Services (file, print, remote access, database, etc.) are provided by server programs on your host. Modern servers make a copy of themselves for each request to that service. So at any given moment you may see several instances of a server running, or none at all, depending on how many requests for that service are currently being handled by that server. Running servers you don't need waste memory and CPU cycles, enough to have a user-noticeable effect on system performance.
For this project you are to disable some services (enabled by default during the installation) and to enable the following services on your classroom computer:
httpdtelnetvsftpdhelloservice
There are two types of servers, stand-alone servers such
as web, database, and mail servers,
and on-demand servers such as telnet.
The difference between these two types of services is that a
stand-alone server is always on
once enabled.
This makes for much faster responses to web page or database
requests, since it takes these servers several seconds to start up
each time.
A program (client or server) that is always on is called a
daemon
(pronounced either as DAY-mən
or DEE-mən
),
after the Greek term for a person's attendant spirit
.
(A demon
would be an evil spirit.)
Always-on servers historically are enabled or disabled in sets called
run-levels which are identified by a number.
Changing run-levels will turn off some servers and turn on others.
Your system has a default run-level entered
when you boot up;
for Fedora this is run-level 5
.
On the other hand once services such as telnet are
enabled, a server is started on-demand for each request
received.
Services such as telnet and FTP can start up quickly
so there is no need to have them running all the time.
Such services are managed by a single (always on) super
server called
(or xinetd
on older systems).
Note that on-demand servers can't be manually started and stopped like
stand-alone servers.
All you can do is enable/disable them, so they are ready to start or not
when the next request arrives.
This is done by configuring the inetdsuper
server.
Make sure you keep an accurate system journal of any and all changes you make to your system! You will need to turn this in, along with the answers to the questions asked below.
It should be noted that some students may have firewalls running on
their systems that would prevent access to some services.
However the default firewall will still allow access from
localhost to any service running on that host,
so you can ignore any firewall issues (for now).
Also the default file and directory permissions should be fine.
However other security sub-systems may block access that you will need to manage or turn off. These include TCP Wrappers, SELinux, and possibly PAM.
Answer the following questions and perform the following tasks:
root:
chkconfig --list > ~/service-report.txt
Examine this report.
Which services are running in
your default run-level (usually 5)?
ps -ef and compare
this output to the service-report.txt output
created in the previous step.
Determine which services that are enabled for the current
run-level are actually running.
Why are there services which are
enabled that don't appear to be running now?
chkconfig service report without errors.
Hint:
Run the following commands as root:
cd /etc/init.d
for i in *
do
chkconfig --list $i
done
If some service reports an error, it means that although the
service is present and available, chkconfig can't
control it.
(Note
and some other files in that
directory don't actually represent services, so an error message
on those files is normal.)
To fix this is usually just a matter of running the command:
functions
chkconfig --add name-of-service
If that doesn't work you may need to add the special
init script comments, containing the
chkconfig tags.
What changes (if any) did you need
to make?
system-config-services.
This should give a brief description of each service when you click
on its name.
Stop each service you don't think you are using.
Which services did you stop?
(Note that on non-Red Hat systems you may not have these
commands available.
However there will always be some equivalent command.
may be found instead on
many systems.)
ntsysv
bluetooth server from the command line? bluetooth server from run-level 3,
using the Linux command line tool chkconfig?
isdn service from run-level 3, using standard
Unix/Linux command line utilities such as cp,
mv, rm, ln, etc.,
and not using any GUI tools or command-line tools such as
chkconfig? diff command to compare these two
reports.
Whenever you make changes to services, you can generate a new
report, and compare it to the previous one.
The diff output is useful to include in your system
journal.
What changes are shown
by diff? httpd)
web service:
/etc/httpd/logs/error_log
and the system central log file in /var/log/messages,
and examine the output of a ps -ef listing.
What Apache related message(s) did you
see in the logs?
What Apache related processes are now running? Mozilla and
point to the URL http://localhost/.
What do you see from this URL?
(Make sure you have the correct URL including the trailing
slash!) 3.
What file(s) changed as a result?
(Hint: See the find command tip.)
ln,
enable Apache in run-level 5 as well.
Exactly what command did you use?
telnet network
service:
rpm -q telnet-serveryum install telnet-serverxinetd
as well. xinetd (even though
some files exist in the directory /etc/xinetd.d).
Re-run chkconfig --list and
system-config-services.
What has changed now that
there are on-demand services installed? /etc/init.d you won't find any script
to control the telnet service.
Why not?
Where will you find the configuration file for telnet? vi edit the appropriate file(s) in
/etc/xinetd.d to enable this service.
What file(s) did you edit and what
change(s) did you make?
(Hint: see man xinetd and man xinetd.conf.) xinetd service.
Exactly what command(s) did you use?
ps -ef and examine the
output.
What do you see related to
telnet?
Compare this answer with your answer from question in part
A.2 above.
Does the output agree with what you
expected to see? xinetd server uses TCP
Wrappers
to control access policies.
Edit (or create) the file /etc/hosts.deny to contain
this line:
ALL: ALL
Verify telnet is no longer working. Then examine the system log file. What error message(s) was produced by the telnet attempt?
/etc/hosts.allow
to only permit telnet access from the 10.142.80.0/24
network (that is, IP address 10.142.80.0
with a mask of 255.255.255.0)
and from localhost (or 127.0.0.1).
Verify telnet is working again.
What changes did you make?
(Hints: In the hosts.allow file you need to use
the filename (or pathname) of the telnet daemon.
The actual name of the telnet server (daemon) can be seen by
examining the /etc/xinetd.d/telnet file.
Also see the man page for the hosts.allow file.) /etc/hosts.allow
file to allow ALL services from localhost.
What changes (if any) did you have to
make? At one time FTP was a very vital service on the Internet. Today a lot of files can be found and downloaded using HTTP from a web page. But FTP hasn't gone away.
FTP has low security, as everything is send across the network in plain text (unencrypted) form. For upload configurations, web sites, and work documents, the secure variant sFTP (secure FTP) is preferred. However anonymous FTP is still useful and used.
For this part we will enable vsftpd
(the very secure FTP daemon).
This server can be configured to either run stand-alone
or on-demand.
For this project we will enable vsftpd
to run as a stand-alone service (which is the default).
vsftpd
server on your system. FTP user home from
/var/ftp/var/ftp/pub/var/ftp/pub
(so you can test your anonymous FTP site):
echo 'it works' > /var/ftp/pub/foo.txt chmod a+r /var/ftp/pub/foo.txt
(Make sure the file is readable by everyone.)
/etc/vsftpd/vsftpd.conf
to change the default behavior of the FTP server.
For example you can add:
ftpd_banner=Welcome to the Kaos.coop FTP service!See the comments in that file, and man page for
vsftpd.conf to see what can be changed.
Make a backup copy of the original first!
What changes did you make?
(Use diff command to show.) vsftpd service.
Check logs for any errors.
What log messages were generated (and in
which log files)?
[auser@localhost ~]$ ftp localhost
Use username
or anonymous
for the anonymous user.
By default any password you enter will be accepted, but you must
enter one.
ftp
If this fails to work, what could be
blocking access?
(Hint: Maybe something you did earlier in part C blocks access
to services?)
What did you do (the exact steps) to allow
access to this service (if blocked)?
(You can show a diff listing to indicate the changes
you made.)
help, dir, ls, pwd,
get foo.txt, and to exit, bye
What directory does pwd
show as the current directory?
What files can you see? root!)
getenforce command.
If so, then run (as root) the
setenforce 0 command
to switch to permissive mode.
Now try to log in again.
(In the security course you will learn how to configure SELinux for
this, but for our class it is better to switch it to permissive
mode.
To make the change permanent edit the file
/etc/selinux/config and set the mode from:
SELINUX=enforcing
to:
SELINUX=permissive
Note!
For security reasons modern systems
won't allow you to connect as root, only as a regular
user (or sometimes as an anonymous user such as for
FTP).
pwd and ls this time? chroot
protection for (some) users, you may need to edit the
vsftpd.conf file.
You should start by reading the comments in that file.
If that doesn't help try reading the man page.
Remember that to access services from other hosts have
security issues and may involve configuring the firewall,
TCP wrappers (hosts.allow/deny), or PAM.
(None of this should be necessary for this project.)
what changes, if any, did you make?
/usr/local/bin/hellod#!/bin/sh - echo 'Hello, World!'
/etc/xinetd.d/hello so your new
helloservice can be started on demand. Our new service should listen on port number TCP/9333. (This is a currently unassigned port, according to the master list of port number assignments by the IANA.) The file should have the following contents:
# default: off
# description: Demo service that runs a shell script to say hello, world!
service hello
{
disable = no
socket_type = stream
type = UNLISTED
port = 9333
wait = no
user = nobody
server = /usr/local/bin/hellod
}
xinetd service to make it read the new
configuration.
Check the log file for any messages from xinetd.
What messages resulted from reloading
xinetd?
If any errors were noted, fix them and repeat.
What errors (if any) were found and what
did you do to resolve them?
nc localhost 9333
If you don't have nc installed, you can install
the nc package with yum.
nc
is the Linux name of the netcat
utility.
(Or you can use telnet instead of nc.)
What was the result (output) of running this command?
If this fails to work, what could be
blocking access?
(Hint: Maybe something you did earlier in part C blocks access
to services?)
What did you do (the exact steps) to allow
access to this service (if blocked)?
(You can show a diff listing to indicate the changes
you made.)
Once fixed retry the command.
lsof -inetstat -lA inetlsof lists each process listening, so ports
such as TCP/80 will be listed multiple times,
and netstat won't list on-demand services (just
the super-server xinetd).
Perhaps the simplest way is to run (as root)
the command
nmap -sSU -p 0-65535 localhost
How many ports are open?
What are the meanings of the options to the nmap
command used?
/etc/servicesThe answers to the questions above and the portion of your system journal describing the steps you have taken to enable these services.
You can submit your project as email to . Please see your syllabus for more information about submitting projects.