Lecture Notes Unit 3 Network Administration


NETWORK ADMINISTRATION
SUB CODE: KS_C_FC-592
9TH SEM M.SC. (CA & IT)

UNIT 3:
• HTTP SERVICES
• MAIL SERVICES
• PROXY SERVER
• OPEN SSH
• AUTHENTICATION CONFIGURATION
3.1 HTTP SERVICES

• Linux distributions provide several web servers for use on your system.
• The primary web server is Apache. It is a very powerful, stable, and easy-to-configure system.

Apache Web Server
• The Apache web server is a full-featured free HTTP (web) server developed and maintained by the Apache Server Project.
• The server software includes the server daemon, configuration files, management tools and documentation.

Linux Apache Installation
• Your Linux distribution will normally provide you with the option of installing the Apache web server during your initial installation of your Linux system.
• All the necessary directories and configuration files are automatically generated for you.
• Then, whenever you run Linux, your system is already a fully functional website.
• Every time you start your system, the web server will also start up, running continuously.
• On most distributions, the directory reserved for your website data files is /var/www/html.
• Place your web pages in this directory. Your system is already configured to operate as a web server.
• Once your website is connected to a network, remote users can access it.

Starting and Stopping the Web Server
• On most systems, Apache is installed as a standalone server, continually running.
• With init scripts, your system automatically starts up the web server daemon, invoking it whenever you start your system.
• On Red Hat, Fedora, SUSE, and similar distributions, you can use the chkconfig command to set the runlevels at which the httpd server will start, creating links in the appropriate runlevel directories.
• The following command will set up the web server (httpd) to start up at runlevels 3 and 5:

    chkconfig --level 35 httpd on

• A service script for the web server called httpd is in the /etc/rc.d/init.d directory.
• You can use the service command to start and stop the httpd server manually:

    service httpd start

• Apache also provides a control tool called apachectl (Apache control) for managing your web server.
• With apachectl, you can start, stop, and restart the server from the command line.
• The apachectl command takes several arguments: start to start the server, stop to stop it, and restart to shut down and restart the server.
• To check your web server, start your web browser and enter the Internet domain name address of your system.
• For the system turtle.mytrek.com, the user enters http://turtle.mytrek.com.
• This should display the home page you placed in your web root directory.
• Once you have your server running, you can check its performance with the ab benchmarking tool.
• ab shows you how many requests at a time your server can handle.
• Options include:
  - -v, which enables you to control the level of detail displayed;
  - -n, which specifies the number of requests to handle (default is 1); and
  - -t, which specifies a time limit.
• Connection and request timing is handled by the Timeout, KeepAlive, MaxKeepAliveRequests, and KeepAliveTimeout directives.
• Timeout is the time in seconds after which the web server times out a send or receive request.
• KeepAlive allows persistent connections, several requests from a client on the same connection. This is turned off by default.
• MaxKeepAliveRequests sets the maximum number of requests on a persistent connection.
• KeepAliveTimeout is the time that a given connection to a client is kept open to receive more requests from that client.
• The Listen directive will bind the server to a specific port or IP address.
• By default this is port 80.

    Listen 80
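The following added example (not Apache's own code and not part of the lecture notes) models how the KeepAlive, MaxKeepAliveRequests and KeepAliveTimeout directives combine to decide whether a client's next request can reuse an already open connection. The httpd.conf fragment is constructed from the directives discussed above; Listen and Timeout are parsed but only the keep-alive directives influence the count.

```python
"""Model Apache's keep-alive connection policy from a few httpd.conf
directives. Added example; not Apache's own implementation."""
from dataclasses import dataclass

# Constructed httpd.conf fragment using the directives discussed above.
HTTPD_CONF = """
Listen 80
Timeout 60
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
"""


def parse_directives(text):
    """Return {directive: value} for one-line directives (no <sections>)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        conf[name] = value.strip()
    return conf


@dataclass
class KeepAlivePolicy:
    enabled: bool
    max_requests: int      # Apache treats 0 as "unlimited"
    idle_timeout: float    # seconds a kept-alive connection may sit idle

    @classmethod
    def from_conf(cls, conf):
        # Fallbacks mirror Apache's documented defaults for these directives.
        return cls(
            enabled=conf.get("KeepAlive", "On").lower() == "on",
            max_requests=int(conf.get("MaxKeepAliveRequests", "100")),
            idle_timeout=float(conf.get("KeepAliveTimeout", "5")),
        )


def connections_needed(policy, request_times):
    """Count the TCP connections one client opens to send requests at the
    given times (seconds). A request reuses the open connection only when
    keep-alive is on, the connection has not idled past KeepAliveTimeout,
    and MaxKeepAliveRequests has not been reached on that connection."""
    connections = 0
    served = 0          # requests already served on the current connection
    last = None         # time of the previous request
    for t in request_times:
        reuse = (
            policy.enabled
            and last is not None
            and t - last <= policy.idle_timeout
            and (policy.max_requests == 0 or served < policy.max_requests)
        )
        if not reuse:
            connections += 1
            served = 0
        served += 1
        last = t
    return connections


if __name__ == "__main__":
    policy = KeepAlivePolicy.from_conf(parse_directives(HTTPD_CONF))
    print(policy)
    print("5 rapid requests ->", connections_needed(policy, [0, 1, 2, 3, 4]), "connection(s)")
    print("requests with a 10 s pause ->", connections_needed(policy, [0, 1, 12, 13]), "connection(s)")
```

The operational point the simulation makes visible: every idle kept-alive connection pins a server worker for up to KeepAliveTimeout seconds, so a long KeepAliveTimeout combined with a high MaxKeepAliveRequests trades a few saved handshakes for a larger pool of workers that slow or idle clients can occupy.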
3.2 MAIL SERVICES

• Mail servers provide Internet users with electronic mail services.
• They have their own TCP/IP protocols such as the
  - Simple Mail Transfer Protocol (SMTP),
  - Post Office Protocol (POP), and
  - Internet Mail Access Protocol (IMAP).
• At each stage, a different type of operation takes place using different agents (programs).
• A mail user agent (MUA) is a mail client program. With an MUA, a user composes a mail message and sends it.
• Then a mail transfer agent (MTA) transports the messages over the Internet. MTAs are mail servers that use SMTP to send messages across the Internet from one mail server to another.
• On Linux and Unix systems, the commonly used MTA is Sendmail, a mail server daemon that constantly checks for incoming messages from other mail servers and sends outgoing messages to the appropriate servers.
• Incoming messages received by a mail server are distributed to a user by mail delivery agents (MDAs). Most Linux systems use procmail as their MDA.

Mail Transport Agents
• Many Linux distributions will automatically install and configure either Sendmail or Postfix for you.
• You can send and receive messages between local users using Sendmail or Postfix.
• You can also set up your Linux system to run a POP server.
• POP servers hold users' mail until they log in to access their messages, instead of having mail sent to their hosts directly.

Received Mail: MX Records
• A mail address consists of a username and a host address.
• The hostname is translated into an IP address, and the IP address is used to locate the host system.
• Mail messages operate nearly the same way.
• However, the host specified in the mail address may not be the host to which delivery should actually be made.
• For example, mail addressed to the rabbit.mytrek.com host may actually be delivered to the turtle.mytrek.com host.
• turtle.mytrek.com may be running a POP mail server that users on rabbit.mytrek.com can access to read their mail.
• Such mail servers are associated with different hosts by mail exchange records, known as MX records, in a network's DNS configuration.
• When mail is received in a network, the network's DNS configuration is first checked for MX records to determine if the mail is to be delivered to a host different from that in the mail message address.
• For example, the following MX record says that any mail for the rabbit.mytrek.com host is to be delivered to the turtle.mytrek.com host; turtle.mytrek.com is the mail exchanger for rabbit.mytrek.com:

    rabbit.mytrek.com. IN MX 0 turtle.mytrek.com.
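The MX lookup an MTA performs before it opens an SMTP connection, as an added example that is not part of the lecture and not any MTA's own code. The zone below is constructed for the lecture's sample network: the rabbit/turtle MX line comes from the notes, while backup.mytrek.com, lizard.mytrek.com and all addresses are invented. The example goes one step beyond the notes by ranking several MX records by preference (lowest preference is tried first) and by applying SMTP's rule that a host with no MX record receives mail directly.

```python
"""Offline model of MX resolution. Added example, not an MTA's own code."""

# Constructed zone records as (owner, type, rdata) tuples in zone-file style.
# MX rdata is "<preference> <exchanger>"; only the first MX line is from the notes.
ZONE = [
    ("rabbit.mytrek.com.", "MX", "0 turtle.mytrek.com."),
    ("rabbit.mytrek.com.", "MX", "10 backup.mytrek.com."),  # constructed backup MX
    ("rabbit.mytrek.com.", "A",  "192.168.0.2"),            # constructed
    ("turtle.mytrek.com.", "A",  "192.168.0.1"),            # constructed
    ("backup.mytrek.com.", "A",  "192.168.0.3"),            # constructed
    ("lizard.mytrek.com.", "A",  "192.168.0.4"),            # constructed, has no MX
]


def fqdn(name):
    """Normalise a name to lower case with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def lookup(zone, owner, rtype):
    """All rdata values of the given type for an owner name."""
    owner = fqdn(owner)
    return [rdata for o, t, rdata in zone if fqdn(o) == owner and t == rtype]


def mail_exchangers(zone, host):
    """Exchangers for host, most preferred first.

    Lowest MX preference wins (0 in the lecture's example). A host with no
    MX record at all is its own exchanger: SMTP falls back to delivering to
    the host named in the address (the implicit-MX rule).
    """
    records = lookup(zone, host, "MX")
    if not records:
        return [fqdn(host)]
    ranked = []
    for rdata in records:
        preference, exchanger = rdata.split(None, 1)
        ranked.append((int(preference), fqdn(exchanger)))
    ranked.sort()
    return [exchanger for _, exchanger in ranked]


def delivery_targets(zone, host):
    """(exchanger, address) pairs in delivery order. An exchanger without an
    address record is skipped, since an MX must name a host with one."""
    targets = []
    for exchanger in mail_exchangers(zone, host):
        for address in lookup(zone, exchanger, "A"):
            targets.append((exchanger, address))
    return targets


if __name__ == "__main__":
    for host in ("rabbit.mytrek.com", "lizard.mytrek.com"):
        print(host, "->", delivery_targets(ZONE, host))
```

Because the MX answer decides which machine receives a domain's mail, a forged or hijacked MX record redirects mail silently; the DNS spoofing concern raised later in the OpenSSH section applies just as much here, which is why the records behind a mail domain deserve the same change monitoring as the mail server itself.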
Postfix
• Postfix is a fast, secure, and flexible MTA designed to replace Sendmail while maintaining as much compatibility as possible.
• Postfix was created with security in mind, treating all incoming mail as a potential security risk.
• Postfix uses many of the same Sendmail directories and files, letting Sendmail clients interact seamlessly with Postfix servers.
• Postfix is also easier than Sendmail to configure.

Postfix Commands
• Several Postfix commands allow you to manage your server tasks:
  - sendmail: sends messages.
  - mailq: displays the status of your mail queues.
  - newaliases: takes the mail aliases listed in the aliases file and stores them in a database file that can be used by Postfix.
  - postmap: maintains the various database files used by Postfix (alias file, access file).

Postfix Configuration: main.cf
• Postfix configuration is handled by setting parameters in its configuration file, main.cf. A default /etc/postfix/main.cf file is installed with Postfix, with most of the essential configuration values already set.
• Parameter names tend to be user friendly.
• For example, directory locations are specified by parameters ending in the term directory (queue_directory, daemon_directory).
• Defaults are already implemented for most parameters. For example, defaults are set for particular resource controls, such as message size, time limits, and the number of allowed messages per queue.
• You can edit the main.cf file to change the parameter values to meet your own needs.
• After making any changes, you need only reload the configuration using the postfix reload command:

    postfix reload

Network Parameters
• You will most likely need to set several network parameters.
• To ease this process, Postfix defines parameters that hold key network information, such as myhostname, which holds the hostname of your system, and mydomain, which holds the domain name of your network.

    myhostname=turtle.mytrek.com
    mydomain=mytrek.com

• The myorigin parameter specifies the origin address for email sent by the server.
• By default, this is set to the value of the myhostname parameter, as shown here. Note that a $ precedes the myhostname variable to evaluate it.

    myorigin=$myhostname
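How the $parameter references above are evaluated, as an added example that is not Postfix's own parser and not part of the lecture. It reads a constructed main.cf fragment built from the lecture's values and resolves $name and ${name} references recursively. Two Postfix defaults are assumed and coded explicitly: myorigin defaults to $myhostname (as the notes state) and mydomain defaults to myhostname with its first label removed. A reference cycle is rejected rather than looped on.

```python
"""Expand $parameter references in a Postfix main.cf.
Added example; not Postfix's own configuration parser."""
import re

# Constructed main.cf fragment using the lecture's sample values.
MAIN_CF = """
# network identity
myhostname = turtle.mytrek.com
mydomain = mytrek.com
myorigin = $myhostname
queue_directory = /var/spool/postfix
"""

# Matches $name or ${name}.
REF = re.compile(r"\$(\w+)|\$\{(\w+)\}")


def parse_main_cf(text):
    """Return {parameter: raw value}; comments and blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed main.cf line: {line!r}")
        params[name.strip()] = value.strip()
    return params


def expand(params, name, _seen=()):
    """Fully expanded value of a parameter.

    Unset parameters fall back to the assumed Postfix defaults coded here;
    anything else unset raises KeyError. A cycle such as a = $b, b = $a
    raises ValueError instead of recursing forever.
    """
    if name in _seen:
        raise ValueError(f"reference cycle through {name}")
    chain = _seen + (name,)
    if name in params:
        raw = params[name]
    elif name == "myorigin":
        raw = "$myhostname"  # assumed default, as the notes describe
    elif name == "mydomain":
        # Assumed default: myhostname minus its first label.
        raw = expand(params, "myhostname", chain).split(".", 1)[-1]
    else:
        raise KeyError(name)

    def substitute(match):
        return expand(params, match.group(1) or match.group(2), chain)

    return REF.sub(substitute, raw)


if __name__ == "__main__":
    params = parse_main_cf(MAIN_CF)
    for key in ("myhostname", "mydomain", "myorigin", "queue_directory"):
        print(f"{key} = {expand(params, key)}")
```

Checking the expanded value rather than the raw line is what matters when reviewing a mail server's identity settings: a typo such as `myorigin = $myhostnam` does not fail loudly in a text editor, but the expansion step surfaces it immediately as an unknown parameter.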
POP and IMAP Servers
• The protocols Internet Mail Access Protocol (IMAP) and Post Office Protocol (POP) allow a remote server to hold mail for users, who can then fetch their mail from it when they are ready.
• Unlike procmail, which delivers mail messages directly to a user account on a Linux system, the IMAP and POP protocols hold mail until a user accesses an account on the IMAP or POP server.
• The servers then transfer any received messages to the user's local mailbox.
• Red Hat Linux and Fedora install Dovecot as both their IMAP and POP server.
• Unlike POP servers, IMAP servers retain user mail messages. Users can even save their mail on the IMAP mail server.
• IMAP allows users to set up multiple folders on their mail server in which they can organize their mail. IMAP also supports the use of shared folders through which several users can access mail on a given topic.

Dovecot
• Dovecot is a combination IMAP and POP server.
• Using its own indexing methods, Dovecot is able to handle a great deal of email traffic.
• It features support for SSL, along with numerous authentication methods.
• Configuration options are placed in /etc/dovecot.conf.
• These are some basic settings to configure:
  - protocols: This can be set to imap and pop, as well as imaps and pops for SSL-encrypted connections.
  - listen: This can be set to IPv4 or IPv6 addresses; IPv6 is set by default.
  - auth default section: This section holds your default authentication options.
  - mechanisms in the auth section (plain by default): DIGEST-MD5 and CRAM-MD5 are supported, but they are not needed if you are using SSL.
  - passwd in the auth section.
  - mail_location: The default mail storage method and location.
3.3 PROXY SERVER

• Proxy servers operate as an intermediary between a local network and services available on a larger one such as the Internet.
• Requests from local clients for web services can be handled by the proxy server, speeding transactions as well as controlling access.
• Proxy servers maintain current copies of commonly accessed web pages, speeding web access times by eliminating the need to access the original site constantly.
• They also perform security functions, protecting servers from unauthorized access.
• Squid is a free, open source, proxy-caching server for web clients, designed to speed Internet access and provide security controls for web servers.
• It implements a proxy-caching service for web clients that caches web pages as users make requests.
• Copies of web pages accessed by users are kept in the Squid cache, and as requests are made, Squid checks to see if it has a current copy.
• If Squid does have a current copy, it returns the copy from its cache instead of querying the original site.
• If it does not have a current copy, it will retrieve one from the original site.
• Replacement algorithms periodically replace old objects in the cache.
• In this way, web browsers can use the local Squid cache as a proxy HTTP server.
• Squid currently handles web pages supporting the HTTP, FTP, and SSL protocols (Squid cannot be used with FTP clients), each with an associated default port.
• It also supports ICP (Internet Cache Protocol) and HTCP (Hypertext Caching Protocol) for web caching, and SNMP (Simple Network Management Protocol) for providing status information.

Configuring Client Browsers
• Squid supports both standard proxy caches and transparent caches.
• With a standard proxy cache, users will need to configure their browsers to specifically access the Squid server. A transparent cache, on the other hand, requires no browser configuration by users.
• With a standard proxy cache, users need to specify their proxy server in their web browser configuration.
• For this they will need the IP address of the host running the Squid proxy server and the port number.
• Proxies usually make use of port 3128.
• To configure use of a proxy server running on the local sample network, you enter the following:

    192.168.0.1 3128

• On Linux or Unix systems, local hosts can set the http_proxy and ftp_proxy shell variables to configure access by browsers.
• Place these definitions in your .bash_profile or /etc/profile file:

    http_proxy=192.168.0.1:3128
    ftp_proxy=192.168.0.1:3128
    export http_proxy ftp_proxy

• Alternatively, you can use the proxy's URL:

    http_proxy=http://turtle.mytrek.com:3128

The squid.conf File
• The Squid configuration file is squid.conf, located in the /etc/squid directory. In the /etc/squid/squid.conf file, you set general options such as the ports used, security options controlling access to the server, and cache options for configuring caching operations.
• You can use a backup version called /etc/squid/squid.conf.default to restore your original defaults.
• Entries consist of tags that specify different attributes.
• For example, maximum_object_size and maximum_object set limits on objects transferred:

    maximum_object_size 4096 KB

• As a proxy, Squid will use certain ports for specific services, such as port 3128 for HTTP services.
• Default port numbers are already set for Squid.
• If you need to use other ports, you can set them in the /etc/squid/squid.conf file.
• The following entry shows how you set the web browser port:

    http_port 3128
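The caching behaviour this section describes (serve a current copy from the cache, otherwise fetch from the origin, refuse objects above maximum_object_size, and replace old objects when space runs out), as an added example that is not Squid's own code and not part of the lecture. The two squid.conf tags on the page are read from a constructed fragment; the fixed total capacity, the least-recently-used replacement policy and the simulated origin server with per-object lifetimes are assumptions made to show replacement and expiry in action.

```python
"""Toy proxy cache modelling Squid's hit/miss, size-limit and replacement
behaviour. Added example; not Squid's own code."""
from collections import OrderedDict

# Constructed squid.conf fragment using the tags discussed above.
SQUID_CONF = """
http_port 3128
maximum_object_size 4096 KB
"""

UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_squid_conf(text):
    """Return {tag: value} for the simple 'tag value' lines Squid uses."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(" ")
        conf[tag] = value.strip()
    return conf


def size_bytes(value):
    """Parse a Squid size such as '4096 KB' into bytes."""
    number, _, unit = value.partition(" ")
    return int(number) * UNITS[unit or "bytes"]


class ProxyCache:
    def __init__(self, max_object_size, capacity):
        self.max_object_size = max_object_size
        self.capacity = capacity           # assumed total byte budget
        self.used = 0
        self.store = OrderedDict()         # url -> (body, expires); LRU order
        self.hits = self.misses = 0

    def fetch(self, url, origin, now):
        """Serve url from the cache if a fresh copy exists, else from origin.
        Returns (body, 'HIT' or 'MISS')."""
        entry = self.store.get(url)
        if entry and entry[1] > now:
            self.hits += 1
            self.store.move_to_end(url)    # mark as most recently used
            return entry[0], "HIT"
        self.misses += 1
        body, lifetime = origin(url)
        if entry:
            self._evict(url)               # drop the stale copy
        if len(body) <= self.max_object_size:
            # Replacement: evict least-recently-used objects until it fits.
            while self.used + len(body) > self.capacity and self.store:
                self._evict(next(iter(self.store)))
            self.store[url] = (body, now + lifetime)
            self.used += len(body)
        return body, "MISS"

    def _evict(self, url):
        body, _ = self.store.pop(url)
        self.used -= len(body)


# Constructed origin server: url -> (body, seconds the copy stays fresh).
ORIGIN = {
    "http://turtle.mytrek.com/index.html": (b"<html>home</html>", 60),
    "http://turtle.mytrek.com/big.iso": (b"x" * (5 * 1024 * 1024), 3600),
    "http://turtle.mytrek.com/news.html": (b"<html>news</html>", 10),
}


def origin_fetch(url):
    return ORIGIN[url]


def demo():
    """Replay a short request sequence; returns the HIT/MISS trace and the cache."""
    conf = parse_squid_conf(SQUID_CONF)
    cache = ProxyCache(size_bytes(conf["maximum_object_size"]), capacity=64 * 1024)
    base = "http://turtle.mytrek.com/"
    sequence = [("index.html", 0), ("index.html", 5), ("big.iso", 6),
                ("big.iso", 7), ("news.html", 8), ("news.html", 30)]
    trace = [cache.fetch(base + path, origin_fetch, now)[1] for path, now in sequence]
    return trace, cache


if __name__ == "__main__":
    trace, cache = demo()
    print(trace, "hits:", cache.hits, "misses:", cache.misses)
```

Two things the trace shows that the bullet points only state: the 5 MB object is served but never stored because it exceeds the 4096 KB limit, so repeated requests for it keep going to the origin; and news.html is refetched at t=30 because its copy is no longer current, which is the freshness check that keeps a cache from serving outdated (or superseded) content.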
3.4 OPEN SSH

• To protect remote connections from hosts outside your network, transmissions can be encrypted.
• For Linux systems, you can use the Secure Shell (SSH) suite of programs to encrypt and authenticate transmissions, preventing them from being read or modified by anyone else, as well as confirming the identity of the sender.
• The SSH programs are meant to replace remote tools such as rsh and rcp, which perform no encryption and include security risks such as transmitting passwords in clear text.

The Secure Shell: OpenSSH
• Although a firewall can protect a network from attempts to break into it from the outside, the problem of securing legitimate communications to the network from outside sources still exists.
• Such connections could be monitored, and information such as passwords and user IDs used when the user logs in to your network could be copied.
• One solution is to use SSH for remote logins.
• SSH encrypts any communications between the remote user and a system on your network.
• Two different implementations of SSH currently use what are, in effect, two different and incompatible protocols.
• The first version of SSH is known as SSH1 (the original SSH protocol).
• Version 2.0, known as SSH2, uses a completely rewritten version of the SSH protocol.
• A free and open source version is developed and maintained by the OpenSSH project.
• OpenSSH is the version supplied with most Linux distributions.

SSH Encryption and Authentication
• SSH secures connections by both authenticating users and encrypting their transmissions.
• The authentication process is handled with public-key encryption.
• Once authenticated, transmissions are encrypted by a cipher agreed upon by the SSH server and client for use in a particular session.
• Currently, SSH can deal with the following kinds of attacks:
  - IP spoofing, where a remote host sends out packets that pretend to come from another, trusted host
  - IP source routing, where a host can pretend an IP packet comes from another, trusted host
  - DNS spoofing, where an attacker forges name server records
  - Interception of clear-text passwords and other data by intermediate hosts
  - Manipulation of data by people in control of intermediate hosts
  - Attacks based on listening to X authentication data and spoofed connections to the X11 server

Creating SSH Keys with ssh-keygen
• You create your public and private keys using the ssh-keygen command.
• You need to specify the kind of encryption you want to use (DSA or RSA).
• For example:

    ssh-keygen -t rsa

• The ssh-keygen command prompts you for a passphrase.

ssh
• With ssh, you can remotely log in from a local client to a remote system on your network operating as the SSH server.
• You enter the ssh command with the address of the remote host, followed by a -l option and the login name (username) of the remote account you are logging in to.
• The following example logs in to the aleina user account on the rabbit.mytrek.com host:

    ssh rabbit.mytrek.com -l aleina

• You can also use the username@host form:

    ssh aleina@rabbit.mytrek.com

• The following listing shows how the user george accesses the cecelia account on turtle.mytrek.com:

    [george@turtle george]$ ssh turtle.mytrek.com -l cecelia
    cecelia@turtle.mytrek.com's password:
    [cecelia@turtle cecelia]$

Port Forwarding (Tunneling)
• If, for some reason, you can connect to a secure host only by going through an insecure host, ssh provides a feature called port forwarding.
• With port forwarding, you can secure the insecure segment of your connection.
• This sets up a direct connection between the local host and the remote host, through the intermediary insecure host.
• To forward a port on the remote system to a port on your local system, use ssh with the -R option.
• In the following example, port 22 on the local system is connected to port 23 on the rabbit.mytrek.com remote system:

    ssh -R 22:rabbit.mytrek.com:23

• To forward a port on your local system to a port on a remote system, use the ssh -L option.
• In the following example, port 22 on the local system is connected to port 23 on the rabbit.mytrek.com remote system:

    ssh -L 22:rabbit.mytrek.com:23

SSH Configuration
• The SSH configuration file for each user is in their .ssh/config file.
• The following example allows access from larisa at turtle.mytrek.com and uses Blowfish encryption for transmissions:

    Host turtle.mytrek.com
    User larisa
    Compression no
    Cipher blowfish

• To specify global options that apply to any host you connect to, create a Host entry with the asterisk as its host, Host *.
• This entry must be placed at the end of the configuration file.

    Host *
    FallBackToRsh yes
    KeepAlive no
    Cipher idea
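Why the Host * entry has to come last, shown as an added example that is not OpenSSH's own parser and not part of the lecture: ssh takes the first value it obtains for each option while reading the file, so a later Host block can only fill in options that earlier matching blocks left unset. The config text reuses the lecture's two blocks and option names; the rabbit.mytrek.com block is constructed, and pattern negation (!host) and Match blocks are deliberately left out.

```python
"""Resolve the effective per-host options from an ssh_config-style file.
Added example; not OpenSSH's configuration parser."""
import fnmatch

# The lecture's example config plus one constructed rabbit block.
SSH_CONFIG = """
Host turtle.mytrek.com
    User larisa
    Compression no
    Cipher blowfish

Host rabbit.mytrek.com
    User aleina

Host *
    FallBackToRsh yes
    KeepAlive no
    Cipher idea
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, {option: value}) blocks in file order.
    Option names are lower-cased because ssh treats them case-insensitively."""
    blocks = []
    patterns, options = ["*"], {}   # options before any Host line apply everywhere
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.strip().lower(), value.strip()
        if key == "host":
            blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[key] = value
    blocks.append((patterns, options))
    return blocks


def effective_options(blocks, host):
    """Options ssh would apply to host: for each option the FIRST value
    obtained from a matching block wins; later blocks only add options
    that are still unset."""
    result = {}
    for patterns, options in blocks:
        if any(fnmatch.fnmatchcase(host, pattern) for pattern in patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


def shadowed_options(blocks):
    """Options that a host-specific block sets but that an earlier, more
    general block already fixed, so the specific setting never takes effect.
    A Host * block placed first shows up here."""
    shadowed = []
    for index, (patterns, options) in enumerate(blocks):
        for key in options:
            for earlier_patterns, earlier in blocks[:index]:
                wildcard = all(fnmatch.fnmatchcase(p, ep) for p in patterns for ep in earlier_patterns)
                if key in earlier and wildcard:
                    shadowed.append((" ".join(patterns), key))
                    break
    return shadowed


if __name__ == "__main__":
    blocks = parse_ssh_config(SSH_CONFIG)
    for host in ("turtle.mytrek.com", "rabbit.mytrek.com", "lizard.mytrek.com"):
        print(host, effective_options(blocks, host))
    print("shadowed:", shadowed_options(blocks))
```

The usefulness of the check is in the other direction: if the global block is moved to the top of the file, the per-host `Cipher blowfish` line is still present but never used, because `Cipher idea` was obtained first; shadowed_options() reports exactly that, which is the kind of silent misconfiguration worth catching before assuming a stronger setting is in force for a particular host.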
