Thursday 29 January 2015

System administration: Basic Linux Administration

What is a system administrator?

System Admin Tasks and Duties:
- Install systems (including clients/servers): hardware, software and OS
- Upgrade systems: hardware, software and OS
- Backups
- Start/stop system (reboot)

Other duties:

- Create accounts (add/delete), account management
- Job scheduling
- Security
- Performance monitoring and tuning
- Disk space management (formatting, partitions, quotas)
- Writing/modifying scripts (Perl, shell, C, etc.)
- Running specialized services/servers (email server, web server, DNS, etc.)
- Problem resolution

Last duties:

- Training (others and oneself)
- Fixing bugs
- Automating tasks
- Maintaining system files
- Analysis of logs/systems, collecting stats, reports
- Planning and recommendations
- Working with vendors and customers
- Researching new technologies

Tasks of a Linux Admin:

- managing hardware
- managing the kernel
- managing filesystems
- managing user accounts
- managing network and security
- managing backup/installation/archiving


File System in Linux:

  • Built-in hierarchical file structure
  • Common directories:
    - /bin : essential command binaries which may be used by the system administrator and by ordinary users, required for system boot
    - /boot : kernel image and configuration files used by the boot loader
    - /dev : device files
    - /etc : host-specific configuration files
    - /home : user home directories
    - /lib : essential shared libraries and kernel modules
    - /mnt : mount point for temporarily mounting filesystems such as those on a CD-ROM or floppy disk
    - /opt : add-on application software packages
    - /root : the root user's home directory
    - /sbin : system binaries, essential for system administration, but not for system boot
    - /tmp : location of temporary files
    - /usr : secondary hierarchy, intended as sharable, read-only data
    - /var : variable data such as spool directories and log files

  • In Unix, a filesystem is some device that is formatted to store files. It can be found on hard drives, floppies, CD-ROMs and other media
  • The exact format and the means by which the files are stored are not important to the user
  • The native Linux filesystem is based on the second extended filesystem, ext2fs
  • The kernel provides a common interface for all filesystem types that it recognizes
  • In Linux 7.2, ext2 is the default file system
    - Requires a consistency check (e2fsck) when the system is not properly shut down
    - Lineage: ext => ext2 => ext3
    - Supports 256-character filenames, 4 TB maximum file size
    - Others: MS-DOS, FAT32, NTFS, ISO9660
  • Starting from Linux 7.3, ext3 is the default file system
    - Provides stronger data integrity in the event of an unclean shutdown
    - A consistency check is needed only after rare hardware failures
    - Higher throughput, as it optimizes hard drive head motion
    - Provides an easy transition from ext2 to ext3
    - Other common filesystems are MS-DOS (FAT32), NTFS and ISO9660

Creating user accounts:

  • Manage users and group accounts and the related system files
  • passwd and group
    - User account information is stored in /etc/passwd
      each line in /etc/passwd contains a username, password, UID, GID, user's name, home directory and default shell
    - Group information is stored in /etc/group
      each line in /etc/group contains a group name, group password, GID and group member list
  • To prevent users from obtaining encrypted passwords from passwd and group, shadow files are implemented
  • Encrypted passwords are moved to a new file, which is readable only by root
  • The shadow file for /etc/passwd is /etc/shadow
  • The shadow file for /etc/group is /etc/gshadow
  • Three methods:
    - Modify the files directly (not recommended):
      log in as root, create a record for the user in /etc/passwd, set the user's password, specify a login shell for the user, create a home directory for the user
    - Use the command line:
      useradd [-D] [-g default_group] [-b default_home] [-s default_shell]
      resulting /etc/passwd record, e.g.: Donald:x:503:503:unka Donald:/home/donald:/bin/bash
    - Alternatively, use a GUI (most recommended)
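As an added example (not from the original notes), here is a small Python audit of the /etc/passwd and /etc/group formats described above: the Donald record is the one from the notes, the other records are constructed, and the checks cover the shadow-password point (a hash left in the world-readable /etc/passwd), extra UID 0 accounts, shared UIDs and primary groups missing from /etc/group.

```python
"""Audit /etc/passwd and /etc/group records for the problems the notes warn about.
Added example, not from the original notes; the records below are constructed."""
from collections import Counter

# Constructed sample files; the problem cases (extra UID 0 account, a hash left
# in world-readable passwd, a primary group that does not exist) are deliberate.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
Donald:x:503:503:unka Donald:/home/donald:/bin/bash
backup:x:0:0:legacy backup:/var/backups:/bin/sh
guest:$1$saltsalt$notarealhash00000000000:504:503:Guest:/home/guest:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:root,Donald
staff:x:503:Donald,guest
"""
PASSWD_FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
GROUP_FIELDS = ("name", "password", "gid", "members")

def parse_records(text, fields):
    """Split colon-separated lines into dicts keyed by the field names."""
    records = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            parts = line.split(":")
            if len(parts) != len(fields):
                raise ValueError("malformed record: %r" % line)
            records.append(dict(zip(fields, parts)))
    return records

def audit(passwd_text, group_text):
    """Return (account, problem) pairs in the order the accounts appear."""
    users = parse_records(passwd_text, PASSWD_FIELDS)
    known_gids = {g["gid"] for g in parse_records(group_text, GROUP_FIELDS)}
    uid_counts = Counter(u["uid"] for u in users)
    findings = []
    for u in users:
        if u["uid"] == "0" and u["name"] != "root":
            findings.append((u["name"], "UID 0 account other than root"))
        elif u["uid"] != "0" and uid_counts[u["uid"]] > 1:
            findings.append((u["name"], "UID shared with another account"))
        if u["password"] == "":
            findings.append((u["name"], "empty password field: no password needed"))
        elif u["password"] not in ("x", "*") and not u["password"].startswith("!"):
            findings.append((u["name"], "hash kept in passwd instead of /etc/shadow"))
        if u["gid"] not in known_gids:
            findings.append((u["name"], "primary GID %s not in /etc/group" % u["gid"]))
    return findings
```

On a real host the same functions can be fed the contents of /etc/passwd and /etc/group; the password column is "x" on a shadowed system, which is exactly what the check expects.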

Configuration files:

  • bash uses a number of configuration files to set its operating environment when it starts
  • /etc/profile:
    - system-wide initialisation file, executed during login; contains environment variables, such as the initial PATH, and startup programs
  • /etc/bashrc:
    - system-wide initialisation file for users' shells; contains aliases

Who uses the files?

  • There are 3 sets of permissions for every file or directory: owner, group, and others
    - The owner permissions are for the owner of the file or directory
    - The group permissions are for everyone in the group
    - Others: the global permissions are for anyone
  • What is the command to see the permissions and who owns the files?
  • Answer: ls -l
  • r -- file can be read
  • w -- file can be written and modified
  • x -- file can be executed (if it is a program)
  • chmod is a standard command that allows you to change the permissions of a file or directory.
  • There are two arguments for chmod:
    - the permissions, based on numbers (one digit each for owner, group and others; add up the values that apply):
      1 stands for execute.
      2 stands for write.
      4 stands for read.
    - the file/directory name
  • The permission argument for chmod, by example:
    - chmod 777 lab2file will allow EVERYBODY full access to read, write and execute.
    - chmod 644 lab2file will allow the owner (you) read and write access, the group read access, and everybody else (world) read access too.
    - chmod 700 lab2file will give yourself full access while giving everybody
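An added Python example (not from the original notes) that converts between the numeric form and the ls -l form of the permissions explained above, then reads a constructed ls -l listing and flags world-writable and setuid/setgid entries; lab2file carries the 644 mode from the notes, the other entries are made up.

```python
"""Translate ls -l permission strings into chmod's numeric form and flag risky modes.
Added example, not from the original notes; the listing below is constructed."""
BITS = (("r", 4), ("w", 2), ("x", 1))   # the digit values from the notes

# Constructed ls -l output; lab2file carries the 644 mode discussed in the notes.
SAMPLE_LISTING = """\
-rw-r--r-- 1 donald staff   120 Jan 29 10:00 lab2file
-rwxrwxrwx 1 donald staff   512 Jan 29 10:01 notes.txt
-rwsr-xr-x 1 root   root  40000 Jan 29 10:02 helper
drwxr-xr-x 2 donald staff  4096 Jan 29 10:03 src
"""
def octal_to_symbolic(mode):
    """'644' -> 'rw-r--r--': each digit is the sum of r=4, w=2, x=1."""
    return "".join(ch if int(d) & bit else "-"
                   for d in str(mode)[-3:] for ch, bit in BITS)

def symbolic_to_octal(perm):
    """'rwsr-xr-x' -> '4755'; s/t set the special digit (4 setuid, 2 setgid, 1 sticky)."""
    if len(perm) != 9:
        raise ValueError("expected 9 permission characters")
    special, digits = 0, []
    for i in range(3):
        value = 0
        for ch, (_, bit) in zip(perm[3 * i:3 * i + 3], BITS):
            if ch in "rwx":
                value |= bit
            elif ch in "sStT":          # special bit; lowercase also implies execute
                special |= 4 >> i
                value |= 1 if ch in "st" else 0
            elif ch != "-":
                raise ValueError("bad permission character %r" % ch)
        digits.append(value)
    return "%d%d%d%d" % (special, digits[0], digits[1], digits[2])

def audit_listing(text):
    """Return (name, octal_mode, problems) for each entry of ls -l output."""
    results = []
    for line in text.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9:
            continue                    # 'total N' line or blank line
        octal, name = symbolic_to_octal(fields[0][1:10]), fields[8]
        problems = []
        if int(octal[3]) & 2:
            problems.append("world-writable")
        if int(octal[0]) & 4:
            problems.append("setuid")
        if int(octal[0]) & 2:
            problems.append("setgid")
        results.append((name, octal, problems))
    return results
```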

Setting up a secure system:

  • There are some very basic things that you have to do in order to secure your system
  • Shutting down redundant services
    - You have to disable all network daemons (services) that are not needed by the system
    - Any network port that is listening for connections can be vulnerable to attack because of probable exploits against the running daemon
    - To find out which ports are open, type:   # netstat -an
  • Looking in /etc/services, or by passing -p to netstat, we can tell which service is running on each port
  • Check each port that looks unnecessary
  • Example vulnerable services:
    - telnetd, sendmail, ftpd: send passwords in clear text over the network. Instead of telnet use ssh
  • Shutting down services involves editing the appropriate files on your system
  • On RedHat based systems daemons are started by scripts in the /etc/rc.d/init.d directory
  • Depending on the runlevel, each daemon/service is linked from the appropriate rcX.d directory, where 0<X<6
  • What to have in mind all the time:
    - Never use simple passwords. Try to make them complex by mixing letters, symbols and numbers
    - Do NOT work on the root account unless absolutely necessary
    - Do not ignore the log files
    - Update your system on a regular basis
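An added Python example (not from the original notes) for the netstat step above: it picks the listening sockets out of constructed netstat -an output in the Linux column layout, looks each port up in a constructed /etc/services-style table, and marks the clear-text services the notes list (telnet, ftp, smtp).

```python
"""Pick listening sockets out of netstat -an output and name the service on each
port from an /etc/services-style table, flagging the clear-text protocols the
notes single out. Added example, not from the original notes; inputs are constructed."""
# Constructed netstat -an output in the Linux layout (not from a real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:22          192.168.1.9:51234       ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""
# Constructed excerpt in /etc/services format: name  port/protocol  [aliases].
SAMPLE_SERVICES = """\
ftp      21/tcp
ssh      22/tcp
telnet   23/tcp
smtp     25/tcp   mail
domain   53/udp
"""
CLEARTEXT = {"ftp", "telnet", "smtp"}   # the services the notes call vulnerable
def parse_services(text):
    """Map (port, proto) -> service name, ignoring comments and aliases."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[(int(port), proto)] = fields[0]
    return table

def listening_sockets(netstat_text, services_text):
    """Return one dict per listening socket, with its service name resolved."""
    table = parse_services(services_text)
    sockets = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp"):
            continue                              # banner, header, other protocols
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":  # skip established sessions
            continue                              # (udp has no state column)
        addr, port = local.rsplit(":", 1)
        name = table.get((int(port), proto), "unknown")
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "service": name, "cleartext": name in CLEARTEXT})
    return sockets
```

A port that resolves to "unknown" is exactly the kind of entry the notes say to investigate before deciding whether the daemon behind it is needed.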

TCP wrapper configuration:

  • A simple and effective way to protect the system
  • TCP Wrappers “wrap” access to a service (e.g. the Apache web server), monitoring the connections to it and refusing unauthorised sites
  • It is used in conjunction with inetd and xinetd
  • It's a good way to control access to services that do not provide any native access control mechanism
  • The TCP Wrapper is the first thing encountered when a connection is established with a service protected by the wrapper
  • The TCP Wrapper is responsible for determining whether the connection comes from a source host that is allowed to connect
  • Depending on whether you are using TCP Wrappers with inetd or xinetd there are two different approaches
  • If the system is using the inetd daemon you have to edit the /etc/inetd.conf file to use the TCP wrapper
  • Using TCP wrappers requires just a small change to /etc/inetd.conf
  • E.g. for the finger daemon
      finger stream tcp nowait root /usr/sbin/in.fingerd in.fingerd
    has to be changed to:
      finger stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.fingerd
    This causes the tcpd command, representing the TCP wrapper, to be executed instead of in.fingerd, and tcpd then protects the daemon
  • xinetd is the replacement for inetd adopted by some distros
  • In most cases xinetd has built-in support for TCP wrappers
  • You need to modify the TCP wrapper configuration files (/etc/hosts.allow, /etc/hosts.deny)
  • /etc/hosts.allow and /etc/hosts.deny specify the access rules that are applied in daemon protection
  • When a TCP wrapper is invoked it obtains the IP address of the connecting host and its hostname
  • If the IP of the host is specified in /etc/hosts.allow then access to the daemon/service is permitted
  • If no match is found, /etc/hosts.deny is consulted. If the IP is described there then the connection is closed
  • If no match exists in either file then access is granted
  • The syntax of those two files is simple
  • Each file contains a set of rules
  • General rule form:
      daemon_list : client_list : shell_command
    where daemon_list is a comma-separated list of daemons to which the rule applies, client_list is a comma-separated list of the hostnames or IP addresses to which the rule applies, and shell_command is optional, specifying the command to be executed when the rule matches
  • Example rules:
    1. /etc/hosts.deny
         ALL:ALL   # Deny everything from everywhere
       In case nothing is specified in /etc/hosts.allow, this rule will refuse connections to any service by anyone
    2. /etc/hosts.deny
         ALL: ALL EXCEPT localhost
    3. /etc/hosts.allow
         in.fingerd: ALL
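An added Python example (not the real tcpd code) that applies the decision order described above, hosts.allow first, then hosts.deny, then allow by default, to constructed rule files built from the ALL / EXCEPT / network-prefix forms in the notes; the sshd daemon name and the 192.168.1. network are assumptions, not taken from the page.

```python
"""Evaluate TCP wrapper rules the way the notes describe: /etc/hosts.allow is
checked first, then /etc/hosts.deny, and a connection matching neither is allowed.
Added example, not the real tcpd code; the two rule files below are constructed."""
HOSTS_ALLOW = """\
in.fingerd: ALL
sshd: 192.168.1. EXCEPT 192.168.1.200
"""
HOSTS_DENY = """\
ALL: ALL EXCEPT localhost   # Deny everything from everywhere but localhost
"""
def parse_rules(text):
    """Return (daemon_list, client_list, shell_command) for each rule line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        if line:
            if ":" not in line:
                raise ValueError("rule needs daemon_list : client_list")
            parts = [p.strip() for p in line.split(":", 2)] + [None]
            rules.append((parts[0].replace(",", " ").split(),
                          parts[1].replace(",", " ").split(), parts[2]))
    return rules

def client_matches(pattern, ip, host):
    """One client pattern against the connecting address and hostname."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # network prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    if pattern.startswith("."):                    # domain suffix, e.g. .example.org
        return host.endswith(pattern)
    return pattern in (ip, host)

def list_matches(tokens, match_one):
    """'a b EXCEPT c' matches when a or b matches and c does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(tokens[:i], match_one)
                and not list_matches(tokens[i + 1:], match_one))
    return any(match_one(t) for t in tokens)

def file_matches(rules, daemon, ip, host):
    """A rule matches when both its daemon list and its client list match."""
    return any(list_matches(daemons, lambda d: d in ("ALL", daemon))
               and list_matches(clients, lambda c: client_matches(c, ip, host))
               for daemons, clients, _cmd in rules)

def access_allowed(allow_text, deny_text, daemon, ip, host):
    """hosts.allow grants, otherwise hosts.deny refuses, otherwise allowed."""
    if file_matches(parse_rules(allow_text), daemon, ip, host):
        return True
    return not file_matches(parse_rules(deny_text), daemon, ip, host)
```

Note the last step: with an empty hosts.deny every unmatched connection is allowed, which is why the notes pair a permissive hosts.allow with a catch-all ALL:ALL in hosts.deny.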