Connecting to Shared Directories With NFS and SAMBA

ip addr = display IP address information
hostname = displays the hostname (without an argument), sets the hostname (with an argument)
Example: hostname cgermany = sets the server's hostname to cgermany.
ifconfig = display and set TCP/IP configuration
dhclient = release/renew IP address
iwconfig = Linux wireless utility
NFS - Unix uses NFS to transfer and share files across a network. To connect to a directory that is already shared, use the mount command like so:
mount -t nfs RemotePCname:/ExportedDirectoryName /LocalMountPointDirectory
In other words:
mount -t nfs cgermany:/Data /root/HoldMe
would connect to a server with the host name "cgermany" exporting a directory called "Data" and mount it on the "/root/HoldMe" directory.
SMBFS - Microsoft does not offer true NFS support (naturally), so to access Windows XP/2000/2003/98/95 shared directories, Unix/Linux must use the Server Message Block (SMB) file system, which until recently was mounted as "smbfs". The syntax is a bit different from mounting shared Unix directories. The old way:
mount -t smbfs //Windows2003Server/SharedFolderName /LocalMountPointDirectory
Now there is a new way, as "smbfs" is deprecated (no longer used) with Linux Fedora Core 5 and above. Always changing! In its place you have to use "cifs", the Common Internet File System. Its syntax is as follows:
mount -t cifs //Windows2003Server/SharedFolderName /LocalMountPointDirectory
Alternatively, you can pass options in to "cifs" mounts to access Windows machines as alternate users. Example:
mount -t cifs //Windows2003Server/C$ /LocalMountPointDirectory -o username=administrator
In other words:
mount -t smbfs //cgermany/Data /root/HoldMe
would connect to a Microsoft server with the host name "cgermany" sharing a folder called "Data" and mount it on the "/root/HoldMe" directory.
smbmount = a command for mounting Microsoft Windows shared folders, like the mount command above. Just as with "smbfs", if you are using Fedora Core 5 or above you will have to use "cifs", as smbmount is no longer supported. The old syntax:
smbmount //Windows2003Server/SharedFolderName /LocalMountPointDirectory
smbclient = like smbmount, but offers an FTP-like interface. Syntax:
smbclient //Windows2003Server/SharedFolderName
Sharing Files Under NFS
To share files on Unix/Linux, a directory must be exported. This involves:
1. First adding an entry to the /etc/exports file. It can be a simple line, like "/Data (rw)". The (rw) stands for read-write, (ro) for read-only. Below, the "192.168.20.0/255.255.255.0" says allow any host on the 192.168.20.x network to access the shared folder. You could specify a single IP address, a range, an entire network, or specific host names.
/Data 192.168.20.0/255.255.255.0(rw,sync)
/SharedStuff 192.168.20.0/255.255.255.0(rw,sync)
/SuperFunYay 0.0.0.0/0.0.0.0(ro,sync)
2. Disable the firewall by going into the GNOME GUI and clicking REDHAT BUTTON -> SYSTEM SETTINGS -> SECURITY LEVEL.
3. Then we need to set appropriate permissions with chmod 777 (you can tighten them later).
4. Run the exportfs -a command to update the exported file system. Example: exportfs -a
5. Restart the NFS process by typing:
/etc/rc.d/init.d/nfs restart
/etc/rc.d/init.d/nfslock restart
Sometimes the daemons do not start in the correct order, and this may cause NFS not to function. If you are still having problems after restarting nfs and nfslock, try starting the daemons in the correct order by typing the following:
/usr/sbin/rpc.mountd
/usr/sbin/rpc.nfsd
/usr/sbin/rpc.rquotad
rpcinfo = checks to see if the RPC daemons are running. Use: rpcinfo -p and check for mountd, nfsd and quotad.
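Before running exportfs -a it is worth checking what the exports file actually hands out. The shell script below is an added example, not part of the original notes: it parses each /etc/exports line into path, client and options and flags entries that are open to every host (a "*" client, a 0.0.0.0/0.0.0.0 network, or a bare "(rw)" with no host in front of it, which NFS treats as all hosts) or read-write for a whole subnet. The sample file is constructed, and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an /etc/exports file
# for directories exported to every host or writable by a whole network.
# The sample below is constructed; audit_exports/count_verdict are names
# chosen for this example, not standard tools.

# Constructed sample: the three entries above plus two more, one with a bare
# "(rw)" (no host listed, so the options apply to all hosts) and one for a
# single IP address.
SAMPLE_EXPORTS='/Data 192.168.20.0/255.255.255.0(rw,sync)
/SharedStuff 192.168.20.0/255.255.255.0(rw,sync)
/SuperFunYay 0.0.0.0/0.0.0.0(ro,sync)
# backups, exported to everyone by mistake
/Backups (rw)
/Home 192.168.20.5(rw,sync)'

# Print one line per client entry: PATH CLIENT OPTIONS VERDICT
audit_exports() {
    printf '%s\n' "$1" | awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            entry = $i; client = entry; opts = ""
            if (match(entry, /\(.*\)/)) {        # split "client(opts)"
                client = substr(entry, 1, RSTART - 1)
                opts   = substr(entry, RSTART + 1, RLENGTH - 2)
            }
            if (client == "") client = "*"       # no host given = everyone
            rw = ("," opts ",") ~ /,rw,/
            verdict = "ok"
            if (client == "*" || client ~ /^0\.0\.0\.0/)
                verdict = rw ? "WORLD-WRITABLE" : "WORLD-READABLE"
            else if (client ~ /\// && rw)
                verdict = "NET-WRITABLE"          # rw for a whole subnet
            printf "%s %s %s %s\n", path, client, (opts == "" ? "-" : opts), verdict
        }
    }'
}

# Count the entries carrying a given verdict, e.g. count_verdict "$f" WORLD-WRITABLE
count_verdict() {
    audit_exports "$1" | awk -v v="$2" '$4 == v { n++ } END { print n + 0 }'
}

audit_exports "$SAMPLE_EXPORTS"
```

To run it against a real server, replace the sample with `audit_exports "$(cat /etc/exports)"`.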
Sharing Files Under SAMBA
To make Unix/Linux shared folders available to Windows, you need to use the SAMBA daemon. First the configuration should be set up in the /etc/samba/smb.conf file. Here you can set the NetBIOS name, shared directories and printers. Examples of "/etc/samba/smb.conf":
[aprinter]
path = /usr/spool/public
read only = yes
printable = yes
guest ok = yes

[CGermanyStuff]
comment = C. Germany's Stuff
path = /CGermanyStuff
valid users = unixuser root charles guest
public = yes
writable = yes
printable = no

[stuff]
comment = General Public
path = /stuff
public = yes
read only = yes

Then, you must start/restart the SAMBA daemon using:
/etc/rc.d/init.d/smb start
or you may simply use the command:
service smb restart
Note: You will also need to assign a Samba password to a Unix account on the server using the smbpasswd command listed below.
smbpasswd = this command will allow you to assign a user a SAMBA (Windows) password in addition to their Unix/Linux password. This way they can access the shared files from their Windows machine. Syntax: smbpasswd -a TheUserName . Of course, the user will have to already exist (have been created) on the server.
FTP Server (vsftpd)
/etc/init.d/vsftpd start, stop, restart = ftp daemon (service)
chkconfig vsftpd on = causes the vsftpd daemon to start when booting.
/etc/vsftpd/vsftpd.conf = ftp configuration file. Change the "anon_root" variable in the config file to the location where anonymous access files are stored. After making changes, restart the daemon with /etc/init.d/vsftpd restart . Don't forget you may need to change some permissions with chmod. You can add this line to the /etc/inittab file to restart the FTP service each time Linux/Unix boots. Example:
20:3:wait:/etc/init.d/vsftpd restart
Or use the chkconfig command to autostart it during each boot.
Some versions of Linux have a "wu-ftpd", whereas others do not. If so, change "disable = yes" to "disable = no" in the /etc/xinetd.d/wu-ftpd file. Then restart the xinetd process with:
/etc/rc.d/init.d/xinetd restart
HTTP (Apache Web) Server
- Create directories and html files inside of /var/www/html .
- Start the Apache Web Server using: /etc/rc.d/init.d/httpd start .
- The configuration file is located in /etc/httpd/conf/httpd.conf .
- Use the chkconfig command to autostart it during each boot.
You may need to change permissions using chmod, and you may have to remove proxy server settings in your web browser to get Apache to display its web pages in a browser as "localhost".
Telnet Server
The Linux telnet service (daemon) is xinetd.
1. Configure the file /etc/xinetd.d/telnet .
2. Start the telnet daemon: /etc/rc.d/init.d/xinetd start .
3. Add hosts to /etc/hosts.allow and /etc/hosts.deny .
DHCP Server
The Linux DHCP service (daemon) is "dhcpd".
1. Configure your scope and subnet settings in the file /etc/dhcp.conf .
2. Start the DHCP daemon: /etc/rc.d/init.d/dhcpd start .
3. Add hosts to /etc/hosts.allow and /etc/hosts.deny, or ALL:ALL for everyone.
4. Use chkconfig to make it start automatically each boot.
Note: As with most of the other server daemons, each time you modify any configuration files, you must restart the daemon or service. Example: "/etc/rc.d/init.d/dhcpd restart".
DNS Server
The Linux DNS service (daemon) is "named". To start it: "/etc/rc.d/init.d/named start" . Use chkconfig to make it start automatically each boot. Each time you modify any DNS configuration files, restart the named daemon with "/etc/rc.d/init.d/named restart".
1. Configure the DNS server name daemon files:
Configuration Files:
   1. /etc/named.conf = list of DNS zones and their type (master/slave)
   2. /var/named/zonename.zone = resource records for forward lookup
   3. /var/named/*.in-addr.arpa = PTR records (reverse lookup)
   4. /var/named/named.local = PTR record identifying loopback
   5. /var/named/named.ca = IP addresses of top level DNS servers (DNS cache file)
2. Start the DNS daemon: /etc/rc.d/init.d/named start .
3. Add hosts to /etc/hosts.allow and /etc/hosts.deny, or ALL:ALL for everyone.
4. Use chkconfig to make it start automatically each boot.
Routing
If your Linux machine has two NIC cards (it's multihomed), then it can serve as a router. Just like Microsoft's Routing and Remote Access, huh? :-)
route = displays the route table
ip forwarding = enables routing from one subnet to another through multiple NIC cards on a PC. To do this, write the number "1" to the file /proc/sys/net/ipv4/ip_forward . To enable routing automatically at boot, add the line "net.ipv4.ip_forward = 1" to the file /etc/sysctl.conf .
route add = adds a route to the routing table. Unix, Cisco, hmmm, such a resemblance... I wonder who copied who?
Syntax =
route add -net 192.0.0.0 netmask 255.255.255.0 gw 192.168.20.1
The statement above says send any packets destined for 192.x.x.x to the gateway 192.168.20.1 . Just about identical to Cisco's way of doing things, yes?
ip route add = like the route command above.
Syntax =
ip route add 192.0.0.0/24 via 192.168.20.1
route del = removes entries from the routing table.
Note: Routing table entries are lost on each reboot. To make the entries permanent, add the "route add" or "ip route add" command for each route to the /etc/rc.d/rc.local file. These will load with each startup then.
traceroute = tool to help troubleshoot routing problems.
SQUID
SQUID is the free Linux proxy server. Cool, huh? And cheaper than ISA!
Instructions for setup are:
1. Install SQUID and dependencies from Fedora Core 4 CD#1 or an RPM package you download.
2. Add "0.0.0.0" and/or "ALL:ALL" to the "hosts.allow" file in the "/etc/" folder. You may also add specific IP addresses or an entire network address such as "192.168.20.0".
3. Remove any addresses that you want to allow if they are in "hosts.deny" in the "/etc/" folder. This file overrides "hosts.allow".
4. Configure access lists in the "squid.conf" file in the "/etc/squid/" folder. You must change the "http_access deny all" to "http_access allow all". Also, change "http_reply_access deny all" to "allow all". You may enable or disable the http_manager as well. You may also reconfigure the default port of 3128 by changing "http_port".
5. Disable your firewall, or configure it to allow incoming requests over ports 3128, 80, 8080, and 443.
6. Configure your own web browser to use your proxy server's address and port settings. This will test the loopback (127.0.0.1) response.
7. Finally, test the proxy server by configuring another machine to use it.
8. Any changes that you make to SQUID configuration files should be followed by restarting the SQUID daemon. You may stop/start/restart by:
/etc/rc.d/init.d/squid restart
/etc/rc.d/init.d/squid stop
/etc/rc.d/init.d/squid start
9. Don't forget that you may also cause SQUID to start automatically with the "chkconfig" command.
Happy SQUIDding!
Firewall
There is a GUI firewall interface for both Fedora Core 2 and Fedora Core 4. It is comparable to Microsoft's "ICF" firewall, and as easy to configure if that's important. However, to truly unleash the power of Linux's firewall, you need to be able to configure rules for chains using iptables, and this means using the console, not the severely limited GUI interface.
The Linux firewall works with "chains" of rules. There are three default chains for which one may specify rules:
1. INPUT = packets coming in
2. FORWARD = packets passing through
3. OUTPUT = packets going out
Note: Fedora Core 4 adds a 4th chain to the standard three called "Chain RH-Firewall-1-INPUT (2 references)". This chain is implemented when you click "Desktop" > "System Settings" > "Security Level" and then select "Enable Firewall" from the dropdown list. By default, it is set to block all incoming requests. You may graphically add daemons and ports to allow by checking the appropriate box, or you may type in ports in the format "Port#:tcp" in the box at the bottom. Example: "23:tcp" or "23:telnet".
For the command line exercises of iptables, you need to completely disable the graphical firewall in Fedora by selecting "Desktop" > "System Settings" > "Security Level" and selecting "Disable Firewall" from the dropdown list. Then, only the three standard chains listed above will apply.
Suggested LAB:
1. After disabling the graphical firewall as described above, make sure all rules have been deleted in IPTABLES by typing "iptables -L" to list all rules and chains. If there are any rules, flush them by typing "iptables -F". You are now wide open, with no firewall protection at this point. (Your shields are down).
2. Add rules. Of the three CHAINS, you are interested in "INPUT" since that answers any requests coming into your Linux server for services. The proper way to add rules is to add the ports/protocols/services you want to allow FIRST, then add a "CATCH-ALL" rule at the bottom that will DROP or REJECT any other packets not using the ports and protocols specifically allowed. This CATCH-ALL rule should always be at the bottom of the other rules so it will be evaluated last. Therefore, if you choose to create a new rule allowing another port after you have created your CATCH-ALL rule, delete the CATCH-ALL rule with "iptables -D INPUT Line#", add the new rule with "iptables -A INPUT etc.", and then add the CATCH-ALL rule back again at the end with "iptables -A INPUT etc.". If you have multiple NIC cards, don't forget to specify the interface that you want to set the rule on with "-i eth0" or "-i eth1".
3. Add a rule to allow HTTP traffic for the Apache web server over port 80:
iptables -A INPUT -j ACCEPT -p tcp --destination-port 80 -i eth0
4. Add a rule to allow FTP traffic for VSFTPD over port 21:
iptables -A INPUT -j ACCEPT -p tcp --destination-port 21 -i eth0
5. Add a CATCH-ALL rule to block or drop any other traffic not specified:
iptables -A INPUT -j DROP -p tcp -i eth0
6. Now, look at the rules you have so far with the command "iptables -L". Notice that you have three rules, the two "ALLOW" rules and the CATCH-ALL rule to drop anything else. Test your rules by trying to access a web page from your Apache server from another computer. Since port 80 is allowed, you can. Try to FTP to your Linux server from another computer. Since you have a rule that allows port 21, you can. Now, try to telnet to your server. Since telnet is port 23 and not specifically allowed, the CATCH-ALL rule blocks incoming telnet requests and you cannot connect.
7. Let's say we change our minds and want to allow telnet as well, while still blocking any other ports. We can add the rule with:
iptables -A INPUT -j ACCEPT -p tcp --destination-port 23 -i eth0
8. Now, list your INPUT chain rules with "iptables -L". Notice that you have 4 rules. However, your CATCH-ALL rule to block all packets was added before your rule to allow telnet port 23. Therefore, let's delete the CATCH-ALL and add it back so that it will appear on the bottom as the last rule, and therefore the "CATCH-ALL". Notice that in the listing, the CATCH-ALL drop rule appears as the third rule in the list. Therefore, delete the 3rd rule, or "CATCH-ALL", with:
iptables -D INPUT 3
9. Finally, add the CATCH-ALL rule back to the bottom of the iptables rule list under the INPUT chain using:
iptables -A INPUT -j DROP -p tcp -i eth0
10. To finish, list your rules using "iptables -L". Test FTP, telnet and HTTP to your Linux server from another computer.
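The mistake in step 7 (an ACCEPT appended below the CATCH-ALL, so it never matches) is easy to miss in a long "iptables -L" listing. The script below is an added example, not part of the original lab: it reads the INPUT rules as the "iptables -A INPUT ..." commands typed in the lab, reports every ACCEPT that sits below the first port-less DROP/REJECT, and prints the delete-and-re-append pair from steps 8 and 9. Both rule lists are constructed, and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original lab: find ACCEPT rules that were
# appended below the CATCH-ALL and therefore never match (steps 7-8 above).
# Input is the list of "iptables -A INPUT ..." commands as typed in the lab,
# constructed here; parse_rules/shadowed_ports/fix_commands are names chosen
# for this example.

# Constructed: the chain as it stands after step 7 (telnet rule after the DROP)
SAMPLE_RULES='iptables -A INPUT -j ACCEPT -p tcp --destination-port 80 -i eth0
iptables -A INPUT -j ACCEPT -p tcp --destination-port 21 -i eth0
iptables -A INPUT -j DROP -p tcp -i eth0
iptables -A INPUT -j ACCEPT -p tcp --destination-port 23 -i eth0'

# Constructed: the chain after steps 8-9 (DROP re-appended last)
SAMPLE_RULES_FIXED='iptables -A INPUT -j ACCEPT -p tcp --destination-port 80 -i eth0
iptables -A INPUT -j ACCEPT -p tcp --destination-port 21 -i eth0
iptables -A INPUT -j ACCEPT -p tcp --destination-port 23 -i eth0
iptables -A INPUT -j DROP -p tcp -i eth0'

# Print "rule# target port" per rule; port is "-" when the rule names none
parse_rules() {
    printf '%s\n' "$1" | awk '
    {
        target = "?"; port = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "-j") target = $(i + 1)
            if ($i == "--dport" || $i == "--destination-port") port = $(i + 1)
        }
        printf "%d %s %s\n", NR, target, port
    }'
}

# Print "<port> shadowed by rule <n>" for each ACCEPT rule that sits below the
# first port-less DROP/REJECT (the CATCH-ALL). No output means the order is right.
shadowed_ports() {
    parse_rules "$1" | awk '
    !catchall && ($2 == "DROP" || $2 == "REJECT") && $3 == "-" { catchall = $1; next }
    catchall && $2 == "ACCEPT" { printf "%s shadowed by rule %d\n", $3, catchall }'
}

# Print the two commands the lab uses to move the CATCH-ALL back to the bottom:
# delete it by rule number, then append the very same rule again.
fix_commands() {
    n=$(parse_rules "$1" | awk '($2 == "DROP" || $2 == "REJECT") && $3 == "-" { print $1; exit }')
    [ -n "$n" ] && [ -n "$(shadowed_ports "$1")" ] || return 0
    echo "iptables -D INPUT $n"
    printf '%s\n' "$1" | sed -n "${n}p"
}

shadowed_ports "$SAMPLE_RULES"
fix_commands "$SAMPLE_RULES"
```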
The "iptables" command can be used to modify the rules on these chains. Examples:
1. iptables -F = flush all previous rules and start over
2. iptables -P FORWARD DROP = drop forwarded packets by default
3. iptables -A FORWARD -s 192.168.20.0/24 -j ACCEPT = forward only packets originating from the 192.168.20.x network.
4. iptables -L = list the rules in memory
SWITCHES
1. A = add a new rule. (Syntax = iptables -A chain(INPUT, OUTPUT, FORWARD) ...)
2. D = delete a rule. (Syntax = iptables -D chain(INPUT, OUTPUT, FORWARD) rule#)
Examples:
1. BLOCK ALL HTTP = iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp --dport 80 -j DROP
2. BLOCK everything = iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -p all -j DROP
3. ALLOW HTTP = iptables -A OUTPUT -s 192.168.20.0/24 -d 192.168.20.2/24 -p tcp --dport 80 -j ACCEPT
Here's what displays on my IPTables with Telnet, FTP and HTTP enabled:
Chain RH-Firewall-1-INPUT (2 references)
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp anywhere anywhere state NEW tcp dpt:telnet
Other Useful Commands:
1. dhclient releases and renews the IP address for DHCP
2. ifconfig displays the IP address. Also can be used to bring a NIC up or down.
Would you like fries with that firewall?
Security Tools and Tweaks
1. nohup = allows you to run a process and exit, leaving it running. Example: nohup updatedb &
2. su = switch user command. Basically, what Microsoft calls a "secondary logon". In Unix, it lets you log in as a user of lesser power than root, and yet still do things that require root permission. Example: su - root . Safer.
3. sudo = allows a user to run only certain programs as root if they are listed in the /etc/sudoers file. Syntax = sudo kill -3 3456 .
4. nmap = network mapper, can show running services on a computer. Powerful tool. Syntax = nmap -sT ComputerName .
   1. nmap -sP 192.168.20.0/24 = Initiates a ping sweep of the specified network.
   2. nmap -sP -PT80 192.168.20.0/24 = TCP ping scan. A bit more sophisticated; can use port 80 (http) to traverse routers that are blocking ICMP traffic. The "-PT80" specifies port 80.
   3. nmap -sS 192.168.20.200 = Initiates a stealth port scan of the specified IP, revealing open ports and protocols.
   4. nmap -sF 192.168.20.0/24 = Port scan the entire network.
   5. nmap -sF 192.168.20.0/24 -oN Scans.txt = Port scan the entire network and save the results to a file called "Scans.txt".
   6. nmap -sS 192.168.20.200 -D 192.168.20.52 = This specifies a stealth port scan with the "-sS" option and a decoy with the "-D" option. This means we are spoofing the IP address of 192.168.20.52 while we scan 192.168.20.200. If 192.168.20.200 trusts 192.168.20.52, then it trusts us. 192.168.20.52 needs to be up and running on the net for the spoof to hide us properly, as it will be receiving SYN and ACK flag traffic.
   7. nmap -I 192.168.20.200 = "Ident" option, identifies the user of a particular TCP connection by using port 113.
   8. nmap -O 192.168.20.200 = Scans with the "-O" option to discover the operating system of the machine being scanned.
   9. nmap -p80 -O 192.168.20.200 = Scans the machine for its operating system even if ports are closed, using port 80 (http).
   10. nmap -h = help (displays all the options)
5. nslookup = Same as Microsoft's command line DNS tool. nslookup works by posing as a secondary DNS server and requesting zone transfers. Zone transfers must be enabled and allowed to the requesting IP address for nslookup to function. This would be an area to lock down. If someone can get a zone transfer from your DNS server, they get a very useful map of all your IP addresses and host names. Example:
[cgermany@cgermany]$ nslookup
> set type=any
> ls -d numa.numa.net >> HostsToHack.txt
> quit
[cgermany@cgermany]$
6. whois - queries a domain name for info. Example: whois numa.numa .
7. fuser = identify any users or processes using a file or directory.
8. Suggestion for IDS: Download and install "tripwire", a Linux IDS/alarm system.
Wireless Access!
I have a Netgear 54Mbps 802.11g PCMCIA wireless card I use with my laptop. Wireless drivers are a bit difficult to install under Linux. I tried several different approaches, but was unable to get any Linux drivers to work with my wireless card. I then decided I would use the Windows ".inf" and ".sys" files and "DriverLoader", a program that allows you to use Windows drivers with Linux. It worked, with 128-bit WEP encryption, MAC filtering and a hidden SSID! I will list the procedures I followed to get my card working as well as some useful commands.
iwconfig - command to access all wireless settings. By itself it lists signal strength, encryption key, SSID, MAC address and several other pieces of information.
dhclient - releases and renews an IP address. Like "ipconfig /release" and "ipconfig /renew" in Windows.
ifup - short command to bring a specified interface up. Example: ifup eth0
ifdown - short command to bring a specified interface down. Example: ifdown eth0
ifconfig eth0 up - command to bring a specified interface up.
ifconfig eth0 down - command to bring a specified interface down.
Trusted Access
This feature allows access to a Unix server without a password/authentication. I'm not sure if this is a good idea, but if security is not a concern, to do this:
1. Add hosts to the /etc/hosts.equiv file.
2. Create a .rhosts file in the home directory of each user to use trusted access. Example: /home/cgermany/.rhosts
To log in with trusted access:
1. rlogin TheComputerName
2. To copy files = rcp TheComputerName:/etc/hosts localhost:/root
3. rsh = Run a shell command on the remote computer. Example: rsh TheRemotePC pwd .
©2005 C. Germany