Facultat d'Informàtica de Barcelona
Univ. Politècnica de Catalunya
Administració de Sistemes Operatius
Network services

Topics

• 1. Introduction to OS administration
• 2. Installation of the OS
• 3. Users management
• 4. Applications management
• 5. System monitoring
• 6. Maintenance of the file system
• 7. Local services
• 8. Network services
• 9. Protection and security

Objectives

• Knowledge
  - Main elements in a network
  - Main network services and protocols
  - Superserver, portmapper, DNS, FTP, WWW, e-mail
• Abilities
  - Services configuration: superserver, DNS, FTP, WWW, e-mail

Transmission systems

• Local area networks (LAN)
  - RS-232
  - Ethernet
  - Token ring
  - FDDI (optical fiber)
  - Gigabit Ethernet and 10GbE
• Wide area networks (WAN)
  - Frame relay
  - X-25
  - ATM

Protocols

• Each network has its own link protocol
  - Modem
  - Ethernet
  - Token ring
  - Gigabit Ethernet
  - ATM
  - Frame relay
  - X-25
• ... and we have TCP/IP on top

IP networks and hosts

• IP network classes
  - Class A (leading bit 0)
    · 1.0.0.0 - 127.0.0.0
    · 7 network bits, 24 host bits (16 million hosts - 2)
  - Class B (leading bits 10)
    · 128.0.0.0 - 191.255.0.0
    · 16 network bits (16K-2 networks), 16 host bits (64K-2 hosts)
  - Class C (leading bits 110)
    · 192.0.0.0 - 223.255.255.0
    · 24 network bits (2M-2 networks), 8 host bits (254 hosts in each subnetwork)

IP networks and hosts

• Network classes
  - Class D: multicast addresses (leading bits 1110)
    · 224.0.0.0 - 240.0.0.0
  - Class E: reserved for future use (leading bits 11110)
    · 240.0.0.0 - 248.0.0.0
  - Class F
    · 248.0.0.0 - 252.0.0.0
  - Class G
    · 252.0.0.0 - 254.0.0.0

IP networks and hosts

• IP addresses with special meanings
  - 0.0.0.0: this host
  - 0.host: host on this network
  - 127.anything: loopback (not seen on the network)
  - 255.255.255.255: LAN broadcast
  - network.255: broadcast on the specified network
• Private addresses (intranet only):
  - 10.0.0.0 - 10.255.255.255: 1 class A network
  - 172.16.0.0 - 172.31.255.255: 16 class B networks
  - 192.168.0.0 - 192.168.255.255: 255 class C networks

Subnetting

• Usually the number of machines in the same network is under 100
  - Class A and B addresses are underutilized
• Subnetting: use a portion of the host address to extend the network address
  - Can use an arbitrary number of bits, not byte-aligned

Figure: the class B address 149.76.12.4 (149.76 is the network part, 12.4 the host part, 256*256 host addresses). Taking 10 of the 16 host bits as the subnet field and leaving 6 as the host field gives 2^10 = 1024 subnets of 2^6 = 64 hosts each.

IP address management

• IANA: Internet Assigned Numbers Authority
  - www.iana.org
• Regional Internet Registries (RIRs)
  - ARIN: American Registry for Internet Numbers
    · www.arin.net
  - RIPE NCC: Europe, Middle East and Central Asia
    · www.ripe.net
• Internet Service Providers (ISPs)
  - ESNIC: www.nic.es
    · Domains at ".es"

Gateways

• Subnets usually represent the physical structure of the network
  - An office, room, floor...
• An Ethernet host is only accessible to the hosts connected to the same subnet
  - Same cable
• Gateway: host connected to several networks, with the ability to transfer information across them

Figure: hosts 149.76.12.4 and 149.76.12.5 on the subnet 149.76.12.x, hosts 149.76.13.40 and 149.76.13.43 on the subnet 149.76.13.x; the gateway is connected to both, with address 149.76.12.1 on the first and 149.76.13.1 on the second.

Routing

• Determine where a message has to be sent given its destination address
  - The router selects the output path given the routing tables
• Association between a target IP address and a network interface

Figure: a router with three interfaces (eth0, eth1, eth2) joining the subnets of hosts 149.76.12.4 / 149.76.12.5, 149.76.13.40 / 149.76.13.43 and 192.45.2.87 / 192.45.2.93.
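An added example, not part of the slides: the subnet arithmetic of the subnetting figure (149.76.12.4 with a 10-bit subnet field) and a longest-prefix-match route lookup over a table built from the routing figure above. Which interface serves which subnet, and the default route, are assumptions; the figure does not state them.

```python
# Added example, not part of the UPC slides. Subnet arithmetic plus a
# longest-prefix-match route lookup, using the addresses from the figures.
import ipaddress


def subnet_plan(address: str, network_bits: int, subnet_bits: int) -> dict:
    """Split the host part of a classful address into subnet and host fields.

    network_bits: bits of the classful network (16 for the class B 149.76.0.0)
    subnet_bits:  host bits borrowed for the subnet number
    Returns the resulting mask, the subnet/broadcast addresses of `address`,
    and how many subnets and usable hosts the plan yields.
    """
    prefix = network_bits + subnet_bits
    host_bits = 32 - prefix
    net = ipaddress.ip_interface(f"{address}/{prefix}").network
    return {
        "prefix": prefix,
        "netmask": str(net.netmask),
        "subnet": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "subnets": 2 ** subnet_bits,
        # 2^host_bits addresses minus the all-zeros (network) and
        # all-ones (broadcast) addresses of each subnet
        "usable_hosts": 2 ** host_bits - 2,
    }


# Constructed routing table for the router of the "Routing" figure. The
# interface-to-subnet assignment and the default route are assumptions.
ROUTES = [
    ("149.76.12.0/24", "eth0"),
    ("149.76.13.0/24", "eth1"),
    ("192.45.2.0/24", "eth2"),
    ("0.0.0.0/0", "eth2"),  # default route towards the rest of the Internet
]


def lookup_route(destination: str, routes=ROUTES) -> str:
    """Return the output interface for `destination`; the longest prefix wins."""
    dst = ipaddress.ip_address(destination)
    best_net, best_iface = None, None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    if best_iface is None:
        raise LookupError(f"no route to {destination}")
    return best_iface


if __name__ == "__main__":
    print(subnet_plan("149.76.12.4", 16, 10))
    for host in ("149.76.12.5", "149.76.13.43", "192.45.2.87", "8.8.8.8"):
        print(host, "->", lookup_route(host))
```

The plan reports 62 usable hosts per subnet rather than the 64 addresses of the figure, because the all-zeros and all-ones addresses of each subnet are reserved. Without the default route entry, a destination outside the three subnets raises LookupError, which is what "no route to host" means at the router.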

IP port classification

• Privileged ports: 0 - 1023
  - Assigned by the IANA
  - Only a privileged user (root) can start services on them
• Registered ports: 1024 - 49151
  - Registered with IANA to avoid collisions
  - Registry of the usual services associated with the ports: /etc/services
• Dynamic ports: 49152 - 65535
  - Used in temporary connections
  - Answers to requests

/etc/services

• Relates services with port numbers
  - DB accessed by several programs (netstat, ...)
• Format: servicename port/protocol aliaslist

    echo            7/tcp
    echo            7/udp
    systat         11/tcp      users
    systat         11/udp      users
    ftp-data       20/tcp
    ftp-data       20/udp
    # 21 is registered to ftp, but also used by fsp
    ftp            21/tcp
    ftp            21/udp      fsp fspd
    ssh            22/tcp
    ssh            22/udp
    telnet         23/tcp
    telnet         23/udp
    # 24 - private mail system
    smtp           25/tcp      mail
    smtp           25/udp      mail
    domain         53/tcp
    domain         53/udp
    http           80/tcp      www www-http
    http           80/udp      www www-http
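An added example, not from the slides, for the two previous slides: a small /etc/services parser that looks up ports by name or alias (what getservbyname does) and names by port, together with the privileged/registered/dynamic classification. The sample text is constructed from the entries shown above.

```python
# Added example, not part of the UPC slides: a small /etc/services parser
# with lookups in both directions, plus the IANA port-range classification
# from the previous slide. The sample text below is constructed from the
# entries shown on the slide.
from typing import List, Optional, Tuple

SERVICES_SAMPLE = """\
# Network services, Internet style (constructed excerpt)
echo            7/tcp
echo            7/udp
systat         11/tcp      users
systat         11/udp      users
ftp-data       20/tcp
# 21 is registered to ftp, but also used by fsp
ftp            21/tcp
ftp            21/udp      fsp fspd
ssh            22/tcp
telnet         23/tcp
smtp           25/tcp      mail
domain         53/tcp
domain         53/udp
http           80/tcp      www www-http
"""

# One parsed entry: (service name, port, protocol, aliases)
Entry = Tuple[str, int, str, List[str]]


def port_class(port: int) -> str:
    """IANA range of a port number, as the slide divides them."""
    if 0 <= port <= 1023:
        return "privileged"
    if 1024 <= port <= 49151:
        return "registered"
    if 49152 <= port <= 65535:
        return "dynamic"
    raise ValueError(f"not a TCP/UDP port: {port}")


def parse_services(text: str) -> List[Entry]:
    """Parse 'name port/proto [alias ...]' lines, ignoring comments and blanks."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            raise ValueError(f"malformed /etc/services line: {raw!r}")
        port_str, proto = fields[1].split("/", 1)
        entries.append((fields[0], int(port_str), proto, fields[2:]))
    return entries


def lookup_port(name: str, proto: str, entries: List[Entry]) -> Optional[int]:
    """getservbyname-style lookup: matches the canonical name or any alias."""
    for svc, port, prot, aliases in entries:
        if prot == proto and (svc == name or name in aliases):
            return port
    return None


def lookup_name(port: int, proto: str, entries: List[Entry]) -> Optional[str]:
    """getservbyport-style lookup: the canonical name for a port/protocol."""
    for svc, prt, prot, _aliases in entries:
        if prt == port and prot == proto:
            return svc
    return None


if __name__ == "__main__":
    table = parse_services(SERVICES_SAMPLE)
    for svc, port, proto, _ in table:
        print(f"{svc:10} {port:5}/{proto}  {port_class(port)}")
    print("www/tcp ->", lookup_port("www", "tcp", table))
```

Note that an entry is keyed by port and protocol together: ssh is listed for tcp only in the sample, so asking for ssh/udp returns None rather than 22.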

Network Address Translation (NAT)

• A router replaces internal IP addresses with its own
  - Allows the use of private IP addresses while keeping connectivity with the Internet
• The router records all outgoing connections and relates them to the inbound communications
  - Outgoing connection:
    · 192.168.1.25 (port 1085) -> 212.106.192.142 (1085)
  - Inbound communication:
    · 212.106.192.142 (1085) -> 192.168.1.25 (1085)

NAT, side effects

• Internal addresses are not visible from outside
  - Only the router can be attacked
  - Network security depends on router security and good maintenance
• Internal machines cannot offer services to the Internet
  - Except when Port Address Translation (PAT) is enabled
• Impact on network performance
  - All Internet connections go through the router
  - Each packet requires a certain CPU time
• Some services cannot be used behind NAT
  - When they have incoming connections
  - FTP, IRC, Netmeeting...

Port Address Translation (PAT)

• Indicate to the router implementing NAT that some incoming connections must be redirected to internal machines
  - Mapping router ports to ports in a local machine

Figure: the router has 212.16.13.84 on the Internet side and 192.168.12.1 on the LAN side. Incoming ports 22, 25 and 80 arrive at the router; ports 25 and 80 are forwarded to 192.168.12.4 and port 22 to 192.168.12.5.
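An added example, not from the slides, covering the three NAT slides above: a toy stateful NAT router that records outgoing connections, delivers only the matching replies back inside (anything unsolicited is dropped, which is the "only the router can be attacked" side effect), and publishes the PAT port forwardings of the figure. Addresses of the router and the internal hosts are the figure's; the remote hosts are constructed.

```python
# Added example, not part of the UPC slides: a toy stateful NAT router with
# static port forwarding (PAT). Addresses follow the PAT figure: the router
# is 212.16.13.84 on the Internet side, 192.168.12.4 receives ports 25 and
# 80, 192.168.12.5 receives port 22. Remote hosts are constructed.
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class NatRouter:
    def __init__(self, public_ip: str, port_forwards: Optional[Dict[int, Endpoint]] = None):
        self.public_ip = public_ip
        # PAT: router port -> (internal ip, internal port)
        self.port_forwards: Dict[int, Endpoint] = dict(port_forwards or {})
        # NAT table: router port -> (internal ip, internal port, remote ip, remote port)
        self.sessions: Dict[int, Tuple[str, int, str, int]] = {}

    def _free_port(self, wanted: int) -> int:
        """Keep the internal source port when possible, like the slide's 1085 example."""
        if wanted not in self.sessions and wanted not in self.port_forwards:
            return wanted
        port = 49152  # otherwise pick from the dynamic range
        while port in self.sessions or port in self.port_forwards:
            port += 1
        return port

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> Endpoint:
        """Translate an outgoing packet; returns the (public ip, port) the remote host sees."""
        key = (src_ip, src_port, dst_ip, dst_port)
        for pub_port, session in self.sessions.items():
            if session == key:  # connection already recorded
                return self.public_ip, pub_port
        pub_port = self._free_port(src_port)
        self.sessions[pub_port] = key
        return self.public_ip, pub_port

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> Optional[Endpoint]:
        """Find where an incoming packet goes; None means the router drops it."""
        if dst_port in self.sessions:
            int_ip, int_port, rem_ip, rem_port = self.sessions[dst_port]
            if (src_ip, src_port) == (rem_ip, rem_port):
                return int_ip, int_port
            return None  # not the host we talked to: an unsolicited packet
        if dst_port in self.port_forwards:
            return self.port_forwards[dst_port]  # PAT: a published service
        return None  # nothing is reachable on this port from outside


if __name__ == "__main__":
    router = NatRouter("212.16.13.84", {25: ("192.168.12.4", 25),
                                        80: ("192.168.12.4", 80),
                                        22: ("192.168.12.5", 22)})
    print(router.outbound("192.168.12.5", 1085, "198.51.100.7", 80))
    print(router.inbound("198.51.100.7", 80, 1085))
    print(router.inbound("203.0.113.9", 40000, 22))
    print(router.inbound("203.0.113.9", 40000, 8080))
```

When two internal hosts happen to use the same source port, the second one is remapped to a port from the dynamic range; the reply is then matched on the router port, so both connections stay distinguishable.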

Firewalls

• Server that determines which communications can be established between two networks
  - Typically works at link level
  - Does not know the application
• It can keep state
  - Allows related connections and inbound connections

Figure: a firewall placed between the two networks.

(Firewall == security) ?

• Firewalls are supplementary elements enforcing system security
  - Their use alone can just give a false sense of security
• Other aspects related to security cannot be relaxed because of the use of a firewall
• Other security tools in the local network and servers are still necessary

Server types (type of service)

• Connection oriented
  - The server keeps session state
  - Increased performance
  - Low fault tolerance
• Non-connection oriented
  - No session state
  - There are no sessions
  - Requests must be self-contained
    · Client requests must carry all the information needed, as there is no session
  - Increased fault tolerance

Server types (authoritative)

• Primary
  - Keeps the main copy of the information
  - In case of divergence, the service relies on the primary server
  - One for each service
• Secondary
  - Keep copies of the information
  - Updated periodically to/from the primary server
  - Several for each service
  - Allow load balancing
  - Can be used as backup in case the primary server fails

Server types (authoritative)

• Cache servers (and/or proxies)
  - Keep copies of the most-used information
  - Several for each service are possible
  - Performance benefits
  - They can incorporate tasks related to security, filtering, logging...

Superserver (inetd)

• An active service uses resources, even when it is not being used
  - For services that are not used so often...
  - telnet, ftp, ssh...
• The superserver listens on all active ports, and activates the service only when necessary
  - Receives the request
  - Starts the associated server
  - Transfers the request to it
• Limitations
  - It cannot keep information among connections
  - Process creation overhead
    · Not really important when the service is started sporadically

/etc/inetd.conf

• Specifies the services listened to by the superserver
  - Service (port) to listen to (in /etc/services)
  - Protocol
  - User/group
  - Binary to execute to start the service
  - Arguments (arg0 = process name, ...)

    # If you make changes to this file, either reboot your machine or send the
    # inetd a HUP signal: Do a "ps x" as root and look up the pid of inetd. Then do a "kill -HUP <pid of inetd>".
    # The inetd will re-read this file whenever it gets that signal.
    # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
    #
    # The first 4 services are really only used for debugging purposes, so
    # we comment them out since they can otherwise be used for some nasty
    # denial-of-service attacks. If you need them, uncomment them.
    # echo stream tcp nowait root internal
    # discard stream tcp nowait root internal
    ...

/etc/inetd.conf

• Services typically started by inetd

    # File Transfer Protocol (FTP) server:
    #ftp stream tcp nowait root /usr/sbin/tcpd proftpd
    # Telnet server:
    #telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
    # The comsat daemon notifies the user of new mail when biff is set to y:
    comsat dgram udp wait root /usr/sbin/tcpd in.comsat
    # Shell, login, exec and talk are BSD protocols
    #shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L
    #login stream tcp nowait root /usr/sbin/tcpd in.rlogind
    # POP and IMAP mail servers
    #
    # Post Office Protocol version 3 (POP3) server:
    #pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popa3d
    # Internet Message Access Protocol (IMAP) server:
    #imap2 stream tcp nowait root /usr/sbin/tcpd imapd
    # Tftp service is provided primarily for booting. Most sites
    # run this only on machines acting as "boot servers."
    # tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot -r blksize
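An added example, not from the slides: a parser for the inetd.conf format of the two slides above, used the way an administrator reviews the file, that is, to list which services are actually enabled, which of them run as root, and which are started without the /usr/sbin/tcpd wrapper. The sample configuration is constructed; ftp and telnet are uncommented here on purpose, and the telnet line omits tcpd so that check fires.

```python
# Added example, not part of the UPC slides: audit an inetd.conf for the
# services it actually enables. The sample configuration is constructed after
# the slide's format; ftp and telnet are uncommented here on purpose, and the
# telnet line is written without the tcpd wrapper to show that check firing.
from typing import Dict, List

INETD_CONF_SAMPLE = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
# echo    stream tcp nowait root internal
ftp       stream tcp nowait root /usr/sbin/tcpd proftpd
telnet    stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
comsat    dgram  udp wait   root /usr/sbin/tcpd in.comsat
#pop3     stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popa3d
finger    stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
"""

FIELDS = ("service", "sock_type", "proto", "flags", "user", "server_path", "args")


def parse_inetd_conf(text: str) -> List[Dict[str, str]]:
    """Return one dict per enabled (non-comment) service line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and disabled services
        fields = line.split(None, 6)  # the args field may contain spaces
        if len(fields) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        entry = dict(zip(FIELDS, fields))
        entry.setdefault("args", "")
        entry["user"] = entry["user"].split(".")[0]  # accept the 'user.group' form
        entries.append(entry)
    return entries


def audit_inetd(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Classify enabled services: all, those running as root, those not wrapped by tcpd."""
    report: Dict[str, List[str]] = {"enabled": [], "as_root": [], "unwrapped": []}
    for e in entries:
        report["enabled"].append(e["service"])
        if e["user"] == "root":
            report["as_root"].append(e["service"])
        if e["server_path"] != "internal" and not e["server_path"].endswith("/tcpd"):
            report["unwrapped"].append(e["service"])
    return report


if __name__ == "__main__":
    for key, names in audit_inetd(parse_inetd_conf(INETD_CONF_SAMPLE)).items():
        print(f"{key:10}: {', '.join(names) or '-'}")
```

Services marked internal (echo, discard, ...) are handled by inetd itself and therefore have no wrapper to check; everything else should normally go through tcpd so that /etc/hosts.allow and /etc/hosts.deny apply to it.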

Remote Procedure Calls (RPC)

• Remote execution of routines
  - Identified by a service number and a request number
• RPC servers
  - Implement a set of remote routines
  - Listen on a dynamic port
• Portmapper
  - Registers the RPC servers
  - Associates a port number with the server routines
  - Needed by other services: NFS, NIS...

Portmapper

• All state is kept in main memory
  - In case of failure, all RPC servers must be restarted as well
  - All RPC servers are registered in the portmapper when started

Figure (message sequence): the server registers its service with the portmapper (num, port); the client asks the portmapper for service num and receives the port; the client then sends the RPC to the server and gets the result.

Domain Name System (DNS)

• Translates machine names to IP addresses
  - Hostname -> IP address
  - IP address -> hostname
• Difficulties
  - High number of machines connected to the Internet!!
  - High number of changes in machines and names
• Solution
  - Hierarchical distribution of the information
  - Domains
  - Domain authority is delegated to the domain itself

DNS: how it works

• Authority is delegated
  - Each domain administers its own server
  - Root servers are known to all domains
  - The domain server is known to the domain
• Iterative name resolution

Figure: the PC reads /etc/resolv.conf and asks its DNS server for www.google.com. The server asks a root server (a.root-servers, b.root-servers, ...) "www.google.com?" and is referred to ".com"; it asks the .com server "www.google?" and is referred to ".google"; it asks the google server "www?" and gets "www", answered by NS3.GOOGLE.COM as 216.239.36.10. Registries shown in the figure: internic.net, iana.org, alldomains.com.

DNS: RFCs 1034/1035

DNS: service efficiency

• Convenient use of caches (cache servers)
  - High temporal locality
    · Avoid repeating the same search again and again
  - High spatial locality
    · Avoid continuously visiting the root servers
    · Reduce the number of steps in an iterative search
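An added example, not from the slides, for the iterative resolution of the previous slide and the two kinds of locality on this one: a resolver that walks referrals from the root down, caches final answers (temporal locality, a repeated query costs no request at all) and remembers the delegations it has seen (spatial locality, a later query for another name under google.com starts at the google.com server instead of the root). The server tables are constructed; only the address 216.239.36.10 for www.google.com comes from the figure.

```python
# Added example, not part of the UPC slides: iterative resolution over a toy
# hierarchy (root -> com -> google.com), with an answer cache for temporal
# locality and remembered delegations for spatial locality. All server data
# is constructed; only 216.239.36.10 for www.google.com comes from the figure.
from typing import Dict, Optional

# Each authoritative server's table: name -> address, or "referral" for a
# delegated child zone. Names are fully qualified (trailing dot).
ZONES: Dict[str, Dict[str, str]] = {
    ".": {"com.": "referral"},
    "com.": {"google.com.": "referral"},
    "google.com.": {
        "www.google.com.": "216.239.36.10",
        "mail.google.com.": "216.239.36.11",  # constructed
    },
}


def _within(name: str, zone: str) -> bool:
    """True if `name` lies under `zone` (the root contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


class IterativeResolver:
    def __init__(self, zones: Dict[str, Dict[str, str]]):
        self.zones = zones
        self.answers: Dict[str, str] = {}   # cache of final answers
        self.known_zones = {"."}            # zones whose server we already located
        self.queries = 0                    # how many servers have been asked so far

    def _closest_zone(self, name: str) -> str:
        """Start from the most specific zone we already know (spatial locality)."""
        return max((z for z in self.known_zones if _within(name, z)), key=len)

    def resolve(self, name: str) -> Optional[str]:
        if name in self.answers:            # temporal locality: no query at all
            return self.answers[name]
        zone = self._closest_zone(name)
        while True:
            self.queries += 1
            table = self.zones[zone]
            matches = [k for k in table if _within(name, k)]
            if not matches:
                return None                 # NXDOMAIN: the zone has no such name
            key = max(matches, key=len)     # the most specific entry the server has
            if table[key] == "referral":
                self.known_zones.add(key)   # remember the delegation for next time
                zone = key
                continue
            self.answers[name] = table[key]
            return table[key]


if __name__ == "__main__":
    r = IterativeResolver(ZONES)
    for q in ("www.google.com.", "www.google.com.", "mail.google.com.", "nosuch.google.com."):
        before = r.queries
        print(q, "->", r.resolve(q), f"({r.queries - before} queries)")
```

The first query costs three requests (root, com, google.com); the repeat costs none; the query for mail.google.com costs one, because the google.com server is already known; the name that does not exist still costs one, since only the authoritative server can say so.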

DNS: service efficiency

• DNS can be used for load balancing of other services
  - Add several IP addresses for the same hostname
  - Each answer replies with a different IP address
    · Round robin, "geographical" criteria...
• Example: www.google.com, from different locations

    ;; ANSWER SECTION:
    www.google.com.     693  IN  CNAME  www.l.google.com.
    www.l.google.com.    93  IN  A      66.249.85.104
    www.l.google.com.    93  IN  A      66.249.85.99

    ;; ANSWER SECTION:
    www.google.com.     900  IN  CNAME  www.l.google.com.
    www.l.google.com.   300  IN  A      64.233.161.99
    www.l.google.com.   300  IN  A      64.233.161.104
    www.l.google.com.   300  IN  A      64.233.161.147

DNS client configuration

• /etc/host.conf
  - Indicates where hostnames are searched, and the search order
• /etc/hosts
  - Translations for local machines
• /etc/resolv.conf
  - Domains that should be automatically searched, and
  - IP addresses of the local domain DNS servers

DNS server configuration

• /etc/named.conf
  - Defines...
    · DNS domains
    · IP address ranges
  - Indicates whether a machine has the primary, a secondary or a cache server
• Files giving direct translation
  - Name.domain -> IP address
  - 1 file for each administered domain
• Files giving reverse translation
  - IP address -> name.domain
  - 1 file for each IP address range

DNS record types

• SOA (Start of Authority)
  - Serial number (to record information updates)
  - Times for retry and update of information
  - Expiration time
  - Minimum TTL (time-to-live)

DNS record types

• A – direct translation
  - Hostname -> IP address
  - romeu IN A 147.83.32.4
• CNAME – alias name
  - hostname -> alias_hostname
  - romeu IN CNAME lp_romeu
• PTR – reverse translation
  - IP address -> DNS hostname
  - 4 IN PTR romeu.ac.upc.edu.

DNS record types

• NS – domain delegation
  - DNS domain -> server IP address
  - ac IN NS 147.83.32.3
• MX – mail exchanger
  - DNS domain -> mail server IP address
  - ac IN MX 147.83.33.10
• And others...
  - HINFO, WKS, ...

DNS configuration example

• Domain "ac.upc.edu", as a primary server

/etc/named.conf

    options {
        directory "/var/named";
        // query-source address * port 53;
    };

    zone "ac.upc.edu" IN {
        type master;
        file "ac.zone";
        allow-update { none; };
    };

    zone "3.168.192.in-addr.arpa" IN {
        type master;
        file "3.168.192.zone";
        allow-update { none; };
    };

DNS configuration example

• Domain "ac.upc.edu"

/var/named/ac.zone

    $TTL 86400
    @          1D IN SOA pcxavim.ac.upc.edu. root.pcxavim.ac.upc.edu. (
                            42      ; serial
                            3H      ; refresh
                            15M     ; retry
                            1W      ; expiry
                            1D )    ; minimum
               1D IN NS    @
    pcxavim    1D IN A     192.168.3.1
    pcxavim2   1D IN A     192.168.3.250
    ;
    laptop1    1D IN CNAME pcxavim
    laptop2    1D IN CNAME pcxavim2

/var/named/3.168.192.zone

    ...
               1D IN NS    @
    1          1D IN PTR   pcxavim.ac.upc.edu.
    250        1D IN PTR   pcxavim2.ac.upc.edu.
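An added example, not from the slides: a zone-file parser for the two files above, used to follow CNAME chains the way a resolver does and to check that every A record in the forward zone has a PTR pointing back at the same name in the reverse zone (a mismatch between the two files is one of the most common DNS configuration errors). The zone texts are reconstructed from the slide; the parser handles only the syntax they use.

```python
# Added example, not part of the UPC slides: a small zone-file parser for the
# two files above, used to follow CNAME chains and to check that every A
# record has a matching PTR in the reverse zone. The zone texts are
# reconstructed from the slide; the parser handles only the syntax they use.
import re
from typing import Iterator, List, Optional, Tuple

FORWARD_ORIGIN = "ac.upc.edu."
FORWARD_ZONE = """\
$TTL 86400
@          1D IN SOA pcxavim.ac.upc.edu. root.pcxavim.ac.upc.edu. (
                        42      ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
           1D IN NS    @
pcxavim    1D IN A     192.168.3.1
pcxavim2   1D IN A     192.168.3.250
;
laptop1    1D IN CNAME pcxavim
laptop2    1D IN CNAME pcxavim2
"""

REVERSE_ORIGIN = "3.168.192.in-addr.arpa."
REVERSE_ZONE = """\
$TTL 86400
@          1D IN NS    @
1          1D IN PTR   pcxavim.ac.upc.edu.
250        1D IN PTR   pcxavim2.ac.upc.edu.
"""

Record = Tuple[str, str, List[str]]  # (owner, type, rdata tokens)
TTL_RE = re.compile(r"^\d+[SMHDWsmhdw]?$")


def _logical_lines(text: str) -> Iterator[Tuple[bool, List[str]]]:
    """Yield (owner_omitted, tokens); joins '(' ... ')' continuations, drops ';' comments."""
    tokens: List[str] = []
    depth = 0
    owner_omitted = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if depth == 0:
            owner_omitted = line[0].isspace()  # leading blank: same owner as before
        tokens.extend(line.split())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield owner_omitted, [t for t in tokens if t not in ("(", ")")]
            tokens = []


def _qualify(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> List[Record]:
    records: List[Record] = []
    owner = origin
    for owner_omitted, toks in _logical_lines(text):
        if toks[0].startswith("$"):
            continue  # $TTL and other directives
        if not owner_omitted:
            owner = _qualify(toks.pop(0), origin)
        if toks and TTL_RE.match(toks[0]):
            toks.pop(0)  # per-record TTL
        if toks and toks[0].upper() == "IN":
            toks.pop(0)  # class
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in ("CNAME", "NS", "PTR"):
            rdata = [_qualify(rdata[0], origin)]  # rdata is a domain name
        records.append((owner, rtype, rdata))
    return records


def resolve_address(records: List[Record], name: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs until an A record is found (bounded, so alias loops do not hang)."""
    for _ in range(max_hops):
        for owner, rtype, rdata in records:
            if owner == name and rtype == "A":
                return rdata[0]
        cname = next((rd[0] for ow, rt, rd in records if ow == name and rt == "CNAME"), None)
        if cname is None:
            return None
        name = cname
    raise ValueError(f"CNAME chain too long at {name}")


def reverse_name(ip: str) -> str:
    """192.168.3.250 -> 250.3.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def hosts_without_ptr(forward: List[Record], reverse: List[Record]) -> List[Tuple[str, str]]:
    """A records whose address has no PTR pointing back at the same name."""
    ptrs = {(ow, rd[0]) for ow, rt, rd in reverse if rt == "PTR"}
    return [(ow, rd[0]) for ow, rt, rd in forward
            if rt == "A" and (reverse_name(rd[0]), ow) not in ptrs]


if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, FORWARD_ORIGIN)
    rev = parse_zone(REVERSE_ZONE, REVERSE_ORIGIN)
    print(resolve_address(fwd, "laptop1.ac.upc.edu."))
    print(hosts_without_ptr(fwd, rev))
```

Adding a host to ac.zone without touching 3.168.192.zone shows up immediately in hosts_without_ptr; the same check run after every edit catches the forward/reverse drift before clients start seeing inconsistent answers.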

Activity

• In groups, discuss
  - We have 3 servers (server1, server2 and server3) with these records:
    · server1 IN A 123.123.123.1
    · server2 IN A 123.123.123.2
    · server3 IN A 123.123.123.3
  - We want to add the following service hostnames:
    · www on server1 (server2 is the www backup)
    · ftp on server1 and server2
    · incoming/outgoing e-mail on server3
  - Which new records would you add?

DNS-related tools

• whois domain
  - Retrieves contact information about the domain
• dig [@server] request
  - Requests DNS records
  - Several parameters can be controlled
    · Server, record type, recursive/iterative resolution...
  - Provides the records associated with the request
  - Can provide debugging information

Dynamic Host Configuration (DHCP)

• Automates the distribution of network information to hosts
  - IP address to be used
  - Current network location
• The machine can be unknown to DHCP
  - Guest machines accessing an organization
  - It is assumed that having the ability to connect the machine authorizes the user to access the network
  - MAC-level access control can be implemented
• IP addresses are obtained from address sets defined by the administrator

Dynamic Host Configuration (DHCP)

• Usually the DHCP server supports BOOTP
  - Internet Bootstrap Protocol
  - Provides information for a machine to boot properly
    · Boot file (with size), operating system
    · DNS domain name, domain name servers
    · Host name, IP address, and network mask
    · List of gateways
    · Root directory for the OS
    · ...

Dynamic Host Configuration (DHCP)

• Example: /etc/dhcpd.conf

    ddns-update-style none;
    subnet 192.168.3.0 netmask 255.255.255.0 {
        range 192.168.3.9 192.168.3.250;
        default-lease-time 28800;
        max-lease-time 57600;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.3.255;
        option routers 192.168.3.1;
        option domain-name-servers 192.168.3.1;
        option domain-name "ac.upc.edu";
    }
    host pcxavim2 {
        hardware ethernet 00:03:47:B8:69:62;
        # fixed-address 192.168.3.2;
    }

Figure annotations: the subnet mask and broadcast address go to ifconfig, the routers option goes to route, and the domain name and domain name servers go into /etc/resolv.conf.

DHCP: RFC 2131
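An added example, not from the slides: a simplified lease allocator modelled on the dhcpd.conf above (the range 192.168.3.9 - 192.168.3.250, a 28800 s default lease, and pcxavim2 known by its MAC address), with the optional MAC-level access control mentioned two slides earlier. Lease timing, the known-host set, the `known_only` switch and the extra MAC addresses are constructed for illustration; this is not dhcpd's own allocation logic.

```python
# Added example, not part of the UPC slides: a simplified lease allocator
# modelled on the dhcpd.conf above (range 192.168.3.9-192.168.3.250, lease
# 28800 s, host pcxavim2 known by its MAC). Lease timing, the known-host
# set and the `known_only` switch are constructed to illustrate the
# MAC-level access control mentioned earlier; this is not dhcpd's own logic.
import ipaddress
from typing import Dict, Optional, Set, Tuple


class LeasePool:
    def __init__(self, first: str, last: str, lease_time: int,
                 known: Optional[Set[str]] = None,
                 fixed: Optional[Dict[str, str]] = None,
                 known_only: bool = False):
        self.first = int(ipaddress.IPv4Address(first))
        self.last = int(ipaddress.IPv4Address(last))
        self.lease_time = lease_time
        # host blocks with only a hardware ethernet line
        self.known = {m.lower() for m in (known or set())}
        # host blocks that also carry a fixed-address
        self.fixed = {m.lower(): ip for m, ip in (fixed or {}).items()}
        self.known_only = known_only  # refuse MACs that have no host block
        self.leases: Dict[str, Tuple[str, int]] = {}  # mac -> (ip, expiry time)

    def expire(self, now: int) -> None:
        """Forget leases whose time has run out, freeing their addresses."""
        self.leases = {m: (ip, exp) for m, (ip, exp) in self.leases.items() if exp > now}

    def request(self, mac: str, now: int) -> Optional[str]:
        """Address offered to `mac` at time `now`, or None if the request is refused."""
        mac = mac.lower()
        if mac in self.fixed:
            return self.fixed[mac]
        if self.known_only and mac not in self.known:
            return None  # unknown client: MAC-level access control
        if mac in self.leases:  # renewal keeps the same address
            ip, _ = self.leases[mac]
            self.leases[mac] = (ip, now + self.lease_time)
            return ip
        self.expire(now)
        in_use = {ip for ip, _ in self.leases.values()} | set(self.fixed.values())
        for n in range(self.first, self.last + 1):
            ip = str(ipaddress.IPv4Address(n))
            if ip not in in_use:
                self.leases[mac] = (ip, now + self.lease_time)
                return ip
        return None  # pool exhausted


if __name__ == "__main__":
    pool = LeasePool("192.168.3.9", "192.168.3.250", 28800, known={"00:03:47:B8:69:62"})
    print(pool.request("00:03:47:B8:69:62", now=0))
    print(pool.request("aa:bb:cc:00:00:01", now=0))
    print(pool.request("aa:bb:cc:00:00:02", now=30000))
```

With `known_only` off, any machine that can reach the cable gets an address, which is the assumption the slide describes; turning it on refuses every MAC without a host block, at the price of administering one per machine.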

Dynamic Host Configuration (DHCP)

• It is possible to update the DNS records when DHCP assigns a new IP address

Figure: dhcpd sends "update zone ac.upc.edu" and "update zone 3.168.192..." to the DNS server (named).

/etc/dhcpd.conf

    ddns-update-style interim;
    key DHCP_UPDATER {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret pRP5FapFoJ95JEL06sv4PQ==;
    };
    zone ac.upc.edu. {
        primary 192.168.3.1;
        key DHCP_UPDATER;
    }

/etc/named.conf

    key DHCP_UPDATER {
        ... /* Same algorithm and secret key */
    };
    zone ac.upc.edu. {
        type master;
        file "ac.zone";
        allow-update { key DHCP_UPDATER; };
    };
    ...

Activity

• In groups, discuss
  - How can we correctly implement DHCP when the server machine can suffer failures?
  - Which kind of problems do we need to solve?
  - Are they already implemented in DHCP?

Hypertext Transfer Protocol (HTTP)

• Data transfer service
  - Non-connection oriented
  - Clients have no state in the server
  - Each request is self-contained
  - Even so, it uses TCP!!

Figure (message sequence between the client and httpd): connect/accept; the client sends "GET /path/to/file"; httpd replies with <file contents>.

HTTP/1: RFC 2616
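An added example, not from the slides: the request/response exchange of the figure as a minimal, stateless GET handler. Every request is interpreted from its own bytes alone (nothing survives between calls, which is the self-contained property above), and the requested path is confined to the document root before any file is looked up, so a request for /../etc/passwd or its percent-encoded form is refused. DOC_ROOT and the FILES dictionary are constructed stand-ins for the server's configuration and disk.

```python
# Added example, not part of the UPC slides: the request/response exchange of
# the figure as a minimal, stateless GET handler. Every request is handled
# from its own bytes alone, and the requested path is confined to the
# document root before any file is looked up. DOC_ROOT and FILES are
# constructed stand-ins for the server's configuration and disk.
import posixpath
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit

DOC_ROOT = "/var/www/html"  # assumption: the configured document root

# Constructed in-memory "disk" so the example runs without a real web root.
FILES: Dict[str, bytes] = {
    "/var/www/html/index.html": b"<html><body>hello</body></html>\n",
    "/var/www/html/docs/readme.txt": b"readme\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",  # must never be reachable
}


def safe_path(target: str, doc_root: str = DOC_ROOT) -> Optional[str]:
    """Map a request target onto doc_root; None if it would escape the root."""
    path = unquote(urlsplit(target).path)  # drop ?query, decode %2e and friends
    if not path.startswith("/") or "\x00" in path:
        return None
    if path.endswith("/"):
        path += "index.html"  # directory request -> index document
    full = posixpath.normpath(posixpath.join(doc_root, path.lstrip("/")))
    # normpath has resolved any ".." segments; the result must still sit under the root
    if full != doc_root and not full.startswith(doc_root + "/"):
        return None
    return full


def handle_request(raw: bytes, files: Dict[str, bytes] = FILES) -> Tuple[int, bytes]:
    """Parse one HTTP request and return (status code, body). No state survives the call."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    parts = head.split("\r\n")[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return 400, b"Bad Request"
    method, target, _version = parts
    if method != "GET":
        return 405, b"Method Not Allowed"
    full = safe_path(target)
    if full is None:
        return 403, b"Forbidden"
    if full not in files:
        return 404, b"Not Found"
    return 200, files[full]


def response_bytes(status: int, body: bytes) -> bytes:
    """Serialize the answer in the HTTP/1.0 wire format."""
    reasons = {200: "OK", 400: "Bad Request", 403: "Forbidden",
               404: "Not Found", 405: "Method Not Allowed"}
    head = (f"HTTP/1.0 {status} {reasons[status]}\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode("ascii") + body


if __name__ == "__main__":
    for req in (b"GET /index.html HTTP/1.0\r\nHost: example\r\n\r\n",
                b"GET /../etc/passwd HTTP/1.0\r\n\r\n",
                b"GET /docs/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n\r\n"):
        print(response_bytes(*handle_request(req)).decode("latin-1"))
```

The order of the checks matters: the path is decoded and normalised first, then compared with the root, and only then looked up, so a file that exists outside the root answers 403 rather than leaking its contents.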

Apache Web Server (httpd 2.x)

• http 2.x protocol
  - /etc/httpd/httpd.conf
• Execution as a non-privileged user
• Parallelism through processes/threads
  - Several concurrent requests
  - Process/thread number configurable
• Specific configuration options at directory level
• Virtual domains
  - Separation by IP address
  - Separation by DNS name (HTTP v1.1)

File Transfer Protocol (FTP)

• Data transfer service
  - Connection oriented
• Control connection
  - Remembers the state between requests
  - cwd/put/get
• Data connection
  - active / passive
  - New connection for each file transfer

Figure (client and ftpd): the client sends each command on the control connection and receives <ok / error>; file contents travel over a separate data connection.

FTP: RFC 959

FTP configuration

• Different for each server
  - wu-ftpd, proftpd, vsftpd...
• /etc/ftpusers
  - Lists users that can NOT access the machine by FTP
  - root
• Option chroot <directory>
  - Anonymous FTP
  - Changes the file system root for the server process only, to the given directory
  - Avoids access to the full file system
  - Basic commands must be available in <directory>
    · /etc, /bin
    · ls, ...
  - It can be useful for regular users

Simple Mail Transfer Protocol (SMTP)

• Elements composing the e-mail subsystem
  - MUA - Mail User Agent
    · User application to read/write e-mail
  - MSA - Mail Submission Agent
    · Application that transfers e-mail from the client to the MTA
    · It checks for errors before the mail is sent to the Internet
  - MTA - Mail Transport Agent
    · Application relaying the e-mail across machines
  - Delivery Agent
    · Application on the target machine that saves the e-mail in the user mailbox
    · Mailbox: file or database storing the mail
  - Access Agent
    · Application allowing the user to access his/her mail

Components of SMTP

Figure: the mail path and the programs that play each role.
  - MUA (outlook, mail, mutt) -> MSA (sendmail/ssmtp), over SMTP or SSMTP
  - MSA -> MTA (sendmail, postfix) -> Internet -> MTA, over SMTP
  - MTA -> DA (procmail, mail.local) -> mbox
  - mbox -> AA/MUA (mail, mutt), locally or over the Internet via POP or IMAP

SMTP: RFC 821

Contents of an e-mail

• Envelope
  - Destination of the e-mail (user mail address)
  - Source of the e-mail (user mail address)
  - Usually not visible to users
• Headers
  - Collection of message properties
    · Sent date
    · Origin, destination (they can be different from the ones in the envelope!)
    · List of hosts through which the e-mail has passed
• Message body
  - ASCII text (7 bits)

E-mail client configuration

• E-mail reception
  - Accessing a local mailbox
  - Accessing a remote mailbox (Access Agent)
    · POP: e-mail transmission from the server to a local mailbox
    · IMAP: access to the remote mailbox
• Sending e-mail
  - SMTP server

E-mail server configuration

• Sending e-mail - sendmail
  - Messages sent directly to the receiver
    · Local user destination: finds the MX record in DNS
    · [email protected]
  - Otherwise, sent through a mail relay
    · There is no direct access to the receiver
• Receiving e-mail
  - E-mails saved locally
    · POP, IMAP to the same server
  - Mail relay to an external server
    · POP, IMAP to a remote server

E-mail server configuration

• E-mail aliases allow...
  - Redirecting e-mails to another destination
    · Possibly on a different machine
  - Users with several names
    · root, www, postmaster, webmaster -> usuari@machine
  - Storing the e-mails into a file
    · spam: /dev/null
  - Sending e-mail to a program
    · autoftp: "| /usr/bin/ftpserver"
  - Defining mailing lists
    · But there are better ways to do it: Majordomo, Mailman, ListProc, SmartList, ...

E-mail server configuration

• E-mail aliases
  - Defined in /etc/aliases or /etc/mail/aliases
  - Compiled with: $ newaliases
• Command execution in aliases
  - smrsh execution environment
    · Restricted shell for sendmail
    · Only commands in specific directories can be executed: /etc/smrsh or /usr/adm/sm.bin
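An added example, not from the slides, for the two aliases slides above: a parser for the aliases file format, an expansion routine that follows alias chains to the final deliveries (mailbox, remote address, file or program) and cuts loops, and a model of the smrsh rule that a "| program" alias may only run a command present in the restricted directory. The alias file, the admin@mail.example address and the set of commands installed in /etc/smrsh are constructed; the "|program" and /dev/null entries follow the slide's examples.

```python
# Added example, not part of the UPC slides: parse an aliases file, expand an
# address through alias chains, and model smrsh's rule that a "|program"
# alias may only run a command found in the restricted directory. The alias
# file and the allowed-command set are constructed; /etc/smrsh is the
# directory named on the slide.
import posixpath
import re
from typing import Dict, List, Optional, Set, Tuple

ALIASES_SAMPLE = """\
# constructed /etc/aliases, modelled on the slide's examples
postmaster: root
webmaster:  root
www:        root
root:       admin@mail.example
spam:       /dev/null
autoftp:    "| /usr/bin/ftpserver"
vacation-alice: alice, "| vacation alice"
staff:      alice, bob, root
"""

# Commands present in /etc/smrsh on this (constructed) system
SMRSH_COMMANDS: Set[str] = {"vacation", "procmail"}
SMRSH_METACHARS = set("`<>|;&$\r\n")  # simplified: characters smrsh refuses

# split on commas that are not inside double quotes
_SPLIT_TARGETS = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')


def parse_aliases(text: str) -> Dict[str, List[str]]:
    aliases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, rhs = line.split(":", 1)
        targets = [t.strip().strip('"') for t in _SPLIT_TARGETS.split(rhs) if t.strip()]
        aliases[name.strip().lower()] = targets
    return aliases


def classify(target: str) -> Tuple[str, str]:
    """Kind of delivery an alias target asks for: program, file, address or local user."""
    if target.startswith("|"):
        return "program", target[1:].strip()
    if target.startswith("/"):
        return "file", target
    if "@" in target:
        return "address", target
    return "local", target


def expand(name: str, aliases: Dict[str, List[str]],
           seen: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Final deliveries for `name`; alias loops are cut instead of recursing forever."""
    seen = set() if seen is None else seen
    name = name.lower()
    if name in seen:
        return []
    if name not in aliases:
        return [("local", name)]  # a real mailbox on this machine
    seen.add(name)
    deliveries: List[Tuple[str, str]] = []
    for target in aliases[name]:
        kind, value = classify(target)
        if kind == "local":
            deliveries.extend(expand(value, aliases, seen))
        else:
            deliveries.append((kind, value))
    return deliveries


def smrsh_permits(command: str, allowed: Set[str] = SMRSH_COMMANDS) -> bool:
    """smrsh runs only the basename of the first word, and only if it is in its directory."""
    if any(c in SMRSH_METACHARS for c in command):
        return False
    words = command.split()
    return bool(words) and posixpath.basename(words[0]) in allowed


if __name__ == "__main__":
    table = parse_aliases(ALIASES_SAMPLE)
    for alias in ("postmaster", "staff", "autoftp", "vacation-alice"):
        print(alias, "->", expand(alias, table))
    for kind, value in expand("autoftp", table) + expand("vacation-alice", table):
        if kind == "program":
            print(value, "allowed by smrsh:", smrsh_permits(value))
```

Under this model the slide's autoftp alias is refused unless ftpserver has been placed (or linked) into /etc/smrsh, which is exactly the decision the administrator is meant to make explicitly rather than have the aliases file make for them.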

Security configuration

• User authentication
  - E-mail servers do not ask for username and password by default
  - SASL can be added
  - Envelopes may be false/incorrect on purpose: SPAM...
• E-mail relays
  - The server will always try to send the e-mail to the destination
  - Open relays -> SPAM

Security considerations

• E-mail confidentiality
  - E-mails travel with no encryption (plain text)
  - TLS (SSL) is only between MUA and MTA
    · MTA-MTA transfers use no encryption
  - Users are responsible for any encryption
• PGP - Pretty Good Privacy
  - For message encryption
  - User signature check
  - Based on public key algorithms

Page 59

Security considerations

- Installing e-mail filters
  - Anti-spam
    - SpamAssassin, grey lists, black lists, ...
  - Anti-virus
    - ClamAV, Amavis, f-prot, ...

Page 60

Activity

- In group
  - We have installed a spam filter... whenever an e-mail with such characteristics is detected, what action should be taken?
  - And what would be the appropriate action for an e-mail containing a virus?

Page 61

Post Office Protocol (POP)

- Allows users to access the incoming mailbox
- Transfers the e-mails to the local machine
- User authentication with no encryption
  - pop3s works encrypted on top of SSL

POP3: RFC 1939

Page 62

Internet Message Access (IMAP)

- Allows users to manage their mailbox
  - Remote management
- User authentication
  - Allows encryption
    - imaps on top of SSL

IMAP: RFC 3501

Page 63

Secure Shell

- Replaces the old rsh/rlogin and telnet services
  - Adds security
- User authentication based on RSA or DSA
  - User clients sign the session identifier with their private key
  - The server uses the public key (.ssh/authorized_keys) to check whether the signature is correct
  - Password-based authentication can also be used
- Encrypts the information sent through the connection
  - Confidentiality: 3DES, Blowfish...
  - Integrity: hmac-md5...

Page 64

Secure Shell

- The server executes the command or the user's command-line interpreter
  - With the user's credentials
- Transparent session
  - When the characteristics of the connection do not require the use of a pseudo-terminal
  - Useful for binary data transfers
- Login session
  - Can include TCP and/or X11 forwarding
    - DISPLAY=hostname:10.0

SSH: RFC 2434(?)

Page 65

Activity

- In group
  - Secure shell makes it possible to implement secure data transfers
  - How would you implement secure copy and secure file transfer on top of ssh?

Page 66

Radius

- Offers remote authentication for users
- Allows configuring a user DB with...
  - Name
  - Password
  - Different properties
- Includes accounting of login time for each user
- Other servers/devices use it to authenticate users
  - routers
  - dial-ups

Page 67

Network File System (NFS)

- Allows access to files on a remote machine
  - Keeps the semantics of the local file system
- Transparent to the user
  - Implemented on top of RPCs

[Figure: an NFS client and an NFS server, each running its own OS. The client's open/close, read/write, ... calls are carried by the NFS protocol to the server's shared disk; the client also has a local disk.]

Page 68

Mount remote NFS

- The remote directory is seen as if it were local

[Figure: the NFS client's tree / contains usr and home; home (/home) lives on the NFS server's shared disk, usr on the client's local disk.]

Page 69

Access permissions

- Convenient to have the same UIDs on both the remote and the local machine
  - File systems keep UIDs, not usernames
- Automatic translation of UIDs
  - Special users
    - Root, nobody
  - Options
    - no_root_squash, root can su to any user!
    - all_squash, all remote users become nobody
      - Fewer access privileges
  - Nobody itself can be redefined according to /etc/passwd
    - anonuid=UID,anongid=GID

Page 70

NFS server configuration

- /etc/exports
  - Exported directory
  - Authorized machines + flags
    - rw, ro
    - root_squash, no_root_squash

    # sample /etc/exports file
    /         master(rw) trusty(rw,no_root_squash)
    /projects proj*.local.domain(rw)
    /usr      *.local.domain(ro) @trustedgroup(rw)
    /home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
    /pub      (ro,insecure,all_squash)
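As an added example (not from the course slides), a Python parser for the sample /etc/exports above that computes the UID a remote request ends up with under root_squash, no_root_squash, all_squash and anonuid (the previous slide), and flags the risky entries, including the "/pub" line, whose space before the parenthesis means "every host". NOBODY_UID is an assumption.

```python
"""Parse /etc/exports and show how NFS maps remote UIDs per export.
Added example, not from the course slides. SAMPLE_EXPORTS is the
slide's sample file; NOBODY_UID is an assumption (check /etc/passwd)."""
import re
NOBODY_UID = 65534

SAMPLE_EXPORTS = """\
/ master(rw) trusty(rw,no_root_squash)
/projects proj*.local.domain(rw)
/usr *.local.domain(ro) @trustedgroup(rw)
/home/joe pc001(rw,all_squash,anonuid=150,anongid=100)
/pub (ro,insecure,all_squash)
"""

def parse_exports(text):
    """Return [(directory, [(client, {option: value_or_True})])]."""
    result = []
    entries = (l.split("#", 1)[0].split() for l in text.splitlines())
    for directory, *tokens in filter(None, entries):
        clients = []
        for token in tokens:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", token)
            options = {}
            for opt in filter(None, (m.group(2) or "").split(",")):
                key, _, value = opt.partition("=")
                options[key] = value or True
            # no client before "(" (note the space in "/pub (...)"): every host
            clients.append((m.group(1) or "*", options))
        result.append((directory, clients))
    return result

def effective_uid(options, remote_uid):
    """UID the server acts with for a request carrying remote_uid."""
    anon = int(options.get("anonuid", NOBODY_UID))
    if options.get("all_squash"):
        return anon
    if remote_uid == 0 and not options.get("no_root_squash"):
        return anon                      # root_squash is the default
    return remote_uid

def audit_exports(text):
    """Return (directory, client, finding) for the risky entries."""
    findings = []
    for directory, clients in parse_exports(text):
        for client, options in clients:
            risks = [("exported to every host", client == "*"),
                     ("remote root keeps UID 0", "no_root_squash" in options),
                     ("unprivileged source ports", "insecure" in options)]
            findings += [(directory, client, r) for r, hit in risks if hit]
    return findings
```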

Page 71

SMB - Samba

- Allows exporting...
  - Files
  - Printers
- Access control at the level of each user
  - Username and password authentication
    - Not based on the UID, but on the username
  - Password transmission
    - Plain text/encrypted
- Access control at the level of machines
  - Cannot set different permissions depending on the machine accessing the files
  - Can be implemented using different resource names, each exported to the appropriate machines

Page 72

LDAP

- Lightweight Directory Access Protocol
  - Allows access to a DB with user information
    - Username, password...
  - In directory service format (X.500)
- Offers a mechanism to authenticate users
  - /etc/passwd, /etc/shadow, /etc/group...
  - ... can be downloaded into the LDAP DB
  - It can be integrated into the system, so that the regular commands can access it, in addition to the usual files

Page 73