Red Hat Linux 7.2
The Official Red Hat Linux Reference Guide

Summary of Contents for Red Hat LINUX 7.2

  • Page 1 Red Hat Linux 7.2 The Official Red Hat Linux Reference Guide...
  • Page 2 ISBN: N/A Red Hat, Inc. 2600 Meridian Parkway Durham, NC 27713 USA +1 919 547 0012 (Voice) +1 919 547 0024 (FAX) 888 733 4281 (Voice) P.O. Box 13588 Research Triangle Park, NC 27709 USA © 2001 Red Hat, Inc. rhl-rg(EN)-7.2-Print-RHI (2001-08-30T12:53-0400) Copyright ©...
  • Page 3: Table Of Contents

    Contents Red Hat Linux 7.2 Introduction ... ix; Finding Appropriate Documentation ... ix; Document Conventions.
  • Page 4 Differences in the Boot Process of Other Architectures ... 57; Chapter 4 The /proc Filesystem ... 59; A Virtual Filesystem.
  • Page 5 Chapter 8 Using Kerberos 5 on Red Hat Linux ... 139; Why Use Kerberos? ... 139; Why Not Use Kerberos?
  • Page 6 11.12 Tripwire and Email ... 179; 11.13 Additional Resources ... 180; Part III Network Services Reference.
  • Page 7 15.7 OpenLDAP Daemons and Utilities ... 252; 15.8 Modules for Adding Extra Functionality to LDAP ... 253; 15.9 LDAP How To: A Quick Overview.
  • Page 8 CD-ROM Module Parameters ... 312; SCSI parameters ... 315; Ethernet parameters.
  • Page 9: Introduction

    Section 0.1:Finding Appropriate Documentation Introduction Welcome to the Official Red Hat Linux Reference Guide. The Official Red Hat Linux Reference Guide contains useful information about your Red Hat Linux system. From fundamental concepts, such as the structure of the Red Hat Linux filesystem, to the finer points of system security and authentication control, we hope you will find this book to be a valuable resource.
  • Page 10 Introduction This type of user has never used any Linux (or Linux-like) operating system before or has had only limited exposure to Linux. They may or may not have experience using other operating systems (such as Windows). Is this you? If so, skip ahead to Documentation For First-Time Linux Users.
  • Page 11 Introduction to Linux Websites • http://www.redhat.com — On the Red Hat website, you will find links to the Linux Documentation Project (LDP), online versions of the Red Hat Linux manuals, FAQs (Frequently Asked Questions), a database which can help you find a Linux Users Group near you, technical information in the Red Hat Support Knowledge Base, and more.
  • Page 12 Introduction • linux.redhat.rpm — A good place to go if you are having trouble using RPM to accomplish particular objectives. Beginning Linux Books • Red Hat Linux for Dummies, 2nd Edition by Jon "maddog" Hall; IDG • Special Edition Using Red Hat Linux by Alan Simpson, John Ray and Neal Jamison; Que •...
  • Page 13: Document Conventions

    Section 0.2:Document Conventions xiii Document Conventions When you read this manual, you will see that certain words are represented in different fonts, typefaces, sizes and weights. This highlighting is systematic; different words are represented in the same style to indicate their inclusion in a specific category. The types of words that are represented this way include the following: command Linux commands (and other operating system commands, when used) are represented this way.
  • Page 14 Introduction [Ctrl]-[Alt]-[Backspace] key combination will restart the X Window System. text found on a GUI interface A title, word or phrase found on a GUI interface screen or window will be shown in this style. When you see text shown in this style, it is being used to identify a particular GUI screen or an element on a GUI screen (e.g., text associated with a checkbox or field).
  • Page 15 Section 0.2:Document Conventions A prompt, which is a computer’s way of signifying that it is ready for you to input something, will be shown in this style. Examples: [stephen@maturin stephen]$ leopard login: user input Text that the user has to type, either on the command line, or into a text box on a GUI screen, is displayed in this style.
  • Page 16: Using The Mouse

    Introduction CAUTION Do not do routine tasks as root — use a regular user account unless you need to use the root account to administer your system. WARNING If you choose not to partition manually, a server installation will remove all existing partitions on all installed hard drives.
  • Page 17: Sign Up For Support

    Under the Brim: The Official Red Hat E-Newsletter — Every month, get the latest news and product information directly from Red Hat. To sign up, go to http://www.redhat.com/apps/activate/. You will find your Product ID on a black, red, and white card in your Official Red Hat Linux box.
  • Page 18 xviii Introduction The Red Hat Documentation Team...
  • Page 19: Part I System Reference

    Part I System Reference...
  • Page 21: Chapter 1 Filesystem Structure

    Section 1.2:Overview of Filesystem Hierarchy Standard (FHS) 1 Filesystem Structure 1.1 Why Share a Common Structure? An operating system’s filesystem structure is its most basic level of organization. Almost all of the ways an operating system interacts with its users, applications, and security model are dependent upon the way it stores its files on a primary storage device (normally a hard disk drive).
  • Page 22 Chapter 1:Filesystem Structure The current FHS document is the authoritative reference to any FHS-compliant filesystem, but the standard leaves many areas undefined or extensible. In this section, we provide an overview of the standard and a description of the parts of the filesystem not covered by the standard. The complete standard is available at: http://www.pathname.com/fhs Compliance with the standard means many things, but the two most important are compatibility with...
  • Page 23 Section 1.2:Overview of Filesystem Hierarchy Standard (FHS) The /opt Directory The /opt directory provides an area for usually large, static application software packages to be stored. For packages that wish to avoid putting their files throughout the filesystem, /opt provides a logical and predictable organizational system under that package’s directory.
  • Page 24 Chapter 1:Filesystem Structure reboot, route, shutdown, swapoff, swapon, update The /usr Directory The /usr directory is for files that can be shared across a whole site. The /usr directory usually has its own partition, and it should be mountable read-only. The following directories should be subdirectories of /usr: /usr |- bin...
  • Page 25 Section 1.2:Overview of Filesystem Hierarchy Standard (FHS) |- bin |- doc |- etc |- games |- include |- lib |- libexec |- sbin |- share |- src The /var Directory Since the FHS requires that you be able to mount /usr read-only, any programs that write log files or need spool or lock directories should probably write them to the /var directory.
  • Page 26: Special Red Hat Linux File Locations

    Chapter 1:Filesystem Structure |- news |- rwho |- samba |- slrnpull |- squid |- up2date |- uucp |- uucppublic |- vbox |- voice |- tmp |- www |- yp System log files such as messages and lastlog go in /var/log. The /var/lib/rpm directory also contains the RPM system databases.
  • Page 27: Chapter 2 Users And Groups

    While you can use useradd to create a new user from the shell prompt, a popular way to manage users and groups is through redhat-config-users (see the Official Red Hat Linux Customization Guide for more information).
  • Page 28 Chapter 2:Users and Groups User Home Directory Shell /var/spool/lpd sync /sbin /bin/sync shutdown /sbin /sbin/shutdown halt /sbin /sbin/halt mail /var/spool/mail news /var/spool/news uucp /var/spool/uucp operator /root games /usr/games gopher /usr/lib/gopher-data /var/ftp nobody apache /var/www named /var/named piranha /etc/sysconfig/ha amanda var/lib/amanda/ ident /sbin/nologin...
  • Page 29: Standard Groups

    Section 2.3:Standard Groups User Home Directory Shell rpcuser /var/lib/nfs junkbust /etc/junkbuster /var/gdm squid /dev/null /var/spool/squid nscd /var/lib/rpm mailman /var/mailman radvd postgres /var/lib/pgsql 2.3 Standard Groups In Table 2–2, Standard Groups, you will find the standard groups as set up by the installation process (as seen in the /etc/group file).
  • Page 30 Chapter 2:Users and Groups Group Members root wheel mail mail news news uucp uucp games gopher nobody users piranha piranha ident ident floppy utmp slocate pppusers popusers slipusers postgres postgres nscd nscd...
  • Page 31: User Private Groups

    Section 2.4:User Private Groups Group Members mailnull mailnull rpcusers apache apache squid squid named named junkbust junkbust mysql mysql mailman mailman ldap ldap 2.4 User Private Groups Red Hat Linux uses a user private group (UPG) scheme, which makes UNIX groups easier to use. The UPG scheme does not add or change anything in the standard UNIX way of handling groups;...
  • Page 32 You can add a user to a group using redhat-config-users (see the Official Red Hat Linux Customization Guide), or if you prefer to use the command line, use the /usr/sbin/groupadd groupname command to create a group.
  • Page 33: Shadow Utilities

    Section 2.5:Shadow Utilities to associate the contents of the directory with the emacs group and add the proper users to the group: /usr/bin/gpasswd -a < username > emacs • To allow the users to actually create files in the directory you enter: chmod 775 /usr/lib/emacs/site-lisp •...
  • Page 34 Chapter 2:Users and Groups The shadow-utils package contains a number of utilities that support: • Conversion from normal to shadow passwords and back (pwconv, pwunconv) • Verification of the password, group, and associated shadow files (pwck, grpck) • Industry-standard methods of adding, deleting and modifying user accounts (useradd, usermod, and userdel) •...
  • Page 35: Chapter 3 Boot Process, Init, And Shutdown

    Section 3.2:Behind the Scenes of the Boot Process 3 Boot Process, Init, and Shutdown This chapter contains information on what happens when you boot or shut down your Red Hat Linux system. Note This chapter focuses on LILO, the default boot loader for Red Hat Linux 7.1 and earlier versions.
  • Page 36 Chapter 3:Boot Process, Init, and Shutdown and is always available for use. The BIOS provides the lowest level interface to peripheral devices and controls the first step of the boot process. The BIOS tests the system, looks for and checks peripherals, and then looks for a drive to use to boot the system.
  • Page 37 Section 3.2:Behind the Scenes of the Boot Process boot=/dev/hda map=/boot/map install=/boot/boot.b prompt timeout=50 message=/boot/message lba32 default=linux image=/boot/vmlinuz-2.4.0-0.43.6 label=linux initrd=/boot/initrd-2.4.0-0.43.6.img read-only root=/dev/hda5 other=/dev/hda1 label=dos This example shows a system configured to boot two operating systems: Red Hat Linux and DOS. Here is a deeper look at a few of the lines of this file (your /etc/lilo.conf may look a little different): •...
  • Page 38 Chapter 3:Boot Process, Init, and Shutdown • image=/boot/vmlinuz-2.4.0-0.43.6 specifies the linux kernel to boot with this particular boot option. • label=linux names the operating system option in the LILO screen. In this case, it also is the name that is referred to by the default line. •...
  • Page 39 Section 3.2:Behind the Scenes of the Boot Process When init starts, it becomes the parent or grandparent of all of the processes that start up automatically on your Red Hat Linux system. First, it runs the /etc/rc.d/rc.sysinit script, which sets your path, starts swapping, checks the filesystems, and so on.
  • Page 40 Chapter 3:Boot Process, Init, and Shutdown in a particular order so that they start in that order. You can change the order in which the services start up or are killed by changing the name of the symbolic link that refers to the script that actually starts or kills the service.
  • Page 41 Section 3.2:Behind the Scenes of the Boot Process S06reconfig -> ../init.d/reconfig S08ipchains -> ../init.d/ipchains S10network -> ../init.d/network S12syslog -> ../init.d/syslog S13portmap -> ../init.d/portmap S14nfslock -> ../init.d/nfslock S18autofs -> ../init.d/autofs S20random -> ../init.d/random S25netfs -> ../init.d/netfs S26apmd -> ../init.d/apmd S35identd -> ../init.d/identd S40atd ->...
  • Page 42 Chapter 3:Boot Process, Init, and Shutdown initiates a login process for that user. This allows users to authenticate themselves to the system and begin to use it. Also, /etc/inittab tells init how it should handle a user hitting [Ctrl]-[Alt]-[Delete] at the console...
  • Page 43: Sysconfig Information

    Section 3.3:Sysconfig Information • rc.sysinit handles most of the boot loader’s processes and then runs rc.serial (if it exists) • init runs all the scripts for the default runlevel • init runs /etc/rc.d/rc.local The default runlevel is decided in /etc/inittab. You should have a line close to the top like: id:3:initdefault: The default runlevel is 3 in this example, the number after the first colon.
  • Page 44 Chapter 3:Boot Process, Init, and Shutdown • authconfig • cipe • clock • desktop • firewall • harddisks • hwconf • i18n • init • ipchains • iptables • irda • keyboard • kudzu • mouse • network • pcmcia •...
  • Page 45 Section 3.3:Sysconfig Information /etc/sysconfig/apmd The /etc/sysconfig/apmd file is used by apmd as a configuration for what things to start/stop/change on suspend or resume. It is set up to turn on or off apmd during startup, depending on whether your hardware supports Advanced Power Management (APM) or if you choose not to use it.
  • Page 46 Chapter 3:Boot Process, Init, and Shutdown • UTC= <value> , where <value> is one of the following boolean values: – true — Indicates that the clock is set to Universal Time. Any other value indicates that it is set to local time. •...
  • Page 47 Section 3.3:Sysconfig Information • Multiple_IO=16, where a setting of 16 allows for multiple sectors per I/O interrupt. When enabled, this feature reduces operating system overhead by 30-50%. Use with caution. • EIDE_32BIT=3 enables (E)IDE 32-bit I/O support to an interface card. •...
  • Page 48 Chapter 3:Boot Process, Init, and Shutdown • SETCOLOR_FAILURE= <value> , where <value> sets the color to a color indicating failure. Defaults to ANSI sequences output by echo -e, setting the color to red. • SETCOLOR_WARNING= <value> , where <value> sets the color to a color indicating warning. Defaults to ANSI sequences output by echo -e, setting the color to yellow.
  • Page 49 Section 3.3:Sysconfig Information The following values may be used: • IRDA= <value> , where <value> is one of the following boolean values: – yes — irattach will be run, which periodically checks to see if anything is trying to connect to the infrared port, such as another notebook computer trying to make a network connection.
  • Page 50 Chapter 3:Boot Process, Init, and Shutdown • SAFE= <value> , where <value> is one of the following: – yes — kudzu does a safe probe. – no — kudzu does a normal probe. /etc/sysconfig/mouse The /etc/sysconfig/mouse file is used to specify information about the available mouse. The following values may be used: •...
  • Page 51 Section 3.3:Sysconfig Information /etc/sysconfig/network The /etc/sysconfig/network file is used to specify information about the desired network configuration. The following values may be used: • NETWORKING= <value> , where <value> is one of the following boolean values: – yes — Networking should be configured. –...
  • Page 52 Chapter 3:Boot Process, Init, and Shutdown • PCIC_OPTS= <value> , where <value> is the socket driver (i82365 or tcic) timing parameters. • CORE_OPTS= <value> , where <value> is the list of pcmcia_core options. • CARDMGR_OPTS= <value> , where <value> is the list of options for the PCMCIA cardmgr (such as -q for quiet mode;...
  • Page 53 Section 3.3:Sysconfig Information /etc/sysconfig/ups The /etc/sysconfig/ups file is used to specify information about any Uninterruptible Power Supplies (UPS) connected to your system. A UPS can be very valuable for a Red Hat Linux system because it gives you time to correctly shut down the system in the case of power interruption. The following values may be used: •...
  • Page 54: Init Runlevels

    Chapter 3:Boot Process, Init, and Shutdown • VNCSERVERS= <value> , where <value> is set to something like "1:fred", to indicate that a VNC server should be started for user fred on display :1. User fred must have set a VNC password using vncpasswd before attempting to connect to the remote VNC server.
  • Page 55 Section 3.4:Init Runlevels them to quickly move in and out of their custom configuration without disturbing the normal set of features at the standard runlevels. If your machine gets into a state where it will not boot due to a bad /etc/inittab or will not let you log in because you have a corrupted /etc/passwd (or if you have simply forgotten your password), boot into single-user mode.
  • Page 56: Running Programs At Boot Time

    Chapter 3:Boot Process, Init, and Shutdown 3.5 Running Programs at Boot Time The file /etc/rc.d/rc.local script is run by init at boot time, after all other initialization is complete, and whenever you change runlevels. You can add additional initialization commands here. For instance, you may want to start up additional daemons or initialize a printer.
  • Page 57: Differences In The Boot Process Of Other Architectures

    Section 3.7:Differences in the Boot Process of Other Architectures 3.7 Differences in the Boot Process of Other Architectures Each computer architecture supported by Red Hat Linux boots the operating system in a different way. However, once the Red Hat Linux kernel begins booting and hands off the boot process to init, the same events happen on each architecture in exactly the same way.
  • Page 58 Chapter 3:Boot Process, Init, and Shutdown...
  • Page 59: Chapter 4 The /Proc Filesystem

    Section 4.1:A Virtual Filesystem 4 The /proc Filesystem The /proc directory contains virtual files that are windows into the current state of the running Linux kernel. This allows the user to peer into a vast array of information, effectively providing them with the kernel’s point-of-view within the system.
  • Page 60 Chapter 4:The /proc Filesystem -r--r--r-- 1 root root 0 May 3 11:42 execdomains -r--r--r-- 1 root root 0 May 3 11:42 fb -r--r--r-- 1 root root 0 May 3 11:42 filesystems [root@bleach /]# The /proc virtual files exhibit some interesting qualities. First, most of them are 0 bytes in size. However, when the file is viewed, it likely contains quite a bit of information.
  • Page 61 Section 4.1:A Virtual Filesystem [root@bleach /]# cat /proc/cpuinfo processor : 0 vendor_id : GenuineIntel cpu family : 6 model model name : Celeron (Mendocino) stepping : 0 cpu MHz : 416.537 cache size : 128 KB fdiv_bug : no hlt_bug : no f00f_bug : no coma_bug : no...
  • Page 62: Top-Level Files In /Proc

    Chapter 4:The /proc Filesystem 4.2 Top-Level Files in /proc Most of the files at the top-level of the /proc directory hold key pieces of information about the state of the Linux kernel and your system in general. It is important to remember that the content of the files in the /proc directory and its various subdirectories is entirely dependent on information concerning your system.
  • Page 63 Section 4.2:Top-Level Files in /proc When the same machine is unplugged from its power source and running on its own batteries for a few minutes, you will see the contents of the apm file change: 1.14 1.2 0x03 0x00 0x00 0x01 99% 1792 min In this state, the apm command yields readable information from this data: [ed@blink /]$ apm -v APM BIOS 1.2 (kernel driver 1.14)
  • Page 64 Chapter 4:The /proc Filesystem : yes fpu_exception : yes cpuid level : 2 : yes flags : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov bogomips : 666.82 Quite a bit of information is available here. Among the highlights: •...
  • Page 65 Section 4.2:Top-Level Files in /proc 162 raw 180 usb Block devices: 1 ramdisk 2 fd 3 ide0 9 md 22 ide1 The output from /proc/devices includes the major number and name of the device. Character devices are similar to block devices, except for two basic differences. First, block devices have a buffer available for requests sent to them, allowing them to order the requests before dealing with them.
  • Page 66 Chapter 4:The /proc Filesystem 0-255 Linux [kernel] Think of execution domains as a kind of "personality" of a particular operating system. Other binary formats, such as Solaris, UnixWare, and FreeBSD, can be used with Linux. By changing the personality of a task running in Linux, a programmer can change the way the operating system treats particular system calls from a certain binary.
  • Page 67 Section 4.2:Top-Level Files in /proc XT-PIC keyboard XT-PIC cascade 80111 XT-PIC usb-uhci, eth0 XT-PIC 6107 XT-PIC PS/2 Mouse 60324 XT-PIC ide0 541741 XT-PIC ide1 NMI: ERR: For a multi-processor machine, this file may look slightly different: CPU0 CPU1 0: 1366814704 XT-PIC timer IO-APIC-edge...
  • Page 68 Chapter 4:The /proc Filesystem 00000000-0009fbff : System RAM 0009fc00-0009ffff : reserved 000a0000-000bffff : Video RAM area 000c0000-000c7fff : Video ROM 000f0000-000fffff : System ROM 00100000-03ffcfff : System RAM 00100000-002557df : Kernel code 002557e0-0026c80b : Kernel data 03ffd000-03ffefff : ACPI Tables 03fff000-03ffffff : ACPI Non-volatile Storage dc000000-dfffffff : S3 Inc.
  • Page 69 Section 4.2:Top-Level Files in /proc 4.2.12 /proc/isapnp This file lists Plug and Play (PnP) cards in ISA slots on the system. This is most often seen with sound cards but may include any number of devices. A /proc/isapnp file with Soundblaster entry in it looks similar to this: Card 1 ’CTL0070:Creative ViBRA16C PnP’...
  • Page 70 Chapter 4:The /proc Filesystem Do not try to cat or otherwise attempt to view this file. Its contents are designed to be examined by a debugger, such as gdb, the GNU Debugger. Only the root user has the rights to view this file. 4.2.14 /proc/kmsg This file is used to hold messages generated by the kernel.
  • Page 71 Section 4.2:Top-Level Files in /proc Each lock is assigned a unique number at the beginning of each line. The second column refers to the class of lock used, with FLOCK signifying the older-style UNIX file locks from a flock system call and POSIX representing the newer POSIX locks from the lockf system call.
  • Page 72 Chapter 4:The /proc Filesystem MemFree: 8108 kB MemShared: 0 kB Buffers: 117916 kB Cached: 47548 kB Active: 135300 kB Inact_dirty: 29276 kB Inact_clean: 888 kB Inact_target: 0 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 255576 kB LowFree: 8108 kB SwapTotal: 393552 kB SwapFree:...
  • Page 73 Section 4.2:Top-Level Files in /proc • LowTotal and LowFree — The total and free amount of memory, respectively, that is directly mapped into kernel space. The LowTotal value can vary based on the type of kernel used. • SwapTotal — The total amount of swap available, in kilobytes. •...
  • Page 74 Chapter 4:The /proc Filesystem none /dev/pts devpts rw 0 0 automount(pid696) /misc autofs rw 0 0 The output found here is similar to contents of /etc/mtab, except that /proc/mount can be more current. The first column specifies the device that is mounted, with the second column revealing the mount- point.
  • Page 75 Section 4.2:Top-Level Files in /proc • name — The name of the partition. 4.2.25 /proc/pci This file contains a full listing of every PCI device on your system. Depending on the number of PCI devices you have, /proc/pci can get rather long. An example from this file on a basic system looks similar to this: 0, device 0, function...
  • Page 76 Chapter 4:The /proc Filesystem 4.2.26 /proc/slabinfo This file gives information about memory usage on the slab level. Linux kernels greater than 2.2 use slab pools to manage memory above the page level. Commonly used objects have their own slab pools. The /proc/slabinfo file can be rather long, but it starts off similar to this: slabinfo - version: 1.1 kmem_cache...
  • Page 77 This file tells you the versions of the Linux kernel and gcc, as well as the version of Red Hat Linux installed on the system: Linux version 2.4.2-2 (root@porky.devel.redhat.com) (gcc version 2.96 20000731 (Red Hat Linux 7.1 2.96-79)) #1 Sun Apr 8 20:41:30 EDT 2001...
  • Page 78: Directories In /Proc

    Chapter 4:The /proc Filesystem This information is used for a variety of purposes, including providing the version data at the standard login prompt. 4.3 Directories in /proc Common groups of information concerning the kernel are grouped into directories and sub-directories within /proc.
  • Page 79 Section 4.3:Directories in /proc • environ — Gives a list of the environment variables for the process. The environment variable is given in all upper-case characters, and the value is in lower-case characters. • exe — A link to the executable of this process. •...
  • Page 80 Chapter 4:The /proc Filesystem Number of pages that are shared Number of pages are code Number of pages of data/stack Number of pages of library Number of dirty pages • status — Provides the status of the process in a form that is much more readable than stat or statm.
  • Page 81 Section 4.3:Directories in /proc 4.3.2 /proc/bus This directory contains information specific to the various busses available on the system. So, for example, on a standard system containing ISA, PCI, and USB busses, current data on each of these busses is available in its directory under /proc/bus. The contents of the sub-directories and files available varies greatly on the precise configuration of your system.
  • Page 82 Chapter 4:The /proc Filesystem A common file found here is rtc, which provides output from the driver for the system’s Real Time Clock (RTC), the device that keeps the time while the system is switched off. Sample output from /proc/driver/rtc looks like this: rtc_time : 18:06:33 rtc_date : 2001-05-08 rtc_epoch : 1900...
  • Page 83 Section 4.3:Directories in /proc DMA enabled: UDMA enabled: UDMA enabled: UDMA Navigating into the directory for an IDE channel, such as ide0 for the first channel, provides additional information. The channel file provides the channel number, while the model tells you the bus type for the channel (such as pci).
  • Page 84 Chapter 4:The /proc Filesystem max_kb_per_request multcount nice1 nowerr number pio_mode write-only slow unmaskirq using_dma 4.3.6 /proc/irq This directory is used to set IRQ to CPU affinity, which allows you to connect a particular IRQ to only one CPU. Alternatively, you can exclude a CPU from handling any IRQs. Each IRQ has its own directory, allowing for each IRQ to be configured different from any other.
  • Page 85 Section 4.3:Directories in /proc input ACCEPT 1 0 93537 0 12626171 forward ACCEPT 1 0 0 0 0 output ACCEPT 1 0 14270 0 3796697 • ip_masquerade — Provides a table of masquerading information. • ip_mr_cache — List of the multicast routing cache. •...
  • Page 86 Chapter 4:The /proc Filesystem Attached devices: Host: scsi1 Channel: 00 Id: 05 Lun: 00 Vendor: NEC Model: CD-ROM DRIVE:466 Rev: 1.06 Type: CD-ROM ANSI SCSI revision: 02 Host: scsi1 Channel: 00 Id: 06 Lun: 00 Vendor: ARCHIVE Model: Python 04106-XXX Rev: 7350 Type: Sequential-Access ANSI SCSI revision: 02...
  • Page 87 Section 4.3:Directories in /proc Ultra Enable Flags: 0x0020 Tag Queue Enable Flags: 0x0000 Ordered Queue Tag Flags: 0x0000 Default Tag Queue Depth: 8 Tagged Queue By Device array for aic7xxx host instance 1: {255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255} Actual queue depth per device for aic7xxx host instance 1: {1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1} Statistics: (scsi1:0:5:0)
  • Page 88 Chapter 4:The /proc Filesystem WARNING Never attempt to tweak your kernel’s settings on a production system using the various files in the /proc/sys directory. Occasionally, changing a setting may render the kernel unstable, requiring a reboot of the system.
  • Page 89 Section 4.3:Directories in /proc or restarting a system, syncing all mounted filesystems, or dumping important information to your console. This feature is most useful when using a development kernel or if you are experiencing system freezes. For more information on the System Request Key, refer to /usr/src/linux-2.4/Documentation/sysrq.txt.
  • Page 90 Chapter 4:The /proc Filesystem Can write CD-R: Can write CD-RW: 0 Can read DVD: Can write DVD-R: 0 Can write DVD-RAM: 0 This file can be quickly scanned to discover the qualities of an unknown CD-ROM, at least in the eyes of the kernel.
  • Page 91 Section 4.3:Directories in /proc • super-max — Controls the maximum number of superblocks available. • super-nr — Displays the current number of superblocks in use. /proc/sys/kernel This directory contains a variety of different configuration files that directly affect the operation of the kernel.
  • Page 92 Chapter 4:The /proc Filesystem • msgmnb — Sets the maximum number of bytes in a single message queue. By default, 16384. • msgmni — Sets the maximum number of message queue identifiers. By default, 16. • osrelease — Lists the Linux kernel release number. This file can only be altered by changing the kernel source and recompiling.
  • Page 93 Section 4.3:Directories in /proc • rtsig-nr — The current number of POSIX realtime signals queued by the kernel. • sem — This file configures semaphore settings within the kernel. A semaphore is a System V IPC object that is used to control utilization of a particular process. •...
  • Page 94 Chapter 4:The /proc Filesystem The idea is that an attacker could bombard your system with requests that generate errors and fill up your logs or require all of your system’s resources to handle error logging. The settings in message_burst and message_cost are designed to be modified based on your system’s acceptable risk versus the need for comprehensive logging.
  • Page 95 Section 4.3:Directories in /proc • ip_forward — Permits interfaces on the system to forward packets to one another. By default, this file is set to 0 to disable forwarding, but setting this file to 1 will enable forwarding. • ip_local_port_range — Specifies the range of ports to be used by TCP or UDP when a local port is needed.
  • Page 96 Chapter 4:The /proc Filesystem • buffermem — Allows you to control the percentage amount of total system memory to be used for buffer memory. Typical output for this file looks like this: The first and last values set the minimum and maximum percentage of memory to be used as buffer memory, respectively.
  • Page 97 Section 4.3:Directories in /proc • pagetable_cache — Controls the number of page tables that are cached on a per-processor basis. The first and second values relate to the minimum and maximum number of page tables to set aside, respectively. Additional information on these various files can be found in /usr/src/linux-2.4/Documentation/sysctl/vm.txt.
  • Page 98: Using Sysctl

    Chapter 4:The /proc Filesystem Registered line disciplines are stored in the ldiscs file, with detailed information available in the ldisc directory. 4.4 Using sysctl Setting kernel parameters in the /proc/sys directory need not be a manual process or one that requires echoing values into a virtual file, hoping they are correct.
  • Page 99 Section 4.5:Additional Resources comprehensive guide to this information. Rather, you should definitely investigate additional sources of information about /proc before tweaking your kernel. 4.5.1 Installed Documentation Most of the best /proc documentation is probably already available on your system. • /usr/src/linux-2.4/Documentation/filesystems/proc.txt —...
  • Page 100 Chapter 4:The /proc Filesystem...
  • Page 101: Chapter 5 Grub

    Section 5.1:Defining GRUB 5 GRUB Before Red Hat Linux can start up on your system, it must be told to boot by special instructions placed on a boot loader, code that exists on your primary hard drive or other media device that knows how to start the Linux kernel.
  • Page 102 Chapter 5:GRUB The primary boot loader must exist in the very small space allocated for the MBR, which is less than 512 bytes. Therefore, the only thing the primary boot loader accomplishes is loading the secondary boot loader, due to the fact that there is not enough space in the MBR for anything else. Loading the secondary boot loader, commonly called Stage 2.
  • Page 103 Section 5.1:Defining GRUB 5.1.2 GRUB Features GRUB contains a number of features that make it preferable to other available boot loaders. These are some of the most important: • GRUB provides a true command-based, pre-OS environment on x86 machines to allow maximum flexibility in loading operating systems with certain options or gathering information about the system.
  • Page 104: Terminology

    Chapter 5:GRUB 5.1.3 Installing GRUB If during the Red Hat Linux installation process you did not install GRUB, here is how you can install it and make it your default boot loader. Note If you are already using LILO as your boot loader, you do not have to remove it in order to use GRUB.
  • Page 105 Section 5.2:Terminology Note Remember that GRUB’s numbering system for devices starts at 0, and not 1. This is one of the most common mistakes made by new GRUB users. The <partition-number> relates to the number of a specific partition on that device. Like the <bios-device-number>...
  • Page 106: Interfaces

    Chapter 5:GRUB This blocklist tells GRUB to use a file that starts at the first block on the partition and uses blocks 0 through 49, 99 through 124, and 199. Knowing how to write blocklists is useful when using GRUB to load operating systems that use chain loading, such as Microsoft Windows.
  • Page 107: Commands

    Section 5.4:Commands From the menu interface, you can also press the key to edit the highlighted menu entry’s commands or the key to move to a command line interface. 5.3.2 Menu Entry Editor Interface To get to this interface, you must press the key from the menu interface.
  • Page 108 Chapter 5:GRUB The following list gives the most useful commands: • boot — Boots the operating system or chain loader that has been previously specified and loaded. • chainloader <file-name> — Loads the specified file as a chain loader. To grab the file at the first sector of the specified partition, you can use +1 as the file’s name.
  • Page 109: The Menu Configuration File

    Section 5.5:The Menu Configuration File kernel when it loads should be on hda5, the fifth partition on the first IDE hard drive. Multiple options may be placed after this option, if you need them. • root <device-and-partition> — Configures GRUB’s root partition to be the particular device and partition, such as (hd0,0), and mounts the partition so that files can be read.
  • Page 110: Additional Resources

    Chapter 5:GRUB • splashimage — Specifies the location of the splash screen image to be used when GRUB boots. • title — Sets a title to be used with a particular group of commands used to load an operating system. The # character can be used to place comments in the menu configuration file.
  • Page 111 — The original GRUB documentation before the project was handed off to the Free Software Foundation for further development. • http://www.redhat.com/mirrors/LDP/HOWTO/mini/Multiboot-with-GRUB.html — Investigates various uses for GRUB, including booting operating systems other than Linux. • http://www.linuxgazette.com/issue64/kohli.html — An introductory article discussing the con- figuration of GRUB on your system from scratch, including an overview of GRUB command line options.
  • Page 112 Chapter 5:GRUB...
  • Page 113: Servers And Clients

    Section 6.1:The Power of X 6 X Servers and Clients While the heart of Red Hat Linux is the kernel, for workstation users, the X environment is the face of the operating system. The kernel provides the engine for everything that happens, managing processes and resources virtually unseen.
  • Page 114: The Xfree86 Server

    Chapter 6:X Servers and Clients CAUTION Xconfigurator should not be used to configure XFree86 while the X server is currently active. If your system defaults to starting up directly into X (runlevel 5), you should switch to runlevel 3 prior to running Xconfigurator.
  • Page 115 Section 6.2:The XFree86 Server The /etc/X11 directory hierarchy contains all of the configuration files for the various components that make up the X Window System. This includes configuration files for the X server itself, the font server (xfs), xdm, and many other base components. Display managers such as gdm and kdm, as well as various window managers, and other X tools also store their configuration in this hierarchy.
  • Page 116 Chapter 6:X Servers and Clients Each section begins with a Section " <section-name> " line and ends with an EndSection line. Within each of the sections, you will find several lines containing an option name and at least one option value, occasionally seen in quotes. Given the similarities between the two types of configuration files, the following list explores the most useful sections of an XFree86 version 4 file and the roles of various popular settings.
  • Page 117 Section 6.2:The XFree86 Server Files Points the XFree86 server to specific files that are used when it starts. These files contain information about particular services needed by the server. The most common options include: • FontPath — Sets the locations where the XFree86 server can find fonts. Different fixed paths to directories holding font files can be placed here, separated by commas.
  • Page 118 Chapter 6:X Servers and Clients Refers to the type of monitor used by the system. There may be several Monitor sections, one for each monitor in use with the machine, with one Monitor section as the minimum. WARNING Be careful when manually editing values in the options of the Monitor section.
  • Page 119 Section 6.2:The XFree86 Server • DefaultDepth — Tells the Screen section the default color depth to try, in bits. 8 is the default, 16 provides thousands of colors, and 32 displays millions of colors. • Device — Signifies the name of the Device section to use with this Screen section. •...
  • Page 120: Desktop Environments And Window Managers

    Chapter 6:X Servers and Clients For more information, refer to the XF86Config man page which contains a comprehensive list of detailed options. To review the current configuration of your XFree86 server, type the xset -q command. This will provide you with information about your keyboard, pointer, screen saver, and font paths. 6.3 Desktop Environments and Window Managers The configuration of an XFree86 server is useless until accessed by an X client that will use it to display a program using the hardware controlled by the X server.
  • Page 121: Runlevels

    Section 6.4:Runlevels • WindowMaker — The fully-featured GNU window manager designed to emulate the look and feel of the NEXTSTEP environment. These window managers can be run as individual X clients to gain a better sense of their differences. Type the xinit <path-to-window-manager> command, where <path-to-window-manager>...
  • Page 122 Chapter 6:X Servers and Clients provide any services utilized by most users. Runlevel 5 is similar to 3, except that it automatically starts X and provides a graphical login screen. Many workstation users prefer this method, because it never forces them to see a command prompt. The default runlevel used when your system boots can be found in the /etc/inittab file.
  • Page 123 Section 6.4:Runlevels the .Xclients-default file. If .Xclients does not exist in the user’s home directory, the standard /etc/X11/init/Xclients script attempts to start another desktop environment, trying GNOME first and then KDE. If a desktop environment cannot be found by this point, Xclients cycles through a list of window managers to find the one to start, after attempting the default window manager listed in the .wm_style file in the user’s home directory.
  • Page 124: Fonts

    Chapter 6:X Servers and Clients .xsession and .Xclients files in the user’s home directory to decide which desktop environment to load. As a last resort, the /etc/X11/xinit/Xclients file is used to select a desktop environment or window manager to use in the same way as runlevel 3. When the user finishes an X session on the default display (:0) and logs out, the /etc/X11/xdm/TakeConsole script runs and reassigns ownership of the console to the root user.
  • Page 125 Section 6.5:Fonts • alternate-servers — Sets a list of alternate font servers to be used if this font server is not available. A comma must separate every font server in the list. • catalogue — An ordered list of font paths to use that contain the font files. A comma must follow every font path before a new font path can be started in the list.
  • Page 126: Additional Resources

    Chapter 6:X Servers and Clients Create a font directory, such as /usr/share/fonts, and place the fonts inside that directory. Be sure to set the permissions correctly; it is only necessary that the files can be read, no other permissions are necessary. Type the chkfontpath --add <font-directory-path>...
  • Page 127 The DRI is the core hardware 3D acceleration component of XFree86, and their website provides various resources that may prove helpful. • http://www.redhat.com/mirrors/LDP/HOWTO/XFree86-HOWTO — A HOWTO document detailing the manual installation and custom configuration of XFree86. • http://www.gnome.org — The home of the GNOME project, the default XFree86 desktop environment in Red Hat Linux.
  • Page 128 Chapter 6:X Servers and Clients • The New XFree86 by Bill Ball; Prima Publishing — Provides a good, overall look at XFree86 and its relationship with the popular desktop environments, such as GNOME and KDE. • Beginning GTK+ and GNOME by Peter Wright; Wrox Press, Inc. — Introduces programmers to the GNOME architecture, showing them how to get started with GTK+.
  • Page 129: Part Ii Security Reference

    Part II Security Reference...
  • Page 131: Chapter 7 Pluggable Authentication Modules (Pam)

    Section 7.2:PAM Configuration Files 7 Pluggable Authentication Modules (PAM) Programs that give privileges to users must properly authenticate (verify the identity of) each user. When you log in to a system, you provide your username and password, and the login process uses the username and password to authenticate the login —...
  • Page 132 Chapter 7:Pluggable Authentication Modules (PAM) Each application (or service, as applications designed to be used by many users are commonly known) has its own file. Each line in the file has five elements: service name, module type, control flag, module path, and arguments. 7.2.1 PAM Service Names The service name of every PAM-enabled application is the name of its configuration file in /etc/pam.d.
  • Page 133 Section 7.2:PAM Configuration Files Before someone is allowed to rlogin, PAM verifies that the /etc/nologin file does not exist, that they are not trying to log in remotely as root over an unencrypted network connection, and that any environment variables can be loaded. Then, a successful rhosts authentication is performed before the connection is allowed.
  • Page 134 Chapter 7:Pluggable Authentication Modules (PAM) • sufficient — A failure of a sufficient module is ignored. But if a sufficient module succeeds and no required module above it has failed, then no other modules of this module type are checked and this module type is considered to have succeeded as a whole.
  • Page 135 Section 7.2:PAM Configuration Files
    #%PAM-1.0
    auth required /lib/security/pam_securetty.so
    auth required /lib/security/pam_unix.so shadow nullok
    auth required /lib/security/pam_nologin.so
    account required /lib/security/pam_unix.so
    password required /lib/security/pam_cracklib.so
    password required /lib/security/pam_unix.so shadow nullok use_authtok
    session required /lib/security/pam_unix.so
    The first line is a comment (any line starting with a # character is a comment).
  • Page 136 Chapter 7:Pluggable Authentication Modules (PAM) The seventh line specifies that if the login program changes the user’s password, it should use the pam_unix.so module to do so. (This will happen only if an auth module has determined that the password needs to be changed — for example, if a shadow password has expired.) session required /lib/security/pam_unix.so...
  • Page 137: Shadow Passwords

    Section 7.4:Using rlogin, rsh, and rexec with PAM Fifth, if pam_rhosts_auth.so has failed to authenticate the user, the pam_stack.so module performs normal password authentication, and is passed the service=system-auth argument. Note If you do not want to prompt for a password when the securetty check fails and determines that the user is trying to login as root remotely, you can change the pam_securetty.so module from required to requisite.
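The difference between required and requisite in the note above, together with the sufficient and required semantics described earlier in this chapter, can be exercised with a small evaluator. This is an added example, not Red Hat's or Linux-PAM's code: it parses the auth lines of the login configuration quoted earlier and runs them against constructed module outcomes (no real module is loaded). Treating pam_stack.so as an ordinary module and ignoring optional results are simplifications of the real stack.

```python
"""Walk a PAM module stack the way Linux-PAM handles control flags.

Added example, not Red Hat's or Linux-PAM's code. With pam_securetty.so
marked `required`, a failed securetty check still lets the later modules
run (so the user is prompted for a password); with `requisite` the stack
stops at once. Module outcomes are constructed and passed in by the
caller. Assumed simplifications: `optional` results are ignored,
`pam_stack.so` is treated like any other module, and the first failing
`required` module's code is the one reported.
"""
from typing import Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


def parse_stack(config: str, module_type: str) -> List[Tuple[str, str]]:
    """Return [(control_flag, module_path), ...] for one module type."""
    stack = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):      # comments and blank lines
            continue
        fields = line.split()
        if fields[0] == module_type:
            stack.append((fields[1], fields[2]))   # module arguments ignored
    return stack


def run_stack(stack: List[Tuple[str, str]], results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Run `stack`; `results` maps module path -> return code (default: success).

    Returns (final_code, modules_that_were_actually_called).
    """
    deferred_failure = None
    called: List[str] = []
    for flag, module in stack:
        called.append(module)
        ok = results.get(module, PAM_SUCCESS) == PAM_SUCCESS
        if flag == "required":
            if not ok and deferred_failure is None:
                deferred_failure = results[module]   # remember, but keep going
        elif flag == "requisite":
            if not ok:
                return results[module], called       # fail immediately
        elif flag == "sufficient":
            if ok and deferred_failure is None:
                return PAM_SUCCESS, called           # short-circuit success
            # a failing sufficient module is simply ignored
        elif flag != "optional":
            raise ValueError(f"unknown control flag {flag!r}")
    return (deferred_failure or PAM_SUCCESS), called


# auth section of /etc/pam.d/login as shown in the chapter
LOGIN_CONF = """\
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_unix.so shadow nullok
auth required /lib/security/pam_nologin.so
"""
REQUISITE_CONF = LOGIN_CONF.replace("auth required /lib/security/pam_securetty.so",
                                    "auth requisite /lib/security/pam_securetty.so")


def root_on_insecure_tty(config: str) -> Tuple[str, List[str]]:
    """Constructed scenario: root logs in on a tty absent from /etc/securetty."""
    outcome = {"/lib/security/pam_securetty.so": PAM_AUTH_ERR}
    return run_stack(parse_stack(config, "auth"), outcome)


if __name__ == "__main__":
    print("required :", root_on_insecure_tty(LOGIN_CONF))
    print("requisite:", root_on_insecure_tty(REQUISITE_CONF))
```

With required, all three auth modules are called even though the outcome is already decided, which is exactly the password prompt the note talks about; with requisite only pam_securetty.so runs. The same evaluator shows why a sufficient module placed after a failed required module cannot rescue the login.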
  • Page 138: Additional Resources

    Chapter 7:Pluggable Authentication Modules (PAM)
    rexec
    rlogin
    To allow root to log in using these tools via telnet (an even worse idea but necessary in some environments), add a few more lines:
    pts/0
    pts/1
    7.5 Additional Resources Much more information about PAM is available than what is covered in this chapter. Various additional sources of information exist and will prove invaluable in helping to configure and use PAM on your system.
  • Page 139: Chapter 8 Using Kerberos 5 On Red Hat Linux

    Section 8.2:Why Not Use Kerberos? 8 Using Kerberos 5 on Red Hat Linux Kerberos is a secure system for providing network authentication services. Authentication means: • The identities of entities on the network are verified. • Traffic on the network is from the source who claims to have sent it. Kerberos uses passwords to verify the identity of users, and these passwords are never sent over the network in an unencrypted form.
  • Page 140: Kerberos Terminology

    Chapter 8:Using Kerberos 5 on Red Hat Linux • For an application to use Kerberos, its source must be modified to make the appropriate calls into the Kerberos libraries. For some applications, this may require too much programming effort. For other applications, changes must be made to the protocol used between network servers and their clients.
  • Page 141: How Kerberos Works

    Section 8.4:How Kerberos Works A file that includes an unencrypted list of principals and their keys. Servers retrieve the keys they need from keytab files instead of using kinit. The default keytab file is /etc/krb5.keytab. The kadmind command is the only service that uses any other file (it uses /var/kerberos/krb5kdc/kadm5.keytab).
  • Page 142 Chapter 8:Using Kerberos 5 on Red Hat Linux On a "normal" network which uses passwords to authenticate users, when a user requests a network service that requires authentication, the user is prompted to type in their password. The password is transmitted in plaintext over the network, and access to the network service is granted.
  • Page 143: Kerberos And Pam

    Section 8.6:Additional Resources 8.5 Kerberos and PAM Currently, kerberized services do not make use of Pluggable Authentication Modules (PAM) at all — a kerberized server bypasses PAM completely. Applications that use PAM can make use of Kerberos for password checking if the pam_krb5 module (provided in the pam_krb5 package) is installed. The pam_krb5 package contains sample configuration files that will allow services like login and gdm to authenticate users and obtain initial credentials using their passwords.
  • Page 144 Chapter 8:Using Kerberos 5 on Red Hat Linux Kerberos-style authentication system. The conversational style of the discussion makes this a good starting place for people who are completely unfamiliar with Kerberos. • http://www.ornl.gov/~jar/HowToKerb.html — Practical advice on kerberizing your network.
  • Page 145: Chapter 9 Tcp Wrappers And Xinetd

    Section 9.1:Purpose of TCP Wrappers 9 TCP Wrappers and xinetd Controlling access to network services can be a challenge. Firewalls are useful for controlling access in and out of a particular network, but they can be difficult to configure. TCP wrappers and xinetd control access to services by hostname and IP addresses.
  • Page 146: Host-Based Access Control Lists

    Chapter 9:TCP Wrappers and xinetd 9.2 Host-Based Access Control Lists Host-based access for services that use TCP wrappers is controlled by two files: hosts.allow and hosts.deny. These files, located in the /etc directory, use a simple format to control access by particular systems or users to certain services on a server.
  • Page 147 Section 9.2:Host-Based Access Control Lists If your list of hostnames that may access a particular service is too long or is difficult to control within hosts.allow or hosts.deny, you can also specify the full path to a file (such as /etc/telnet.hosts.deny).
  • Page 148 Chapter 9:TCP Wrappers and xinetd Note Organizationally, it usually makes more sense to use EXCEPT operators sparingly, choosing instead to place the exceptions to the rule in the other access control file. This allows all administrators to quickly scan the appropriate files to see what hosts should be allowed or denied access to which services, without having to work through various EXCEPT operators and work out the appropriate logic.
  • Page 149 Section 9.2:Host-Based Access Control Lists Various expansions containing specific information about the client, server, and process involved are available to the shell commands: • %a — The client’s IP address. • %A — The server’s IP address. • %c — Various types of client information, such as the username and hostname, or the username and IP address.
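The order in which hosts.allow and hosts.deny are consulted, and the effect of EXCEPT, can be exercised with a small evaluator. This is an added example, not the tcp_wrappers library's own code; the two sample files are constructed, only the patterns named in the docstring are supported, and no hostname lookups are performed (the caller supplies both the client's hostname and its address).

```python
"""Evaluate tcp_wrappers access control from hosts.allow and hosts.deny.

Added example, not the tcp_wrappers library's own code. It implements
the decision order the library uses: a matching rule in hosts.allow
grants access, otherwise a matching rule in hosts.deny refuses it,
otherwise access is granted. Supported patterns (a subset, assumed
sufficient for the demo): ALL, an exact daemon, hostname or address, a
leading-dot domain suffix (.corp.example), a trailing-dot network
prefix (192.168.1.) and the EXCEPT operator in a daemon or client list.
"""
from typing import Callable, List, Tuple


def parse_rules(text: str) -> List[Tuple[str, str]]:
    """Return (daemon_list, client_list) pairs; options such as spawn are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        rules.append((fields[0], fields[1]))
    return rules


def _match_list(pattern: str, matches: Callable[[str], bool]) -> bool:
    """Match `a b EXCEPT c d`: some token before EXCEPT, none after it."""
    tokens = pattern.replace(",", " ").split()
    include, exclude = tokens, []
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        include, exclude = tokens[:i], tokens[i + 1:]
    return any(map(matches, include)) and not any(map(matches, exclude))


def _daemon_matcher(daemon: str) -> Callable[[str], bool]:
    return lambda token: token == "ALL" or token == daemon


def _client_matcher(host: str, addr: str) -> Callable[[str], bool]:
    def matches(token: str) -> bool:
        if token == "ALL":
            return True
        if token.startswith("."):        # domain suffix
            return host.endswith(token)
        if token.endswith("."):          # dotted network prefix
            return addr.startswith(token)
        return token in (host, addr)     # exact hostname or address
    return matches


def access_allowed(hosts_allow: str, hosts_deny: str,
                   daemon: str, host: str, addr: str) -> bool:
    for text, verdict in ((hosts_allow, True), (hosts_deny, False)):
        for daemons, clients in parse_rules(text):
            if (_match_list(daemons, _daemon_matcher(daemon))
                    and _match_list(clients, _client_matcher(host, addr))):
                return verdict
    return True      # no rule matched in either file: access is granted


# Constructed sample files (not taken from the page)
HOSTS_ALLOW = """\
sshd : ALL
in.telnetd, in.ftpd : .corp.example EXCEPT untrusted.corp.example
in.ftpd : 192.168.1.
"""
HOSTS_DENY = "ALL : ALL\n"


def decide(daemon: str, host: str, addr: str, deny: str = HOSTS_DENY) -> bool:
    return access_allowed(HOSTS_ALLOW, deny, daemon, host, addr)
```

Two points worth checking against the sample: the EXCEPT on the second hosts.allow line does not keep untrusted.corp.example off the FTP service, because the third line admits it by address; and with an empty hosts.deny every client not named in hosts.allow is let in, which is why the final "ALL : ALL" deny rule matters.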
  • Page 150: Access Control Using Xinetd

    Chapter 9:TCP Wrappers and xinetd 9.3 Access Control Using xinetd The benefits offered by TCP wrappers are only multiplied when the libwrap.a library is used in conjunction with xinetd, a super-daemon that provides additional access, logging, binding, redirection and resource utilization control. Red Hat Linux configures a variety of popular network services to be used with xinetd, including FTP, IMAP, POP, and telnet.
  • Page 151 Section 9.3:Access Control Using xinetd • log_on_success — Lets xinetd know what to log if the connection is successful. By default, the remote host’s IP address and the process ID of the server processing the request are recorded. • log_on_failure — Tells xinetd what to log if the connection fails or is not allowed. The log_on_success and log_on_failure settings in /etc/xinetd.conf are often added to by each of the different services, meaning that successful and failed connections by each service will usually log more than what is indicated here.
  • Page 152 Chapter 9:TCP Wrappers and xinetd
    wait = no
    user = root
    server = /usr/sbin/in.ftpd
    server_args = -l -a
    log_on_success += DURATION USERID
    log_on_failure += USERID
    nice = 10
    disable = yes
    The first line defines the service’s name that is being configured. Then, the lines within the brackets contain a variety of different settings that define how this service is supposed to be started and used.
  • Page 153 Section 9.3:Access Control Using xinetd The following options are supported in the xinetd files to control host access: • only_from — Allows the hosts specified to use the service. • no_access — Blocks these hosts from using this service. • access_times —...
  • Page 154 Chapter 9:TCP Wrappers and xinetd to access the service. This is particularly useful for systems with multiple network adapters and using multiple IP addresses, such as machines being used as firewalls, with one network adapter facing the Internet and the other connected to an internal network. Attackers attempting to connect for a specific service, such as Telnet or FTP, via the Internet connection may be blocked from connecting to the service while internal users may connect to the service via the NIC connected to the internal network.
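A parser for the stanza format shown above, with the only_from, no_access and disable options applied to a client address, as an added example (not xinetd's code). The stanza is constructed, modelled on the ftp service shown earlier; the most-specific-match rule and the address forms handled are assumptions stated in the docstring.

```python
"""Parse an xinetd service stanza and apply its host-access options.

Added example, not xinetd's code. It reads the `service name { ... }`
syntax used in /etc/xinetd.d (including `+=` for the log_on_* lists)
and decides whether a client may use the service from `only_from`,
`no_access` and `disable`. Rule assumed from xinetd's documentation:
when a client matches both only_from and no_access, the more specific
entry (longest network prefix) wins; a tie is treated as a deny here.
Address forms handled: a single IPv4 address, CIDR (10.8.1.0/24) and
the xinetd shorthand in which trailing .0 octets are wildcards
(192.168.0.0 covers 192.168.0.0/16).
"""
import ipaddress
from typing import Dict, List

Attrs = Dict[str, List[str]]


def parse_service(text: str) -> Attrs:
    """Return attribute -> list of values; '=' replaces, '+=' appends."""
    attrs: Attrs = {}
    body = text[text.index("{") + 1: text.rindex("}")]
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if "+=" in line:
            key, value = (s.strip() for s in line.split("+=", 1))
            attrs.setdefault(key, []).extend(value.split())
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            attrs[key] = value.split()
    return attrs


def _network(pattern: str):
    if "/" in pattern:
        return ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    fixed = 4
    while fixed > 1 and octets[fixed - 1] == "0":   # trailing .0 are wildcards
        fixed -= 1
    return ipaddress.ip_network(f"{pattern}/{fixed * 8}", strict=False)


def _best_prefix(patterns: List[str], client) -> int:
    """Longest prefix length among matching patterns, or -1 if none match."""
    best = -1
    for p in patterns:
        net = _network(p)
        if client in net:
            best = max(best, net.prefixlen)
    return best


def client_allowed(attrs: Attrs, client_ip: str) -> bool:
    if attrs.get("disable", ["no"]) == ["yes"]:
        return False                        # service is not offered at all
    client = ipaddress.ip_address(client_ip)
    allow = _best_prefix(attrs.get("only_from", []), client)
    deny = _best_prefix(attrs.get("no_access", []), client)
    if allow < 0 and deny < 0:
        return "only_from" not in attrs     # only_from present means allow-list
    if allow >= 0 and deny >= 0:
        return allow > deny                 # more specific entry wins
    return allow >= 0


# Constructed stanza, modelled on the ftp service in the chapter
FTP_STANZA = """\
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.ftpd
        server_args     = -l -a
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
        only_from       = 192.168.0.0 10.8.1.0/24
        no_access       = 192.168.7.0 10.8.1.66
        disable         = no
}
"""

if __name__ == "__main__":
    attrs = parse_service(FTP_STANZA)
    for ip in ("192.168.3.4", "192.168.7.9", "10.8.1.66", "10.8.1.7", "203.0.113.1"):
        print(ip, "allowed" if client_allowed(attrs, ip) else "denied")
```

The 192.168.7.0 and 10.8.1.66 entries carve exceptions out of the wider only_from networks because they are more specific, while an address in neither list is refused as soon as only_from is present at all. Note the shorthand's limitation: a real host whose address ends in .0 can only be named in CIDR form.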
  • Page 155: Additional Resources

    Section 9.4:Additional Resources This feature is particularly useful for users with broadband connections and only one fixed IP address. When using Network Address Translation (NAT), the systems behind the gateway machine, which are using internal-only IP addresses, are not available from outside the gateway system. However, when certain services controlled by xinetd are configured with the bind and redirect options, the gateway machine can act as a type of proxy between outside systems and a particular internal machine configured to provide the service.
  • Page 156 Chapter 9:TCP Wrappers and xinetd...
  • Page 157: Chapter 10 Ssh Protocol

    Section 10.1:Introduction 10 SSH Protocol This chapter covers the benefits of the SSH™ protocol, the sequence of events that occur when a secure connection is made to a remote system, the different layers of SSH, and methods to ensure SSH is used by users connecting to your system. Common methods for remotely logging into another system through a shell (telnet, rlogin, or rsh) or copying files between hosts (ftp or rcp) do not encrypt data that is sent over the connection between the client and the server, and should be avoided.
  • Page 158: Event Sequence Of An Ssh Connection

    Chapter 10:SSH Protocol The OpenSSH packages require the OpenSSL package (openssl). OpenSSL installs several important cryptographic libraries that help OpenSSH provide encrypted communications. You must install the openssl package before installing any OpenSSH packages. A large number of client and server programs can use the SSH protocol, including many open source and freely available applications.
  • Page 159 Section 10.2:Event Sequence of an SSH Connection Next, with a secure connection to the server in place, the client authenticates itself to the server without worrying that the authentication information may be compromised. OpenSSH on Red Hat Linux uses DSA or RSA keys and version 2.0 of the SSH protocol for authentication by default. Finally, with the client authenticated to the server, several different services can be safely and securely used through the connection, such as an interactive shell session, X11 applications, and tunneled TCP/IP ports.
  • Page 160: Layers Of Ssh Security

    Chapter 10:SSH Protocol 10.3 Layers of SSH Security The SSH protocol allows any client and server programs built to the protocol’s specifications to communicate securely and be used interchangeably. Two different varieties of SSH currently exist. SSH version 1 contains several patented encryption algorithms (however, several of these patents have expired) and a security hole that potentially allows for data to be inserted into the data stream.
  • Page 161 Section 10.3:Layers of SSH Security CAUTION The host key verification method used by OpenSSH is not perfect. An attacker could masquerade as the server during the initial contact, as the local system would not necessarily know the difference between the intended server and the attacker at that point.
  • Page 162: Openssh Configuration Files

    Chapter 10:SSH Protocol Both clients and servers can create a new channel, with each channel being assigned a different number at each end. When one side attempts to open a new channel, that side’s number for the channel is sent along with the request.
  • Page 163: More Than A Secure Shell

    Section 10.5:More Than a Secure Shell • ssh_host_rsa_key.pub — The RSA public key used by sshd for version 2 of the SSH protocol. User-specific SSH configuration information is stored in the user’s home directory within the .ssh subdirectory: • authorized_keys2 — The file that holds a list of "authorized" public keys. If a connecting user can prove that they know the private key which corresponds to any of these, then they are authenticated.
  • Page 164 Chapter 10:SSH Protocol As you might imagine, X11 forwarding can be very useful. For example, you can use X11 forwarding to create a secure, interactive session with the up2date GUI on the server to selectively update packages (if you have the necessary Red Hat Network packages installed on the server). To do this, simply connect to the server using ssh and type: up2date You will be asked to supply the root password for the server.
  • Page 165: Requiring Ssh For Remote Connections

    Section 10.6:Requiring SSH for Remote Connections If mail.domain.com is not running an SSH server daemon but you can log in via SSH to a machine near it, perhaps through a firewall, you can still use SSH to secure the part of the POP connection that occurs over public networks.
  • Page 166 Chapter 10:SSH Protocol /usr/sbin/serviceconf Within serviceconf, you can disable services from starting up by deselecting them. The [Space-bar] toggles a service between being active or inactive. At a minimum, you should deselect telnet, rsh, ftp, and rlogin. When finished, select the button to save your serviceconf changes.
  • Page 167: Chapter 11 Installing And Configuring Tripwire

    Section 11.1:How to Use Tripwire 11 Installing and Configuring Tripwire Tripwire software can help to ensure the integrity of critical system files and directories by identifying all changes made to them. Tripwire configuration options include the ability to receive alerts via email if particular files are altered and automated integrity checking via a cron job.
  • Page 168 Chapter 11:Installing and Configuring Tripwire Figure 11–1 How to Use Tripwire The following steps should be taken to properly install, use and maintain Tripwire:...
  • Page 169: Installation Instructions

    Section 11.2:Installation Instructions Install Tripwire and customize the policy file — If not already done, install the tripwire RPM (see Section 11.2.1, RPM Installation Instructions). Then, customize the sample configuration (/etc/tripwire/twcfg.txt) and policy (/etc/tripwire/twpol.txt) files and run the configuration script (/etc/tripwire/twinstall.sh). For more information, see Section 11.2.2, Post-Installation Instructions.
  • Page 170 Chapter 11:Installing and Configuring Tripwire Locate the RedHat/RPMS directory on the Red Hat Linux 7.2 CD-ROM. Locate the tripwire binary RPM by typing ls -l tripwire* in the RedHat/RPMS directory. Type rpm -Uvh <name> (where <name> is the name of the Tripwire RPM found in step 2) After installing the tripwire RPM, follow the post-installation instructions outlined below.
  • Page 171: File Locations

    Section 11.3:File Locations files, and signing these files. See Section 11.6, Selecting Passphrases for more information on setting passphrases. Note Once encoded and signed, the configuration file (/etc/tripwire/tw.cfg) and policy file (/etc/tripwire/tw.pol) generated by running the /etc/tripwire/twinstall.sh script should not be renamed or moved. Initialize the Tripwire database file by issuing the /usr/sbin/tripwire --init command at the command line.
  • Page 172: Tripwire Components

    Chapter 11:Installing and Configuring Tripwire 11.4 Tripwire Components The Tripwire policy file is a text file containing comments, rules, directives, and variables. This file dictates the way Tripwire checks your system. Each rule in the policy file specifies a system object to be monitored.
  • Page 173: Selecting Passphrases

    Section 11.6:Selecting Passphrases Locate the default policy file at /etc/tripwire/twpol.txt. An example policy file (located at /usr/share/doc/tripwire-<version-number>/policyguide.txt) is included to help you learn the policy language. Read the example policy file for instructions on how to edit the default policy file.
  • Page 174: Initializing The Database

    Chapter 11:Installing and Configuring Tripwire CAUTION Store the passphrases in a secure location. There is no way to decrypt a signed file if you forget your passphrase. If you forget the passphrases, the files are unusable and you will have to run the configuration script again, which also reinitializes the Tripwire database.
  • Page 175 Section 11.9:Printing Reports /usr/sbin/twprint -m r --twrfile /var/lib/tripwire/report/<name>.twr The -m r option in the command tells twprint to decode a Tripwire report. The --twrfile option tells twprint to use a specific Tripwire report file. The name of the Tripwire report that you want to see includes the name of the host that Tripwire checked to generate the report, plus the creation date and time.
  • Page 176 Chapter 11:Installing and Configuring Tripwire 11.9.1 Using twprint to View the Tripwire Database You can also use twprint to view the entire database or information about selected files in the Tripwire database. This is useful for seeing just how much information Tripwire is tracking on your system.
  • Page 177: Updating The Database After An Integrity Check

    Section 11.10:Updating the Database after an Integrity Check -rwxr-xr-x root (0) 405576 Thu Dec 7 22:35:05 2000 To see information about a particular file that Tripwire is tracking, such as /etc/hosts, type a different twprint command: /usr/sbin/twprint -m d --print-dbfile /etc/hosts The result will look similar to this: Object name: /etc/hosts...
  • Page 178: Updating The Policy File

    Chapter 11:Installing and Configuring Tripwire All proposed updates to the Tripwire database start with a [x] before the file name. If you want to specifically exclude a valid violation from being added to the Tripwire database, remove the x from the box.
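The init, check and update cycle described in this chapter, as an added example in Python rather than Tripwire's own code: a baseline of file digests and attributes is taken, the tree is checked against it, and only the violations the administrator ticks are folded into the new baseline. The directory, files and changes are constructed inside a temporary directory; nothing here reads a real Tripwire database or policy.

```python
"""Minimal file-integrity baseline and check in the style of Tripwire.

Added example, not Tripwire's code. It records SHA-256, size, mode and
mtime of the regular files under a directory, reports added, removed and
changed objects against that baseline, and lets the administrator accept
only the ticked violations, mirroring the --init, --check and --update
cycle of the chapter. Unlike Tripwire the baseline is not signed, so it
must live where an intruder cannot rewrite it (read-only media, another
host). The demo tree below is constructed, not taken from the page.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from typing import Dict, Iterable, Tuple

DB = Dict[str, Dict[str, object]]


def snapshot(root: str) -> DB:
    """Record, per regular file, the properties a policy rule would watch."""
    db: DB = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):     # symlinks, devices: skipped here
                continue
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            key = os.path.relpath(path, root).replace(os.sep, "/")
            db[key] = {"sha256": digest, "size": st.st_size,
                       "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}
    return db


def save_db(db: DB, path: str) -> None:
    with open(path, "w") as f:
        json.dump(db, f, sort_keys=True)


def load_db(path: str) -> DB:
    with open(path) as f:
        return json.load(f)


def check(root: str, baseline: DB) -> Tuple[dict, DB]:
    """Compare the tree against the baseline; return (report, current_db)."""
    current = snapshot(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for key in sorted(set(current) & set(baseline)):
        diffs = [p for p in baseline[key] if baseline[key][p] != current[key][p]]
        if diffs:
            report["changed"][key] = diffs        # which properties moved
    return report, current


def accept(baseline: DB, current: DB, report: dict, accepted: Iterable[str]) -> DB:
    """Fold only the violations the administrator ticked into a new baseline."""
    accepted = set(accepted)
    updated = dict(baseline)
    for key in report["added"]:
        if key in accepted:
            updated[key] = current[key]
    for key in report["removed"]:
        if key in accepted:
            del updated[key]
    for key in report["changed"]:
        if key in accepted:
            updated[key] = current[key]
    return updated


def demo() -> Tuple[dict, dict]:
    """Init, then one legitimate and two hostile changes, check, accept, re-check."""
    root, dbdir = tempfile.mkdtemp(), tempfile.mkdtemp()   # dbdir stands in for off-box storage
    try:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        dbfile = os.path.join(dbdir, "baseline.json")
        save_db(snapshot(root), dbfile)                       # --init
        with open(os.path.join(etc, "hosts"), "a") as f:      # admin's own edit
            f.write("10.0.0.5 fileserver\n")
        with open(os.path.join(etc, "passwd"), "a") as f:     # intruder's backdoor account
            f.write("toor:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "rootkit"), "w") as f:   # dropped binary
            f.write("#!/bin/sh\n")
        report, current = check(root, load_db(dbfile))        # --check
        updated = accept(load_db(dbfile), current, report, {"etc/hosts"})
        report_after, _ = check(root, updated)                # next --check
        return report, report_after
    finally:
        shutil.rmtree(root)
        shutil.rmtree(dbdir)


if __name__ == "__main__":
    before, after = demo()
    print("first check :", before)
    print("after update:", after)
```

After the update only the hosts edit disappears from the report; the altered passwd file and the new rootkit binary stay flagged because the administrator did not tick them, which is the behaviour the [x] boxes in the Tripwire update session give you.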
  • Page 179: Tripwire And Email

    Section 11.12:Tripwire and Email resulting report. See Section 11.8, Running an Integrity Check and Section 11.9, Printing Reports for specific instructions on these points. 11.11.1 Signing the Configuration File The text file with the configuration file changes (commonly /etc/tripwire/twcfg.txt) must be signed to replace the /etc/tripwire/tw.cfg and be used by Tripwire when it runs its integrity check.
  • Page 180: Additional Resources

    Chapter 11:Installing and Configuring Tripwire 11.12.1 Sending Test Email Messages To make sure that Tripwire’s email notification configuration can actually send email correctly, use the following command: /usr/sbin/tripwire --test --email your@email.address A test email will immediately be sent to the email address by the tripwire program. 11.13 Additional Resources Tripwire can do more than what is covered in this chapter.
  • Page 181: Part Iii Network Services Reference

    Part III Network Services Reference...
  • Page 183: Chapter 12 Network Scripts

    Section 12.1:Interface Configuration Files 12 Network Scripts Using Red Hat Linux, all network communications occur between interfaces, which are networking devices connected to the system, configured in a particular way, and utilizing at least one protocol to exchange data with other systems. The different types of interfaces that exist are as varied as the devices that support them, such as network interface cards (NICs —...
  • Page 184 Chapter 12:Network Scripts The values required in an interface configuration file can change based on other values. For example, the ifcfg-eth0 file for an interface utilizing DHCP looks quite a bit different, due to the fact that IP information is now provided by the DHCP server: DEVICE=eth0 BOOTPROTO=dhcp ONBOOT=yes...
  • Page 185 Section 12.1:Interface Configuration Files A local loopback interface is often used in testing, as well as a variety of applications that require an IP address pointing back to the same system. Any data sent to the loopback device is immediately returned to the host’s network layer.
  • Page 186 Chapter 12:Network Scripts – yes — This interface will allow pppd to initiate a connection when someone attempts to use – no — A connection must be manually established for this interface. • IDLETIMEOUT= <value> , where <value> is number of seconds of idle activity before the interface will disconnect itself.
  • Page 187: Interface Control Scripts

    The easiest way to create alias and clone interface configuration files is to use the GUI-based Network Configurator (redhat-config-network) tool. 12.2 Interface Control Scripts The interface control scripts control bringing up (activating) and down (deactivating) interface connections.
  • Page 188 Chapter 12:Network Scripts The two primary interface control scripts in the /etc/sysconfig/network-scripts directory, ifdown and ifup, are symbolic links to the scripts in the /sbin directory. When either of these scripts is called, it accepts the name of the interface to be used, such as:
    [root@bleach network-scripts]# ifup eth0
    Determining IP information for eth0...
  • Page 189: Network Functions

    Section 12.3:Network Functions In order to bring a particular interface up or down properly, these scripts may call one another to provide a certain type of functionality. In addition, other scripts will find their way into the /etc/sysconfig/network-scripts directory as software is installed that requires a new type of interface. Be aware that removing or modifying these scripts can cause various interface connections to act strangely or fail, as these scripts tend to rely on each other.
  • Page 191: Chapter 13 Apache

    Apache 13 Apache The Apache product includes software developed by the Apache Software Foundation ( http://www.apache.org). The Apache HTTP server is a robust and commercial-grade open source Web server used by the majority of websites on the Internet. The Red Hat Linux distribution includes Apache, as well as a number of additional modules which are designed to enhance the functionality of the server and add strong encryption capabilities.
  • Page 192: Default Modules

    Chapter 13:Apache Note We do not include FrontPage extensions. The Microsoft™ license prohibits the inclusion of the extensions in a third party product. To find out more about FrontPage extensions, refer to http://www.rtr.com/fpsupport/. 13.1 Default Modules Apache is distributed with a number of modules. By default the following modules are installed and enabled with the Apache package on Red Hat Linux: mod_vhost_alias mod_env...
  • Page 193: Starting And Stopping Httpd

    Section 13.2:Starting and Stopping httpd mod_define mod_auth_dbm mod_auth_db mod_digest mod_proxy mod_cern_meta mod_usertrack mod_example mod_unique_id The following modules are available by installing additional packages: mod_ssl mod_auth_any mod_auth_mysql mod_auth_pgsql mod_bandwidth mod_dav mod_perl mod_php4 mod_put mod_python mod_roaming mod_throttle 13.2 Starting and Stopping httpd During the installation process, a Bourne shell script named httpd was saved in /etc/rc.d/init.d.
  • Page 194: Configuration Directives In Httpd.conf

    Chapter 13:Apache If you just finished editing something in your httpd.conf file, you do not need to explicitly stop and start your server. Instead, you may use the reload command. When you use reload, you will not need to type in your password (the passphrase protecting the secure server’s private key). The passphrase remains cached across reloads, but it is not cached between stops and starts.
  • Page 195 Section 13.3:Configuration Directives in httpd.conf 13.3.1 ServerType Your ServerType must be set to standalone. By default, your Web server is set to ServerType standalone. ServerType standalone means that the server is started once and then that server handles all of the connections.
  • Page 196 Chapter 13:Apache 13.3.8 Timeout Timeout defines, in seconds, the amount of time that your server will wait for receipts and trans- missions during communications. Specifically, Timeout defines how long your server will wait to receive a GET request, how long it will wait to receive TCP packets on a POST or PUT request and how long it will wait between ACKs responding to TCP packets.
  • Page 197 Section 13.3:Configuration Directives in httpd.conf Your server’s default MinSpareServers is 5; your server’s default MaxSpareServers is 20. These default settings should be appropriate in most situations. You should not increase the MinSpareServers to a large number. Doing so will create a heavy processing load on your server even when traffic is light.
  • Page 198 Chapter 13:Apache 13.3.18 LoadModule LoadModule is used to load in Dynamic Shared Object (DSO) modules. More information on the Apache’s DSO support, including exactly how to use the LoadModule directive, can be found in Section 13.4, Adding Modules to Your Server. Note, the order of the modules is important, so do not move them around.
  • Page 199 Section 13.3:Configuration Directives in httpd.conf directives are in effect, your server listens at all of those ports. See the description of the Listen directive for more information about Listen. The Port command is also used to specify the port number used to construct a canonical name for your server.
  • Page 200 Chapter 13:Apache 13.3.27 ServerName You can use ServerName to set a hostname for your server which is different from your host’s real name. For example, you might want to use www.your_domain.com when your server’s real name is actually foo.your_domain.com. Note that the ServerName must be a valid Domain Name Service (DNS) name that you have the right to use (do not just make something up).
  • Page 201 Section 13.3:Configuration Directives in httpd.conf <Directory /home/my_cgi_directory> Options +ExecCGI </Directory> To allow CGI script execution in /home/my_cgi_directory, you will need to take a few extra steps besides setting ExecCGI. You will also need to have the AddHandler directive uncommented to identify files with the .cgi extension as CGI scripts. See Section 13.3.65, AddHandler for instructions on setting AddHandler.
  • Page 202 Chapter 13:Apache 13.3.32 Order The Order directive simply controls the order in which allow and deny directives are evaluated. Your server is configured to evaluate the Allow directives before the deny directives for your Doc- umentRoot directory. 13.3.33 Allow Allow specifies which requester can access a given directory. The requester can be all, a domain name, an IP address, a partial IP address, a network/netmask pair, etc.
  • Page 203 Section 13.3:Configuration Directives in httpd.conf is index.html index.htm index.shtml index.php index.php4 index.php3 index.cgi. The server will try to find any one of these files, and will return the first one it finds. If it does not find any of these files and Options Indexes is set for that directory, the server will generate and return a listing, in HTML format, of the subdirectories and files in the directory. Because such a listing reveals every file in the directory, leave Indexes off for any directory you do not intend clients to browse.
  • Page 204 Chapter 13:Apache 13.3.42 IfModule <IfModule> and </IfModule> tags surround directives that are conditional. The directives contained within the IfModule tags are processed under one of two conditions. The directives are processed if the module named in the starting <IfModule> tag is loaded into the Apache server.
  • Page 205 Section 13.3:Configuration Directives in httpd.conf The error log is a good place to look if your Web server generates any errors or fails, and you are not sure what happened. 13.3.45 LogLevel LogLevel sets how verbose the error messages in the error logs will be. LogLevel can be set (from least verbose to most verbose) to emerg, alert, crit, error, warn, notice, info or debug.
  • Page 206 Chapter 13:Apache
    The HTTP status code which was returned to the browser or client.
    bytes
    The size of the document.
    referer
    This can give the URL of the Web page which linked to the current request.
    user-agent
    This gives the name of the browser or client making the request.
    13.3.48 ServerSignature
    The ServerSignature directive adds a line containing the Apache server version and the ServerName of the serving host to any server-generated documents (for example, error...
  • Page 207 Section 13.3:Configuration Directives in httpd.conf 13.3.51 Redirect When a Web page is moved, Redirect can be used to map the old URL to a new URL. The format is as follows:
    Redirect /path/foo.html http://new_domain/path/foo.html
    So, if an HTTP request is received for a page which used to be found at http://your_domain/path/foo.html, the server will send back the new URL (http://new_domain/path/foo.html) to the client, which should attempt to fetch the document from the new URL.
  • Page 208 Chapter 13:Apache 13.3.54 AddIconByType This directive names icons which will be displayed next to files with MIME types in server generated directory listings. For example, your server is set to show the icon text.gif next to files with a mime-type of "text," in server generated directory listings. 13.3.55 AddIcon AddIcon tells the server which icon to show in server generated directory listings for certain file types or for files with certain extensions.
  • Page 209 Section 13.3:Configuration Directives in httpd.conf 13.3.60 IndexIgnore IndexIgnore lists file extensions, partial filenames, wildcard expressions or full filenames. The Web server will not include any files which match any of those parameters in server generated directory listings. 13.3.61 AddEncoding AddEncoding names filename extensions which should specify a particular encoding type. AddEncoding can also be used to instruct some browsers (not all) to uncompress certain files as they are downloaded.
  • Page 210 Chapter 13:Apache
    AddHandler cgi-script .cgi
    You will have to uncomment the line. Then Apache will execute CGI scripts for files ending in .cgi, even if they are outside of the ScriptAlias, which is set by default to locate your /cgi-bin/ directory in /var/www/cgi-bin/. Note that this makes every .cgi file the server can read executable, wherever it was placed; if only one directory needs CGI, enable the handler inside a <Directory> block for that directory rather than globally.
  • Page 211 Section 13.3:Configuration Directives in httpd.conf problems and also to disable keepalives and HTTP header flushes for browsers that are known to have problems with those actions. 13.3.71 Location <Location> and </Location> tags allow you to specify access control based on the URL. The next use of Location tags is located within IfModule mod_perl.c tags.
  • Page 212 Chapter 13:Apache
    #LoadModule put_module modules/mod_put.so
    #AddModule mod_put.c
    If you want to allow people connecting from your domain to see server status reports, you should uncomment the next section of directives:
    #<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from .your_domain.com
    #</Location>...
    Server status reports show the URLs and client addresses of requests in progress, so keep the Allow line as narrow as the administrators who need it.
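    The Order, Allow and Deny semantics from Section 13.3.32 are easy to get backwards, and the /server-status block above depends on getting them right. The following Python script is an added example, not code from the guide or from Apache itself: it evaluates a client against a set of Allow from / Deny from arguments the way Apache 1.3 does, including the default-deny behaviour of Order allow,deny and the default-allow behaviour of Order deny,allow. The hostname is passed in explicitly, standing in for the reverse lookup Apache performs for domain-based rules; the client addresses and hostnames are constructed.

```python
import ipaddress

# Added example: Apache 1.3 access-control evaluation (Order / Allow from / Deny from).
# Not from the Red Hat guide or from Apache; sample clients below are constructed.


def _match(token, addr, host):
    """Return True if one 'Allow from' / 'Deny from' argument matches the client."""
    token = token.lower()
    if token == "all":
        return True
    if token.startswith("."):                  # domain suffix, e.g. .your_domain.com
        return host is not None and host.lower().endswith(token)
    if "/" in token:                           # CIDR or network/netmask pair
        net = ipaddress.ip_network(token, strict=False)
        return ipaddress.ip_address(addr) in net
    if all(part.isdigit() for part in token.split(".")):   # full or partial IP address
        return addr == token or addr.startswith(token + ".")
    # bare domain name: exact match or a host underneath it
    return host is not None and (host.lower() == token or host.lower().endswith("." + token))


def access_allowed(order, allows, denies, addr, host=None):
    """Apply Apache's Order semantics.

    order  -- "allow,deny" or "deny,allow"
    allows -- arguments of the Allow from directives
    denies -- arguments of the Deny from directives
    addr   -- client IP address as a string
    host   -- client's double-reverse-resolved hostname, or None if it has none
    """
    allow_hit = any(_match(t, addr, host) for t in allows)
    deny_hit = any(_match(t, addr, host) for t in denies)
    if order == "allow,deny":
        # An Allow must match and no Deny may match; clients matching neither are denied.
        return allow_hit and not deny_hit
    if order == "deny,allow":
        # A matching Deny is overridden by a matching Allow; clients matching neither are allowed.
        return (not deny_hit) or allow_hit
    raise ValueError("unknown Order value: %s" % order)


# The /server-status block from httpd.conf: Order deny,allow / Deny from all / Allow from .your_domain.com
STATUS_ORDER = "deny,allow"
STATUS_ALLOW = [".your_domain.com"]
STATUS_DENY = ["all"]


def server_status_allowed(addr, host=None):
    return access_allowed(STATUS_ORDER, STATUS_ALLOW, STATUS_DENY, addr, host)


if __name__ == "__main__":
    print(server_status_allowed("10.0.1.20", "admin.your_domain.com"))               # True
    print(server_status_allowed("203.0.113.9"))                                        # False: no reverse name
    print(server_status_allowed("203.0.113.9", "your_domain.com.attacker.example"))   # False
    # The classic mistake: Order allow,deny with only an Allow line denies everyone else.
    print(access_allowed("allow,deny", ["10.0.0.0/8"], [], "192.168.1.1"))            # False
    print(access_allowed("deny,allow", [], ["10.0.0.0/8"], "192.168.1.1"))            # True
```

    Domain-based rules like Allow from .your_domain.com only work when the client's address has a matching reverse record; Apache checks that the forward lookup of that name leads back to the same address, but a client with no reverse DNS is simply denied. Where the administrator addresses are known, an address or network argument is both faster and harder to spoof.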
  • Page 213 Section 13.3:Configuration Directives in httpd.conf 13.3.73 ProxyVia The ProxyVia command controls whether or not an HTTP Via: header line is sent along with requests or replies which go through the Apache proxy server. The Via: header will show the hostname if ProxyVia is set to On, the hostname and Apache version for Full, any Via: lines will be passed along unchanged for Off, and Via: lines will be removed for Block.
  • Page 214 Chapter 13:Apache Note You cannot use name-based virtual hosts with your secure server. Any name-based virtual hosts you set up will only work with non-secure HTTP connections and not with SSL connections. You cannot use name-based virtual hosts with your secure server because the SSL handshake (when the browser accepts the secure Web server’s authenticating certificate) occurs before the HTTP request which identifies the correct name-based virtual host.
  • Page 215: Adding Modules To Your Server

    Section 13.4:Adding Modules to Your Server For more information on SSL directives, please point your browser to http://your_domain/manual/mod/mod_ssl/. More information on SSL directives is also available at http://www.modssl.org/docs/2.7/ssl_reference.html, a chapter in a Web document about mod_ssl by Ralf Engelschall. The same document, the mod_ssl User Manual, begins at http://www.modssl.org/docs/2.7/ and is a great reference source for mod_ssl and for Web cryptography in general.
  • Page 216 Chapter 13:Apache #LoadModule mime_magic_module modules/mod_mime_magic.so Most of the lines are not commented out, indicating that each associated module was compiled in and is loaded in by default. The first line is commented out, which means that the corresponding module (mmap_static_module) was compiled in but not loaded. To make Apache load an unloaded module, first uncomment the corresponding LoadModule line.
  • Page 217 Section 13.4:Adding Modules to Your Server any compiler and/or linker flags. If you need more information on APXS, please see the Apache documentation at http://httpd.apache.org/docs/dso.html. Once you have compiled your module using APXS, put your module into /usr/lib/apache. Then your module needs both a LoadModule line and an AddModule line in the httpd.conf file, just as described previously for Apache’s own modules.
  • Page 218: Using Virtual Hosts

    Chapter 13:Apache 13.5 Using Virtual Hosts WARNING If you plan to use the Apache Configuration Tool, a GUI utility provided with Red Hat Linux, you may not edit your Apache Web server’s httpd.conf configuration file. Conversely, if you want to edit httpd.conf by hand, do not use the Apache Configuration Tool.
  • Page 219 Section 13.5:Using Virtual Hosts The configuration directives for your secure server are contained within virtual host tags in the httpd.conf file. If you need to change something about the configuration of your secure server, you will need to change the configuration directives inside virtual host tags in the httpd.conf file. If you want to enable certain features (for example, server side includes) for your secure server, they will need to be enabled within the virtual host tags that define your secure server.
  • Page 220 Chapter 13:Apache To create a virtual host, you will need to alter the virtual host lines, provided as an example, in httpd.conf, or create your own virtual host section. (Remember that name-based virtual hosts will not work with your secure server — you will need to use IP address-based virtual hosts if you need SSL-enabled virtual hosts.
  • Page 221: Additional Resources

    Section 13.6:Additional Resources Underneath the Listen lines in httpd.conf, add a line like the following, which will instruct your Web server to listen on port 12331:
    Listen 12331
    You must restart httpd to start a new virtual host. See Section 13.2, Starting and Stopping httpd for instructions on how to start and stop httpd.
  • Page 222 Chapter 13:Apache • Apache Server Unleashed by Richard Bowen, et al; SAMS BOOKS Rich Bowen and Ken Coar’s book aspires to be the definitive encyclopedic source for Apache. • Apache Pocket Reference by Andrew Ford, Gigi Estabrook; O’Reilly Apache Pocket Reference by Andrew Ford is the latest addition to the O’Reilly Pocket Reference series with sixteen other titles to its name.
  • Page 223: Chapter 14 Berkeley Internet Name Domain (Bind)

    Section 14.1:Introduction to DNS and BIND 14 Berkeley Internet Name Domain (BIND) Today, the Internet and almost all local networks depend upon a working and reliable Domain Name Service (DNS), which is used to resolve names of systems into IP addresses and vice versa. In order to facilitate DNS on your network, a nameserver is required to translate these names into the IP addresses necessary to make the connection.
  • Page 224 Chapter 14:Berkeley Internet Name Domain (BIND) 14.1.1 Zones On the Internet, the FQDN of a host can be broken down into different sections, and these sections are organized in a hierarchy much like a tree, with a main trunk, primary branches, secondary branches, and so forth.
  • Page 225: Bind Configuration Files

    Section 14.2:BIND Configuration Files time, usually specified by the retrieved zone record, for quicker resolution for other DNS clients after the first resolution. • forwarding — Forwards requests to a specific list of nameservers to be resolved. If none of the specified nameservers can perform the resolution, the process stops and the resolution fails.
  • Page 226 Chapter 14:Berkeley Internet Name Domain (BIND)
    Figure 14–2 Sample organization of /etc/named.conf
    <statement-1> ["<statement-1-name>"] [<statement-1-class>] {
        <option-1>;
        <option-2>;
        <option-N>;
    };
    <statement-2> ["<statement-2-name>"] [<statement-2-class>] {
        <option-1>;
        <option-2>;
        <option-N>;
    };
    <statement-N>...
  • Page 227 Section 14.2:BIND Configuration Files
    Figure 14–3 Example of acl statements in use
    acl black-hats {
        10.0.2.0/24;
        192.168.0.0/24;
    };
    acl red-hats {
        10.0.1.0/24;
    };
    options {
        blackhole { black-hats; };
        allow-query { red-hats; };
        allow-recursion { red-hats; };
    };
    This named.conf contains two access control lists (black-hats and red-hats).
    •...
  • Page 228 Chapter 14:Berkeley Internet Name Domain (BIND) By default, named logs standard messages to the syslog daemon, which places them in /var/log/messages as its default. This occurs due to the fact that several standard channels are built into BIND with various severity levels, such as one that handles informational logging messages (default_syslog) and another that specifically handles debugging messages (default_debug).
  • Page 229 Section 14.2:BIND Configuration Files
    Figure 14–4 Example of listen-on option
    options {
        listen-on { 10.0.1.1; };
    };
    In this way, only requests that arrive from the network interface serving the private network (10.0.1.1) will be accepted.
    – notify — Controls whether named notifies the slave servers when a zone is updated. The default is yes, but you can set this to no, to prevent slaves from being notified, or explicit, to only notify servers in an also-notify list.
  • Page 230 Chapter 14:Berkeley Internet Name Domain (BIND) • zone " <zone-name> " — Specifies particular zones for which this nameserver is authorita- tive. The zone statement is primarily used to specify the file containing the zone’s configuration and pass certain options about that zone to named that override other global option statements used in /etc/named.conf.
  • Page 231 Section 14.2:BIND Configuration Files master — Designates this nameserver as authoritative for this zone. A zone should be set as the master type if you have the zone’s configuration files on this system. slave — Designates this nameserver as a slave server for this zone, telling named to request the zone’s configuration files from the master nameserver’s IP address for that zone.
  • Page 232 Chapter 14:Berkeley Internet Name Domain (BIND) 14.2.2 Zone Files Zone files, which contain information about a particular namespace, are stored in the named working directory. By default, this is /var/named. Each zone file is named according to the file option data in the zone statement, usually in a way that relates to the domain in question and identifies the file as containing zone data, such as example.com.zone.
  • Page 233 Section 14.2:BIND Configuration Files • $TTL — Sets the default Time to Live (TTL) value for the zone. This is the number, in seconds, given to nameservers that tells how long the zone’s resource records should continue to be valid. A resource record can contain its own TTL value, which would override this directive.
  • Page 234 Chapter 14:Berkeley Internet Name Domain (BIND)
        IN  CNAME  server1
    • MX — Mail eXchange record, which tells where mail sent to a particular namespace controlled by this zone should go.
    Figure 14–11 Sample MX record configuration
        IN  MX  <preference-value>  <email-server-name>
    In Figure 14–11, Sample MX record configuration, the <preference-value> allows you to numerically rank the email servers you would prefer to receive email for this namespace, giving preference to some email systems over others.
  • Page 235 Section 14.2:BIND Configuration Files • SOA — Start Of Authority record, proclaiming important authoritative information about the namespace to the nameserver. Located after the directives, an SOA record is the first resource record in a zone file.
    Figure 14–15 Sample SOA record configuration
    @   IN  SOA  <primary-name-server>...
  • Page 236 Chapter 14:Berkeley Internet Name Domain (BIND)
    Seconds    Other Time Units
    3600       1 hour
    10800      3 hours
    21600      6 hours
    43200      12 hours
    86400      1 day
    259200     3 days
    604800     1 week
    The following example demonstrates how a basic SOA resource record might look.
    Figure 14–16 Example SOA records
    @   IN  SOA  dns1.domain.com.  hostmaster.domain.com. (
                 2001062501  ; serial
                 21600       ;...
  • Page 237 Section 14.2:BIND Configuration Files
    ...                      mail2.domain.com.
                IN  A       10.0.1.5
    server1     IN  A       10.0.1.5
    server2     IN  A       10.0.1.7
    dns1        IN  A       10.0.1.2
    dns2        IN  A       10.0.1.3
                IN  CNAME   server1
    mail        IN  CNAME   server1
    mail2       IN  CNAME   server2
                IN  CNAME   server2
    In this example, standard directives and SOA values are used. The authoritative nameservers are set to be dns1.domain.com and dns2.domain.com, which have A records that tie them to 10.0.1.2 and 10.0.1.3, respectively.
  • Page 238: Using Rndc

    Chapter 14:Berkeley Internet Name Domain (BIND)
    $TTL 86400
    @   IN  SOA  dns1.domain.com.  hostmaster.domain.com. (
                 2001062501  ; serial
                 21600       ; refresh after 6 hours
                 3600        ; retry after 1 hour
                 604800      ; expire after 1 week
                 86400 )     ; minimum TTL of 1 day
        IN  NS   dns1.domain.com.
  • Page 239 Section 14.3:Using rndc 14.3.1 Configuration Files Before attempting to use the rndc command, verify that the proper configuration lines are in place in the necessary files. Most likely, your configuration files are not properly set if you run rndc and see a message that states:
    rndc: connect: connection refused
    /etc/named.conf...
  • Page 240 Chapter 14:Berkeley Internet Name Domain (BIND)
    Figure 14–23 Sample options statement in /etc/rndc.conf
    options {
        default-server localhost;
        default-key "<key-name>";
    };
    Optionally, the rndc command can be told to use a default key when accessing a particular server, as seen in Figure 14–24, Sample server statement in /etc/rndc.conf.
    Figure 14–24 Sample server statement in /etc/rndc.conf
    server localhost {
        "...
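    The "connection refused" message above means named is not listening for control connections at all, which is what happens when /etc/named.conf has no controls statement; a key that is present but differs between the two files fails later, with an authentication error. The shared secret must therefore appear, under the same key name, in both /etc/rndc.conf and /etc/named.conf. The following Python script is an added example, not code from the guide or from BIND (the rndc-confgen utility shipped with BIND 9 does the same job): it generates a random HMAC-MD5 secret, renders the matching stanzas for both files, and provides the check a practitioner runs when rndc misbehaves. The key name rndc-key and the 127.0.0.1 control address are assumptions.

```python
import base64
import os
import re

# Added example (not from the Red Hat guide or BIND): one shared secret, two files.
# Key name and control address are assumptions for the example.
KEY_NAME = "rndc-key"

RNDC_CONF = '''\
key "%(name)s" {
    algorithm hmac-md5;
    secret "%(secret)s";
};

options {
    default-server localhost;
    default-key "%(name)s";
};
'''

NAMED_CONF_STANZAS = '''\
key "%(name)s" {
    algorithm hmac-md5;
    secret "%(secret)s";
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { "%(name)s"; };
};
'''


def generate_secret(nbytes=16):
    """Random secret, base64-encoded as BIND expects inside a key statement."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def rndc_conf(secret, key_name=KEY_NAME):
    """Contents of /etc/rndc.conf: the key plus an options statement pointing at it."""
    return RNDC_CONF % {"name": key_name, "secret": secret}


def named_conf_controls(secret, key_name=KEY_NAME):
    """Stanzas for /etc/named.conf so named accepts rndc from localhost with this key only."""
    return NAMED_CONF_STANZAS % {"name": key_name, "secret": secret}


def extract_secret(conf_text, key_name=KEY_NAME):
    """Pull the secret out of the named key statement; None if that key is absent."""
    pattern = r'key\s+"%s"\s*\{[^}]*secret\s+"([^"]+)"' % re.escape(key_name)
    m = re.search(pattern, conf_text)
    return m.group(1) if m else None


def keys_match(rndc_text, named_text, key_name=KEY_NAME):
    """The check to run when rndc fails: both files must carry the same secret
    under the same key name."""
    a = extract_secret(rndc_text, key_name)
    b = extract_secret(named_text, key_name)
    return a is not None and a == b


if __name__ == "__main__":
    s = generate_secret()
    print(rndc_conf(s))
    print(named_conf_controls(s))
    print("keys match:", keys_match(rndc_conf(s), named_conf_controls(s)))
```

    Because the secret grants full control of the nameserver, both files should be readable only by root (and named's own account for named.conf); the allow clause in the controls statement keeps the control channel off the network even if the secret leaks.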
  • Page 241: Bind Advanced Features

    Section 14.4:BIND Advanced Features
    Figure 14–26 Structure of a rndc command
    rndc <options> <command> <command-options>
    The <options> area is not required, and you do not have to use <command-options> unless the command requires them. When executing rndc on a properly configured localhost, the following commands are available: •...
  • Page 242 Chapter 14:Berkeley Internet Name Domain (BIND) features that, when properly configured and utilized, allow for a more secure and efficient DNS ser- vice. CAUTION Some of these advanced features, such as DNSSEC, TSIG, and IXFR, should only be used in network environments with nameservers that support the features.
  • Page 243: Common Mistakes To Avoid

    Section 14.5:Common Mistakes to Avoid 14.4.3 Security BIND supports a number of different methods to protect the updating and transfer of zones, on both master and slave nameservers: • DNSSEC — Short for DNS SECurity, this feature allows for zones to be cryptographically signed with a zone key.
  • Page 244: Additional Resources

    Chapter 14:Berkeley Internet Name Domain (BIND) An omitted semi-colon or an unclosed curly-brace section will cause named to refuse to start. • Remember to place dots ( . ) in zone files after all FQDNs and omit them on hostnames. The dot symbolizes that the name given is full and complete. If the dot is omitted, then named will place the name of the zone or the $ORIGIN value after the name to complete it.
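    The trailing-dot rule above is the source of the most common zone-file bug: an NS or MX target written as dns2.domain.com is silently turned into dns2.domain.com.domain.com. and the zone loads without complaint. The following Python script is an added example, not code from the guide or from BIND: qualify() reproduces how named completes a name, and lint_zone() scans a zone file for name targets that contain dots but lack the final one. The sample zone is constructed for the example (it is the guide's domain.com layout with one dot deliberately dropped).

```python
# Added example (not from the Red Hat guide or BIND): name qualification in
# zone files and a lint for the forgotten trailing dot.

ORIGIN = "domain.com."          # zone origin assumed for the constructed sample

# Record types whose RDATA is a domain name that named will qualify.
RDATA_IS_NAME = {"NS", "CNAME", "MX", "PTR"}

# Constructed sample zone; the second NS record deliberately lacks its dot.
ZONE = """\
$TTL 86400
@       IN  SOA dns1.domain.com. hostmaster.domain.com. (
                2001062501  ; serial
                21600       ; refresh after 6 hours
                3600        ; retry after 1 hour
                604800      ; expire after 1 week
                86400 )     ; minimum TTL of 1 day
        IN  NS  dns1.domain.com.
        IN  NS  dns2.domain.com
        IN  MX  10 mail.domain.com.
dns1    IN  A   10.0.1.2
dns2    IN  A   10.0.1.3
mail    IN  CNAME server1
server1 IN  A   10.0.1.5
"""


def qualify(name, origin=ORIGIN):
    """Return the absolute name named derives from a name in a zone file."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                        # already fully qualified
    return "%s.%s" % (name, origin)        # relative: origin is appended


def lint_zone(lines, origin=ORIGIN):
    """Flag name RDATA that contains dots but no trailing dot: almost always a
    forgotten FQDN dot. Returns (line number, name as written, name named will use)."""
    problems = []
    for n, raw in enumerate(lines, 1):
        line = raw.split(";")[0].strip()           # drop comments
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if "IN" not in fields:                     # SOA continuation lines, etc.
            continue
        i = fields.index("IN")
        if len(fields) < i + 3:
            continue
        rtype, rdata = fields[i + 1], fields[i + 2:]
        if rtype not in RDATA_IS_NAME:
            continue
        target = rdata[1] if rtype == "MX" and len(rdata) > 1 else rdata[0]
        if "." in target and not target.endswith("."):
            problems.append((n, target, qualify(target, origin)))
    return problems


def lint_sample():
    """Lint the constructed sample zone."""
    return lint_zone(ZONE.splitlines())


if __name__ == "__main__":
    for n, written, used in lint_sample():
        print("line %d: %s will be treated as %s" % (n, written, used))
```

    A CNAME such as mail IN CNAME server1 is deliberately relative and is not flagged, since named correctly expands it to server1.domain.com.; the lint only reports names that already look fully qualified.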
  • Page 245 PDF version of the BIND 9 Administrator Reference Manual. • http://www.redhat.com/mirrors/LDP/HOWTO/DNS-HOWTO.html — Covers the use of BIND as a resolving, caching nameserver or the configuration of various zone files necessary to serve as the primary nameserver for a domain.
  • Page 247: Chapter 15 Lightweight Directory Access Protocol (Ldap)

    Section 15.2:Pros and Cons of LDAP 15 Lightweight Directory Access Protocol (LDAP) 15.1 What is LDAP? LDAP (Lightweight Directory Access Protocol) is a proposed open standard for accessing global or local directory services over a network and/or the Internet. A directory, in this sense, is very much like a phone book.
  • Page 248: Uses For Ldap

    Chapter 15:Lightweight Directory Access Protocol (LDAP) Other LDAP benefits include its ease of implementation (compared to X.500) and its well-defined Application Programming Interface (API), which means that the number of LDAP-enabled applications and LDAP gateways should increase in the future. On the negative side, if you want to use LDAP, you will need LDAP-enabled applications or the ability to use LDAP gateways.
  • Page 249: Ldap Terminology

    Section 15.5:OpenLDAP 2.0 Enhancements 15.4 LDAP Terminology An entry is one unit in an LDAP directory. An entry is identified or referenced by its unique Distinguished Name (DN). An entry has attributes, which are pieces of information directly associated with the entry. For example, an organization could be an LDAP entry.
  • Page 250: Openldap Files

    Chapter 15:Lightweight Directory Access Protocol (LDAP) • LDAPv3 Support — Now works with SASL, TLS, and SSL, among other improvements, in full compliance with RFC 2251-2256; many of the changes since LDAPv2 are aimed to help make LDAP a much more secure protocol. •...
  • Page 251 Section 15.6:OpenLDAP Files to something like:
    rootdn "cn=root, dc=redhat, dc=com"
    rootdn "cn=ldapmanager, dc=my_organization, dc=org"
    Change the rootpw line from:
    rootpw secret
    to something like:
    rootpw {crypt}s4L9sOIJo4kBM
    In the above example, you are using a hashed root password, which is a much better idea than leaving a plain text root password in the slapd.conf file. Keep slapd.conf readable only by root and by the account slapd runs as, since a hashed password can still be guessed offline by anyone who can read it.
  • Page 252: Openldap Daemons And Utilities

    Chapter 15:Lightweight Directory Access Protocol (LDAP) CAUTION You should not modify any of the schema items defined in the schema files installed by OpenLDAP. You can extend the schema used by OpenLDAP to support additional attribute types and object classes using the default schema files as a guide. To do this, create a local.schema file in the /etc/openldap/schema directory.
  • Page 253: Modules For Adding Extra Functionality To Ldap

    Section 15.8:Modules for Adding Extra Functionality to LDAP • ldapdelete — Deletes entries from an LDAP directory, accepting input via a file or a shell prompt. With the exception of ldapsearch, each of these utilities is much more easily used by referencing a file with the changes to be made rather than typing the commands one after the other.
  • Page 254: Ldap How To: A Quick Overview

    Refer to either the Quick Start Guide at the OpenLDAP site ( http://www.openldap.org/doc/admin/quickstart.html — start at "Edit the configuration file" since the LDAP files are already installed) or see the LDAP Linux HOWTO ( http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html) for instructions on using LDAP on your system. Both of these documents cover the rest of these steps in more detail.
  • Page 255 Section 15.10:Configuring Your System to Authenticate Using OpenLDAP than is provided here. Please refer to the references provided in Section 15.11, Additional Resources for more information. 15.10.1 Install the Necessary LDAP Packages First, you should make sure that the appropriate packages are installed on both the LDAP server and the LDAP client machines.
  • Page 256 Chapter 15:Lightweight Directory Access Protocol (LDAP) 15.10.3 Migrate Your Old Authentication Information to LDAP Format The /usr/share/openldap/migration directory contains a set of shell and Perl scripts for migrating your old authentication information into LDAP format. (You must have Perl installed on your system to use these scripts.) First, you’ll need to modify the migrate_common.ph file so that it reflects your domain.
  • Page 257: Additional Resources

    "robust, commercial-grade, fully featured, and open source LDAP suite of applications and development tools." • http://www.redhat.com/mirrors/LDP/HOWTO/LDAP-HOWTO.html — LDAP Linux HOWTO document, covering the installation through authentication and logging. • http://www.padl.com — Developers of nss_ldap and pam_ldap, among other useful LDAP tools.
  • Page 258 Chapter 15:Lightweight Directory Access Protocol (LDAP) 15.11.3 Related Books • Implementing LDAP by Mark Wilcox; Wrox Press, Inc. • Understanding and Deploying LDAP Directory Services by Tim Howes et al.; Macmillan Technical Publishing...
  • Page 259: Chapter 16 Email

    Section 16.1:Protocols 16 Email Email is one of the most widely used services on the Internet. Red Hat Linux offers many ways for you to utilize email, whether you are a desktop user or a system administrator. This chapter looks at popular email protocols that are in use today and various programs designed to accomplish different types of tasks when dealing with email.
  • Page 260 Chapter 16:Email The imap package in Red Hat Linux allows users to connect to your system and receive their email using IMAP. Secure IMAP connections are supported through Secure Socket Layer (SSL) technology built into the imapd daemon, allowing it to use the /usr/share/ssl/certs/imapd.pem certificate file.
  • Page 261 Section 16.1:Protocols • KPOP — POP3 with Kerberos authentication. See Chapter 8, Using Kerberos 5 on Red Hat Linux for more information concerning Kerberos authentication. • RPOP — POP3 with RPOP authentication, which utilizes an ID issued per user, similar to a password, to authenticate POP requests.
  • Page 262: Different Types Of Email Programs

    Chapter 16:Email answers with a 250 line containing the various SMTP extensions it supports. Then, the connecting server can use the supported extensions as it wishes to accomplish the goals of the communication. One noticeable extension concerns the addition of SMTP Authentication through the AUTH command as outlined in RFC-2554.
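    The EHLO negotiation described above decides what a client may do, and the AUTH extension is the part worth understanding: AUTH PLAIN and AUTH LOGIN only base64-encode the credentials, so they are safe only after STARTTLS (or on an SSL-wrapped connection). The following Python code is an added example, not code from the guide or from any MTA: it parses a constructed multi-line 250 reply into its extensions, builds the AUTH PLAIN payload a client would send, and shows that a network observer recovers the password from that payload by decoding it. The hostnames and the user1/secret credentials are constructed.

```python
import base64

# Added example (not from the Red Hat guide or from Sendmail): EHLO extension
# parsing and the AUTH PLAIN payload. The dialogue below is constructed.

EHLO_REPLY = (
    "250-mail.domain.com Hello client.domain.com [10.0.1.20]\r\n"
    "250-SIZE 10485760\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply):
    """Return {EXTENSION: [parameters]} from a multi-line 250 reply to EHLO."""
    extensions = {}
    for line in reply.split("\r\n")[1:]:      # first line is the greeting, not an extension
        if not line.startswith("250"):
            continue
        body = line[4:].split()
        if body:
            extensions[body[0].upper()] = body[1:]
        if line[3] == " ":                     # "250 " (space) marks the final line
            break
    return extensions


def auth_plain(user, password, authzid=""):
    """Client payload for AUTH PLAIN: base64(authzid NUL authcid NUL password)."""
    raw = "%s\0%s\0%s" % (authzid, user, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def auth_plain_decode(payload):
    """What anyone watching the wire recovers from that payload: it is encoded, not encrypted."""
    parts = base64.b64decode(payload).decode("utf-8").split("\0")
    return {"authzid": parts[0], "user": parts[1], "password": parts[2]}


def safe_to_authenticate(extensions, tls_active):
    """Send AUTH only if the server offers it and the session is already under TLS."""
    return "AUTH" in extensions and tls_active


if __name__ == "__main__":
    ext = parse_ehlo(EHLO_REPLY)
    print(ext["AUTH"])                               # ['LOGIN', 'PLAIN']
    payload = auth_plain("user1", "secret")
    print(payload)                                   # AHVzZXIxAHNlY3JldA==
    print(auth_plain_decode(payload)["password"])    # secret
    print(safe_to_authenticate(ext, tls_active=False))   # False: STARTTLS first
```

    A client that sees both STARTTLS and AUTH in the reply should issue STARTTLS, then send EHLO again, because the extension list the server advertises after the TLS handshake may differ from the one it advertised in the clear.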
  • Page 263: Sendmail

    Section 16.3:Sendmail complicated. In addition, due to problems from spam, use of a particular MTA is usually restricted by the MTA’s own configuration or network access to the system running it. Many of the larger and more complex MUAs can also be used to send email. However, this action should not be confused with the actions of a true MTA.
  • Page 264 Chapter 16:Email of a mail message file from one host to another did not take place until 1972, when email began to be moved by FTP over the NCP network protocol. This easier method of communication quickly became popular, even to the point where it made up most of ARPANET’s traffic in less than a year. However, a lack of standardization between competing protocols made email much harder to send from some systems, and this continued until the ARPANET standardized on TCP/IP in 1982.
  • Page 265 Section 16.3:Sendmail edit the /etc/mail/sendmail.mc file and use the included m4 macro processor to create a new /etc/sendmail.cf (after backing up the original /etc/sendmail.cf, of course). More information on configuring Sendmail can be found in Section 16.3.4, Common Sendmail Configuration Changes. Various Sendmail configuration files are installed in /etc/mail including: •...
  • Page 266 Chapter 16:Email from the /etc/sendmail.cf you backed up to the new /etc/sendmail.cf file. After creat- ing a new /etc/sendmail.cf, you must restart Sendmail to make it take effect. The easiest way to do this is to type the service sendmail restart command as root. By default, the m4 macro processor is installed with Sendmail.
  • Page 267 Section 16.3:Sendmail 16.3.5 Stopping Spam with Sendmail Email spam can be defined as unnecessary and unwanted email received by a user that probably does not know the sender and never requested the communication. It is a very disruptive, costly, and widespread abuse of Internet communication standards.
  • Page 268: Fetchmail

    Chapter 16:Email LDAP server to look up a particular email address from a common corporate directory by a user’s last name. In this kind of implementation, LDAP is largely separate from Sendmail, with LDAP storing the hierarchical user information and Sendmail only being given the result of LDAP queries in pre-addressed email messages.
  • Page 269 Section 16.4:Fetchmail Before attempting to use Fetchmail, be sure that it is installed on your system. If it is not, you can install it using the fetchmail RPM on the Red Hat Linux CD-ROMs. Fetchmail is configured for each user through the use of a .fetchmailrc file in the user’s home directory. Because this file holds mail server passwords in clear text, it must be readable only by its owner (mode 0600); fetchmail refuses to run if the file is readable by other users.
  • Page 270 Chapter 16:Email A sample .fetchmailrc file looks like this: Figure 16–6 Example of a basic .fetchmailrc file
    set postmaster "user1"
    set bouncemail
    poll pop.domain.com proto pop3
    user 'user1' there with password 'secret' is user1 here
    poll mail.domain2.com
    user 'user5' there with password 'secret2' is user1 here
    user 'user7'...
  • Page 271 Section 16.4:Fetchmail • postmaster — Gives Fetchmail a local user to send mail to in case of delivery problems. • syslog — Tells Fetchmail to start logging error and status messages in the system’s log file. By default, this is /var/log/maillog. Server Options Place server options on their own line in .fetchmailrc after a poll or skip action.
  • Page 272 Chapter 16:Email • postconnect " <command> " — Tells Fetchmail to execute the specified command after retrieving messages for this user. • ssl — Allows Fetchmail to collect the message via an encrypted SSL connection, if the server supports this. •...
  • Page 273: Procmail

    Section 16.5:Procmail • -l <max-number-bytes> — Tells Fetchmail to not download any messages over a particular size and leave them on the remote email server. • --quit — Quits the Fetchmail daemon process. More commands and .fetchmailrc options can be found on the fetchmail man page. 16.5 Procmail Procmail allows you to filter email as it is received from a remote email server, or placed in your spool file on a local or remote email server.
  • Page 274 Chapter 16:Email 16.5.1 Procmail Configuration Procmail configuration files, most notably the user’s .procmailrc, contain important environmental variables. These variables tell Procmail which messages to sort, what to do with the messages that do not match any recipes, and so on. These environmental variables usually appear in the .procmailrc file at the beginning, in the following format, each on their own line: Figure 16–7 Structure of an environmental variable line...
  • Page 275 Section 16.5:Procmail • MAILDIR — Sets the current working directory for Procmail. If set, all other Procmail paths are relative to this directory. • ORGMAIL — Specifies the original mailbox, or another place to put the messages if they cannot be placed in the default or recipe-required location.
  • Page 276 Chapter 16:Email
    * <special-condition-character> <condition-2>
    * <special-condition-character> <condition-N>
    <special-action-character><action-to-perform>
    The first two characters in a Procmail recipe are a colon and a zero. Various flags can optionally be placed after the zero to control what Procmail does when processing this recipe. A colon after the <flags>...
  • Page 277 Section 16.5:Procmail To ensure that the action on this last previous matching recipe was successfully completed before allowing a match on the current recipe, use the a flag instead. • B — Parse the body of the message and look for matching conditions. •...
  • Page 278 Chapter 16:Email Special Conditions and Actions Particular characters used before Procmail recipe conditions and actions change the way they are interpreted. The following characters may be used after the * character at the beginning of a recipe’s condition line: •...
  • Page 279 Section 16.5:Procmail The first line starts the recipe by specifying that a local lockfile is to be created but does not specify a name, leaving Procmail to use the destination filename and the LOCKEXT to name it. No condition is specified, so every message will match this recipe and, therefore, will be placed in the single spool file called new-mail.spool, located within the directory specified by the MAILDIR environment variable.
  • Page 280: Security

    Chapter 16:Email Any messages sent from the tux-lug@domain.com mailing list will be placed in the tuxlug mailbox automatically for your MUA. Note that the condition in this example will match the message if it has the mailing list’s email address on the From, CC, or To lines. Procmail can also be used to block spam, although this is not a good long-term solution for junk mail.
  • Page 281 Section 16.6:Security 16.6.1 Secure Email Clients Thankfully, most Linux MUAs designed to check email on remote servers support SSL to encrypt messages as they are sent back and forth over the network. In order to use SSL when retrieving email, it must be enabled on the email client and server.
  • Page 282: Additional Resources

    Chapter 16:Email changing to the /usr/share/ssl/certs directory and running the make imapd.pem command. Then, set the imaps service to start at the proper runlevels and restart xinetd to enable the service. You can also use the ipop3 package bundled with Red Hat Linux to provide SSL encryption on its own without stunnel.
  • Page 283 • http://www.redhat.com/mirrors/LDP/HOWTO/Mail-User-HOWTO — Looks at email from the user’s perspective, investigates various popular email client applications, and gives an introduction to topics such as aliases, forwarding, auto-replying, mailing lists, mail filters, and spam.
  • Page 284 Chapter 16:Email • Internet Email Protocols: A Developer’s Guide by Kevin Johnson; Addison-Wesley Publishing Company — Provides a very thorough review of major email protocols and the security they provide. • Managing IMAP by Dianna Mullet and Kevin Mullet; O’Reilly & Associates — Details the steps required to configure an IMAP server.
  • Page 285: Chapter 17 Network File System (Nfs)

    Section 17.1:Methodology 17 Network File System (NFS) NFS (Network File System) exists to allow remote hosts to mount partitions on a particular system and use them as though they were local filesystems. This allows files to be organized in a central location, while providing the functionality of allowing authorized users continuous access to them.
  • Page 286 Chapter 17:Network File System (NFS) NFS version 2 uses the User Datagram Protocol (UDP) to provide a stateless network connection between the client and server. (NFS version 3 can use UDP or TCP running over an IP.) The stateless UDP connection minimizes network traffic, as the NFS server sends the client a cookie after the client is authorized to access the shared volume.
  • Page 287: Nfs Server Configuration Files

    Section 17.2:NFS Server Configuration Files RPC daemons to be affected by a particular access control rule. The man pages for rpc.mountd and rpc.statd contain information regarding the precise syntax of these rules. portmap Status As portmap provides the coordination between RPC services and the port numbers utilized to communicate with them, it is useful to be able to get a picture of the current RPC services using portmap when troubleshooting.
  • Page 288 Chapter 17:Network File System (NFS) rpc.mountd and rpc.nfsd the information necessary to allow the remote mounting of a filesystem by an authorized host. The exportfs command allows you to selectively export or unexport directories without restarting the various NFS services. When exportfs is passed the proper options, the filesystems to be exported are written to /var/lib/nfs/xtab.
  • Page 289 Section 17.2:NFS Server Configuration Files must be separated by space characters. Options for each of the hosts must be placed in parentheses directly after the host identifier, without any spaces separating the host and the first parenthesis. In its simplest form, /etc/exports only needs to know the directory to be exported and the hosts permitted to utilize it:
    /some/directory bob.domain.com
    /another/exported/directory 192.168.0.3...
  • Page 290 Chapter 17:Network File System (NFS) When specifying hosts to be allowed to use a particular exported filesystem, a variety of methods can be used, including: • single host — Where one particular host is specified with a fully qualified domain name, hostname, or IP address.
  • Page 291: Nfs Client Configuration Files

    Section 17.3:NFS Client Configuration Files 17.3 NFS Client Configuration Files Any NFS share made available by a server can be mounted using various methods. Of course, the share can be manually mounted, using the mount command, to acquire the exported filesystem at a particular mount point.
  • Page 292 Chapter 17:Network File System (NFS) stops in designated runlevels, the mount configurations in the various files can be automatically implemented. In order to use autofs, you must have the autofs RPM installed on your system. The autofs configuration files are arranged in a parent-child relationship. A main configuration file (/etc/auto.master) refers to mount points on your system that are linked to a particular map type, which take the form of other configuration files, programs, NIS maps, and other less common mount methods.
  • Page 293: Securing Nfs

    Section 17.4:Securing NFS 17.3.3 Common NFS Mount Options Beyond mounting a filesystem via NFS on a remote host, a number of different options may be specified at the time of the mount that can make it easier to use. These options can be utilized with manual mount commands, /etc/fstab settings, autofs, and other mounting methods.
  • Page 294 Chapter 17:Network File System (NFS) The following points should be considered when exporting NFS filesystems on a server or mounting them on a client. Doing so will minimize NFS security risks and better protect your data and equipment. 17.4.1 Host Access NFS controls who can mount an exported filesystem based on the host making the mount request, not the user that will utilize the filesystem.
  • Page 295: Additional Resources

    Section 17.5:Additional Resources 17.5 Additional Resources Administering an NFS server can be a challenge. Many options, including quite a few not mentioned in this chapter, are available for exporting NFS filesystems or mounting them as a client. Consult these sources of information for more details. 17.5.1 Installed Documentation •...
  • Page 296 Chapter 17:Network File System (NFS)
  • Page 297: Chapter 18 Firewalling With Iptables

    Section 18.1:Packet Filtering 18 Firewalling with iptables The Linux kernel contains advanced tools for packet filtering, the process of controlling network packets as they attempt to enter, move through, and exit your system. Pre-2.4 kernels contained the ability to manipulate packets using ipchains which used lists of rules that apply to packets at each step of the filtering process.
  • Page 298: Differences Between Iptables And Ipchains

    Chapter 18:Firewalling with iptables from or going to a particular IP address or set of addresses when using a particular protocol and network service. Regardless of their destination, when packets match a particular rule on one of the rule lists, they are designated for a particular target, or action to be applied to them.
  • Page 299: Options Used In Iptables Commands

    Section 18.3:Options Used in iptables Commands • Order matters when placing options in a chain rule. Previously, with ipchains, it did not matter very much how you ordered the rule options when typing the rule. The iptables command is a bit pickier about where some options may go. For example, you must now specify the source or destination port after the protocol (ICMP, TCP, or UDP) to be used in a chain’s rule.
  • Page 300 Chapter 18:Firewalling with iptables
    iptables [-t <table-name>] <command> <chain-name> <parameter-1> <option-1> <parameter-n> <option-n>
    In this example, the <table-name> option allows the user to select a table other than the default filter table to use with the command. The <command> option is the center of the command, dictating a specific action to perform, such as appending or deleting a rule from a particular chain, which is specified by the <chain-name>...
  • Page 301 Section 18.3:Options Used in iptables Commands • -h — Provides a list of helpful command structures, as well as a quick summary of command parameters and options. • -I — Inserts a rule in a chain at a particular point. Assign a number to the rule to be inserted and iptables will put it there.
  • Page 302 Chapter 18:Firewalling with iptables • -d Sets the destination hostname, IP address, or network of a packet that will match the rule. When matching a network, you can use two different methods for signifying the netmasks, such as 192.168.0.0/255.255.255.0 or 192.168.0.0/24. •...
  • Page 303 Section 18.3:Options Used in iptables Commands 18.3.5 Match Options Different network protocols provide specialized matching options which may be set in specific ways to match a particular packet using that protocol. Of course, the protocol must first be specified in the iptables command, such as using -p tcp <protocol-name>...
  • Page 304 Chapter 18:Firewalling with iptables • --tcp-option Attempts to match with TCP-specific options that can be set within a particular packet. This match option can also be reversed with the exclamation point character (!). UDP Protocol These match options are available for the UDP protocol (-p udp): •...
  • Page 305 Section 18.3:Options Used in iptables Commands • --limit-burst — Sets a limit on the number of packets able to match a rule at one time. This option should be used in conjunction with the --limit option, and it accepts a number to set the burst threshold.
  • Page 306 Chapter 18:Firewalling with iptables • QUEUE — The packet is queued for handling in userspace, where something else (a user or an application, for instance) can do something with it. • RETURN — Stops checking the packet against rules in the current chain. If the packet with a RETURN target matches a rule in a chain called from another chain, the packet is returned to the first chain to resume rule checking where it left off.
  • Page 307: Storing Iptables Information

    Section 18.4:Storing iptables Information 18.3.7 Listing Options The default list command, iptables -L, provides a very basic overview of the default filter table’s current rule chains. Additional options exist that provide more information and arrange that information in specific ways: •...
  • Page 308: Additional Resources

    Chapter 18:Firewalling with iptables 18.5 Additional Resources Packet filtering and iptables are complex subjects. Additional information can be helpful in providing alternative viewpoints and methods for controlling network traffic on your system. 18.5.1 Installed Documentation • The iptables man page contains a comprehensive description of various commands, parameters, and other options that assist in the addition of new tables and construction of chain rules.
  • Page 309: Part Iv

    Part IV Appendixes...
  • Page 311: Appendix A General Parameters And Modules

    General Parameters and Modules A General Parameters and Modules This appendix is provided to illustrate some of the possible parameters that may be needed by certain drivers for particular hardware devices. In most cases, these additional parameters are unnecessary, since the kernel may already be able to use the device without them. You should only use the settings provided in this appendix if you are having trouble getting Red Hat Linux to use a particular device or you need to override the system’s default parameters for the device.
  • Page 312: Specifying Module Parameters

    Appendix A:General Parameters and Modules A.1 Specifying Module Parameters If you are providing parameters upon loading a module, you can usually specify them using one of two different methods: • Specify a full set of parameters in one statement. For example, the parameter cdu31=0x340,0 could be used with a Sony CDU 31 or 33 at port 340 with no IRQ.
  • Page 313 Section A.2:CD-ROM Module Parameters In the following tables, most modules listed without any parameters can either be auto-probed to find the hardware or they require you to manually change settings in the module source code and recompile. Table A–1 Hardware Parameters Hardware Module Parameters...
  • Page 314 Appendix A:General Parameters and Modules Hardware Module Parameters Sanyo CDR-H94A sjcd=io_port OR sjcd_base=io_port sjcd.o Sony CDU-535 & 531 (some sonycd535.o sonycd535=io_port Procomm drives) Here are some examples of these modules in use: Table A–2 Hardware Parameters Configuration Examples Configuration Example ATAPI CD-ROM, jumpered as master on the hdc=cdrom second IDE channel...
  • Page 315 Section A.3:SCSI parameters A.3 SCSI parameters Table A–3 SCSI Parameters Hardware Module Parameters Adaptec 28xx, R9xx, 39xx aic7xxx.o 3ware Storage Controller 3w-xxxx.o NCR53c810/820/720, 53c7,8xx.o NCR53c700/710/700-66 AM53/79C974 (PC-SCSI) AM53C974.o Driver Most Buslogic (now Mylex) BusLogic.o cards with "BT" part number Mylex DAC960 RAID Controller DAC960.o MCR53c406a-based SCSI NCR53c406a.o a100u2w.o...
  • Page 316 Appendix A:General Parameters and Modules Hardware Module Parameters Adaptec AHA-274x, aic7xxx.o AHA-284x, AHA-29xx, AHA-394x, AHA-398x, AHA-274x, AHA-274xT, AHA-2842, AHA-2910B, AHA-2920C, AHA-2930/U/U2, AHA-2940/W/U/UW/AU/, U2W/U2/U2B/, U2BOEM, AHA-2944D/WD/UD/UWD, AHA-2950U2/W/B, AHA-3940/U/W/UW/, AUW/U2W/U2B, AHA- 3950U2D, AHA-3985/U/W/UW, AIC-777x, AIC-785x, AIC-786x, AIC-787x, AIC-788x , AIC-789x, AIC-3860 ACARD ATP870U PCI SCSI atp870u.o Controller Compaq Smart Array 5300...
  • Page 317 Section A.3:SCSI parameters Hardware Module Parameters eata.o DTP SCSI host adapters (EATA/DMA) PM2011B/9X ISA, PM2021A/9X ISA, PM2012A, PM2012B, PM2022A/9X EISA, PM2122A/9X, PM2322A/9X, SmartRAID PM3021, PM3222, PM3224 DTP SCSI Adapters PM2011, eata_dma.o PM2021, PM2041, PM3021, PM2012B, PM2022, PM2122, PM2322, PM2042, PM3122, PM3222, PM3332, PM2024, PM2124, PM2044, PM2144, PM3224, PM3334...
  • Page 318 Appendix A:General Parameters and Modules Hardware Module Parameters NCR SCSI controllers ncr53c8xx.o ncr53c8xx=option1:value1,option2:value2,… OR with 810/810A/815/ 825/825A/860/875/876/895 ncr53c8xx="option1:value1 chipsets option2:value2…" Pro Audio Spectrum/Studio 16 pas16.o PCI-2000 IntelliCache pci2000.o PCI-2220I EIDE RAID pci2220i.o ppa.o IOMEGA PPA3 parallel port SCSI host adapter Perceptive Solutions PSI-240I psi240i.o EIDE...
  • Page 319 Section A.4:Ethernet parameters Hardware Module Parameters UltraStor 14F/34F (not 24F) u14-34f.o UltraStor 14F, 24F, and 34F ultrastor.o WD7000 Series wd7000.o Here are some examples of these modules in use: Table A–4 SCSI Parameters Configuration Examples Configuration Example Adaptec AHA1522 at port 330, IRQ 11, SCSI aha152x=0x330,11,7 ID 7 Adaptec AHA1542 at port 330...
  • Page 320 Appendix A:General Parameters and Modules Hardware Module Parameters 3Com EtherLink PCI 3c59x.o III/XL Vortex (3c590, 3c592, 3c595, 3c597) Boomerang (3c900, 3c905, 3c595) RTL8139, SMC EZ Card 8139too.o Fast Ethernet RealTek cards using 8139too.o RTL8129 or RTL8139 Fast Ethernet chipsets Apricot 82596 82596.o Ansel Communications ac3200.o...
  • Page 321 Section A.4:Ethernet parameters Hardware Module Parameters D-Link DE-600 Ethernet de600.o Pocket Adapter D-Link DE-620 Ethernet de620.o Pocket Adapter DIGITAL DEPCA & depca.o depca=io_port,IRQ OR depca EtherWORKS DEPCA, io=io_port irq=IRQ DE100, DE101, DE200 Turbo, DE201Turbo DE202 Turbo TP/BNC, DE210, DE422 EISA Digi Intl.
  • Page 322 Appendix A:General Parameters and Modules Hardware Module Parameters ICL EtherTeam 16i/32 eth16i=io_port,IRQ OR eth16i eth16i.o EISA ioaddr=io_port IRQ=IRQ EtherWORKS 3 (DE203, ewrk3.o ewrk=io_port,IRQ OR ewrk DE204 and DE205) io=io_port irq=IRQ A Packet Engines GNIC-II hamachi.o Gigabit HP PCLAN/plus hp-plus.o hp-plus=io_port,IRQ OR hp-plus io=io_port irq=IRQ HP LAN Ethernet hp.o...
  • Page 323 Section A.4:Ethernet parameters Hardware Module Parameters MiCom-Interlan NI5010 ni5010.o NI5210 card (i82586 ni52.o ni52=io_port,IRQ OR ni52 Ethernet chip) io=io_port irq=IRQ NI6510 Ethernet ni65.o AMD PCnet32 and AMD pcnet32.o PCnetPCI SysKonnect SK-98XX sk98lin.o Gigabit smc-ultra.o SMC Ultra and SMC smc-ultra=io_port,IRQ OR EtherEZ ISA ethercard smc-ultra io=io_port irq=IRQ (8K, 83c790)
  • Page 324 Appendix A:General Parameters and Modules Hardware Module Parameters VIA Rhine PCI Fast via-rhine.o Ethernet cards with either the VIA VT86c100A Rhine-II PCI or 3043 Rhine-I D-Link DFE-930-TX PCI 10/100 AT&T GIS (nee NCR) wavelan.o wavelan=[IRQ,0],io_port,NWID WaveLan ISA Card WD8003 and wd.o wd=io_port,IRQ,mem, mem_end WD8013-compatible...
  • Page 325 (for ISA cards) or simply add one alias line for each card (for PCI cards). For additional information about using more than one Ethernet card, see the Linux Ethernet-HOWTO at http://www.redhat.com/mirrors/LDP/HOWTO/Ethernet-HOWTO.html.
  • Page 326 Appendix A:General Parameters and Modules...
  • Page 327 Index Index reloading ........193 restarting ........193 running without security....218 server status reports ...... 212 access control ....... 146 starting ........193 AccessConfig stopping ........193 Apache configuration directive ..
  • Page 328 Index configuration files ..... 239 AddEncoding......209 /etc/named.conf ....239 AddHandler......209 /etc/rndc.conf....239 AddIcon......... 208 sample zone statements ....231 AddIconByEncoding....207 AddIconByType ...... 208 BindAddress Apache configuration directive ..
  • Page 329 Index LockFile ....... 195 DefaultIcon LogFormat ......205 Apache configuration directive ..208 LogLevel ....... 205 DefaultType MaxClients......197 Apache configuration directive ..203 MaxKeepAliveRequests ..196 Deny MaxRequestsPerChild .... 197 Apache configuration directive ..
  • Page 330 Index Procmail ........273 mouse ........50 protocols ........259 network........51 IMAP........259 pcmcia ........51 POP........260 rawdevices......52 SMTP ........261 sendmail ..
  • Page 331 Index structure Apache configuration directive ..204 books ........21 HTTP put ........211 virtual ........59 httpd.conf FrontPage ........192 ( See configuration directives, Apache ) Group IfDefine Apache configuration directive ..199 Apache configuration directive ..
  • Page 332 Index Apache configuration directive ..196 Apache configuration directive ..198 KeepAliveTimeout Location Apache configuration directive ..196 Apache configuration directive ..211 Kerberos ........139 LockFile additional resources...... 143 Apache configuration directive ..195 installed documentation ..
  • Page 333 Index your own ....... 216 non-secure Web server defualt........192 disabling ........219 ntsysv ........55 ( See Mail Transfer Agent ) ( See Mail User Agent ) objects, dynamically shared ( See DSOs ) OpenLDAP .....
  • Page 334 Index shadow ........137 mdstat ........71 meminfo........71 PidFile Apache configuration directive ..195 misc........73 Pluggable Authentication Modules modules........73 ( See PAM ) mounting........59 mounts .....
  • Page 335 Index programs security running at boot time ...... 56 configuring ....... 214 proxy server ......212–213 Kerberos ........139 running Apache without ....218 ProxyRequests Apache configuration directive ..212 Sendmail........263 additional resources.
  • Page 336 Index configuration files......162 access control......146 introduction......157–158 operators ....... 147 layers ........160 patterns......... 146 protocol ......157, 160 shell commands ....... 148 authentication..
  • Page 337 Index after editing httpd.conf ..... 194 window managers......120 error log........205 TypesConfig Apache configuration directive ..203 ( See XFree86 ) boot process ......101 UseCanonicalName Apache configuration directive ..203 XFree86.