Network Administration

719 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
719
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
24
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Network Administration

  1. 1. Home Page Title Page Network Administration Preetam Patil KReSIT, IIT Bombay Page 1 of 82 mailto:yogi@it.iitb.ac.in Go Back Full Screen Close Quit
  2. 2. Network Administration Home Page GOAL: Keeping the network running properly, and configuring and man- aging services that are provided over the network! Title Page • There are many services that we use regularly . . . • and there are some which work in the background (e.g. DNS) en- abling other services to run smoothly! • We’ll take a look at some of them: Page 2 of 82 – DNS – E-Mail Go Back – Firewalls and Proxies Full Screen – FTP – some misc utilities Close Quit
  3. 3. Home Page Title Page Domain-name System Page 3 of 82 Go Back Full Screen Close Quit
  4. 4. Address resolution - Earlier Home Page • The name-to-address mapping of all hosts known were used to be stored in all hosts, in /etc/hosts file Title Page • There used to be periodic updates to this mapping file • This worked well till the size of Internet was small, but couldn’t be continued because – new hosts and names were being added frequently, so keeping the Page 4 of 82 file updated was problematic – name space collision- two hosts could possibly choose the same Go Back name independently, causing collision – administrative authority- different networks were under different Full Screen administrative controls, and there was no reason why you needed to update global database for local hostname changes Close Quit
  5. 5. Solution: building distributed hierarchical database Home Page • Called Domain Name System which is a tree of domains! “DNS is a Title Page set of protocols for distributed database” • The network is broken into a hierarchy of domains • The namespace is organized as a tree according to organizational or administrative boundries Page 5 of 82 • Each node, called a domain, is given a label, and the name of the domain is the concatenation of all the labels of the domains from the Go Back root to the current domain, listed from right to left, separated by dots Full Screen • A label need only be unique within its domain Close Quit
  6. 6. Namespace Organization • Moreover, the namespace is partitioned into several areas called Home Page zones, each starting at a domain and extending down to the leaf do- mains or to domains where other zones start zones usually represent Title Page administrative boundries Page 6 of 82 Go Back Full Screen Close Quit
  7. 7. Home Page What is a domain? Title Page • A domain is a registry which may contain: – definitions of subdomains and information about how to reach one – address of contact person for the domain – name-to-address mappings (or the reverse way) Page 7 of 82 – information about how to route mails for the domain Go Back – information about the well-known services provided by the do- main Full Screen Close Quit
  8. 8. Home Page Resolvers Title Page • A resolver is a client of the DNS • Resolvers are used by networking applications to query the DNS • Resolvers direct the queries at name servers that contain parts of the distributed database, using the DNS protocols Page 8 of 82 • The resolver libraries are located in the application layer of the net- Go Back working software of each TCP/IP capable machine Full Screen Close Quit
  9. 9. BIND (Berkeley Internet Name Domain) Home Page • Consists of a DNS Name-server (called named) and resolver libraries Title Page • BIND deals primarily with zones • Types of servers – Caching only server: ∗ a Caching Only Server is a server that is not authoritative for any zone Page 9 of 82 ∗ this server queries and asks other servers, who have authority Go Back for any zone ∗ all servers keep data in their cache until the data expires, based Full Screen on TTL(“Time-to-live”) field which is maintained for all re- source records Close Quit
  10. 10. BIND (Berkeley Internet Name Domain) Home Page • Types of servers (contd...) – Slave server: Title Page ∗ a server that always forwards queries it cannot satisfy from its cache, to a fixed list of forwarding servers instead of interact- ing with the authoritative servers – Authoritative servers: ∗ the servers which are authorized to answer qeuries for any en- Page 10 of 82 tries in their zones ∗ They are further classified as Primary and Secondary Go Back ∗ Primary servers ae the servers where the records for the zone Full Screen for which it’s authoritative are maintained ∗ Secondary servers get the zone records from the primary Close server Quit
  11. 11. BIND configurartion Files Home Page • Boot File ( /etc/named.conf ) – this is the file that is read when named starts up Title Page – this tells the server what type of server it is, which zones it has authority over and where to get its initial data • Resolver Configuration ( /etc/resolv.conf ) – designates the name-servers on the network that should be sent Page 11 of 82 queries – this is the file referred by the resolver in the system Go Back • Cache initialization file ( /var/named/root.cache ) Full Screen – tells the nameserver about which are the authoritative nameserver for the root of the domain (this is the starting point for any lookup) Close Quit
  12. 12. Home Page BIND configurartion Files (contd . . . ) Title Page • Zone data files: – hosts: contains all the data about machines and subdomains in this zone – hosts.rev : this file specifies the IN-ADDR.ARPA domain (this is a special domain for allowing address-to-name(reverse) Page 12 of 82 mapping) Go Back – named.local : this file specifies the address-to-name mapping for the local loopback interface, known as localhost Full Screen Close Quit
  13. 13. Home Page Format of a Zone data file Title Page • The zone data file is specified using Standard Resource Record For- mat • The format specifies different types of objects, like – A: name-to-IP address mapping – MX: Mail exchanger for the domain Page 13 of 82 – NS: authoritative Name-server for the domain Go Back – PTR: IP address-to-name(reverse) mapping – CNAME: Canonical name- providing aliases Full Screen Close Quit
  14. 14. Home Page Title Page DNS Utilities • nslookup: used for looking up DNS data; provides interactive inter- face if not specified domain name on command line • host: a simple utility for performing DNS lookups Page 14 of 82 • dig: a flexible tool for interrogating DNS name servers, used mainly by DNS administrators to debug DNS problems Go Back Full Screen Close Quit
  15. 15. Home Page Title Page E-Mail Services Page 15 of 82 Go Back Full Screen Close Quit
  16. 16. Home Page E-mail Services Title Page • E-mail: the most important application on Internet! • This is because of the following features of e-mail systems: – the protocol is robust and reliable – there are a variety of ways one can access e-mail Page 16 of 82 – it’s flexible – it works with any type of network access – it’s almost instant, but without requiring everyone to be online Go Back • these features are the result of the many components which we’ll take a look at! Full Screen Close Quit
  17. 17. How is Mail delivered? Home Page There are four important components of email system: Title Page • MUA - Mail Users Agent This is the program a user uses for sending/reading emails • MTA - Mail Transfer Agent is used to pass mail from the sending machine to the receiving machine over the network There is a MTA program running on both ends Page 17 of 82 • MDA - Mail Delivery Agent on the receiving machine receives the mail from its MTA Go Back • SMTP - Simple Mail Transfer Program Protocol is used by the MTAs on both machines to pass mail between them Full Screen SMTP usually runs on port 25 Close Quit
  18. 18. Mail between full-time Internet machines Home Page Title Page Page 18 of 82 Go Back Full Screen Close Quit
  19. 19. Home Page UUCP Title Page • UUCP stands for Unix-to-Unix copy • UUCP can be used for mail transport • Salient Features of UUCP – can run on different types of networks Page 19 of 82 – efficient on resources Go Back – allows local mail accounts, global addresses – creating UUCP domains requires minimum configuration Full Screen Close Quit
  20. 20. Home Page Mail User Agents (MUA) Title Page • Many choices of MUAs, also referred to as mail-readers available, as discussed in previous sessions • text-based mail-readers: mutt, pine, mh, elm etc. • GUI-based mail-readers: evolution, kmail, mozilla mail client, etc. Page 20 of 82 • most of them also include an editor, and address-book functionality Go Back • added functionalities available: threaded sorting, mail filtering, role- playing, text searching etc. Full Screen Close Quit
  21. 21. MUTT and PINE Home Page • MUTT Title Page – Supports color terminal, MIME, threaded sorting mode. – a powerful mail client which is extremely configurable through the configuration file, typically .muttrc • Pine Page 21 of 82 – another powerful mail client which is configurable through menu- based setup as well as config file Go Back – one unique feature of Pine is it’s support for roles: different user Full Screen profiles based on a set of conditions Close Quit
  22. 22. Home Page Mail Transport Agents Title Page • Different MTAs differ in the features they offer, flexibility of config- uration, and ease of usage/administration • the important ones are Sendmail, Exim and Qmail • since mail server configuration is complex, they all come with tools Page 22 of 82 to manage the configuration Go Back • all of these are capable handling bulk emails Full Screen Close Quit
  23. 23. Home Page Sendmail Title Page • Sendmail is believed to be one of the most complex softwares ever written, the proof of which is the sendmail configuration file sendmail.cf • but fortunately, there are tools to generate the configuration using Page 23 of 82 predefined macros • moreover, there are many sensible defaults which need not be Go Back tweaked unless needed Full Screen Close Quit
  24. 24. Sendmail functionalities • accepting/making SMTP connections (over network/locally) Home Page • local mail delivery Title Page • mail relaying • many user database options • access control for relaying, receiving, delivery on per-user, per-host or per-domain basis Page 24 of 82 • support for spam-blocking from a list of spam sites which is retrieved automatically Go Back • range of operations on mails Full Screen • support for many security enhancements • can be combined with other mail-processing softwares for even more Close functionality- e.g with procmail for powerful mail filtering Quit
  25. 25. Sendmail Configuration Home Page • Sendmail Files: Title Page – /etc/mail: default configuration directory – /etc/aliases contains the aliases source listing – /etc/sendmail.mc sendmail macro configuration file – /etc/mail/sendmail.cw list of domains for which to ac- cept mails for Page 25 of 82 – /etc/mail/access.txt sendmail access configuration file Go Back – /var/spool/mqueue/ contains the mail files till they are not delivered Full Screen – /var/spool/mail/username contains the user’s mailbox Close Quit
  26. 26. Sendmail Configuration (contd . . . ) Home Page • Typical steps in Sendmail configuration are: – The sendmail.mc macro configuration file is the starting point Title Page for sendmail configuration – Utilities like sendmailconfig even help you to generate the sendmail.mc file – edit this file to put any additional features, if needed – edit the access.txt file to define access control rules, if you Page 26 of 82 want access control – generate the access.db file by running makedb utility Go Back • Maintaining user aliases Full Screen – edit the aliases file /etc/aliases Close – run newaliases to generate the aliases database Quit
  27. 27. Home Page Title Page Sendmail Utilities • mailq prints the list of entries in mail queue • mailstats displays the current mail statistics Page 27 of 82 • makemap builds desired databases from source file Go Back Full Screen Close Quit
  28. 28. Home Page Fetchmail Title Page • Fetchmail is a very useful mail-retrieval and forwarding utility • it fetches mail from remote mail-servers and forwards it to your local (client) machine’s delivery system • it can also be run in a daemon mode to repeatedly poll one or more remote mailboxes at a specified interval Page 28 of 82 • if fetches mail from remote server using POP or IMAP protocols Go Back • can also be useful as a message transfer agent for sites which refuse SMTP transactions Full Screen Close Quit
  29. 29. Home Page How it works Title Page • Fetchmail connects to the specified servers using the specified proto- cols, authenticates itself using the username/password specified, and retrieves mail • it normally delivers mail via SMTP to port 25 on the machine it is running on(localhost) Page 29 of 82 • the mail is then delivered locally via the local system’s MDA Go Back • If no port 25 listener is available, it can also use that MDA for local delivery directly Full Screen Close Quit
  30. 30. Home Page Title Page Fetchmail configuration • /etc/fetchmail.conf is the config file for fetchmail run in daemon mode • ˜/.fetchmailrc is the config file for user-level fetchmail config- Page 30 of 82 uration • Fetchmailconf is the GUI-based utility to create/modify these files Go Back Full Screen Close Quit
  31. 31. Home Page Mail Message Format Title Page • A mail message consists of a Mail header and a Mail body separated by a blank line • The header contains, amongst other things, – Source address of the mail Page 31 of 82 – Destination address of the mail – Subject line Go Back – Date the mail was sent Full Screen Close Quit
  32. 32. Home Page Procmail-The email filter Title Page • it’s a powerful mail processor with lots of features • it is typically used as a mail filter that receives the mail when it arrives for the particular user • it can also be used as local mail delivery agent Page 32 of 82 • its operation is defined by filter rules referred to as recipes Go Back • there are great variety of things that can be done with these recipes! Full Screen Close Quit
  33. 33. Procmail Configuration Home Page • Procmail recipes Title Page – a typical recipe can have the form: :0 * $ˆTo:.*mpls.uu.net.* /home/myname/mail/mpls – procmail goes through the recipes one-by-one from top to bottom to decide on the action to take on the mail Page 33 of 82 • create a .procmailrc file consisting of recipes you want: Go Back • generally, mails have to be diverted to the procmail program through .forward mechanism: put the following line in the Full Screen .forward file in you home-directory: "| /usr/bin/procmail" Close Quit
  34. 34. Home Page Mail Notifiers Title Page • Notifiers are the programs that inform the user of an incoming mail • Notifier requires two programs: – biff - Allows the comsat service to be turned on and off. Page 34 of 82 – comsat - Notifies the user of new mail. Go Back • many other X-based mail notifiers like xbiff, gbuffy are available Full Screen Close Quit
  35. 35. Home Page Mailbox formats Title Page • mbox - Mailbox format, puts each mailbox into a directory of files. • BABYL - An old mail system. • MMDF - The simplest. Older and crude. Page 35 of 82 • MH - Mailbox format, puts each mailbox into a directory of files. Go Back • qmail Full Screen Close Quit
  36. 36. Internet Mail Access Protocol(IMAP) Home Page • IMAP stands for Internet Message Access Protocol Title Page • It is a method of accessing electronic mail remotely • Key features of IMAP are: – allows message access and management from more than one computer Page 36 of 82 – allows access without reliance on less efficient file access proto- cols. Go Back – provide support for “online”, “offline”, and “disconnected” ac- cess modes. Full Screen – support for concurrent access to shared mailboxes. Close Quit
  37. 37. Post Office Protocol(POP) Home Page • typically used to allow a workstation to retrieve mail that the server Title Page is holding for it • IMAP v/s POP – IMAP is an online protocol whereas POP is an off-line protocol – POP has a minimum use of connect time – POP uses lesser server resources than POP Page 37 of 82 – IMAP provides access to your inbox from different computers Go Back – IMAP has Faster start-up time, as only message headings are transferred initially Full Screen – IMAP is supposed be a functional superset of POP Close Quit
  38. 38. Home Page Title Page Firewalls and Proxies Page 38 of 82 Go Back Full Screen Close Quit
  39. 39. What are Firewalls? Home Page • According to “Firewall-HOWTO” Title Page – “Internet firewalls are intended to keep the flames of Internet hell out of your private LAN” – Or, “to keep the members of your Lan PURE and chaste by deny- ing them access the all the evil Internet temptations • Firewalls are used: Page 39 of 82 – For securing the network, or Go Back – For securing your own system, i.e for dialup users or on insecure LANs Full Screen – and to keep people(employees/children) in or, to keep a watch on insiders’ net access. Close Quit
  40. 40. Home Page Filtering Firewalls Title Page • Work at the network level (TCP and IP layers) • Transparent to the users • Data packets filtered based on their type, source/destination ad- dress,and port numbers Page 40 of 82 • Can be achieved efficiently, thus with less latency • No scope for user identification/passwords Go Back • The only user identity is the IP address Full Screen Close Quit
  41. 41. Home Page Proxy Servers Title Page • “Proxies” on behalf of the client machine behind the firewall • Finer control and monitoring of the network traffic that goes through (or isn’t allowed to go through!) • Some proxies also cache data for bandwidth efficiency Page 41 of 82 • Not transparent to the users: i.e, users need to modify application Go Back settings to access services outside network boundry Full Screen Close Quit
  42. 42. Home Page Proxy Servers (contd . . . ) Title Page • Application Proxies – work at application layer. e.g: web(HTTP) proxy – user authentication through variety of means – can even filter “inappropriate” words or viruses Page 42 of 82 • SOCKS proxies Go Back – Work at Sockets level, in a manner similar to filtering proxies – Do not provide as much functionality as application proxies Full Screen Close Quit
  43. 43. Firewall Location Home Page Title Page Page 43 of 82 Go Back Full Screen Close Quit
  44. 44. Home Page Running the Filtering Firewall Title Page • Hardware required: – any standard PC, config depending on the load expected, from a 486 to P-II – More than one network cards, if you want to forward packets also • Software: Page 44 of 82 – linux kernel 2.2 and above, with firewalling features compiled in Go Back (most default kernels now a days have these!) – the iptables (or ipchains for 2.2.X linux kernels) package Full Screen Close Quit
  45. 45. Home Page Title Page Preparing the system • Select/compile the kernel with firewalling features • Configure the network interfaces Page 45 of 82 • Optional: turn on IP forwarding (if you need it) Go Back Full Screen Close Quit
  46. 46. Home Page IPTABLES Title Page • IPTABLES: a combination of kernel and user-space utilities to man- age packet filter from user-space • IPTABLES consists of tables, one of them is “filter” • Tables consist of chains, which are lists of rules Page 46 of 82 • There are three in-built chains in the “filter” table: Go Back – INPUT, OUTPUT, FORWARD Full Screen Close Quit
  47. 47. Chains Diagram Home Page Title Page Page 47 of 82 Go Back Full Screen Close Quit
  48. 48. Operations on chains Home Page • Creating a new chain: # iptables -N my chain Title Page • Deleting a new chain: # iptables -X my chain • Flushing a chain(deleting all rules from the chain): # iptables -F OUTPUT • Listing a chain: Page 48 of 82 # iptables -L INPUT Go Back • Resetting the counters: #iptables -Z FORWARD Full Screen • Setting Policy(for in-built chains only): can be either ACCEPT or DROP Close # iptables -P FORWARD DROP Quit
  49. 49. Home Page Title Page Rules • A rule specifies a set of conditions the packet must meet, and what to do if it meets them (a ‘target’) Page 49 of 82 Go Back Full Screen Close Quit
  50. 50. Home Page Operations on a single rule Title Page • Append or Delete: # iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT # iptables -D INPUT -s 192.168.0.0/16 Page 50 of 82 -j ACCEPT Go Back • Insert or Replace: apply to a position in the rule-list Full Screen Close Quit
  51. 51. Filtering Specification • Specifying Source and Destination IP address Home Page – can specify host/domainname, address, or address/netmask # iptables -A FORWARD -s 192.168.1.0/24 Title Page -j ACCEPT • Specifying inversion – many flags can be preceded by ! to indicate inversion (NOT) # iptables -A FORWARD -s ! 192.168.2.0/24 Page 51 of 82 -j DROP Go Back • Specifying Protocol • protocol can be specified with the -p flag: common values are TCP, Full Screen UDP and ICMP Close # iptables -A FORWARD -d 192.168.1.0/24 -p ICMP -j ACCEPT Quit
  52. 52. Filtering Specification (contd . . . ) Home Page • TCP Extensions: if -p TCP is specified, following extensions are available: Title Page – --tcp-flags : # iptables -A FORWARD -i ppp0 -p tcp --tcp-flags SYN,SRT, ACK SYN -j DROP – --sport : Page 52 of 82 specifies a single TCP port or a range of ports as source Go Back # iptables -A INPUT -p tcp --sport 20 -j ACCEPT Full Screen – --dport : specifies destination port, similar to sport Close Quit
  53. 53. Home Page Filtering Specification (contd . . . ) Title Page • Specifying an Interface – -i flag specifies the incoming interface, -o specifies outgoing interface to match Only FORWARD chain has both input and output interface Page 53 of 82 # iptables -A INPUT -i ppp0 -s 192.168.0.0/16 Go Back -j DROP Full Screen Close Quit
  54. 54. Home Page Title Page Target Specification: specifying the action on the packet • Target of a Rule can be: – one of the two simple built-in targets: DROP and ACCEPT Page 54 of 82 – a user-defined chain: packet begins traversing rules in that user- defined chain Go Back Full Screen Close Quit
  55. 55. General tips Home Page • Since firewalls are the exposed part of your network to the outside Title Page world, – run as few services as you can on the firewall system – avoid keeping normal user accounts on the system – always keep the softwares/kernel updated/patched on the firewall Page 55 of 82 – run sanity checks on the firewall routinely • IPtables etc are not complete firewalls! they can break your network Go Back • traffic: if the services on your system are limited, consider Full Screen application-level filtering to make your life easier. Close Quit
  56. 56. Notes Home Page • netfilter is a set of hooks inside the linux 2.4.x kernel’s network stack Title Page which allows kernel modules to register callback functions called ev- ery time a network packet traverses one of those hooks. • iptables is a generic table structure for the definition of rulesets.Each rule within an IP table consists out of a number of classifiers (matches) and one connected action (target). Page 56 of 82 • netfilter, iptables and the connection tracking as well as the NAT sub- Go Back systems together build the whole framework. • What should be the order of rules in the table? Order is important: Full Screen action is taken based on the first rule that matches. Close Quit
  57. 57. Home Page Title Page Proxy Servers Page 57 of 82 Go Back Full Screen Close Quit
  58. 58. Home Page Why use Proxy Servers ? Title Page • Security, crossing firewalls • access control policies • efficient use of resources due to caching • junk content filtering Page 58 of 82 • accounting Go Back • load balancing Full Screen Close Quit
  59. 59. Home Page Squid Title Page • Squid is a high-performance proxy caching server for web clients, supporting FTP and HTTP data objects among others • Squid consists of – A main server program squid Page 59 of 82 – A Domain Name System lookup program dnsserver Go Back – Some optional programs for performing authentication etc Full Screen Close Quit
  60. 60. Home Page Squid Configuration Title Page • Squid configuration needs to define the addresses (IP address + port) for every relevant server and gateway. • A Squid daemon program will need to communicate with – Local or remote web servers Page 60 of 82 – Other Cache servers – Clients (desktop browsers or gateways) Go Back • Subsequent sections cover the important configuration options Full Screen Close Quit
  61. 61. Configuration (contd...) Home Page • http port – This tag name is used to specify the socket address where squid Title Page will listen for HTTP client requests. – default value is 3128 – Usage: http port port • cache mem Page 61 of 82 – Specifies the ideal amount of memory used for caching Go Back – Default value is 8 MB Full Screen – usage: cache mem 1 GB Close Quit
  62. 62. Proxy Access Control Home Page • http access Title Page – Allowing or denying http access based on defined access lists – If none of the “access” lines cause a match, the default is the opposite of the last line in the list e.g if the last line is deny, then the default is to allow and vice- versa – Examples Page 62 of 82 ∗ http access allow manager localhost Go Back http access deny manager http access deny !Safe ports Full Screen http access deny CONNECT !SSL ports http access deny all Close Quit
  63. 63. Home Page Configuration (contd...) Title Page • acl • Usage: acl aclname acltype string1 ... This is used for defining an access List • acltype: proxy auth Page 63 of 82 – User authentication via external process. It requires an exter- Go Back nal authentication program to check username/password combi- nation Full Screen Close Quit
  64. 64. Home Page Title Page FTP Page 64 of 82 Go Back Full Screen Close Quit
  65. 65. Home Page Title Page ftp: File Transfer Protocol FTP provides means for file transfers over the network. It also has support for managing files on remote machine and user authentication. On the re- mote host, a server program, typically called ftpd needs to be running, while on the user end, any ftp client program needs to be run The commands for ftp operations, which are supported by both ftp clients Page 65 of 82 and servers, are specified by the ftp protocol, which is an Internet Stan- dard Go Back Full Screen Close Quit
  66. 66. ftp Commands Home Page • binary Title Page Set the file transfer type to support binary mode transfer. • bye terminate the FTP session with the remote server and exit ftp. • cd Page 66 of 82 Change the working directory on the remote machine to remote- Go Back directory • ls [remote-directory] Print a listing of the contents of Full Screen remote-directory on the remote machine Close Quit
  67. 67. ftp Commands(contd . . . ) Home Page • get remote-file [local-file] Retrieve the remote-file Title Page and store it on the local machine • put local-file [remote-file] Store a local file on the remote machine. • mget remote-files Expand the remote-files on the remote ma- Page 67 of 82 chine and do a get for each file name thus produced. • mput local-files Similar to mget, for uploading files Go Back • Aborting a file transfer: To abort a file transfer, use the terminal in- Full Screen terrupt key (usually Ctrl C). Close Quit
  68. 68. Home Page FTP clients Title Page • command-based simple ftp client: ftp • a command-based ftp client with more features: ncftp • most browsers, using the FTP URL syntax Page 68 of 82 e.g ftp://username@hostname/path/to/directory • file/URL retrieval programs: e.g wget Go Back Full Screen Close Quit
  69. 69. Home Page FTP server Title Page • ftp daemon (server) is the program which listens for ftp requests and executes ftp commands on remote machines • it can be run standalone or from the INETD superserver • ftp servers also support anonymous ftp, which is for public distribu- Page 69 of 82 tion of files without user authentication Go Back • examples of ftp daemon programs: proftpd, wu-ftpd Full Screen Close Quit
  70. 70. proftpd server Home Page • configuration files – /etc/proftpd.conf is the ftpd configuration file. One can Title Page specify maximum number of concurrent connections, authentica- tion options and per-directory permissions among other things – /etc/ftpusers is the file which lists who are not allowed ftp access • Anonymous ftp: Page 70 of 82 – /var/ftp/ or /home/ftp are the typical locations for the Go Back anonymous ftp directory – since the anonymous users are not authenticated, they are re- Full Screen stricted to this directory tree only – they don’t have access to full set of ftp commands Close Quit
  71. 71. Home Page Secure File Transfer Program Title Page • sftp (secure ftp) is an interactive file transfer program, which provides functionality similar to ftp • it operates on top of the ssh transport, which means that the commu- nication is encrypted • it also provides other features of ssh, such as public key authentica- Page 71 of 82 tion and compression. Go Back • sftp Example $ stfp ajanshu@storage.it.iitb.ac.in Full Screen Close Quit
  72. 72. Home Page Title Page Secure Shell (SSH) Page 72 of 82 Go Back Full Screen Close Quit
  73. 73. Home Page Secure Shell (SSH) Title Page • ssh is a program for logging into a remote machine and executing commands on it • provides secure encrypted communication between two trusted/untrusted hosts • even X11 connections and arbitrary TCP/IP ports can be forwarded Page 73 of 82 on the secure channel provided by ssh Go Back • it provides functionality similar to rsh/rlogin, but in a secure way • example- for remote login: $ ssh hetanshu@it.iitb.ac.in Full Screen Close Quit
  74. 74. SSH Authentication Home Page • Host-based authentication: logging in is permitted if Title Page – the remote hostname is listed in /etc/hosts.equiv or /etc/ssh/shosts.equiv (on the remote machine where login is attempted) – and the usernames are the same on both sides • RSA-based Host authentication: Page 74 of 82 login is permitted similar to previous case, but only if the remote Go Back host’s key can be varified by the server • CAUTION: host-based authentication is inherently insecure, and Full Screen should be avoided as a generel rule! Close Quit
  75. 75. Home Page SSH Authentication (contd . . . ) Title Page • User Authentication: – Public-Key authentication ∗ based on public-key cryptography: ∗ there is a pair of complimentary keys for encryption and de- cryption respectively Page 75 of 82 ∗ it not possible (in realistic time, actually) to derive the decryp- tion key from the encryption key Go Back ∗ only the user has the private key, and the server has access to public key Full Screen Close Quit
  76. 76. Home Page Title Page File SHaring Page 76 of 82 Go Back Full Screen Close Quit
  77. 77. Home Page File-Sharing Title Page • Two important file-sharing protocols: SMB and NFS – SMB is the protocol for MS-Windows file sharing – “samba” is the package for using SMB on GNU/Linux – SMB also allows other services like printing etc. Page 77 of 82 – smbd and nmbd are the daemon programs to share resources – smbclient and smbmount are used to use SMB shares Go Back – NFS is the protocol for Network filesystem Full Screen Close Quit
  78. 78. Home Page Title Page Misc Utilities Page 78 of 82 Go Back Full Screen Close Quit
  79. 79. Useful Tools Home Page • finger - user information lookup program #finger foo Title Page #finger foo@bar • talk - talk to another user #talk foo #talk foo@domain.com Page 79 of 82 Go Back • telnet - user interface to communicate with another host using TEL- NET protocol. Full Screen #telnet [domain name] Close Quit
  80. 80. Resources Home Page • manpages and documentation for all packages discussed Title Page • Email: – Mail-Administrator-HOWTO – Sendmail Installation and Operation Guide • DNS and BIND – DNS-HOWTO Page 80 of 82 – Bind Operations Guide Go Back • Firewalls Full Screen – Firewall-HOWTO – Packet-Filtering HOWTO Close Quit
  81. 81. Home Page Title Page Thanks.. Page 81 of 82 Go Back Full Screen Close Quit
  82. 82. Home Page Title Page Page 82 of 82 Go Back Full Screen Close Quit

×