Facultat d'Informàtica de Barcelona
Univ. Politècnica de Catalunya
Administració de Sistemes Operatius
Network services
Topics
1. Introduction to OS administration
2. Installation of the OS
3. Users management
4. Applications management
5. System monitoring
6. Maintenance of the file system
7. Local services
8. Network services
9. Protection and security
Objectives
- Knowledge
  - Main elements in a network
  - Main network services and protocols
    - Superserver, portmapper, DNS, FTP, WWW, e-mail
- Skills
  - Services configuration
    - Superserver, DNS, FTP, WWW, e-mail
Transmission systems
- Local area networks (LAN)
  - RS-232
  - Ethernet
  - Token ring
  - FDDI (optical fiber)
  - Gigabit ethernet, and 10GbE
- Wide area networks (WAN)
  - Frame relay
  - X-25
  - ATM
Protocols
- Each network has its own link protocol
  - Modem
  - Ethernet
  - Token ring
  - Gigabit ethernet
  - ATM
  - Frame relay
  - X-25
- ... and we have TCP/IP on top
IP networks and hosts
- IP network classes
  - Class A (0)
    - 1.0.0.0 - 127.0.0.0
    - 7 network bits, 24 host bits (16 million hosts - 2)
  - Class B (10)
    - 128.0.0.0 - 191.255.0.0
    - 16 network bits (16K-2 networks), 16 host bits (64K-2 hosts)
  - Class C (110)
    - 192.0.0.0 - 223.255.255.0
    - 24 network bits (2M-2 networks), 8 host bits (254 hosts in each subnetwork)
IP networks and hosts
- Network classes
  - Class D: multicast addresses (1110)
    - 224.0.0.0 - 240.0.0.0
  - Class E: reserved for future use (11110)
    - 240.0.0.0 - 248.0.0.0
  - Class F
    - 248.0.0.0 - 252.0.0.0
  - Class G
    - 252.0.0.0 - 254.0.0.0
IP networks and hosts
- IP addresses with special meanings
  - 0.0.0.0: this host
  - 0.host: host on this network
  - 127.anything: loopback (not seen on the network)
  - 255.255.255.255: LAN broadcast
  - network.255: broadcast on the specified network
- Private addresses (intranet only):
  - 10.0.0.0 - 10.255.255.255: 1 class A network
  - 172.16.0.0 - 172.31.255.255: 16 class B networks
  - 192.168.0.0 - 192.168.255.255: 255 class C networks
Subnetting
- Usually the number of machines in the same network is under 100
  - Class A and B addresses are underutilized
- Subnetting: use a portion of the host address to extend the network address
  - Can use an arbitrary number of bits, not byte-aligned
Figure: class B address 149.76.12.4; its 16 host bits (256*256 hosts) are split into 10 subnet bits (2^10 = 1024 subnets) and 6 host bits (2^6 = 64 hosts per subnet).
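The split in the figure above, worked through in code. This is an added example and not part of the slides; it takes the classful prefix from the first octet (the slides' class A/B/C rules) and borrows a chosen number of host bits for the subnet, which also lets it decide whether two hosts can talk without a gateway. The address 149.76.12.4 and the 10-bit split are the slide's; the function names are mine.

```python
import ipaddress

# Constructed from the slide's figure: class B address 149.76.12.4,
# 10 of the 16 host bits used for the subnet, 6 left for the host.


def classful_prefix(addr: str) -> int:
    """Classful network prefix length implied by the first octet (classes A/B/C)."""
    first = int(addr.split(".")[0])
    if first < 128:
        return 8    # class A: 1 network byte
    if first < 192:
        return 16   # class B: 2 network bytes
    if first < 224:
        return 24   # class C: 3 network bytes
    raise ValueError("not a class A/B/C unicast address")


def subnet_plan(addr: str, subnet_bits: int) -> dict:
    """Borrow subnet_bits from the host part of addr's classful network.

    The split need not be byte-aligned: the mask is built from the prefix length.
    """
    prefix = classful_prefix(addr) + subnet_bits
    if prefix > 30:
        raise ValueError("at least 2 host bits are needed")
    host_bits = 32 - prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    # which of the 2^subnet_bits subnets this address falls in
    subnet_index = (int(ipaddress.ip_address(addr)) >> host_bits) & ((1 << subnet_bits) - 1)
    return {
        "netmask": str(net.netmask),
        "subnet": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "subnet_index": subnet_index,
        "subnets": 1 << subnet_bits,
        "hosts_per_subnet": 1 << host_bits,    # the slide's 2^6 = 64 for 6 host bits
        "usable_hosts": (1 << host_bits) - 2,  # network and broadcast addresses excluded
    }


def same_subnet(a: str, b: str, subnet_bits: int) -> bool:
    """True when a and b share a subnet and can talk directly; otherwise a gateway is needed."""
    return subnet_plan(a, subnet_bits)["subnet"] == subnet_plan(b, subnet_bits)["subnet"]
```

With 10 subnet bits the mask is 255.255.255.192, so 149.76.12.4 and 149.76.12.5 are in the same subnet but 149.76.13.40 is not, which is exactly the situation the gateway slide below describes.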
IP address management
- IANA: Internet Assigned Numbers Authority
  - www.iana.org
- Regional Internet Registries (RIRs)
  - ARIN: American Registry for Internet Numbers
    - www.arin.net
  - RIPE NCC: Europe, Middle East and Central Asia
    - www.ripe.net
- Internet Service Providers (ISPs)
  - ESNIC: www.nic.es
    - Domains at ".es"
Gateways
- Subnets usually represent the physical structure of the network
  - An office, room, floor...
- An ethernet host is only accessible to the hosts connected to the same subnet
  - Same cable
- Gateway: host connected to several networks, with the ability to transfer information across them
Figure: two subnets, 149.76.12.x (hosts 149.76.12.4 and 149.76.12.5) and 149.76.13.x (hosts 149.76.13.40 and 149.76.13.43), joined by a gateway with interfaces 149.76.12.1 and 149.76.13.1.
Routing
- Determine where a message has to be sent given its destination address
  - The router selects the output path given the routing tables
- Association between a target IP address and a network interface
Figure: a router with interfaces eth0, eth1 and eth2 connecting the networks 149.76.12.x (hosts .4, .5, ...), 149.76.13.x (hosts .40, .43, ...) and 192.45.2.x (hosts .87, .93, ...).
IP port classification
- Privileged ports: 0 - 1023
  - Assigned by the IANA
  - Only a privileged user (root) can start services on them
- Registered ports: 1024 - 49151
  - Registered with the IANA to avoid collisions
  - Registry of the usual services associated with the ports
    - /etc/services
- Dynamic ports: 49152 - 65535
  - Used in temporary connections
  - Answers to requests
/etc/services
- Relates services with port numbers
  - DB accessed by several programs (netstat, ...)
- Line format: servicename port/protocol aliaslist
echo 7/tcp
echo 7/udp
systat 11/tcp users
systat 11/udp users
ftp-data 20/tcp
ftp-data 20/udp
# 21 is registered to ftp, but also used by fsp
ftp 21/tcp
ftp 21/udp fsp fspd
ssh 22/tcp
ssh 22/udp
telnet 23/tcp
telnet 23/udp
# 24 - private mail system
smtp 25/tcp mail
smtp 25/udp mail
domain 53/tcp
domain 53/udp
http 80/tcp www www-http
http 80/udp www www-http
Network Address Translation (NAT)
- A router translates internal IP addresses into its own address
  - Allows the use of private IP addresses while keeping connectivity with the Internet
- The router records all outgoing connections, and relates them to the inbound communications
  - Outgoing connection:
    - 192.168.1.25 (port 1085) -> 212.106.192.142 (1085)
  - Inbound communication:
    - 212.106.192.142 (1085) -> 192.168.1.25 (1085)
NAT, side effects
- Internal addresses are not visible from outside
  - Only the router can be attacked
  - Network security depends on router security and good maintenance
- Internal machines cannot offer services to the Internet
  - Except when Port Address Translation (PAT) is enabled
- Impact on network performance
  - All Internet connections go through the router
  - Each packet requires a certain CPU time
- Some services cannot be used behind NAT
  - When they have incoming connections
  - FTP, IRC, Netmeeting...
Port Address Translation (PAT)
- Indicate to the router implementing NAT that some incoming connections must be redirected to internal machines
  - Mapping router ports to ports on a local machine
Figure: a NAT router with public address 212.16.13.84 (Internet side) and internal address 192.168.12.1 accepts ports 22, 25 and 80; ports 25 and 80 are mapped to 192.168.12.4 and port 22 to 192.168.12.5.
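The NAT table and the PAT mapping from the last three slides, simulated together. This is an added example, not code from the slides or from any router; it assumes the public address 212.16.13.84 and the port mappings from the PAT figure, and the outgoing connection from the NAT slide. It records each outgoing connection together with its remote endpoint, so an inbound packet is only let through when it is a reply to a recorded connection or arrives on a statically mapped port.

```python
class NatRouter:
    """Stateful NAT with an optional static PAT table (added example, not a real router)."""

    def __init__(self, public_ip, pat_map=None):
        self.public_ip = public_ip
        # dynamic table: public port -> (internal ip, internal port, remote ip, remote port)
        self.table = {}
        # static PAT: public port -> (internal ip, internal port)
        self.pat_map = dict(pat_map or {})
        self.next_free = 1024

    def _public_port(self, preferred):
        """Keep the internal source port when it is free (as in the slide), else pick a free one."""
        if preferred not in self.table and preferred not in self.pat_map:
            return preferred
        while self.next_free in self.table or self.next_free in self.pat_map:
            self.next_free += 1
        port = self.next_free
        self.next_free += 1
        return port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet; returns (src ip, src port, dst ip, dst port) as sent."""
        for pub_port, entry in self.table.items():
            if entry == (src_ip, src_port, dst_ip, dst_port):
                return (self.public_ip, pub_port, dst_ip, dst_port)   # existing connection
        pub_port = self._public_port(src_port)
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet addressed to the public address.

        Returns (internal ip, internal port), or None when the packet is dropped:
        only replies to recorded connections or statically mapped ports get in.
        """
        entry = self.table.get(dst_port)
        if entry is not None and (entry[2], entry[3]) == (src_ip, src_port):
            return (entry[0], entry[1])
        if dst_port in self.pat_map:
            return self.pat_map[dst_port]
        return None


# Constructed from the PAT figure: ports 25 and 80 to 192.168.12.4, port 22 to 192.168.12.5.
ROUTER = NatRouter("212.16.13.84", {22: ("192.168.12.5", 22),
                                    25: ("192.168.12.4", 25),
                                    80: ("192.168.12.4", 80)})
```

The `None` result for an unsolicited packet is the "internal machines cannot offer services" side effect; the PAT entries are the exception the slide mentions, and they are also the only public ports an outside host can reach without the internal machine speaking first.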
Firewalls
- Server that determines which communications can be established between two networks
  - Typically works at link level
  - Does not know the application
- It can keep state
  - Allows related connections and inbound connections
(Firewall == security) ?
- Firewalls are supplementary elements enforcing system security
  - Their use can just offer a false idea of security
- Other aspects related to security cannot be relaxed because of the use of a firewall
- Other security tools in the local network and servers are still necessary
Server types (type of services)
- Connection oriented
  - The server keeps session state
  - Increased performance
  - Low fault tolerance
- Non-connection oriented
  - No session state
  - There are no sessions
  - Requests must be self-contained
    - Client requests must carry all the information needed, as there is no session
  - Increased fault tolerance
Server types (authoritative)
- Primary
  - Keeps the main copy of the information
    - In case of divergence, the service relies on the primary server
  - One for each service
- Secondary
  - Keep copies of the information
    - Updated periodically to/from the primary server
  - Several for each service
    - Allow load balancing
    - Can be used as backup in case the primary server fails
Server types (authoritative)
- Cache servers (and/or proxies)
  - Keep copies of the most-used information
  - Several for each service are possible
    - Performance benefits
  - They can incorporate tasks related to security, filtering, log...
Superserver (inetd)
- An active service uses resources, even when it is not being used
  - For services that are not used so often...
    - telnet, ftp, ssh...
- The superserver listens on all active ports, and activates the service only when necessary
  - Receives the request
  - Starts the associated server
  - Transfers the request to it
- Limitations
  - It cannot keep information among connections
  - Process creation overhead
    - Not really important when the service is started sporadically
/etc/inetd.conf
- Specifies the services listened to by the superserver
  - Service (port) to listen on (in /etc/services)
  - Protocol
  - User/group
  - Binary to execute to start the service
  - Arguments (arg0 = process name, ...)
# If you make changes to this file, either reboot your machine or send the
# inetd a HUP signal: Do a "ps x" as root and look up the pid of inetd. Then do a "kill -HUP <pid of inetd>".
# The inetd will re-read this file whenever it gets that signal.
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# The first 4 services are really only used for debugging purposes, so
# we comment them out since they can otherwise be used for some nasty
# denial-of-service attacks. If you need them, uncomment them.
# echo stream tcp nowait root internal
# discard stream tcp nowait root internal
...
/etc/inetd.conf
- Services typically started by inetd
# File Transfer Protocol (FTP) server:
#ftp stream tcp nowait root /usr/sbin/tcpd proftpd
# Telnet server:
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
# The comsat daemon notifies the user of new mail when biff is set to y:
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
# Shell, login, exec and talk are BSD protocols
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
# POP and IMAP mail servers
#
# Post Office Protocol version 3 (POP3) server:
#pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popa3d
# Internet Message Access Protocol (IMAP) server:
#imap2 stream tcp nowait root /usr/sbin/tcpd imapd
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers."
# tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot -r blksize
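A parser for the file format shown in the two listings above, followed by the checks an administrator would run before leaving an inetd.conf in place: which lines are actually active, which of the built-in debugging services the sample file warns about are enabled, which handlers run as root, and which are started without the tcpd wrapper. This is an added example, not code from the slides or from inetd; the excerpt is constructed in the listing's own format (the tftp line is changed to run as nobody so that both cases appear).

```python
# Constructed /etc/inetd.conf excerpt in the format the slide shows:
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
SAMPLE_INETD_CONF = """\
# echo   stream  tcp  nowait  root    internal
discard  stream  tcp  nowait  root    internal
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd       proftpd
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd       in.telnetd
comsat   dgram   udp  wait    root    /usr/sbin/tcpd       in.comsat
tftp     dgram   udp  wait    nobody  /usr/sbin/in.tftpd   in.tftpd -s /tftpboot
"""

# The built-in debugging services the sample file comments out because of DoS abuse.
DEBUG_INTERNAL = {"echo", "discard"}


def parse_inetd_conf(text):
    """Active (uncommented) service lines as dicts; inetd listens on a port for each of them."""
    services = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                      # not a complete service line
        services.append({"service": fields[0], "sock_type": fields[1], "proto": fields[2],
                         "flags": fields[3], "user": fields[4],
                         "server": fields[5], "args": fields[6:]})
    return services


def audit_inetd(services):
    """(service, code) findings to review: internal-debug, runs-as-root, no-tcpd."""
    findings = []
    for s in services:
        if s["server"] == "internal" and s["service"] in DEBUG_INTERNAL:
            findings.append((s["service"], "internal-debug"))
        if s["server"] != "internal" and s["user"] == "root":
            findings.append((s["service"], "runs-as-root"))
        if s["server"] != "internal" and not s["server"].endswith("/tcpd"):
            findings.append((s["service"], "no-tcpd"))   # started without the TCP wrapper
    return findings
```

Because inetd only re-reads the file on a HUP signal, the parser output is also a quick way to confirm what the running superserver will offer after the signal is sent.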
Remote Procedure Calls (RPC)
- Remote execution of routines
  - Identified by a service and request numbers
- RPC servers
  - Implement a set of remote routines
  - Listen on a dynamic port
- Portmapper
  - Registers the RPC servers
  - Associates port number with the server routines
  - Needed by other services
    - NFS, NIS...
Portmapper
- All state is kept in main memory
  - In case of failure, all RPC servers must be restarted too
  - All RPC servers are registered in the portmapper when started
Figure: the server registers its service with the portmapper (num, port); the client requests the service (num) from the portmapper, receives the port, sends the RPC to the server and gets the result.
Domain Name System (DNS)
- Translates machine names to IP addresses
  - Hostname -> IP address
  - IP address -> hostname
- Difficulties
  - High number of machines connected to the Internet!!
  - High number of changes in machines and names
- Solution
  - Hierarchical distribution of the information
  - Domains
  - Domain authority is delegated to the domain itself
DNS: how it works
- Authority is delegated
  - Each domain administers its own server
  - Root servers are known to all domains
  - Domain server known to the domain
- Iterative name resolution
Figure: iterative resolution of www.google.com. The PC finds its DNS server in /etc/resolv.conf and asks it "www.google.com?"; the server asks a root server (a.root-servers, b.root-servers, ...) and is referred to ".com"; it asks the .com servers "www.google?" and is referred to ".google" (NS3.GOOGLE.COM); it asks that server "www?" and gets the answer "www" = 216.239.36.10. Other names shown in the figure: internic.net, iana.org, alldomains.com.
DNS: RFCs 1034/1035
DNS: service efficiency
- Convenient use of caches (cache servers)
  - High temporal locality
    - Avoid repeating the same search again and again
  - High spatial locality
    - Avoid continuously visiting the root servers
    - Reduce the number of steps in an iterative search
DNS: service efficiency
- DNS can be used for load balancing of other services
  - Add several IP addresses for the same hostname
  - Each answer replies with a different IP address
    - Round Robin, "geographical" criteria...
- Example
  - www.google.com, from different locations
;; ANSWER SECTION:
www.google.com. 693 IN CNAME www.l.google.com.
www.l.google.com. 93 IN A 66.249.85.104
www.l.google.com. 93 IN A 66.249.85.99
;; ANSWER SECTION:
www.google.com. 900 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 64.233.161.99
www.l.google.com. 300 IN A 64.233.161.104
www.l.google.com. 300 IN A 64.233.161.147
DNS client configuration
- /etc/host.conf
  - Indicates where hostnames are searched, and the search order
- /etc/hosts
  - Translations for local machines
- /etc/resolv.conf
  - Domains that should be automatically searched, and
  - IP addresses of the local domain DNS servers
DNS server configuration
- /etc/named.conf
  - Defines...
    - DNS domains
    - IP address ranges
  - Indicates whether a machine has the primary, a secondary or a cache server
- Files giving direct translation
  - name.domain -> IP address
  - 1 file for each administered domain
- Files giving reverse translation
  - IP address -> name.domain
  - 1 file for each IP address range
DNS record types
- SOA (Start of Authority)
  - Serial number (to record information updates)
  - Times for retry and update of information
  - Expiration time
  - Minimum TTL (time-to-live)
DNS record types
- A – Direct translation
  - Hostname -> IP address
  - romeu IN A 147.83.32.4
- CNAME – alias name
  - hostname -> alias_hostname
  - romeu IN CNAME lp_romeu
- PTR – reverse translation
  - IP address -> DNS hostname
  - 4 IN PTR romeu.ac.upc.edu.
DNS record types
- NS – domain delegation
  - DNS domain -> server IP address
  - ac IN NS 147.83.32.3
- MX – mail exchanger
  - DNS domain -> mail server IP address
  - ac IN MX 147.83.33.10
- And others...
  - HINFO, WKS, ...
DNS configuration example
- Domain "ac.upc.edu", as a primary server
/etc/named.conf
options {
        directory "/var/named";
        // query-source address * port 53;
};
zone "ac.upc.edu" IN {
        type master;
        file "ac.zone";
        allow-update { none; };
};
zone "3.168.192.in-addr.arpa" IN {
        type master;
        file "3.168.192.zone";
        allow-update { none; };
};
DNS configuration example
- Domain "ac.upc.edu"
/var/named/ac.zone
$TTL 86400
@ 1D IN SOA pcxavim.ac.upc.edu. root.pcxavim.ac.upc.edu. (
42 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
pcxavim 1D IN A 192.168.3.1
pcxavim2 1D IN A 192.168.3.250
;
laptop1 1D IN CNAME pcxavim
laptop2 1D IN CNAME pcxavim2
/var/named/3.168.192.zone...
...
1D IN NS @
1 1D IN PTR pcxavim.ac.upc.edu.
250 1D IN PTR pcxavim2.ac.upc.edu.
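A parser for zone files in the format of the two listings above, with the consistency checks that catch the usual mistakes in hand-maintained zones: a CNAME pointing at a name that does not exist, and a host in the forward zone with no PTR in the reverse zone. This is an added example and not code from the slides or from named; the zone texts are constructed copies of the listings (the reverse zone's SOA, elided on the slide, is left out), and the parser assumes the `ttl IN type rdata` record layout the listings use.

```python
import ipaddress

# Constructed copies of the slide's zone files (comments abbreviated).
FORWARD_ZONE = """\
$TTL 86400
@        1D IN SOA pcxavim.ac.upc.edu. root.pcxavim.ac.upc.edu. (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
         1D IN NS    @
pcxavim  1D IN A     192.168.3.1
pcxavim2 1D IN A     192.168.3.250
;
laptop1  1D IN CNAME pcxavim
laptop2  1D IN CNAME pcxavim2
"""

REVERSE_ZONE = """\
         1D IN NS  @
1        1D IN PTR pcxavim.ac.upc.edu.
250      1D IN PTR pcxavim2.ac.upc.edu.
"""


def _logical_lines(text):
    """Yield one record per line, joining the parenthesised multi-line SOA and dropping ; comments."""
    pending = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if pending is not None:
            pending += " " + line.strip()
            if ")" in line:
                yield pending
                pending = None
        elif "(" in line and ")" not in line:
            pending = line
        else:
            yield line


def fqdn(name, origin):
    """Expand a zone-file name: '@' is the origin, relative names get the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Records as dicts (owner, ttl, type, rdata); a leading blank means 'same owner as before'."""
    records, owner = [], "@"
    for line in _logical_lines(text):
        if line.startswith("$"):
            continue                      # $TTL default: every record here carries its own TTL
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():
            owner = tokens.pop(0)
        ttl, _cls, rtype, *rdata = tokens
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [fqdn(r, origin) for r in rdata]
        records.append({"owner": fqdn(owner, origin), "ttl": ttl, "type": rtype, "rdata": rdata})
    return records


def expected_ptrs(forward, rev_origin, prefix):
    """PTR (owner, target) pairs required by the A records inside a /24 prefix."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != 24:
        raise ValueError("this example handles /24 reverse zones only")
    ptrs = []
    for r in forward:
        if r["type"] == "A" and ipaddress.ip_address(r["rdata"][0]) in net:
            ptrs.append((f"{r['rdata'][0].split('.')[-1]}.{rev_origin}", r["owner"]))
    return sorted(ptrs)


def check_zones(forward, reverse, rev_origin, prefix):
    """Dangling CNAMEs in the forward zone and hosts without a PTR in the reverse zone."""
    problems = []
    owners = {r["owner"] for r in forward}
    for r in forward:
        if r["type"] == "CNAME" and r["rdata"][0] not in owners:
            problems.append(f"dangling CNAME {r['owner']} -> {r['rdata'][0]}")
    present = {(r["owner"], r["rdata"][0]) for r in reverse if r["type"] == "PTR"}
    for ptr in expected_ptrs(forward, rev_origin, prefix):
        if ptr not in present:
            problems.append(f"missing PTR {ptr[0]} -> {ptr[1]}")
    return problems
```

Remember that named only notices an edited zone when the SOA serial (the `42` above) is increased; the parser exposes it as the third rdata field of the SOA record so a script can compare it against the previously loaded value.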
Activity
- In groups, discuss
  - We have 3 servers (server1, server2 and server3) with these records
    - server1 IN A 123.123.123.1
    - server2 IN A 123.123.123.2
    - server3 IN A 123.123.123.3
  - We want to add the following service hostnames:
    - www in server1 (server2 is the www backup)
    - ftp in server1 and server2
    - incoming/outgoing e-mail in server3
  - Which new records would you add?
DNS-related tools
- whois domain
  - Retrieves contact information about the domain
- dig [@server] request
  - Requests DNS records
  - Several parameters can be controlled
    - Server, record type, recursive/iterative resolution...
  - Provides the records associated with the request
    - Can provide debugging information
Dynamic Host Configuration (DHCP)
- Automates the distribution of network information to hosts
  - IP address to be used
  - Current network location
- The machine can be unknown to DHCP
  - Guest machines accessing an organization
  - It is assumed that having the ability to connect the machine authorizes the user to access the network
    - MAC-level access control can be implemented
- IP addresses are obtained from address sets defined by the administrator
Dynamic Host Configuration (DHCP)
- Usually the DHCP server supports BOOTP
  - Internet Bootstrap Protocol
  - Provides information for a machine to boot properly
    - Boot file (with size), operating system
    - DNS domain name, domain name servers
    - Host name, IP address, and network mask
    - List of gateways
    - Root directory for the OS
    - ...
Dynamic Host Configuration (DHCP)
- Example: /etc/dhcpd.conf
ddns-update-style none;
subnet 192.168.3.0 netmask 255.255.255.0 {
range 192.168.3.9 192.168.3.250;
default-lease-time 28800 ; max-lease-time 57600;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.3.255;
option routers 192.168.3.1;
option domain-name-servers 192.168.3.1;
option domain-name "ac.upc.edu";
}
host pcxavim2 {
hardware ethernet 00:03:47:B8:69:62;
# fixed-address 192.168.3.2;
}
Figure: the subnet mask and address go to ifconfig, the routers option to route, and the domain name and name servers into /etc/resolv.conf on the client.
DHCP: RFC 2131
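The address pool that the `subnet` declaration above describes, simulated as a lease allocator: addresses come from the `range`, leases last `default-lease-time` unless the client asks for more (capped at `max-lease-time`), renewals keep the same address, expired leases return to the pool, and a `host` declaration with a MAC address always gets its reserved address. This is an added example, not code from the slides or from dhcpd; it treats the commented-out `fixed-address` line of `pcxavim2` as if it were enabled, and the MACs `aa`, `bb`, ... in the test are constructed placeholders.

```python
import ipaddress


class DhcpPool:
    """Lease allocation for one subnet declaration (added example, not dhcpd's code)."""

    def __init__(self, first, last, default_lease, max_lease, fixed=None):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.addresses = [str(ipaddress.ip_address(n)) for n in range(lo, hi + 1)]  # the range
        self.default_lease = default_lease
        self.max_lease = max_lease
        self.fixed = dict(fixed or {})   # MAC -> fixed-address from host declarations
        self.leases = {}                 # MAC -> (address, expiry time in seconds)

    def _expire(self, now):
        for mac in [m for m, (_, expiry) in self.leases.items() if expiry <= now]:
            del self.leases[mac]

    def offer(self, mac, now, requested=None):
        """(address, expiry) for mac at time now, or None when the pool is exhausted."""
        lease = min(requested or self.default_lease, self.max_lease)
        if mac in self.fixed:                      # known machine: always its reserved address
            return self.fixed[mac], now + lease
        self._expire(now)
        if mac in self.leases:                     # renewal keeps the current address
            address = self.leases[mac][0]
        else:
            in_use = {a for a, _ in self.leases.values()} | set(self.fixed.values())
            free = [a for a in self.addresses if a not in in_use]
            if not free:
                return None
            address = free[0]
        self.leases[mac] = (address, now + lease)
        return address, now + lease


# Constructed from the slide's dhcpd.conf: range 192.168.3.9-250, 28800/57600 s leases,
# and pcxavim2's MAC reserved to 192.168.3.2 (assuming its fixed-address line is enabled).
POOL = DhcpPool("192.168.3.9", "192.168.3.250", 28800, 57600,
                {"00:03:47:B8:69:62": "192.168.3.2"})
```

Because every lease lives only in the server's memory here, the simulation also shows what the activity below is about: if this process dies and restarts with an empty `leases` table it will happily hand out addresses that other clients still hold, which is why a real server persists its lease file and why a second server needs a way to share that state.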
Dynamic Host Configuration (DHCP)
- It is possible to update the DNS records when DHCP assigns a new IP address
Figure: dhcpd sends dynamic updates for the zones "ac.upc.edu" and "3.168.192..." to the DNS server (named).
/etc/dhcpd.conf
ddns-update-style interim;
key DHCP_UPDATER {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret pRP5FapFoJ95JEL06sv4PQ==;
};
zone ac.upc.edu. {
primary 192.168.3.1;
key DHCP_UPDATER;
}
/etc/named.conf
key DHCP_UPDATER {
        ... /* Same algorithm and secret key */
};
zone ac.upc.edu. {
        type master;
        file "ac.zone";
        allow-update { key DHCP_UPDATER; };
};
...
Activity
- In groups, discuss
  - How can we correctly implement DHCP when the server machine can suffer failures?
  - Which kinds of problems do we need to solve?
  - Are they already implemented in DHCP?
Hypertext Transfer Protocol (HTTP)
- Data transfer service
  - Non-connection oriented
  - Clients have no state in the server
  - Each request is self-contained
  - Even so, it uses TCP!!
Figure: the client connects to httpd (connect/accept), sends "GET /path/to/file" and receives the file contents.
HTTP/1: RFC 2616
Apache Web Server (httpd 2.x)
- http 2.x protocol
  - /etc/httpd/httpd.conf
- Execution as a non-privileged user
- Parallelism through processes/threads
  - Several concurrent requests
  - Process/thread number configurable
- Specific configuration options at directory level
- Virtual domains
  - Separation by IP address
  - Separation by DNS name (http v1.1)
File Transfer Protocol (FTP)
- Data transfer service
  - Connection oriented
- Control connection
  - Remembers the state between requests
    - cwd/put/get
- Data connection
  - active / passive
  - New connection for each file transfer
Figure: the client sends a command to ftpd over the control connection and receives <ok / error>; the file contents travel over a separate data connection.
FTP: RFC 959
FTP configuration
- Different for each server
  - wu-ftpd, proftpd, vsftpd...
- /etc/ftpusers
  - Lists users that can NOT access the machine by FTP
    - root
- Option chroot <directory>
  - Anonymous FTP
  - Changes the file system root for the server process only, onto the given directory
    - Avoids access to the full file system
    - Basic commands must be available in <directory>
      - /etc, /bin
      - ls, ...
  - It can be useful for regular users
Simple Mail Transfer Protocol (SMTP)
- Elements composing the e-mail subsystem
  - MUA - Mail User Agent
    - User application to read/write e-mail
  - MSA - Mail Submission Agent
    - Application that transfers e-mail from the client to the MTA
    - It checks for errors before the mail is sent to the Internet
  - MTA - Mail Transport Agent
    - Application relaying the e-mail across machines
  - Delivery Agent
    - Application on the target machine that saves the e-mail in the user mailbox
    - Mailbox: file or database storing the mail
  - Access Agent
    - Application allowing the user to access his/her mail
Components of SMTP
Figure: MUAs (outlook, mutt) hand mail to an MSA (sendmail/ssmtp) over SMTP/SSMTP; the local MTA (sendmail) relays it over SMTP through the Internet to the remote MTA (postfix); a delivery agent (procmail, mail.local) stores it in the mbox, from where an access agent or MUA (mutt) reads it over POP or IMAP.
SMTP: RFC 821
Contents of an e-mail
- Envelope
  - Destination of the e-mail (user mail address)
  - Source of the e-mail (user mail address)
  - Usually not visible to users
- Headers
  - Collection of message properties
    - Sent date
    - Origin, destination
      - They can be different from the ones in the envelope!
    - List of hosts through which the e-mail has passed
- Message body
  - ASCII text (7 bits)
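The envelope/header distinction made concrete. This is an added example, not code from the slides; the message and its envelope are constructed (addresses in the example.* and documentation ranges, a fictitious `mx.ac.upc.edu` relay), and the standard library's `email` package does the header parsing. It compares the envelope sender with the `From:` header, lists envelope recipients that appear in no header (a Bcc, or a forged envelope), and walks the `Received:` headers back to the first host.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample: what the MTA saw on the wire (envelope) and the message it received.
ENVELOPE = {"mail_from": "bounce@example.net",
            "rcpt_to": ["alice@ac.upc.edu", "bob@ac.upc.edu"]}

RAW_MESSAGE = """\
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.ac.upc.edu with ESMTP id 4242
Received: from client.example.org ([198.51.100.7])
\tby relay.example.net with SMTP
From: "Accounts" <accounts@ac.upc.edu>
To: alice@ac.upc.edu
Date: Mon, 01 Jan 2007 10:00:00 +0100
Subject: Test

Body text (7-bit ASCII).
"""


def received_path(msg):
    """Hosts the message passed through, oldest first (each MTA prepends its own Received header)."""
    hosts = []
    for value in msg.get_all("Received", []):
        words = value.split()
        if len(words) >= 2 and words[0] == "from":
            hosts.append(words[1])
    return list(reversed(hosts))


def summarize(envelope, raw):
    """Compare the envelope view (envelope dict) with the header view (parsed message) of one mail."""
    msg = message_from_string(raw)
    header_from = parseaddr(msg.get("From", ""))[1]
    header_rcpts = {addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    return {
        "envelope_from": envelope["mail_from"],
        "header_from": header_from,
        "from_mismatch": header_from != envelope["mail_from"],          # the slide's "!"
        "rcpt_not_in_headers": [r for r in envelope["rcpt_to"] if r not in header_rcpts],
        "path": received_path(msg),
        "body_is_7bit": all(ord(c) < 128 for c in msg.get_payload()),   # ASCII body, as SMTP expects
    }
```

A mismatch between envelope sender and `From:` is normal for mailing lists and bounces, so on its own it is a signal to look at the path, not a verdict; the `Received:` chain shows which hosts actually handled the message.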
E-mail client configuration
- E-mail reception
  - Accessing a local mailbox
  - Accessing a remote mailbox (Access Agent)
    - POP
      - E-mail transmission from the server to a local mailbox
    - IMAP
      - Access to the remote mailbox
- Sending e-mail
  - SMTP server
E-mail server configuration
- Sending e-mail - sendmail
  - Messages sent directly to the receiver
    - Local user destination: finds the MX record in DNS
      - [email protected]
  - Otherwise, sent through a mail relay
    - There is no direct access to the receiver
- Receiving e-mail
  - E-mails saved locally
    - POP, IMAP to the same server
  - Mail relay to an external server
    - POP, IMAP to a remote server
E-mail server configuration
- E-mail aliases allow...
  - Redirecting e-mails to another destination
    - Possibly on a different machine
  - Users with several names
    - root, www, postmaster, webmaster -> usuari@machine
  - Storing the e-mails into a file
    - spam: /dev/null
  - Sending e-mail to a program
    - autoftp: "| /usr/bin/ftpserver"
  - Defining mailing lists
    - But there are better ways to do it
      - Majordomo, Mailman, ListProc, SmartList, ...
E-mail server configuration
- E-mail aliases
  - Defined in /etc/aliases or /etc/mail/aliases
  - Compiled with
    - $ newaliases
- Command execution in aliases
  - Smrsh execution environment
    - Restricted shell for sendmail
    - Only commands in specific directories can be executed
      - /etc/smrsh or /usr/adm/sm.bin
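An aliases resolver for the file format of the two slides above, plus the check smrsh performs on program aliases. This is an added example, not code from the slides or from sendmail; the aliases text is constructed from the slides' own entries, and the set `SMRSH_COMMANDS` stands in for a directory listing of /etc/smrsh (smrsh takes the basename of the command after `|` and accepts it only if a file of that name exists there). Alias chains are followed recursively with loop detection, which `newaliases` also needs.

```python
import csv
import posixpath

# Constructed /etc/aliases excerpt, using the slides' examples.
SAMPLE_ALIASES = """\
# name: target[, target...]
postmaster: root
webmaster:  root
www:        root
root:       usuari@machine
spam:       /dev/null
autoftp:    "| /usr/bin/ftpserver"
backup:     "| /usr/local/bin/backup-mail"
staff:      usuari@machine, webmaster
"""

# Constructed listing of /etc/smrsh: only programs with these basenames may follow "|".
SMRSH_COMMANDS = {"backup-mail", "procmail"}


def parse_aliases(text):
    """name -> [targets]; comments and lines without a colon are ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, targets = line.split(":", 1)
        # csv handles the quoting of "| command" targets that contain spaces
        fields = next(csv.reader([targets.strip()], skipinitialspace=True))
        table[name.strip()] = [t.strip() for t in fields if t.strip()]
    return table


def expand(table, name, path=frozenset()):
    """Final delivery targets for name: addresses/mailboxes, files (/...) or programs (|...)."""
    if name in path:
        raise ValueError(f"alias loop through {name}")
    if name not in table:
        return {name}                     # a real local user or a remote address
    result = set()
    for target in table[name]:
        if target[0] in "|/" or "@" in target:
            result.add(target)
        else:
            result |= expand(table, target, path | {name})
    return result


def smrsh_violations(table, allowed=SMRSH_COMMANDS):
    """Program aliases smrsh would refuse because the command is not in its directory."""
    bad = []
    for name, targets in table.items():
        for target in targets:
            if target.startswith("|"):
                command = target[1:].strip().split()[0]
                if posixpath.basename(command) not in allowed:
                    bad.append((name, command))
    return bad
```

Run before `newaliases`, `smrsh_violations` tells you which program aliases will fail at delivery time rather than at compile time, and `expand` shows where mail to `postmaster` or `www` really ends up.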
Security configuration
- User authentication
  - E-mail servers do not ask for username and password by default
    - SASL can be added
  - Envelopes may be false/incorrect on purpose
    - SPAM...
- E-mail relays
  - The server will always try to send the e-mail to the destination
    - Open relays -> SPAM
Security considerations
- E-mail confidentiality
  - E-mails travel with no encryption (plain text)
  - TLS (SSL) is only between MUA and MTA
    - MTA-MTA transfers use no encryption
  - Users are responsible for any encryption
    - PGP - Pretty Good Privacy
      - For message encryption
      - User signature check
      - Based on public key algorithms
Security considerations
- Installing e-mail filters
  - Anti-spam
    - SpamAssassin, grey lists, black lists, ...
  - Anti-virus
    - Clam AV, Amavis, f-prot, ...
Activity
- In groups
  - We have installed a spam filter... whenever an e-mail with such characteristics is detected, which action will be taken?
  - And what would be the appropriate action for an e-mail containing a virus?
Post Office Protocol (POP)
- Allows users to access the incoming mailbox
  - Transfers the e-mails to the local machine
  - User authentication with no encryption
    - pop3s works encrypted on top of SSL
POP3: RFC 1939
Internet Message Access (IMAP)
- Allows users to manage their mailbox
  - Remote management
  - User authentication
    - Allows encryption
    - imaps on top of SSL
IMAP: RFC 3501
Secure Shell
- Replaces the old rsh/rlogin and telnet services
  - Adds security
- User authentication based on RSA or DSA
  - User clients sign the session identifier with the private key
  - The server uses the public key (.ssh/authorized_keys) to check whether the signature is correct
  - Password-based authentication can also be used
- Encrypts the information sent through the connection
  - Confidentiality: 3DES, Blowfish...
  - Integrity: hmac-md5...
Secure Shell
- The server executes the command or the user's command-line interpreter
  - With the user's credentials
- Transparent session
  - When the characteristics of the connection do not require the use of a pseudo-terminal
  - Useful for binary data transfers
- Login session
  - Can include TCP and/or X11 forwarding
    - DISPLAY=hostname:10.0
SSH: RFC 2434(?)
Activity
- In groups
  - Secure shell allows the implementation of secure data transfers
  - How would you implement secure copy and secure file transfer on top of ssh?
Radius
- Offers remote authentication for users
- Allows the configuration of a user DB with...
  - Name
  - Password
  - Different properties
- Includes accounting of login time for each user
- Other servers/devices use it to authenticate users
  - routers
  - dial-ups
Network File System (NFS)
- Allows access to files on a remote machine
  - Keeps the semantics of the local file system
  - Transparent to the user
  - Implemented on top of RPCs
Figure: the NFS client's OS forwards open/close, read/write, ... over the NFS protocol to the NFS server's OS, which performs them on its shared disk; the client keeps its own local disk.
Mount remote NFS
- The remote directory is seen as if it were local
Figure: the NFS server's shared disk mounted on the client at /home; the client's root / holds usr on its local disk and home on the remote shared disk.
Access permissions
- Convenient to have the same UIDs on both remote and local machines
  - File systems keep UIDs, not usernames
- Automatic translation of UIDs
  - Special users
    - root, nobody
  - Options
    - no_root_squash: root can su to any user!
    - all_squash: all remote users become nobody
      - Fewer access privileges
  - nobody itself can be redefined according to /etc/passwd
    - anonuid=UID,anongid=GID
NFS server configuration
- /etc/exports
  - Exported directory
  - Authorized machines + flags
    - rw, ro
    - root_squash, no_root_squash
# sample /etc/exports file
/ master(rw) trusty(rw,no_root_squash)
/projects proj*.local.domain(rw)
/usr *.local.domain(ro) @trustedgroup(rw)
/home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
/pub (ro,insecure,all_squash)
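A parser for the exports format above with two things built on it: the UID mapping the previous slide describes (root squashing by default, `all_squash` to the anonymous user, `anonuid` overriding who that user is) and a review of the sample file for the entries an administrator would want to look at twice. This is an added example, not code from the slides or from nfsd; the exports text is a copy of the slide's sample, and 65534 is assumed as the default anonymous UID (Linux nfsd's default for `nobody`).

```python
import re

# Constructed copy of the slide's sample /etc/exports.
SAMPLE_EXPORTS = """\
# sample /etc/exports file
/               master(rw) trusty(rw,no_root_squash)
/projects       proj*.local.domain(rw)
/usr            *.local.domain(ro) @trustedgroup(rw)
/home/joe       pc001(rw,all_squash,anonuid=150,anongid=100)
/pub            (ro,insecure,all_squash)
"""

NOBODY_UID = 65534   # assumed default anonuid (Linux nfsd's "nobody")

# host(opt,opt)  |  (opt,opt) with no host  |  bare host without options
_CLIENT = re.compile(r"(\S*?)\(([^)]*)\)|(\S+)")


def parse_exports(text):
    """[(path, [(client, [option, ...]), ...]), ...]; client '*' means every host."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        path, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        clients = []
        for m in _CLIENT.finditer(rest):
            if m.group(3) is not None:
                clients.append((m.group(3), []))
            else:
                clients.append((m.group(1) or "*", [o for o in m.group(2).split(",") if o]))
        exports.append((path, clients))
    return exports


def effective_uid(options, uid):
    """UID the server acts with for a request that arrives carrying uid."""
    anon = NOBODY_UID
    for o in options:
        if o.startswith("anonuid="):
            anon = int(o.split("=", 1)[1])
    if "all_squash" in options:
        return anon                       # every remote user becomes the anonymous user
    if uid == 0 and "no_root_squash" not in options:
        return anon                       # root_squash is the default
    return uid


def audit_exports(exports):
    """(path, client, note) triples for entries worth a second look."""
    findings = []
    for path, clients in exports:
        for host, opts in clients:
            if host == "*":
                findings.append((path, host, "exported to every host"))
            elif "*" in host or "?" in host:
                findings.append((path, host, "wildcard client pattern"))
            if "no_root_squash" in opts:
                findings.append((path, host, "remote root keeps uid 0"))
            if "insecure" in opts:
                findings.append((path, host, "requests accepted from non-privileged source ports"))
            if path == "/" and "rw" in opts:
                findings.append((path, host, "whole file system writable"))
    return findings
```

The `trusty(rw,no_root_squash)` entry on `/` is the combination the previous slide warns about: root on `trusty` can write any file on the server, and therefore become any user there.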
SMB - Samba
- Allows the export of...
  - Files
  - Printers
- Access control at the level of each user
  - Username and password authentication
    - Not based on the UID, but on the username
  - Password transmission
    - Plain text/encrypted
- Access control at the level of machines
  - Cannot set different permissions depending on the machine accessing the files
    - Can be implemented using different resource names, each exported to the appropriate machines
LDAP
- Lightweight Directory Access Protocol
  - Allows access to a DB with user information
    - Username, password...
  - In directory service format (X.500)
- Offers a mechanism to authenticate users
  - /etc/passwd, /etc/shadow, /etc/group...
  - ... can be downloaded into the LDAP DB
- It can be integrated into the system, so that the regular commands can access it, in addition to the usual files