l220: advanced linux system administration ii · web viewoverriding file security checks postfix...

L220: Advanced Linux System Administration IIcourse materials

originally released under the GFDL by LinuxIT

modified and released under the GFDL by University of Zagreb University Computing Centre SRCE (“the publisher”)

University of Zagreb University Computing Centre SRCE

________________________________________________________________________________

Copyright (c) 2005 LinuxIT.Permission is granted to copy, distribute and/or modify this documentunder the terms of the GNU Free Documentation License, Version 1.2or any later version published by the Free Software Foundation;with the Invariant Sections being History, Acknowledgements, with theFront-Cover Texts being “released under the GFDL by LinuxIT”.

Copyright (c) 2014 SRCE.Permission is granted to copy, distribute and/or modify this documentunder the terms of the GNU Free Documentation License, Version 1.2or any later version published by the Free Software Foundation;with the Invariant Sections being History, Acknowledgements, with theFront-Cover Texts being “modified and released under the GFDL by University of Zagreb University Computing Centre SRCE”.

see full GFDL license agreement on p. 133.

2

________________________________________________________________________________

AcknowledgmentsThe original material was made available by LinuxIT's technical training centre www.linuxit.com.

The original manual is available online at http://savannah.nongnu.org/projects/lpi-manuals/.

The modified version of this manual is available at http://www.srce.unizg.hr/linux-akademija/.

HistoryCVS version 0.0 January 2004, Adrian Thomasset <[email protected]>.Reviewed/Updated April 2004, Andrew Meredith <[email protected]>.Review/Update May 2005, Adrian Thomasset <[email protected]>.

February 2014. Title: L220: Advanced Linux System Administration II (version 1.0). Revised and modified at University of Zagreb University Computing Centre SRCE (“the publisher”) by Vladimir Braus.

NotationsCommands and filenames will appear in the text in bold.

The <> symbols are used to indicate a non optional argument.The [] symbols are used to indicate an optional argument

Commands that can be typed directly in the shell are highlighted as below

command

No GuaranteeThe manual comes with no guarantee at all.

3

mailto:[email protected]

mailto:[email protected]

http://savannah.nongnu.org/projects/lpi-manuals/


________________________________________________________________________________

University Computing Centre SRCE

As the major national infrastructural ICT institution in the area of research and higher education in Croatia, the University Computing Centre SRCE is providing a modern, sustainable and reliable e-infrastructure for research and education community.

This includes computing and cloud services, high performance computing, advanced networking, communication systems and services, middleware, data and information systems and infrastructure. At the same time SRCE acts as the computing

and information centre of the largest Croatian university – the University of Zagreb, and is responsible for the coordination of the development and usage of e-infrastructure at the University.

Furthermore, by applying cutting edge technologies SRCE continuously enriches academic and reserach e-infrastructure and its own service portfolio. This enables the active participation of Croatia and Croatian scientists in European and global research and higher education area and projects.

Since its founding in 1971 as a part of the University of Zagreb, at that time the only Croatian university, SRCE has provided an extended advisory and educational support to institutions and individuals from the academic and research community in the use of ICT for education and research purposes.

From its beginnings, and still today, SRCE has been recognized as an important factor of the development of modern e-infrastructure at the national level, participating in different projects and providing services like Croatian Intenet eXchange (CIX).

SRCE has a 41 year old tradition of organizing professional courses from the field of ICT.

University Computing Centre SRCEJosipa Marohnića 510000 ZagrebCroatia

http://www.srce.unizg.hre-mail: [email protected]: +385 1 6165 555

4


Mail and Lists________________________________________________________________________________

Table of Contents

DNS..................................................................................................................................................71. Basic Bind Configuration..........................................................................................................7

1.1 The Logging Statement..........................................................................................................81.2 The Options Statement........................................................................................................101.3 The Zone Statement............................................................................................................111.4 The Access Control Lists (acl) Statement............................................................................12

2. Create and Maintain Zone Files..............................................................................................133. Securing a DNS Server............................................................................................................15

3.1 Server Authentication...........................................................................................................153.2 DATA Integrity and Authenticity...........................................................................................17

MAIL AND LISTS..........................................................................................................................191. Using Sendmail........................................................................................................................19

1.1 Configuration Settings..........................................................................................................191.2 Virtual Hosting......................................................................................................................21

2. Configuring Mailing Lists........................................................................................................222.1 Majordomo and Sendmail....................................................................................................22

3. Managing Mail Traffic..............................................................................................................243.1 Mail Filtering with Procmail..................................................................................................24

WEB SERVICES............................................................................................................................271. Implementing a Web Server....................................................................................................27

1.1 Installing Apache..................................................................................................................271.2 Monitoring apache load........................................................................................................271.3 Using Apachectl...................................................................................................................281.4 Basic Configuration Options................................................................................................291.5 Restricting Client Access.....................................................................................................311.6 Client Basic Authentication..................................................................................................31

2. Maintaining a Web Server.......................................................................................................322.1 HTTPS Overview.................................................................................................................322.2 SSL Virtual Hosts.................................................................................................................332.3 Managing Certificates..........................................................................................................342.4 Virtual Hosts.........................................................................................................................35

3. Implementing a Proxy Server.................................................................................................373.1 Getting Started.....................................................................................................................373.2 Access Lists and Access Control.........................................................................................373.3 Additional Configuration Options.........................................................................................393.4 Reporting Tools....................................................................................................................403.5 User Authentication (using PAM).........................................................................................42

5


Mail and Lists________________________________________________________________________________

NETWORK CLIENT MANAGEMENT...........................................................................................441. DHCP Configuration................................................................................................................44

1.1 Default DHCP Configurations..............................................................................................441.2 Dynamic DNS......................................................................................................................461.3 DHCP Relay.........................................................................................................................48

2. NIS Configuration.....................................................................................................................492.1 Master Server Configuration................................................................................................492.2 Slave Server Configuration..................................................................................................502.3 Client Setup.........................................................................................................................502.4 Setting up NFS home directories.........................................................................................512.5 Basic NIS Administration.....................................................................................................51

3. LDAP Configuration.................................................................................................................523.1 What is ldap.........................................................................................................................523.2 OpenLDAP server configuration..........................................................................................533.3 Client configuration files.......................................................................................................543.4 Migrating System Files to LDAP..........................................................................................543.5 LDAP Authentication Scheme..............................................................................................57

4. PAM Authentication.................................................................................................................594.1 PAM Aware Applications......................................................................................................594.2 PAM Configuration...............................................................................................................60

SYSTEM SECURITY.....................................................................................................................611. Iptables/Ipchains......................................................................................................................61

1.1 The Chains...........................................................................................................................611.2 The Tables...........................................................................................................................621.3 The Targets..........................................................................................................................621.4 Example Rules.....................................................................................................................63

2. Differences with Ipchains........................................................................................................643. Security Tools..........................................................................................................................65

3.1 SSH......................................................................................................................................653.2 LSOF....................................................................................................................................673.3 NETSTAT.............................................................................................................................683.4 TCPDUMP...........................................................................................................................683.5 NMAP...................................................................................................................................70

Vježbe (Exercises) ......................................................................................................................73

GNU Free Documentation License...........................................................................................133

6


Mail and Lists________________________________________________________________________________

DNS

NOTICE

Computer name resolution can be performed in a number of ways, including /etc/hosts file and DNS.

/etc/hosts file is a convenient way to manage name resolution for a small number of computers, such as a small home network with just two or three machines. /etc/hosts must be updated on every computer on a network whenever any machine’s name or IP address changes or whenever a computer is added to or removed from the network.

In addition to /etc/hosts and DNS, several other name resolution systems exist, including Network Information Service (NIS), Windows Internet Name Service (WINS), and more.

1. Basic Bind Configuration

The configuration file for a Bind server is /etc/named.conf. This file has the following main entries:

Main entries in named.conf

logging Specify where logs are written too and what needs to be logged

options Global options are set here (e.g the path to the zone files)

zone Defines a zone: the name, the zone file, the server type

acl Access control list

server Specific options for remote servers

Let's look at a typical configuration file for a caching only server. We will add entries to it as we go to create new zones, logging facilities, security, etc.

7

Mail and Lists________________________________________________________________________________

Skeleton named.conf fileoptions {

directory "/var/named";datasize 100M;

}; zone "." IN {

type hint;file "named.ca";

};

zone "localhost" IN {type master;file "localhost.zone";allow-update { none; };

};

zone "0.0.127.in-addr.arpa" IN {type master;file "named.local";allow-update { none; };

};

1.1 The Logging Statement

The syntax for logging is:

logging { channel "channel_name" { file "file_name";

versions number_of_files; size log_size; syslog < daemon | auth | syslog | authpriv | local0 -to- local7 | null >; severity <critical | error | warning | notice | info | debug | dynamic >; print-category yes_or_no; print-severity yes_or_no; print-time yes_or_no; }; category "category_name" { "channel_name"; }; };

The channel defines where logs are sent to (file, syslog or null). If syslog is selected then the facility and the log level can be specified too.

The category clause defines the type of information sent to a given channel (or list of

8


Mail and Lists________________________________________________________________________________

channels). The type of channel is given then the default logging facility is used

category default { default_syslog; default_debug; };

Example:

We choose not to use the syslog daemon and log everything to a file called “LOG” that will be created in the same directory as the zone files (default /var/named/). For this we will create the channel foo_channel. Next we want to log queries using this channel.

The entry in named.conf will look like this:

logging {channel foo_channel {

file "LOG"; print-time yes; print-category yes; print-severity yes; };

category "queries" { "foo_channel"; };};

Categories such as queries are predefined and listed in the named.conf(5) manpages. However some of the names have changed since BIND 8, so we include as a reference the list of categories for BIND 9 below:

BIND 9 Logging Categoriesdefault Category used when no specific channels (log levels, files ...) have

been definedgeneral Catch all for messages that haven't been classified belowdatabase Messages about the internal zone filessecurity Approval of requestsconfig Processing of the configuration fileresolver Infornation about operations performed by clientsxfer-in or xfer-out Received or sent zone filesnotify Log NOTIFY messagesclient Client activityupdate Zone updatesqueries Client Queriesdnssec DNSEC transactionslame-servers Transactions sent from servers marked as lame-servers

9


Mail and Lists________________________________________________________________________________

1.2 The Options Statement

The global options for the server are set at the beginning of named.conf. The syntax is:

options{option1;option2;....

};

We next cover the most common options.

versionManpage says “The version the server should report via the ndc command. The default is the real version number of this server, but some server operators prefer the string (surely you must be joking )”

version " (surely you must be joking) ";

directoryThe working directory of the server directory "/var/named";

fetch-glue (default yes) - obsoletePrevent the server from resolving NS records (the additional data section). When a record is not present in the cache BIND can determine which servers are authoritative for the newly queried domain. This is often used in conjunction with recursion no.

notify (default yes)Send DNS NOTIFY messages to the slave servers to notify zone changes (helps speed up convergence)

recursion (default yes)The server will perform recursive queries when needed

forward (only or first)The default value is first and causes the sever to query the forwarders before attempting to answer a query itself. If the option is set to only the server will always ask the forwarders for an answer. This option has to be used with forwarders.

10


Mail and Lists________________________________________________________________________________

forwarders (list)List of servers to be used for forwarding. The default is an empty list.

forwarders { 10.0.0.1; 10.0.0.10;};

datasize Limit the size of the cache datasize 512M;

allow-query (list)A lists of hosts or networks that may query the server

allow-recursion (list)List of hosts that can submit recursive queries

allow-transfer (list)List of hosts (usually the slaves) who are allowed to do zone transfers

1.3 The Zone Statement

The syntax for a zone entry in named.conf is as follows:

zone domain_name {type zone_type;file zone_file;local_options;

};

We first look at the local_options available. Some of these are the same options with the same syntax as the global options we have just covered (with some additional ones). The most common ones are notify, allow-transfer and allow-query. Additional ones are masters (list of master servers) or dialup.

The domain_name is the name of the domain we want to keep records for. For each domain name there is usually an additional zone that controls the local in-addr.arpa zone.

The zone_type can either be

master the server has a master copy of the zone fileslave the server has a version of the zone file that was downloaded from a

master server hint predefined zone containing a list of root serversstub similar to a slave server but only keeps the NS records

11


Mail and Lists________________________________________________________________________________

The zone_file is a path to the file containing the zone records. If the path is not an absolute path then the path is taken relatively to the directory given earlier by the directory option (usually /var/named).

Example master zone entries, allowing zone transfers to a slave server at 10.1.2.3:

zone seafront.bar {type master;file "seafront.zone";allow-transfer{10.1.2.3;);

};

zone 2.1.10.in-addr.arpa {type master;file "10.1.2.zone"allow-transfer{10.1.2.3;);

};

The next example is the corresponding named.conf zone section for the slave server, assuming the master has the IP 10.1.2.1:

zone "seafront.bar" IN { type slave; masters {10.1.2.1;}; file "slave/seafront.zone";};

zone "2.1.10.in-addr.arpa" IN { type slave; masters {10.1.2.1;}; file "slave/10.1.2.local";};

1.4 The Access Control Lists (acl) Statement

Rather than use IPs it is possible to group lists of IP addresses or networks and assign a name to this grouping.

Exmaple acl:

acl internal_net {10.0.0.0/8; };

12


Mail and Lists________________________________________________________________________________

There are built-in ACLs as follow:

any all hostsnone no hostlocalhost all IP address for the local interfaceslocalnets network associated to the localhost interfaces

The Server Statement

This statement is used to assign configuration options for a specific server. For example if a server is giving bad information it can be marked as bogus. One can also set the keys associated with a server for hosts authentication when using DNSSEC (see section 4. Securing a DNS Server)

2. Create and Maintain Zone Files

The format of the zone files is defined in RFC 1035 and contains resource records (RR) for the administered domain or sub-domain.

The types of resource records are:

1 – Start Of Authority (SOA)

root-name TTL IN SOA name-server email-address (serial number;refresh;retry;expire;minimum;)

The SOA record includes the following details: the primary name server for the domain the responsible party for the domain a timestamp (serial number) that changes whenever you update your domain the number of seconds before the zone should be refreshed the number of seconds before a failed refresh should be retried the upper limit in seconds before a zone is considered no longer authoritative the negative result TTL (for example, how long a resolver should consider a negative

result for a subdomain to be valid before retrying).

The root-name is often replaced with an “@” symbol which resolves to the name of the

13


Mail and Lists________________________________________________________________________________

zone specified in named.conf.

Example:

$TTL 86400@ 1D IN SOA ns.seafront.bar. root.seafront.bar. ( 46 ; serial (d. adams) 1H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum

2 – Records defining the name-servers for this domain, NS records

domain-name IN NS name-server

Example:

IN NS ns

NOTICE1. If the name of the domain is missing then @ is assumed2. The fully qualified name of the name-server is ns.seafront.bar.. A host name that

doesn't end with a dot will automatically have the domain-name '@' appended to it. Here for examplens becomes ns.seafront.bar.

3 – Records defining the mail-servers for this domain, MX records

domain-name IN MX PRI mail-server

The PRI entry is a priority number. If several mail-servers are defined for a domain then the servers with the lowest priority number are used first.

4 – Authoritative information for hosts on the domain, called A records

host-name IN A IP-address

Authority Delegation

When defining the name-servers responsible for another sub-domain additional NS records are added as well as some glue records which are simple A records resolving the DNS servers.

Example:

14


Mail and Lists________________________________________________________________________________

devel.myco.com. IN NS ns1.devel.myco.comns1 IN A 192.168.21.254

Reverse zone files

5 – Authoritative PTR records, resolving IP addresses

n IN PTR host-name

3. Securing a DNS Server

In 1995, following major security flaws discovered in DNS, a new topic called DNSSEC was started within the IETF. This DNSSEC protocol is described in a sequence of three draft documents known as RFC2535bis and proposes to handle server authentication as well as data authenticity.

3.1 Server Authentication

DNSSEC attempts to handle vulnerabilities that occur during unauthorised dynamic updates as well as spoofed master impersonations. These involve host-to-host authentications between either a DHCP or a slave server and the master server.

The dnssec-keygen tool is used to generate a host key on the master server that can then be transferred on a slave server. This authentication mechanism is call TSIG and stands for Transaction Signature. Another mechanism is SIG0 and is not covered in these notes.

Master Configuration

1. First generate the host key on the master server called seafront.bar:

dnssec-keygen –a HMAC-MD5 -b 256 -n host seafront.bar.

This will create the following public and a private key pair:

Kseafront.bar.+157+49196.key Kseafront.bar.+157+49196.private

Notice: These keys must NOT be inserted in the zone files (there is an IN KEY section in the public key that is misleading, looks like a RR). The public and the private keys are identical: this means that the private key can be kept in any location. This also means that the public key shouldn't be published.

The content of the Kseafront.bar.+157+49196.key is:

15


Mail and Lists________________________________________________________________________________

seafront.bar. IN KEY 512 3 157 QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4=

2. In the same directory as the server's named.conf configuration file create the file slave.key with the following content:

key "seafront.bar." { algorithm hmac-md5; secret "QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4=";};

3. Apply the following changes in named.conf:

include "/etc/slave.key";

zone "seafront.bar" IN { type master; file "seafront.zone"; allow-transfer { key seafront.bar.; };};

zone 2.1.10.in-addr.arpa {type master;file "10.1.2.zone"allow-transfer { key seafront.bar.; );

};

Slave Configuration

Copy the slave.key file to the slave server in the directory containing named.conf. Add the following server and include statements to named.conf:

server 10.1.2.1 { (this is the IP for the master server) keys {seafront.bar.;};};


Troubleshooting

Restart named on both servers and monitor the logs. Notice that DNSSEC is sensitive to time stamps so you will need to synchronise the servers (using NTP). Then run the following command on the master server in the same directory where the dnssec keys where generated:

16


Mail and Lists________________________________________________________________________________

dig @10.1.2.1 seafront.bar AXFR -k Kseafront.bar.+157+49196.key

3.2 DATA Integrity and Authenticity

This aspect of DNSSEC is above the level of this manual and is simply a summary of the concepts involved. Data authenticity may be compromised at different levels.

The recognised areas are: altered slave zone files cache impersonation cache poisoning.

New RR records

The integrity and authenticity of data is guaranteed by signing the Resource Records using a private key. These signatures can be verified using a public DNSKEY. Only the validity of the DNSKEY needs to be established by the parent server or “delegation signer” DS.

So we have the following new RRs in the zone files:

RRSIG the signature of the RR set DNSKEY public key used to verify RRSIGsDS the Delegation Signer

Signing Zone Records

These are the basic steps:

1. Create a pair of public/private zone signing keys (ZSK)

dnssec-keygen -a DSA -b 1024 -n zone seafront.bar.

You should get two files such as these:

Kseafront.bar.+003+31173.key Kseafront.bar.+003+31173.private

2. Insert the public key into the unsigned zone file:

17


Mail and Lists________________________________________________________________________________

cat Kseafront.bar.+003+31173.key >> seafront.bar

3. Sign the zone file

dnssec-signzone -o seafront.bar Kseafront.bar.+003+31173

You should see a message such as:

WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNINGWARNING WARNINGWARNING WARNINGWARNING This version of dnssec-signzone produces zones that are WARNINGWARNING incompatible with the forth coming DS based DNSSEC WARNINGWARNING standard. WARNINGWARNING WARNINGWARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNINGseafront.zone.signed

This is due to the fact that the dnssec-signzone tool doesn't support the -k switch which would allow to make use of a key signing key (KSK) which is then forwarded to a parent zone to generate a DS record.

If you want to make use of this signed zone, change the filename in named.conf to “seafront.bar.signed”

18


Mail and Lists________________________________________________________________________________

Mail and Lists

A wide variety of SMTP servers can run on Linux. The most popular servers are:

Sendmail This server has long dominated Internet mail delivery. sendmail has also earned a reputation for a difficult-to-master configuration file format. Fortunately, tools to create a configuration file from a simpler file are common.

Postfix This server is comparable to sendmail in popularity. Postfix uses a series of small programs to handle mail delivery tasks, as opposed to the monolithic approach used bysendmail. Its configuration is much easier to handle than is sendmail’s.

Exim This mail server is not quite as popular as sendmail or Postfix, but it is still a popular Linux mail server. Like sendmail, Exim uses a monolithic design, but Exim’s configuration file is much more intelligible. This server includes extensive pattern - matching tools that are very useful in fighting spam.

1. Using Sendmail

Sendmail is a general purpose internetwork email routing facility that supports many kinds of mail-transfer and delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet.

1.1 Configuration Settings

DNS Settings1. We first want to make sure that mail will be sent to our machine. We assume that we

have properly configured a domain called seafront.bar with BIND 8 or 9. Let's make sure that the zone file for this domain has an MX record pointing to our system.

For example if our machine is called test1 and has the IP 192.168.246.12 then we need the following lines:

seafront.bar. IN MX 10 test1.seafront.bar.

test1.seafront.bar. IN A 192.168.246.12

19


Mail and Lists________________________________________________________________________________

2. Next we need to make sure that this information is read by the resolvers, so we add the following at the top of the file /etc/resolv.conf:

nameserver 127.0.0.1

domain seafront.bar

Sendmail Settings

We go into sendmail's main configuration directory /etc/mail. Here we need to do the following:

1. By default sendmail is configured to listen for connections ONLY for the 127.0.0.1 interface. In order to make sendmail listen to all interfaces we need to comment out the following line in /etc/mail/sendmail.mc using 'dnl' which stands for “do next line”:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

2. Once this is done run:

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Notice: Make sure /etc/sendmail.cf isn't also there, if it is, delete it.

3. Restart sendmail and try the following:

telnet test1.seafront.bar 25

Warning: If you get a connection then sendmail is responding. This doesn't mean that sendmail will deliver mail (relay) for you!

3. To configure sendmail to relay for you you need to add the IP for your machine to the /etc/mail/access file:

192.168.246.12 RELAY 4. Finally, we also need to tell sendmail to accept mail for @seafront.bar addresses.

For this, add the domain name to /etc/mail/local-host-names:

seafront.bar

Restart sendmail and send a mail to an existing user. If you have a user tux on the machine then check the output of the following:

20

Mail and Lists________________________________________________________________________________

mail -v -s "test seafront domain" [email protected] < /etc/passwd

1.2 Virtual Hosting

We want the server seafront.bar to accept mail for the city.bar domain. For this we follow the following steps.

The DNS entries

We need to add an MX record for the city.bar domain. Here is the whole block for clarity:

seafront.bar. IN MX 10 test1.seafront.bar.

city.bar. IN MX 10 test1.seafront.bar.

test1.seafront.bar. IN A 192.168.246.12

Reload the zone file:

rndc reload

Sendmail Settings

1. We need to make sendmail accept mail for users at @city.bar. For this we add the next line to the local-host-names file:

city.bar

If mail is sent to [email protected] and tux is a valid user on test1.seafront.bar then mail will be delivered to the local user tux.

To avoid this we can use the /etc/mail/virtusertable database.

2. If you want to forward mail onto another account here are example entries for the virtusertable database:

[email protected] [email protected]@city.bar [email protected] local-list

Here mail for user tux is diverted to [email protected], the user administrator is the catchall account and lists are redirected to local lists (this needs to point to a valid list defined in the aliases).

21


Mail and Lists________________________________________________________________________________

2. Configuring Mailing Lists

2.1 Majordomo and Sendmail

Pre-installation Configuration

1. In the Makefile, replace /bin/perl with the path to the perl binary on your system (usually /usr/bin/perl):

PERL = /usr/bin/perl

To make things easier we will leave the W_HOME as is:

W_HOME = /usr/test/majordomo-$(VERSION)

You need to create the directory /usr/test

mkdir /usr/test

Create a group called majordomo with GID 45, and add a user called majordomo with UID 123

groupadd -g 45 majordomouseradd -g 45 –u 123 majordomo

2. In the sample.cf file we need to define our domain (for example seafront.bar). This is also where the path to the sendmail binary is set:

$whereami = "seafront.bar";$sendmail_command = "/usr/sbin/sendmail";

Now we can run

make installmake install-wrapper

Finally you can test the configuration as suggested with the following:

cd /usr/test/majordomo-1.94.5; ./wrapper config-test

22


Mail and Lists________________________________________________________________________________

If all goes well you will be prompted to register to the majordomo mailing list. Since we do not have a valid email address, answer NO to the question.

Sendmail Configuration

The sendmail configuration involves adding appropriate entries in /etc/aliases for each mailing list we create. But before that we need a symbolic link in /etc/smrsh pointing to the majordomo wrapper binary, and here is why.

In order to limit the number of programs mail can be piped to (using a '| command' instead of an email address) sendmail defines a set of commands known as “sendmail restricted shells” or smrsh. The list of restricted shells is contained in /etc/smrsh which are symbolic links to the actual binaries we allow mail to be piped to.

We will make the wrapper binary available, which is located in /usr/test/majordomo-1.94.5, with the following:

ln -s /usr/test/majordomo-1.94.5/wrapper /etc/smrsh

Before adding the entries to /etc/aliases we need to decide on a name for our first list, and we choose ... test.

Remember that before sending mail to the list [email protected] we first need to subscribe to this list by sending a mail to [email protected] with the contents subscribe test. Some work needs to be done for this to work.

Creating the list “test” (as documented in NEWLIST):

1. Create an empty file called test and a file containing information about the list called test.info in the directory /usr/test/majordomo-1.94.5/lists/

2. Create the following aliases in /etc/aliases:

majordomo: "|/usr/test/majordomo-1.94.5/wrapper majordomo"test: "|/usr/test/majordomo-1.94.5/wrapper resend -l test test-list"test-list: :include:/usr/test/majordomo-1.94.5/lists/testtest-request: "|/usr/test/majordomo-1.94.5/wrapper request-answer test"owner-test: tuxtest-approval: tux

3. Run newaliases and restart sendmail.

Majordomo Test

Send an email to [email protected] with the content: subscribe test

23

Mail and Lists________________________________________________________________________________

If all goes well you will receive a response with further steps to be taken.

3. Managing Mail Traffic

3.1 Mail Filtering with Procmail

Procmail is a program for filtering electronic mail. It is very useful for presorting and preprocessing large amounts of incoming mail. You can use it to sort out mail from mailing lists, to dispose of junk mail, to send automatic replies, or even to run a mailing list.

The Procmail is generally not started from the command line. It is usually invoked by mail delivery subsystems (like Sendmail or Postfix) or from a mail retrieval agent (such as fetchmail). The companion tool formail allows Procmail to be used in batch-processing on mail that already is in a user's mailbox.

The primary use of Procmail is to filter messages into several mailboxes, based on the headers. This filtering is done based on the rules set down in your ~/.procmailrc file.

Procmail is normally installed on most distributions by default. Run which procmail to find out where Procmail is located (usually that is /usr/bin/procmail).

In depth information can be found in the procmail, procmailrc and procmailex manpages. Here are a few examples taken from procmailex(5).

The Procmail agent uses recipes, to determine where to deliver the various mail messages.

A promailrc file is a sequence of recipes of the form:

:0 [flags] [ : [locallockfile] ] <zero or more conditions (one per line)> <exactly one action line>

Each recipe that Procmail uses consists of flags, conditions and action. The next tables cover the main flags, conditions and actions available.

Flags DescriptionH Egrep the header (default).B Egrep the bodyE This recipe only executes if the immediately preceding recipe was not executed.

24

Mail and Lists________________________________________________________________________________

Flags Descriptione This recipe only executes if the immediately preceding recipe failed w Wait for the filter or program to finish and check its exit codeThe conditions are extended regular expressions with the additional conditions below:

Conditions Description! Invert the condition$ Evaluate the remainder of this condition according to sh(1) substitution rules

inside double quotes, skip leading whitespace, then reparse it? Use the exitcode of the specified program< Check if the total length of the mail is shorter than the specified (in decimal)

number of bytes> Check if the total length of the mail is larger than the specified (in decimal)

number of bytes

The action line can start with one of

Action line Description! Forwards to all the specified mail addresses| Starts the specified program{ Followed by at least one space, tab or newline will mark the start of a

nesting blockAnything else

interpret as a mailbox (file or directory relative to current directory or MAILDIR)

Examples:

Sort all mail coming from the lpi-dev mailing list into the mail folder LPI:

:0:* ^To.*lpi-devLPI

Forward mails between two accounts main.address and the-other.address. This rule is for the procmailrc on the main address account. Notice the X-Loop header used to prevent loops:

:0 c* !^X-Loop: [email protected]

25


Mail and Lists________________________________________________________________________________

| formail -A "X-Loop: [email protected]" | \$SENDMAIL -oi [email protected]

The c option tells Procmail to keep a local copy.

Filtering Spam

Spam filtering generally takes place using SpamAssassin. This program analyzes your mail for its likely level of "spamminess", and gives it a numeric score; anything greater than 5 is generally considered spam, and is marked up as such, by adding an "X-Spam-Status: yes" header.

The new mail server automatically runs all emails through SpamAssassin. You can filter messages that SpamAssassin marks as spam by adding the following recipe to your .procmailrc file:

:0:* ^X-Spam-Status: yesspam

26


Mail and Lists________________________________________________________________________________

Web Services1. Implementing a Web Server

1.1 Installing Apache

The apache source code can be downloaded from www.apache.org.

There are two versions of the apache server: 1.3 and 2.x

The configure script allows us to customise the installation. In particular we can choose which modules we want to compile etc. Modules can either be

- statically compiled with--enable-MODULE (where MODULE is the Module Indentifier ) or--enable-modules=”MOD1 MOD2 ...”

- dynamically compiled with--enable-mods-shared=”MOD1 MOD2 ...”

-disabled with--disable-MODULE

1.2 Monitoring apache load

SNMP

Create a read-only SNMP community and restart the snmpd daemon:

/etc/snmp/snmp.confrocommunity lifesavers

Restart the snmpd service:

/etc/init.d/snmpd restart

Check that you can browse information about your system using the community name lifesavers:

snmpwalk -v 1 -c lifesavers localhost ip

27


Mail and Lists________________________________________________________________________________

MRTG

MRTG stands for “multi-router traffic grapher” and uses SNMP to get information about the system.

cfgmaker --output=/etc/mrtg/seafront.cfg \ -ifref=ip --global "workdir: /var/www/mrtg/stats" \

lifesavers@localhost

This will create a file called /etc/mrtg/seafront.cfg. We next update the information in /var/www/mrtg/stats with the following command:

mkdir /var/www/mrtg/statsmrtg /etc/mrtg/seafront.cfg This should be run at regular intervals so it should be run through a cron job.

Task: The graphical output for MRTG will be saved in /var/www/mrtg/stats as an HTML document. This is not a usual place to keep files for the apache server. After the next section, we will make the appropriate changes to httpd.conf to make this directory accessible through the webserver.

Many other tools are available such as Webalizer which analyse the access logs of the apache server.

1.3 Using Apachectl

The apachectl script is used to control the httpd daemon. It takes the following options:

apachectl option Description – extract from apachectl(8)start Start the Apache httpd daemon. Gives an error if it is already

running. This is equivalent to apachectl -k startstop Stops the Apache httpd daemon. This is equivalent to apachectl -k

stoprestart Restarts the Apache httpd daemon. If the daemon is not running, it is

started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn’t die. This is equivalent to apachectl -k restart

28


Mail and Lists________________________________________________________________________________

fullstatus Displays a full status report from mod_status. For this to work, you need to have mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.

status Displays a brief status report. Similar to the fullstatus option, except that the list of requests currently being served is omitted

graceful Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted. This is equivalent to apachectl -k graceful

configtest Run a configuration file syntax test. It parses the configuration files and either reports Syntax Ok or detailed information about the particular syntax error. This is equivalent to apachectl -t

1.4 Basic Configuration Options

Section 1: General Options

KeepAlive on/off Allows a client to perform multiple requests through a single connection

MaxKeepAliveRequests 100 Maximum number of requests during a persistent connection

KeepAliveTimeout 15 Number of seconds to wait for a next request on the same connection

Single Threaded Server

The httpd daemon is a single threaded process which needs to fork child daemons to deal with multiple connections – only with apache2 is it possible to build a multi threaded server.

StartServers 8 Number of httpd servers to start

MinSpareServers 5 Minimum number of spare servers to keep loaded in memory

MaxSpareServers 20 Maximum number of spare servers to keep loaded in memory

MaxClients 150 Maximum number of server processes allowed at any one time

MaxRequestsPerChild 1000 Maximum number of requests before a child is “retired”

29

Mail and Lists________________________________________________________________________________

Multi Threaded Server

These options are available only for apache2 and onwards. You need to recompile apache to enable threads. Most current apache2 binary distributions are still single threaded because of conflicts with most dynamic modules which don't support multi threading yet.

StartServers 2 Notice that this is much lower than the single threaded server

MinSpareThreads 25 Minimum number of spare threads

MaxSpareThreads 75 Maximum number of spare threads

ThreadsPerChild 25 Number of worker threads per child

MaxClients 150 Maximum number of server processes allowed at any one time

MaxRequestsPerChild 0 Never retires?

Listen 80 Specify which port to listen on. Can be of the form IP:port

LoadModule MODULE INDENTIFIER /PATH-TO/MODULE Section where dynamic modules are loaded

Include FILE Read extra configuration options from FILE. Apache2 has a conf.d directory for this

Section 2 :Server Configuration

ServerName The name of the server – can be different

User Name of the user the server runs as

Group Name of the group the server runs as

DocumentRoot The directory the where HTML files are kept

<Directory> Specify options (access control,...) for directories containing HTML files

Alias URL alias for a given directory

AliasScript Same as “Alias” option but for directories containing CGI scripts

DirectoryIndex Set the name of the file which will be used as an index

Section 3: Virtual Hosts

We will cover virtual hosts when configuring SSL servers later in this chapter. For now we distinguish two concepts: <VirtualHost IP:PORT> IP based virtual host

<VirtualHost HOSTNAME:PORT> Name based virtual

30

Mail and Lists________________________________________________________________________________

1.5 Restricting Client Access

Host based control is available using the keywords Order, Deny from and Allow from on directories

<Directory PATH-TO-DIRECTORY> ... </Directory>

or locations

<Location URL> ... </Location>

The next configuration paragraph will allow anybody to access the directory /var/www/safe except the host with IP 192.168.3.101:

<Directory /var/www/safe>

Order allow,denyDeny from 192.168.3.101Allow from all

</Directory>

Alias /safe /var/www/safe

Notice: The Order keyword is important. If we reverse the above order to Order deny,allow then the following would happen: host 192.168.3.101 would first be denied access because of the Deny rule but the Allow rule is read last and will subsequently grant it access. The default access is given by the last argument in the order directive. I.e. “Order allow,deny” has a default of “deny”.

1.6 Client Basic Authentication

The htpasswd tool is used to create passwords for users. For example, we create a new file in the ServerRoot directory called passwords-for-directory1 with a password for user gnu:

htpasswd -c passwords-for-directory1 gnu

If we choose to implement client authentication for the directory /var/www/html/seafront we need to add the following paragraph to httpd.conf:

31

Mail and Lists________________________________________________________________________________

<Directory /var/www/html/seafront>

AuthType basicAuthName "protected site"AuthUserFile conf/seafront.passwdRequire user gnu

</Directory>

Notice: Alternatively, with httpd2 configurations we could create a file called seafront.conf with the above content and save it in the /etc/httpd/conf.d directory.

Reread the configuration file with:

apachectl graceful

2. Maintaining a Web Server

2.1 HTTPS Overview

The secure socket layer protocol SSL allows any networked applications to use encryption. This can be thought of as a process which wraps the socket preparing it to use encryption at the application level.

In the case of HTTPS, the server uses a pair of keys, public and private. The server's public key is used by the client to encrypt the session key, the private key is then used to decrypt the session key for use.

The public key is published using certificates. A certificate contains the following information:

- Name and Address, Hostname, etc.- Public Key- TTL- (optional) ID + Signature from a certificate authority (CA)

The certificate will be used to establish the authenticity of the server. A valid signature from a known CA is automatically recognised by the client's browser. With Mozilla for example these trusted CA certificates can be found by following the links: Edit -> Preferences -> Privacy & Security -> Certificates then clicking on the “Manage Certificates” button and the Authorities tab.

32

Mail and Lists________________________________________________________________________________

Start SSL Handshake

Send Certificate

Send encrypted session key

Encrypt HTTP session with session key

On the other hand communications would be too slow if the session was encrypted using public key encryption. Instead, once the authenticity of the server is established, the client generates a unique secret session key which is encrypted using the servers public key found in the certificate. Once the server receives this session key it can decrypt it using the private key associated with the certificate. From there on the communication is encrypted and decrypted using this secrete session key generated by the client.

2.2 SSL Virtual Hosts

A separate apache server can be used to listen on port 443 and implement SSL connections. However most default configurations involve a single apache server listening on both ports 80 and 443.

For this an additional Listen directive is set in httpd.conf asking the server to listen on port 443. Apache will then bind to both ports 443 and 80. Non encrypted connections are handled on port 80 while an SSL aware virtual host is configured to listen on port 443:

<VirtualHost _default_:443>

SSL CONFIGURATION

</VirtualHost>

The SSL CONFIGURATION lines are:

33

1

client server

2

3

4


Mail and Lists________________________________________________________________________________

SSLEngine onSSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXPSSLCertificateFile PATH_TO_FILE.crtSSLCertificateKeyFile PATH_TO_FILE.key

We need to generate the servers private key (FILE.key) and certificate (FILE.crt) to complete this configuration.

2.3 Managing Certificates

The keys and certificates are usually kept in subdirectories of /etc/httpd/conf called ssl.crt and ssl.key.

There should also be a Makefile that will generate both a KEY and a CERTIFICATE in PEM format which is base64 encoded data.

Using the Makefile

For example if we want to generate a self-signed certificate and private key simply type:

make mysite.crt

The Makefile will generate both files mysite.key (the private key) as well as mysite.crt (the certificate file containing the public key). You can use the following directives in httpd.conf: SSLCertificateFile ... mysite.crtSSLCertificateKeyFile ... mysite.key

Certificate Requests

On a production server you would need to generate a new file called a “certificate request” with:

openssl req -new -key mysite.key -out mysite.csr

This file can be sent to a certificate authority (CA) to be signed. The certificate authority will send back the signed certificate.

Pass Phrases

34

Mail and Lists________________________________________________________________________________

A private key can be generated with or without a passphase, and a private key without a passphrase can be constructed from an existing private key.

A passphrased file: If a private key has a passphrase set then the file starts with

-----BEGIN RSA PRIVATE KEY-----Proc-Type: 4,ENCRYPTEDDEK-Info: DES-EDE3-CBC, ---- snip ----.....

this means that the file is protected by a pass-phrase using 3DES. This was generated by the line /usr/bin/openssl genrsa -des3 1024 > $@ in the Makefile. If the -des3 flag is omitted NO passphrase is set.

You can generate a new private key (mysite-nophrase.key) without a passphrase from the old private key (mysite.key) as follows:

openssl rsa -in mysite.key -out mysite-nopass.key

2.4 Virtual Hosts

Name based virtual hosts

We will first discuss the situation where only one IP has been assigned to the server but there are several A records or CNAME records pointing to the same IP.

Example: Modify the zone files to include a new CNAME record for test1.seafront.bar to point to the actual name of the web server.

e.g. test1.seafront.bar. IN CNAME server1.seafront.bar.server1 IN A 192.x.x.x

In httpd.conf it will be enough to create the following:

<VirtualHost test1.seafront.bar:80> ServerAdmin [email protected] DocumentRoot /var/www/html/test1 ServerName test1. seafront.bar</VirtualHost>

Example 2: Create an SSL aware VirtualHost for test1

35

Mail and Lists________________________________________________________________________________

- Make the certificate and the key: make host1.seafront.bar - Add these lines to httpd.conf:

<VirtualHost 192.168.3.200:443>SSLEngine onSSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXPSSLCertificateFile /etc/httpd/conf/test1.seafront.bar.crtSSLCertificateKeyFile /etc/httpd/conf/test1.seafront.bar.outServerAdmin [email protected]

DocumentRoot /var/www/html/test1 ServerName test1.seafront.bar </VirtualHost>

Notice that the certificate that is presented once you connect to the https://test1 site is incorrect. This is because test1.seafront.bar resolves to the servers IP address and the server will start the SSL handshake before looking at the HTTP request. The next section will fix that.

IP Based Virtual Hosts

Example: We will directly create a series of virtual SSL aware hosts and verify that they present the client with the correct certificate.

- Assign new IP addresses to the eth0 interface: ifconfig eth0:0 X.X.X.X- For each IP enter a new A record: www1 IN A X.X.X.X- For each host create a self signed certificate.- Enter a <VirtualHost X.X.X.X:443> paragraph in httpd.conf.

Notice: You may have to change the existing SSL virtual host from <VirtualHost _default_:443> to <VirtualHost 127.0.0.1:443>

This prevents the default host certificate from being presented irrespective of the site hostname.

Test that https://www1 and https://www2 do present the proper certificates.Notice that if you permanently accept a certificate it will be added to the list of CA certificates on your browser!

36


Mail and Lists________________________________________________________________________________

3. Implementing a Proxy Server

3.1 Getting Started

You can verify that the squid proxy server is installed using:

rpm -q squid

Most versions will install the /etc/init.d/squid rc-script that creates the initial caching directories. If this is not the case squid can initialise these cache directories with the -z switch.

squid –z

NOTICEYou may need to add an access rule in the squid configuration file before being able to rebuild the cache (see the next section “Access Lists and Access Control”)

The configuration file is /etc/squid/squid.conf. The syntax of this file can be checked using the -k switch:

squid -k check

As with most network services the /etc/init.d/squid rc-script is used to start the service.

3.2 Access Lists and Access Control

Access Lists (acl)

In squid.conf the access lists have the following format:

acl aclname acltype string/file

In the simplest cases an acl defines a list of hosts, networks or domains and is given a name. This list can then be granted or denied access using the access control command http_access described in the next paragraph.

37


Mail and Lists________________________________________________________________________________

The next line defines an access list name called localnet corresponding to the local LAN:

acl localnet src 192.168.2.0/255.255.255.0

The main ACL types are listed below:

acltype descriptionsrc IP/netmask or IP1-IP2/netmask (client's IP address)dst IP/network (URL requested)arp MAC addresssrcdomain .example.com (client addresses)dstdomain .example.com (URLs requested)time range of timesport space separated list of ports or range of the form p1-p2

Access control (http_access)

With http_access a particular access list is either allowed or denied access via the proxy. The format is as follows:

http_access allow|deny aclname

The http_access requests are read in sequence and the first rule matched is used. To allow access to all computers on the network insert the following before the http_access deny all line: http_access allow localnet

38


Mail and Lists________________________________________________________________________________

3.3 Additional Configuration Options

The following table is a list of additional options available to further control the squid proxy.

Option Descriptionhttp_port the port squid uses to listen for requests (default 3128)

cache_peer specify another proxy server to query whenever an object isn't cached

cache_mem limit the amount of additional memory used to cache objects (this parameter doesn't limit the maximum process size)

cache_swap_low percentage of swap utilisation. Once this limit is passed objects start to be cached to disk

cache_swap_high percentage of swap utilisation. Once this limit is approached objects start getting evicted from the proxy cache

maximum_object_size objects larger than this will not be cached

maximum_object_size_in_memory objects larger than this will not be kept in the memory cache

Memory Management (from the SQUID FAQ section 8)

“This version of SQUID stores incoming objects only in memory, until the transfer is complete. At that point it decides whether or not to store the object on disk. This means that when users download large files, your memory usage will increase significantly. The squid.conf parameter maximum_object_size determines how much memory an in-transit object can consume before we mark it as uncachable. When an object is marked uncachable, there is no need to keep all of the object in memory, so the memory is freed for the part of the object which has already been written to the client. In other words, lowering maximum_object_size also lowers Squid-1.1 memory usage.”

“If your cache performance is suffering because of memory limitations, you might consider buying more memory. But if that is not an option, There are a number of things to try:

Try a different malloc library [compile SQID with a different malloc] Reduce the cache_mem parameter in the config file. This controls how many ''hot''

objects are kept in memory. Reducing this parameter will not significantly affect performance, but you may recieve some warnings in cache.log if your cache is busy

Turn the memory_pools off in the config file. This causes Squid to give up unused memory by calling free() instead of holding on to the chunk for potential, future use.

Reduce the cache_swap parameter in your config file. This will reduce the number of objects Squid keeps. Your overall hit ratio may go down a little, but your cache will perform significantly better

Reduce the maximum_object_size parameter (Squid-1.1 only). You won't be able to cache the larger objects, and your byte volume hit ratio may go down, but Squid will perform better overall”

39


Mail and Lists________________________________________________________________________________

3.4 Reporting Tools

Most log analysis tools available for squid are listed on the following site:

http://www.squid-cache.org/Scripts/

The main logfile for squid is the /var/log/squid/access.log file. Next is a short overview of calamaris and webalizer. Also notice that webmin produces log reports based on calamaris.

cachemgr.cgi script

The current squid package installs a CGI script in /usr/lib/squid called cachemgr.cgi. One can copy this across to the /var/www/cgi-bin directory where all CGI scripts can run from. It is recommended however to set up a separate directory with htaccess authentication.

Calamaris

The code is GPL and can be downloaded from http://cord.de/tools/squid/calamaris. You can generate reports as follow:

cat /var/log/squid/access.log | calamaris

# Summarylines parsed: 221 invalid lines: 0 parse time (sec): 0

# Incoming requests by methodmethod request % Byte % sec kB/sec --------------------------------- --------- ------ -------- ------ ---- ------- GET 221 100.00 1244262 100.00 3 1.68 --------------------------------- --------- ------ -------- ------ ---- ------- Sum 221 100.00 1244262 100.00 3 1.68

# Incoming UDP-requests by statusno matching requests

# Incoming TCP-requests by statusstatus request % Byte % sec kB/sec --------------------------------- --------- ------ -------- ------ ---- ------- HIT 35 15.84 42314 3.40 0 6.11 MISS 182 82.35 1197840 96.27 1 4.97 ERROR 4 1.81 4108 0.33 120 0.01 --------------------------------- --------- ------ -------- ------ ---- ------- Sum 221 100.00 1244262 100.00 3 1.68

In order to get information on webpage requests per host one can use the -R switch: There are many more switches available (check the manpages for calamaris).

40

Mail and Lists________________________________________________________________________________

There are also a number of scripts that can run hourly or monthly reports. These scripts are included in the EXAMPLES file distributed with calamaris.

calamaris -R 5 /var/log/squid/access.log

# Incoming TCP-requests by hosthost / target request hit-% Byte hit-% sec kB/sec --------------------------------- --------- ------ -------- ------ ---- ------- 192.168.2.103 72 0.00 323336 0.00 0 10.24 *.redhat.com 35 0.00 126726 0.00 0 10.44 *.suse.co. 20 0.00 63503 0.00 0 13.15 *.lemonde.fr 6 0.00 109712 0.00 1 16.39 207.36.15.* 5 0.00 8946 0.00 0 3.94 *.akamai.net 4 0.00 12428 0.00 1 4.43 other: 2 requested urlhosts 2 0.00 2021 0.00 1 0.71 192.168.2.101 63 0.00 295315 0.00 1 4.65 cord.de 17 0.00 115787 0.00 0 20.86 *.doubleclick.net 13 0.00 26163 0.00 1 2.07 *.google.com 10 0.00 30646 0.00 1 3.71 *.squid-cache.org 8 0.00 51758 0.00 1 6.53 <error> 4 0.00 4290 0.00 0 10474 other: 6 requested urlhosts 11 0.00 66671 0.00 5 2.28 --------------------------------- --------- ------ -------- ------ ---- -------Sum 135 0.00 618651 0.00 1 6.51

Webalizer

This tool is often installed by default on some Linux distributions. It is also GPL'ed and can be downloaded from http://www.mrunix.net/webalizer/.

By editing the /etc/webalizer.conf file one can choose between apache access logs, ftp transfer logs or squid logs.

Example graphics generated with Webaliser:

41


Mail and Lists________________________________________________________________________________

3.5 User Authentication (using PAM)

To prevent unauthorised users browsing on the Internet you can setup squid to ask for a username and password. IMPORTANT: You cannot have user authentication and transparent proxy at the same time! The work around is to block all outgoing requests on port 80, except the ones from the Squid proxy itself. Users are then forced to manually set up their browsers to use the proxy. Configuration settings for PAM authentication:

Here are the list of options you need to set in the squid.conf file:

squid.conf PAM authentication settings

[Older versions] authenticate_program /usr/lib/squid/pam_auth[Squid V2.5] auth_param basic program /usr/lib/squid/pam_auth auth_param basic children 5 auth_param basic realm Anvil Internet Proxy auth_param basic credentialsttl 2 hours

acl password proxy_auth REQUIRED

http_access allow password

The PAM configuration in /etc/pam.d: Here we register squid to use the Pluggable Authentication Module.This is done by adding a file in /etc/pam.d/ called squid with the following content

/etc/pam.d/squid

auth required /lib/security/pam_stack.so service=system-auth

auth required /lib/security/pam_nologin.so

account required /lib/security/pam_stack.so service=system-auth

password required /lib/security/pam_stack.so service=system-auth

session required /lib/security/pam_stack.so service=system-auth

session required /lib/security/pam_limits.so

This is a standard policy description on what to do when a person logs on.The login session is abstracted into 4 part: auth, account, password and session. PAM then uses a specific library function which handles each stage.Notice that most lines request the system-auth service which is the

42


Mail and Lists________________________________________________________________________________

/etc/pam.d/system-auth file.

Also note the following from the pam_auth man page.

When used for authenticating to local UNIX shadow password databases the program must be running as root or else it won't have sufficient permissions to access the user password database. Such use of this program is not recommended, but if you absolutely need to then make the program setuid root

chown root pam_auth chmod u+s pam_auth

Please note that in such configurations it is also strongly recommended that the program is moved into a directory where normal users cannot access it, as this mode of operation will allow any local user to brute-force other users passwords. Also note the program has not been fully audited and the author cannot be held responsible for any security issues due to such installations.

43


Mail and Lists________________________________________________________________________________

Network Client Management

1. DHCP Configuration

Dynamic Host Configuration Protocol (DHCP) is network protocol for automatically assigning TCP/IP information to client machines. Each DHCP client connects to the centrally-located DHCP server that returns the client's network configuration including IP address, gateway, and DNS servers.

WARNING: You should not attempt to run a DHCP server unless you are certain not to interfere with the network you are currently using – The safest option for this section is to be totally isolated from the network and use a hub or a switch to connect the classroom together.

1.1 Default DHCP ConfigurationsThe basic communication process between a client workstation joining a TCP/IP network and the DHCP server is depicted below.

The DHCPDISCOVER request is sent using the broadcast 255.255.255.255

The DHCP server can use two methods to allocate IP addresses:

1. A dynamic IP is assigned for a client host chosen from a range of IPs

2. A fixed IP is assigned for a specific host (identified using the MAC address, similar to

44


Mail and Lists________________________________________________________________________________

bootp)Since a single DHCP server can be used to administer IPs over several networks, the dhcpd.conf configuration file is composed of global options followed by network sections:

Example network block:

subnet 10.0.0.0 netmask 255.0.0.0 {....}

In the next example we will assign both dynamic IP addresses and a fixed IP address:

subnet 10.0.0.0 netmask 255.0.0.0 {

range 10.5.5.10 10.5.5.200;

host proxy {

hardware ethernet 00:80:C6:30:0A:7E;

fixed-address 10.5.5.2;

}

}

For each subnet it is possible to give information on network services, such as

- the default gateway - the DNS domain name and the NIS domain name- the DNS servers

In the subnet section above these directives would look like this:

option routers 10.254.254.254;option nis-domain "nisdomain";option domain-name "seafront.bar";option domain-name-servers 10.0.0.2;

The database of dynamically assigned IP addresses is stored in /var/lib/dhcp/dhcpd.leases.

This file should not be modified by hand. DHCP lease information for each recently assigned IP address is automatically stored in the lease database. The information includes the length of the lease, to whom the IP address has been assigned, the start and end dates for the lease, and the MAC address of the network interface card that was used to retrieve the lease.

45


Mail and Lists________________________________________________________________________________

NOTICE

When the DHCP server is started for the first time, it fails unless the dhcpd.leases file exists. Use the command touch /var/lib/dhcpd/dhcpd.leases to create the file if it does not exist.

If the same server is also running BIND as a DNS server, this step is not necessary, as starting the named service automatically checks for a dhcpd.leases file.

To start the DHCP service, use the command /sbin/service dhcpd start. To stop the DHCP server, use the command /sbin/service dhcpd stop.

If more than one network interface is attached to the system, but the DHCP server should only be started on one of the interfaces, configure the DHCP server to start only on that device. In /etc/sysconfig/dhcpd, add the name of the interface to the list of DHCPDARGS:

DHCPDARGS=eth0

1.2 Dynamic DNS

We assume that we still have the private/public key used for the seafront TSIG authentication, we will use this same key to allow the DHCP server to update the zone files on the DNS server.

Additional Configurations on the DHCP Server

On the DHCP server add the following to the dhcpd.conf file

ddns-update-style interim;ignore client-updates;key seafront.bar. { algorithm hmac-md5; secret QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4=; };

zone seafront.bar. { primary 192.168.3.100; key seafront.bar.; }

zone 3.168.192.in-addr.arpa. { primary 192.168.3.100; key seafront.bar.;

46


Mail and Lists________________________________________________________________________________

}

Optionally, it is possible to set a specific host name and domain name for a given host with the keywords

ddns-hostname host_nameddns-domain-name domain_name

If the ddns-hostname option is not present then the DHCP server will try and use the name provided by the client. The domain on the other hand cannot be set by the client, so if ddns-domain-name is not present then the DHCP server will use the value given by the domain-name option.

Additional Configurations on the DNS Server

On the DNS server we need to do the following:

1. If you are using DNSSEC signed zone files then we need to use the unsigned zones.

2. Add the allow-update option to the seafront.bar entry:

zone "seafront.bar" IN { type master; file "seafront.zone"; allow-update { key seafront.bar.; }; allow-transfer { key seafront.bar.; };

};

and do the same with the in-addr.arpa zone:

zone "3.168.192.in-addr.arpa" IN { type master; file "192.168.3.local"; allow-update { key seafront.bar.; }; allow-transfer { key seafront.bar.;};};

Testing with nsupdate

nsupdate is a utility used to request the name server to update its database. nsupdate takes commands like nslookup does, if run without arguments.

47


Mail and Lists________________________________________________________________________________

The following commands are good to know:

server [server address] - Sets the target server for who to send updates.

key [keyname] [secret] - Tell nsupdate what your key is.

zone [zonename] - Explicitly choose a zone to send updates for. If unspecified, nsupdate will guess.

update [...] - Request an update to record.

send - Send updates.

show - Show updates that haven't been sent.

Client Configuration

On Linux clients it is possible to set the DHCP_HOSTNAME variable in the interface setup script. In Redhat-like variants this would be in the /etc/sysconfig/network-scripts/ifcfg-ethX files. Notice that this is simple a hostname, the domain name will be appended to that name on the DHCP sever.

1.3 DHCP Relay

The DHCPDISCOVER packets from clients reach the server through the broadcast 255.255.255.255, however broadcasts are blocked by routers.

So in a configuration with multiple networks and a single DHCP server each router needs to be able to relay DHCPDISCOVER broadcasts from a given network to the DHCP server.

For a Linux router this is done using the dhcp-relay or dhcrelay (more recent) tool. Both tools take a mandatory single argument which is th IP of the DHCP server.

By default the relay tools will listen on all network interfaces for DHCP requests. One can specify an interface with the -i option:

dhcrelay -i eth0 IP_FOR_DHCP_server

48


Mail and Lists________________________________________________________________________________

2. NIS Configuration

2.1 Master Server ConfigurationOn a Linux system the network information system (NIS) server is called ypserv (package name: ypserv). The RPM package has the same name and installs the following main files:

Files installed with ypserv Description /etc/rc.d/init.d/yppasswdd script for the daemon allowing users to change passwords /etc/rc.d/init.d/ypserv script for ypserv daemon /etc/rc.d/init.d/ypxfrd script for daemon used to speed up transfers to slave

servers /etc/ypserv.conf main configuration file for ypserv /var/yp/Makefile Makefile for database files – should only be used on the

master server

1. Choose a nisdomain name

In /etc/sysconfig/network set the variable NISDOMAIN. For example we can set the nisdomain to linis as follows\

NISDOMAIN=linis # entry in /etc/sysconfig/network

The file /etc/sysconfig/network will be sourced by the ypserv initscript.

2. Make sure the master server will push map changes to the slave servers. For this you need to edit the file /var/yp/Makefile and put

NOPUSH=false

3. Start the ypserv daemon

/etc/init.d/ypserv restart

4. Check that the nisdomain has been properly set

nisdomainnamelinis

49


Mail and Lists________________________________________________________________________________

5. Create the databases, the -m option to ypinit is to indicate the server is a master server

/usr/lib/yp/ypinit –m

Enter the list of slave servers you will run on this domain. This will create a number of DBM files in /var/yp/linis as well as a file called /var/yp/ypservers.

2.2 Slave Server Configuration

On the slave server, we need to install the ypserv package too. This time we run ypinit and point it to the the master server:

/etc/rc.d/init.d/ypserv start

/usr/lib/yp/ypinit -s MASTER_IP

Also make sure to leave the line NOPUSH=true in /var/yp/Makefile

2.3 Client Setup

On the client the main service is called ypbind (package name: ypbind). This daemon is responsible for binding to a NIS server and successfully resolves names and passwords as needed.

The main configuration file is /etc/yp.conf.

If the NISDOMAIN variable is set in /etc/sysconfig/network which is sourced by the rc-script /etc/init.d/ypbind then the NIS server will be detected using the broadcast. One can also configure yp.conf and specify. Once this is set one can start ypbind

/etc/init.d/ypbind start

Make sure that the nis keyword is added to /etc/nsswitch.conf.

50


Mail and Lists________________________________________________________________________________

2.4 Setting up NFS home directories

Once the NIS server and clients are setup as above, anybody with an account on the NIS server can log onto a client machine with ypbind pointing at the correct server.

All that is needed is for the user is to access a home directory. This can be done in a number of ways. We will describe one implementation using NFS.

We assume that all the home directories are on a single server with the following IP address 10.0.0.1

All the clients are on the 10.0.0.0/8 network.

On the NFS server

Edit /etc/exports and add

/home 10.0.0.1/8(rw)

Notice that root_squash will apply automatically.

On the client

Edit /etc/fstab and add

10.0.0.1:/home /home defaults 0 0

2.5 Basic NIS Administration

With the latest versions of ypserv a number of default maps are created using source files in /etc. It is possible to alter the YPPWDDIR and YPSRCDIR variables in the Makefile to build maps from alternative files from custom locations.

Updates are made with the Makefile in /var/yp. The targets are all, passwd, group ...

Copy the new maps to /var/yp/linis and run yppush to update the slave servers:

yppush MAP_NAME

51


Mail and Lists________________________________________________________________________________

Additional Commands

Command Descriptionypcat get values from a database, for example ypcat passwd

ypwhich return the name of the NIS server on the network

3. LDAP Configuration

3.1 What is ldap

LDAP stands for Lightweight Directory Access Protocol. The protocol allows access to data in a tree-like structure using attributes. LDAP can be thought of as a specialised database which handles trees. Since directories are also trees, navigating LDAP fields is like navigating a directory. Added to this LDAP has been designed mainly for optimal access. This clarifies the words Directory and Access.

The Distinguished Name

An item in the database can be referenced using a unique Distinguished Name (dn). This is similar to a file's full path in a directory. Each intermediate subfolder is called a Relative Distinguished Name.

Distinguished Name dc=example, dc=com

ou=People ou=Aliases

cn=Tux

dn: cn=Tux, ou=People , dc=Example, dc=com

More Terminology

DIT The Data Information TreeDN Distinguished NameRDN Relative Distinguished NameLDIF LDAP Data Interchange Format

52


Mail and Lists________________________________________________________________________________

Attributes:

dc Domain Componentcn Common Namec Country l Locationo Organisation ou Organisational Unitsn Surnamest Stateuid User id

3.2 OpenLDAP server configuration The server is called slapd (Standalone LDAP daemon) and its configuration file is: /etc/openldap/slapd.conf

We will cover each section of this file in more detail.

Importing schemas There is an include clause in slapd.conf which tells the LDAP server which schemas should be loaded.

We need at least the following:

include /etc/openldap/schema/core.schemainclude /etc/openldap/schema/misc.schemainclude /etc/openldap/schema/cosine.schemainclude /etc/openldap/schema/nis.schemainclude /etc/openldap/schema/inetorgperson.schema

Database Definition

Available DBMs (Database Managers) are ldbm or the more recent bdb.

We will use bdb:

database bdb

53


Mail and Lists________________________________________________________________________________

You need to specify the root or base for the LDAP directory, as well as the directory where the database file will be kept. This is done below:

suffix "dc=example,dc=com"directory /var/lib/ldap/

The following lines are only needed when modifying the LDAP server online. You can then specify an administrator username/password. Use the slappasswd to generate an encrypted hash (see 3.4 Migrating System Files to LDAP):

rootdn "cn=Manager,dc=example,dc=com"rootpw {SSHA}KiXS5htbnVEQp7OrjoteQZHHICs0krBO

3.3 Client configuration files

There are two configuration files called ldap.conf. Here is what they do:

The /etc/ldap.conf file is used by the nss_ldap and pam_ldap modules The file /etc/openldap/ldap.conf is used by the tools ldapsearch and ldapadd

For example, to save time typing:

ldapsearch -b “dc=example,dc=com” -x

you can add the next lines to /etc/openldap/ldap.conf

BASE dc=example, dc=comHOST 127.0.0.1

So far we have configured slapd and the configuration file for ldapsearch in particular. Once we have populated an LDAP directory we will be able to test our setup by typing:

ldapsearch –x

3.4 Migrating System Files to LDAP

There are two methods available to populate an LDAP directory.

If the ldap daemon slapd is stopped, we can do an offline update using slapadd While slapd is running, it is possible to perform an online update using ldapadd or

ldapmodify

54

Mail and Lists________________________________________________________________________________

We will also use migration tools which can be downloaded from http://www.padl.com/OSS/MigrationTools.html.

Creating LDAP directories offline

We are going to work in the directory containing the LDAP migration Perl scripts which we have downloaded from www.padl.com.

Notice: Some distributions may include the migration tools with the LDAP server package.

You should have the following files:

migrate_automount.pl migrate_base.plCVSVersionInfo.txt migrate_common.phMake.rules migrate_fstab.plMigrationTools.spec migrate_group.plREADME migrate_hosts.plads migrate_netgroup.plmigrate_netgroup_byhost.pl migrate_aliases.pl migrate_netgroup_byuser.pl migrate_all_netinfo_offline.sh migrate_networks.pl migrate_all_netinfo_online.sh migrate_passwd.pl migrate_all_nis_offline.sh migrate_profile.pl migrate_all_nis_online.sh migrate_protocols.pl migrate_all_nisplus_offline.sh migrate_rpc.pl migrate_all_nisplus_online.sh migrate_services.pl migrate_all_offline.sh migrate_slapd_conf.pl migrate_all_online.sh

First edit migrate_common.ph and change the $DEFAULT_BASE variable to:

$DEFAULT_BASE = "dc=example,dc=com";

NOTICEWhen migrating the /etc/passwd file one can either use shadow passwords or not. When using shadow passwords an added objectClass called shadowAccount is used in the LDAP record and there is no need to migrate the shadow password file.

We create our first LDIF file called base.ldif to serve as our root:

/migrate_base.pl > base.ldif

This flat file will be converted into bdb (or ldbm) files stored in /var/lib/ldap as follows:

slapadd -v < base.ldif

55

Mail and Lists________________________________________________________________________________

We next choose to migrate the password without shadow passwords as follows:

./migrate_passwd.pl /etc/passwd passwd.ldif

The entries in passwd.ldif should look like this: dn: uid=test,ou=People,dc=example,dc=comuid: testcn: testobjectClass: accountobjectClass: posixAccountobjectClass: topuserPassword: {crypt}$1$FGrRfa0u$lo5XwA9xxssmjboNB2Z361loginShell: /bin/bashuidNumber: 505gidNumber: 506homeDirectory: /home/test

Now let's add this LDIF file to our LDAP directory:(remember that LDAP is stopped so we are still offline)

slapadd -v -l passwd.ldif orslapadd -v < passwd.ldif

NOTICE: Make sure all the files in /var/lib/ldap belong to user ldap.

TESTING:

Restart the LDAP server:

/etc/init.d/ldap restart

Search all the entries in the directory:

ldapsearch -x

If the ldap server does not respond, or the result from ldapsearch is empty, it is possible to show the content of the LDAP databases in /var/lib/ldap with the slapcat command.

56


Mail and Lists________________________________________________________________________________

Creating LDAP Directories Online

The LDAP server can be updated online, without having to shut the ldap service down. For this to work we must specify a rootdn and a rootpw in /etc/openldap/slapd.conf.

The password is generated from the command line as follows

sldappasswdNew password:Re-enter new password: {SSHA}XyZmHH1RlnSVXTj87UvxOAOCZA8oxNCT

We next choose the rootdn in /etc/openldap/slapd.conf to be

rootdn "cn=Manager,dc=example,dc=com"rootpw {SSHA}XyZmHH1RlnSVXTj87UvxOAOCZA8oxNCT

The next line will update the LDAP entries

ldapmodify -f passwd.ldif -x -D ''dc=example,dc=com'' –WEnter LDAP Password:

3.5 LDAP Authentication Scheme

Server Configuration

We assume that the LDAP server has been configured as above.

The passwords in the LDAP directory can also be updated online with the ldappasswd command.

The next line will update the password for user tux on the LDAP server.

ldappasswd -D "cn=Manager,dc=example,dc=com" -S -x -W \ "uid=tux,ou=People,dc=example,dc=com"

The -S switch is used to configure a new password.

We assume that the IP address for the server is 10.0.0.1 and that the domain component is “dc=example,dc=com”

57


Mail and Lists________________________________________________________________________________

You may allow users to change their passwords on the LDAP server as follows:

1. Copy the passwd PAM file /etc/share/doc/nss_ldap-version/pam.d/passwd to /etc/pam.d

2. Add the following access rule in /etc/openldap/slapd.conf

access to attrs=userPassword by self write by anonymous auth by * none

Client Configuration

The clients need to have the nss_ldap package installed (some distributions have a separate pam_ldap package with the PAM related modules and files). The following files and libraries are installed:

/etc/ldap.conf set the hostname and the domain component of the LDAP server used for authentications

/lib/libnss_ldap-2.3.2.so an ldap module for the NameService Switch

/lib/security/pam_ldap.so the PAM ldap module

/usr/lib/libnss_ldap.so a symbolic link to /lib/libnss_ldap-2.3.2.so

/usr/share/doc/nss_ldap-207/pam.d sample files for programs using PAM

If we don't use SSL certificates then /etc/ldap.conf is as follows:

The /etc/ldap.conf filehost 10.0.0.1 base dc=example,dc=com ssl no pam_password md5

Next in /etc/pam.d replace the file called login with /usr/share/doc/nss_ldap-207/pam.d/login. This will tell the authentication binary /bin/login to use the pam_ldap.so module.

Finally the /etc/nsswitch.conf needs to have the following line:

passwd ldap files

Check the /var/log/ldap/ldap.log file on the server to follow the authentication process.

58


Mail and Lists________________________________________________________________________________

4. PAM Authentication

Services or applications which need authentication can use the pluggable authentication module (PAM) mechanism which offers a modular approach to the authentication process. For example, if a new hardware authentication scheme is added to a system, using smart cards or prime number generators, and if corresponding PAM library modules are available for this new scheme, then it is possible to modify existing services to use this new authentication scheme.

4.1 PAM Aware Applications

Services which use pluggable authentication modules have been compiled with libpam. For example sshd is such a service: ldd `which sshd` | grep pam libpam.so.0 => /lib/libpam.so.0 (0x00941000)

These applications will scan the PAM configuration files which in turn tell the application how the authentication will take place.

59


Mail and Lists________________________________________________________________________________

4.2 PAM Configuration

PAM configuration is controlled with the single file /etc/pam.conf. This file contains a list of services and a set of instructions, as follows:

service type control module-path module-arguments

However, if the directory /etc/pam.d exists then pam.conf is ignored and each service is configured through a separate file in pam.d. These files are similar to pam.conf except that the service name is dropped:

type control module-path module-arguments

type: defines the “management group type”. PAM modules are classified into four management groups which define different aspects of the authentication process:

account: check the validity of the account (eg. does the users have a UNIX account, is the user authorised to use the application ...)

auth: the authentication method. This points to a module(s) responsible for the challenge-response

password: defines how to change user passwords, if at allsession: modules that are run before and after a service is granted

control: defines what action to take if the module fails. The simple controls are:

requisite: a failure of the module results in the immediate termination of the authentication process

required: a failure of the module will result in the termination of the authentication once all the other modules of the same type have been executed

sufficient: success of the module is sufficient except if a prior required module has failed

optional: success or failure of this module are not taken into account unless it is the only requirement of its type

module-path: the path to a PAM module (usually in /lib/security)

module-arguments: list of arguments for a specific module

60


Mail and Lists________________________________________________________________________________

System Security

1. Iptables/Ipchains

What is a Packet Filter?A packet filter is a piece of software which looks at the header of packets as they pass through, and decides the fate of the entire packet. It might decide to DROP the packet (i.e., discard the packet as if it had never received it), ACCEPT the packet (i.e., let the packet go through), or something more complicated. - from the “Packet Filtering HOWTO” by Rusty Russell

For more in depth information see the HOWTOs at www.netfilter.org.

In this section we introduce the iptables concepts of chains, tables and targets. We then look at some examples to illustrate network address translation (NAT) as well as the special cases of masquerading and transparent redirections.

1.1 The Chains

A chain is a list of rules which by considering criteria found in the packet's header will make decisions about the type of action to take (target). There are five chains corresponding to different stages in the netfilter framework: PREROUTING, INPUT, FORWARD, POSTROUTING and OUTPUT.

Below is a diagram of the progression of a packet through the kernel netfilter framework:

61


Mail and Lists________________________________________________________________________________

1.2 The Tables

There are three built-in tables (the IP Tables) which allow to carry out different tasks as listed below.

filter: this is the default table and the packets are never altered. Packets are available from the following chains:INPUT for packets coming into the box itselfOUTPUT for locally-generated packetsFORWARD for packets being routed through the box (check the value of

/proc/sys/net/ipv4/ip_forward)

nat: this table only deals with network address translations (NAT) it is consulted when a packet creating a new connection is encountered. Packet headers connected with routing can be altered here. The following chains are considered:PREROUTING alters the packets as they come inPOSTROUTING alters packets as they go outOUTPUT alters locally generated packets before routing

mangle: used for specialized packet alterations. Targets in this table allow the TOS or TTL field to be modified. Until kernel 2.4.17 it could only interact with two chains:PREROUTING for altering incoming packets before routingOUTPUT for altering locally-generated packets before routingSince kernel 2.4.18, the three other chains are also supported:INPUT for packets coming into the box itselfFORWARD for altering packets being routed through the boxPOSTROUTING for altering packets as they are about to go out

1.3 The Targets

The part of the filtering rule which determines what action to take if the rule is matched is called a target and is preceded by a -j flag (jump). Here is an overview of available targets for a given table:

62


Mail and Lists________________________________________________________________________________

all tables: ACCEPT, REJECT, DROP, LOG, ULOG, TCPMSS, MIRRORfilter: (nothing individual to this chain)nat: DNAT, SNAT, MASQUERADE, REDIRECTmangle: TOS, MARK, DSCP, ECN

There are more targets, but they come as part of additional extension kernel modules.

1.4 Example Rules

1. Example filter rules:

Drop incoming icmp-request as well as outgoing icmp-reply packets

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

Notice: The protocol extension flags allow you to specify more information about a specific protocol. In the case of TCP packets for example you may have:

-p tcp –tcp-flags ALL SYN,ACK

ALL stands for SYN ACK FIN RST URG and PSH. This rule says that all flags must be examined and of those, if the SYN and ACK flags are set, the rule is true.

2. Example Destination Network Address Translation (DNAT):

All requests on port 80 for host 192.168.3.100 are redirected to the host 10.1.1.1 on port 80:

iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.3.100 \ --dport 80 -j DNAT --to 10.1.1.1:80

3. Example Source Network Address Translation (SNAT):

The SNAT target is used to change the Source Address. For example, in the case where a router switches from the address on all outgoing packets leaving through ppp0 to its own (public) IP address. The line would look like this:

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.3.0/24 -d 0/0 \ -j SNAT –to ROUTER_IP

This rule can also be written using the MASQUERADE target:

iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.3.0/24 -d 0/0 -j MASQUERADE

63


Mail and Lists________________________________________________________________________________

4. Example Redirection:

A redirection is a special case of DNAT where the –-to host is the same host. For example if a proxy server is running on a router, all requests through port 80 can be PRE-routed through port 3128 with:

iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

TASK: At this stage if you want to implement a transparent proxy with the previous redirection rule you will have to change the configuration file squid.conf and add the following:

httpd_accel_host virtual httpd_accel_port 80 httpd_accel_with_proxy on httpd_accel_uses_host_header on

Remember that if you have implemented an authentication scheme with squid you may have to disable it for the transparent proxy to work.

2. Differences with Ipchains

Some of the main improvement over ipchains:

With iptables, each filtered packet is only processed using rules from one chain rather than multiple chains. In other words, a FORWARD packet coming into a system using ipchains would have to go through the INPUT, FORWARD, and OUTPUT chains in order to move along to its destination. However, iptables only sends packets to the INPUT chain if they are destined for the local system and only sends them to the OUTPUT chain if the local system generated the packets. For this reason, you must be sure to place the rule designed to catch a particular packet in the correct chain that will actually see the packet.

The advantage is that you now have finer-grained control over the disposition of each packet. If you are attempting to block access to a particular website, it is now possible to block access attempts from clients running on hosts which use your host as a gateway. An OUTPUT rule which denies access will no longer prevent access for hosts which use your host as a gateway.

Additional Matching Extensions

Matching extensions are implemented in iptables as modules. Modules are invoked with the -m switch.

For example the state module makes it possible to distinguish new packets and packets from an established connect. The packet is tested for a matching state. Particular state

64


Mail and Lists________________________________________________________________________________

values are NEW, ESTABLISHED, RELATED or INVALID.

iptables -A INPUT -p tcp -m state –-state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -m state –-state NEW,ESTABLISHED -j ACCEPT

Matching extension modules are listed below.

Module Description Option (example)connrate matches the current connection

rate--connrate [!] [from]:[to]

dstlimit This module allows you to limit the packet per second (pps) rate on a per destination IP or per destination port base

--dstlimit avg

icmp this extension is loaded if ‘--protocol icmp’ is specified

--icmptype [!] typename

iprange specify a range of IPs --src-range IP-IPlength matches the length of the packet --length length

mac match the MAC source --mac-source [!] address

state determine the state of a packet (NEW,ESTABLISHED,RELATED,INVALIDE)

–state state

3. Security Tools3.1 SSH

For a first description of the ssh client and sshd server see the section on “Basic Security” in the lpi-manuals document for LPI 102. For an in depth presentation see the Internet draft “The SSH (Secure Shell) Remote Login Protocol” at http://www.free.lp.se/fish/rfc.txt.

This section covers the server configuration file and briefly discusses other mechanisms that the SSH protocol offers such as X11 forwarding and port forwarding.

65


Mail and Lists________________________________________________________________________________

sshd_con fig overview

Port 22 Specify which port to listen on. Multiple “Port” options can be used

Protocol 2,1 Specify version 1 or version 2 SSH protocol. Can be a comma separated list. If both are supplied, they are tried in the order presented.

DenyUsers [USER]@HOST Deny users from a specific host. Wild cards such as * can be used

IgnoreRhosts yes/no Default is yes – Ignore the ~/.rhosts and ~/.shosts filesPermitEmptyPasswords yes/no Default is no – Allow login with an empty passwords

when password authentication is allowedPermitRootLogin yes/no Allow or disallow root access X11Forwarding yes/no Instructs the remote end to route X11 traffic back

through the ssh tunnel to the user's X session. Unless disabled, the xauth settings will be transferred in order to properly authenticate remote X applications

Port Forwarding

It is possible to do port forwarding with the SSH client. This is often used to provide a simple mechanism to encrypt a connection. For example one can open a local (-L) port (1234) pointing to the remote host (www.google.com) on another port (80) as follows: ssh -L 1234:www.google.com:80 127.0.0.1

Quick VPN

This is a user-space VPN as opposed to other types of VPNs which are kernel based.

/usr/sbin/pppd noauth pty \ "ssh SOME_HOST -l root '/usr/sbin/pppd notty noauth 192.168.0.1:192.168.0.2'" \192.168.0.2:192.168.0.1

66

http://www.google.com/


Mail and Lists________________________________________________________________________________

3.2 LSOF

lsof shows open files used by processes. Traditionally it is used to list PIDs of processes running on a given directory:

lsof +D DIRECTORY

lsof will output the following information:

NAME: name of the processPID: process ID USER: name of the user to whom the process belongsFD: File desciptor (e.g u = read write, r = read, w = write)TYPE: The file type (e.g REG = regular file)DEVICE: Major/Minor number (e.g 3,16 =/dev/hda16 )SIZE: Size or offset of the fileNODE: Inode of the file NAME: The name of the file

lsof can also be used to display network sockets. For example the following line will list all internet connections:

lsof -i

You can also list connections to a single host:

lsof -i @HOST

For example if a host TOFFY is connected to your localhost on port 1234, the following would display information about the connection:

lsof -i @TOFFY:1234

67

Mail and Lists________________________________________________________________________________

3.3 NETSTAT

netstat is used to print network connections, routing tables, etc.

Main options are:

-r display routing tables -l only listening services-C display route cache --inet restrict to network sockets

Protocol types are:

-t select tcp -u select udp

3.4 TCPDUMP

tcpdump dumps traffic on a network.

From the man page:

The TCP Packet

The general format of a tcp protocol line is:

src > dst: flags data-seqno ack window urgent options

Src and dst - the source and destination IP addresses and ports.

Flags - some combination of S (SYN), F (FIN), P (PUSH) or R (RST) or a single ‘.’ (no flags).

Data-seqno - describes the portion of sequence space covered by the data in this packet (see example below).

Ack - sequence number of the next data expected in the other direction on this connection.

Window - the number of bytes of receive buffer space available in the other direction on this connection.

Urg - indicates there is ‘urgent’ data in the packet.

Options - tcp options enclosed in angle brackets (e.g., <mss 1024>)

68


Mail and Lists________________________________________________________________________________

Capturing TCP packets with particular flag combinations (e.g SYN-ACK, URG-ACK, etc.)

There are 8 bits in the control bits section of the TCP header:

CWR | ECE | URG | ACK | PSH | RST | SYN | FIN

Let’s assume that we want to watch packets used in establishing a TCP connection. Recall the structure of a TCP header without options:

0 15 31 ----------------------------------------------------------------- | source port | destination port | ----------------------------------------------------------------- | sequence number | ----------------------------------------------------------------- | acknowledgment number | ----------------------------------------------------------------- | HL | rsvd |C|E|U|A|P|R|S|F| window size | ----------------------------------------------------------------- | TCP checksum | urgent pointer | -----------------------------------------------------------------

A TCP header usually holds 20 octets of data, unless options are present. The first line of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.

Starting to count with 0, the relevant TCP control bit are contained in octet 13:

0 7| 15| 23| 31 ----------------|---------------|---------------|---------------- | HL | rsvd |C|E|U|A|P|R|S|F| window size | ----------------|---------------|---------------|---------------- | | 13th octet | | |

Let’s have a closer look at octet no. 13:

| | |---------------| |C|E|U|A|P|R|S|F| |---------------| |7 5 3 0|

These are the TCP control bits we are interested in. We have numbered the bits in this octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is number 5.

Recall that we want to capture packets with only SYN set. Let’s see what happens to octet 13 if a TCP datagram arrives with the SYN bit set in its header:

69


Mail and Lists________________________________________________________________________________

|C|E|U|A|P|R|S|F||---------------||0 0 0 0 0 0 1 0||---------------||7 6 5 4 3 2 1 0|

Looking at the control bits section we see that only bit number 1 (SYN) is set.

Assuming that octet number 13 is an 8-bit unsigned integer in network byte order, the binary value of this octet is

00000010

and its decimal representation is

7 6 5 4 3 2 1 0 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 1*2 + 0*2 = 2

We’re almost done, because now we know that if only SYN is set, the value of the 13th octet in the TCP header, when interpreted as a 8-bit unsigned integer in network byte order, must be exactly 2.

This relationship can be expressed as

tcp[13] == 2

3.5 NMAP

nmap is the network exploration tool and security scanner.

The scanner makes use of the fact that a closed port should (according to RFC 793) send back an RST. In the case if a SYN scan, connections that are half opened are immediately close by nmap by sending an RST itself.

The main scan types are:

SYN or Half-open: -sSnmap will send a synchronisation packet SYN asking for a connection. If the remote host send a RST/ACK it is assumed that the port is closed. If the remote host sends a SYN/ACK this indicates that the port is listening.

UDP: -sU

70


Mail and Lists________________________________________________________________________________

UDP is connectionless. So there is no need for a 3 way handshake as with TCP. If a port is closed the server will send back a ICMP PORT UNREACHABLE. One then deduces that all the other ports are open (not reliable in the case were ICMP messages are blocked).

TCP NULL: -sNTCP packet with no flags set. Closed port will send a RST when receiving these packets (except with MS Windows).

TCP Xmas: -sXTCP packet with the FIN+URG+PUSH flags set. The remote host should send back a RST for all closed ports when receiving a Xmas packet.

71

Vježbe


Vježbe__________________________________________________________

Vježba 1: Upoznavanje s radnim okruženjem1. Prijavite se na sustave kojima ćete se služiti u vježbama. Zabilježite njihovu

trenutačnu konfiguraciju:

Napomena: Nije nužno da su sve postavke na početku tečaja postavljene ili ispravne (ipak ih zabilježite). Neke postavke će se tijekom tečaja mijenjati.

74

IP-adresa: _________________

IP-adresa: __________________Mreža/maska: _________________

Hostname (FQDN): _________________

Gateway: _________________

DNS: _________________

Mreža/maska: _________________ IP-adresa: _________________

IP-adresa: _________________

Hostname (FQDN): _________________

Gateway: _________________

DNS: _________________

server1

server2


Vježbe__________________________________________________________

Vježba 2: DNSJednostavna konfiguracija (forward only)1. Na sustavu server1 instalirajte pakete bind i bind-utils

(yum install bind bind-utils).

2. U datoteku /etc/named.conf unutar sekcije options (na primjer iza retka s oznakom directory) upišite:

forward only;forwarders { 161.53.2.69; 161.53.2.70;};

Obrišite ili označite kao komentar redak: listen-on-v6 port 53 { ::1; };

Pokrenite naredbu /usr/sbin/named-checkconf kako biste provjerili postoje li greške u konfiguracijskoj datoteci /etc/named.conf.

3. Pokrenite named i postavite da se pokreće prilikom svakog pokretanja sustava:

service named startchkconfig named on

Napomena: Ako ne postoji datoteka rndc.key, skripta /etc/init.d/named će je stvoriti, što može potrajati i nekoliko minuta.

Provjerite radi li named ispravno:

dig @127.0.0.1 www.srce.hrilinslookup www.srce.hr 127.0.0.1

Definiranje zona

4. Dodajte sljedeći tekst na kraj datoteke /etc/named.conf:

zone "tecaj.hr" IN { type master; file "zone/tecaj.hr";};

zone "1.168.192.in-addr.arpa" IN {

75


Vježbe__________________________________________________________

type master; file "zone/192.168.1";};zone "2.168.192.in-addr.arpa" IN { type master; file "zone/192.168.2";};

5. Provjerite postoji li definicija za root-zonu:

zone "." IN { type hint; file "named.ca";};

6. Promijenite forward only; u forward first;

Napomena: Ova izmjena ne utječe na izvođenje vježbe, ali dobro ju je napraviti zbog preglednosti koda.

7. Stvorite direktorij u koji će se upisivati podaci za zone:

mkdir /var/named/zonechown named:named /var/named/zonechmod 770 /var/named/zone

8. U direktoriju /var/named/zone stvorite datoteke tecaj.hr, 192.168.1 i 192.168.2 na sljedeći način:

Neka datoteka tecaj.hr ima sljedeći sadržaj (na mjestu opcije serial umjesto 2014030201 možete upisati oznaku koja odgovara aktualnom datumu):

$TTL 1D@ IN SOA tecaj.hr. root.tecaj.hr. ( 2014030201 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum

NS server1.tecaj.hr.

localhost A 127.0.0.1server1 A 192.168.1.100

A 192.168.2.201server2 A 192.168.2.202Neka datoteka 192.168.1 ima sljedeći sadržaj:

76


Vježbe__________________________________________________________



100 PTR server1.tecaj.hr.

Neka datoteka 192.168.2 ima sljedeći sadržaj:



201 PTR server1.tecaj.hr.202 PTR server2.tecaj.hr.

Provjerite s /usr/sbin/named-checkconf postoje li greške u datoteci named.conf.

Provjerite postoje li greške u zonama:

/usr/sbin/named-checkzone tecaj.hr /var/named/zone/tecaj.hr/usr/sbin/named-checkzone 1.168.192.in-addr.arpa /var/named/zone/192.168.1/usr/sbin/named-checkzone 2.168.192.in-addr.arpa /var/named/zone/192.168.2

9. Pokrenite service named reload.

Provjerite je li sve u redu:

nslookup server1.tecaj.hr 127.0.0.1

(Upišite naredbu nslookup server1.tecaj.hr 192.168.2.201. Koji ste rezultat dobili i zašto?)

U datoteci /etc/init.d/named proučite što radi naredba service named reload. Na koje načine ona pokušava ostvariti da named ponovno učita konfiguracijsku datoteku? Koji je prvi način? Kada će se pokrenuti drugi način?

10. U datoteci /etc/named.conf (u sekciji options) izmijenite redak u kojem piše

77


Vježbe__________________________________________________________

listen-on port 53 { 127.0.0.1; };

tako da on glasi:

listen-on port 53 { any; };

U sekciji options izmijenite postojeći ili dodajte novi (ako ne postoji) redak s direktivom allow-query tako da piše:

allow-query { 192.168.1.0/24; 192.168.2.0/24; localhost; };

Pokrenite service named reload (ili service named restart). Provjerite je li sve u redu:

nslookup server1.tecaj.hr 192.168.2.201

Postavke na klijentima

11. Na sustavu server1 izmijenite datoteku /etc/resolv.conf tako da njezin sadržaj bude:

search tecaj.hrnameserver 192.168.1.100nameserver 192.168.2.201

Sadržaj datoteke /etc/sysconfig/network neka bude:

NETWORKING=yesHOSTNAME=server1.tecaj.hrGATEWAY=192.168.1.1

Provjerite sadržaj datoteka /etc/sysconfig/network-scripts/ifcfg-eth0 i /etc/sysconfig/network-scripts/ifcfg-eth1 i napravite izmjene ako je potrebno (posebno provjerite vrijednosti varijabli IPADDR, PREFIX i GATEWAY).

Ponovno pokrenite sustav. (Aktivacija načinjenih izmjena moguća je i bez ponovnog pokretanja sustava - dovoljno je ponovno pokrenuti odgovarajuće servise. Ponovnim pokretanjem sustava provjerit ćemo prije nastavka rada jesu li načinjene izmjene trajne.)

Napomena: Ako želite, možete isključiti Network Manager (yum -y remove NetworkManager; service network restart).

12. Na sustavu server2 izmijenite datoteku /etc/resolv.conf tako da njezin sadržaj bude:

search tecaj.hrnameserver 192.168.2.201

Provjerite radi li naredba nslookup server1.

78


Vježbe__________________________________________________________

Sadržaj datoteke /etc/sysconfig/network na sustavu server2 neka bude:

NETWORKING=yesHOSTNAME=server2.tecaj.hrGATEWAY=192.168.2.201

Provjerite sadržaj datoteke /etc/sysconfig/network-scripts/ifcfg-eth0 i napravite izmjene ako je potrebno.

Ponovno pokrenite sustav.

79


Vježbe__________________________________________________________

Vježba 3: Sekundarni DNS

1. Na sustavu server1 izmijenite konfiguracijsku datoteku za DNS (/etc/named.conf) tako da u sekciju options (na primjer nakon retka s allow-query) dodate:

allow-transfer { 192.168.2.202; };

U definicije svih zona (datoteke tecaj.hr, 192.168.1 i 192.168.2 u direktoriju /var/named/zone) dodajte server2.tecaj.hr kao dodatni name server, a serial number povećajte za jedan

Na primjer, zaglavlje zone tecaj.hr izgledat će ovako:

@ IN SOA tecaj.hr. root.tecaj.hr. ( 2014030202 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum

NS server1.tecaj.hr.NS server2.tecaj.hr.

Ponovno pokrenite named. (Da smo izmjene radili samo na zonama, tada bi bilo dovoljno da pokrenemo naredbu rndc reload.)

2. Na sustavu server2 instalirajte paket bind (umetnite instalacijski medij u optički uređaj, potražite odgovarajući paket u direktoriju Packages te instalirajte ga naredbom rpm, na primjer: rpm -i bind-9.8.2-0.17.rc1.el6_4.6.i686.rpm).

3. Na sustavu server2 izmijenite datoteku /etc/named.conf tako da u sekciji options bude:

listen-on port 53 { any; };

forward first;forwarders { 192.168.2.201;};

allow-query { 192.168.1.0/24; 192.168.2.0/24; localhost; };

80


Vježbe__________________________________________________________

Na kraj datoteke /etc/named.conf dodajte podatke o zonama:

zone "tecaj.hr" IN { type slave; masters { 192.168.2.201; }; file "slaves/tecaj.hr";};

zone "1.168.192.in-addr.arpa" IN { type slave; masters { 192.168.2.201; }; file "slaves/192.168.1";};

zone "2.168.192.in-addr.arpa" IN { type slave; masters { 192.168.2.201; }; file "slaves/192.168.2";};

4. Provjerite postoji li direktorij /var/named/slaves. Ako ne postoji napravite ga. Ako postoji i nije prazan, obrišite njegov sadržaj (rm /var/named/slaves/*).

Provjerite s /usr/sbin/named-checkconf postoje li greške u datoteci named.conf i nakon toga pokrenite named:

service named startchkconfig named on

Provjerite s nslookup server1.tecaj.hr localhost je li sve u redu.

Proučite sadržaj direktorija /var/named/slaves. Što se dogodilo?

5. Na sustavu server2 izmijenite sadržaj datoteke /etc/resolv.conf tako da bude:

search tecaj.hrnameserver 192.168.2.201nameserver 192.168.2.202

Na sustavu server1 zaustavite named: service named stop.

Na sustavu server2 pokrenite nslookup.

81


Vježbe__________________________________________________________

Provjerite rezultate sljedećih upita:

> server1

Odgovor bi trebao biti: Default server: 192.168.2.201Address: 192.168.2.201#53Default server: 192.168.2.202Address: 192.168.2.202#53

> server2

Nakon kratkog čekanja, odgovor bi trebao biti:

Server: 192.168.2.202Address: 192.168.2.202#53

Name: server1.tecaj.hrAddress: 192.168.1.100Name: server1.tecaj.hrAddress: 192.168.2.201

Što možete zaključiti iz rezultata upita?

Ponovno pokrenite named na sustavu server1 (service named start).

82


Vježbe__________________________________________________________

Vježba 4: DNSSEC1. Na sustavu server1 (u nekom direktoriju koji nije dostupan ostalim korisnicima, na

primjer u home-direktoriju ili direktoriju /var/named/zone) pokrenite naredbu:

dnssec-keygen -a HMAC-MD5 -b 256 -n host tecajhr

Napomena: Na sporijim sustavima kreiranje ključa može trajati i desetak minuta.

U radnom direktoriju stvorit će se dvije nove datoteke, na primjer:

Ktecajhr.+157+45497.keyKtecajhr.+157+45497.private

Primjer sadržaja datoteke key-datoteke (Ktecajhr.+157+45497.key):

tecaj.hr. IN KEY 512 3 157 WmcHtBlHmTyw7HNM9+h6Brlp+EjGmqLmHW6Y6tMvXJg=

Primjer sadržaja private-datoteke (Ktecajhr.+157+45497.private):

Private-key-format: v1.3Algorithm: 157 (HMAC_MD5)Key: WmcHtBlHmTyw7HNM9+h6Brlp+EjGmqLmHW6Y6tMvXJg=Bits: AAA=Created: 20140302191527Publish: 20140302191527Activate: 20140302191527

U ovom primjeru konkretna vrijednost ključa je: WmcHtBlHmTyw7HNM9+h6Brlp+EjGmqLmHW6Y6tMvXJg=

Napomena: U obje je datoteke vrijednost ključa ista jer je riječ o simetričnom algoritmu za kriptiranje. Vrijednost ključa je tajni podatak koji ne bi trebao biti dostupan ostalim korisnicima na sustavu.

2. Stvorite datoteku /etc/slave.key sljedećeg sadržaja:

key "tecajhr" { algorithm hmac-md5; secret "WmcHtBlHmTyw7HNM9+h6Brlp+EjGmqLmHW6Y6tMvXJg=";};

(Umjesto "WmcHtBlHmTyw7HNM9+h6Brlp+EjGmqLmHW6Y6tMvXJg=" upišite vrijednost Vašeg ključa.)

83


Vježbe__________________________________________________________

Postavite odgovarajuće postavke na datoteku /etc/slave.key:

chown root:named /etc/slave.keychmod 640 /etc/slave.key

3. U datoteku /etc/named.conf (na primjer iza include "/etc/named.root.key";) dodajte redak:


U sekciju koja opisuje zonu tecaj.hr dodajte:

allow-transfer { key tecajhr; };

Provjerite da u sekciji options piše:

dnssec-enable yes;dnssec-validation no;

Provjerite s /usr/sbin/named-checkconf postoje li greške u datoteci named.conf.

Ponovno pokrenite named: service named restart

Napomena: Zone 1.168.192.in-addr.arpa i 2.168.192.in-addr.arpa su radi potreba ove vježbe namjerno ostale su nepromijenjene. U stvarnom slučaju primijenili bismo isti postupak i na njih (tj. dodali bismo redak allow-transfer { key tecajhr; }; u sve sekcije koje opisuju zone).

4. Na sustavu server2 zaustavite named (service named stop) i obrišite podatke u direktoriju /var/named/slaves (na primjer: rm /var/named/slaves/*).

Ponovno pokrenite named: service named start

Provjerite sadržaj direktorija /var/named/slaves. Koje su se zone kopirale? Nedostaje li koja?

Provjerite što se dogodilo:

nslookup server1.tecaj.hr localhostnslookup 192.168.2.201 localhost

4. Kopirajte datoteku /etc/slave.key sa sustava server1 na sustav server2 (na primjer, naredbom scp ili neposredno kopirajući tekst (copy&paste) iz jednog u drugi terminalski prozor).

Postavite datoteci /etc/slave.key (na sustavu server2) odgovarajuća prava pristupa:

84


Vježbe__________________________________________________________

chown root:named /etc/slave.keychmod 640 /etc/slave.key

U datoteku /etc/named.conf na sustavu server2 dodajte sljedeće retke:


server 192.168.2.201 { keys tecajhr;};

Ponovno pokrenite named.

Pogledajte sadržaj direktorija /var/named/slaves. Što se promijenilo?

Potražite redak s ključnom riječju TSIG u datoteci /var/log/messages.

85


Vježbe__________________________________________________________

Vježba 5: Sendmail i PostfixU ovoj vježbi postavit ćemo mail-poslužitelje (MTA) na sustavima server1 i server2. Na sustavu server1 postavit ćemo Sendmail, a na sustavu server2 Postfix.

Obzirom da je na sustavu server1 već instaliran Postfix, prvo ćemo Postfix zamijeniti sa Sendmailom ...

Instaliranje Sendmaila

1. Aplikacija alternatives služi za stvaranje i upravljanje alternativnim softverskim paketima na sustavu. Na sustavu server1 provjerite trenutačnu situaciju s MTA:

alternatives --display mta

Napomena: Uvid u trenutačnu situaciju možete dobiti i sa ls -l /etc/alternatives/mta* | cut -f10- -d" " odnosno( cd /etc/alternatives ; ls -l mta* | cut -f10- -d" " )

Ukoliko sendmail nije instaliran, instalirajte ga:

yum install sendmail sendmail-cf m4

Ako je potrebno, zaustavite postfix i onemogućite njegovo pokretanje prilikom pokretanja sustava:

service postfix stopchkconfig postfix off

Zamijenite Postfix sa Sendmailom:

alternatives --set mta /usr/sbin/sendmail.sendmail

Kako biste dobili detaljniji uvid u načinjene promjene, ponovno pokrenite

( cd /etc/alternatives ; ls -l mta* | cut -f10- -d" " )

U datoteci /etc/mail/sendmail.mc dodajte riječ dnl na početak retka koji glasi:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

Nakon izmjene, taj redak izgleda ovako:

dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

86


Vježbe__________________________________________________________

Napomena: Riječ je o retku kojim se određuje da sendmail prihvaća konekcije samo na adresi 127.0.0.1. Ovime smo osigurali da se taj redak kod sljedećeg stvaranja nove konfiguracijske datoteke za sendmail ignorira (sendmail će prihvaćati konekcije na svim mrežnim sučeljima).

Stvorite novu konfiguracijsku datoteku:

mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.origm4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Provjerite u čemu se razlikuju nova i stara konfiguracijska datoteka:

diff /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig

Napomena: Izmjene smo mogli napraviti i neposredno na datoteci sendmail.cf, na primjer: sed -i.orig 's/Addr=127.0.0.1,//' /etc/mail/sendmail.cf

Pokrenite sendmail:

chkconfig sendmail onservice sendmail start

2. Pošaljite poruku korisniku root (mail [email protected]). Provjerite je li isporučena.

Proučite sadržaj direktorija /var/spool/mail.

3. Ako je potrebno, instalirajte telnet (yum install telnet).

Pokrenite telnet:

telnet localhost 25

i upišite sljedeće:

HELPEHLO pogodi-tko-sam.hrMAIL From: [email protected] To: [email protected]: Opasna prijetnjaPozdrav od hakera..QUIT

87

Vježbe__________________________________________________________

Je li isporučena nova poruka za korisnika root?

Proučite zapise u log-datoteci /var/log/maillog.

MX-zapisi (DNS), local-host-names i aliasi

4. U zonu tecaj.hr (datoteka /var/named/zone/tecaj.hr) dodajte sljedeći MX-zapis:

tecaj.hr. IN MX 10 server1.tecaj.hr.

Pokrenite rndc reload.

Provjerite ispravnost nove konfiguracije: nslookup -query=mx tecaj.hr

5. U datoteku /etc/mail/local-host-names upišite sljedeći redak:

tecaj.hr

Ponovno pokrenite sendmail: service sendmail restart.

Pošaljite poruku na adresu [email protected]. Provjerite je li isporučena.

6. U datoteku /etc/aliases dodajte redak:

ime.prezime: root

Pokrenite newaliases.

Pošaljite poruke na [email protected] i [email protected]:

mail -s "Ovo je /etc/passwd" [email protected] < /etc/passwdmail -s "Ovo je /etc/passwd" [email protected] < /etc/passwd

Provjerite jesu li poruke isporučene.

Mail queue

7. Popis poruka koje čekaju u redu za isporuku (mail queue) može se ispisati naredbama sendmail -bp i mailq. Provjerite ima li na sustavu server1 neisporučenih poruka koje čekaju u redu.

Pokušajte poslati sljedeću poruku:

mail -s "Oprostite na smetnji" [email protected] < /dev/null

Provjerite je li poruka ostala čekati u redu za isporuku:

88

Vježbe__________________________________________________________

mailq

Neisporučene poruke nalaze se u direktoriju /var/spool/mqueue. Pogledajte sadržaj tog direktorija i usporedite ga s prethodnim rezultatom naredbe mailq:

ls -l /var/spool/mqueue

Proučite sadržaj kontrolne datoteke (s prefiksom qf):

more /var/spool/mqueue/qf*

Pronađite u log-datoteci /var/log/maillog zapise vezane uz isporuku poruke koje ste poslali.

Pokušajte odgovoriti na sljedeća pitanja: Kojem je poslužitelju u domeni srce.hr naš poslužitelj pokušao proslijediti poruku?

Koji je SMTP reply-kod naš poslužitelj dobio kad je pokušao isporučiti poruku?

Zašto je poruka ostala u redu (nije isporučena primatelju niti se vratila pošiljatelju)?

Obrišite poruke koje čekaju u redu:

rm /var/spool/mqueue/*

8. Pokušajte poslati sljedeću poruku:

mail [email protected] < /dev/null

Što se dogodilo? Nemojte je obrisati iz reda za isporuku. Iskoristit ćemo je u nastavku ove vježbe.

Postfix

9. Provjerite je li na sustavu server2 instaliran i pokrenut Postfix:

service postfix status

Upoznajte se s aktualnom konfiguracijom:

postconf mail_versionpostconf inet_interfaces

Proučite koje su standardne postavke programa Postfix izmijenjene zapisima u main.cf:

89


Vježbe__________________________________________________________

postconf -n

U datoteci /etc/postfix/main.cf postavite vrijednost varijable inet_interfaces na all:

inet_interfaces = all

Obrišite redak u kojem piše inet_interfaces = localhost ili ga pretvorite u komentar: # inet_interfaces = localhost

Ponovno pokrenite Postfix:

service postfix restart

Napomena: Obzirom da je u datoteci main.cf promijenjena vrijednost varijabla inet_interfaces (promijenjene su postavke koje se odnose na mrežno sučelje), nije bilo dovoljno pokrenuti postfix reload.

10. Na sustavu server1 provjerite je li poruka koju smo pokušali poslati korisniku [email protected] još uvijek u redu za isporuku (mailq).

Ručno pokrenite obradu poruka koje čekaju u redu:

sendmail -q

Provjerite je li poruka još uvijek u redu. Provjerite je li ju primatelj na sustavu server2 primio.

Mail relayingObzirom da server2 za sada još uvijek ne može pristupati sadržajima na Internetu (za to je potrebno implementirati NAT na sustavu server1, što ćemo napraviti kasnije), postavit ćemo da sva pošta sa sustava server2 ide preko sustava server1. Isto tako, postavit ćemo da sustav server1 prihvaća i prosljeđuje svu poštu za sustav server2.

Također, postavit ćemo (putem datoteke .forward) da se pošta za korisnika [email protected] prosljeđuje i korisniku root na sustavu server1.

11. Na sustavu server2 promijenite sadržaj datoteke /etc/postfix/main.cf tako da piše:

relayhost = [server1.tecaj.hr]

Pokrenite postfix reload.

90

Vježbe__________________________________________________________

Provjerite jesu li izmjene prihvaćene: postconf relayhost.

12. Na sustavu server1 u datoteku /etc/mail/access dodajte redak:

Connect:192.168.2 RELAY

Pokrenite naredbu

makemap hash /etc/mail/access.db < /etc/mail/access

(ili ponovno pokrenite sendmail).

13. Na sustavu server2 pokušajte poslati poruku korisniku [email protected]:

mail [email protected] < /dev/null

Na oba sustava (server1 i server2) pokrenite naredbu mailq i provjerite na kojem je sustavu ova poruka završila u redu za isporuku (trebala bi biti na sustavu server1).

Što znači dobiveni rezultat?

14. Na sustavu server2 u home-direktoriju korisnika root stvorite datoteku .forward sljedećeg sadržaja:

\root (\root obavezno mora biti u prvom retku)[email protected]

Postavite odgovarajuća prava pristupa:

chmod 644 .forward

Pošaljite poruku korisniku [email protected] i provjerite je li ona isporučena na obje adrese navedene u datoteci .forward.

91


Vježbe__________________________________________________________

Vježba 6: Majordomo

Instaliranje Majordoma

1. Ako na sustavu server1 nije instaliran kompajler za C, instalirajte ga (yum install gcc).

Preuzmite s Interneta Majordomovu distribucijsku arhivu i raspakirajte je u direktoriju /tmp:

cd /tmpwget http://www.greatcircle.com/majordomo/1.94.5/majordomo-1.94.5.tar.gz tar xvf majordomo-1.94.5.tar.gz cd majordomo-1.94.5

2. U datoteci Makefile načinite sljedeće izmjene:

PERL = /usr/bin/perlW_HOME = /usr/local/majordomoTMPDIR = /var/tmp

(Vrijednost varijable TMPDIR mogla je i ostati nepromijenjena. Naime originalna vrijednost varijable TMPDIR [direktorij /usr/tmp] je simbolički link na /var/tmp.)

U datoteci sample.cf načinite sljedeće izmjene:

$whereami = "tecaj.hr";$sendmail_command = "/usr/sbin/sendmail";

(Druge postavke za varijablu sendmail_command treba obrisati ili pretvoriti u komentar.)

Stvorite direktorij /usr/local/majordomo te korisnika i skupinu majordomo:

mkdir /usr/local/majordomogroupadd -g 45 majordomouseradd -g 45 -u 123 majordomousermod –a –G majordomo mail

Pokrenite prevođenje i instalaciju izvršnog koda:

make installmake install-wrapper

92


Vježbe__________________________________________________________

Napravite provjeru (na pitanje: „Shall I send email to [email protected] to register this version?“ odgovorite s no):

cd /usr/local/majordomo./wrapper config-test

Omogućite da sendmail pokreće Majordomov wrapper:

ln -s /usr/local/majordomo/wrapper /etc/smrsh

U datoteku /etc/mail/sendmail.mc dodajte sljedeći redak (uočite da su prvi navodnici backquote):

define(`confDONT_BLAME_SENDMAIL',`GroupWritableDirPathSafe,GroupWritableIncludeFile')

i pokrenite

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

Ponovno pokrenite sendmail (service sendmail restart).

Napomena: Oni koji se odluče za neposredno editiranje datoteke /etc/mail/sendmail.cf trebaju dodati sljedeći redak u datoteku sendmail.cf (potražite gdje se u datoteci sendmail.cf nalazi ključna riječ DontBlameSendmail i na tom mjestu napravite izmjenu):

O DontBlameSendmail=GroupWritableDirPathSafe,GroupWritableIncludeFile

Napomena: Ovime smo isključili dio sigurnosnih ograničenja implementiranih u program sendmail koja ne dozvoljavaju da rad s datotekama i direktorijima koji su group-writable.

U datoteku /etc/aliases dodajte nove aliase:

majordomo: "|/usr/local/majordomo/wrapper majordomo"majordomo-owner: root

i pokrenite naredbu newaliases.

Provjerite radi li ispravno ono što ste do sada napravili:

echo help | mail -s "help" majordomo

93


Vježbe__________________________________________________________

Definiranje lista

3. Ako ne postoji korisnik tux stvorite ga (tux će biti vlasnik liste koju ćemo stvoriti u nastavku vježbe): useradd -c "Tux the Penguin" tux

Podesite sve što je potrebno za novu listu koja će se zvati moja-lista.

Prvo je potrebno stvoriti praznu datoteku /usr/local/majordomo/lists/moja-lista:

touch /usr/local/majordomo/lists/moja-listachgrp majordomo /usr/local/majordomo/lists/moja-listachmod 664 /usr/local/majordomo/lists/moja-lista

Sljedeći je korak stvaranje datoteke moja-lista.info. U njoj će se nalaziti uvodne informacije o listi:

cat > /usr/local/majordomo/lists/moja-lista.infoOvo je lista za sve moje obožavatelje.^D (control-D)

Stvorite nove aliase. U datoteku /etc/aliases dodajte:

moja-lista: "|/usr/local/majordomo/wrapper resend -l moja-lista moja-lista-outgoing"moja-lista-outgoing: :include:/usr/local/majordomo/lists/moja-listamoja-lista-request: "|/usr/local/majordomo/wrapper request-answer moja-lista"owner-moja-lista: tuxmoja-lista-approval: tux

i pokrenite naredbu newaliases.

Pošaljite poruku Majordomu i proučite odgovor:

echo lists | mail -s "" majordomo

Napomena: Obzirom da nismo stvorili datoteku /usr/local/majordomo/lists/moja-lista.config, Majordomo će je po primitku ove poruke sam stvoriti. Možete proučiti njezin sadržaj.

Predbilježbe i slanje poruka4. Pokušajte se predbilježiti na listu:

echo subscribe moja-lista | mail -s "" majordomo

94


Vježbe__________________________________________________________

Dobit ćete odgovor s uputama što dalje trebate učiniti (a to je da na adresu [email protected] pošaljete poruku poput:auth 35219738 subscribe moja-lista [email protected]).

Pošaljite poruku kojom potvrđujete zahtjev za predbilježbom:

mail -s "" majordomo auth 35219738 subscribe moja-lista [email protected].

Pročitajte odgovor koji ste dobili.

Pogledajte sadržaj datoteke /usr/local/majordomo/lists/moja-lista.

Pogledajte koju je poruku dobio tux (more /var/spool/mail/tux).

5. Konačno, pošaljite poruku na listu:

echo "Pozdrav svima." | mail -s "Juhuhu ..." moja-lista

95

Vježbe__________________________________________________________

Vježba 7: Procmail1. Provjerite je li na sustavu server1 Procmail postavljen kao lokalni mail delivery agent

(MDA):

grep "^Mlocal" /etc/mail/sendmail.cf

Kada Procmail ne bi bio postavljen kao lokalni mail delivery agent, tada bismo mu poštu upućivali na filtriranje putem datoteke .forward.

2. Neka se sva pošta koja dođe od korisnika tux automatski arhivira u datoteku tux (u home-direktoriju).

U tu svrhu kao korisnik root na sustavu server1 stvorite (u home-direktoriju) datoteku .procmailrc sljedećeg sadržaja:

:0:* ^From.*tux@server1\.tecaj\.hr$HOME/tux

U gornjem je primjeru :0 oznaka za početak recipea, a prva zvjezdica (*) u drugom retku je oznaka za početak uvjeta. Ostatak uvjeta je regularni izraz (regular expression) kojim se opisuje traženi uzorak. U našem slučaju to je uzorak na početku retka (^) koji započinje s From nakon čega slijedi proizvoljan niz znakova koji završava s [email protected].

Navedeni izraz odgovara različitim varijantama From-zaglavlja poput: From: [email protected] ili From: Tux the Penguin <[email protected]>

Neka Vam tux pošalje neku poruku. Što se s njom dogodilo?

3. Neka se sve poruke koja dođu s liste moja-lista automatski arhiviraju u komprimiranu datoteku moja-lista.gz. Poruke se trebaju pojaviti i u standardnom mailboxu.

U tu svrhu na početak datoteke .procmailrc dodajte:

:0c:* ^(From|Cc|To).*moja-lista| gzip >> $HOME/moja-lista.gz

Pošaljite poruku na adresu moja-lista te provjerite je li se poruka pojavila u mailboxu i je li arhivirana u datoteci moja-lista.gz.

96

Vježbe__________________________________________________________

4. Korisnik root na sustavu server2 ([email protected]) često šalje svojim poslovnim kolegama poruke sa šalama. Takve poruke naslovljava s „joke“ ili „funny“.

Obzirom da ne želimo da se takve poruke pojavljuju u našem mailboxu, automatski ćemo ih pohraniti u arhivu jokes. Te poruke također želimo automatski proslijediti drugom poznatom šaljivđiji i ljubitelju viceva - korisniku tux na sustavu server1.

U tu svrhu u datoteku .procmailrc dodajte:

:0: * ^From.*root@server2\.tecaj\.hr* ^Subject.*(joke|funny){ :0c ! [email protected] :0 jokes}

Pošaljite poruku kao [email protected]:

[root@server2 ~]# mail -s "joke #1453" [email protected] < /etc/motd

i provjerite radi li sve kako treba.

97


Vježbe__________________________________________________________

Vježba 8: Apache

Jednostavna konfiguracija web-poslužitelja Apache

1. Na sustavu server1 instalirajte web-poslužitelj Apache:

yum install httpd

U datoteci /etc/httpd/conf/httpd.conf (otvorite je u editoru) pronađite vrijednosti sljedećih varijabli, zabilježite njihovu vrijednost te pročitajte komentare koji ih opisuju:

ServerRoot __________________

DocumentRoot __________________

Include __________________

User __________________

Group __________________

PidFile __________________

Listen __________________

KeepAlive _______MaxKeepAliveRequests _______KeepAliveTimeout _______

StartServers _______ MinSpareServers _______ MaxSpareServers _______ ServerLimit _______ MaxClients _______MaxRequestsPerChild _______

Promijenite vrijednost varijable ServerName tako da bude www.tecaj.hr (pohranite izmjene i izađite iz editora).

2. U zonu tecaj.hr (datoteka /var/named/zone/tecaj.hr) dodajete sljedeći zapis:

www CNAME server1.tecaj.hr.

i pokrenite naredbu rndc reload (provjerite s nslookup www je li izmjena registrirana).

98

Vježbe__________________________________________________________

3. Pokrenite web-poslužitelj (service httpd start). Provjerite odaziva li se web-poslužitelj na adresi http://www.tecaj.hr.

Ako je sve u redu pokrenite naredbu chkconfig httpd on.

(Što se događa ako pokušate pristupiti adresi http://www.tecaj.hr/index.html?)

4. U direktoriju na koji u datoteci /etc/httpd/conf/httpd.conf upućuje varijabla DocumentRoot (a to je /var/www/html) stvorite datoteku index.html sljedećeg sadržaja:

<HTML><HEAD><TITLE>Pozdrav svijetu</TITLE></HEAD><BODY>Pozdrav svima!</BODY></HTML>

Ponovno provjerite što se nalazi na adresama http://www.tecaj.hr i http://www.tecaj.hr/index.html.

5. Pokrenite naredbu telnet localhost 80 (umjesto localhost također možete upisati server1 ili www) i upišite:

GET / HTTP/1.1Host: www.tecaj.hr[Enter] (Prazan redak)

Proučite rezultat.

Ponovno pokrenite naredbu telnet localhost 80. Ovaj put upišite samo:

GET /

Proučite rezultat.

Još jednom pokrenite naredbu telnet localhost 80. Ovaj put upišite:

HEAD / HTTP/1.1Host: www.tecaj.hr[Enter]

Napomena: Komunikaciju između web-poslužitelja i klijenta moguće je pratiti pomoću naredbe curl -v. Na primjer:

curl -v http://www.tecaj.hr

99

Vježbe__________________________________________________________

6. Stvorite direktorij /var/www/html/prijatelji:

mkdir /var/www/html/prijateljicp /var/www/html/index.html /var/www/html/prijatelji/index.html

Pokrenite naredbu telnet localhost 80 i upišite:

GET /prijatelji

Rezultat je poruka o greški 301 Moved Permanently i preusmjeravanje na novi URL.

Ponovite naredbu telnet localhost 80, ali ovaj put upišite

GET /prijatelji/

Basic Authentication

7. Stvorite datoteku www.passwd u direktoriju /etc/httpd/conf na sljedeći način:

htpasswd -c -b /etc/httpd/conf/www.passwd root glavnihtpasswd -b /etc/httpd/conf/www.passwd tux sporedni

Napomena: U prvoj smo naredbi rabili prekidač -c koji stvara datoteku, obzirom da prije pokretanja naredbe ciljna datoteka nije postojala. Da smo u drugoj naredbi ponovno rabili taj prekidač, izgubili bismo sav prethodni sadržaj.)

Pogledajte što se nalazi u datoteci /etc/httpd/conf/www.passwd.

U datoteku httpd.conf (direktorij /etc/httpd/conf) dodajte (može i na kraj datoteke):

<Directory /var/www/html/prijatelji> AuthType basic AuthName "Restricted Stuff" AuthUserFile conf/www.passwd Require user root tux </Directory>

Pokrenite service httpd reload.

Pokušajte pristupiti URL-u http://www.tecaj.hr/prijatelji.

100

Vježbe__________________________________________________________

Napomena: U ovom smo konkretnom slučaju umjesto Require user root tux mogli koristiti i direktivu Require valid-user. Korisnici se također mogu grupirati u skupine. U tom bismo slučaju, na primjer, u datoteku www.group upisali:

prijatelji: root tux

a u httpd.conf bismo napisali:

<Directory /var/www/html/prijatelji> AuthType basic AuthName "Restricted Stuff" AuthUserFile conf/www.passwd AuthGroupFile conf/www.group Require group prijatelji </Directory>

8. Pokrenite naredbu telnet localhost 80 i upišite:

GET /prijatelji/

Proučite rezultat.

Kriptirajte (Base64 encoding) string „tux:sporedni“:

echo -n "tux:sporedni" | openssl base64 -base64

Rezultat je kod koji ćemo u nastavku koristi za autentikaciju (na primjer: dHV4OnNwb3JlZG5p).


GET /prijatelji/ HTTP/1.1Authorization: Basic dHV4OnNwb3JlZG5pHost: localhost[Enter]

Pogledajte kako to isto izgleda s naredbom curl:

curl -v -u tux:sporedni http://www.tecaj.hr/prijatelji/

101

Vježbe__________________________________________________________

Vježba 9: Virtualni web-poslužitelji1. Stvorite direktorij /var/www/portal i u njemu datoteku index.html sljedećeg

sadržaja:

<HTML><HEAD><TITLE>Portal</TITLE></HEAD><BODY>Pozdrav posjetiteljima portala!</BODY></HTML>


portal CNAME server1.tecaj.hr.

i pokrenite naredbu rndc reload.

3. U datoteku httpd.conf (u direktoriju /etc/httpd/conf) dopišite (na kraj datoteke):

NameVirtualHost *:80

<VirtualHost *:80> DocumentRoot /var/www/html ServerName www.tecaj.hr ServerAlias www

ErrorLog /var/log/httpd/error.log CustomLog /var/log/httpd/requests.log combined</VirtualHost>

<VirtualHost *:80> DocumentRoot /var/www/portal ServerName portal.tecaj.hr ServerAlias portal

ErrorLog /var/log/httpd/portal-error.log CustomLog /var/log/httpd/portal-requests.log common</VirtualHost>

Pokrenite naredbu service httpd reload.

102


Vježbe__________________________________________________________

Napomena: S obzirom na to da je virtualni poslužitelj s direktivom ServerName www.tecaj.hr naveden prvi u konfiguracijskoj datoteci, on ima najviši prioritet i može se smatrati primarnim (default) poslužiteljem. To znači da ako web-poslužitelj primi upit koji ne odgovara niti jednoj od direktiva ServerName (na primjer za poslužitelj server1.tecaj.hr), bit će poslužen od strane prvog virtualnog poslužitelja navedenog u konfiguracijskoj datoteci (u našem slučaju www.tecaj.hr).

4. Pistupite (curl, wget ili Firefox) sljedećim URL-ovima:

http://www.tecaj.hrhttp://portal.tecaj.hrhttp://server1.tecaj.hr

i provjerite radi li sve kako treba.

Sljedeća dva primjera pokazuju kako u praksi funkcionira mehnizam virtualnih poslužitelja.


GET / HTTP/1.1Host: www.tecaj.hr[Enter]

Zapamtite rezultat i ponovno pokrenite telnet localhost 80. Ovaj put upišite:

GET / HTTP/1.1Host: portal.tecaj.hr[Enter]

Uočite razliku u odnosu na prethodni rezultat. Što je uzrok različitim rezultatima? Koji bi rezultat bio kad bi se ponovila naredba telnet localhost 80 i upisalo: Host: server1.tecaj.hr?

103


Vježbe__________________________________________________________

Vježba 10: HTTPSU ovoj vježbi stvorit ćemo na sustavu server1 novi sigurni virtualni web-poslužitelj (https://trgovina.tecaj.hr). U tu svrhu dodijelit ćemo sustavu dodatnu IP-adresu (192.168.1.110) koju će koristiti samo taj poslužitelj. Certifikat za sigurni web-poslužitelj sami ćemo kreirati. One koji poslužitelju pristupe putem URL-a http://trgovina.tecaj.hr preusmjerit ćemo na sigurni poslužitelj.

1. Pogledajte direktorij /etc/httpd/conf.d. U njemu se nalaze dodatne konfiguracijske datoteke koje se standardno učitavaju zajedno s datotekom httpd.conf prilikom pokretanja web-poslužitelja (u datoteci httpd.conf postoji odgovarajuća direktiva Include conf.d/*.conf).

2. Instalirajte paket mod_ssl (yum install mod_ssl).

Nakon instalacije paketa mod_ssl pojavit će se u direktoriju /etc/httpd/conf.d nova datoteka ssl.conf.

U toj se datoteci nalaze direktive nužne za uporabu SSL-a. U stvarnom slučaju svakako bismo pregledali i modificirali tu datoteku, međutim za potrebe ove vježbe nećemo je mijenjati (no, u svakom slučaju, možete je ipak pregledati i upoznati se s direktivama specifičnim za SSL).

3. Certifikate za novi poslužitelj pohranit ćemo u direktorij /etc/httpd/ssl:

mkdir /etc/httpd/ssl

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout /etc/httpd/ssl/trgovina.key \ -out /etc/httpd/ssl/trgovina.crt

Nakon pokretanja gore navedene naredbe, trebat će interaktivno upisati neke podatke potrebne za stvaranje certifikata. Upišite sljedeće:

Country Name (2 letter code) [XX]:HRState or Province Name (full name) [Some-State]:.Locality Name (eg, city) []:ZagrebOrganization Name (eg, company) [Internet Widgits Pty Ltd]:Trgovina d.o.o.Organizational Unit Name (eg, section) []:.Common Name (e.g. server FQDN or YOUR name) []:trgovina.tecaj.hrEmail Address []:[email protected]

Nakon toga pokrenite naredbu:

chmod 600 /etc/httpd/ssl/trgovina.*

104

Vježbe__________________________________________________________

Novostvoreni certifikat možete pogledati sljedećom naredbom:

openssl x509 -in /etc/httpd/ssl/trgovina.crt -text -noout | more


trgovina A 192.168.1.110

U zonu 1.168.192.in-addr.arpa (datoteka /var/named/zone/192.168.1) dodajete sljedeći zapis:

110 PTR trgovina.tecaj.hr.

U obje zone (u zapisu SOA) povećajte serial number.

Pokrenite rndc reload.

5. Stvorite novu datoteku /etc/sysconfig/network-scripts/ifcfg-eth0:0 sa sljedećim sadržajem:

TYPE=EthernetONBOOT=yesBOOTPROTO=noneIPADDR=192.168.1.110PREFIX=24GATEWAY=192.168.1.1IPV6INIT=noNAME=eth0:0

Ako je potrebno, pokrenite service network restart.

6. Stvorite direktorij /var/www/trgovina i u njemu datoteku index.html sljedećeg sadržaja:

<HTML><HEAD><TITLE>Trgovina d.o.o.</TITLE></HEAD><BODY>Niske cijene svaki dan!</BODY></HTML>

7. Stvorite datoteku /etc/httpd/conf.d/trgovina.conf u kojoj će se nalaziti direktive za konfiguraciju novog poslužitelja. Neka ta datoteka ima sljedeći sadržaj:

105

Vježbe__________________________________________________________

<VirtualHost 192.168.1.110:443>SSLEngine on

SSLCertificateFile /etc/httpd/ssl/trgovina.crtSSLCertificateKeyFile /etc/httpd/ssl/trgovina.key

ServerName trgovina.tecaj.hrDocumentRoot /var/www/trgovinaServerAlias trgovina

CustomLog /var/log/httpd/trgovina-access.log commonErrorLog /var/log/httpd/trgovina-error.log

</VirtualHost>

<VirtualHost 192.168.1.110:80>ServerName trgovina.tecaj.hrServerAlias trgovinaDocumentRoot /var/www/trgovina

Redirect 301 / https://trgovina.tecaj.hr/</VirtualHost>

8. Pokrenite naredbu service httpd reload. Nakon toga pristupite sljedećim URL-ovima:

https://trgovina.tecaj.hrhttp://trgovina.tecaj.hr

106


Vježbe__________________________________________________________

Vježba 11: snmpd i MRTG

snmpd

1. Sačuvajte originalnu konfiguracijsku datoteku snmpd.conf:

yum install net-snmp mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf-orig

2. Stvorite novu konfiguracijsku datoteku /etc/snmp/snmpd.conf sljedećeg sadržaja:

rocommunity publicsyslocation "Srce, Ucionica B"syscontact [email protected]

3. Pokrenite snmpd:

service snmpd startchkconfig snmpd on

4. Instalirajte paket net-snmp-utils:

yum install net-snmp-utils

5. Pokrenite sljedeće naredbe i proučite rezultate:

snmpwalk -v1 -cpublic 127.0.0.1 syslocationsnmpwalk -v1 -cpublic 127.0.0.1 sysnamesnmpwalk -v1 -cpublic 127.0.0.1 system

MRTG

6. Instalirajte paket mrtg:

yum install mrtg

Sačuvajte originalnu konfiguracijsku datoteku mrtg.cfg:

mv /etc/mrtg/mrtg.cfg /etc/mrtg/mrtg.cfg-bak

107

Vježbe__________________________________________________________

7. Stvorite novu konfiguracijsku datoteku /etc/mrtg/mrtg.cfg sljedećom naredbom:

cfgmaker --output=/etc/mrtg/mrtg.cfg \ -ifref=name --global "workdir: /var/www/mrtg/stats" \

public@localhost

8. Stvorite direktorij /var/www/mrtg/stats:

mkdir /var/www/mrtg/stats

9. Paket mrtg je prilikom instalacije stvorio cron-datoteku /etc/cron.d/mrtg. Pogledajte njezin sadržaj.

10. Sačuvajte originalnu datoteku /etc/httpd/conf.d/mrtg.conf:

mv /etc/httpd/conf.d/mrtg.conf /etc/httpd/conf.d/mrtg.conf-orig

Stvorite novu datoteku /etc/httpd/conf.d/mrtg.conf sljedećeg sadržaja:

Alias /mrtg /var/www/mrtg

<Location /mrtg> Options Indexes</Location>

Pokrenite service httpd reload.

11. Pristupite URL-u http://server1.tecaj.hr/mrtg i proučite što se tamo nalazi. Proučite i sadržaj poddirektorija stats.

Stvorite datoteku /var/www/mrtg/stats/index.html sljedećom naredbom:

indexmaker --output /var/www/mrtg/stats/index.html \--columns=1 /etc/mrtg/mrtg.cfg

i posjetite URL http://server1.tecaj.hr/mrtg/stats.

108


Vježbe__________________________________________________________

Vježba 12: SquidObzirom da ekipa iz mreže 192.168.2.0/24 još uvijek ne može pristupati Internetu (čekaju da u jednoj od posljednjih vježbi postavimo NAT na sustav server1), omogućit ćemo im da u međuvremenu pristupaju web-sadržajima putem web-posrednika (web proxy). Pristup posredniku dozvolit ćemo samo iz naše interne mreže i to samo do web-sadržaja na standardnim portovima 80 i 443. Načinit ćemo najjednostavniju konfiguraciju koja to omogućava.

Firefox na sustavu server2 podesit ćemo ručno tako da sadržajima na webu pristupa putem posrednika.

Na kraju ćemo s alternativnog repozitorija EPEL Repo instalirati paket Clamaris za analizu sistemskih zapisa.

1. Na sustavu server1 instalirajte Sqiud (yum install squid).

Sačuvajte originalnu konfiguracijsku datoteku:

mv /etc/squid/squid.conf /etc/squid/squid.conf-bak

Stvorite novu konfiguracijsku datoteku /etc/squid/squid.conf sa sljedećim sadržajem:

acl Safe_ports port 80acl Safe_ports port 443http_access deny !Safe_ports

acl interna_mreza src 192.168.2.0/24http_access allow interna_mrezahttp_access deny all

http_port 3128

Pokrenite Squid (service squid start).

2. Na sustavu server2 podesite Firefox korisniku root tako da pristupa web-sadržajima putem posrednika.

Pokrenite Firefox i odaberite Edit / Preferences /Advanced / Network.

Kliknite na dugme Settings... i u prozoru Connection Settings upišite postavke za posrednika (kao na slici).

109


Vježbe__________________________________________________________

3. Pokušajte pristupiti sljedećim URL-ovima (koji se nalaze izvan lokalne mreže 192.168.2.0/24):

http://www.srce.hr https://abc.srce.hr

4. Na sustavu server1 dodajte EPEL Repo na popis paketnih repozitorija:

rpm -Uvh \http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Provjerite nalazi li se EPEL Repo na popis paketnih repozitorija:

yum repolist

5. Instalirajte paket Calamaris:

yum install calamaris

110


Vježbe__________________________________________________________

6. Pokrenite sljedeće naredbe i proučite rezultat:

cat /var/log/squid/access.log | calamaris

calamaris -R 5 /var/log/squid/access.log

7. Stvorite direktorij /var/www/html/calamaris:

mkdir /var/www/html/calamaris

Pokrenite naredbu:

calamaris -a -F html \/var/log/squid/access.log > /var/www/html/calamaris/index.html

Posjetite URL http://server1.tecaj.hr/calamaris.

8. Na kraju, možemo isključiti EPEL Repo s popisa paketnih repozitorija.

U datoteci /etc/yum.repos.d/epel.repo sve retke u kojima piše enabled=1 zamijenite s enabled=0.

Napomena: EPEL Repo smo s popisa paketnih repozitorija mogli isključiti i na druge načine. Na primjer: yum-config-manager --disable epel.

Popis paketnih repozitorija može se ispisati naredbom yum repolist all.

111


Vježbe__________________________________________________________

Vježba 13: DHCP

Osnovne postavke DHCP-poslužitelja

1. Na sustavu server1 instalirajte paket dhcp (yum install dhcp).

Provjerite u datoteci /etc/init.d/dhcpd u kojem se direktoriju na Vašem sustavu treba nalaziti konfiguracijska datoteka za DHCP-poslužitelj (obično je to /etc/dhcp/dhcpd.conf). Zapamtite taj podatak.

Napravite konfiguracijsku datoteku za DHCP-poslužitelj (/etc/dhcp/dhcpd.conf) tako da ima sljedeći sadržaj:

subnet 192.168.2.0 netmask 255.255.255.0 { option routers 192.168.2.201; option subnet-mask 255.255.255.0;

option domain-name "tecaj.hr"; option domain-name-servers 192.168.2.201;

range 192.168.2.220 192.168.2.240;}

Napomena: Ako bismo htjeli da se IP-adresa sustavu server2 dodjeljuje putem DHCP-a, ali da mu uvijek bude dodijeljena ista IP-adresa, tada bismo unutar sekcije za mrežu 192.168.2.0 dopisali:

host server2 { hardware ethernet 08:00:27:A8:09:46;

fixed-address 192.168.2.202;}

(U gornjem primjeru umjesto 08:00:27:A8:09:46 treba napisati konkretnu ethernet-adresu navedenog sučelja.)

U primjeru koji slijedi to nećemo napraviti, tj. kod dodjeljivanja IP-adrese sustavu server2 nećemo utjecati na vrijednost dodijeljene adrese. To znači da se sustavu server2 može dodijeliti bilo koja adresa iz zadanog raspona (od 192.168.2.220 do 192.168.2.240).

S obzirom na to da konfiguracijska datoteka upućuje da će DHCP-poslužitelj posluživati samo mrežu 192.168.2.0/24 na koju je spojeno mrežno sučelje eth1, u datoteci /etc/sysconfig/dhcpd možemo zadati da se DHCP-poslužitelj veže samo uz to sučelje.

112


Vježbe__________________________________________________________

Stoga neka datoteka /etc/sysconfig/dhcpd sadrži sljedeći redak:

DHCPDARGS=eth1

Provjerite postoje li greške u konfiguracijskoj datoteci DHCP-poslužitelja:

service dhcpd configtest

Pokrenite dhcpd i postavite da se pokreće prilikom svakog pokretanja sustava:

service dhcpd startchkconfig dhcpd on

Proučite sadržaj datoteke /var/lib/dhcpd/dhcpd.leases.

Osnovne postavke DHCP-klijenta

2. Na sustavu server2 podesite mrežno sučelje eth0 tako da adresu preuzima od DHCP-poslužitelja.

Prije izmjena sačuvajte trenutačne postavke sučelja eth0:

cp /etc/sysconfig/network-scripts/ifcfg-eth0 /tmp/ifcfg-eth0-nodhcp

Promijenite sadržaj datoteke /etc/sysconfig/network-scripts/ifcfg-eth0 tako da u njoj piše:

DEVICE=eth0TYPE=EthernetONBOOT=yesBOOTPROTO=dhcp

U slučaju potrebe ponovno pokrenite mrežu (service network restart).

Provjerite koju adresu ima sučelje eth0.

3. Ponovno pogledajte sadržaj datoteke /var/lib/dhcpd/dhcpd.leases na sustavu server1.

4. Pokrenite ping server2 (na bilo kojem od sustava). Što se dogodilo i zašto?

5. Vratite prethodne postavke sučelja sučelja eth0:

cp /tmp/ifcfg-eth0-nodhcp /etc/sysconfig/network-scripts/ifcfg-eth0

(i ako je potrebno ponovno pokrenite naredbu service network restart).

113


Vježbe__________________________________________________________

Vježba 14: Dynamic DNS (DDNS)1. Na sustavu server1 stvorite HMAC-MD5-keyfile s imenom dhcpupdate:

dnssec-keygen -a HMAC-MD5 -b 256 -n USER dhcpupdate

U radnom direktoriju pojavit će se dvije nove datoteke, na primjer: Kdhcpupdate.+157+26467.key i Kdhcpupdate.+157+26467.private.

Na primjer, neka je sadržaj datoteke Kdhcpupdate.+157+26467.key:

dhcpupdate. IN KEY 0 3 157 S9fpDs3dmJQF7k5kGE6U80skG+DuOlAKZnWo5OQXLh4=

U gornjem je primjeru „S9fpDs3dmJQF7k5kGE6U80skG+DuOlAKZnWo5OQXLh4=“ vrijednost novog ključa.

Stvorite datoteku /etc/dhcpupdate.key sa sljedećim sadržajem:

key "dhcpupdate" { algorithm hmac-md5; secret "S9fpDs3dmJQF7k5kGE6U80skG+DuOlAKZnWo5OQXLh4=";};

(Umjesto „S9fpDs3dmJQF7k5kGE6U80skG+DuOlAKZnWo5OQXLh4=“ upišite vrijednost Vašeg ključa.)

Postavite odgovarajuće postavke datoteci /etc/dhcpupdate.key te je kopirajte kao /etc/dhcp/dhcpupdate.key (potrebno je napraviti dvije datoteke s istim sadržajem zbog različitih prava pristupa):

chown root:named /etc/dhcpupdate.keychmod 640 /etc/dhcpupdate.key

cp /etc/dhcpupdate.key /etc/dhcp/dhcpupdate.keychown root:root /etc/dhcp/dhcpupdate.keychmod 640 /etc/dhcp/dhcpupdate.key

Napomena: Zadnje tri naredbe moguće je zamijeniti jednom:

install -o root -g root -m 0640 \/etc/dhcpupdate.key /etc/dhcp/dhcpupdate.key.

2. Na sustavu server1 u datoteku /etc/named.conf dodajte redak:

include "/etc/dhcpupdate.key";

114


Vježbe__________________________________________________________

U zone za koje želite da se dinamički mijenjaju dodajte:

allow-update { key dhcpupdate; };

U našem slučaju to su zone tecaj.hr i 2.168.192.in-addr.arpa.

Iz zona tecaj.hr i 2.168.192.in-addr.arpa (datoteke tecaj.hr i 192.168.2 u direktoriju /var/named/zone) obrišite sve podatke za server2 (uključivši i one koje ga definiraju kao sekundarnog name-servera).

Ponovno pokrenite named.

Napomena: Obzirom da sustav server2 neće imati stalnu IP-adresu, nije prikladno da bude sekundarni name-server. Također, njegove smo podatke u potpunosti izbrisali iz DNS-tablica jer će ubuduće te podatke upisivati DHCP-poslužitelj.

3. Pomoću naredbe nsupdate provjerite je li sve u redu:

nsupdate> server 192.168.1.100> key dhcpupdate S9fpDs3dmJQF7k5kGE6U80skG+DuOlAKZnWo5OQXLh4=

(Na ovom mjestu upišite vrijednost Vašeg ključa.)> zone tecaj.hr.> update add server5.tecaj.hr. 600 IN A 192.168.2.205> send> zone 2.168.192.in-addr.arpa.> update add 205.2.168.192.in-addr.arpa. 600 IN PTR server5.tecaj.hr.> send> quit

Ukoliko je sve u redu, tada se nakon pokretanja komandi send neće javiti poruka o greški.

Služeći se naredbom nslookup dodatno provjerite radi li sve kako treba:

nslookup server5nslookup 192.168.2.205

4. Na sustavu server1 na početak datoteke /etc/dhcp/dhcpd.conf dodajte:

ddns-updates on;ddns-update-style interim;update-static-leases on;ignore client-updates;

include "/etc/dhcp/dhcpupdate.key";

zone tecaj.hr. { primary 192.168.1.100; key dhcpupdate;}

115


Vježbe__________________________________________________________

zone 2.168.192.in-addr.arpa. { primary 192.168.1.100; key dhcpupdate;}

Ponovno pokrenite dhcpd: service dhcpd restart.

5. Na sustavu server2 izmijenite datoteku /etc/resolv.conf tako da je njezin sadržaj bude:search tecaj.hrnameserver 192.168.2.201

Na sustavu server2 zaustavite named i onemogućite njegovo pokretanje prilikom pokretanja sustava:

service named stopchkconfig named off

Podesite mrežno sučelje eth0 na sustavu server2 tako da adresu preuzima od DHCP-poslužitelja. Neka je sadržaj /etc/sysconfig/network-scripts/ifcfg-eth0:

DEVICE=eth0TYPE=EthernetONBOOT=yesBOOTPROTO=dhcpDHCP_HOSTNAME=server2

Napomena: Uočite novu varijablu DHCP_HOSTNAME.

Ako je potrebno, pokrenite naredbu service network restart.

S ifconfig provjerite je li se promijenila IP-adresa na sučelju eth0. Koja je nova adresa?

Na stroju server1 pogledajte ponovno sadržaj datoteke /var/lib/dhcpd/dhcpd.leases.

Provjerite s nslookup je li zabilježena promjena IP-adrese stroja server2.

Napomena: Ako ručno radite izmjene u sadržaju zone koja koristi Dynamic DNS (DDNS), tada prvo zamrznite zonu: rndc freeze tecaj.hr

Nakon što ste završili s izmjenama odmrznite zonu (učitajte izmjene i ponovno dozvolite DDNS): rndc thaw tecaj.hr

(Sustav će odgovoriti porukom: The zone reload and thaw was successful.)

116


Vježbe__________________________________________________________

Vježba 15: LDAPU ovoj vježbi stvorit ćemo LDAP-poslužitelj na sustavu server1 (bez replikacije), prenijet ćemo podatke o korisnicima u LDAP-ovu bazu i napravit ćemo da se autentikacija korisnika prilikom prijavljivanja na sustav server2 obavlja putem LDAP-poslužitelja na sustavu server1.

Napomena: Premda će rezultat ove vježbe biti potpuno funkcionalne postavke na sustavima, te postavke ne bi bile primjerene u stvarnom okruženju (LDAP-ovu bazu bi u stvarnom okruženju trerbalo dopuniti, omogućiti replikaciju podataka, uključiti i sam poslužitelj u sustav autentikacije putem LDAP-a, uspostaviti kriptiranu komunikaciju između poslužitelja i klijenata, postaviti dodatna sigurnosna ograničenja i slično). Stoga ovu vježbu ni u kojem slučaju ne treba shvatiti kao potpune upute kako podestiti LDAP za potrebe autentikacije na Linuxu. Ova vježba prikazuje samo minimalno programsko okruženje u kojem se to može uspostaviti.

Osnovne postavke poslužitelja OpenLDAP

1. Na sustavu server1 instalirajte pakete openldap, openldap-servers i openldap-clients:

yum install openldap openldap-servers openldap-clients

Napomena: Postoje dva načina konfiguriranja poslužitelja OpenLDAP. Stari je način putem datoteke slapd.conf, a novi je način putem LDIF-datoteka u direktoriju slapd.d. Mi ćemo se služiti novim načinom.

Napravite kopiju direktorija /etc/openldap/slapd.d:

cp -R /etc/openldap/slapd.d /etc/openldap/slapd.d-orig

2. Editirajte datoteke olcDatabase={2}bdb.ldif i olcDatabase={1}monitor.ldif koje se nalaze u direktoriju /etc/openldap/slapd.d/cn=config:

cd /etc/openldap/slapd.d/cn\=config

Izmijenite sadržaj datoteke olcDatabase={2}bdb.ldif (vi olcDatabase\=\{2\}bdb.ldif) tako da piše:

olcSuffix: dc=tecaj,dc=hr

olcRootDN: cn=Manager,dc=tecaj,dc=hr

olcRootPW: 123

117


Vježbe__________________________________________________________

Ako u datoteci olcDatabase={2}bdb.ldif postoji redak koji počinje s olcConfigFile (na primjer: olcConfigFile: /etc/openldap/slapd.conf.bak), obrišite ga.

Izmijenite sadržaj datoteke olcDatabase={1}monitor.ldif (vi olcDatabase\=\{1\}monitor.ldif) tako da piše:

olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peer-cred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=tecaj,dc=hr" read by * none

3. Stvorite datoteku /var/lib/ldap/DB_CONFIG na sljedeći način:

cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

Provjerite postavke datoteka u direktoriju /var/lib/ldap i ako je potrebno pokrenite naredbu chown -R ldap:ldap /var/lib/ldap.

Provjerite jesu li sve konfiguracijske postavke ispravno zadane:

/usr/sbin/slaptest

Ako jesu, pokrenite LDAP-poslužitelj:service slapd startchown -R ldap:ldap /var/lib/ldapservice slapd restart

Napomena: LDAP-poslužitelj u modusu debug možete pokrenuti, na primjer, na sljedeći način: slapd -u ldap -g ldap -d 255 (popis i objašnjenje svih debugging-razina pogledajte na http://www.openldap.org/doc/admin24/runningslapd.html).

Provjerite radi li LDAP-poslužitelj. Zadajte naredbu:ldapsearch -x -H ldap://localhost -b '' \

-s base '(objectclass=*)' namingContexts

Uočite da je u gornjoj naredbi '' prazan string (a ne dvostruki navodnici).

Ako dobijete odgovor koji sadrži:

dn:namingContexts: dc=tecaj,dc=hr

to je znak da je najvjerojatnije sve u redu.

Ako je sve u redu, nagradite se naredbom chkconfig slapd on.

118


Vježbe__________________________________________________________

4. Zadajte naredbu:

ldapsearch -h localhost -D "cn=Manager,dc=tecaj,dc=hr" \ -w 123 -b "dc=tecaj,dc=hr" -s sub "objectclass=*"

Stvorite novu datoteku /etc/openldap/ldap.conf sljedećeg sadržaja:

BASE dc=tecaj,dc=hrHOST 127.0.0.1

Sada možete pokrenuti prethodnu naredbu u njezinom kraćem obliku (bez navođenja poslužitelja i baze):

ldapsearch -D "cn=Manager,dc=tecaj,dc=hr" -w 123 -s sub "objectclass=*"

5. Trenutačna je administracijska lozinka vrlo jednostavna i upisana je nekriptirana u datoteku olcDatabase={2}bdb.ldif. Promijenit ćemo lozinku i upisati je u kriptiranom obliku.

Neka je nova lozinka p@ssword. Kriptirajte je:

slappasswd -s p@ssword{SSHA}MzZOUVoiW2o2DoSVbE3uGrpwPtoX7ssa

Rezultat naredbe slappasswd -s p@ssword je kriptirana inačica nove lozinke. Nju ćemo upisati u datoteku olcDatabase={2}bdb.ldif (u direktoriju /etc/openldap/slapd.d/cn=config), na mjesto stare lozinke 123:

olcRootPW: {SSHA}MzZOUVoiW2o2DoSVbE3uGrpwPtoX7ssa

Pokrenite service slapd restart i pokušajte izvršiti prethodnu naredbu ldapsearch s novom lozinkom:

ldapsearch -D "cn=Manager,dc=tecaj,dc=hr" -w p@ssword \ -s sub "objectclass=*"

6. Preostalo je još za urediti ispis logova. Na kraj datoteke /etc/rsyslog.conf dodaje redak:

local4.* /var/log/ldap.log

Pokrenite naredbu: service rsyslog restart i provjerite je li se stvorila datoteka /var/log/ldap.log.

119


Vježbe__________________________________________________________

Vježba 16: Autentikacija putem LDAP-aKopiranje sistemskih podataka u LDAP (Migration Tools)

1. Instalirajte paket migrationtools (yum install migrationtools).

Izmijenite postavke u datoteci /usr/share/migrationtools/migrate_common.ph tako da piše:

$DEFAULT_MAIL_DOMAIN = "tecaj.hr";

$DEFAULT_BASE = "dc=tecaj,dc=hr";

2. Za potrebe ove vježbe neka na sustavu server1 postoji korisnik tux čija je korisnička lozinka 1, a na sustavu server2 korisnici tux s lozinkom 2 i tom s proizvoljnom lozinkom.

Na sustavu server1 pokrenite sljedeće naredbe:

useradd -c "Tux the Penguin" tux (ako korisnik tux ne postoji već od prije)(echo 1 ; echo 1) | passwd tux

Na sustavu server2 pokrenite sljedeće naredbe:

useradd -c "Tux the Penguin" tux(echo 2 ; echo 2) | passwd tuxuseradd -c "Thomas Cat" tom(echo jerry ; echo jerry) | passwd tom

3. Zaustavite slapd (service slapd stop).

Napomena: Migraciju podataka moguće je napraviti i s pokrenutim poslužiteljem slapd (on-line). U tom bismo slučaju umjesto naredbe slapadd u nastavku koristili naredbu ldapmodify. Mi ćemo migraciju napraviti s isključenim poslužiteljem.

Prije početka kopiranja podataka proučite sadržaj direktorija /var/lib/ldap.

Pokrenite sljedeće naredbe:

/usr/share/migrationtools/migrate_base.pl > /tmp/base.ldif

slapadd -v -b "dc=tecaj,dc=hr" -l /tmp/base.ldif

/usr/share/migrationtools/migrate_passwd.pl /etc/passwd > /tmp/passwd.ldif

slapadd -v -b "dc=tecaj,dc=hr" -l /tmp/passwd.ldif

120


Vježbe__________________________________________________________

Napomena: U ovom ćemo dijelu vježbe prenijeti samo dio sistemskih podataka u LDAP (prenijet ćemo podatke o korisnicima). U stvarnoj bismo situaciji vjerojatno prenijeli sve podatke (skripta migrate_all_offline.sh).

Ponovno proučite sadržaj direktorija /var/lib/ldap. Što se promijenilo?

Promijenite atribute datotekama u direktoriju /var/lib/ldap:

chown ldap:ldap /var/lib/ldap/*

Ponovno pokrenite slapd (service slapd start).


ldapsearch -x -W -D 'cn=Manager,dc=tecaj,dc=hr' \ -b 'ou=People,dc=tecaj,dc=hr' dn cn

ldapsearch -x -w p@ssword -D 'cn=Manager,dc=tecaj,dc=hr' \ -b 'uid=tux,ou=People,dc=tecaj,dc=hr' dn cn uid userPassword

Postavke na klijentima

4. Na sustavu server2 instalirajte paket openldap-clients (umetnite instalacijski medij u optički uređaj, potražite odgovarajući paket u direktoriju Packages te instalirajte ga naredbom rpm, na primjer: rpm -i openldap-clients-2.4.23-31.el6.i686.rpm).

Provjerite radi li prethodna naredba i na sustavu server2:

ldapsearch -x -w p@ssword -h server1 -D 'cn=Manager,dc=tecaj,dc=hr' \ -b 'uid=tux,ou=People,dc=tecaj,dc=hr' dn cn uid userPassword

5. Na sustavu server2 instalirajte pakete nscd, pam_ldap i nss-pam-ladpd. Na primjer:

rpm -i nscd-2.12-1.107.el6.i686.rpm rpm -i pam_ldap-185-11.el6.i686.rpm rpm -i nss-pam-ldapd-0.7.5-18.el6.i686.rpm

6. Preimenujte originalnu datoteku /etc/ldap.conf (ako postoji):

mv /etc/ldap.conf /etc/ldap.conf-orig

121


Vježbe__________________________________________________________

Stvorite novu datoteku /etc/ldap.conf sa sljedećim sadržajem:

base dc=tecaj,dc=hrsuffix "dc=tecaj,dc=hr"uri ldap://192.168.2.201pam_password md5

Izmijenite datoteku /etc/sysconfig/authconfig tako da piše:

USELDAPAUTH=yesUSELDAP=yes

Na kraj datoteke /etc/nslcd.conf dodajte sljedeće retke (ili izmjenite postojeće retke ako navedene direktive već postoje):

uri ldap://192.168.2.201base dc=tecaj,dc=hr

Pokrenite naredbe:

chkconfig nslcd on shutdown -r now

7. Na sustavu server2 izmijenite sadržaj datoteke /etc/nsswitch.conf tako da piše:

passwd: ldap filesshadow: ldap files

Pokušajte se prijaviti na sustav server2 kao korisnik tux (ssh tux@server2). Pokušajte se prvo prijaviti s lozinkom 2. Je li Vam uspjelo? A s lozinkom 1?

Odjavite se sa sustava (kao korisnik tux).

8. Na sustavu server1 zaustavite LDAP-server (service slapd stop). Ponovno se pokušajte prijaviti na sustav server2 kao korisnik tux. Koja je lozinka ovaj put bila uspješna. Zašto?

Odjavite se sa sustava (kao korisnik tux).

Ponovno pokrenite slapd na sustavu server1.

9. Provjerite možete li se prijaviti na sustav server2 kao korisnik tom (ssh tom@server2). Odjavite se sa sustava.

122


Vježbe__________________________________________________________

Na sustavu server2 izmijenite sadržaj datoteke /etc/nsswitch.conf tako da sada piše:

passwd: ldap [NOTFOUND=return] files

Pokušajte se ponovno prijaviti kao korisnik tom. Je li Vam uspjelo?

10. Na sustavu server2 izmijenite datoteku /etc/nsswitch.conf tako da (ponovno) piše:

passwd: filesshadow: files

Napomena: U ovoj smo vježbi sve izmjene na poslužitelju server2 radili ručno. Izmjene je moguće napraviti i pomoću grafičkog alata system-config-authentication i(li) pomoću tekstne aplikacije authconfig-tui.

123


Vježbe__________________________________________________________

Vježba 17: iptables

Osnovne postavke vatrozida

1. Na sustavu server1 proučite sadržaj datoteke /etc/sysconfig/iptables-config.

Pohranjuju li se postavke (rules) vatrozida prilikom njegovog zaustavljanja i(li) restartanja? U slučaju potvrdnog odgovora promijenite te postavke (tako da piše IPTABLES_SAVE_ON_STOP="no" i IPTABLES_SAVE_ON_RESTART="no").

Proučite konfiguraciju zapisanu u datoteci /etc/sysconfig/iptables.

Pokrenite vatrozid:

service iptables start

Ako nisu pokrenuti, pokrenite servise named, httpd, squid i slapd.

Provjerite možete li sa sustava server2 pristupiti tim servisima na sustavu server1.

(Za provjeru prisutupa LDAP-poslužitelju možete pokrenuti naredbu:ldapsearch -h 192.168.2.201 -D "cn=Manager,dc=tecaj,dc=hr" \-w p@ssword -s sub "objectclass=*". Pristup DNS-u provjerite naredbom nslookup. Za ostalo možete koristiti wget, na primjer: wget -e http_proxy=192.168.2.201:3128 http://192.168.2.201/)

2. Na sustavu server1 napravite kopiju datoteke iptables:

cp /etc/sysconfig/iptables /etc/sysconfig/iptables-orig

Na odgovarajuće mjesto u datoteku /etc/sysconfig/iptables (na primjer, odmah nakon retka za ssh) dodajte sljedeće retke:

-A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT-A INPUT -m state --state NEW -p tcp --dport 389 -j ACCEPT-A INPUT -m state --state NEW -p tcp --dport 3128 -j ACCEPT-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Pokrenite naredbu:

service iptables restart

Na sustavu server2 ponovno provjerite možete li pristupiti ranije navedenim servisima.

124


Vježbe__________________________________________________________

Transparentni web-posrednik

3. Sustav server1 podesit ćemo tako da se ponaša kao transparentan web-posrednik (samo za port 80). To ćemo napraviti tako da sve web-konekcije (na port 80) koje prolaze kroz sustav server1 a dolaze iz interne mreže, preusmjerimo na web-posrednika (Squid) na portu 3128. Squid ćemo podesiti tako da radi kao transparentan posrednik.

Na sustavu server1 na kraj datoteke /etc/sysconfig/iptables dodajte sljedeće retke:

*nat-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128 COMMIT

Izmijenite sadržaj datoteke /etc/squid/squid.conf tako da piše:

http_port 3128 intercept

Ako nije uključen, uključite ip-forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Ponovno pokrenite vatrozid i Squid:

service iptables restartservice squid restart

4. Na sustavu server2 pokušajte pristupiti web-sadržajima izvan lokalne mreže bez „vidljive“ uporabe posrednika.

Na primjer:

wget http://www.srce.hr

ili podesite Firefox tako da ponovno ne koristi web-posrednika (pogledajte vježbu 12) i pokušajte pristupiti nekom sadržaju izvan lokalne mreže (na primjer http://www.srce.hr).

NAT

5. Na sustavu server1 u datoteku /etc/sysconfig/iptables na odgovarajuće mjesto (prije direktiva s REJECT, na primjer iza direktiva koje su upisane u koraku 2 ove vježbe) dodajte sljedeće retke:

-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT-A FORWARD -i eth1 -o eth0 -j ACCEPT

125


Vježbe__________________________________________________________

Izmijenite direktive u sekciji nat (one se nalaze na kraju datoteke, pogledajte korak 3 ove vježbe). Neka ta tablica izgleda ovako:

*nat-A POSTROUTING -o eth0 -j MASQUERADECOMMIT

Obrišite ranije unesene direktive za transparentnog web-posrednika:-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128


service squid stopservice iptables restart

6. Na sustavu server2 ponovno pokušajte pristupiti web-sadržajima izvan lokalne mreže (uočite da je Squid na sustavu server1 isključen).

126


Vježbe__________________________________________________________

Vježba 18: sshd

Osnovne postavke

1. Na sustavu server2 onemogućite prijavljivanje na korisnički račun root putem protokola SSH.

U datoteci /etc/ssh/sshd_config promijenite vrijednost varijable PermitRootLogin tako da ona glasi:

PermitRootLogin no

Pokrenite naredbu: service sshd restart

Pokušajte se putem protokola SSH prijaviti na sustav server2 kao korisnik root.

Sigurno prijavljivanje bez lozinki

2. Omogućit ćemo sigurno prijavljivanje korisnika root sa sustava server1 na korisnički račun tux na sustavu server2 bez uporabe lozinke.

Na sustavu server1 (kao korisnik root) pokrenite sljedeću naredbu:

ssh-keygen -q -t rsa -f ~/.ssh/id_rsa -C '' -N ''

Pogledajte koje su dvije datoteke nastale u direktoriju ~/.ssh.

Sadržaj datoteke id_rsa.pub kopirajte na kraj datoteke ~tux/.ssh/authorized_keys na sustavu server2.

Napomena: Pripazite da vlasnik direktorija .ssh i datoteke authorized_keys bude korisnik tux (i da pripadaju odgovarajućoj skupini) te da prava pristupa na direktorij .ssh budu 700, a na datoteke authorized_keys budu 640:

chown -R tux:tux ~tux/.sshchmod 700 ~tux/.sshchmod 640 ~tux/.ssh/authorized_keys

To možete jednostavnije napraviti ovom naredbom:ssh-copy-id tux@server2

Pokušajte se sa sustava server1 prijaviti na sustav server2 kao korisnik tux:

ssh tux@server2

127


Vježbe__________________________________________________________

Dodatne informacije

DNS BIND9 Master and Slave DNS Server setup on CentOS 6.5 (Dorián Ocsovszki)

http://ocsovszki-dorian.blogspot.com/2013/12/bind9-master-and-slave-dns-server-setup.html

Using the rndc Utilityhttp://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-bind-rndc.html

DNSSEC verification with dighttp://backreference.org/2010/11/17/dnssec-verification-with-dig/

Securing Zone Transfers With Bind 9 (John Cartwright)http://www.grok.org.uk/docs/tsig.html

HOWTO turn BIND into a Validating Resolver (Rick van Rein) http://dnssec.surfnet.nl/?p=402

Validating and Exploring DNSSEC with dig (Mark Bryars)http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/

Sendmail Understanding SMTP Error Messages (Heinz Tschabitscher)

http://email.about.com/cs/standards/a/smtp_error_code.htm

SMTP reply codeshttp://www.greenend.org.uk/rjk/tech/smtpreplies.html

SMTP Commands (Andy Welter)http://the-welters.com/professional/smtp.html

Overriding File Security Checkshttp://www.sendmail.com/sm/open_source/tips/DontBlameSendmail/

Postfix Postfix Standard Configuration Examples

http://www.postfix.org/STANDARD_CONFIGURATION_README.html

Majordomo Majordomo

http://www.greatcircle.com/majordomo/

Creating a Majordomo E-Mail Listhttp://www.gsp.com/support/virtual/email/majordomo/list/

128


Vježbe__________________________________________________________

Procmail Procmail (Red Hat Linux 7.2: The Official Red Hat Linux Reference Guide)

http://www.centos.org/docs/2/rhl-rg-en-7.2/s1-email-procmail.html

Mail Filtering with Procmail (Ian Soboroff)http://userpages.umbc.edu/~ian/procmail.html

Introduction to Procmailhttp://partmaps.org/era/mail/procmail-presentation.html

Apache SpamAssassin Used via Procmail http://wiki.apache.org/spamassassin/UsedViaProcmail

Apache How To Create a SSL Certificate on Apache for CentOS 6 (Etel Sverdlov)

http://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-centos-6

How To Set Up Apache Virtual Hosts on CentOS 6 (Etel Sverdlov)http://www.digitalocean.com/community/articles/how-to-set-up-apache-virtual-hosts-on-centos-6

VirtualHost Exampleshttp://httpd.apache.org/docs/current/vhosts/examples.html

Using User Authenticationhttp://www.apacheweek.com/features/userauth

Common Apache Misconfigurations (Paul Waring)http://wiki.apache.org/httpd/CommonMisconfigurations

HTTP Testing Basic Authentication with telnet and openssl

http://community.mcafee.com/thread/41920

SNMP Install and configure SNMP on RHEL or CentOS

http://www.it-slav.net/blogs/2008/11/11/install-and-configure-snmp-on-rhel-or-centos/

MRTG MRTG 2.17.4 configuration reference (Tobias Oetiker)

http://oss.oetiker.ch/mrtg/doc/mrtg-reference.en.html

MRTG Implementation Manual (Florin Prunoiu)http://www.enterastream.com/whitepapers/mrtg/mrtg-manual.html

SQUID

129


Vježbe__________________________________________________________

cachemgr (Cache Manager) configuration for Squid (Nikesh Jauhari)http://linuxpoison.blogspot.com/2008/06/cachemgr-cache-manager-configuration.html

DDNS Dynamic DNS and DHCP (Jordan Sissel)

http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/

DDNShttp://wiki.debian.org/DDNS

LDAP Setting up OpenLDAP on CentOS 6

http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1-setup/installSetup/settingUpOpenLDAPOnCentos6.htm

Minimal LDAP configuration on RHEL6 in stages and detailshttp://spectlog.com/content/Minimal_LDAP_configuration_on_RHEL6_in_stages_and_details

Introduction to LDAP (Brad Marshall)http://quark.humbug.org.au/publications/ldap/ldap_tut.html

OpenLDAP Software 2.4 Administrator's Guidehttp://www.openldap.org/doc/admin24/

I nstalling OpenLDAP on Redhat / CentOS 6. 3 (Suneet Shah)http://wiki.openiam.com/pages/viewpage.action?pageId=7635198

LDAP authentication using pam_ldap and nss_ldaphttp://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html

CentOS : secure OpenLDAP traffic with SSLhttp://blog.wains.be/2007/07/13/centos-secure-openldap-traffic-with-ssl/

LDAP Migration Tools MigrationTools

http://www.padl.com/OSS/MigrationTools.html

LDAP Authentication In Linuxhttp://www.howtoforge.com/linux_ldap_authentication

PAM Pluggable Authentication Modules (PAM)

http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-pam.html

How PAM workshttp://www.tuxradar.com/content/how-pam-works

130

http://wiki.openiam.com/display/~suneet_shah

http://wiki.openiam.com/pages/viewpage.action?pageId=7635198


Vježbe__________________________________________________________

Understanding and configuring PAM (Vishal Srivistava)http://www.ibm.com/developerworks/linux/library/l-pam/index.html

NIS Configuring NIS under Red Hat Linux

http://bradthemad.org/tech/notes/redhat_nis_setup.php

iptables NAT with Linux and iptables

http://www.karlrupp.net/en/computer/nat_tutorial

Fundamentals of iptables (Rajnesh Kumar Siwal) http://www.youtube.com/watch?v=fQF2vEvqHgU

131


Vježbe__________________________________________________________

Dodatak: Mrežne postavke na Virtualboxu

132


Vježbe__________________________________________________________

133

GNU FDL License Agreement ______________________________________________________________

GNU Free Documentation LicenseVersion 1.2, November 2002 Copyright (C) 2000, 2001, 2002 Free Software Foundation, Inc.59 Temple Place, Suite 330, Boston, MA 02111-1307 USAEveryone is permitted to copy and distribute verbatim copiesof this license document, but changing it is not allowed.

0. PREAMBLE

The purpose of this License is to make a manual, textbook, or other functional and useful document "free" in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or non-commercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

This License is a kind of "copyleft", which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you". You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.

A "Modified Version" of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

A "Secondary Section" is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document's overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.

The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.

A "Transparent" copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not "Transparent" is called

134


"Opaque".

Examples of suitable formats for transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML, for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.

The "Title Page" means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements", "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when you modify the Document means that it remains a section "Entitled XYZ" according to this definition.

The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.

2. VERBATIM COPYING

You may copy and distribute the Document in any medium, either commercially or non-commercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document's license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

135


4. MODIFICATIONS

You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document, and from those of previous versions (which should, if there were any, be listed in the History section of the Document). You may use the same title as a previous version if the original publisher of that version gives permission.

B. List on the Title Page, as authors, one or more persons or entities responsible for authorship of the modifications in the Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has fewer than five), unless they release you from this requirement.

C. State on the Title page the name of the publisher of the Modified Version, as the publisher. D. Preserve all the copyright notices of the Document. E. Add an appropriate copyright notice for your modifications adjacent to the other copyright

notices. F. Include, immediately after the copyright notices, a license notice giving the public

permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.

G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts given in the Document's license notice.

H. Include an unaltered copy of this License. I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at

least the title, year, new authors, and publisher of the Modified Version as given on the Title Page. If there is no section Entitled "History" in the Document, create one stating the title, year, authors, and publisher of the Document as given on its Title Page, then add an item describing the Modified Version as stated in the previous sentence.

J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the original publisher of the version it refers to gives permission.

K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the section, and preserve in the section all the substance and tone of each of the contributor acknowledgements and/or dedications given therein.

L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.

M. Delete any section Entitled "Endorsements". Such a section may not be included in the Modified Version.

N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with any Invariant Section.

O. Preserve any Warranty Disclaimers.

If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version's license notice. These titles must be distinct from any other section titles.

You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of your Modified Version by various parties--for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

136


The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.

The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

In the combination, you must combine any sections Entitled "History" in the various original documents, forming one section Entitled "History"; likewise combine any sections Entitled "Acknowledgements", and any sections Entitled "Dedications". You must delete all sections Entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an "aggregate" if the copyright resulting from the compilation is not used to limit the legal rights of the compilation's users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document's Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.

8. TRANSLATION

Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.

If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.

9. TERMINATION

You may not copy, modify, sublicense, or distribute the Document except as expressly provided for under this License. Any other attempt to copy, modify, sublicense or distribute the Document is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such

137


parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License "or any later version" applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

138

l220: advanced linux system administration ii · web viewoverriding file security checks postfix...

Documents