SUSE Linux Enterprise Server Administration (Course 3037)

Chapter 9 Enable Internet Services

Objectives

• Configure SUSE Linux Enterprise Server Time

• Enable a Web Server (Apache)

• Enable the Extended Internet Daemon (xinetd)

• Enable an FTP Server

Configure SUSE Linux Enterprise Server Time

• Objectives
  – SUSE Linux Enterprise Server Time Overview
  – How to Synchronize Time with hwclock and netdate
  – What Network Time Protocol (NTP) Is
  – How to Synchronize Time with NTP

SUSE Linux Enterprise Server Time Overview

• Hardware clock and system clock
  – Hardware clock
    • Runs independently of any control program
    • Part of the ISA standard
    • Also called the BIOS clock or CMOS clock
  – System time
    • Time kept by a clock inside the Linux kernel
    • Driven by a timer interrupt
    • Number of seconds since 00:00:00 January 1, 1970, UTC
    • Synchronized to the hardware clock when Linux first starts

SUSE Linux Enterprise Server Time Overview (continued)

• Hardware clock and system clock (continued)
  – date and adjtimex commands
    • Adjust system time
  – ntpd
    • Regulates the system clock
  – hwclock command
    • Sets the hardware clock
  – Linux kernel maintains local time zone for the system

SUSE Linux Enterprise Server Time Overview (continued)

• GMT (UTC) and local time
  – UTC (Universal Time Coordinated)
    • Also referred to as GMT (Greenwich mean time)
    • Variable HWCLOCK in /etc/sysconfig/clock has the value -u
  – Local time
    • Variable HWCLOCK has the value --localtime
• Time configuration files
  – Current time (system time) is calculated using variable TIMEZONE
    • In the file /etc/sysconfig/clock

SUSE Linux Enterprise Server Time Overview (continued)

• Time configuration files (continued)
  – Directory /usr/share/zoneinfo/
    • Database of all time zones
  – cat /proc/driver/rtc
    • Displays the hardware clock time

How to Synchronize Time with hwclock and netdate

• How to use hwclock
  – Tool for accessing the hardware clock
  – Displays the current time
  – Sets the hardware clock to a specified time
  – Sets the hardware clock to the system time
  – Sets the system time from the hardware clock
  – Run hwclock periodically
    • To insert or remove time from the hardware clock
  – Uses device special file /dev/rtc

How to Synchronize Time with hwclock and netdate (continued)

• How to use netdate
  – Sets up the system time once only
  – Syntax: netdate timeserver1 timeserver2 ...
    • timeserver represents a time server on a network
    • netdate client compares server times with its own time
    • Time differences are sorted into groups and used to update time on the local server
  – Syntax: netdate time_source
    • Synchronizes time to a specific external time source
  – hwclock --systohc or hwclock -w
    • Sets the hardware clock to the system clock time

What Network Time Protocol (NTP) Is

• NTP
  – Industry standard protocol
  – Uses UDP on port 123 to communicate between time providers and time consumers
  – NTP time provider
    • Server that provides NTP time
  – NTP time consumer
    • Seeks NTP time from an NTP time provider
  – NTP synchronizes clocks to the UTC standard
  – Keeps track of consistent time variations

What Network Time Protocol (NTP) Is (continued)

• Stratum
  – Designation of the location of servers in NTP tree hierarchy
• NTP daemon (xntpd)
  – Used by server and client to give and obtain time
  – Designed to adjust time continuously
    • Regularly correcting local computer clock on the basis of collected correction data
    • Continuously correcting local time with the help of time servers in the network
    • Enabling management of local reference clocks

What Network Time Protocol (NTP) Is (continued)

• NTP terms
  – Drift
    • ntpd measures and corrects for incidental clock frequency error
      – And writes the current value to a file /etc/ntp/drift
  – Jitter
    • Estimated time error of the peer clock
• How the NTP daemon works
  – Automatically synchronizes system time
    • With a time server on an ongoing basis

What Network Time Protocol (NTP) Is (continued)

• How the NTP daemon works (continued)
  – Correction takes place in small increments
  – Synchronizations occur about once per minute
    • Increasing gradually to once per 17 minutes
  – Slewing
    • NTP adjustment for small time differences
  – Stepping
    • NTP adjustment for large time differences
  – NTP averages the results of several time exchanges

How to Synchronize Time with NTP

• Start NTP from the command line
  – Start script is /etc/init.d/xntpd
  – Central configuration file is /etc/ntp.conf
  – Start NTP daemon using rcxntpd start
  – Stop NTP daemon using rcxntpd stop
  – Restart NTP daemon using rcxntpd restart
  – Check status using rcxntpd status
  – Start NTP automatically when system boots
    • insserv /etc/init.d/xntpd

How to Synchronize Time with NTP (continued)

• Adjust the time with ntpdate
  – Perform a one-time update of the client to the server
    • rcxntpd stop
    • ntpdate timeserver
    • hwclock --systohc
    • rcxntpd start
• Configure the NTP server (/etc/ntp.conf)
  – Add following entries to /etc/ntp.conf
      server 127.127.1.0 # local clock (LCL)
      fudge 127.127.1.0 stratum 10 # LCL is unsynchronized

How to Synchronize Time with NTP (continued)

• Configure the NTP server (/etc/ntp.conf) (continued)
  – Entries for current time
      ## Outside source of synchronized time
      server ptbtime1.ptb.de
      server ptbtime2.ptb.de
  – Synchronization methods
    • Polling
    • Broadcasting
  – Entries including name for the drift file
      driftfile /var/lib/ntp/drift/ntp.drift
      logfile /var/log/ntp

How to Synchronize Time with NTP (continued)

• Configure an NTP client with YaST
  – Start YaST NTP Client module
  – Configure NTP client to start each time you boot your system
  – Enter an NTP server
  – Configure your server to synchronize against multiple remote hosts
    • Or against a locally connected clock (optional)
  – Configure the NTP client by selecting Finish
  – Close the YaST Control Center (optional)

How to Synchronize Time with NTP (continued)

• Trace the time source with ntptrace
  – ntptrace
    • Traces source of time that a time consumer is receiving
    • Lists
      – Client name
      – Its stratum
      – Its time offset from the local host
      – Synchronization distance
      – ID of the reference clock attached to a server
  – Synchronization distance is a measure of clock accuracy

How to Synchronize Time with NTP (continued)

• Query the NTP daemon status
  – Enter ntpq -p to display information such as:
    • remote
    • refid
    • st
    • when
    • poll
    • reach
    • delay
    • offset
    • jitter

Exercise 9-1 Configure Linux Time with NTP

• In this exercise, you do the following:
  – Part I: Check System Time and Hardware Clock Time
  – Part II: Enable NTP Client with YaST

Enable a Web Server (Apache)

• Objectives
  – How a Web Server Works
  – Apache and SUSE Linux Enterprise Server
  – How to Configure an Apache HTTP Server with YaST

How a Web Server Works

• What a Web server is
  – Software program that runs on a host computer
    • And delivers files over the Internet
  – Lets you publish Hypertext Markup Language (HTML) documents
  – Can also distribute many other types of files
  – Must be physically connected to a TCP/IP-based network

How a Web Server Works (continued)

• How a Web server labels content types
  – Web browser relies on a Multipurpose Internet Mail Extension (MIME) header
    • To correctly identify and display document types
  – More than 360 MIME types are included with the Apache Web server
• URL components
  – Protocol, such as http://, https://, ftp://
  – Domain, can be divided into two parts
  – Resource, specifies full path to the resource

How a Web Server Works (continued)

• How a Web server delivers content
  – Web server works in a client-server relationship
    • Client programs are usually Web browsers
  – Client program requests information
    • Apache then delivers the actual resource
  – HTML pages can be stored in a directory
  – Requests and transfers use HTTP
    • Which is part of the TCP/IP suite of protocols
  – Commands and data are passed to port 80
    • Through a TCP connection

Apache and SUSE Linux Enterprise Server

• Installation of Apache packages
  – Basic installation, select package apache2
  – Multiprocessing, install apache2-prefork or apache2-worker
  – Documentation, install apache2-doc
  – Development and compilation, install apache2-devel
• Activating Apache
  – Activate it in the runlevel editor
  – Test Apache by entering http://localhost/ in a Web browser

Apache and SUSE Linux Enterprise Server (continued)

• Storing Web resource files for Apache
  – Static Web pages
    • Place your files in /srv/www/htdocs/
  – Custom CGI scripts
    • Store custom CGI scripts in /srv/www/cgi-bin/
  – Log files
    • Apache writes log messages to /var/log/apache2/access_log

Apache and SUSE Linux Enterprise Server (continued)

• Expanding Apache functionality
  – Apache can execute CGI scripts in diverse programming languages
  – There are modules for secure data transmission
  – In Apache2 almost everything is handled by means of modules
  – Apache 2 does not necessarily need to be a Web server
    • There is a proof-of-concept POP3 server module based on Apache

Apache and SUSE Linux Enterprise Server (continued)

• Security guidelines for Apache Web server
  – Limit unneeded servers
  – Limit access to DocumentRoot
  – Specify subdirectories for user Web content
  – Keep updated on vulnerabilities

How to Configure an Apache HTTP Server with YaST

• Steps
  – Start the YaST HTTP Server module
  – Enable the HTTP server by selecting Enabled
  – Adapt the firewall to the ports where Apache2 listens (optional)
  – Edit HTTP server settings
  – View existing HTTP server logs
  – Save the settings
  – Close the YaST Control Center (optional)

Exercise 9-2 Enable a Basic Apache Web Server

• In this exercise, you do the following:
  – Part I: Configure an Apache Server
  – Part II: Test the Apache Server Configuration

Enable the Extended Internet Daemon (xinetd)

• Objectives
  – What inetd Is
  – How to Configure xinetd with YaST
  – How to Manage xinetd Manually
  – How to Configure the TCP Wrapper

What inetd Is

• Many services are administered and started through inetd or xinetd

• Acts as a mediator of connection requests for a series of services

• Advantage
  – Saving resources (especially memory)
• Disadvantage
  – Delay occurs while the required service is loaded, started, and connected
• Use inetd for services that are occasionally needed

How to Configure xinetd with YaST

• Steps
  – Start the YaST Network Services (inetd) module
  – Enable the inetd super daemon
  – Configure a service to be administered by inetd
  – Change the status of all installed services to on or off (optional)
  – Save the configuration setting and start the inetd (or xinetd) daemon
  – Close the YaST Control Center (optional)

How to Manage xinetd Manually

• Start, stop, and restart xinetd
  – Start script is /etc/init.d/xinetd
  – insserv xinetd
    • Automatically starts xinetd at boot
  – rcxinetd status
    • Verify whether daemon is activated or not
  – rcxinetd start or rcxinetd stop
    • Manually start and stop the xinetd daemon

How to Manage xinetd Manually (continued)

• Configure xinetd
  – How to Edit the File /etc/xinetd.conf
    • Default parameters syntax
        defaults
        {
            key operator parameter parameter ...
        }
    • Service syntax
        service service_name
        {
            key operator parameter parameter ...
        }
  – Operators include =, -=, and +=

How to Manage xinetd Manually (continued)

• Configure xinetd (continued)
  – How to Edit the File /etc/xinetd.conf
    • First entry is optional and enables default configurations
    • Other entries contain configuration for the respective network service
  – The directory /etc/xinetd.d/
    • Holds configuration file for every service
    • Directive includedir /etc/xinetd.d
      – Prompts xinetd to interpret all files in this directory
    • Using separate files improves transparency

How to Manage xinetd Manually (continued)

• Configure xinetd (continued)
  – Internal services example
      # /etc/xinetd.d/echo
      # default: off
      # description: An echo server. This is the tcp version.
      service echo
      {
          type        = INTERNAL
          id          = echo-stream
          socket_type = stream
          protocol    = tcp
          user        = root
          wait        = no
          disable     = yes
      }

How to Manage xinetd Manually (continued)

• Configure access control
  – Parameters
    • only_from
      – Defines which hosts can use which service
    • no_access
      – Defines which hosts can be excluded from access
    • access_time
      – Defines at which times the service is available
    • disabled
      – Completely shuts off a server
      – Can only be used in the defaults section

How to Manage xinetd Manually (continued)

• Configure log files
  – Record failed and unauthorized connection attempts
  – Shut off a service but still retain its logging functions
    • Configure only_from without using any additional parameters
  – Logging through xinetd is controlled by the log_type statement
    • Along with the attributes log_on_success and log_on_failure
  – Log the circumstances of how and why the network service was used
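
An added example (not part of the course material): a small Python audit of the stanza syntax, the =, += and -= operators, and the only_from and log_on_failure attributes described on the xinetd slides. The sample configuration, its addresses and its server paths are constructed, and using the defaults section as the starting value for every service is a simplifying assumption.

```python
import re

# Constructed, abridged configuration; only echo comes from the slides.
SAMPLE_CONF = """\
defaults
{
    log_type       = FILE /var/log/xinetd.log
    log_on_failure = HOST
}
service echo
{
    id      = echo-stream
    disable = yes
}
service ftp
{
    server          = /usr/sbin/pure-ftpd
    only_from       = 192.168.0.0/24
    log_on_failure += USERID
}
service telnet
{
    server    = /usr/sbin/in.telnetd
    only_from =
}
service finger
{
    server          = /usr/sbin/in.fingerd
    log_on_failure -= HOST
}
"""

BLOCK = re.compile(r"^[ \t]*(defaults|service[ \t]+(\S+))\s*\{(.*?)\}", re.S | re.M)
ATTR = re.compile(r"^\s*(\w+)[ \t]*(\+=|-=|=)[ \t]*(.*?)\s*$")


def parse(text):
    """Return (defaults, services): lists of (key, operator, values) per stanza."""
    defaults, services = [], {}
    for block in BLOCK.finditer(text):
        attrs = [(m.group(1), m.group(2), m.group(3).split())
                 for m in map(ATTR.match, block.group(3).splitlines()) if m]
        if block.group(2):
            services[block.group(2)] = attrs
        else:
            defaults = attrs
    return defaults, services


def apply(config, attrs):
    """= replaces the value list, += adds to it, -= removes from it."""
    for key, op, values in attrs:
        current = [] if op == "=" else config.get(key, [])
        if op == "-=":
            config[key] = [v for v in current if v not in values]
        else:
            config[key] = current + values
    return config


def audit(text):
    """Map each service to findings; defaults apply where a service sets nothing."""
    defaults, services = parse(text)
    base = apply({}, defaults)
    report = {}
    for name, attrs in services.items():
        cfg = apply(dict(base), attrs)
        if cfg.get("disable") == ["yes"]:
            report[name] = ["disabled"]
            continue
        findings = []
        if "only_from" not in cfg:
            findings.append("no only_from: reachable from any host")
        elif not cfg["only_from"]:
            findings.append("empty only_from: closed to every host, attempts still logged")
        if "HOST" not in cfg.get("log_on_failure", []):
            findings.append("log_on_failure lacks HOST: source address not logged")
        report[name] = findings or ["ok"]
    return report


if __name__ == "__main__":
    for service, findings in audit(SAMPLE_CONF).items():
        print("%-7s %s" % (service, "; ".join(findings)))
```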

How to Configure the TCP Wrapper

• The role of the tcpd daemon
  – Regulates access to inetd services
  – Wrapper acts as a filter
  – Steps
    • Logs name and address of requesting host
    • Verifies if the request is permitted
    • Starts the corresponding daemon
    • Then the wrapper is deleted from memory
  – After an authorized server has started
    • It can accept additional connections
    • Without consulting the wrapper

How to Configure the TCP Wrapper (continued)

• How to configure access controls
  – Edit /etc/hosts.allow and /etc/hosts.deny files
  – Files syntax: daemon: host [: option : option ...]
  – Examples
    • /etc/hosts.allow:
        ALL: pluto.example.com
        ALL EXCEPT vsftpd: mars.example.com
        vsftpd: andromeda.example.com
    • /etc/hosts.deny:
        ALL: ALL
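
An added example (not part of the course material): a simplified Python model of how tcpd evaluates the rules above, searching /etc/hosts.allow first, then /etc/hosts.deny, and granting access when neither file matches. It handles only ALL, EXCEPT, exact names, leading-dot domain patterns and trailing-dot address patterns; in.telnetd and unknown.example.org are constructed inputs.

```python
"""Simplified model of tcpd's hosts.allow / hosts.deny decision (added example)."""

# Rule sets copied from the slide above.
HOSTS_ALLOW = """\
ALL: pluto.example.com
ALL EXCEPT vsftpd: mars.example.com
vsftpd: andromeda.example.com
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens)]; options after the 2nd ':' are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line; tcpdchk is the tool that reports these
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules


def token_matches(pattern, identities):
    """Match one pattern against any identity (daemon name, host name or address)."""
    pattern = pattern.lower()
    for value in identities:
        value = value.lower()
        if (pattern == "all" or pattern == value
                or (pattern.startswith(".") and value.endswith(pattern))
                or (pattern.endswith(".") and value.startswith(pattern))):
            return True
    return False


def list_matches(tokens, identities):
    """'a b EXCEPT c' matches when a or b matches and c does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], identities)
                and not list_matches(tokens[i + 1:], identities))
    return any(token_matches(t, identities) for t in tokens)


def first_match(rules, daemon, client_ids):
    """Return the 1-based number of the first rule matching daemon and client."""
    for number, (daemons, clients) in enumerate(rules, 1):
        if list_matches(daemons, (daemon,)) and list_matches(clients, client_ids):
            return number
    return None


def decide(daemon, host, addr=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is searched first, then hosts.deny; no match at all grants access."""
    client_ids = tuple(v for v in (host, addr) if v)
    hit = first_match(parse_rules(allow), daemon, client_ids)
    if hit:
        return "allow", "hosts.allow rule %d" % hit
    hit = first_match(parse_rules(deny), daemon, client_ids)
    if hit:
        return "deny", "hosts.deny rule %d" % hit
    return "allow", "no rule matched"


if __name__ == "__main__":
    # Constructed requests; in.telnetd is a hypothetical second wrapped daemon.
    for daemon, host in [("vsftpd", "pluto.example.com"),
                         ("vsftpd", "mars.example.com"),
                         ("in.telnetd", "mars.example.com"),
                         ("vsftpd", "andromeda.example.com"),
                         ("vsftpd", "unknown.example.org")]:
        print("%-11s %-22s %s (%s)" % ((daemon, host) + decide(daemon, host)))
    # Without the catch-all in hosts.deny the unlisted host is let through.
    print(decide("vsftpd", "unknown.example.org", deny=""))
```

The second request shows the effect of EXCEPT: mars.example.com reaches every wrapped daemon except vsftpd, which falls through to the ALL: ALL rule in hosts.deny.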

How to Configure the TCP Wrapper (continued)

• How to check the TCP wrapper
  – Use tcpdchk command
  – tcpdmatch command
    • Provides information about how tcpd would handle various types of access attempts
  – Moles and trappers
    • You can enter shell commands in the configuration files
      – To be executed when request matches a pattern
    • Example
        ALL: ALL: spawn echo "Access of %u@%h to %d" >> /var/log/net.log

Exercise 9-3 Configure the Internet Daemon (xinetd) and TCP Wrappers

• In this exercise, you do the following:
  – Part I: Enable xinetd Services with YaST
  – Part II: Enable xinetd Services Manually
  – Part III: Configure TCP Wrappers

Enable an FTP Server

• Objectives
  – The Role of an FTP Server
  – How FTP Works
  – Advantages of PureFTPd Server
  – How to Install and Run PureFTPd Server
  – How to Configure PureFTPd Server

The Role of an FTP Server

• Basic features:
  – Sending, receiving, deleting, and renaming files
  – Creating, deleting, and changing directories
  – Transferring data in binary or ASCII mode
• Allows access after authentication against a password database
  – These are the files /etc/passwd and /etc/shadow
  – PureFTPd supports authentication against its own password database
• Guest access can be set up as anonymous FTP

How FTP Works

• Uses two TCP connections
  – One sends FTP commands (port 21)
  – Second connection is created when a file is ready for transfer
• Types of data transfer
  – Active data transfer
    • FTP client offers FTP server an unprivileged TCP port for data channel connection (port 20)
  – Passive data transfer
    • FTP server offers FTP client an unprivileged TCP port for a data channel connection

Advantages of PureFTPd Server

• PureFTPd features:
  – Consistent use of chroot environments
  – Uncomplicated configuration of virtual FTP servers
  – Virtual users independent of the system users listed in the file /etc/passwd
  – Configuration via command-line parameters or with a configuration file

How to Install and Run PureFTPd Server

• Use YaST Install and Remove Software module
  – To install the PureFTPd server
• /etc/pure-ftpd/pure-ftpd.conf
  – Configuration file
• Run PureFTPd server
  – From the command line
    • Enter pure-ftpd options
  – From a start script
    • Enter /etc/init.d/pure-ftpd start (or rcpure-ftpd start)
    • Enter rcpure-ftpd stop to stop the service

How to Install and Run PureFTPd Server (continued)

• Run PureFTPd server (continued)
  – From a start script
    • insserv /etc/init.d/pure-ftpd to initialize pure-ftpd upon start-up
  – From inetd
    • Add a corresponding entry to the file /etc/inetd.conf
    • Example:
        ftp stream tcp nowait root /usr/sbin/tcpd pure-ftpd -A -i

How to Configure PureFTPd Server

• How to configure anonymous FTP
  – You need to have an FTP user and home directory in the file /etc/passwd
    • You do not need to create any subdirectories
  – You can also use command pure-ftpd
  – Files uploaded to the server belong to the user ftp
• How to configure FTP with virtual hosts for anonymous FTP
  – Virtual FTP hosts allow a number of FTP sites to be hosted on one machine

How to Configure PureFTPd Server (continued)

• How to configure FTP with virtual hosts for anonymous FTP (continued)
  – Create virtual network devices
    • Using ifconfig
  – Create symbolic link in /etc/pure-ftpd/
• How to configure FTP for authorized users
  – Important for those who are hosting Web sites
  – Use pure-ftpd command
    • pure-ftpd -A -E
    • pure-ftpd -a 500 -E

How to Configure PureFTPd Server (continued)

• How to configure FTP with virtual users not included in /etc/passwd
  – PureFTPd users are separated from system users
    • And can only access the system by FTP
  – Administer PureFTPd users in a separate database
    • Create a system user with useradd
    • Create the FTP users with pure-pw
    • Specify options such as quotas or size limits in MB
    • Regenerate password file using pure-pw mkdb
  – Start PureFTPd with -j

How to Manage PureFTPd Logs

• PureFTPd sends messages to the syslog daemon

• PureFTPd can also write its own log files
  – Use option -O format:logfile
  – Format can be clf, stats, or w3c
  – You can also modify the PureFTPd configuration file

Exercise 9-4 Configure Anonymous PureFTPd Access

• In this exercise, you will configure anonymous PureFTPd access

Summary

• System time is maintained by the interrupt timer
  – And obtained from the computer hardware clock
• netdate utility
  – Synchronizes system time
    • With that of another computer on the network
• NTP
  – Accurately coordinates system time on your network
• NTP automatically adjusts for local time drift
• To configure NTP, you may use YaST
  – Or edit the /etc/ntp.conf file

Summary (continued)

• Apache Web server (httpd)
  – The most common Web server on Linux systems
• Internet Super Daemon (inetd) or Extended Internet Super Daemon (xinetd)
  – Used to start some network daemons
• TCP wrapper daemon (tcpd)
  – Used with inetd or xinetd to provide additional security
• File Transfer Protocol (FTP)
  – Main TCP/IP protocol to transfer files across the Internet

Summary (continued)

• PureFTPd server
  – Installed and used on SLES to provide FTP services to clients
• Configure PureFTPd
  – Use pure-ftpd command
  – Or entries in the /etc/pure-ftpd/pure-ftpd.conf file