Linux Services

Linux DHCP Server

 DHCP is an IP address dynamically
assigned from DHCP server.
 PC client will most likely get its IP
address at boot time from the home
router instead
 The DHCP server RPM's filename
usually starts with the word dhcp
followed by a version number
 dhcp-3.0.1rc14-1.i386.rpm.

2
 The /etc/dhcpd.conf File
 When DHCP starts, it reads the file
/etc/dhcpd.conf.
 The standard DHCP RPM package doesn't
automatically install a /etc/dhcpd.conf file, but
a sample copy of dhcpd.conf is in the following
directory
 /usr/share/doc/dhcp-<version-number>/dhcpd.conf.sample

3
/etc/dhcpd.conf example file
ddns-update-style interim;
ignore client-updates;

subnet 172.27.21.0 netmask 255.255.255.0 {

# --- default gateway

option routers 172.27.21.254;
option subnet-mask 255.255.255.0;

option nis-domain "cp.su.ac.th";

option domain-name "cp.su.ac.th";
option domain-name-servers 202.28.72.66;
option domain-name-servers 202.44.135.9;
option time-offset -18000; # Eastern Standard Time

# option netbios-node-type 2;

range dynamic-bootp 172.27.21.200 172.27.21.250;

default-lease-time 21600;
max-lease-time 43200;

}
}
4
How to get DHCP started
 Use the chkconfig command to get DHCP
configured to start at boot:

[root@bigboy tmp]# chkconfig dhcpd on

 Use the service command to instruct the

/etc/init.d/dhcpd script to start/stop/restart DHCP
after booting

[root@bigboy tmp]# service dhcpd start

[root@bigboy tmp]# service dhcpd stop
[root@bigboy tmp]# service dhcpd restart

5
SAMBA
 Samba is a suite of utilities that
allows your Linux server to share
files and other resources, such as
printers, with Windows clients.

6
Get SMB started
 Configure Samba to start at boot time using the
chkconfig command:
[root@bigboy tmp]# chkconfig smb on
 Start/stop/restart Samba after boot time using
the smb initialization script as in the examples
below:
[root@bigboy tmp]# service smb start
[root@bigboy tmp]# service smb stop
[root@bigboy tmp]# service smb restart

 Note: Unlike many Linux packages, Samba does

not need to be restarted after changes have been
made to its configuration file, as it is read after
the receipt of every client request.
7
The Samba Configuration File
The /etc/samba/smb.conf file is the main configuration

Section Description
[global] General Samba configuration parameters

[printers] Used for configuring printers

[homes] Defines treatment of user logins

[netlogon] A share for storing logon scripts.

(Not created by default.)

[profile] A share for storing domain logon information such as "favorites" and
desktop icons.
(Not created by default.)

8
Samba's SWAT web interface
 SWAT, Samba's web based configuration
tool to enables smb.conf file without
needing to remember all the formatting.
 Each SWAT screen is actually a form that
covers a separate section of the smb.conf
file into which admin fill in the desired
parameters, each parameter box has its
own online help

9
Samba SWAT Main Menu

10
 Basic SWAT Setup
 Root must always remember that SWAT
edits the smb.conf file but also strips out
any comments that may have manually
entered into it beforehand.
 The original Samba smb.conf file has
many worthwhile comments in it, you
should save a copy as a reference before
proceeding with SWAT.
 For example, you could save the original file
with the name /etc/samba/smb.conf.original

[root@tmp]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original

11
Basic SWAT Setup
 The enabling and disabling, starting and
stopping of SWAT is controlled by xinetd
via a configuration file named
/etc/xinetd.d/swat
service swat
{
port = 901
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = no
only_from = localhost
}

12
Basic SWAT Setup
 The disable parameter must be set to no to accept
connections. This can automatically be switched
between yes and no.
 The default configuration only allows SWAT web
access from the VGA console only as user root on
port 901 with the Linux root password.
 This means root have to enter "http://127.0.0.1:901"
in browser to get the login screen.
 root can make SWAT accessible from other servers
by adding IP address entries to the only_from
parameter of the SWAT configuration file.
 An example of an entry to allow connections only
from 192.168.1.3 and localhost.

only_from = localhost 192.168.1.3

13
Controlling SWAT
 Same as all xinetd-controlled applications,
the chkconfig command automatically
modifies the disable field accordingly in
the configuration file and activates the
change.
 Before SWAT can be used, the xinetd
program which controls it must be
activated in advance.
 You can start/stop/restart xinetd after
boot time using the xinetd initialization

14
xinetd Programs
 Many network enabled Linux applications
do not rely on themselves to provide
restricted access or bind to a particular
TCP port
 instead they often offload a lot of this
work to a program suite made just for
this purpose, xinetd
 The xinetd RPM is installed by default in
Fedora Linux and uses /etc/xinetd.conf as
its main configuration file

15
Controlling xinetd
 The starting and stopping of the xinetd daemon is
controlled by the by scripts in the /etc/init.d
directory and it is behavior at boot time is
controlled by chkconfig.
 You can start/stop/restart xinetd after booting by
using the following commands:
[root@bigboy tmp]# service xinetd start
[root@bigboy tmp]# service xinetd stop
[root@bigboy tmp]# service xinetd restart

 To get xinetd configured to start at boot you can

use the chkconfig command.
[root@bigboy tmp]# chkconfig xinetd on

16
Controlling xinetd-Managed Applications
 Xinetd-managed applications all store
their configuration files in the
/etc/xinetd.d directory.
 Each configuration file has a disable
statement that can set to yes or no. This
governs whether xinetd is allowed to start
them or not.
 You don't have to edit these files to
activate or deactivate the application. The
chkconfig command does that
automatically will also stops or starts the
application accordingly too
17
Telnet
 Telnet is a program that allows users to log into
server and get a command prompt just as if they
were logged into the VGA console.
 The Telnet server RPM is installed and disabled by
default on Fedora Linux.
 One of the disadvantages of Telnet is that the
data is sent as clear text.
 A more secure method for remote logins would be
via Secure Shell (SSH) which uses varying
degrees of encryption.
 The older Telnet application remains popular.
Many network devices don't have SSH clients,
making telnet the only means of accessing other
devices and servers from them

18
Installing The Telnet Server Software
 Older versions of RedHat had the Telnet
server installed by default. Fedora Linux
does not
 you will have to install it yourself.
 Most Linux software products are
available in a precompiled package
format. Downloading and installing
packages
 When searching for the file, the Telnet
server RPM's filename usually starts with
the word "telnet-server" followed by a
version number as in telnet-server-0.17-
28.i386.rpm.
19
Setting Up A Telnet Server
 To set up a Telnet server use the
chkconfig command to activate Telnet.
[root@bigboy tmp]# chkconfig telnet on

 Use the chkconfig command to deactivate

telnet, even after the next reboot.
[root@bigboy tmp]# chkconfig telnet off

20
Let Telnet Listen On Another TCP Port
 Letting telnet run on an alternate TCP
port does not encrypt the traffic, but it
makes it less likely to be detected as
telnet traffic.
 Remember that this is not a foolproof
strategy; good port scanning programs
can detect telnet and other applications
running on alternative ports.

21
Let Telnet Listen On Another TCP Port

1. Edit /etc/services file and add an entry

for a new service. Call it stelnet.
# Local services
stelnet 7777/tcp # "secure" telnet

2. Copy the telnet configuration file

called /etc/xinetd.d/telnet and call it
/etc/xinetd.d/stelnet:
[root@bigboy tmp]# cp /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

22
 Let Telnet Listen On Another TCP Port
3. Edit the new /etc/xinetd.d/stelnet file. Make the new service
stelnet and add a port statement for TCP port 7777.
# default: on
# description: The telnet server serves telnet sessions
# unencrypted username/password pairs for authentication.
service stelnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
port = 7777
}

4. Use chkconfig to activate stelnet.

[root@bigboy tmp]# chkconfig stelnet on
23
Let Telnet Allow Connections From
Trusted Addresses
 Root can restrict telnet logins access to individual
remote servers by using the only_from keyword
in the telnet configuration file.
 Add a list of trusted servers to the
/etc/xinetd.d/telnet file separated by spaces:
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
only_from = 192.168.1.100 127.0.0.1 192.168.1.200
}

 Restart telnet by
# chkconfig telnet off
# chkconfig telnet on 24
Linux FTP
 The File Transfer Protocol (FTP) is used as
one of the most common means of
copying files between servers over the
Internet.
 Most web based download sites use the
built in FTP capabilities of web browsers
and therefore most server oriented
operating systems usually include an FTP
server application as part of the software
suite.
 Fedora linux ftp sever using default Very
Secure FTP Daemon (VSFTPD) package
25
FTP overview
 FTP relies on a pair of TCP ports to
get the job done. It operates in two
connection channels
 FTP Control Channel, TCP Port 21: All
commands send and the ftp server's
responses to those commands will go
over the control connection.
 FTP Data Channel, TCP Port 20: This
port is used for all subsequent data
transfers between the client and server.

26
How To Get VSFTPD Started
 With Fedora, Redhat, Ubunbtu and Debian You
can start, stop, or restart VSFTPD after booting
by using these commands:
[root@bigboy tmp]# /etc/init.d/vsftpd start
[root@bigboy tmp]# /etc/init.d/vsftpd stop
[root@bigboy tmp]# /etc/init.d/vsftpd restart

 With Redhat / Fedora you can configure VSFTPD

to start at boot you can use the chkconfig
command.

[root@bigboy tmp]# chkconfig vsftpd on

27
The Apache Web Server
 Apache is probably the most popular
Linux-based Web server application in
use.
 When searching for the file, the Redhat /
Fedora Apache RPM package's filename
usually starts with the word httpd
followed by a version number, as in
httpd-2.0.48-1.2.rpm

28
Get Apache started
 Use the chkconfig command to configure Apache
to start at boot:

[root@bigboy tmp]# chkconfig httpd on

 Use the httpd<code> init script in the

<code>/etc/init.d directory to start,stop, and
restart Apache after booting:

[root@bigboy tmp]# /etc/init.d/httpd start

[root@bigboy tmp]# /etc/init.d/httpd stop
[root@bigboy tmp]# /etc/init.d/httpd restart

29
General Configuration Steps
 The configuration file used by Apache
is /etc/httpd/conf/httpd.conf in Redhat /
Fedora distributions
 /etc/apache*/httpd.conf in Debian /
Ubuntu distributions.
 As for most Linux applications, you must
restart Apache before changes to this
configuration file take effect

30
Where To Put Web Pages
 All the statements that define the features of
each web site are grouped together inside their
own <VirtualHost> section, or container, in the
httpd.conf file.
 The most commonly used statements, or
directives, inside a <VirtualHost> container are:
 servername: Defines the name of the website
managed by the <VirtualHost> container. This is
needed in named virtual hosting only, as I'll explain
soon.
 DocumentRoot: Defines the directory in which the
web pages for the site can be found.

31
Where To Put Web Pages
 By default, Apache searches the
DocumentRoot directory for an index, or
home, page named index.html.
 Example, if a servername of www.my-site.com
with a DocumentRoot directory of
/home/www/site1/
Apache displays the contents of the file
/home/www/site1/index.html when someone
enter http://www.my-site.com in his browser.

32
The Default File Location
 By default, Apache expects to find all its
web page files in the “/var/www/html/”
directory with a generic DocumentRoot
statement at the beginning of httpd.conf
 Apache will display Web page files as long
as they are world readable, all the files
and subdirectories in DocumentRoot
should have the correct permissions
 Change the permissions on the /home/www
directory to 755, which allows all users,
including the Apache's httpd daemon, to read
the files inside.
33
Named Virtual Hosting
 Apache allow to make Web server host more than
one site per IP address by using Apache's named
virtual hosting feature.
 Use the NameVirtualHost directive in the
/etc/httpd/conf/httpd.conf file to tell Apache
which IP addresses will participate in this feature.
 The <VirtualHost> containers in the file then tell
Apache where it should look for the Web pages
used on each Web site.
 Admin must specify the IP address for which each
<VirtualHost> container applies.

34
Named Virtual Hosting Example
ServerName localhost
NameVirtualHost 97.158.253.26

<VirtualHost *>
DocumentRoot /home/www/site1
</VirtualHost>

<VirtualHost 97.158.253.26>
DocumentRoot /home/www/site2
ServerName www.my-site.com
ServerAlias my-site.com, www.my-cool-site.com
</VirtualHost>

<VirtualHost 97.158.253.26>
DocumentRoot /home/www/site3
ServerName www.test-site.com
</VirtualHost>

<VirtualHost 97.158.253.26>
DocumentRoot /home/www/site4
ServerName www.another-site.com
</VirtualHost>
35
Protect Web Page Directories With
Passwords

 Use Apache's htpasswd password utility to

create username/password combinations
independent of system login password for
Web page access.
 Specify the location of the password file,
and if it does not yet exist, should include
a -c, or create, switch on the command
line.
 Placing the file in /etc/httpd/conf
directory, away from the DocumentRoot
tree where Web users could possibly view
it.

36
 htpasswd Example

[root@bigboy tmp]# htpasswd -c /etc/httpd/conf/.htpasswd peter

New password:
Re-type new password:
Adding password for user peter
[root@bigboy tmp]#

[root@bigboy tmp]# htpasswd /etc/httpd/conf/.htpasswd paul

New password:
Re-type new password:
Adding password for user paul
[root@bigboy tmp]#

37
Protect Web Page Directories With
Passwords

 Make the .htpasswd file readable by all

users.
[root@bigboy tmp]# chmod 644 /etc/httpd/conf/.htpasswd
 Create a .htaccess file in the directory to
which you want password control with
these entries.
AuthUserFile /etc/httpd/conf/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user peter

38
Protect Web Page Directories With
Passwords
 Set the correct file protections on new .htaccess
file in the directory /home/www.
[root@bigboy tmp]# chmod 644 /home/www/.htaccess

 Make sure your /etc/httpd/conf/http.conf file has

an AllowOverride statement in a <Directory>
directive for any directory in the tree above
/home/www.
 In this example below, all directories below
/var/www/ require password authorization.
<Directory /home/www/*>
AllowOverride AuthConfig
</Directory>

39
Protect Web Page Directories With
Passwords

 Make sure that a <VirtualHost> directive

that defines access to /home/www or
another directory higher up in the tree.
<VirtualHost *>
ServerName 97.158.253.26
DocumentRoot /home/www
</VirtualHost>

 Restart Apache

40
Linux firewall
 Linux uses “iptable” for firewall
solutions
 A router that will use NAT and port
forwarding to both protect home
network and have another web server
on home network while sharing the
public IP address of firewall

41
iptable Features
 Integration with the Linux kernel with the
capability of loading iptables-specific
kernel modules designed for improved
speed and reliability.
 Stateful packet inspection. This means
that the firewall keeps track of each
connection passing through it and in
certain cases will view the contents of
data flows in an attempt to anticipate the
next action of certain protocols.
 Filtering packets based on a MAC address
and the values of the flags in the TCP
header.
42
iptable Features
 System logging that provides the option
of adjusting the level of detail of the
reporting.
 Network address translation.
 Support for transparent integration with
such Web proxy programs as Squid.
 A rate limiting feature that helps iptables
block some types of denial of service
(DoS) attacks

43
Start iptable
 Start iptable with:
[root@bigboy tmp]# service iptables start
[root@bigboy tmp]# service iptables stop
[root@bigboy tmp]# service iptables restart
 Sample of iptable command
iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p TCP \
--sport 1024:65535 --dport 80 -j ACCEPT

 iptables is being configured to allow the firewall to

accept TCP packets for routing when they enter on
interface eth0 from any IP address and are destined
for an IP address of 192.168.1.58 that is reachable
via interface eth1.
 The source port is in the range 1024 to 65535 and
the destination port is port 80
44
Secure Remote Logins
 OpenSSH, which provides a number of
ways to create encrypted remote terminal
and file transfer connections between
clients and servers.
 The OpenSSH Secure Copy (SCP) and
Secure FTP (SFTP) programs are secure
replacements for FTP,
 Secure Shell (SSH) is often used as a
stealthy alternative to TELNET

45
Starting OpenSSH
 OpenSSH is installed by default during
Linux installations
 SSH and SCP are part of the same
application, they share the same
configuration file and are governed by the
same /etc/init.d/sshd startup script
 configure SSH to start at boot by using
the chkconfig command when running
Fedora

[root@bigboy tmp]# chkconfig sshd on

46
The /etc/ssh/sshd_config File
 The SSH configuration file is called
/etc/ssh/sshd_config. By default SSH listens on all
NICs and uses TCP port 22.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1

#ListenAddress 0.0.0.0
#ListenAddress ::

 start, stop, and restart SSH with service comand

47
Other Linux services
 NTP
 Sendmail
 DNS
 MRTG
 Network File System (NFS)
 Etc.

48