UNIT II Configuring additional hardware. Everyday tasks using Linux. X Window System configuration. Setting up email servers. Setting up file services using Samba. NFS file services. Setting up proxy services. Setting up printer services.
Configuring additional hardware: sound cards, displays and display cards, network cards, modems, USB drivers, CD writers.
USB DRIVERS What is USB? USB = Universal Serial Bus. The universal serial bus (USB) is a connection between a host computer and a number of peripheral devices. It was originally created to replace a wide range of slow and different buses: the parallel, serial, and keyboard connections.
Cont… The latest revision of the USB specification added high-speed connections with a theoretical speed limit of 480 Mbps. USB Device Basics: A USB device is a very complex thing, as described in the official USB documentation. Fortunately, the Linux kernel provides a subsystem called the USB core to handle most of the complexity.
Cont.. Endpoints: The most basic form of USB communication is through something called an endpoint. A USB endpoint can carry data in only one direction: either from the host computer to the device (an OUT endpoint) or from the device to the host computer (an IN endpoint).
USB driver overview
USB device overview A USB endpoint can be one of four different types that describe how the data is transmitted:
Types of endpoint transmission: control, interrupt, bulk, isochronous.
Control: Control endpoints are used to allow access to different parts of the USB device. They are commonly used for configuring the device, retrieving information about the device, sending commands to the device, or retrieving status reports about the device. These endpoints are usually small in size. Every USB device has a control endpoint called “endpoint 0”.
Cont.. Interrupt endpoints: Interrupt endpoints transfer small amounts of data at a fixed rate every time the USB host asks the device for data. Bulk endpoints: Bulk endpoints transfer large amounts of data.
Cont… Isochronous endpoints: Isochronous endpoints also transfer large amounts of data, but the data is not always guaranteed to make it through.
USB Logical Unit Devices usually have one or more configurations. Configurations often have one or more interfaces. Interfaces usually have one or more settings. Interfaces have zero or more endpoints.
USB and Sysfs:
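The hierarchy just described (device, configuration, interface, endpoint) is what the kernel exposes under /sys/bus/usb/devices. The script below is an added example, not code from the lecture deck: it decodes the two endpoint-descriptor fields that determine direction and transfer type (bit 7 of bEndpointAddress and bits 0-1 of bmAttributes, as defined by the USB specification, which goes a little beyond the slides) and walks the sysfs tree. The sysfs attribute names are the kernel's own; the function names and the sample tree built by make_sample_tree are this example's assumptions.

```sh
#!/bin/sh
# Added example, not from the lecture deck: decode the endpoint-descriptor
# fields that fix an endpoint's direction and transfer type, and walk the
# device -> configuration -> interface -> endpoint hierarchy the way the Linux
# kernel exposes it under /sys/bus/usb/devices.

# classify_endpoint ADDR ATTRS
#   ADDR  = bEndpointAddress (hex): bit 7 is the direction (1 = IN, device to
#           host; 0 = OUT, host to device), bits 0-3 are the endpoint number.
#   ATTRS = bmAttributes (hex): bits 0-1 are the transfer type.
# Prints "<number> <direction> <type>", e.g. "1 IN bulk". Endpoint 0 shows
# up as 00 (OUT half) and 80 (IN half); both halves are the control endpoint.
classify_endpoint() {
    local addr attrs num dir type
    addr=$(( $1 )); attrs=$(( $2 ))
    num=$(( addr & 0x0f ))
    if [ $(( addr & 0x80 )) -ne 0 ]; then dir=IN; else dir=OUT; fi
    case $(( attrs & 0x03 )) in
        0) type=control ;;
        1) type=isochronous ;;
        2) type=bulk ;;
        3) type=interrupt ;;
    esac
    printf '%s %s %s\n' "$num" "$dir" "$type"
}

# usb_tree [SYSFS_ROOT]
#   Prints every device with its configuration count and active configuration,
#   then each interface (number, alternate setting, endpoint count) and each
#   endpoint under it. Defaults to the live sysfs tree.
usb_tree() {
    local root dev intf ep
    root=${1:-/sys/bus/usb/devices}
    for dev in "$root"/*; do
        [ -f "$dev/idVendor" ] || continue      # interface entries have no idVendor
        printf 'device %s %s:%s configurations=%s active=%s\n' \
            "$(basename "$dev")" "$(cat "$dev/idVendor")" "$(cat "$dev/idProduct")" \
            "$(cat "$dev/bNumConfigurations")" "$(cat "$dev/bConfigurationValue")"
        for intf in "$dev"/*:*; do               # e.g. 1-1:1.0 = config 1, interface 0
            [ -f "$intf/bInterfaceNumber" ] || continue
            printf '  interface %s alt=%s endpoints=%s\n' \
                "$(cat "$intf/bInterfaceNumber")" "$(cat "$intf/bAlternateSetting")" \
                "$(cat "$intf/bNumEndpoints")"
            for ep in "$intf"/ep_*; do
                [ -f "$ep/bEndpointAddress" ] || continue
                printf '    endpoint %s\n' \
                    "$(classify_endpoint "0x$(cat "$ep/bEndpointAddress")" \
                                         "0x$(cat "$ep/bmAttributes")")"
            done
        done
    done
}

# make_sample_tree
#   Builds a constructed sysfs-like tree (one device, one configuration, one
#   interface with a bulk IN and an interrupt OUT endpoint) in a temporary
#   directory so usb_tree can run without hardware. Prints the root path.
make_sample_tree() {
    local root dev intf
    root=$(mktemp -d)
    dev="$root/1-1"; intf="$dev/1-1:1.0"
    mkdir -p "$intf/ep_81" "$intf/ep_02"
    echo 1234 > "$dev/idVendor";              echo 5678 > "$dev/idProduct"
    echo 1 > "$dev/bNumConfigurations";       echo 1 > "$dev/bConfigurationValue"
    echo 00 > "$intf/bInterfaceNumber";       echo 0 > "$intf/bAlternateSetting"
    echo 02 > "$intf/bNumEndpoints"
    echo 81 > "$intf/ep_81/bEndpointAddress"; echo 02 > "$intf/ep_81/bmAttributes"
    echo 02 > "$intf/ep_02/bEndpointAddress"; echo 03 > "$intf/ep_02/bmAttributes"
    echo "$root"
}

usb_tree "$(make_sample_tree)"
```

Run `usb_tree` with no argument on a real machine to see the live hierarchy; the sample tree exists only so the script produces output offline.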
Lifecycle of USB URBs
1. Created by a USB device driver.
2. Assigned to a specific endpoint of a specific USB device.
3. Submitted to the USB core by the USB device driver.
4. Submitted by the USB core to the specific USB host controller driver for the specified device.
5. Processed by the USB host controller driver, which makes a USB transfer to the device.
6. When the URB is completed, the USB host controller driver notifies the USB device driver.
X Window System
X Window System X-Window Introduction: The 5 Elements of the X Window System: 1. X-Server 2. X-Clients 3. X-Protocol 4. X-library 5. X-toolkit
Cont… The architecture of X-Window: client/server. The characteristic of X-Window: multi-platform. Toolkit of X-Server configuration. Config file for X-Server.
X Window System What is the X Window System? The X Window System, commonly called "X," is a graphical windowing interface that comes with all popular Linux distributions. X is available for many Unix-based operating systems; the version of X that runs on Linux systems with x86-based CPUs is called "XFree86".
Information on installing X. Running X: What X looks like, and how to run it. X Clients: Running programs in X. Window Operations: How to manipulate a window.
Cont… Desktop: Moving around the desktop. Xterm: Running a shell in X. Configuring X: Making X run the way you want it to.
Setting up email servers.
Email Email has many aspects that work together to give people almost instant communication from any computer on the internet to any other computer. There are three main parts that we will look at: sending email on a server, receiving email on a server and receiving email as a client. The simplest is to receive email as a client: you merely put in the name of the server that holds your email and download it.
Cont.. On Linux, you can view your email through many different programs. There are graphical programs like Mozilla, Ximian Evolution and KMail. You can also use programs from the command line like 'pine' and 'mutt'.
Email on the Server Getting and reading email is simple on a client, but setting up a server to get and send email requires a little more understanding of how email works. There are three parts to an email server: the MTA – Mail Transport Agent (most people use the program called 'sendmail'); the LDA – Local Delivery Agent (most people use the program procmail);
Cont… and IMAP and POP3 servers – these are two ways to get email from a server. When a client connects to a server to get email, it will use one of these servers.
Setting up Sendmail Sendmail normally runs with all RedHat distributions, so you won't need to start any service. Sendmail is a Mail Transport Agent – this means that it is a program which moves mail from one computer to another computer. It is estimated that 80% of all email is handled by Sendmail today. With Sendmail, you can do many things, like block spam, relay mail, have forwarders and configure ways to route mail automatically across networks.
Cont… Like most Linux programs, Sendmail is changed through configuration files.
Setting up Sendmail Setting up Sendmail can be an enormous task if you want to do complicated things, but if we just want it to accept email, we can keep it simple. First change into /etc/mail, where the sendmail files are saved. Sendmail has a different configuration style, where you edit files and then compile them into a form that Sendmail likes to see.
Cont… First open the file “access”. This is the file that contains all the domains that will be allowed to use your Sendmail to send emails. You need to add your domain here and any domains that might be on your network. You'll also want to make a file called “relay-domains” and put your domain in there. This is to stop people from outside using your server to send spam.
Setting up Sendmail You'll also want to open up the file “local-host-names”. This will contain other names for your computer, so that Sendmail will still accept mail from these domains. This file should contain any other names you have for your computer. Now your Sendmail will know whom it is good to accept mail from and whom it is not.
Setting up Sendmail The actual sendmail configuration file is “sendmail.cf”, but it has become so complicated that they made another configuration file, “sendmail.mc”, which you then compile to make into the “sendmail.cf”. In RedHat, the program called “m4” is used to generate the sendmail.cf file. So after we edit the “sendmail.mc” file, we use m4 to convert it, like this:
[root@comp root]# m4 sendmail.mc > sendmail.cf
Setting up Sendmail Now that you have the configuration set up for Sendmail, you can restart the service if you want the new changes to take effect. So we use the service command to restart sendmail:
[root@comp root]# service sendmail restart
You can check to see if it's running by using 'ps -aux'; you'll see an entry that says “sendmail: accepting connections”. This means that it is up and running and people can send email to your server.
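The steps above (access, relay-domains, local-host-names, then m4 and a restart) as one script. This is an added example, not code from the lecture deck or from the sendmail project; the directory and host/domain names are parameters with placeholder defaults, and the function names are this example's own. The file syntax is sendmail's: one key per line in access with the action (RELAY) after it, and one name per line in the other two files. One detail the slides skip: sendmail reads the compiled access.db, not the text file, so makemap has to run after every edit (RedHat's /etc/mail/Makefile does the same job via make).

```sh
#!/bin/sh
# Added example, not from the lecture deck or the sendmail project: write the
# three plain-text control files into a directory, check the access file for
# the entry that would make the server an open relay, and compile the files
# the way sendmail expects when the tools are installed.

# write_sendmail_files DIR HOSTNAME DOMAIN [DOMAIN...]
#   access           - who may relay through us; the right-hand side is the
#                      action, RELAY here. Keys are domains, hosts or network
#                      prefixes. Never leave a bare RELAY line: it matches
#                      everything and turns the server into an open relay.
#   relay-domains    - domains we accept mail for and forward.
#   local-host-names - other names this machine answers to, so mail addressed
#                      to them is delivered locally instead of bounced.
write_sendmail_files() {
    local dir host d
    dir=$1; host=$2; shift 2
    mkdir -p "$dir"
    printf 'localhost\tRELAY\n127.0.0.1\tRELAY\n' > "$dir/access"
    : > "$dir/relay-domains"
    printf '%s\n' "$host" > "$dir/local-host-names"
    for d in "$@"; do
        printf '%s\tRELAY\n' "$d" >> "$dir/access"
        printf '%s\n' "$d" >> "$dir/relay-domains"
        printf '%s\n' "$d" >> "$dir/local-host-names"
    done
}

# check_access_file DIR
#   Flags access lines that relay with no lookup key at all, or for a
#   one-octet network such as "10", which matches a whole /8 of the Internet.
#   Returns 1 when such a line is found.
check_access_file() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF == 1 && toupper($1) == "RELAY" { print "WARN: bare RELAY line (open relay)"; bad = 1 }
        NF >= 2 && toupper($2) == "RELAY" && $1 ~ /^[0-9]+$/ {
            print "WARN: relaying for the entire /8 network " $1; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1/access"
}

# build_sendmail_config DIR
#   Compiles access into access.db (makemap) and sendmail.mc into sendmail.cf
#   (m4) when those tools exist; after that "service sendmail restart" applies
#   the change, as on the slide.
build_sendmail_config() {
    local dir=$1
    command -v makemap >/dev/null 2>&1 && makemap hash "$dir/access.db" < "$dir/access"
    [ -f "$dir/sendmail.mc" ] && command -v m4 >/dev/null 2>&1 &&
        m4 "$dir/sendmail.mc" > "$dir/sendmail.cf"
    return 0
}

# Demo on a temporary directory with placeholder names; a real run would use
# /etc/mail and the server's own hostname and domain.
demo_dir=$(mktemp -d)
write_sendmail_files "$demo_dir" mail.example.org example.org
check_access_file "$demo_dir" && echo "access file looks sane"
build_sendmail_config "$demo_dir"
cat "$demo_dir/access"
```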
Cont… But how does anyone else on the Internet know how to send email to your server?
MX Records MX Records – Mail Exchange records – are part of the DNS system for the entire Internet. In order for other computers to know where to send you email, you need to have the correct MX records set up on some name server on the internet. A numerical priority determines the order in which servers should be used: the server with the lowest priority value is the primary. In DNS, the MX records will look like the following.
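To see the priority rule in action, here is an added example (not from the lecture deck) that sorts a set of MX records and picks the primary exchanger. The input lines follow the answer-section layout that `dig MX <domain>` prints (owner, TTL, class, type, priority, exchange); the records for example.org below are constructed, not a real lookup, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the lecture deck: order a domain's MX records by
# priority and pick the primary exchanger. Sample records are constructed.

SAMPLE_MX='example.org.  3600 IN MX 20 backup.example.org.
example.org.  3600 IN MX 10 mail.example.org.
example.org.  3600 IN MX 30 offsite.example.net.
example.org.  3600 IN A  192.0.2.10'

# mx_order < records
#   Prints "priority exchange" lines, lowest priority value first (that is
#   the server other MTAs try first), ignoring records that are not MX.
mx_order() {
    awk '$3 == "IN" && $4 == "MX" { print $5, $6 }' | sort -n -k1,1
}

# mx_primary < records
#   Prints the exchange host that should receive mail while it is reachable.
mx_primary() {
    mx_order | head -n 1 | awk '{ print $2 }'
}

# mx_check < records
#   Two checks worth running before pointing a domain at a new server: there
#   is at least one MX, and no two MX records share a priority (legal, but it
#   leaves the failover order up to the sender). Returns 0 when both pass.
mx_check() {
    local list n uniq
    list=$(mx_order)
    n=$(printf '%s\n' "$list" | awk 'NF { c++ } END { print c + 0 }')
    if [ "$n" -eq 0 ]; then echo "no MX records"; return 1; fi
    uniq=$(printf '%s\n' "$list" | awk '{ print $1 }' | sort -u | awk 'END { print NR }')
    if [ "$uniq" -ne "$n" ]; then echo "duplicate MX priorities"; return 1; fi
    echo "ok: $n exchangers, primary $(printf '%s\n' "$list" | head -n 1 | awk '{ print $2 }')"
}

printf '%s\n' "$SAMPLE_MX" | mx_order
printf '%s\n' "$SAMPLE_MX" | mx_check
```

Against a live zone, pipe the output of `dig +noall +answer MX example.org` into `mx_check` instead of the sample text.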
Local Delivery Agents In most RedHat distributions, Sendmail will get the mail from some server on the Internet and then pass it off to another program for local delivery. This means there is another layer of handling before an email will reach your inbox. Procmail is usually the program that is chosen to do the local delivery. The reason for the extra layer is that it is easy to do things to mail after it has come in with procmail. For example, you could sort mail into different folders, delete it if it is spam or make copies of everybody's email.
Procmail When a new message comes in, Procmail will start automatically and deliver the mail to the correct folder for the person to read it. You can change how mail is delivered through a procmail configuration file. Initially, there is no configuration file for procmail, because it will just give whatever mail comes in to the person who should receive it.
Cont… You can make one yourself though by creating a file called “/etc/procmailrc” This is the file where you can put rules that will change how mail is delivered
Procmail configuration Procmail configuration lets you do almost anything you can imagine to email, but you have to know the right way to configure it. Once you have the procmailrc file open, you can start putting in rules.
Cont… For example, if you want to make a copy of everyone's email so you can read it yourself:
:0c
/home/mycopy-email
The ':0' part says that a new rule is starting. The 'c' says copy all email, and the following line says where to copy it.
Procmail Example: If you wanted to delete all email that came from a certain domain:
:0
* ^From.*bad-person@bad-domain.com
/dev/null
The first line says a new rule is starting. The next line checks if the 'From' field is from bad-person@bad-domain.com.
Cont… The last line says move that message to /dev/null if the email is from that person. /dev/null is like the trash bin for Linux: if you move something there, it is deleted automatically.
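The way these two rules interact (a copying rule followed by a consuming rule) is easiest to see by tracing a message through them. The script below is an added example, not code from the lecture deck or from the procmail project: a small evaluator for the subset of recipe syntax the slides use, a ":0" or ":0c" header, "* regex" conditions matched as extended regular expressions against the message headers (procmail's default scope), and one action line naming a destination. The recipe file and the messages are constructed samples and the function name is this example's own.

```sh
#!/bin/sh
# Added example, not from the lecture deck or the procmail project: trace
# procmail-style recipes over a message without a running MTA.

SAMPLE_RC=':0c
/home/mycopy-email

:0
* ^From.*bad-person@bad-domain.com
/dev/null

:0
* ^Subject:.*\[list\]
/home/me/mail/list'

MSG_BAD='From: bad-person@bad-domain.com
To: me@example.org
Subject: hello

offer inside'

MSG_LIST='From: friend@example.org
To: me@example.org
Subject: [list] weekly notes

agenda'

# deliver RECIPES MESSAGE
#   Walks the recipes in order. When every condition of a recipe matches, the
#   message goes to that recipe's destination; with the "c" flag a copy goes
#   there and evaluation continues, otherwise delivery stops. If no recipe
#   consumed the message it goes to the default mailbox. One line per delivery.
deliver() {
    local rc msg headers line flag matched delivered
    rc=$1; msg=$2
    headers=$(printf '%s\n' "$msg" | sed '/^$/q')   # headers end at the first blank line
    flag=""; matched=1; delivered=0
    while IFS= read -r line; do
        case "$line" in
            :0*)                      # recipe header; anything after ":0" is flags
                flag=${line#:0}; matched=1 ;;
            '* '*)                    # condition; all conditions must hold
                if ! printf '%s\n' "$headers" | grep -Eq -- "${line#\* }"; then
                    matched=0
                fi ;;
            '') ;;                    # blank separator between recipes
            *)                        # action line
                if [ "$matched" -eq 1 ]; then
                    echo "$line"
                    case "$flag" in
                        *c*) ;;                        # copy: keep evaluating
                        *)   delivered=1; break ;;     # consumed: stop here
                    esac
                fi ;;
        esac
    done <<EOF
$rc
EOF
    [ "$delivered" -eq 1 ] || echo "default mailbox"
}

echo "--- bad sender:";  deliver "$SAMPLE_RC" "$MSG_BAD"
echo "--- list mail:";   deliver "$SAMPLE_RC" "$MSG_LIST"
```

Note the order: because the copying rule comes first, the copy is taken even for the message that is then discarded, which is what a copy-everything rule placed at the top of the file does in procmail as well.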
IMAP and POP3 The last part of setting up email on the server is to have a way for users to get that email. The most popular way is through two services called IMAP and POP3. IMAP – Internet Message Access Protocol – permits a "client" email program to access remote message stores as if they were local.
Cont… For example, email stored on an IMAP server can be manipulated from a desktop computer at home, a workstation at the office, and a notebook computer while traveling, without the need to transfer messages or files back and forth between these computers.
Turning on IMAP Getting IMAP and POP3 working on your server is not difficult, but it can be confusing because there are no startup scripts in the “rc.d” folder. To get them started, you need to edit a file called “/etc/inetd.conf”. This file has a list of all the services that are running and what ports they are connected on.
Cont.. Look down the list until you see the entries for port “110” – pop3 and “143” – IMAP. Uncomment those lines and the next time you restart the server, IMAP and POP3 should be started.
POP3 The other way to get email is through the POP3 service POP – Post Office Protocol It was the first way to get email from a server. POP3 is the latest version, which has replaced POP2.
Cont… POP is different from IMAP in that everything is downloaded to the client machine. Thus, if you make a change to your mail, it will only be changed on the client machine and not on the server. You can turn it on using the same procedure as for IMAP.
SMTP You will also hear about SMTP servers if you use computers. SMTP – Simple Mail Transfer Protocol – is a program that runs on a server and will send messages. When we set up and turned on Sendmail, the SMTP server also started. When you send email from a client computer, you need an SMTP server to send it through. This is what is responsible for sending those messages to the rest of the Internet.
Cont… It operates on port 25. A good way to see if it is running is to try:
[root@comp root]# telnet localhost 25
What this command does is use the telnet program to connect to port 25 on the computer you are using. You will then be able to see the protocol and server messages coming from the SMTP server.
IMAP and POP You can also see how the IMAP and POP servers work by using the same telnet idea. IMAP runs on port 143; POP3 runs on port 110.
[root@comp root]# telnet localhost 143
[root@comp root]# telnet localhost 110
Cont… What happens then is that the IMAP or POP server thinks it is connected to something that knows how to speak its language. If you knew the protocol that IMAP or POP used, you could get your email this way too.
Local and Remote Email You should be aware of when you are getting email remotely and when you are accessing it locally on the server. If you telnet into a server and use a program like 'pine' or 'mutt', this means that you are accessing the local copy of the email. Your email is saved in a file in the “/var/mail” directory under your username. These programs open up that file and break it up so that it looks like there are many messages.
Cont… IMAP and POP3 are services that run on a server and allow client computers to use different programs (like Microsoft Outlook) to access email over a network. IMAP and POP will also open up your mail file, but they are not programs you use to read email. They are servers that will send your email to the program that asks for it.
Updating programs Sendmail especially, but also IMAP and POP3, have been vulnerable to many security holes in the past. This is because they run as root, so if you can break in through the program, you can get root access to the system. So one of the first things to do is to update Sendmail (get the newest from sendmail.org) and then IMAP as well. Generally, the installations are pretty easy, but we might need to change startup scripts.
Reference
For more information about Sendmail: http://www.sendmail.org/
More information about Procmail: http://userpages.umbc.edu/~ian/procmail.html
More info about IMAP: http://www.imap.org/about/
More info about SMTP: http://www2.rad.com/networks/1998/smtp/smtp.htm
NFS
Network File System What is NFS? The Network File System is a file system that may be accessed via a network connection. The Network File System (NFS) was developed to allow machines to mount a disk partition on a remote machine as if it were on a local hard drive.
Cont… This allows for fast, seamless sharing of files across a network. With other file systems, the storage device must be directly attached to the local system. However, with NFS this is not a requirement, making possible a variety of different configurations, from centralized file system servers to entirely diskless computer systems.
Cont… NFS was developed by Sun Microsystems. It is the native method for file sharing between Unix/Linux systems. NFS (versions 2 and 3) is a stateless protocol: 1. The server keeps no state. 2. This renders server crashes 'easily recoverable'.
Cont… Systems are clients, servers or both. Clients import shared file systems; servers export shared file systems. Servers are easy to implement via network daemons; clients require kernel modifications. Linux systems normally work as both already. NFS is NOT Unix/Linux specific (e.g. PCNFS).
Exporting System Exporting is handled by the daemons rpc.nfsd and rpc.mountd, which must be running for NFS export to work. Exported file systems are listed in /etc/exports; the format is:
/directory hostname(flags) [hostname(flags)]
Important flags: ro (read only), rw (read/write),
Cont… all_squash (map all uids/gids to the anonymous user), anonuid= (specify the user ID to map to), anongid= (specify the group ID to map to). After changing /etc/exports, restart NFS:
killall -HUP rpc.nfsd
killall -HUP rpc.mountd
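Because each client entry in /etc/exports carries its own flags, the mistakes that expose a server tend to hide in one entry among many. The script below is an added example (not from the lecture deck) that reads an exports file in the format above and flags the settings a defender checks first. The file content is a constructed sample; the option keywords (ro, rw, root_squash, no_root_squash, insecure) are the real /etc/exports options, and the function name is this example's own.

```sh
#!/bin/sh
# Added example, not from the lecture deck: audit an /etc/exports file for
# the settings that most often turn an NFS server into an exposure.

SAMPLE_EXPORTS='# constructed /etc/exports
/home          192.168.1.0/24(rw,sync,root_squash)
/srv/backup    *(rw,no_root_squash)
/usr/local/doc 192.168.1.0/24(ro,sync) roti.example.com(ro)
/srv/scratch   (rw,insecure)'

# audit_exports < exports-file
#   Prints "WARN <path>: <reason>" per finding and returns 1 if any were found:
#     - client "*" or an empty client (the directory is exported to any host;
#       exportfs itself warns about the empty-client form)
#     - no_root_squash (root on the client is root on this export)
#     - insecure (requests accepted from unprivileged source ports, so any
#       user on the client can send NFS requests carrying another uid)
audit_exports() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                entry = $i; client = entry; opts = ""
                if (match(entry, /\(.*\)/)) {
                    client = substr(entry, 1, RSTART - 1)
                    opts = substr(entry, RSTART + 1, RLENGTH - 2)
                }
                if (client == "" || client == "*") {
                    print "WARN " path ": exported to any host (" entry ")"; bad = 1
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    print "WARN " path ": no_root_squash for " client; bad = 1
                }
                if (opts ~ /(^|,)insecure(,|$)/) {
                    print "WARN " path ": insecure ports for " client; bad = 1
                }
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports || echo "exports need attention"
```

On a real server run `audit_exports < /etc/exports` before restarting the daemons; the same checks can be made against `showmount -e` output from another host, but the exports file is where the flags live.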
Viewing exports Use showmount:
$ showmount -e
$ showmount -e hostname
Export list for landlord.gbdirect.co.uk:
/usr/local/gbdirect/cvsroot roti.gbdirect.co.uk
/home/adamg
/home/andylong
Cont… Mount a remotely exported directory (usually you have to be the superuser):
$ mount hostname:/share_name /local/directory
If successful, the export named /share_name on host hostname is mounted on our mount point /local/directory. Files are then accessed just as if they were local. The remote host must be exporting the directory, you must have access permission, and your local mount point must exist. It is exactly like mounting a device.
Samba Security
What is samba? Samba provides file and print services for Microsoft Windows clients. These services may be hosted off any TCP/IP-enabled platform. The original deployment platforms were UNIX and Linux, though today it is in common use across a broad variety of systems. The Samba project includes not only an impressive feature set in file and print serving capabilities, but has been extended to include client functionality, utilities to ease migration to Samba, tools to aid interoperability with Microsoft Windows, and administration tools.
Who Needs Samba? You’ve got a UNIX server storing large amounts of research data, and want to share this data among a group of Windows-based client machines. You’ve got Linux workstations that need to print to a printer which is connected to a Windows machine. Many other interoperability scenarios, not just limited to Windows and UNIX (Macs, too!)
Why is there a need for securing Samba? Like any other networked service, Samba can be maliciously exploited in the wrong hands if not configured properly. Sensitive data (financial, EPHI, HR, etc.) can potentially be compromised. Inherent legal liability. More simply, annoyances created by not securely locking down shared services (printer bombs, etc.).
What are the different approaches for securing Samba? User, Share, Domain, ADS (Active Directory), Server.
User Level Security Simplest; the default setting since Samba 2.2.x. The client sends a session setup request directly following protocol negotiation. This request provides a username and password, which the server can either accept or reject. The client then expects to be able to mount shares without further specifying a password.
Share-Level Security The client authenticates itself separately for each share. It sends a password along with each tree connection request (share mount), but it does not explicitly send a username with this operation. The client expects a password to be associated with each share, independent of the user. This means that Samba has to work out what username the client probably wants to use, since the SMB server is not explicitly sent the username.
Domain Security Mode provides a mechanism for storing all user and group accounts in a central, shared account repository. The repository is shared between domain (security) controllers. Servers that act as domain controllers provide authentication and validation services to all machines that participate in the security context for the domain. For most purposes at Yale, this is obsolete in favor of ADS.
ADS Security Mode Samba can join an Active Directory domain using NT4-style RPC-based security if the domain is run in native mode. The term realm is used to describe a Kerberos-based security architecture (such as is used by Microsoft ADS). In the event that Samba cannot correctly identify the appropriate ADS server using the realm name, use the password server option in smb.conf.
Server Security (deprecated) This mode is left over from the time when Samba was not capable of acting as a domain member server. It is highly recommended not to use this feature; it has many drawbacks. The Samba server reports to the client that it is in user-level security. The client then does a session setup as described earlier. The Samba server takes the username/password that the client sends and attempts to log into the password server by sending exactly the same username/password that it got from the client.
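All five modes are selected by one parameter, `security`, in the [global] section of smb.conf, so an audit of a Samba host starts with reading that value. The script below is an added example, not code from the lecture deck or from the Samba project: it extracts the setting (only from [global], ignoring a stray `security =` line in a share section), defaults to user level when the parameter is absent as Samba has since 2.2, and returns a non-zero status for the modes described above as deprecated or obsolete; the note that share mode was removed in Samba 4 is a fact about Samba, not from the slides. The smb.conf text is a constructed sample and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the lecture deck or the Samba project: report which
# security mode an smb.conf selects and whether it should still be used.

SAMPLE_SMB_CONF='[global]
   workgroup = WORKGROUP
   security = server
   password server = pdc.example.org
   map to guest = Bad User

[public]
   path = /srv/public
   guest ok = yes'

# smb_security_mode < smb.conf
#   Prints the effective security mode in lower case; "user" when the
#   parameter is absent (the default since Samba 2.2).
smb_security_mode() {
    awk -F= '
        /^[[:space:]]*\[/ { in_global = (tolower($0) ~ /\[global\]/); next }
        in_global && $1 ~ /^[[:space:]]*security[[:space:]]*$/ {
            v = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); mode = tolower(v)
        }
        END { print (mode == "" ? "user" : mode) }
    '
}

# smb_security_review < smb.conf
#   Prints a one-line assessment of the mode. Exit status 1 for modes that
#   should not be used on a new installation.
smb_security_review() {
    local mode
    mode=$(smb_security_mode)
    case "$mode" in
        user)   echo "user: local account database; fine for a stand-alone server"; return 0 ;;
        ads)    echo "ads: Kerberos/Active Directory member; verify realm and password server"; return 0 ;;
        domain) echo "domain: NT4-style domain member; superseded by ads"; return 0 ;;
        share)  echo "share: per-share passwords with no username; removed in Samba 4"; return 1 ;;
        server) echo "server: pass-through to a password server; deprecated, do not use"; return 1 ;;
        *)      echo "unknown security mode '$mode'"; return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE_SMB_CONF" | smb_security_review || echo "reconfigure before exposing this server"
```

On a live host, `smb_security_review < /etc/samba/smb.conf` gives the answer; `testparm -s` prints the parsed configuration and can be piped in the same way if the file uses includes.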
Reference
The Samba Website: http://www.samba.org
The Official Samba-3 HOWTO and Reference Guide: http://www.samba.org/samba/docs/man/Samba3-HOWTO/
Workstation Support Services (WSS): http://wss.yale.edu
Information Security Office (ISO): http://www.yale.edu/its/security/
WEB SERVER SETUP
Web server The Apache Web Server is used. The daemon is httpd (service httpd start/stop/restart).
Apache Configuration Directives: Server Name, Min and Max Servers, Document Root, CGI Enable/Disable, User Directory, Directory Index, MIME Types, Modules.
Files used
Apache configuration file: /etc/httpd/conf/httpd.conf
Log files: /var/log/httpd/access_log and /var/log/httpd/error_log
Modules: /etc/httpd/modules
Default Document Root: /var/www/html
Default CGI Root: /var/www/cgi-bin
Basic Setting Change the default value for ServerName to www.<your-domain.com> in httpd.conf and put the website content in /var/www/html. Additionally you can configure name-based virtual hosting (allowing more than one website to run on the same server).
Squid Setup What is a Web Proxy? A proxy is a host which relays web access requests from clients. It is used when clients do not access the web directly, for security, logging, accounting and performance. (Diagram: browser → proxy → web.)
Obtaining Squid Source code (in C) from www.squid-cache.org. Binary executables: Linux (comes with RedHat and others), FreeBSD, Windows. Pre-installed in Fedora/Enterprise Linux.
Squid Setup Basic Settings Edit the /etc/squid/squid.conf file to configure Squid. Configuration options: disk cache size and location; authentication; allowed hosts; any other access restrictions (sites, content, size, time of access etc.) using ACLs. Control the service with: service squid start/stop/restart.
Squid.conf Configuration
cache_dir ufs /var/spool/squid/cache 100 16 256
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
acl sidbiusers proxy_auth REQUIRED
http_access allow sidbiusers
acl our_network src 172.28.250.0/24
http_access allow our_network
http_access deny all
(Note: ncsa_auth reads an htpasswd-format password file, created with htpasswd, that the squid user can read; it cannot use /etc/shadow, which is root-only and in a different format. The keyword REQUIRED is what Squid documents for proxy_auth. The final "deny all" makes the default explicit. Use squid -z the first time to create the cache directory and its subdirectories.)
Thank you