Linux Networking and Security Overview

G. Sivakumar
Computer Science Department
Indian Institute of Technology, Bombay
Mumbai 400076, India
[email protected]
http://www.cse.iitb.ac.in/~siva

Outline of Talk
• Internet and TCP/IP Overview
• Basic Networking Utilities on Linux
• Setting up Network Services on Linux
• Network Security Threats and Defence Mechanisms

Power of Networking
• Knowledge is Power
• Isaac Newton – “... stood on the shoulders of giants.”
• ...
• Internet vs. Physical Library

Internet’s Growth and Charter
Information AnyTime, AnyWhere, AnyForm, AnyDevice, ...
WebTone like DialTone

What is a Computer Network?

So, what’s Internet?
• A bottom-up collection (interconnection) of networks
• TCP/IP is the only common factor
• Bureaucracy-free, reliable, cheap
• Decentralized, democratic, chaotic
• Internet Society (www.isoc.org)
• Internet Engineering Task Force (www.ietf.org)

How to Access Internet

Interfaces
• Point to Point Link
  – Modem and Telephone line
  – Internal/External
  – Speeds: 56 Kbps
  – Standards: (V.32, V.32bis, V.fast)
• Shared Link (LAN)
  – Ethernet Card
  – RJ45 connectors (twisted pair) or Wireless card
  – Speeds: 10, 100, 1000 Mbps
  – Standards: IEEE 802.3 (CSMA/CD)

IP Addresses
• Logical Address at Network Layer (IP address)
• Not a physical address (MAC address)
• Network cards can be changed
• Machine itself can be changed
• Analogy with Organizations
  – Dean, Research and Development (IP)
  – Prof. S. Suryanarayanan (MAC)
• Examples (32 bits grouped as 4 decimal numbers)
  – 202.54.11.3
  – 192.168.103.37
  – 712.11.345.13 not valid!
• One address per interface (not machine)
• One machine can have many addresses (Cabinet posts!)

Subnetting
• How to assign PIN Codes?
• Example (which way is better?)
  – Powai 400076 51234
  – KMarg 400053 61801
• Why common prefix? (same LAN!)
• Netmask (a way to define common prefix).
• Divide 32 bits into 2 parts
  – Left part is Network Number
  – Right part is Host Number
• Where to draw the line?

Subnetting Example

Direct Delivery of Datagrams

ARP, RARP, BOOTP
• Address Resolution Protocol (ARP) [RFC 1010]
  – ARP request - Broadcast “who is a.b.c.d?”
  – ARP reply - Target alone fills <IP,Physical>
  – ARP cache: arp -a
• Reverse Address Resolution Protocol (RARP, RFC 906)
  – Diskless clients request RARP servers
  – DHCP is dynamic allocation
• BOOTP (RFC 1123)
  – Like RARP, but at higher level (UDP)
  – Can return more info

Indirect Delivery of Datagrams

Domain Name Service (DNS)
• Flat vs. Hierarchical Name Space
• How to find the name of K. R. Narayan’s cook?
• Logical View of Internet

Configuring Networking on Linux
Conceptual Steps
• Install Interface (modem/ethernet card).
• Ensure Kernel recognizes devices and load drivers.
• Configure the IP information
  – Machine’s IP address
  – Netmask (who else is on the LAN)
  – Gateway (how to reach other IPs)
  – Nameserver (how to map Names to IPs)
• Test out functionalities.

Config Files for IP
Front end utilities such as setup or netconfig help to do the following.
• /etc/sysconfig/network-scripts/ifcfg-eth0
    DEVICE=eth0
    BOOTPROTO=static
    IPADDR=192.168.106.217
    NETMASK=255.255.255.0
    NETWORK=192.168.106.0
    BROADCAST=192.168.106.255
    ONBOOT=yes
• /etc/sysconfig/network
    NETWORKING=yes
    HOSTNAME=head-cc
    GATEWAY=192.168.106.129
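A consistency check for the static configuration in these two files, added here as an example and not part of the original slides. It parses the key=value lines, validates each dotted quad by the rule that rejects 712.11.345.13 on the IP Addresses slide, splits the address into network and host parts with the netmask as the Subnetting slide describes, and confirms that NETWORK, BROADCAST and GATEWAY agree with IPADDR and NETMASK. The file contents are embedded as constructed samples copied from the slide; all function names are this example's own.

```python
import re

# Constructed samples: the two files exactly as the slide shows them.
IFCFG_ETH0 = """\
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.106.217
NETMASK=255.255.255.0
NETWORK=192.168.106.0
BROADCAST=192.168.106.255
ONBOOT=yes
"""

NETWORK_FILE = """\
NETWORKING=yes
HOSTNAME=head-cc
GATEWAY=192.168.106.129
"""

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def parse_ipv4(text):
    """32-bit integer for a dotted quad, or None if it is not a valid IPv4 address.
    Each of the four decimal groups must be 0..255, so 712.11.345.13 is rejected."""
    m = DOTTED_QUAD.match(text.strip())
    if not m:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None
    value = 0
    for o in octets:
        value = (value << 8) | o
    return value


def to_dotted(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_netmask(mask):
    """A netmask must be a run of 1 bits followed by a run of 0 bits."""
    inverted = (~mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def parse_keyvalues(text):
    """KEY=VALUE lines as used by the sysconfig files; comments and blanks ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        conf[key.strip()] = val.strip()
    return conf


def check_ifcfg(ifcfg_text, network_text):
    """Cross-check the static IP settings; returns a list of problems (empty = consistent)."""
    cfg = parse_keyvalues(ifcfg_text)
    cfg.update(parse_keyvalues(network_text))
    problems, fields = [], {}
    for key in ("IPADDR", "NETMASK", "NETWORK", "BROADCAST", "GATEWAY"):
        if key not in cfg:
            problems.append("%s missing" % key)
            continue
        fields[key] = parse_ipv4(cfg[key])
        if fields[key] is None:
            problems.append("%s=%s is not a valid IPv4 address" % (key, cfg[key]))
    if problems:
        return problems
    ip, mask = fields["IPADDR"], fields["NETMASK"]
    if not is_valid_netmask(mask):
        return ["NETMASK %s is not contiguous" % cfg["NETMASK"]]
    network = ip & mask                        # left part: network number
    broadcast = network | (~mask & 0xFFFFFFFF)  # host part all ones
    if fields["NETWORK"] != network:
        problems.append("NETWORK should be %s" % to_dotted(network))
    if fields["BROADCAST"] != broadcast:
        problems.append("BROADCAST should be %s" % to_dotted(broadcast))
    if ip in (network, broadcast):
        problems.append("IPADDR is the network or broadcast address")
    if (fields["GATEWAY"] & mask) != network:
        problems.append("GATEWAY %s is not on the local subnet" % cfg["GATEWAY"])
    return problems


if __name__ == "__main__":
    print(check_ifcfg(IFCFG_ETH0, NETWORK_FILE) or "configuration is consistent")
```

A gateway outside the local subnet is the classic mistake this catches: the kernel would install the default route but could never ARP for the next hop, so every off-LAN packet is silently lost.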

Config Files for DNS
• /etc/resolv.conf
    search iitb.ac.in
    nameserver 10.200.1.11
    nameserver 144.16.108.173
    nameserver 144.16.106.173
• /etc/hosts
    ## Internet host table ##
    127.0.0.1      localhost
    10.105.1.4     everest everest.cse.iitb.ac.in
• /etc/nsswitch.conf
    ...
    #hosts:     db files nisplus nis dns
    hosts:      dns files
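An added example (not from the slides) of how the three files combine: the hosts line in nsswitch.conf fixes the order in which /etc/hosts and DNS are consulted, and the search list in resolv.conf qualifies short names before they go to DNS. The slide's order, dns before files, means a DNS answer overrides a local /etc/hosts entry; the reverse order lets a local entry win, which is also why an attacker-edited hosts file is worth watching for. Network access is replaced by a constructed DNS answer table; the file contents are constructed samples copied from the slide, and the function names are this example's own.

```python
# Constructed sample files, matching what the slide shows.
RESOLV_CONF = """\
search iitb.ac.in
nameserver 10.200.1.11
nameserver 144.16.108.173
nameserver 144.16.106.173
"""

HOSTS_FILE = """\
## Internet host table ##
127.0.0.1      localhost
10.105.1.4     everest everest.cse.iitb.ac.in
"""

NSSWITCH_CONF = """\
#hosts:     db files nisplus nis dns
hosts:      dns files
"""

# Constructed stand-in for the nameservers' answers (no network access in this example).
# everest is deliberately given a different address from /etc/hosts so the order shows.
FAKE_DNS = {
    "everest.cse.iitb.ac.in": "10.105.1.14",
    "www.iitb.ac.in": "10.200.1.20",
}


def parse_hosts(text):
    """/etc/hosts: 'ip name [alias ...]'; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def parse_nsswitch_hosts(text):
    """Ordered list of sources on the 'hosts:' line of nsswitch.conf."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    return ["files", "dns"]   # assumed fallback when the line is missing


def parse_resolv(text):
    """(search domains, nameserver list) from resolv.conf."""
    search, servers = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "search":
            search = parts[1:]
        elif parts[0] == "nameserver":
            servers.append(parts[1])
    return search, servers


def resolve(name, hosts_text, nsswitch_text, resolv_text, dns_table):
    """Return (address, source) for a host name, or (None, None) if nothing answers."""
    name = name.lower().rstrip(".")
    hosts = parse_hosts(hosts_text)
    search, _servers = parse_resolv(resolv_text)
    # A short name (no dot) is tried with each search domain appended; the
    # files source matches exact names only, DNS gets the qualified candidates.
    dns_candidates = [name] + ([name + "." + d for d in search] if "." not in name else [])
    for source in parse_nsswitch_hosts(nsswitch_text):
        if source == "files" and name in hosts:
            return hosts[name], "files"
        if source == "dns":
            for candidate in dns_candidates:
                if candidate in dns_table:
                    return dns_table[candidate], "dns"
        # nis, nisplus, db: not modelled in this example
    return None, None


if __name__ == "__main__":
    for host in ("everest.cse.iitb.ac.in", "www", "localhost"):
        print(host, "->", resolve(host, HOSTS_FILE, NSSWITCH_CONF, RESOLV_CONF, FAKE_DNS))
```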

Networking Utilities - ifconfig

$ /sbin/ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:06:5B:7C:9C:91
          inet addr:192.168.106.217  Bcast:192.168.106.255  Mask:255.
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1381783 errors:0 dropped:0 overruns:184 frame:0
          TX packets:232172 errors:0 dropped:0 overruns:0 carrier:5
          collisions:25496 txqueuelen:100
          RX bytes:129441452 (123.4 Mb)  TX bytes:135053586 (128.7 Mb
          Interrupt:11 Base address:0xdc80

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:282282 errors:0 dropped:0 overruns:0 frame:0
          TX packets:282282 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:133612390 (127.4 Mb)  TX bytes:133612390 (127.4 Mb

Useful Networking Utilities - ping
Brief Demos now (more in lab?).

$ ping www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.179) from 192.168.106.217 : 56(84
64 bytes from www10.dcx.yahoo.com (64.58.76.179): icmp_seq=1 ttl=44 t
64 bytes from www10.dcx.yahoo.com (64.58.76.179): icmp_seq=2 ttl=44 t
64 bytes from www10.dcx.yahoo.com (64.58.76.179): icmp_seq=3 ttl=44 t

$ ping -s 2048 www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.179) from 192.168.106.217 : 2048(
2056 bytes from www10.dcx.yahoo.com (64.58.76.179): icmp_seq=1 ttl=44
2056 bytes from www10.dcx.yahoo.com (64.58.76.179): icmp_seq=2 ttl=44
2056 bytes from www10.dcx.yahoo.com (64.58.76.179): icmp_seq=3 ttl=44
2056 bytes from www10.dcx.yahoo.com (64.58.76.179): icmp_seq=4 ttl=44

$ ping -vR www.yahoo.com
PING www.yahoo.akadns.net (64.58.76.176) from 192.168.106.217 : 56(12
64 bytes from www7.dcx.yahoo.com (64.58.76.176): icmp_seq=1 ttl=235 t
RR:     192.168.106.217
        cc-580.iitb.ac.in (144.16.122.105)
        144.16.108.100
        garbo-vsnl-radio-out.iitb.ac.in (203.197.74.149)
        203.197.31.153
        203.197.33.137
        vsb-lvsb-stm-1.Bbone.vsnl.net.in (202.54.2.189)
        TelecomItaliaMumbiNYC4.so-2-3-3.ar2.NYC2.gblx.net (64.211.60.250)
        loop0.ar2.NYC2.gblx.net (208.48.234.137)

Useful Networking Utilities - traceroute

$ /usr/sbin/traceroute www.ibm.com
traceroute: Warning: www.ibm.com has multiple addresses; using 129.42
traceroute to www.ibm.com (129.42.16.99), 30 hops max, 38 byte packet
 1  192.168.106.129 (192.168.106.129)  22.072 ms  1.234 ms  0.581 ms
 2  144.16.122.100 (144.16.122.100)  22.692 ms  2.007 ms  4.268 ms
 3  garbo-vsnl-radio.iitb.ac.in (144.16.108.1)  24.364 ms  0.875 ms
 4  router-vsnl-radio-ethernet.iitb.ac.in (203.197.74.129)  21.948 ms
 5  203.197.31.154 (203.197.31.154)  22.560 ms  4.385 ms  2.570 ms
 6  203.197.33.129 (203.197.33.129)  25.990 ms  2.821 ms  2.831 ms
 7  lvsb-vsb-stm-1.Bbone.vsnl.net.in (202.54.2.190)  23.252 ms  2.895
 8  if-4-0-0.bb5.NewYork.Teleglobe.net (64.86.90.137)  300.273 ms  29
...

Nicer tool: mtr

Useful Networking Utilities - netstat

[siva@head-cc siva]$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  i
192.168.106.0   0.0.0.0         255.255.255.0   U        40 0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0
0.0.0.0         192.168.106.129 0.0.0.0         UG       40 0
[siva@head-cc siva]$ netstat -na | grep ESTABLISHED
tcp        0      0 192.168.106.217:32877   10.105.1.14:22          E
tcp        0      0 192.168.106.217:33313   10.105.5.10:22          E
tcp        0      0 192.168.106.217:33386   10.105.1.14:993         E
tcp        0      0 192.168.106.217:33060   144.16.108.32:22        E
[siva@head-cc siva]$ netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP
eth0   1500   0 1376600      0      0    184  231864      0
lo    16436   0  282282      0      0      0  282282      0

$ netstat -s | head -40
Ip:
    653209 total packets received
    0 forwarded
    0 incoming packets discarded
    508651 incoming packets delivered
    513994 requests sent out
    12 reassemblies required
    6 packets reassembled ok
    12 fragments created
Icmp:
    171 ICMP messages received
    1 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 22
        timeout in transit: 123
        echo replies: 26
    5 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 5
Tcp:
    618 active connections openings
    52 passive connection openings
    0 failed connection attempts
    0 connection resets received
    4 connections established
    503680 segments received
    512715 segments send out
    94 segments retransmited
    0 bad segments received.
    187 resets sent
Udp:
    1090 packets received
    5 packets to unknown port received.
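The routing table printed by netstat -nr is what decides between the direct and indirect delivery of the earlier slides, and this added example (not code from the slides) replays that decision: parse the table, pick the matching route with the longest netmask, and deliver directly on the interface when the route has no G flag, or hand the datagram to the listed gateway when it does. The listing is a constructed netstat -nr output with the same three routes as the slide; the irtt and Iface columns, cut off on the slide, are assumed here, and the function names are this example's own.

```python
# Constructed netstat -nr listing: the slide's three routes plus assumed irtt/Iface columns.
ROUTING_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.106.0   0.0.0.0         255.255.255.0   U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.106.129 0.0.0.0         UG       40 0          0 eth0
"""


def ip_to_int(text):
    """Dotted quad to a 32-bit integer (inputs here are trusted netstat output)."""
    value = 0
    for octet in text.split("."):
        value = (value << 8) | int(octet)
    return value


def parse_routes(text):
    """Route entries from netstat -nr output; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, gateway, mask, flags = parts[:4]
        routes.append({
            "dest": ip_to_int(dest),
            "gateway": gateway,
            "mask": ip_to_int(mask),
            "prefix": bin(ip_to_int(mask)).count("1"),  # longer prefix = more specific
            "flags": flags,
            "iface": parts[-1],
        })
    return routes


def route_lookup(routes, destination):
    """Longest-prefix match. Returns (kind, next_hop, iface) or None when no route fits:
    kind is 'direct' (next hop is the destination itself, reached by ARP on iface)
    or 'indirect' (next hop is the gateway the datagram is forwarded to)."""
    addr = ip_to_int(destination)
    best = None
    for route in routes:
        if (addr & route["mask"]) == route["dest"]:
            if best is None or route["prefix"] > best["prefix"]:
                best = route
    if best is None:
        return None
    if "G" in best["flags"]:
        return ("indirect", best["gateway"], best["iface"])
    return ("direct", destination, best["iface"])


if __name__ == "__main__":
    table = parse_routes(ROUTING_TABLE)
    for host in ("192.168.106.20", "144.16.108.32", "127.0.0.1"):
        print(host, "->", route_lookup(table, host))
```

The default route (0.0.0.0/0) matches every address with prefix length 0, so it only wins when nothing more specific does; without it, an off-LAN destination gets no route at all, which is the "network unreachable" error the kernel reports.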

TCP/IP Applications
How to build applications on top of this?
• TCP (reliable stream)
• Sockets
• Client-Server model

What is a Socket?
Analogy with Telephone Instrument, Number, Line
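The telephone analogy carried through in code, as an added example that is not part of the slides: the socket is the instrument, bind() takes a number, listen() switches the ringer on, connect() dials, accept() picks up, and the accepted connection is the line the two sides talk over. A one-shot TCP echo server runs in a thread on the loopback address and the client half of the same program calls it; port 0 asks the kernel for any free port, and the function names are this example's own.

```python
import socket
import threading


def echo_server_once(listener, outcome):
    """Server side: wait for one call, read a request, answer it, hang up."""
    conn, peer = listener.accept()          # the phone rings; pick it up
    with conn:                              # conn is the line to this caller
        request = conn.recv(1024)           # hear what the caller says
        conn.sendall(b"echo: " + request)   # answer on the same line
        outcome["peer"] = peer              # caller id: (address, port)
    listener.close()                        # one call only in this demo


def run_echo_demo(message=b"hello, world"):
    """Run the server in a thread and talk to it as a client.
    Returns (reply, peer) so both ends of the exchange can be checked."""
    outcome = {}
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # the instrument
    listener.settimeout(5)                                         # never hang a demo
    listener.bind(("127.0.0.1", 0))   # the number: loopback, port 0 = any free port
    listener.listen(1)                # ringer on; kernel queues incoming calls
    port = listener.getsockname()[1]  # which port did the kernel give us?

    server = threading.Thread(target=echo_server_once, args=(listener, outcome))
    server.start()

    # Client side: dial the server's number, speak, listen for the answer.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall(message)
        reply = client.recv(1024)
    server.join(5)
    return reply, outcome.get("peer")


if __name__ == "__main__":
    print(run_echo_demo())
```

The same bind/listen/accept loop is what every daemon on the Example Applications slide runs on its well-known port; the security difference between them is only what happens after accept().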

Example Applications
From /etc/services on Unix
• Connection Oriented (TCP)
    Client        Server     Port
    Mail          smtpd      25
    Telnet        telnetd    23
    FTP           ftpd       20,21
    WWW Browser   httpd      80
• Connectionless (UDP)
    Client        Server     Port
    SNMP          snmpd      161
    NFS           nfsd       2049

Daemon Processes
smtpd, telnetd, ...
How to start server processes?
• At boot time (/etc/rc*)
• crontab, at
• from terminal
Characteristics
• Started once
• Until system crash?
• Event-driven
• Spawns other processes
Problems/Caution
• Close all files.
• Change to / (so umount is possible)
• Background running (nohup)
• Ignore Terminal I/O signals
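The four cautions above as one daemonize routine, added here as an example and not code from the slides. It detaches with the classic double fork and setsid (the background step that nohup only approximates), changes directory to /, closes every inherited file, points the terminal descriptors at /dev/null and ignores the terminal signals; a second function forks a throwaway child, daemonizes it and reads the daemon's self-report back over a pipe so the result can be verified from the outside. Function names are this example's own; the report pipe is the one descriptor deliberately kept open.

```python
import json
import os
import signal


def daemonize(keep_fds=()):
    """Detach the calling process; returns only in the daemon.
    keep_fds: descriptors to leave open (every other fd >= 3 is closed)."""
    if os.fork() > 0:
        os._exit(0)              # original process returns to the shell
    os.setsid()                  # new session: no controlling terminal
    if os.fork() > 0:
        os._exit(0)              # session leader exits; a terminal can never be re-acquired
    os.chdir("/")                # do not pin a mounted filesystem (umount stays possible)
    for fd in range(3, 256):     # close all inherited files
        if fd not in keep_fds:
            try:
                os.close(fd)
            except OSError:
                pass
    devnull = os.open(os.devnull, os.O_RDWR)
    for fd in (0, 1, 2):         # terminal I/O goes nowhere from now on
        os.dup2(devnull, fd)
    if devnull > 2:
        os.close(devnull)
    for sig in (signal.SIGHUP, signal.SIGTTIN, signal.SIGTTOU):
        signal.signal(sig, signal.SIG_IGN)   # ignore terminal-related signals


def _is_open(fd):
    try:
        os.fstat(fd)
        return True
    except OSError:
        return False


def daemon_state(report_fd, parent_sid):
    """What the daemon looks like from the inside, for verification."""
    null, stdin = os.stat(os.devnull), os.fstat(0)
    try:
        os.close(os.open("/dev/tty", os.O_RDWR))
        controlling_tty = True
    except OSError:
        controlling_tty = False
    return {
        "cwd": os.getcwd(),
        "new_session": os.getsid(0) != parent_sid,
        "session_leader": os.getsid(0) == os.getpid(),   # False after the second fork
        "controlling_tty": controlling_tty,
        "sighup_ignored": signal.getsignal(signal.SIGHUP) == signal.SIG_IGN,
        "stdin_is_devnull": (stdin.st_dev, stdin.st_ino) == (null.st_dev, null.st_ino),
        "stray_fds": [fd for fd in range(3, 256) if fd != report_fd and _is_open(fd)],
    }


def spawn_daemon_and_report():
    """Fork a child, daemonize it, and collect its self-report over a pipe."""
    parent_sid = os.getsid(0)
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:                 # child: become a daemon, report, exit
        try:
            os.close(read_end)
            daemonize(keep_fds={write_end})
            os.write(write_end, json.dumps(daemon_state(write_end, parent_sid)).encode())
            os.close(write_end)
        finally:
            os._exit(0)
    os.close(write_end)
    os.waitpid(pid, 0)           # the intermediate child exits immediately
    chunks = []
    while True:                  # EOF arrives once the daemon closes its end
        chunk = os.read(read_end, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(read_end)
    return json.loads(b"".join(chunks).decode())


if __name__ == "__main__":
    print(json.dumps(spawn_daemon_and_report(), indent=2))
```

Closing inherited descriptors matters for more than umount: a daemon started from a shell otherwise keeps the administrator's open files, sockets and terminal, and anything it spawns inherits them too.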

Super-Server Process
• inetd on Unix machines uses /etc/inetd.conf
• Binds to all ports required
• Selects incoming call to accept
• Forks a copy and continues

Sample lines
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

For better security xinetd is used nowadays.

xinetd
Extended Internet Services Daemon
• Has good access control mechanisms
• logging capabilities
• Ability to make services available based on time
• can place limits on the number of servers that can be started
• can redirect services to different ports and network interfaces (NIC) or even to a different server
Do man 5 xinetd.conf for more details.

$ more /etc/xinetd.d/imap
# default: off
# description: The IMAP service allows remote users to access their m
#              an IMAP client such as Mutt, Pine, fetchmail, or Netsc
#              Communicator.
service imap
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        rlimit_as       = 8M
        rlimit_cpu      = 20
        server          = /usr/sbin/imapd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
}

What services are running?
chkconfig

# chkconfig --list | head -40
ntpd            0:off   1:off   2:off   3:on    4:off   5:off   6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netfs           0:off   1:off   2:off   3:on    4:on    5:on    6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
random          0:off   1:off   2:on    3:on    4:on    5:on    6:off
rawdevices      0:off   1:off   2:off   3:on    4:on    5:on    6:off
saslauthd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
apmd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
atd             0:off   1:off   2:off   3:on    4:on    5:on    6:off
gpm             0:off   1:off   2:on    3:on    4:on    5:on    6:off
autofs          0:off   1:off   2:off   3:on    4:on    5:on    6:off
irda            0:off   1:off   2:off   3:off   4:off   5:off   6:off
isdn            0:off   1:off   2:on    3:on    4:on    5:on    6:off
keytable        0:off   1:on    2:on    3:on    4:on    5:on    6:off
kudzu           0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
snmptrapd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
nfslock         0:off   1:off   2:off   3:on    4:on    5:on    6:off
rhnsd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
pcmcia          0:off   1:off   2:on    3:on    4:on    5:on    6:off
crond           0:off   1:off   2:on    3:on    4:on    5:on    6:off
anacron         0:off   1:off   2:on    3:off   4:on    5:on    6:off
xfs             0:off   1:off   2:on    3:on    4:on    5:on    6:off
lpd             0:off   1:off   2:on    3:on    4:on    5:on    6:off
firstboot       0:off   1:off   2:off   3:off   4:off   5:on    6:off
xinetd based services:
        chargen-udp:    off
        chargen:        off
        daytime-udp:    off
        daytime:        off
        echo-udp:       off
        echo:           off
        services:       off
        servers:        off
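Answering "what services are running?" for a given runlevel from these two sources, as an added example that is not code from the slides: it parses chkconfig --list output into the runlevels each SysV service is on at, parses xinetd service stanzas (including the += append operator seen in the imap file), and reports the stanzas that are not disabled together with the settings the xinetd slide highlights (user, resource limits, failure logging). The chkconfig lines are a shortened copy of the slide's listing; the imap stanza is the slide's, and a second telnet stanza that is left enabled is constructed so the audit has something to flag. Function names are this example's own.

```python
import re

# Constructed samples. imap is the slide's own stanza; telnet is constructed and left enabled.
XINETD_FILES = {
    "/etc/xinetd.d/imap": """\
# default: off
service imap
{
        disable         = yes
        socket_type     = stream
        wait            = no
        user            = root
        rlimit_as       = 8M
        rlimit_cpu      = 20
        server          = /usr/sbin/imapd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
}
""",
    "/etc/xinetd.d/telnet": """\
service telnet
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
}
""",
}

# Shortened from the slide's chkconfig --list output.
CHKCONFIG_LIST = """\
ntpd            0:off   1:off   2:off   3:on    4:off   5:off   6:off
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
snmpd           0:off   1:off   2:off   3:off   4:off   5:off   6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        chargen-udp:    off
        chargen:        off
        echo:           off
"""


def parse_xinetd_service(text):
    """One xinetd stanza -> (service name, {attribute: [values]}).
    '=' assigns a value list, '+=' appends to it (as xinetd.conf defines)."""
    m = re.search(r"service\s+(\S+)\s*\{(.*?)\}", text, re.S)
    name, body = m.group(1), m.group(2)
    attrs = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "+=" in line:
            key, _, val = line.partition("+=")
            attrs.setdefault(key.strip(), []).extend(val.split())
        elif "=" in line:
            key, _, val = line.partition("=")
            attrs[key.strip()] = val.split()
    return name, attrs


def parse_chkconfig(text):
    """chkconfig --list output -> ({sysv service: set of 'on' runlevels},
    {xinetd service: enabled?})."""
    sysv, xinetd = {}, {}
    in_xinetd = False
    for line in text.splitlines():
        if line.startswith("xinetd based services"):
            in_xinetd = True
            continue
        parts = line.split()
        if not parts:
            continue
        if in_xinetd:
            xinetd[parts[0].rstrip(":")] = parts[1] == "on"
        else:
            sysv[parts[0]] = {int(p.split(":")[0]) for p in parts[1:] if p.endswith(":on")}
    return sysv, xinetd


def audit(chkconfig_text, xinetd_files, runlevel=3):
    """Inventory for one runlevel: SysV services switched on there, and (if xinetd
    itself is on) the xinetd stanzas that are not disabled, each with notes on
    the settings worth a second look. Returns (enabled, findings)."""
    sysv, _ = parse_chkconfig(chkconfig_text)
    enabled = sorted(name for name, levels in sysv.items() if runlevel in levels)
    findings = []
    if "xinetd" in enabled:
        for text in xinetd_files.values():
            name, attrs = parse_xinetd_service(text)
            if attrs.get("disable", ["no"])[0].lower() == "yes":
                continue
            notes = []
            if attrs.get("user", [""])[0] == "root":
                notes.append("runs as root")
            if "log_on_failure" not in attrs:
                notes.append("no failure logging")
            if not any(key.startswith("rlimit_") for key in attrs):
                notes.append("no resource limits")
            findings.append((name, notes))
    return enabled, findings


if __name__ == "__main__":
    for level in (3, 5):
        print("runlevel", level, audit(CHKCONFIG_LIST, XINETD_FILES, level))
```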

Vulnerabilities
• Application Security
  – Buggy code
  – Buffer Overflows
• Host Security
  – Server side (multi-user/application)
  – Client side (virus)
• Transmission Security

Security Mechanisms
• System Security: “Nothing bad happens to my computers and equipment”
  – virus, trojan-horse, logic/time-bombs, ...
• Network Security:
  – Authentication Mechanisms “you are who you say you are”
  – Access Control Firewalls, Proxies “who can do what”
• Data Security: “for your eyes only”
  – Encryption, Digests, Signatures, ...
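Two of the Data Security items above, as an added example that is not part of the slides: a plain digest (SHA-256) and a keyed digest (HMAC-SHA256) are compared on the same message. A constructed attacker who alters the message in transit can recompute the digest, because it needs no secret, but cannot recompute the tag without the key, so only the keyed check detects the change. Encryption and signatures need an asymmetric-crypto library beyond the standard library and are not shown; function names and the sample message are this example's own.

```python
import hashlib
import hmac
import secrets


def digest(message):
    """Unkeyed digest: catches accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key, message):
    """Keyed digest (HMAC-SHA256): only a holder of the key can produce a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key, message, tag):
    # constant-time comparison, so the time taken does not reveal how many bytes matched
    return hmac.compare_digest(mac_tag(key, message), tag)


def send(key, message):
    """What the sender transmits: the message, its digest and its MAC tag."""
    return {"message": message, "digest": digest(message), "tag": mac_tag(key, message)}


def tamper_in_transit(packet):
    """Constructed active attacker: changes the amount and recomputes the digest,
    which needs no secret. The tag is left as it was, since the key is unknown."""
    altered = packet["message"].replace(b"100", b"900")
    return {"message": altered, "digest": digest(altered), "tag": packet["tag"]}


def receive(key, packet):
    """Receiver's two integrity checks on an incoming packet."""
    return {
        "digest_ok": digest(packet["message"]) == packet["digest"],
        "mac_ok": verify_mac(key, packet["message"], packet["tag"]),
    }


def demo():
    key = secrets.token_bytes(32)   # shared between sender and receiver out of band
    genuine = send(key, b"transfer 100 to account 42")
    return {
        "genuine": receive(key, genuine),
        "tampered": receive(key, tamper_in_transit(genuine)),
    }


if __name__ == "__main__":
    print(demo())
```

The result makes the distinction concrete: the digest check passes on the altered message, the MAC check does not. A digest alone is therefore a checksum, not an authentication mechanism; it becomes one only when combined with a key (MAC) or a private key (signature).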

Network Security Mechanism Layers

Linux Network Security Utilities
• ssh, sshd Secure Shell
• iptables IP Tables (NAT - network address translation)
• Various proxy servers (squid)

Vast topic for interested people. Some pointers..
• www.cerias.purdue.edu (Centre for Education and Research in Information Assurance and Security)
• csrc.nist.gov (Computer Security Resources Clearinghouse)
• www.vtcif.telstra.com.au/info/security.html