What is a system administrator?
System Admin Tasks and Duties:
- Install systems (including clients/servers): hardware, software and O.S.
- Upgrade systems: hardware, software and O.S.
- Backups
- Start/stop system (reboot)
Other duties:
- Create accounts (add/delete), account management
- Job scheduling
- Security
- Performance monitoring and tuning
- Disk space management (formatting, partitions, quotas)
- Writing/modifying scripts (Perl, shell, C, etc.)
- Running specialized services/servers (email server, web server, DNS, etc.)
- Problem resolution
Last duties:
- Training (others and oneself)
- Fixing bugs
- Automate tasks
- Maintain system files
- Analysis of logs/systems, collect stats, reports
- Planning and recommendations
- Work with vendors, customers
- Research new technologies
Task of Linux Admin:
- managing hardware
- managing the kernel
- managing filesystems
- managing user accounts
- managing network and security
- managing backup/installation/archiving
File System in Linux:
- Built-in hierarchical file structure
- Common directories:
  - /bin : essential command binaries which may be used by the system administrator and by ordinary users, required for system boot
  - /boot : kernel image and configuration files used by the boot loader
  - /dev : device files
  - /etc : host-specific configuration files
  - /home : user home directories
  - /lib : essential shared libraries and kernel modules
  - /mnt : mount point for temporarily mounting file systems such as those on a CD-ROM or floppy disk
  - /opt : add-on application software packages
  - /root : the root user's home directory
  - /sbin : system binaries, essential for system administration, but not for system boot
  - /tmp : location of temporary files
  - /usr : secondary hierarchy, intended as sharable, read-only data
  - /var : variable data such as spool directories and log files
- In Unix, a filesystem is some device that is formatted to store files. It can be found on hard drives, floppies, CD-ROMs and others
- The exact format and the means by which the files are stored are not important
- Based on the second extended filesystem, ext2fs
- Provides a common interface for all filesystem types that it recognizes
- In Linux 7.2, ext2 is the default file system
  - Requires a check for consistency (e2fsck) when the system is not properly shut down
  - ext => ext2 => ext3
  - Supports 256-character filenames, 4 TByte max file size
  - Others: MS-DOS, FAT32, NTFS, ISO9660
- Starting from Linux 7.3, ext3 is the default file system
  - Provides stronger data integrity in the event of an unclean shutdown
  - A check for consistency is needed only on rare hardware failure
  - Higher throughput, as it optimizes hard drive head motion
  - Provides an easy transition from ext2 to ext3
  - Other common filesystems are MS-DOS (FAT32, NTFS, ISO9660)
Creating user accounts:
- Manage users and group accounts and related system files
- passwd and group
  - User account information is stored in /etc/passwd
    - Each line in /etc/passwd contains a username, password, UID, GID, user's name, home directory and default shell
  - Group information is stored in /etc/group
    - Each line in /etc/group contains a group name, group password, GID and group member list
- To prevent users from obtaining encrypted passwords from passwd and group, shadow files are implemented
- Encrypted passwords are moved to a new file, which is readable only by root
- The shadow file for /etc/passwd is /etc/shadow
- The shadow file for /etc/group is /etc/gshadow
- Three methods:
  - Modify the files directly (not recommended)
    - Log in as root
    - Create a record for the user in /etc/passwd
    - Set the user's password
    - Specify a login shell for the user
    - Create a home directory for the user
  - Use the command line
    - useradd [-D] [-g default_group] [-b default_home] [-s default_shell]
    - Resulting /etc/passwd record, e.g.:
      Donald:x:503:503:unka Donald:/home/donald:/bin/bash
  - Alternatively, use the GUI (most recommended)
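As an added example that is not part of these notes, the script below parses /etc/passwd and /etc/group records field by field (the seven and four fields listed above) and then runs the checks an administrator wants after accounts have been created by hand: a password hash left in /etc/passwd instead of /etc/shadow, an empty password field, a second UID 0 account, duplicate UIDs, a non-absolute home directory, and a primary GID with no /etc/group entry. The sample records are constructed for the example (the hash on "legacy" is a fake value); the Donald record is the one shown above.

```python
# Added example (not part of the lecture notes): parse /etc/passwd and
# /etc/group records and flag account problems an administrator would
# want to catch. Sample records are constructed for this example; the
# hash on "legacy" is a fake value, not a real password hash.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PasswdEntry:
    username: str
    password: str  # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str     # the "user's name" field
    home: str
    shell: str


@dataclass
class GroupEntry:
    name: str
    password: str  # "x" means the hash lives in /etc/gshadow
    gid: int
    members: List[str] = field(default_factory=list)


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one /etc/passwd line into its seven colon-separated fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)


def parse_group_line(line: str) -> GroupEntry:
    """Split one /etc/group line into its four fields; the member list may be empty."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {line!r}")
    name, pw, gid, members = fields
    return GroupEntry(name, pw, int(gid), [m for m in members.split(",") if m])


def load(text: str, parser):
    """Parse every non-blank, non-comment line of a passwd/group style file."""
    return [parser(ln) for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]


def audit(users: List[PasswdEntry], groups: List[GroupEntry]) -> List[str]:
    """Return findings: unshadowed or empty passwords, extra UID-0 accounts,
    duplicate UIDs, relative home directories and dangling primary GIDs."""
    findings: List[str] = []
    known_gids = {g.gid for g in groups}
    seen_uids: Dict[int, str] = {}
    for u in users:
        if u.password == "":
            findings.append(f"{u.username}: empty password field, no password required")
        elif u.password not in ("x", "*") and not u.password.startswith("!"):
            findings.append(f"{u.username}: password hash kept in /etc/passwd, not shadowed")
        if u.uid == 0 and u.username != "root":
            findings.append(f"{u.username}: UID 0, a second root-equivalent account")
        if u.uid in seen_uids:
            findings.append(f"{u.username}: shares UID {u.uid} with {seen_uids[u.uid]}")
        else:
            seen_uids[u.uid] = u.username
        if not u.home.startswith("/"):
            findings.append(f"{u.username}: home {u.home!r} is not an absolute path")
        if u.gid not in known_gids:
            findings.append(f"{u.username}: primary GID {u.gid} has no /etc/group entry")
    return findings


# Constructed sample data (not a real system); the Donald record is the one
# from the notes above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
Donald:x:503:503:unka Donald:/home/donald:/bin/bash
legacy:$1$fakesalt$fakehashfakehashfakeha:504:504:Old Account:/home/legacy:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
guest::505:505:Guest:/home/guest:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:root,Donald
Donald:x:503:
legacy:x:504:
"""


def run_sample() -> List[str]:
    """Audit the constructed sample; returns the list of findings."""
    users = load(SAMPLE_PASSWD, parse_passwd_line)
    groups = load(SAMPLE_GROUP, parse_group_line)
    return audit(users, groups)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a real host, read the two files with root privileges and pass their contents to load(); the Donald record and root pass cleanly, while the three constructed bad records each produce a finding.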
Configuration files:
- bash uses a number of configuration files to set its operating environment when it starts
- /etc/profile:
  - System-wide initialization file, executed during login; contains environment variables, such as the initial PATH, and startup programs
- /etc/bashrc:
  - System-wide initialization file for a user; contains aliases
Who uses the files?
- There are 3 sets of permissions for every file or directory: owner, group, and others
  - The owner permissions are for the owner of the file or directory
  - The group permissions are for everyone in the group
  - Others: the global permissions are for anyone
- What is the command to see the permissions and who owns the files?
- Answer: ls -l
- r -- file can be read
- w -- file can be written and modified
- x -- file can be executed (if it is a program)
- chmod is a standard command that allows you to change the permissions of a file or directory.
- There are two arguments for chmod:
  - the permissions: based on numbers
    - 1 stands for execute.
    - 2 stands for write.
    - 4 stands for read.
  - the file/directory name.
- chmod 777 lab2file will allow EVERYBODY full access to read, write and execute.
- chmod 644 lab2file will allow the owner (you) read and write access, the group read access, and everybody else (world) read access too.
- chmod 700 lab2file will give yourself full access while giving everybody 
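As an added example (not from the notes), the script below shows how the numeric chmod argument is built: each of the three classes (owner, group, others) gets one octal digit made by adding read=4, write=2, execute=1, so 777, 644 and 700 decode to exactly the access the bullets above describe. It converts between the number and the nine-character string ls -l prints, and applies a mode to a scratch file with os.chmod and reads it back, which is how you would verify a chmod. The temporary file stands in for lab2file.

```python
# Added example (not from the notes): numeric chmod modes. Each class
# (owner, group, others) gets one octal digit built from read=4, write=2,
# execute=1; 0o644 therefore means rw- for the owner, r-- for group and
# r-- for others. The last two functions apply a mode to a real file.
import os
import stat
import tempfile
from typing import Dict, List

READ, WRITE, EXEC = 4, 2, 1
CLASSES = ("owner", "group", "others")


def digit_to_rwx(digit: int) -> str:
    """Turn one octal digit (0-7) into its three-character rwx form."""
    if not 0 <= digit <= 7:
        raise ValueError(f"permission digit must be 0-7, got {digit}")
    return (("r" if digit & READ else "-")
            + ("w" if digit & WRITE else "-")
            + ("x" if digit & EXEC else "-"))


def mode_to_string(mode: int) -> str:
    """0o644 -> 'rw-r--r--', the nine permission characters ls -l shows."""
    owner, group, others = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    return digit_to_rwx(owner) + digit_to_rwx(group) + digit_to_rwx(others)


def string_to_mode(perms: str) -> int:
    """'rwxr-x---' -> 0o750, the inverse of mode_to_string."""
    if len(perms) != 9:
        raise ValueError("expected nine characters such as rw-r--r--")
    mode = 0
    for i, ch in enumerate(perms):
        expected = "rwx"[i % 3]       # position within each rwx triple
        if ch == expected:
            mode |= 1 << (8 - i)      # leftmost character is the 0o400 bit
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return mode


def describe(mode: int) -> Dict[str, List[str]]:
    """Spell out what each class may do, e.g. 0o644 -> owner: read, write."""
    names = ((READ, "read"), (WRITE, "write"), (EXEC, "execute"))
    out: Dict[str, List[str]] = {}
    for shift, cls in zip((6, 3, 0), CLASSES):
        digit = (mode >> shift) & 7
        out[cls] = [name for bit, name in names if digit & bit]
    return out


def is_world_writable(mode: int) -> bool:
    """True for modes such as 0o777 or 0o666 that let anyone modify the file."""
    return bool(mode & WRITE)


def set_and_verify(path: str, mode: int) -> str:
    """Apply the mode with os.chmod (what the chmod command does) and read
    the permission bits back from the inode, as ls -l would show them."""
    os.chmod(path, mode)
    return mode_to_string(stat.S_IMODE(os.stat(path).st_mode))


def demo_on_temp_file(mode: int) -> str:
    """Create a scratch file standing in for lab2file, apply the mode, clean up."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        return set_and_verify(path, mode)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for m in (0o777, 0o644, 0o700):
        print(f"chmod {m:o} -> {demo_on_temp_file(m)} {describe(m)}")
```

Note that umask has no effect on chmod, so the bits read back are exactly the ones requested; is_world_writable is the quick check to run over anything you find with mode 777.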
Setting up a secure system:
- There are some very basic things that you have to do in order to secure your system
- Shutting down redundant services
  - You have to disable all network daemons (services) that are not needed by the system
  - Any network port that is listening for connections can be vulnerable to attack due to probable exploits against the running daemon
  - To find out which ports are open, type:   # netstat -an
- Looking in /etc/services, or by passing -p to netstat, we can tell which service is running on each port
- Check each port that looks unnecessary
- Example vulnerable services:
  - telnetd, sendmail, ftpd: send clear-text passwords over the network. Instead of telnet use ssh
- Shutting down services involves editing the appropriate files on your system
- On RedHat-based systems daemons are started by scripts in the /etc/rc.d/init.d directory
- Depending on the runlevel, each daemon/service is linked to the appropriate rcX.d directory where 0<X<6
- What to have in mind all the time:
  - Never use simple passwords. Try to make them complex by mixing letters, symbols and numbers
  - Do NOT work on the root account unless absolutely necessary
  - Do not ignore the log files
  - Update your system on a regular basis
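The "netstat -an, then look the port up in /etc/services" step above, as an added example that is not part of the notes: the script parses netstat's socket table, keeps only listening TCP sockets and all UDP sockets (UDP shows no state), labels each port from /etc/services, and then separates the sockets bound to every interface (0.0.0.0) from those bound to 127.0.0.1 only, since the former are the ones reachable from the network and worth reviewing first. Both the netstat output and the /etc/services excerpt are constructed samples embedded so the script runs offline; on a real host you would feed it the command's output and the real file.

```python
# Added example (not from the notes): list listening sockets from
# "netstat -an" output and name each port from /etc/services. Both inputs
# below are constructed samples, not captures from a real host.
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:79              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

SAMPLE_SERVICES = """\
# service-name  port/protocol  [aliases ...]   # constructed excerpt
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp          mail
domain          53/tcp
domain          53/udp
finger          79/tcp
"""


@dataclass
class Listener:
    proto: str
    address: str   # local bind address
    port: int
    service: str   # name from /etc/services, or "unknown"


def parse_services(text: str) -> Dict[Tuple[str, int], str]:
    """Map (protocol, port) -> service name from /etc/services-style text."""
    table: Dict[Tuple[str, int], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        name, port_proto = line.split()[:2]     # aliases after that are ignored
        port, proto = port_proto.split("/")
        table[(proto, int(port))] = name
    return table


def parse_listeners(netstat_text: str,
                    services: Dict[Tuple[str, int], str]) -> List[Listener]:
    """Keep TCP sockets in LISTEN state and all UDP sockets (UDP has no state)."""
    listeners: List[Listener] = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue                             # header lines, unix sockets, etc.
        proto = parts[0].rstrip("6")
        state = parts[5] if len(parts) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue                             # established/closing connections
        address, _, port = parts[3].rpartition(":")   # rpartition copes with ::1
        key = (proto, int(port))
        listeners.append(Listener(proto, address, int(port), services.get(key, "unknown")))
    return listeners


def exposed_services(listeners: List[Listener]) -> List[str]:
    """Service names bound to every interface, i.e. reachable from the network."""
    return [ln.service for ln in listeners if ln.address in ("0.0.0.0", "::")]


def run_sample() -> List[Listener]:
    """Parse the constructed sample; returns the listening sockets found."""
    return parse_listeners(SAMPLE_NETSTAT, parse_services(SAMPLE_SERVICES))


if __name__ == "__main__":
    for ln in run_sample():
        print(f"{ln.proto:4} {ln.address:>12}:{ln.port:<5} {ln.service}")
    print("reachable from the network:", exposed_services(run_sample()))
```

With the sample, telnet (23), ssh (22), finger (79) and DNS (53/udp) are network-reachable, while smtp is bound to the loopback address only; telnet and finger are the entries this section says to look at first. Passing -p to netstat additionally shows the PID/program name for each socket, which the parser does not need.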
TCP wrapper configuration:
- A simple and effective way to protect the system
- TCP Wrappers "wrap" access to a service (e.g. the Apache web server), monitoring the connections to it and refusing unauthorised sites
- Used in conjunction with inetd and xinetd
- A good way to control access to services that do not provide any native access control mechanism
- The TCP Wrapper is the first thing encountered when a connection is established with a service protected by the wrapper
- The TCP Wrapper is responsible for determining whether the connection comes from a source host that is allowed to connect
- Depending on whether you are using TCP Wrappers with inetd or xinetd there are two different approaches
- If the system is using the inetd daemon you have to edit the /etc/inetd.conf file to use the TCP wrapper
- Using TCP wrappers requires just a small change to /etc/inetd.conf
- E.g. for the finger daemon
    finger stream tcp nowait root /usr/sbin/in.fingerd in.fingerd
  has to be changed to:
    finger stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.fingerd
  This causes the tcpd command, representing the TCP wrapper, to be executed instead of in.fingerd, and protects the daemon
- xinetd is the replacement for inetd adopted by some distros
- In most cases xinetd has built-in support for TCP wrappers
- You need to modify the TCP wrapper configuration files (/etc/hosts.allow, /etc/hosts.deny)
- /etc/hosts.allow and /etc/hosts.deny specify the access rules that are applied in daemon protection
- When a TCP wrapper is invoked it obtains the IP address of the connecting host and its hostname
- If the IP of the host is specified in /etc/hosts.allow then access to the daemon/service is permitted
- If no match is found, /etc/hosts.deny is consulted. If the IP is described there then the connection is closed
- If no match exists in either file then access is granted
- The syntax of those two files is simple
- Each file contains a set of rules
- General rule form:
    daemon_list : client_list : shell_command
  where daemon_list is a comma-separated list of daemons to which the rule applies, client_list is a comma-separated list of the hostnames or IP addresses to which the rule applies, and shell_command is optional, specifying the command to be executed when the rule matches
- Example rules:
  1. /etc/hosts.deny
       ALL:ALL   # Deny everything from everywhere
     In case nothing is specified in /etc/hosts.allow then this rule will refuse connection to any service by anyone
  2. /etc/hosts.deny
       ALL: ALL EXCEPT localhost
  3. /etc/hosts.allow
       in.fingerd: ALL
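As an added example that is not part of the notes, the script below models the evaluation order described above (hosts.allow first, then hosts.deny, otherwise grant) so the three example rule sets can be tried against sample clients. It is not tcpd's own code; it assumes a subset of the real hosts_access(5) syntax: ALL, LOCAL, an exact hostname or IP, a ".domain" suffix, a "192.168.1." prefix, and EXCEPT (nested as "a EXCEPT (b EXCEPT c)"). Netmask and @netgroup forms, and running the optional shell_command, are not modelled. The client addresses and hostnames are constructed.

```python
# Added example (not from the notes): a model of how tcpd consults
# /etc/hosts.allow and /etc/hosts.deny. Assumed subset of hosts_access(5)
# syntax: ALL, LOCAL, exact host/IP, ".domain" suffix, "a.b.c." prefix,
# EXCEPT. Netmasks, @netgroups and shell_command execution are not modelled.
import re
from typing import Callable, List, Tuple

Rule = Tuple[str, str, str]  # (daemon_list, client_list, shell_command)


def parse_rules(text: str) -> List[Rule]:
    """Read 'daemon_list : client_list [: shell_command]' lines, skipping
    blank lines and # comments."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"rule needs at least daemon_list : client_list: {raw!r}")
        rules.append((fields[0], fields[1], ":".join(fields[2:])))
    return rules


def client_matches(pattern: str, ip: str, hostname: str) -> bool:
    """One client_list pattern against the connecting host's IP and name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # hostname without a dot
        return "." not in hostname
    if pattern.startswith("."):       # domain suffix such as .example.com
        return hostname.endswith(pattern)
    if pattern.endswith("."):         # address prefix such as 192.168.1.
        return ip.startswith(pattern)
    return pattern in (ip, hostname)  # exact hostname or IP


def daemon_matches(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def list_matches(list_text: str, match_one: Callable[[str], bool]) -> bool:
    """Comma/space separated list with EXCEPT: 'a EXCEPT b EXCEPT c' reads as
    a EXCEPT (b EXCEPT c), which is how hosts_access(5) defines it."""
    head, *tail = re.split(r"\s+EXCEPT\s+", list_text.strip(), maxsplit=1)
    matched = any(match_one(p) for p in re.split(r"[,\s]+", head) if p)
    if tail:
        matched = matched and not list_matches(tail[0], match_one)
    return matched


def decide(allow_rules: List[Rule], deny_rules: List[Rule],
           daemon: str, ip: str, hostname: str) -> str:
    """hosts.allow is searched first; a match grants access. Otherwise
    hosts.deny is searched; a match refuses. No match in either file grants."""
    for rules, verdict in ((allow_rules, "allow"), (deny_rules, "deny")):
        for daemons, clients, _cmd in rules:
            if (list_matches(daemons, lambda p: daemon_matches(p, daemon))
                    and list_matches(clients, lambda p: client_matches(p, ip, hostname))):
                return verdict
    return "allow"


def evaluate(allow_text: str, deny_text: str,
             daemon: str, ip: str, hostname: str) -> str:
    """Convenience wrapper: raw file contents in, 'allow' or 'deny' out."""
    return decide(parse_rules(allow_text), parse_rules(deny_text), daemon, ip, hostname)


# The three rule sets from the notes, plus constructed sample clients.
DENY_EVERYTHING = "ALL:ALL   # Deny everything from everywhere"
DENY_EXCEPT_LOCALHOST = "ALL: ALL EXCEPT localhost"
ALLOW_FINGER = "in.fingerd: ALL"
REMOTE = ("10.0.0.5", "pc5.example.com")
LOCALHOST = ("127.0.0.1", "localhost")

if __name__ == "__main__":
    print(evaluate("", DENY_EVERYTHING, "in.telnetd", *REMOTE))             # deny
    print(evaluate("", DENY_EXCEPT_LOCALHOST, "in.telnetd", *LOCALHOST))    # allow
    print(evaluate(ALLOW_FINGER, DENY_EVERYTHING, "in.fingerd", *REMOTE))   # allow
    print(evaluate(ALLOW_FINGER, DENY_EVERYTHING, "in.telnetd", *REMOTE))   # deny
```

The default-grant outcome when neither file matches is why rule 1 matters: without an "ALL:ALL" in hosts.deny, any daemon not named in hosts.allow is reachable from anywhere, so the usual pattern is to deny everything there and list the few permitted daemon/client pairs in hosts.allow.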