ITI-481: Unix Administration Meeting 3. Today’s Agenda Hands-on exercises with booting and software installation. Account Management Basic Network Configuration.

ITI-481: Unix Administration Meeting 3 Christopher Uriarte, Instructor Rutgers University Center for Applied Computing Technologies.
Presentation transcript:

ITI-481: Unix Administration Meeting 3

Today’s Agenda
– Hands-on exercises with booting and software installation
– Account Management
– Basic Network Configuration
– Setting Inetd
– Exercise: Disabling Services with Inetd

Exercise: Using Red Hat Package Manager
Place your Linux CD in your drive. The files on your CD can be accessed via the directory /mnt/cdrom. You may have to issue the “mountcd” command on your system to mount the CD-ROM.
The RedHat/RPMS directory on your CD-ROM contains many RPM files.
Install tcpdump off of the Red Hat CD:
    > cd /mnt/cdrom/RedHat/RPMS
    > rpm -ivh tcpdump i386.rpm
Uninstall elm software:
    > rpm -e elm
Question: Is pine installed on your system? If so, what is the version number?

Exercise: Installing ssh1 from Source
SSH is a program that allows you to securely access a server from a remote location.
Download ssh1 from tar.gz tar.gz
From the download directory:
    > tar -xvzf ssh tar.gz
    > cd ssh
    > ./configure
    > make
    > make install

Exercise: Changing Runlevels
As root, type the following:
    shutdown -t 30 -h "System Downtime Beginning"
Hit the power switch on your machine to turn the system back on after the shutdown process is complete (you should see a bash# prompt). NEVER turn power off without a proper shutdown.
At the LILO prompt, enter “linux 1” (Linux only).
After booting into single-user mode, type:
    init 5

Unix System Accounts
Access to system resources is controlled through user and group assignment.
Two types of user accounts:
– Normal user
– Root user

Components for Account Creation
– /etc/passwd
– /etc/shadow
– /etc/group
– Home directory (/home/username)
– Initialization scripts (.login, .bash_profile, .cshrc), copied from /etc/skel

Passwords
Should always be encrypted:
– Crypt: up to 8 characters
– MD5: up to 256 characters
Should be a combination of random letters, numbers, and special characters.
Stored in /etc/passwd or /etc/shadow (preferred).
Can be disabled by putting * in the password field.

/etc/passwd
Entry format (one entry per line):
    username:encrypted password:user ID (UID):default group (GID):name (GECOS):home directory:login shell
Sample entry (no shadow file):
    kkaplan:boQavhhaCKaXG:500:500:Kellee Kaplan:/home/kkaplan:/bin/tcsh
Sample entry (with shadow file):
    kkaplan:x:500:500:Kellee Kaplan:/home/kkaplan:/bin/bash
Typical file permissions:
    -rw-r--r-- 1 root root 865 Mar 28 10:44 /etc/passwd

/etc/shadow
Entry format:
    login name:encrypted password:other options for password expiration and changing
Sample entry:
    kkaplan:$1$iwdVDnei&aBcxvpyYi06qu2wll.MAE.:10987:0:99999:7:-1:-1:
Typical permissions:
    -r-------- 1 root root 752 Jan 31 11:45 /etc/shadow

/etc/group
Entry format:
    group name:encrypted group password:GID:comma-separated list of group members
Sample entry:
    staff:x:103:kkaplan,jsmith,jdoe
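The entry formats above are easy to audit mechanically. The following is an added example, not part of the original slides: it flags hashes kept in a passwd-format file instead of the shadow file, empty password fields, extra UID 0 accounts, and traditional crypt hashes. The toor, guest and olduser entries and the root hash are constructed sample data, and treating a leading ! like * (a disabled password) is a convention the slides do not mention.

```shell
#!/bin/sh
# Added example: audit passwd- and shadow-format files for risky entries.
# Field positions follow the entry formats shown on the slides.

audit_passwd() {    # $1 = passwd-format file
    awk -F: '
        NF != 7                 { print "malformed:" $1; next }
        $2 == ""                { print "empty-password:" $1 }
        $2 != "" && $2 != "x" && $2 !~ /^[*!]/ { print "hash-in-passwd:" $1 }
        $3 == 0 && $1 != "root" { print "extra-uid0:" $1 }
    ' "$1"
}

audit_shadow() {    # $1 = shadow-format file
    awk -F: '
        $2 == ""                { print "no-password:" $1; next }
        $2 ~ /^[*!]/            { print "disabled:" $1; next }
        substr($2, 1, 1) != "$" { print "legacy-crypt:" $1 }
    ' "$1"
}

# Constructed sample data (the kkaplan and student2 lines reuse slide samples).
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
kkaplan:boQavhhaCKaXG:500:500:Kellee Kaplan:/home/kkaplan:/bin/tcsh
student2:x:501:103:Student 2:/home/student2:/bin/bash
toor:x:0:0:constructed:/root:/bin/bash
guest::502:103:constructed:/home/guest:/bin/bash
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:$1$CONSTRUC$constructedplaceholder:10987:0:99999:7:-1:-1:
student2:*:::::::
olduser:boQavhhaCKaXG:10987:0:99999:7:-1:-1:
guest::10987:0:99999:7:-1:-1:
EOF

audit_passwd "$SAMPLE/passwd"
audit_shadow "$SAMPLE/shadow"
```

On a real host, run the two functions as root against /etc/passwd and /etc/shadow; any output line is worth a look.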

Account Management Tools
Command line:
– Users: useradd, userdel, usermod
– Groups: groupadd, groupdel, groupmod
– Specific fields: passwd, chsh
Graphical:
– LinuxConf
– Control-panel

Exercise: Account Creation
Create an entry in /etc/group for a new group called “students”:
    students:x:103:
Create an entry by hand in /etc/passwd for an account called student2:
    student2:x:501:103:Student 2:/home/student2:/bin/bash
Create an entry for student2 in /etc/shadow. Leave the password field with an * for now:
    student2:*:::::::
Use passwd to change the password for the account.
Create a home directory for your new account. Change ownership of the directory to the username for your new account and set permissions on the directory to 755.
Log in to the student2 account and verify that it is working.

Exercise: Account Creation with Command Line Tools
Use useradd to create an account for student3. Use the appropriate flags to set a default group of “students,” a home directory of /home/student3, and a password of your choosing.
Log in to the student3 account.
Use userdel to remove the student3 account.

Basic TCP/IP Network Configuration
If the install program detects a NIC card during the install process, you will be prompted to enter network settings.
Network settings are configured at boot time through an rc script: /etc/rc.d/init.d/network
The network rc script applies the network settings designated in /etc/sysconfig:
– /etc/sysconfig/network: hostname and gateway
– /etc/sysconfig/network-scripts/ifcfg-eth0: IP address, broadcast, netmask
(These are the files that contain the network address settings your network admin gives you.)

Domain Name Service Client Configuration
The local IP address and host name combination is set in /etc/hosts.
To use DNS for host name resolution, you need to enable it in /etc/nsswitch.conf:
    hosts: files dns
DNS servers are defined in /etc/resolv.conf:
    search domainname
    nameserver IP-address
Sample file:
    search rutgers.edu
    nameserver
    nameserver

Network Configuration Utilities
Text-based:
– ifconfig: shows various network settings, such as the IP address associated with a NIC.
– hostname: displays and sets the machine’s hostname.
– route: displays and sets network routes and gateways.
Network Monitoring Utilities:
– ping
– traceroute
– netstat

Daemons
A daemon is a Unix process designed to handle a specialized function, usually to run server-based processes.
Daemons run in the background.
They run in two possible ways:
– Standalone: usually started through rc scripts. Always resident in the process table (ps -ef or ps -aux show the Unix processes running on the system).
– Inetd: started via the Inetd network server.

Inetd
Inetd is a "Superserver" for network server-related processes.
Configuration file: /etc/inetd.conf
Controls starting and stopping of network services like telnet and ftp.
Connections made on specific ports are handed over to the appropriate daemon.

/etc/inetd.conf
Defines the specific services run through inetd.
Per-service format:
    srvce_name sock_type protocol [no]wait user srvr_orig srvr_prog_args
Sample entry:
    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
For security reasons, comment out entries for services not being used.
Administrators rarely manually add entries to inetd.conf.
Restart inetd after making any configuration changes:
    kill -HUP `cat /var/run/inetd.pid`

/etc/services
Inetd needs to know on what port (network application identification number) the service being started needs to listen.
/etc/services maps services to specific ports.
Entry format:
    service port/protocol
Sample entry:
    telnet 23/tcp
This file is already configured and populated for you, but it can be a good reference for “well known” TCP ports.

TCP Wrappers
Access restrictions to TCP applications can be enabled using TCP Wrappers.
In inetd.conf, the network service is called through /usr/sbin/tcpd instead of directly.
Access control set through /etc/hosts.allow and /etc/hosts.deny allows you to selectively allow/deny remote access to network services based on IP address and/or hostname.
Connections to TCP wrapped services are logged.
Generally used for security reasons.
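To see which services a given inetd.conf actually exposes, the three files described above can be read together. The following is an added example, not part of the original slides: it lists every enabled entry with its port from a services-format file and whether it is started through /usr/sbin/tcpd, and comments an entry out as the hardening advice suggests. The ftp, shell and finger entries and the in.fingerd path are constructed sample data.

```shell
#!/bin/sh
# Added example: list services enabled in an inetd.conf-format file.
# Output per service: name port/protocol wrapped|UNWRAPPED

list_inetd() {      # $1 = inetd.conf-format file, $2 = services-format file
    awk '
        NR == FNR {                      # first file read: services map
            sub(/#.*/, "")
            if (NF >= 2) { split($2, pp, "/"); port[$1 "/" pp[2]] = $2 }
            next
        }
        /^[ \t]*#/ || NF < 6 { next }    # commented-out entry = disabled
        {
            key = $1 "/" $3
            p = (key in port) ? port[key] : "unknown"
            w = ($6 == "/usr/sbin/tcpd") ? "wrapped" : "UNWRAPPED"
            print $1, p, w
        }
    ' "$2" "$1"
}

disable_service() { # $1 = service name, $2 = inetd.conf-format file
    # Comment out the matching entry; prints the edited file on stdout.
    sed "s/^$1[[:space:]]/#&/" "$2"
}

# Constructed sample files; the telnet lines are the slide samples.
DEMO=$(mktemp -d)
cat > "$DEMO/inetd.conf" <<'EOF'
ftp     stream tcp nowait root   /usr/sbin/tcpd       in.ftpd
telnet  stream tcp nowait root   /usr/sbin/tcpd       in.telnetd
#shell  stream tcp nowait root   /usr/sbin/tcpd       in.rshd
finger  stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
EOF
cat > "$DEMO/services" <<'EOF'
ftp     21/tcp
telnet  23/tcp
shell   514/tcp
finger  79/tcp
EOF

list_inetd "$DEMO/inetd.conf" "$DEMO/services"
disable_service telnet "$DEMO/inetd.conf" > "$DEMO/inetd.conf.new"
list_inetd "$DEMO/inetd.conf.new" "$DEMO/services"
```

An UNWRAPPED line means the daemon is started directly, so hosts.allow and hosts.deny do not apply to it. On a live system the edited file takes effect only after inetd is sent the HUP signal shown on the inetd.conf slide.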

Example: Denying Access via /etc/hosts.allow file
The format of /etc/hosts.allow and /etc/hosts.deny is:
    Service name: [ip or host], [ip or host]…
Adding the following entries to the /etc/hosts.allow file will stop users from AOL and the IP address range * from accessing your system via telnet:
    in.telnetd: ,.aol.com

Exercise: Disabling Services in Inetd
Disable telnet access to your system by commenting out the entry for telnet.
Restart inetd:
    kill -HUP `cat /var/run/inetd.pid`
Verify that the telnet daemon has been disabled. What happens when you type:
    > telnet localhost

Homework
Read Chapters 8, 18, and 20 in Linux Administration: A Beginner’s Guide.