and email the output with
a subject line containing the client info.

File: /etc/hosts.allow
+ in.telnetd: .badguys.com : twist exec /bin/ft.pl
Basic Firewall Activation

The firewall creation code built into the Anaconda installer has two
modes, Enabled (the default) and Disabled. It uses stateful rules. All
network traffic that is part of (or related to) an established
connection initiated by the host is automatically allowed, along with
inbound ICMP and IPsec connections. All other, externally initiated,
inbound connections are rejected.
Netfilter: Stateful Packet Filter Firewall

. . . should be filtered. Packets flow down the chains, and at every rule
they can be blocked, dropped, redirected to other chains or passed
on to the next rule. Netfilter can be configured in a stateful fashion
making it possible to filter packets by connection state, which can
especially be useful when configuring a firewall safely to permit
baroque protocols like FTP. In addition, maintaining state makes it
possible for Netfilter to prevent certain kinds of denial-of-service
attacks. It also makes it possible for Netfilter to deal with fragments
more safely than earlier Linux firewalls such as ipchains.
Netfilter Concepts

[Figure: Netfilter packet flow. A packet arriving on ppp0, eth0 or eth1
enters the PREROUTING chain (nat, mangle tables). A routing decision then
sends it either through FORWARD (filter, mangle) and POSTROUTING (nat,
mangle) and out of an interface, or through INPUT (filter, mangle) up to
user space. Locally generated packets leave user space through OUTPUT
(filter, mangle, nat), a routing decision, and POSTROUTING.]

Three tables exist to organize chains: filter, nat, and mangle. This
chart lists which chains are available in each table:

Chain         filter   nat   mangle
PREROUTING             X     X
INPUT         X              X
FORWARD       X              X
OUTPUT        X        X     X
POSTROUTING            X     X
Using the iptables Command

Listing Rules
# iptables -L CHAIN
. . . output omitted . . .

Option  Description
-n      numeric output: do not resolve addresses or port numbers to names
-v      verbose output, including interfaces and packet/byte counters
-x      exact counter values instead of rounded K/M/G figures

Setting chain policy
The -P option sets the policy of a built-in chain, which is the verdict
applied to any packet no rule in that chain matched. To set the FORWARD
chain's policy to DROP, give -P the chain name and the target DROP.

Manipulating Rules
Rules are added by using the -A option with the name of a chain to
specify that a rule is being added to that chain, and then supplying
the rule to be added. For example, a rule added to the INPUT chain can
limit ICMP ping requests coming in via eth0 to one per second; such a
rule only acts as a limit when a later rule or the chain policy drops
the requests that exceed it.

To delete all the rules in a chain use the -F (flush) chain operator. If a
CHAIN is not specified, all rules in all chains in the specified table (the
filter table if the -t option is not used) are flushed:
# iptables -F CHAIN
Netfilter Rule Syntax

Match Specification
There are many options that can be used to match traffic. When
multiple switches are used on the command line, all of the conditions
listed must be satisfied in order for the rule to match. If any part does
not match, Netfilter moves on to the next rule in the chain, without
taking the action specified by the rule's target.

Targets

Policy Considerations
There are two different ways in which policy based systems can be
built. They are referred to as the "default-open" and the
"default-closed" models.

In the default-open model, the system will examine the policy to see
if there is a reason to deny access and, if none can be found, will
grant access. Rules must be written to explicitly deny anything that
should not be allowed.

In the default-closed model, access is granted only when a rule
explicitly allows it; anything that matches no allow rule is refused by
the chain policy. A chain whose policy is DROP is default-closed.
Targets

If the DROP target were referred to as the "rude" way to block traffic,
then the REJECT target might be called the "kind" way. When a rule
whose target is REJECT matches a packet, Netfilter throws the packet
away with no further rule checking, just like with the DROP target, but
also sends an ICMP response to the REJECT'ed packet's sender. Just
as with DROP'ed packets, user-space programs will never know of the
packet's existence.

When a rule whose target is LOG matches a packet, Netfilter will send
information about that packet to syslog. Since Netfilter is a part of
the kernel, those log messages will be sent from the kernel using the
kern facility to syslogd.

Rule processing will continue with the next rule following a rule with
a matched LOG target. To log traffic before dropping it, create two
rules with the same match_spec; the first with the LOG target and the
second with the DROP target.
Common match_specs

Matching IP Addresses
IP Address        Source [-s] or destination [-d] address
Interface         Input [-i] or output [-o] interface
Protocol          -p
TCP, UDP & ICMP   For these protocols, iptables can match on most header values

For the TCP, UDP & ICMP protocols, there are several additional
options available for narrowing down exactly what traffic to match.

Matching ICMP
# iptables -p icmp -h
Connection Tracking

NEW           No match in Netfilter's connection tracking state engine
ESTABLISHED   The packet matches an ongoing communication
RELATED       The packet starts a new connection that is associated with
              an existing one (for example, an FTP data connection)
INVALID       The packet cannot be associated with any known connection
              and is not valid as the start of a new one

Once the state module is loaded, you can then use the --state
option to match a packet according to its Netfilter connection-tracking
state. Packets that cannot be classified as NEW, ESTABLISHED or RELATED
match the INVALID state.
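The Targets page and this page describe four rules of traversal that decide what a packet's fate is: every match condition of a rule must hold, ACCEPT, DROP and REJECT stop rule checking, LOG matches but lets checking continue, and the chain policy decides whatever no rule matched. The following is an added example, not code from the courseware and not kernel code: a small model of an INPUT chain that applies exactly those rules, with a default-closed policy and connection-tracking states, so the effect of rule order can be seen without a test host. The rule set, shown as equivalent iptables commands in the docstring, and the packets are constructed for the example.

```python
"""Simulate INPUT chain traversal with Netfilter's rule semantics.

Added example; it is not part of the Guru Labs courseware and is not kernel
code. It models the behaviour described on the Targets and Connection
Tracking pages: rules are checked top down and every match condition in a
rule must hold; ACCEPT, DROP and REJECT end rule checking; LOG records the
packet and lets checking continue (so logging before dropping takes two
rules with the same match); and the chain policy decides anything no rule
matched (default-closed when the policy is DROP). The rule set and the
packets are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                   # "tcp", "udp" or "icmp"
    src: str                     # source address
    dport: Optional[int] = None  # destination port (tcp/udp only)
    iface: str = "eth0"          # input interface
    state: str = "NEW"           # conntrack state: NEW, ESTABLISHED, RELATED, INVALID


@dataclass
class Rule:
    target: str                           # ACCEPT, DROP, REJECT or LOG
    proto: Optional[str] = None           # -p
    iface: Optional[str] = None           # -i
    src_net: Optional[str] = None         # -s (CIDR)
    dport: Optional[int] = None           # --dport
    states: Tuple[str, ...] = ()          # -m state --state
    log_prefix: str = ""                  # --log-prefix

    def matches(self, pkt: Packet) -> bool:
        """All given match conditions must hold; an unset field matches anything."""
        return all((
            self.proto is None or self.proto == pkt.proto,
            self.iface is None or self.iface == pkt.iface,
            self.src_net is None
            or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net),
            self.dport is None or self.dport == pkt.dport,
            not self.states or pkt.state in self.states,
        ))


TERMINATING = {"ACCEPT", "DROP", "REJECT"}


def run_chain(rules: List[Rule], policy: str, pkt: Packet):
    """Return (verdict, log_lines) for one packet traversing a chain."""
    logs = []
    for rule in rules:
        if not rule.matches(pkt):
            continue                      # no match: fall through to the next rule
        if rule.target == "LOG":
            line = f"{rule.log_prefix}IN={pkt.iface} SRC={pkt.src} PROTO={pkt.proto.upper()}"
            if pkt.dport is not None:
                line += f" DPT={pkt.dport}"
            logs.append(line)             # LOG is not terminating: keep checking
            continue
        if rule.target in TERMINATING:
            return rule.target, logs      # first terminating match decides
    return policy, logs                   # nothing matched: the chain policy applies


def example_ruleset():
    """Equivalent of the following iptables commands (constructed example):
    iptables -P INPUT DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -i eth0 -p tcp -s 10.100.0.0/24 --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 23 -j LOG --log-prefix "telnet: "
    iptables -A INPUT -p tcp --dport 23 -j REJECT
    """
    rules = [
        Rule("ACCEPT", states=("ESTABLISHED", "RELATED")),
        Rule("DROP", states=("INVALID",)),
        Rule("ACCEPT", proto="tcp", iface="eth0", src_net="10.100.0.0/24", dport=22),
        Rule("LOG", proto="tcp", dport=23, log_prefix="telnet: "),
        Rule("REJECT", proto="tcp", dport=23),
    ]
    return rules, "DROP"


def filter_packet(pkt: Packet):
    """Run one packet through the example INPUT chain."""
    rules, policy = example_ruleset()
    return run_chain(rules, policy, pkt)


if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.100.0.5", 22),
                Packet("tcp", "192.168.1.9", 22),
                Packet("tcp", "203.0.113.7", 23),
                Packet("tcp", "203.0.113.7", 443, state="ESTABLISHED"),
                Packet("udp", "203.0.113.7", 53, state="INVALID")):
        print(pkt, "->", filter_packet(pkt))
```

The telnet packet is the case from the Targets page: it matches the LOG rule, a log line is produced, and checking continues to the REJECT rule that actually discards it; remove the REJECT rule and the same packet would still be logged but would then fall through to the DROP policy. An SSH packet from outside 10.100.0.0/24 matches nothing and is dropped by the policy with no log line at all, which is the default-closed behaviour.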
SELinux Security Framework

Security Context

Relabeling Files

If files on the filesystem have the wrong (or no) security context label,
then applications can fail. The most common reasons that security
labels become incorrect are copying files and running the system with
SELinux disabled. You can relabel files or directories using the
setfiles, restorecon, or chcon commands. You can relabel the entire
filesystem using the fixfiles relabel command.
Choosing an SELinux Policy

SELinux Policies
Targeted
        separate types for most commands and services
        everything else runs under the unconfined_t, kernel_t, or
        initrc_t domains
MLS (Multi-Level Security)
        implements sensitivity and category security labels
        primarily used in military and government
Minimum
        everything runs unconfined_t
        all targeted modules are available if desired
Selected via /etc/selinux/config

Switching Policies
1. Verify that the policy files for the desired policy exist. They are
   contained in the following RPMs: selinux-policy (configuration),
   selinux-policy-minimum, selinux-policy-targeted, and
   selinux-policy-mls.
2. Set the active policy in /etc/selinux/config to SELINUXTYPE=mls,
   SELINUXTYPE=minimum, or SELINUXTYPE=targeted.
3. Reboot the machine for the new policy to take effect.
SELinux Commands

sestatus
        /etc/sestatus.conf
chcon   set the security context of a file or files

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 21
Policy from config file:        targeted

The chcon command changes an object's security context in much the
same way that chmod changes its permissions. The three options that are
used for changing an object's context are -u for user, -r for role, and
-t for type. Like many Unix commands, the -R option performs recursive
file modification.

# ls -Z
-rw-r--r-- guru guru system_u:object_r:user_home_t file.txt
# chcon -t staff_home_t file.txt
# ls -Z
-rw-r--r-- guru guru system_u:object_r:staff_home_t file.txt

Many of the core commands that work with files have had options
added to support the security context labels for files. When possible,
these commands have used the -Z option, with the meaning of the
option varying greatly from command to command. Examples of
commands that have been patched to support SELinux in some way
include: login, su, id, ls, ps, cp, mv, stat, and find. For example:

$ ps -eZ
. . . output omitted . . .
SELinux Booleans

Booleans

Toggling Booleans
Booleans allow parts of the loaded policy to be switched on or off
without rewriting it. Their current values can be listed with sestatus -b
(or getsebool), and a boolean is changed with setsebool; add -P to make
the change persist across reboots.

# sestatus -b
. . . snip . . .
Policy booleans:
allow_httpd_anon_write                      off
allow_httpd_apcupsd_cgi_script_anon_write   off
allow_httpd_bugzilla_script_anon_write      off
allow_httpd_mod_auth_pam                    off
allow_httpd_squid_script_anon_write         off
allow_httpd_sys_script_anon_write           off
allow_java_execstack                        off
. . . snip . . .

Graphical SELinux Policy Tools
Lab 1

Task 1: Securing xinetd Services
        Page: 1-26   Time: 10 minutes   Requirements: 1 station
Task 2: Enforcing Security Policy with xinetd
        Page: 1-29   Time: 10 minutes   Requirements: 1 station
Task 3: Securing Services with TCP Wrappers
        Page: 1-32   Time: 10 minutes   Requirements: 2 stations
Task 4: Securing Services with Netfilter
        Page: 1-36   Time: 15 minutes   Requirements: 2 stations, classroom server
Task 5: Troubleshooting Practice
        Page: 1-41   Time: 20 minutes   Requirements: 1 station
Task 6: SELinux File Contexts
        Page: 1-45   Time: 5 minutes    Requirements: 1 station
Lab 1
Task 1
Securing xinetd Services
Estimated Time: 10 minutes
Requirements: b (1 station)

Objectives
y Discover what services are running and listening for connections.
y Configure xinetd to provide a variety of limits for connecting to services.

Relevance
Identifying and securing running services is crucial in today's hostile
network environments. xinetd provides several powerful features for
securing the services it provides.

1) Become the root user:

$ su -l
Password: makeitso

2) List the services listening on TCP ports using one of the following commands:

# netstat -tlp
# lsof -i TCP
# ss -tlp
. . . output omitted . . .

3) List the services bound to UDP ports using one of the following commands:

# netstat -ulp
# lsof -i UDP
# ss -uap
. . . output omitted . . .

When examining a list of services such as this one, there are some questions that
should always be asked about each one: What is the purpose of the service? Is it
really necessary for this machine?

4) Install the in.telnetd server and client for use in the remaining steps:

5) Enable the telnet service in xinetd:

# chkconfig telnet on

6) Edit the xinetd service definition for telnet so that it logs the session
duration, limits the service to five simultaneous instances and one connection
per source address, and displays a banner:

File: /etc/xinetd.d/telnet
  service telnet
  {
      . . . snip . . .
      server          = /usr/sbin/in.telnetd
      log_on_failure  += USERID
+     log_on_success  += DURATION
+     instances       = 5
+     per_source      = 1
+     banner          = /etc/go-away.banner
  }

instances caps the number of servers running for the service at the same time;
per_source caps the number of connections from any single source address. The
banner is sent to every client, whether or not the connection is then accepted,
so it must not contain anything useful to an attacker.

7) Create the banner file:

File: /etc/go-away.banner
+ This is a secured system. Unauthorized access is prohibited.
+ All access is logged.

8) Cause xinetd to re-read its configuration files and check the log for indications of
errors:

# tail /var/log/messages | grep xinetd
. . . snip . . .
xinetd[1714]: Starting reconfiguration
xinetd[1714]: Swapping defaults
xinetd[1714]: Reconfigured: new=1 old=0 dropped=0 (services)

9) Connect to the telnet service over the loopback interface, log in, then suspend
the telnet client with the escape character followed by z:

# telnet localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
This is a secured system. Unauthorized access is prohibited.
All access is logged.
. . . snip . . .
login: guru
Password: work
Last login: Tue May 31 13:59:06 from localhost.localdomain
$ ^]
telnet> z
[1]+  Stopped                 telnet localhost

10) With the first session still suspended, start a second telnet connection. The
per_source limit of one is already reached, so xinetd sends the banner and then
closes the connection. Return to the suspended session with fg afterwards:

# telnet localhost
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
This is a secured system. Unauthorized access is prohibited.
All access is logged.
Connection closed by foreign host.
# fg
telnet localhost

11) Examine the log for evidence of the telnet connection being denied:

# tail /var/log/messages
. . . snip . . .
xinetd[5497]: START: telnet pid=28392 from=127.0.0.1
xinetd[5497]: FAIL: telnet per_source_limit from=127.0.0.1
xinetd[5497]: EXIT: telnet status=0 pid=28392 duration=47(sec)
Lab 1
Task 2
Enforcing Security Policy with xinetd
Estimated Time: 10 minutes
Requirements: b (1 station)

Objectives
y Configure a sensor (using xinetd) to log connection attempts.

Relevance
Once a security policy - such as "no telnet" - has been established, it is
important to have some mechanism to detect violations of the policy and
report them to the administrator.

1) Create a new xinetd service configuration file with this content:

File: /etc/xinetd.d/notelnet
+ service notelnet
+ {
+     disable     = no
+     type        = INTERNAL
+     flags       = SENSOR
+     protocol    = tcp
+     port        = 23
+     socket_type = stream
+     wait        = no
+     user        = root
+     log_type    = FILE /var/log/violators
+     banner      = /etc/notelnet-violation.banner
+ }

With the SENSOR flag xinetd never starts a server for the port: it logs the
connection, sends the banner and closes the socket, and it can also add the
source address to its global no_access list for the period set by deny_time.
Do not put a sensor on a port that legitimate clients might probe, since a
single stray connection could then lock that client out of every xinetd service.

2) Create the banner file that the sensor sends to violators:

File: /etc/notelnet-violation.banner
+ Remember the new security policy!
+ *telnet* is no longer acceptable.
+ Your IP address has been logged.

3) Modify the /etc/services file so that the line for the telnet protocol contains an
alias for the new service name. The new line should read:

File: /etc/services
- telnet          23/tcp
+ telnet          23/tcp          notelnet        # Telnet

4) Configure xinetd to use the new notelnet service and check the logs for signs of
problems (correct as necessary):

5) Examine the log output carefully for any errors, and correct your service definition
if needed.

6) Connect to the telnet port over the loopback interface. The sensor sends the
banner and closes the connection:

# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Remember the new security policy!
*telnet* is no longer acceptable.
Your IP address has been logged.
Connection closed by foreign host.

7) Examine the sensor's log file for the recorded violation:

# tail /var/log/violators
FAIL: notelnet address from=::1

Cleanup

Clean up the xinetd services so that future lab exercises will operate correctly:

8) Modify the /etc/services file so that the line for the telnet protocol no longer
contains the alias for the notelnet service:

File: /etc/services
- telnet          23/tcp          notelnet        # Telnet
+ telnet          23/tcp
Lab 1
Task 3
Securing Services with TCP Wrappers
Estimated Time: 10 minutes
Requirements: bb (2 stations)

Objectives
y Use TCP Wrappers to secure various services.

Relevance
A frequent security need is the ability to prevent connections to services
from specific IP addresses. The TCP Wrapper framework provides a
centralized place to enforce these IP address based connection
restrictions.

1) Configure TCP Wrappers to permit the loopback addresses and the classroom
server to reach all wrapped services, your lab partner's station to reach SSH,
and the whole classroom network except your lab partner's station to reach FTP:

File: /etc/hosts.allow
+ ALL: 127. [::1] 10.100.0.254
+ sshd: 10.100.0.Y
+ vsftpd: 10.100.0.0/255.255.255.0 EXCEPT 10.100.0.Y

Normally you would permit the local IP address of the system to all services as
well (adding it to the first line). It is left off only to facilitate testing within the lab.

The rules are evaluated in order: access is granted on the first matching line in
hosts.allow, denied on the first matching line in hosts.deny, and granted if
neither file matches. They only affect programs linked against libwrap (sshd, and
vsftpd with tcp_wrappers=YES in vsftpd.conf) and services started through xinetd,
which checks them under the server's name (in.telnetd for telnet). To predict the
decision for one pair without making a connection, use tcpdmatch, for example
tcpdmatch sshd 10.100.0.Y.

2) Configure TCP wrappers to deny all connections not matching a rule in the
hosts.allow file (any existing comments can be left in place):

File: /etc/hosts.deny
+ ALL: ALL
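The evaluation order described above is easy to get wrong when EXCEPT lists and address prefixes are mixed. The following Python script is an added example, not part of the Guru Labs courseware: it implements the subset of hosts_access(5) syntax the lab uses (ALL, a trailing-dot IPv4 prefix such as 127., a bracketed IPv6 address such as [::1], single addresses, net/mask and EXCEPT) so the effect of a hosts.allow/hosts.deny pair can be checked before the files go live. The two rule files are constructed from the lab's, with the partner's address Y replaced by the assumed value 10.100.0.2; host names are not resolved, and the real decision on a system is made by libwrap (use tcpdmatch there).

```python
"""Predict the TCP Wrappers decision for a (daemon, client) pair.

Added example, not part of the Guru Labs courseware. Implements the subset of
hosts_access(5) syntax used in the lab so hosts.allow/hosts.deny can be checked
before deployment. Host names are not resolved; use tcpdmatch(8) on a real system.
"""
import ipaddress

# Constructed from the lab's files; the partner station 10.100.0.Y is assumed to be 10.100.0.2.
HOSTS_ALLOW = """\
ALL: 127. [::1] 10.100.0.254
sshd: 10.100.0.2
vsftpd: 10.100.0.0/255.255.255.0 EXCEPT 10.100.0.2
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return [(daemon_list, (client_patterns, except_patterns)), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        daemon_list = daemons.replace(",", " ").split()
        include, _, excluded = clients.partition(" EXCEPT ")
        rules.append((daemon_list, (include.replace(",", " ").split(),
                                    excluded.replace(",", " ").split())))
    return rules


def match_pattern(pattern, addr):
    """Does one client pattern match an ipaddress object?"""
    if pattern == "ALL":
        return True
    try:
        if pattern.startswith("["):                       # [::1] or [2001:db8::]/32
            host, _, rest = pattern[1:].partition("]")
            net = ipaddress.ip_network(f"{host}/{rest.lstrip('/') or 128}", strict=False)
            return addr in net                            # False when the families differ
        if pattern.endswith("."):                         # 127. matches 127.x.x.x
            return addr.version == 4 and str(addr).startswith(pattern)
        if "/" in pattern:                                # net/mask or net/prefixlen
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)      # single address
    except ValueError:
        return False                                      # host names are not resolved here


def list_matches(client_spec, addr):
    include, excluded = client_spec
    return (any(match_pattern(p, addr) for p in include)
            and not any(match_pattern(p, addr) for p in excluded))


def first_match(rules, daemon, addr):
    for daemon_list, client_spec in rules:
        if ("ALL" in daemon_list or daemon in daemon_list) and list_matches(client_spec, addr):
            return True
    return False


def decide(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """'allow' or 'deny' following hosts_access(5): hosts.allow first, then hosts.deny, else allow."""
    addr = ipaddress.ip_address(client)
    if addr.version == 6 and addr.ipv4_mapped is not None:   # ::ffff:10.0.0.1 -> 10.0.0.1
        addr = addr.ipv4_mapped
    if first_match(parse_rules(allow_text), daemon, addr):
        return "allow"
    if first_match(parse_rules(deny_text), daemon, addr):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # xinetd checks the rules under the server name, hence in.telnetd rather than telnet.
    for daemon, client in [("sshd", "127.0.0.1"), ("sshd", "10.100.0.1"), ("sshd", "10.100.0.2"),
                           ("vsftpd", "10.100.0.1"), ("vsftpd", "10.100.0.2"),
                           ("in.telnetd", "10.100.0.254"), ("in.telnetd", "::ffff:10.100.0.5")]:
        print(f"{daemon:<11} {client:<20} {decide(daemon, client)}")
```

The script reproduces the lab's observed behaviour: the station's own address is denied for sshd because it appears in neither allow rule, the partner is denied for vsftpd by the EXCEPT clause, and an IPv4-mapped address is folded onto its IPv4 form before matching.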
3) Make sure the telnet service is enabled in xinetd:

# chkconfig telnet on

4) Verify you can connect to the SSH and telnet services via loopback, but not your
assigned IP:

Connection is established:

# ssh guru@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 36:fe:89:5a:d4:57:da:3d:29:9d:6b:d4:27:65:fd:3e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
guru@localhost's password: work
. . . snip . . .
$ exit
logout
Connection to localhost closed.
# telnet localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
This is a secured system, unauthorized access is prohibited.
All access is logged.
login: ^]
telnet> close
Connection closed.

Connection is denied:

# ssh guru@10.100.0.X
ssh_exchange_identification: Connection closed by remote host
# telnet 10.100.0.X
Trying 10.100.0.X...
Connected to 10.100.0.X.
Escape character is '^]'.
This is a secured system, unauthorized access is prohibited.
All access is logged.
Connection closed by foreign host.

Note that the denied telnet client still receives the banner before the
connection is closed: xinetd sends the banner before the libwrap check, so
seeing the banner says nothing about whether access was granted.

5) Verify you can connect to the FTP service via both loopback and your assigned IP:

Connection is established:

# ftp localhost
. . . output omitted . . .

Connection is established:

# ftp 10.100.0.X
Connected to 10.100.0.1 (10.100.0.1).
220 (vsFTPd 2.2.2)
Name (10.100.0.X:guru): ^C

6) If you are working with a lab partner, wait for them to reach this point before
continuing.

7) Examine the log for evidence of the denied telnet connection:

# tail -n 20 /var/log/messages
. . . snip . . .
xinetd[25390]: libwrap refused connection to telnet (libwrap=in.telnetd) from ::ffff:10.100.0.X
xinetd[25390]: FAIL: telnet libwrap from=10.100.0.X
xinetd[25311]: START: telnet pid=25390 from=10.100.0.X
xinetd[25311]: EXIT: telnet status=0 pid=25390 duration=0(sec)
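The FAIL lines in this log, in the per_source_limit log of Task 1 and in the sensor log of Task 2 share one format, which makes them easy to triage in bulk. The following Python script is an added example, not part of the Guru Labs courseware: it parses "FAIL: <service> <reason> from=<address>" lines, folds IPv4-mapped IPv6 addresses onto their IPv4 form so both spellings count together, and reports the sources with repeated denials. The log lines are constructed to match the formats shown in the three tasks; they were not captured from a system.

```python
"""Summarise the FAIL events xinetd writes to syslog.

Added example, not part of the Guru Labs courseware. The sample lines are
constructed to match the lab's log formats (per_source_limit, SENSOR "address"
hits and libwrap refusals); they were not captured from a real system.
"""
import re
from collections import Counter

# "xinetd[PID]: FAIL: <service> <reason> from=<address>" as written by xinetd.
FAIL_RE = re.compile(
    r"xinetd\[\d+\]: FAIL: (?P<service>\S+) (?P<reason>\S+) from=(?P<source>\S+)"
)

SAMPLE_LOG = """\
May 31 14:01:02 station1 xinetd[5497]: START: telnet pid=28392 from=127.0.0.1
May 31 14:01:49 station1 xinetd[5497]: FAIL: telnet per_source_limit from=127.0.0.1
May 31 14:01:49 station1 xinetd[5497]: EXIT: telnet status=0 pid=28392 duration=47(sec)
May 31 14:05:10 station1 xinetd[5497]: FAIL: notelnet address from=::1
May 31 14:05:11 station1 xinetd[5497]: FAIL: notelnet address from=10.100.0.7
May 31 14:07:30 station1 xinetd[25390]: FAIL: telnet libwrap from=10.100.0.7
May 31 14:07:31 station1 xinetd[25390]: FAIL: telnet libwrap from=::ffff:10.100.0.7
"""

REASON_MEANING = {
    "per_source_limit": "per_source limit reached for this address",
    "address": "blocked by only_from/no_access or a tripped SENSOR",
    "libwrap": "refused by TCP Wrappers (hosts.allow/hosts.deny)",
}


def normalise_source(source):
    """Fold the IPv4-mapped IPv6 form onto the IPv4 address so both spellings count together."""
    return source[len("::ffff:"):] if source.startswith("::ffff:") else source


def parse_fail_events(text):
    """[(service, reason, source), ...] for every FAIL line, in log order."""
    events = []
    for line in text.splitlines():
        match = FAIL_RE.search(line)
        if match:
            events.append((match["service"], match["reason"], normalise_source(match["source"])))
    return events


def summarise(text):
    """Counter keyed by (service, reason, source)."""
    return Counter(parse_fail_events(text))


def noisy_sources(text, threshold=2):
    """Source addresses with at least `threshold` denials, most active first."""
    per_source = Counter(source for _service, _reason, source in parse_fail_events(text))
    return [source for source, count in per_source.most_common() if count >= threshold]


if __name__ == "__main__":
    for (service, reason, source), count in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{count:3d}  {service:<9} {source:<16} {REASON_MEANING.get(reason, reason)}")
    print("repeat offenders:", noisy_sources(SAMPLE_LOG))
```

Feed it the output of grep xinetd /var/log/messages (and /var/log/violators for sensors) to see which control produced each refusal; the reason field tells you whether to look at the service's instances/per_source settings, at only_from/no_access and sensors, or at the TCP Wrappers files.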
8) If you are working with a lab partner, wait for them to reach this point before
continuing.

9) Verify that you can connect to the SSH service of your designated lab partner's
system:

Connection is established:

# ssh guru@10.100.0.Y
The authenticity of host 'stationY (10.100.0.Y)' can't be established.
RSA key fingerprint is 1f:63:ea:ed:07:bf:82:09:79:99:08:57:e9:79:d0:28.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'stationY,10.100.0.Y' (RSA) to the list of known hosts.
guru@stationY's password: work
$ exit
logout
Connection to 10.100.0.Y closed.

10) Attempt to connect to your lab partner's FTP and telnet service (expecting to be
denied):

Connection is denied:

# ftp 10.100.0.Y
Connected to 10.100.0.Y (10.100.0.Y).
421 Service not available.
ftp> quit
# telnet 10.100.0.Y
Trying 10.100.0.Y...
Connected to stationY.
Escape character is '^]'.
This is a secured system, unauthorized access is prohibited.
All access is logged.
Connection closed by foreign host.

11) Optional: Examine log files again looking for evidence of the denial messages
associated with your lab partner's attempts to connect to your services.

Cleanup

12) Clean up telnet and ftp services so that future lab exercises will operate
correctly:

13) Clean up the TCP Wrappers rules to prevent conflicts with future lab exercises:

# >/etc/hosts.deny
# >/etc/hosts.allow
Lab 1
Task 4
Securing Services with Netfilter
Estimated Time: 15 minutes
Requirements: bb (2 stations) c (classroom server)

Objectives
y Use Netfilter stateful packet filtering to protect the system.

Relevance
Netfilter provides a powerful packet manipulation framework that can be
used to protect networked services. Today's hostile network environments
basically necessitate packet filtering, and Netfilter's stateful rules allow
even simple configurations to provide impressive security.

1) Flush all existing rules from the filter, nat and mangle tables:

# iptables -F
# iptables -t nat -F
# iptables -t mangle -F

2) Change the chain policies for all chains in the filter table to DROP:

Do this from the console rather than over an SSH session: with DROP policies
and no accept rules in place, a remote session is cut off immediately.

3) Try to connect to server1 with telnet. With a DROP policy on OUTPUT and no
accept rules yet, the attempt hangs (interrupt it with Ctrl-C):

# telnet 10.100.0.254
Trying 10.100.0.254...

4) Add rules to allow connection tracked traffic (i.e. stateful rules) to be accepted:

5) Add a rule to allow this host to send ICMP echo-request messages (so that the
ping command will work):

6) Add a rule that allows this host to initiate telnet connections:

# iptables -A OUTPUT -p tcp --sport 1024:65535 --dport telnet -m state --state NEW -j ACCEPT

7) Try to use telnet to connect to server1 by IP address:

# telnet 10.100.0.254
Trying 10.100.0.254...
Connected to 10.100.0.254.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.0 (Santiago)
Kernel 2.6.32-71.el6.i686 on an i686
login: ^]
telnet> close
Connection closed.

8) Try to use telnet to connect to server1 by hostname:

# telnet server1
telnet: server1: Name or service not known
server1: Host name lookup failure

The name lookup fails because the resolver's DNS queries are dropped by the
OUTPUT policy.

9) Insert rules that allow outbound DNS queries over UDP and TCP. They are inserted
at fixed positions (4 and 5), which assumes the OUTPUT chain holds exactly the
rules added above in order; list the chain with iptables -nL OUTPUT --line-numbers
if in doubt:

# iptables -I OUTPUT 4 -p udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
# iptables -I OUTPUT 5 -p tcp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT

10) Connect to server1 by hostname again:

# telnet server1
Trying 10.100.0.254...
Connected to 10.100.0.254.
Escape character is '^]'.
Red Hat Enterprise Linux Server release 6.0 (Santiago)
Kernel 2.6.32-71.el6.i686 on an i686
login: ^]
telnet> close
Connection closed.

11) Wait for your lab partner to reach this point before continuing with this step.

12) Ping your lab partner's station:

# ping stationY
PING stationY.example.com (10.100.0.Y) from 10.100.0.X : 56(84) bytes of data.
. . . snip . . .

13) Allow echo requests of a reasonable size (the default is 56 bytes), but don't allow
large flood pings. A ping that exceeds the permitted size then reports:

--- stationY.example.com ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 10000ms

14) Find the rule which allows this system to initiate telnet connections:

15) Replace the rule that allows this system to connect using telnet, with one that
permits SSH:

# iptables -D OUTPUT 6
# iptables -I OUTPUT 6 -p tcp --sport 1024: --dport 22 -m state --state NEW -j ACCEPT

The rule number must match the one found in the previous step. Rule numbers
shift every time a rule is inserted or deleted, so list the chain with
iptables -nL OUTPUT --line-numbers immediately before deleting by number; -D with
the wrong index silently removes a different rule.

16) Drop down to single-user mode and then back to run-level 5 to demonstrate that
the rules are restored (the iptables init script reloads the ruleset saved in
/etc/sysconfig/iptables; rules that were never saved are lost):

# init 1
. . . snip . . .
# init 5
. . . snip . . .

17) Confirm that the ruleset is back in place:

# iptables -nvL
. . . output omitted . . .
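Reading iptables -nvL by eye does not scale, and the two properties that make this ruleset safe (DROP policies, and the stateful rule ahead of every rule that admits NEW connections) are easy to break with a misplaced -I. The following Python script is an added example, not part of the Guru Labs courseware: run over the output of iptables-save it reports those two properties and lists which NEW connections the host may still open. The dump it ships with is constructed to resemble the lab's end state; the -m length match on the ICMP rule is an assumption about how the "no large pings" rule might be written, not a rule taken from the page.

```python
"""Audit an iptables-save dump for the stateful baseline built in this lab.

Added example, not part of the Guru Labs courseware. The dump below is a
constructed sample resembling the lab's end state, not captured from a system.
"""
import re

SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample, not captured from a system)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -m length --length 0:128 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")   # ":INPUT DROP [0:0]"
RULE_RE = re.compile(r"^-A (\S+) (.*)$")                # "-A OUTPUT <match spec>"


def parse_filter_table(dump):
    """Return ({chain: policy}, [(chain, rule_text), ...]) for the filter table only."""
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter":
            chain = CHAIN_RE.match(line)
            rule = RULE_RE.match(line)
            if chain:
                policies[chain.group(1)] = chain.group(2)
            elif rule:
                rules.append((rule.group(1), rule.group(2)))
    return policies, rules


def states_of(rule):
    """The set of conntrack states a rule matches; empty if it has no --state match."""
    m = re.search(r"--state (\S+)", rule)
    return set(m.group(1).split(",")) if m else set()


def audit(dump):
    """Return a list of findings; an empty list means the dump passes every check."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain}: policy is {policies.get(chain, 'missing')}, expected DROP")
    for chain in ("INPUT", "OUTPUT"):
        chain_rules = [r for c, r in rules if c == chain]
        est = next((i for i, r in enumerate(chain_rules)
                    if "ESTABLISHED" in states_of(r) and r.endswith("-j ACCEPT")), None)
        new = next((i for i, r in enumerate(chain_rules)
                    if "NEW" in states_of(r) and r.endswith("-j ACCEPT")), None)
        if est is None:
            findings.append(f"{chain}: no rule accepts RELATED,ESTABLISHED traffic")
        elif new is not None and new < est:
            findings.append(f"{chain}: rule {new + 1} admits NEW connections "
                            f"before the stateful rule at {est + 1}")
    return findings


def permitted_new_outbound(dump):
    """(protocol, destination port) pairs this host may open, so its exposure is explicit."""
    _policies, rules = parse_filter_table(dump)
    permitted = []
    for chain, rule in rules:
        if chain == "OUTPUT" and "NEW" in states_of(rule) and rule.endswith("-j ACCEPT"):
            proto = re.search(r"-p (\S+)", rule)
            dport = re.search(r"--dport (\S+)", rule)
            permitted.append((proto.group(1) if proto else "any",
                              dport.group(1) if dport else "any"))
    return permitted


if __name__ == "__main__":
    print("findings:", audit(SAMPLE_DUMP) or "none")
    print("NEW connections allowed out:", permitted_new_outbound(SAMPLE_DUMP))
```

On a station, pipe iptables-save into the script instead of using the embedded sample; a finding about rule order is exactly the condition the fixed-position -I commands in step 9 can create when the chain does not contain what you assumed.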
Cleanup
Lab 1
Task 5
Troubleshooting Practice
Estimated Time: 20 minutes
Requirements: b (1 station)

Objectives
y Practice troubleshooting common system errors.

Relevance
Troubleshooting scenario scripts were installed on your system as part of
the classroom setup process. You use these scripts to break your system
in controlled ways, and then you troubleshoot the problem and fix the
system.

1) Launch the troubleshooting framework:

# tsmenu

2) The first time the troubleshooting framework is started, you are required to
confirm some information about your system. Confirm the distribution of Linux
is correct by selecting Yes and then press Enter.

3) Use the UP and DOWN arrow keys to select 'Troubleshooting Group #0'.
Use the LEFT and RIGHT arrow keys to select OK and press Enter to continue.
You are taken to the 'Select Scenario Category' screen.

4) This first break system scenario is a simple HOW-TO for the tsmenu program
itself. Its function is to familiarize you with the usage of the program.

5) The 'Break system?' screen provides you with a more detailed description of the
scenario and asks whether you want to proceed and "break the system now?".
Read the description of the problem and then select Yes and press Enter.

6) You are taken to the 'SYSTEM IS BROKEN!' screen. Select OK and press Enter. The
system is now locked on the selected scenario and will not permit you to run
another scenario until the current scenario is solved.

7) You can re-read the description of the scenario two different ways. First, the
description is written into a text file. Display the contents of this file:

# cat /problem.txt
. . . output omitted . . .

8) You can also get information about the currently locked problem by re-running the
tsmenu program. As the root user, launch the tsmenu program:

# tsmenu

9) Use the UP and DOWN arrow keys to select the 'Description' menu item, then
select OK and press Enter to continue.

10) Select the 'Hints' menu item several times until you have seen all of the available
hints for the learn-01.sh scenario.

11) The 'Check' menu item is used to check if the currently locked troubleshooting
scenario has been correctly solved. Select 'Check', then select OK and press Enter.

12) You are presented with the message 'ERROR: Scenario not completed'. This
indicates that the conditions required by the script have not yet been met. If you
feel that you have solved the problem, then you may need to carefully review the
requirements as listed in the 'Description'. If you are still unsure about how to
proceed then you should consult with the instructor.

13) Solve the learn-01.sh scenario:

# touch /root/solved

14) Run tsmenu again. Each time the tsmenu program launches, it checks to see if you
have solved the current problem. If you leave the tsmenu program open, then you
can check a problem at any time by following these steps:

# tsmenu

15) You should now proceed to complete the troubleshooting scenarios shown in the
following table using the same basic procedure as shown in the previous steps.

Group     Category       Script
Group 2   TCP Wrappers   tcpwrappers-01.sh
Group 2   IP Tables      iptables-01.sh
Group 2   Xinetd         xinetd-01.sh
Lab 1
Task 6
SELinux File Contexts
Estimated Time: 5 minutes
Requirements: b (1 station)

Objectives
y Examine the effect of the cp and mv commands on SELinux file contexts

Relevance
When copying and moving files, the SELinux security label (file context)
attached to a file can be modified. Understanding the effect of commands
on these file context labels will allow you to fix and avoid file context
problems.

1) Create a new file and view the default SELinux file context assigned:

/etc/testfile

2) Copy and move the file into the /tmp directory and view the file contexts assigned
to the new files:

# cp /etc/testfile /tmp/testfile-cp
# mv /etc/testfile /tmp/testfile-mv
# ls -Z /tmp/testfile-*
-rw-r--r--. root root unconfined_u:object_r:user_tmp_t:s0 /tmp/testfile-cp
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0      /tmp/testfile-mv

cp creates a new file, so the copy receives the policy's default label for the
destination directory (user_tmp_t). mv keeps the file's existing label (etc_t)
regardless of where it ends up, which is the usual cause of unexpected AVC
denials after files are moved into a directory that a confined service reads.

3) Set the file context on the moved file to the correct value for the new location:
Content
Naming Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
DNS A Better Way . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
The Domain Name Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Delegation and Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Server Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Resolving Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Resolving IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Basic BIND Administration . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Configuring the Resolver . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Testing Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Lab Tasks
16
1. Configuring a Slave Name Server . . . . . . . . . . . . . . . . . . 17
Chapter 2
DNS CONCEPTS
Naming Services

Before DNS

% ftp sri-nic
Connected to sri-nic
220 SRI-NIC.ARPA FTP Server Process 5Z(47)-6
at Fri 25-Dec-87 20:28-PST
Name (sri-nic.arpa:dkelson): anonymous
331 ANONYMOUS user ok, send real ident as password.
Password:
230 User ANONYMOUS logged in at Fri 25-Dec-87 20:28-PST.
ftp> get NETINFO:HOSTS.TXT
200 Port 4.158 at host 128.114.130.3 accepted.
150 ASCII retrieve of <NETINFO>HOSTS.TXT.5 started.
226 Transfer completed. 652121 bytes transferred.
local: NETINFO:HOSTS.TXT remote: NETINFO:HOSTS.TXT
652121 bytes received in 22.74 seconds (28 Kbytes/s)
ftp> quit
221 QUIT command received. Goodbye.
This system worked well when ARPAnet was small, but as ARPAnet
grew, researchers quickly realized that this HOSTS.TXT system was
not going to scale. Among other problems, SRI was being
overwhelmed trying to maintain and distribute the file, people were
often requesting the same host name for different sites (a conflict SRI
did not even have the authority to resolve, other than by informally
adopting a first-come, first-serve policy), and system administrators
often found that their systems' copies of the file were inconsistent
with other systems' copies. By the time updated copies made their
way across ARPAnet, they were already out-of-date.
Replacing HOSTS.TXT

primary goal of the re-write was making version 9 more robust and
secure.

BIND Security Troubles

All versions of BIND have had poor security track records, although
BIND 9 is much better. In light of its track record, it is important that
BIND updates be closely tracked and applied. This is normally done
through the operating system vendor, as BIND is the standard DNS
server shipped with Unix systems.
DNS Structure

This inverted database offers several advantages over the flat map
provided by the earlier HOSTS.TXT scheme. Individual hosts are
grouped into logical subdomains, which are further organized into
logical domains, allowing management responsibilities for each
domain and subdomain to be delegated, removing the necessity for a
single administrator like SRI-NIC.

TLD     Description
.arpa   DNS structure (like reverse lookups) and other meta info
.com    commercial
.edu    educational institutions
.gov    United States government
.int    international organizations
.mil    U.S. military
.net    network providers
.org    organizations

The original list also included all of the 2-letter ISO country codes.
This table shows a few examples:

TLD     Country
.de     Germany
.it     Italy
.jp     Japan

All of these TLDs are still in use today, along with several newer
TLDs which have been officially adopted over the years.
The inverted tree structure of DNS also makes possible a logical,
tree-walking approach to determine IPs from FQDNs. For example, to
resolve www.fuzzywuzzy.com, a resolver will first ask a root name
server for the answer. That server will tell the resolver where to find
the name server for the com. zone, which will tell the resolver where
to find the name server for the fuzzywuzzy.com. zone, which will
return the IP address for www.fuzzywuzzy.com.

[Figure: the domain name space as an inverted tree. The root "" has the
children .gov, .edu, .info and .com; beneath them sit second-level domains
such as whitehouse, usps, cnn and linuxtraining.]
Delegation
Server Roles

[Figure: authoritative name servers for example.com. A Primary Master holds
the zone; the Secondary Masters (Slaves) obtain a copy of it by zone transfer.]

It's important to keep in mind that most name servers fill a variety of
roles. They may be primary master servers for some zones, while
simultaneously being secondary master servers for other zones and
caching servers for all other zones.
Resolving Names

For negative results, the TTL is configured in the SOA record for the
zone (its last field, the "minimum" field, which RFC 2308 redefined as the
negative-caching TTL). The TTL for positive caching is adjustable in the
zone file using the $TTL variable and can be set on individual records. The
TTL for each record is one of the parameters returned in answer to every
DNS query.

When setting the TTL, keep in mind that doing so is always making a
trade-off between accuracy and performance. Long TTLs improve
network performance, but mean out-of-date DNS records will be
cached for a long time, while short TTLs mean that cached DNS
records are always likely to be accurate, but that DNS queries will
have to be made more frequently.
[Figure: resolution of a name for a PC, steps A to D, from the PC's name server
through the root, TLD and authoritative name servers (NS).]
Resolving IP Addresses

While IPv4 uses the .in-addr.arpa domain, IPv6 uses the ip6.arpa
domain. For example:

6.6.6.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.0.0.b.0.a.e.f.f.3.ip6.arpa
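Reverse names reverse the address components in front of the suffix: octets for in-addr.arpa, and every one of the 32 hex nibbles of the fully expanded address for ip6.arpa, which is why an IPv6 PTR name typed by hand is so easy to get wrong. The following Python functions are an added example, not part of the Guru Labs courseware: they build the reverse name for a single address and the reverse zone name for a prefix, and parse a reverse name back into the address it describes so a hand-written PTR owner can be checked before it goes into a zone file. The addresses used are documentation examples chosen here, not taken from the page.

```python
"""Build and check reverse-lookup names for IPv4 and IPv6 addresses.

Added example, not part of the Guru Labs courseware. The addresses used in
__main__ are documentation examples chosen for this illustration.
"""
import ipaddress


def reverse_name(address):
    """PTR owner name (with trailing dot) for an IPv4 or IPv6 address string."""
    addr = ipaddress.ip_address(address)
    if addr.version == 4:
        labels = str(addr).split(".")
        suffix = "in-addr.arpa."
    else:
        labels = list(addr.exploded.replace(":", ""))   # 32 nibbles, leading zeros kept
        suffix = "ip6.arpa."
    return ".".join(reversed(labels)) + "." + suffix


def reverse_zone(prefix):
    """Reverse zone name for a whole network, e.g. 10.100.0.0/24 -> 0.100.10.in-addr.arpa."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("in-addr.arpa zones are delegated on octet boundaries")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa."
    else:
        if net.prefixlen % 4:
            raise ValueError("ip6.arpa zones are delegated on nibble boundaries")
        labels = list(net.network_address.exploded.replace(":", ""))[: net.prefixlen // 4]
        suffix = "ip6.arpa."
    return ".".join(reversed(labels)) + "." + suffix


def address_from_reverse_name(name):
    """Parse a reverse name back into the address string it describes (a zone-file sanity check)."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError(f"expected 4 octets, got {len(octets)}")
        return str(ipaddress.ip_address(".".join(reversed(octets))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32:
            raise ValueError(f"expected 32 nibbles, got {len(nibbles)}")
        hexstr = "".join(reversed(nibbles))
        return str(ipaddress.ip_address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4))))
    raise ValueError("not a name under in-addr.arpa or ip6.arpa")


def is_valid_reverse_name(name):
    """True if the name converts back to an address, False otherwise."""
    try:
        address_from_reverse_name(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for address in ("10.100.0.1", "2001:db8::1"):
        name = reverse_name(address)
        print(f"{address:<14} {name}  ->  {address_from_reverse_name(name)}")
    print(reverse_zone("10.100.0.0/24"), reverse_zone("2001:db8::/32"))
```

The parser is the useful half: any PTR owner name that does not round-trip (wrong nibble count, a nibble out of place) will never be queried by a resolver, so checking zone files with it catches the silent kind of reverse-DNS breakage.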
[Figure: the in-addr.arpa subtree, root "" -> arpa -> in-addr -> one label per
address octet (0 to 255), holding the PTR record for the hostname
station53.example.com, shown alongside the .com branch.]
Basic BIND Administration

The rndc command can be used for more fine grained control of the
running named process. For example, service named reload will
reload all zones, but rndc reload zone_name will reload just the
specified zone. The following table shows examples of other
commands (a complete list is produced by running rndc without any
arguments):

Option         Description
reload zone    Reload a single zone.
stats          Write server statistics to the statistics file.
querylog       Toggle logging of every incoming query.
dumpdb         Dump the server's cache to the dump file.
stop           Stop the server, saving any pending dynamic updates first.
halt           Stop the server immediately without saving pending updates.
trace level    Set the debugging level.
notrace        Set the debugging level to 0.
flush          Flush the server's cache.
status         Display the status of the server.
Configuring the Resolver

Client Configuration

File: /etc/resolv.conf
search domain.tld
nameserver w.x.y.z

File: /etc/resolv.conf
nameserver 10.100.0.254
nameserver 82.165.40.134
nameserver 192.128.167.77

When given a fully qualified domain name, the resolver will send its query
to the name servers listed, in the order in which they are listed, and
query them for the IP address of that fully qualified domain name
until it gets a positive response or an authoritative negative response.

File: /etc/resolv.conf
search domain1.com domain2.com

This tells the resolver to first search for host.domain1.com and then
to search for host.domain2.com if host.domain1.com cannot be
found when asked to search for a bare hostname. Keep the search list
short and limited to domains you control: a bare name that does not exist
in domain1.com is looked up in domain2.com, so whoever administers a later
search domain can answer for it.
Testing Resolution

y ping, telnet
y host
y dig
y nslookup
y Querying a specific server
y Testing Configurations

$ ping foo.example.com
$ telnet foo.example.com

The following examples show queries with the host and dig
commands:

$ host www.gurulabs.com
www.gurulabs.com has address 67.137.148.8
$ host gurulabs.com
gurulabs.com has address 67.137.148.8
gurulabs.com mail is handled by 5 mail.gurulabs.com.

$ dig www.gurulabs.com
; <<>> DiG 9.7.0-P2 <<>> www.gurulabs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55825
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;www.gurulabs.com.              IN      A

;; ANSWER SECTION:
www.gurulabs.com.       3600    IN      A       64.245.157.8

;; AUTHORITY SECTION:
gurulabs.com.           172800  IN      NS      ns2.p02.dynect.net.
gurulabs.com.           172800  IN      NS      ns3.p02.dynect.net.
gurulabs.com.           172800  IN      NS      ns1.p02.dynect.net.
gurulabs.com.           172800  IN      NS      ns4.p02.dynect.net.
. . . snip . . .

Notice that the dig command outputs results in "zone file" format by
default.

Unless a nameserver is specified on the command line, they both will use the
nameserver lines in /etc/resolv.conf. Both of these forms query
the name server ns1.gurulabs.com about the host
www.gurulabs.com:

$ host www.gurulabs.com ns1.gurulabs.com
$ dig @ns1.gurulabs.com www.gurulabs.com

One important difference between dig and host is that host will
automatically use the search list specified in resolv.conf, and dig
will not (although both commands have options to control this
behavior).

$ nslookup
> www.kersplat.com
Server:         server1.example.com
Address:        10.100.0.254#53

Non-authoritative answer:
Name:   www.kersplat.com
Address: 205.178.145.166
> exit

$ nslookup www.kersplat.com
Server:         server1.example.com
Address:        10.100.0.254#53

Non-authoritative answer:
Name:   www.kersplat.com
Address: 205.178.145.166

This example shows the result of one of the more common errors
seen in BIND DNS zone files. The data portion of the CNAME record
for the zulu host is missing the terminating dot (period) and
subsequently has had the origin string appended causing the domain
portion (example.com) to be repeated:

# dig zulu.example.com
. . . snip . . .
;; QUESTION SECTION:
;zulu.example.com.              IN      A

;; ANSWER SECTION:
zulu.example.com.       86400   IN      CNAME   station1.example.com.example.com.

;; AUTHORITY SECTION:
example.com.            600     IN      SOA     . . . snip . . .
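The doubled domain in the dig output comes from one rule: a name in a record that does not end in a dot is relative, and BIND appends the current $ORIGIN to it. The following Python script is an added example, not part of the Guru Labs courseware: it applies that rule to CNAME, NS, MX and PTR targets in a zone file and flags targets whose qualified form repeats the origin, which is the symptom shown above. The zone text is constructed for the illustration (the serial, timers and the www record are made up), and the parser handles only single-line records with the SOA skipped, which is enough to lint the name-bearing records.

```python
"""Show how BIND qualifies names in a zone file and catch the missing-dot bug.

Added example, not part of the Guru Labs courseware. The zone text below is
constructed for the illustration; only single-line records are parsed.
"""

SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 86400
@          IN  SOA    server1.example.com. hostmaster.example.com. (
                      2012053101 3600 900 604800 600 )
@          IN  NS     server1.example.com.
server1    IN  A      10.100.0.254
station1   IN  A      10.100.0.1
zulu       IN  CNAME  station1.example.com     ; missing trailing dot
mail       IN  MX     10 mail.example.com.
www        IN  CNAME  station1                 ; relative name, qualified correctly
"""

NAME_RDATA_TYPES = {"CNAME", "NS", "PTR", "MX"}


def qualify(name, origin):
    """BIND's rule: '@' is the origin, a trailing dot is absolute, anything else is relative."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return [(owner, type, target_or_rdata), ...] for single-line records, tracking $ORIGIN."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line[0].isspace():        # blank line or SOA continuation line
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                           # $TTL and other directives
            continue
        fields = line.split()
        owner = qualify(fields.pop(0), origin)
        if fields and fields[0].isdigit():                 # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":           # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SOA":
            continue
        target = rdata[1] if rtype == "MX" else rdata[0]   # MX rdata is "preference target"
        if rtype in NAME_RDATA_TYPES:
            target = qualify(target, origin)
        records.append((owner, rtype, target))
    return records


def suspicious_targets(text):
    """Records whose target ends in a repeated suffix such as example.com.example.com."""
    flagged = []
    for owner, rtype, target in parse_zone(text):
        if rtype not in NAME_RDATA_TYPES:
            continue
        labels = target.rstrip(".").split(".")
        for n in range(1, len(labels) // 2 + 1):
            if labels[-n:] == labels[-2 * n:-n]:
                flagged.append((owner, rtype, target))
                break
    return flagged


if __name__ == "__main__":
    for owner, rtype, target in parse_zone(SAMPLE_ZONE):
        print(f"{owner:<22} {rtype:<6} {target}")
    print("suspicious:", suspicious_targets(SAMPLE_ZONE))
```

Run it over a zone before loading it with named-checkzone: the www record shows that a relative name is fine when the origin is what you want, and the zulu record shows the one case that always indicates a missing dot.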
Lab 2

Task 1: Configuring a Slave Name Server
Page: 2-17   Time: 30 minutes   Requirements: b (1 station) c (classroom server)
Lab 2
Task 1
Configuring a Slave Name Server
Estimated Time: 30 minutes
Requirements: b (1 station) c (classroom server)

Objectives
y Install the BIND name server and configure it to act as a slave for the
example.com and the 0.100.10.in-addr.arpa classroom domains.

Relevance
Slave name servers provide redundancy and load balancing for DNS record
resolution.

1) Become the root user:

$ su -l
Password: makeitso

2) Open a second terminal [X2] and follow the system log there with tail. Leave this
terminal window open (and running tail) for the duration of the lab task.

3) Configure the system to act as a slave server for the example.com domain by
adding the following to the end of the existing configuration file:

File: /etc/named.conf
+ zone "example.com" {
+     type slave;
+     file "slaves/example.com.zone";
+     masters { 10.100.0.254; };
+ };

A slave loads whatever the listed master sends it, and any host that is allowed
to transfer a zone receives a complete list of the names in it. Outside the
classroom, restrict allow-transfer on the master to the slaves' addresses
(preferably authenticating transfers with TSIG keys) and set
allow-transfer { none; } on the slave unless it must feed further slaves.

4) Validate the basic syntax and structure of your new configuration file using the
supplied BIND program:

# named-checkconf

If errors are reported, re-open the file and repair it as needed. You may get
notified of newly changed defaults, but should not see any error messages. An
example of a notification would be the following: the default for the

5) Start the named service:

[ OK ]

6) Verify that the needed files and directories are mounted into the chroot:

# ls -R /proc/$(pgrep named)/root/
. . . output omitted . . .

7) Examine the contents of the system log by looking at the running tail command
in terminal [X2]. There should be a line similar to:

This indicates that the transfer of the zone file from 10.100.0.254 (server1) was
successful.

8) Examine the contents of the zone database file that was created from the zone
transfer from the master server:

# less /var/named/slaves/example.com.zone
. . . output omitted . . .

9) Look up a classroom host:

# host station1
station1.example.com. has address 10.100.0.1

The lookup returned the correct answer, but which name server is providing
them?

10) Try another lookup using the verbose option to see (among other things) the
server that gave the answer:

# host -t A -v station1
Trying "station1.example.com."
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31519
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;station1.example.com.          IN      A

;; ANSWER SECTION:
station1.example.com.   86400   IN      A       10.100.0.1

;; AUTHORITY SECTION:
example.com.            86400   IN      NS      server1.example.com.

;; ADDITIONAL SECTION:
server1.example.com.    86400   IN      A       10.100.0.254

11) Use a text editor to modify the /etc/resolv.conf so that it defaults to using your
own server for name resolution:

File: /etc/resolv.conf
- nameserver 10.100.0.254
+ nameserver 127.0.0.1

Verify that only the correct entries are present. If not, modify the
/etc/resolv.conf file again.

12) If your station is currently configured to use DHCP, when the DHCP lease is
renewed, any changes made to /etc/resolv.conf will be lost. To prevent this,
disable DNS configuration updating from DHCP, then restart your network
interface:

13) Run the query again, this time specifying the slave name server running on your
local system for name resolution:

14) Verify that names in the example.com domain are now resolved by this system's
name server by default:

15) Try a reverse lookup of this station's IP address:

# host 10.100.0.1
Host 1.0.100.10.in-addr.arpa not found: 3(NXDOMAIN)

16) Configure the name server as a slave server for the appropriate reverse lookup
zone by adding these lines to the end of the named.conf configuration file:

File: /etc/named.conf
  zone "example.com" {
      type slave;
      file "slaves/example.com.zone";
      masters { 10.100.0.254; };
  };
+ zone "0.100.10.in-addr.arpa" {
+     type slave;
+     file "slaves/0.100.10.in-addr.arpa.zone";
+     masters { 10.100.0.254; };
+ };

17) Verify that the configuration file does not contain typographical errors by running it
through the BIND syntax checker:

# named-checkconf

If errors are reported then double check the configuration file and correct the
errors.

18) Restart the named daemon so that the new configuration takes effect:

[ OK ]
[ OK ]

19) Try the reverse lookup of this station's IP address again. This time it should
succeed:

# host 10.100.0.1
1.0.100.10.in-addr.arpa. domain name pointer station1.example.com.
Chapter 8
USING APACHE

Content
HTTP Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Apache Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Dynamic Shared Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Adding Modules to Apache . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Apache Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . 8
httpd.conf Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . 9
httpd.conf Main Configuration . . . . . . . . . . . . . . . . . . . . . 10
HTTP Virtual Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Virtual Hosting DNS Implications . . . . . . . . . . . . . . . . . . . . 12
httpd.conf VirtualHost Configuration . . . . . . . . . . . . . . . . 13
Port and IP based Virtual Hosts . . . . . . . . . . . . . . . . . . . . . . 14
Name-based Virtual Host . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Apache Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Log Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
The Webalizer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Lab Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1. Apache Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2. Apache Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3. Configuring Virtual Hosts . . . . . . . . . . . . . . . . . . . . . . . . . 25
HTTP Operation
HTTP v1.1
Client Request
Server Response

HTTP is the protocol that powers the World Wide Web. It is a simple,
stateless file transfer protocol consisting of a client-side request and
a server-side response. Both the request and the response are
structured in three parts: a request method/response code, a header
section followed by a blank line, and a body section.

Client Request
GET / HTTP/1.1
Host: www.linuxtraining.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686)
Accept: text/xml, image/png, image/jpeg, image/gif
Accept-Language: en-us, en;
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive

Server Response
HTTP/1.1 200 OK
Date: Fri, 12 Jan 2007 01:24:27 GMT
Server: Apache
Set-Cookie: Apache=66.62.77.11.279431042161867442;

You can view the server headers using the HTTP HEAD request
method. You can connect to web servers and manually issue GET
requests using telnet . . .

$ telnet www.google.com 80
Trying 216.239.53.100...
Connected to www.google.com (216.239.53.100).
Escape character is ^].
GET / HTTP/1.1
. . . snip . . .

$ netstat -tp
tcp 0 0 entmoot:32931 www.google.com:80 ESTABLISHED

You can also use the w3m text-mode web browser which allows you
to do HEAD requests using the -dump_head option:
. . . output omitted . . .

Finally, the Lynx text-mode web browser allows for HEAD requests
using the -head option:
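The three-part structure described above (start line, header section terminated by a blank line, body) is easy to see by parsing a message by hand. The following is an added example written for this edit, not code from the Guru Labs manual; the sample request and response are constructed after the ones shown above (the response body and its Content-Length are invented), and it also checks the rule that an HTTP/1.1 request must carry exactly one Host header, which is what name-based virtual hosting later in this chapter depends on.

```python
"""Split raw HTTP/1.1 messages into the three parts the text describes:
a start line (request line or status line), a header section ending in a
blank line, and a body."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample messages, modelled on the request and response shown
# in the text (the body and Content-Length are invented for the example).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.linuxtraining.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; U; Linux i686)\r\n"
    "Accept: text/xml, image/png, image/jpeg, image/gif\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 12 Jan 2007 01:24:27 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Length: 13\r\n"
    "\r\n"
    "Hello, World!"
)


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, List[str]]  # lower-cased field name -> values, in wire order
    body: bytes


def parse_message(raw: str) -> HttpMessage:
    """Parse one message. The blank line is mandatory: without it the header
    section has not ended and the message is incomplete."""
    head, blank, body = raw.partition("\r\n\r\n")
    if not blank:
        raise ValueError("incomplete message: no blank line after the headers")
    lines = head.split("\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        # Field names are case-insensitive; repeated fields keep every value.
        headers.setdefault(name.lower(), []).append(value.strip())
    return HttpMessage(start_line, headers, body.encode("latin-1"))


def parse_request_line(start_line: str) -> Tuple[str, str, str]:
    """'GET / HTTP/1.1' -> ('GET', '/', 'HTTP/1.1')."""
    parts = start_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % start_line)
    return parts[0], parts[1], parts[2]


def parse_status_line(start_line: str) -> Tuple[str, int, str]:
    """'HTTP/1.1 200 OK' -> ('HTTP/1.1', 200, 'OK')."""
    version, _, rest = start_line.partition(" ")
    code, _, reason = rest.partition(" ")
    if not version.startswith("HTTP/") or not code.isdigit() or len(code) != 3:
        raise ValueError("malformed status line: %r" % start_line)
    return version, int(code), reason


def request_host(msg: HttpMessage) -> str:
    """Return the Host header an HTTP/1.1 request must carry (it is what a
    name-based virtual host is selected on). A missing or duplicated Host
    header is rejected rather than guessed at."""
    version = parse_request_line(msg.start_line)[2]
    hosts = msg.headers.get("host", [])
    if version == "HTTP/1.1" and len(hosts) != 1:
        raise ValueError("HTTP/1.1 request needs exactly one Host header")
    return hosts[0] if hosts else ""


def body_matches_length(msg: HttpMessage) -> bool:
    """Check the body against Content-Length when that header is present."""
    declared = msg.headers.get("content-length")
    return declared is None or int(declared[0]) == len(msg.body)


if __name__ == "__main__":
    req = parse_message(SAMPLE_REQUEST)
    print(parse_request_line(req.start_line), request_host(req))
    resp = parse_message(SAMPLE_RESPONSE)
    print(parse_status_line(resp.start_line), resp.body, body_matches_length(resp))
```

The parser treats a message without the terminating blank line as incomplete instead of guessing where the headers end, and keeps every value of a repeated header so that the Host check can refuse ambiguous requests rather than silently picking one.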
Apache Architecture
Apache History
General Architecture
Efficiency: Multi-process/Multi-thread
Apache Availability
Non-threadsafe Modules
Third-party modules
http://modules.apache.org/
http://httpd.apache.org/docs/2.2/mod/

In 1995, most people running web servers were using NCSA's httpd
1.3 software which NCSA had stopped actively maintaining. A group
of web server administrators led by Brian Behlendorf began collecting
all the various patches they were individually using to make NCSA's
httpd more usable, and A PAtCHy sErver was born. Shortly thereafter
the Apache Group re-wrote Apache from the ground up. Less than a
year after it was created Apache had become the most commonly
used web server and has continued to pull ahead of other
competitors. Apache owns more than 60% market share on the
Internet, according to the NetCraft survey, which can be found online
at http://www.netcraft.com/archives/web_server_survey.html.

The Apache web server can be downloaded freely from the Apache
Software Foundation (ASF) at http://www.apache.org/.
Comprehensive documentation is also available at the site.

If you use the threaded worker MPM, you must make sure that all of
the modules that you load into Apache are also threadsafe (meaning
the module's source code has been synchronized to work with
multiple threads). Otherwise a condition called "deadlock" can occur
in which a thread enters a mode to wait for a signal that the program
has no mechanism to send and the program hangs.

File: /etc/sysconfig/httpd
- #HTTPD=/usr/sbin/httpd.worker
+ HTTPD=/usr/sbin/httpd.worker
Dynamic Shared Objects
http://modules.apache.org/

core: Core Apache HTTP Server features that are always available
(must be compiled in).
mpm_common: A collection of directives that are implemented by
more than one multi-processing module (MPM).
perchild: MPM allowing daemon processes serving requests to be
assigned a variety of different UIDs.
prefork: Implements a non-threaded, pre-forking web server. This
is how Apache 1.3 works.
threadpool: Yet another experimental variant of the standard
worker MPM.
mpm_winnt: MPM optimized for WinNT (NT/2000/XP/2003).
worker: MPM implementing a hybrid multi-threaded, multi-process
web server.
Adding Modules to Apache
conf.d/mod_modulename.conf

The APache eXtenSion utility can build the module and install the
shared object file into the Apache library directory. The -a option
causes the command to insert the required LoadModule directive into
the httpd.conf file. If the -A option is used, the command will insert
the directive commented out. An example of using this utility is:

# apxs -i -a -c mod_modulename.c
. . . output omitted . . .

$ httpd -l
. . . output omitted . . .

• php, mod_perl
• mod_ssl, mod_python
• mod_auth_mysql, mod_auth_pgsql, mod_auth_kerb
• mod_dav_svn, mod_authz_ldap
Apache Configuration Files

The main configuration file for Apache is httpd.conf. This file allows
for configuring global options, options that affect the main server,
and virtual hosting options. Options include the port to have the
server listen on, the server's document root directory location, or the
MPM configuration.
httpd.conf Server Settings
httpd.conf Section 1

The global environment for the Apache configuration has options that
affect the server itself. Directives such as MinSpareServers and
KeepAliveTimeOut tune the server's operation, and directives such as
ServerName, Listen, and LoadModule configure the server's
environment. Module specific configuration files are loaded with the
line:

Include conf.d/*.conf

ServerName: The name and port that the server uses to identify
itself. Example: www.example.com:80
ServerRoot: The absolute path specifying the directory structure
under which the Apache configuration and log files are kept. On
Red Hat, this is usually set to /etc/httpd/.
StartServers: Accepts a numeric argument specifying how many
servers to initially start.
MinSpareServers/MaxSpareServers: These directives take
numerical arguments regulating the size of the idle Apache server
pool. At all times, at least MinSpareServers will be held in
reserve, and no more than MaxSpareServers will be running idle.
MaxClients: Specifies the maximum number of simultaneous
client connections that Apache will handle. Others who connect
when the server is "full" will get a 503 (Service Unavailable) "error"
message instead.
ServerLimit: Specifies the maximum number of Apache
processes which may run. This setting will prevent the
MinSpareServers directive from causing Apache to launch more
spares.
LoadModule: Used to load modules into the server and activate
them.
Listen: Specifies the port(s) to which Apache should bind. By
default, this is 80 for HTTP and 443 for HTTPS.
User/Group: Specify the user and group (either by name or ID) the
Apache process should run as. For security reasons, it's a good
idea to create a special user and group for this.
httpd.conf Main Configuration
Shared Directives
HTTP Virtual Servers
Virtual Servers

The older HTTP 1.0 protocol does not provide the Host: header and
is therefore limited to IP-based solutions for virtual hosting. On the
other hand, the HTTP 1.1 protocol introduces, and requires, the Host:
header, providing a way for the client application to specify the fully
qualified domain name of the server to which it is connecting. This
allows multiple virtual servers to all listen on the same IP and port
and route requests to the appropriate virtual server by name only.

File: httpd.conf

http://httpd.apache.org/docs-2.2/vhosts/mass.html.
Virtual Hosting DNS Implications

Although virtual hosts can share a single server, each virtual host still
requires its own DNS record. For IP-based hosting, each DNS record
must point to one or more unique IP addresses. To conserve IP
addresses, HTTP version 1.1 added the Host: header, which made
name-based virtual hosting possible. Although virtual hosts may share
a single IP when using name-based virtual hosting, clients are
required to include the server's fully qualified domain name in the
Host: header. This makes it possible to distinguish the intended
virtual host for each request.

ifcfg-eth0
ifcfg-eth0:1
ifcfg-eth0:2
ifcfg-eth0:3
httpd.conf VirtualHost Configuration
VirtualHost Directives

NameVirtualHost *:80
<VirtualHost *:80>
ServerAdmin sinuhe@linuxtraining.com
DocumentRoot "/srv/lt"
ServerName www.linuxtraining.com
ServerAlias linuxtraining.com
</VirtualHost>
Port and IP based Virtual Hosts
Port-based
Multiple Sites Single Host
Single IP Address and Host Name
No Additional DNS Entries
Client Specifies Port in URL
Listen and NameVirtualHost Directives
IP-based
Multiple IP Addresses Single Host
Multiple Network Interfaces
Network Interface Aliases
One-to-One Domain to IP Address
VirtualHost Directive for Each Virtual Host

The best practice is to use IP-based virtual hosting from port 80. You
can host multiple domains from the same server by binding the IP
addresses of the domains to the network interface of the single host.
These IP addresses must then exist in the DNS for the domains they
serve.

File: httpd.conf
<VirtualHost 192.0.2.166>
ServerName www.foo.com
DocumentRoot /srv/www/virtual/foo.com/docroot
</VirtualHost>
<VirtualHost 209.140.64.2>
ServerName www.bar.com
DocumentRoot /srv/www/virtual/bar.com/docroot
</VirtualHost>

File: httpd.conf
Listen 80
Listen 3080
<VirtualHost 192.0.34.166:3080>
ServerName www.foo.com
DocumentRoot /srv/www/virtual/foo.com-port3080/docroot
. . . snip . . .
</VirtualHost>
<VirtualHost 192.0.34.166:80>
ServerName www.foo.com
DocumentRoot /srv/www/virtual/foo.com-port80/docroot
. . . snip . . .
</VirtualHost>
Name-based Virtual Host

With the HTTP 1.1 specification's Host: header, you can now specify
virtual hosting based on the fully-qualified domain name of the host.
The benefit is that you can now host multiple virtual domains from a
single host bound to a single IP address.

Each virtual host has a DNS entry pointing to the same IP address.
This IP address must be specified in the NameVirtualHost directive in
the Apache httpd.conf configuration file. Alternatively, you can
specify all inbound IP addresses by using the wildcard character, *,
with the NameVirtualHost directive.

File: httpd.conf
NameVirtualHost *:80
<VirtualHost *:80>
ServerName www.foo.com
DocumentRoot /srv/www/virtual/foo.com/docroot
. . . snip . . .
</VirtualHost>
<VirtualHost *:80>
ServerName www.bar.com
DocumentRoot /srv/www/virtual/bar.com/docroot
. . . snip . . .
</VirtualHost>
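Because every <VirtualHost *:80> block above shares one address and port, the Host header is the only thing that picks the site, and Apache falls back to the first VirtualHost listed for that address:port when no ServerName or ServerAlias matches. The following is an added example written for this edit, not code from the Guru Labs manual or from Apache itself; it models that selection in Python (ServerAlias wildcard matching, case-insensitive comparison, port stripping, first-listed fallback). The configuration it uses is constructed: the www.foo.com and www.bar.com hosts from the text plus an assumed catch-all vhost named default.invalid placed first.

```python
"""Select the name-based virtual host for a request the way the text
describes: every <VirtualHost *:80> shares one address and port, so the
Host header is the only thing that tells them apart."""
from fnmatch import fnmatchcase
from typing import List, Optional


class VirtualHost:
    """One <VirtualHost> block: ServerName plus any ServerAlias values
    (Apache allows * and ? wildcards in ServerAlias)."""

    def __init__(self, server_name: str, *aliases: str, document_root: str = "") -> None:
        self.server_name = server_name.lower()
        self.aliases = [a.lower() for a in aliases]
        self.document_root = document_root

    def matches(self, host: str) -> bool:
        return host == self.server_name or any(fnmatchcase(host, a) for a in self.aliases)


def normalize_host(host_header: Optional[str]) -> str:
    """Strip the optional :port, drop a trailing dot, and lower-case the name,
    so 'WWW.FOO.COM:80' and 'www.foo.com' select the same virtual host."""
    if not host_header:
        return ""
    host = host_header.strip().lower().rstrip(".")
    if host.startswith("["):  # IPv6 literal, e.g. [::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def select_vhost(vhosts: List[VirtualHost], host_header: Optional[str]) -> VirtualHost:
    """Return the matching vhost, or the first one listed when nothing matches.
    That fallback is how Apache behaves for an address:port, which is why the
    first <VirtualHost> should be a deliberate default rather than a real site:
    requests with an unknown, missing or IP-literal Host header land there."""
    host = normalize_host(host_header)
    for vhost in vhosts:
        if vhost.matches(host):
            return vhost
    return vhosts[0]


# Constructed configuration, assumed for the example: a catch-all vhost listed
# first, followed by the two sites from the text.
VHOSTS = [
    VirtualHost("default.invalid", document_root="/srv/www/default"),
    VirtualHost("www.foo.com", "foo.com", "*.foo.com",
                document_root="/srv/www/virtual/foo.com/docroot"),
    VirtualHost("www.bar.com", "bar.com",
                document_root="/srv/www/virtual/bar.com/docroot"),
]


def docroot_for(host_header: Optional[str]) -> str:
    """DocumentRoot that will serve a request carrying this Host header."""
    return select_vhost(VHOSTS, host_header).document_root


if __name__ == "__main__":
    for hdr in ("www.foo.com", "WWW.BAR.COM:80", "static.foo.com", "203.0.113.5", None):
        print("%-20r -> %s" % (hdr, docroot_for(hdr)))
```

Running it shows the two real sites being selected by name, the wildcard alias catching static.foo.com, and both the bare IP address and the missing Host header landing on the catch-all rather than on whichever customer site happened to be listed first.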
Apache Logging
Log formats
Common Log Format
Combined logs
Log customization
LogFormat
CustomLog
Apache Logging
access_log
ErrorLog
error_log
SELinux Context: httpd_log_t
Custom LogFormat
http://httpd.apache.org/docs-2.2/mod/mod_log_config.html#formats

Traditionally web servers have used Common Log Format (CLF), and
depending on what you plan on doing with your Apache logs, you
may need to use CLF, for example if you plan on using a log analysis
package which only supports CLF. CLF logs the requesting host
("host"), the username of the client as reported by identd ("ident"), the
user ID used if the request was for a password-protected document
("authuser"), the date and time of the request ("date"), the response
returned to the client ("status"), and the number of bytes returned to
the client ("bytes").

Log Customization
Another standard log format is the "combined" log which extends the
CLF by adding the previous URL the client was at ("referer") and what
software the client is using ("user agent").
Log Analysis

Multiple utilities exist that can process raw logs and produce more
meaningful data. These tools provide services like access summaries,
graphing, charts, etc. on a daily, weekly, or monthly basis. The
reports are often rendered in HTML making them immediately
accessible.

Browsing through your Apache log files can give you isolated
information about pages accessed, kbytes downloaded, etc., but to
be useful you need summaries of the information into reports. This
analysis can give you information about parts of the site that are not
being visited or let you know when your system needs to be
upgraded.

Analog is the oldest log analysis tool. The reports it produces have a
dated look and lack the detail of newer tools.

Keep in mind that the web logs may need periodic rotating. Every
10,000 hits will use approximately one megabyte of drive space, so
as your server becomes popular, the web logs could overload your
storage unless they are periodically trimmed. Apache ships with the
rotatelogs program which can be used to automatically rotate log
files by doing logging through a pipe. This example will rotate the
access log every 24 hours (that's every 86,400 seconds).
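The CLF and combined fields listed under Apache Logging, and the summaries the Log Analysis text says tools produce from them, can be demonstrated with a small parser. The following is an added example written for this edit, not code from the Guru Labs manual or from any of the tools it names; the five log lines are constructed (invented hosts, paths and timestamps), four in combined format and one in plain CLF so both layouts are handled, and the summary counts hits per host and per hour, bytes sent, status codes, referrers, and keeps the 4xx/5xx hits for a second look.

```python
"""Parse Common Log Format and combined-format access log lines and build
the kind of summary the text says analysis tools produce."""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Iterable, List, Optional

# Constructed sample lines: four in combined format, one (the /usage/ hit) in
# plain CLF, so both layouts are exercised. Hosts and paths are invented.
SAMPLE_LOG = """\
127.0.0.1 - - [10/Oct/2012:13:55:36 -0600] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.100.0.20 - - [10/Oct/2012:13:55:40 -0600] "GET /docs/ HTTP/1.1" 200 1024 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
10.100.0.20 - alice [10/Oct/2012:13:56:02 -0600] "GET /private/ HTTP/1.1" 403 - "http://www.example.com/" "curl/7.19.7"
10.100.0.21 - - [10/Oct/2012:13:57:15 -0600] "GET /usage/ HTTP/1.0" 404 287
10.100.0.20 - - [10/Oct/2012:14:01:08 -0600] "POST /cgi-bin/form HTTP/1.1" 500 512 "http://www.example.com/docs/" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# host ident authuser [date] "request" status bytes, then optionally
# "referer" "user-agent" for the combined format. Apache escapes embedded
# quotes as \", which the (?:[^"\\]|\\.)* groups accept.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<authuser>\S+) \[(?P<date>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?\s*$'
)


@dataclass
class Hit:
    host: str
    authuser: Optional[str]
    time: datetime
    request: str
    status: int
    size: int                   # bytes sent; "-" (no body) counts as 0
    referer: Optional[str]
    agent: Optional[str]


def parse_line(line: str) -> Optional[Hit]:
    """Return a Hit, or None for a line in neither format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return Hit(
        host=d["host"],
        authuser=None if d["authuser"] == "-" else d["authuser"],
        time=datetime.strptime(d["date"], "%d/%b/%Y:%H:%M:%S %z"),
        request=d["request"],
        status=int(d["status"]),
        size=0 if d["size"] == "-" else int(d["size"]),
        referer=None if d["referer"] in (None, "-") else d["referer"],
        agent=d["agent"],
    )


@dataclass
class Summary:
    hits: int = 0
    unparsed: int = 0
    bytes_total: int = 0
    hits_by_host: Counter = field(default_factory=Counter)
    hits_by_hour: Counter = field(default_factory=Counter)
    status_counts: Counter = field(default_factory=Counter)
    referrers: Counter = field(default_factory=Counter)
    error_hits: List[Hit] = field(default_factory=list)   # 4xx and 5xx responses


def summarize(lines: Iterable[str]) -> Summary:
    s = Summary()
    for line in lines:
        if not line.strip():
            continue
        hit = parse_line(line)
        if hit is None:          # count rather than drop silently
            s.unparsed += 1
            continue
        s.hits += 1
        s.bytes_total += hit.size
        s.hits_by_host[hit.host] += 1
        s.hits_by_hour[hit.time.strftime("%Y-%m-%d %H")] += 1
        s.status_counts[hit.status] += 1
        if hit.referer:
            s.referrers[hit.referer] += 1
        if hit.status >= 400:
            s.error_hits.append(hit)
    return s


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    print("hits:", summary.hits, "bytes:", summary.bytes_total, "unparsed:", summary.unparsed)
    print("by hour:", dict(summary.hits_by_hour))
    print("top referrers:", summary.referrers.most_common(3))
    for h in summary.error_hits:
        print("error:", h.host, h.status, h.request)
```

The same summarize() works on a real access_log by passing an open file object instead of SAMPLE_LOG.splitlines(); lines that match neither format are counted in unparsed so a format change (or a line that was cut by rotation) is noticed rather than lost.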
The Webalizer

Webalizer can process your web server logs and create graphs and
statistics such as:
Number of hits per hour, day, month, etc.
Entry and exit pages
Top referrers
Bandwidth usage by hour, day, month, etc.
By default, the report is available at http://server/usage/
Lab 8

1. Apache Architecture
Page: 8-20
Time: 15 minutes
Requirements: b (1 station) c (classroom server)

2. Apache Content
Page: 8-23
Time: 15 minutes
Requirements: b (1 station)

3. Configuring Virtual Hosts
Page: 8-25
Time: 45 minutes
Requirements: b (1 station) d (graphical environment)
Lab 8
Task 1
Apache Architecture
Requirements
b (1 station) c (classroom server)

Objectives
• Explore the Apache Configuration
• Determine which Apache modules are configured to load

Relevance
Apache has many components and can be installed onto a system in a
wide variety of ways by a Linux distributor. Knowing how Apache is
installed on the system will enable you to quickly administer it.

# ls -l /etc/httpd
total 28
drwxr-xr-x 2 root root 4096 Aug 18 15:19 conf
drwxr-xr-x 2 root root 4096 Aug 18 17:41 conf.d
lrwxrwxrwx 1 root root 19 Aug 18 14:50 logs -> ../../var/log/httpd
lrwxrwxrwx 1 root root 27 Aug 18 14:50 modules -> ../../usr/lib/httpd/modules
lrwxrwxrwx 1 root root 13 Aug 18 14:50 run -> ../../var/run

# cd /etc/httpd/conf
# less httpd.conf

Examine the main configuration file stripping out all comments to see just the
actual configuration directives:

List which Apache modules are available from the repositories configured on your
system (most Apache module RPMs, including 3rd party modules, follow the
naming convention mod_module_name):

# cd /etc/httpd/conf.d/
# ls -l
. . . output omitted . . .
# cat manual.conf
# cat README

The Apache web server comes with many modules for specific features and
functionality. Most modules are loaded by default. For example, the mod_proxy
module enables Apache to function as a caching proxy server. Determine which
Apache modules are enabled:

[ OK ]
Lab 8
Task 2
Apache Content
Requirements
b (1 station)

Objectives
• Create an index.html file

Relevance
Being able to create minimal content for Apache is a basic task for System
Administrators. By doing so, an administrator can confirm that Apache is
serving up the correct files.

Determine what file(s) Apache looks for by seeing what parameter the
DirectoryIndex directive has by default:

The files are listed in order of preference from left to
right. The index.html.var can be used for auto
language negotiation between Apache and the web
browser.

# ls -al /var/www/html/
total 4
drwxr-xr-x 2 root root 4096 Jul 15 2009 .
drwxr-xr-x 9 root root 4096 Aug 18 14:50 ..

# cat /etc/httpd/conf.d/welcome.conf
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /error/noindex.html
</LocationMatch>

Create the new /var/www/html/index.html file with content that identifies your
workstation:

File: /var/www/html/index.html
+ <!DOCTYPE html>
+ <html lang="en-US">
+ <head>
+ <meta charset="UTF-8">
+ <title>Your Names Web Server</title>
+ </head>
+ <body>
+ <h1>StationX</h1>
+ <p>Hello, World!</p>
+ </body>
+ </html>
Lab 8
Task 3
Configuring Virtual Hosts
Estimated Time: 45 minutes
Requirements
b (1 station) d (graphical environment)

Objectives
• Configure Apache Virtual Hosts
• Use the "Main" server for global settings
• Create virtual servers for www.superthingy.org and
www.random-nonsense.com

Relevance
Using virtual hosts is a method that webservers use to host more than one
domain on the same server. Making use of virtual hosts will allow an
administrator to save resources by combining multiple domains onto a
single server, thus reducing the extra overhead of maintaining a single
server for each site being served.

$ su -l
Password: makeitso

Before you can bring up any virtual hosts, name resolution must be functioning
properly. In order to avoid configuring BIND with a new zone for your virtual hosts,
configure the /etc/hosts file for name resolution. Add your virtual hosts to the
127.0.0.1 line as follows:

File: /etc/hosts
- 127.0.0.1 localhost.localdomain localhost
+ 127.0.0.1 localhost.localdomain localhost www.superthingy.org www.random-nonsense.com

# mkdir -p /srv/www/{html,superthingy,random-nonsense}
# restorecon -R /srv/www

Configure Apache to handle requests for your virtual hosts by creating a virtual
host configuration file snippet that will be automatically included into the Apache
configuration and adding a NameVirtualHost directive as the first line in the file:

File: /etc/httpd/conf.d/vhosts-127.0.0.1.conf
+ NameVirtualHost 127.0.0.1:80

File: /etc/httpd/conf.d/vhosts-127.0.0.1.conf
NameVirtualHost 127.0.0.1:80
+ <VirtualHost 127.0.0.1:80>
+ ServerName www.superthingy.org
+ ServerAdmin webmaster@superthingy.org
+ DocumentRoot /srv/www/superthingy
+ ErrorLog logs/superthingy-error_log
+ TransferLog logs/superthingy-access_log
+ <Directory /srv/www/superthingy>
+ Options Indexes FollowSymLinks ExecCGI Includes
+ </Directory>
+ </VirtualHost>
+ <VirtualHost 127.0.0.1:80>
+ ServerName www.random-nonsense.com
+ ServerAdmin webmaster@random-nonsense.com
+ DocumentRoot /srv/www/random-nonsense
+ ErrorLog logs/random-nonsense-error_log
+ TransferLog logs/random-nonsense-access_log
+ <Directory /srv/www/random-nonsense>
+ Options Indexes FollowSymLinks ExecCGI Includes
+ </Directory>
+ </VirtualHost>

Open a second terminal window, switch to a root login shell, and monitor the
Apache error log:

$ su -l
Password: makeitso
# tail -f /var/log/httpd/error_log

Run a syntax check on the changes you have made to the Apache configuration:

# apachectl configtest
Syntax OK

[ OK ]
[ OK ]

Use a web browser to connect to the http://localhost URL. Did you get the
expected results? Can you explain what happened?

Configure your localhost to be its own virtual web server by setting up another
name-based virtual host by appending the following to the configuration file
previously created:

File: /etc/httpd/conf.d/vhosts-127.0.0.1.conf
+ <VirtualHost 127.0.0.1:80>
+ ServerName localhost
+ ServerAlias localhost.localdomain
+ ServerAdmin webmaster@localhost.localdomain
+ DocumentRoot /var/www/html
+ ErrorLog logs/localhost-error_log
+ TransferLog logs/localhost-access_log
+ <Directory /var/www/html>
+ Options Indexes FollowSymLinks ExecCGI Includes
+ </Directory>
+ </VirtualHost>

Run a syntax check on the changes you have made to the Apache configuration:

# apachectl configtest
Syntax OK

[ OK ]
[ OK ]

Use a web browser to connect to the http://localhost URL. You should now
see the index.html of your main server document root, or the test page.

Cleanup

# cd /etc/httpd/conf.d
# mv vhosts-127.0.0.1.conf vhosts-127.0.0.1.conf.disabled
# service httpd restart
. . . output omitted . . .

Exit from the tail command, and exit from the second terminal.

Administrative privileges are no longer required; exit the root shell to return to an
unprivileged account:

# exit