Title:
Red hat linux internet server
Personal Author:
Publication Information:
Indianapolis, Ind. : Wiley Publishing, 2003
ISBN:
9780764547881
Added Author:
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010048112 | QA76.76.O63 S46 2003 | Open Access Book | Book | Searching... |
Searching... | 30000010049583 | QA76.76.O63 S46 2003 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
* Red Hat Linux X Internet Server takes the reader through all of the steps of setting up an Internet server using the Red Hat Linux operating system.
* It begins by describing Red Hat Linux networking basics, two example networks and the basics of DSL Internet connections, firewalls and troubleshooting in Part 1.This sets the foundation for all subsequent examples and provides readers with problem solving tools.
* Part 2 describes how to construct and manage a secure web server that is connected to a database. Part 3 shows the reader how to construct basic Internet services such as DNS, sendmail, FTP and Samba. Part 4 deals with advanced management techniques.
* The final part describes how to secure your network and servers. This part goes beyond the average coverage by showing advanced as well as basic security techniques and tools.
ABOUT THE CD-ROM
The CD-ROM has an open-source high-availability system/server created by the author and appropriate GPL server and security software.
Author Notes
Paul G. Sery works for Sandia National Laboratories, in Albuquerque, New Mexico, where he designs and manages several networks for the Computer Science Research Institute
Jay Beale is the founder and president of JJB Security Consulting
Table of Contents
| Preface | p. vii |
| Acknowledgments | p. x |
| Part I Building a Linux Network | |
| Chapter 1 Introducing the Example Networks | p. 3 |
| Introducing the Sample Networks | p. 3 |
| Direct Connect to Internet (DCI) | p. 4 |
| DMZ to Internet (DMZI) | p. 5 |
| Explaining Server Functions | p. 6 |
| Understanding the DCI configuration | p. 9 |
| Introducing the DMZI configuration | p. 10 |
| Adding Subnets to Both Networks | p. 11 |
| Chapter 2 Configuring Red Hat Linux Networking | p. 15 |
| Introducing the Internet Protocol | p. 16 |
| Networking and the OSI network model | p. 16 |
| Introducing the Transport layer protocols | p. 17 |
| Explaining Network Layer Protocols (IP Routing) | p. 18 |
| Examining the Physical Link Protocols (Ethernet Frames) | p. 19 |
| Looking at the Network Layout of a Red Hat Linux System | p. 20 |
| Important network configuration files | p. 20 |
| Important applications and scripts | p. 24 |
| arp/rarp | p. 24 |
| ifconfig | p. 25 |
| netstat | p. 26 |
| nmap | p. 26 |
| ping | p. 26 |
| redhat-config-network-druid/redhat-config-network-cmd | p. 27 |
| route | p. 27 |
| sysctl | p. 28 |
| tcpdump | p. 29 |
| modprobe | p. 30 |
| Configuring One or More NICs | p. 30 |
| Example 1 Configuring a single NIC | p. 30 |
| Example 2 Configuring dual NICs (dual homed) | p. 35 |
| Example 3 Configuring a Red Hat Linux router | p. 37 |
| Chapter 3 Connecting to the Internet via DSL | p. 43 |
| Introducing DSL Technology | p. 44 |
| Understanding DSL Terminology | p. 48 |
| General terms | p. 49 |
| Types of DSL service | p. 52 |
| Creating Your DSL Internet Connection | p. 54 |
| Obtaining a DSL Internet connection | p. 54 |
| Physically connecting your DSL modem | p. 54 |
| Configuring your DSL provider's equipment | p. 56 |
| Basic Troubleshooting Hints | p. 62 |
| Chapter 4 Building a Firewall | p. 67 |
| Introducing Firewalls | p. 67 |
| Packet filtering firewalls | p. 68 |
| Proxy firewalls | p. 68 |
| Hybrid firewalls | p. 69 |
| Understanding IP NAT or masquerading | p. 69 |
| Understanding how a packet flows through the Internet | p. 70 |
| Introducing stateful IP packet filters (Netfilter/iptables) | p. 73 |
| Building the Firewall | p. 79 |
| Protecting the networks with a simple rule set | p. 79 |
| Tightening the firewall with custom chains | p. 86 |
| Allowing External Connections via Secure Shell | p. 92 |
| Configuring the SSH server | p. 94 |
| Modifying the firewall server (atlas) to allow SSH | p. 98 |
| Managing Your Firewall | p. 98 |
| Chapter 5 Introducing Basic Troubleshooting | p. 101 |
| Troubleshooting with the Fault Tree | p. 102 |
| Troubleshooting Linux Networking | p. 103 |
| Is the power turned on? | p. 103 |
| Has your network cabling been compromised? | p. 103 |
| Is your network switch or hub configured correctly? | p. 104 |
| Is your network adapter configured correctly? | p. 105 |
| Troubleshooting Your DSL Connection | p. 111 |
| Checking your DSL modem/router configuration | p. 112 |
| Checking your DSL provider configuration | p. 113 |
| Checking your ISP configuration | p. 114 |
| Troubleshooting Your Firewall/Gateway | p. 114 |
| Checking your Red Hat Linux networking configuration | p. 115 |
| Checking your gateway routes and IP forwarding | p. 116 |
| Checking your firewall scripts | p. 117 |
| Checking your kernel modules and flags | p. 118 |
| Using network sniffing tools | p. 118 |
| Using Additional Information | p. 120 |
| Part II Building a World Wide Web Server | |
| Chapter 6 Configuring a Basic Apache Server | p. 125 |
| Introducing the HTML and HTTP Protocols | p. 125 |
| Presenting the HTTP protocol | p. 125 |
| Introducing the HTML standard (HTML is not a protocol) | p. 126 |
| Exploring the Apache Web Server | p. 131 |
| Introducing the Apache configuration directives | p. 132 |
| Introducing the Apache configuration file | p. 132 |
| Creating a Basic Web Site | p. 141 |
| Installing the Apache Web server | p. 142 |
| Configuring the Apache Web server | p. 142 |
| Controlling the Apache Web server | p. 147 |
| Accessing the Apache Web server | p. 147 |
| Controlling access to the Web server with .htaccess and .htpasswd | p. 147 |
| Developing a Virtual Web Site | p. 149 |
| Using SSL with Apache | p. 151 |
| Installing mod_ssl package | p. 152 |
| SSL's negotiation and certificates | p. 152 |
| Certificate Authorities | p. 153 |
| Setting up Apache for HTTPS with SSL | p. 153 |
| Making CA-signed Certificates | p. 154 |
| Troubleshooting | p. 156 |
| Inspect the Linux system logs | p. 156 |
| Inspect the Apache logs | p. 157 |
| Connect locally | p. 157 |
| Check your Apache configuration | p. 158 |
| Use a simplified httpd.conf, if possible | p. 158 |
| Add new directives incrementally | p. 158 |
| Chapter 7 Connecting a Database to the Web Server | p. 161 |
| Introducing SQL | p. 161 |
| Installing and Configuring MySQL | p. 163 |
| Accessing the SQL Server | p. 165 |
| Creating a database | p. 165 |
| Using the MySQL database | p. 167 |
| Interacting with the SQL Server by Using Scripts | p. 169 |
| Displaying MySQL database data | p. 169 |
| Inserting data into a MySQL database | p. 173 |
| Modifying MySQL database data | p. 175 |
| Using a CGI script to access a SQL database via a Web browser | p. 179 |
| Securing Your MySQL Database | p. 185 |
| Chapter 8 Building a Simple Audio Streaming Server | p. 187 |
| Introducing Streaming Technology | p. 187 |
| Introducing the Xiph.org Foundation | p. 188 |
| Serving MP3 Streams with Icecast Version 1 | p. 189 |
| Installing and Configuring Icecast | p. 190 |
| Installing and Configuring Ices | p. 192 |
| Serving Up MP3 Streams | p. 193 |
| Serving Ogg Vorbis Streams with Icecast Version 2 | p. 195 |
| Streaming Ogg Vorbis Locally | p. 196 |
| Streaming Ogg Vorbis on the Internet | p. 200 |
| Summarizing the Icecast2 and Ices2 Configuration Files | p. 201 |
| Troubleshooting | p. 213 |
| Part III Providing Basic Internet Services | |
| Chapter 9 Building a Domain Name Server | p. 219 |
| Introducing Domain Name Service (DNS) | p. 219 |
| Domains | p. 220 |
| Zones | p. 220 |
| Authoritative name servers | p. 221 |
| Understanding client name resolution | p. 222 |
| Following a sample name service request | p. 222 |
| Understanding Resource Records | p. 225 |
| Using Start Of Authority (SOA) resource records | p. 226 |
| Defining azone resource records | p. 227 |
| Introducing bind configuration statements and parameters | p. 228 |
| Introducing the /var/named/ configuration files | p. 230 |
| Configuring a Basic DNS Server | p. 231 |
| Configuring a primary name server | p. 231 |
| Configuring a secondary name server | p. 237 |
| Adding Security Measures | p. 237 |
| Using ACLs | p. 238 |
| Using Transfer Signatures | p. 239 |
| Running named in a chroot environment | p. 240 |
| Starting and stopping the name server | p. 241 |
| Creating Multiple Zone Files | p. 242 |
| Configuring a Split-Domain DNS Server | p. 245 |
| Configuring the Split-Domain private name server | p. 246 |
| Configuring the Split-Domain DMZ name server | p. 247 |
| Troubleshooting | p. 249 |
| named-checkzone | p. 249 |
| named-checkconf | p. 249 |
| dig | p. 250 |
| host | p. 250 |
| tcpdump | p. 251 |
| Chapter 10 Creating an SMTP E-mail Server | p. 253 |
| A Little Mailer Theory | p. 253 |
| Compatibility | p. 254 |
| Performance | p. 254 |
| Making use of it all | p. 255 |
| Understanding Mail Queues | p. 255 |
| Understanding Configuration Parameters | p. 255 |
| Parameter Information and Syntax | p. 256 |
| Values | p. 256 |
| Files | p. 256 |
| Databases and Tables | p. 256 |
| Handling Unsolicited Commercial E-mail | p. 257 |
| Examining Important Parameters in main.cf | p. 257 |
| queue_directory | p. 257 |
| command_directory | p. 257 |
| daemon_directory | p. 258 |
| mail_owner | p. 258 |
| default_privs | p. 258 |
| myhostname | p. 258 |
| mydomain | p. 259 |
| myorigin | p. 259 |
| inet_interfaces | p. 259 |
| mydestination | p. 259 |
| local_recipient_maps | p. 260 |
| masquerade_domains | p. 260 |
| masquerade_exceptions | p. 260 |
| local_transport | p. 260 |
| alias_maps | p. 261 |
| alias_database | p. 261 |
| home_mailbox | p. 261 |
| mail_spool_directory | p. 261 |
| mailbox_command | p. 261 |
| mailbox_transport | p. 262 |
| fallback_transport | p. 262 |
| luser_relay | p. 262 |
| smtpd_recipient_limit | p. 263 |
| smtpd_timeout | p. 263 |
| mynetworks_style | p. 263 |
| mynetworks | p. 263 |
| allow_untrusted_routing | p. 264 |
| maps_rbl_domains | p. 264 |
| smtpd_client_restrictions | p. 264 |
| smtpd_sender_restrictions | p. 264 |
| smtpd_recipient_restrictions | p. 265 |
| smtpd_helo_required | p. 265 |
| smtpd_helo_restrictions | p. 265 |
| smtpd_delay_reject | p. 266 |
| strict_rfc821_envelopes | p. 266 |
| header_checks | p. 266 |
| body_checks | p. 266 |
| message_size_limit | p. 266 |
| relay_domains | p. 267 |
| mynetworks | p. 267 |
| smtpd_banner | p. 267 |
| local_destination_concurrency_limit | p. 267 |
| default_destination_concurrency_limit | p. 268 |
| debug_peer_list | p. 268 |
| debug_peer_level | p. 268 |
| debugger_command | p. 268 |
| disable_vrfy_command | p. 268 |
| Setting Up Important Files | p. 269 |
| Setting up master.cf | p. 269 |
| Setting up the aliases file | p. 269 |
| Setting up the virtual file | p. 269 |
| Setting up the canonical file | p. 270 |
| Setting p the access file | p. 270 |
| Using Commands to Process Datafiles | p. 270 |
| Understanding E-mail Server Terminology | p. 271 |
| Mail User Agents | p. 271 |
| Message stores | p. 272 |
| Mail Transport Agents | p. 272 |
| Message headers | p. 272 |
| Envelopes | p. 272 |
| Sample Configurations | p. 273 |
| Example 1 Sending mail | p. 273 |
| Example 2 Accepting e-mail for multiple domains | p. 274 |
| Example 3 Postfix-Style virtual domains | p. 275 |
| Forwarding from virtual address to virtual address | p. 275 |
| Example 4 Verifying DNS settings for e-mail | p. 277 |
| Example 5 Directing all mail through a central mail hub | p. 285 |
| Example 6 Acting as a mail hub | p. 286 |
| Example 7 Reducing unwanted e-mail | p. 286 |
| Spamassassin basics | p. 288 |
| Chapter 11 Configuring FTP | p. 291 |
| Introducing the FTP Protocol | p. 291 |
| Introducing Washington University FTP (WU-FTP) | p. 293 |
| Installing WU-FTP | p. 293 |
| Introducing the WU-FTP/xinetd configuration file | p. 295 |
| Introducing the ftpaccess configuration file | p. 296 |
| Introducing the ftpconversions file | p. 301 |
| Configuring a Real Mode FTP Server | p. 302 |
| Configuring Guest Accounts | p. 302 |
| Configuring Anonymous Accounts | p. 304 |
| Configuring for Anonymous logins | p. 304 |
| Configuring for anonymous uploads | p. 305 |
| Troubleshooting the WU-FTP Server | p. 308 |
| Conducting general purpose checks | p. 308 |
| Troubleshooting Guest FTP logins | p. 311 |
| Troubleshooting Anonymous FTP logins | p. 313 |
| Chapter 12 Configuring Samba | p. 315 |
| Introducing Samba | p. 315 |
| Examining the smb.conf syntax | p. 317 |
| Examining the smb.conf parameters | p. 317 |
| Examining the smb.conf Structure | p. 317 |
| Learning Samba by Example | p. 319 |
| Configuring Samba to use encrypted passwords | p. 319 |
| Creating Samba shares | p. 323 |
| Accessing an individual user's home directory | p. 323 |
| Introducing Linux and Samba permissions | p. 324 |
| Exporting a service to two or more users | p. 329 |
| Using Samba's macro capability | p. 331 |
| Adding network printers by using Linux and Samba | p. 333 |
| Introducing SWAT | p. 338 |
| Troubleshooting | p. 339 |
| Part IV Managing Your Linux Servers | |
| Chapter 13 Automating Network Backups | p. 343 |
| Introducing AMANDA | p. 344 |
| Understanding AMANDA | p. 344 |
| Introducing the AMANDA server and client | p. 344 |
| Introducing the network services | p. 346 |
| Introducing the configuration files | p. 347 |
| Introducing AMANDA utilities | p. 348 |
| Using AMANDA | p. 350 |
| Building a minimalist backup system | p. 351 |
| Building a simple backup system | p. 353 |
| Automating your backups | p. 359 |
| Troubleshooting | p. 360 |
| Chapter 14 Increasing the Reliability of a Linux Server | p. 363 |
| Locating Single Points of Failure | p. 363 |
| Using the Ext3 Journaling File System | p. 364 |
| Using RAID to Increase Reliability | p. 367 |
| Introducing software RAID | p. 368 |
| Implementing Software RAID | p. 370 |
| Creating a High Availability Linux Cluster | p. 373 |
| Understanding how HA works | p. 373 |
| Exploring HA fail-over modes | p. 374 |
| Creating a simple HA Linux cluster | p. 374 |
| Testing the Heartbeat | p. 377 |
| Part V Increasing Security | |
| Chapter 15 Introducing Basic Server Security | p. 383 |
| Understanding the Threat to Security | p. 383 |
| Going Beyond the Patch | p. 384 |
| Identifying Your Attackers | p. 386 |
| Categorizing attackers | p. 386 |
| Thinking about the Attacks | p. 387 |
| Considering a Defense | p. 390 |
| Chapter 16 Introducing Secure System Administration | p. 399 |
| Sysadmin and the Security Officer | p. 399 |
| Auto-Updating, Patching, and Caveats | p. 400 |
| Production and Development Environments | p. 402 |
| Auto-updating, Caveats, and a Red Hat Solution | p. 404 |
| Minimizing, Standardizing, and Simplifying | p. 405 |
| Embracing minimization | p. 406 |
| The Three Cardinal Virtues | p. 408 |
| Monitoring and Secure Remote Administration | p. 409 |
| Central Management Systems | p. 411 |
| Status Monitoring | p. 412 |
| Chapter 17 Hardening the System | p. 415 |
| Understanding System Hardening | p. 415 |
| Hardening the system manually | p. 417 |
| Stopping or removing unnecessary programs | p. 417 |
| Recapping the Linux startup process | p. 419 |
| Returning to the network daemon audit | p. 425 |
| Hardening the system automatically with Bastille Linux | p. 439 |
| Account Security module | p. 439 |
| Boot Security module | p. 440 |
| Configure Miscellaneous PAM Settings module | p. 440 |
| Deactivate Miscellaneous Daemons module | p. 440 |
| Disable User Tools module | p. 441 |
| File Permissions module | p. 441 |
| Logging module | p. 441 |
| Printing module | p. 442 |
| Secure inetd/xinetd module | p. 442 |
| tmpdir Protection module | p. 442 |
| Apache module | p. 442 |
| BIND (DNS) module | p. 443 |
| FTP module | p. 443 |
| sendmail (E-Mail) module | p. 443 |
| Firewall module | p. 444 |
| Port Scan Attack Detector (PSAD) module | p. 444 |
| Chapter 18 Introducing Simple Intrusion Detection Systems | p. 445 |
| Examining Network vs. Host-Based Intrusion Detection | p. 445 |
| Defining the Scope of Responsibility | p. 446 |
| Your responsibilities | p. 446 |
| Responsibility equals authority | p. 448 |
| Reviewing Useful Network Concepts | p. 449 |
| Packets | p. 449 |
| IP addresses | p. 450 |
| Ports | p. 453 |
| ICMP | p. 457 |
| UDP | p. 457 |
| TCP | p. 457 |
| Probes and threats | p. 459 |
| Devising a Defensive Network Configuration | p. 461 |
| Router filtering and firewalls | p. 461 |
| Ingress/egress filtering | p. 462 |
| DMZ | p. 462 |
| Bastion Hosts | p. 462 |
| Dedicated servers | p. 462 |
| Designing an ID Strategy | p. 463 |
| Setting the Rules | p. 464 |
| Intrusion detectors don't detect intrusions | p. 464 |
| Positive specifications--things that are bad | p. 464 |
| Negative specifications--things that are not good | p. 465 |
| Heuristic anomaly detection--The Holy Grail | p. 465 |
| Our Example NIDS--Snort | p. 466 |
| Description and History (current version: 1.8.6) | p. 466 |
| Overview of Snort Function (selected command-line options) | p. 466 |
| Chapter 19 Log Monitoring and Incident Response | p. 471 |
| Reading Your System Logs | p. 471 |
| Logging | p. 472 |
| Application logging | p. 473 |
| System logging | p. 474 |
| Hybrid logging | p. 475 |
| Syslog | p. 475 |
| Performing Selector Actions | p. 476 |
| Selector fields, facilities, and priorities | p. 476 |
| Destinations | p. 478 |
| Using Logs | p. 479 |
| Direct examination | p. 480 |
| Log parsing tools | p. 480 |
| egrep--fast and dirty | p. 481 |
| Report generation | p. 483 |
| Log monitoring tools | p. 487 |
| Managing Event Responses | p. 488 |
| Panic is bad, think ahead | p. 488 |
| Thinking ahead means policy | p. 488 |
| Appendix A What's Stored at www.wiley.com? | p. 491 |
| Appendix B Configuring a Dial-up Internet Connection | p. 495 |
| Appendix C Automating Your Server Configuration | p. 505 |
| Appendix D Using DHCP | p. 513 |
| Index | p. 517 |
