Read LPI Linux Certification in a Nutshell Online
Authors: Adam Haeder; Stephen Addison Schneiter; Bruno Gomes Pessanha; James Stanger
Tags: #Reference:Computers
An address mask separates the network portion from the host portion of the 32-bit IP address.
Class A addresses have 8 bits of network address and 24 bits of host address.
Class B addresses have 16 bits of network address and 16 bits of host address.
Class C addresses have 24 bits of network address and 8 bits of host address.
Subnets can be defined using the defined “class” schemes or using a locally defined split of network/host bits.
The all-zero and all-ones addresses are reserved on all subnets for the network and broadcast addresses, respectively. This implies that the maximum number of hosts on a network with n bits in the host portion of the address is 2^n - 2. For example, a class C network has 8 bits in the host portion. Therefore, it can have a maximum of 2^8 - 2 = 254 hosts.
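As an added example (my own code, not from the book), the following Python applies the address-mask arithmetic above: classful_prefix derives the 8/16/24-bit network portion from the first octet, and subnet_summary takes either that or a locally defined prefix and returns the mask, the reserved network and broadcast addresses, and the 2^n - 2 usable host count. Both function names are mine.

```python
import ipaddress
from typing import Optional


def classful_prefix(address: str) -> int:
    """Classful network prefix length (8, 16 or 24) implied by the first octet.

    Class A: first octet 0-127, class B: 128-191, class C: 192-223.
    """
    first = int(address.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{address} is not a class A, B or C address")


def subnet_summary(address: str, prefix: Optional[int] = None) -> dict:
    """Split an IPv4 address into network and host portions.

    prefix=None uses the classful split; any other value is a locally
    defined network/host split (the subnet mask expressed as a bit count).
    """
    if prefix is None:
        prefix = classful_prefix(address)
    net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    host_bits = 32 - prefix
    # The all-zero host part is the network address and the all-ones host
    # part is the broadcast address, so 2**n - 2 addresses remain for hosts.
    # (With fewer than 2 host bits the formula leaves no usable addresses.)
    usable = 2 ** host_bits - 2 if host_bits >= 2 else 0
    return {
        "mask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "host_bits": host_bits,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    # A class C address with its default mask, then the same address
    # on a locally defined /26 subnet (6 host bits, 62 usable hosts).
    print(subnet_summary("192.168.1.77"))
    print(subnet_summary("192.168.1.77", 26))
```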
TCP/IP is a name representing a larger suite of network protocols. Some network protocols maintain a constant connection, whereas others do not.
The Internet Protocol (IP) is the fundamental building block of the Internet. It is used by other protocols.
The Internet Control Message Protocol (ICMP) is a connectionless messaging protocol that uses IP. It is used for flow control, detection of unreachable destinations, redirecting routes, and checking remote hosts (the ping utility).
The User Datagram Protocol (UDP) is a connectionless transport agent. It is used by applications such as DNS and NFS.
The Transmission Control Protocol (TCP) is a connection-oriented transport agent. It is used by applications such as FTP and Telnet.
The Point-to-Point Protocol (PPP) is used over serial lines, including modems.
Inbound network requests to a host include a port number.
Ports are assigned to specific programs. Definitions are stored in /etc/services.
Ports 1–1023 are privileged ports, owned by superuser processes.
ftp implements the File Transfer Protocol client for the exchange of files to and from remote hosts.
The ssh client program implements a secure shell session to a remote host.
A web browser, such as Firefox, implements an http connection to a remote http server.
ping sends ICMP echo requests to a remote host to verify functionality.
dig obtains information from DNS servers.
traceroute attempts to display the route over which packets must travel to a remote host.
fwhois queries a whois database to determine the owner of a domain or IP address.
The ifconfig command is used both to view information about an interface and to change the network configuration of an interface.
The program dhclient will query the local network for IP addressing information over dhcp and use this information to configure the settings for an interface.
The command route will display the path that packets will take when they leave the system. It is also used to manually add routes.
Interfaces are configured through a number of configuration files.
/etc/hostname contains the assigned hostname for the system.
/etc/networks sets up equivalence between addresses and names for entire networks.
The host command returns DNS information.
The hostname, domainname, and dnsdomainname commands set or display the current host, domain, or node name.
The netstat command displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
/etc/hosts contains static mappings between IP addresses and names.
/etc/nsswitch.conf directs system library functions to specific nameserver methods such as local files, DNS, and NIS.
/etc/host.conf controls name resolution for older libraries. /etc/host.conf is rarely used and is replaced by /etc/nsswitch.conf.
/etc/resolv.conf contains information to direct the resolver to DNS servers.
find can perform searches for file attributes such as SUID using the -perm option.
The chage command is used to maintain password aging on user accounts.
The nmap program can be used to port scan local or remote systems for open ports.
The sudo command is used to give elevated privileges to a defined set of users for a limited command set. The configuration file is /etc/sudoers.
The ulimit command is used to view and modify limits placed on users. The superuser maintains user limits in the file /etc/security/limits.conf.
Hard limits are limits that users cannot exceed, whereas soft limits are limits that users can exceed temporarily by calling the ulimit program.
Configuring TCP wrappers (tcpd) using /etc/hosts.allow and /etc/hosts.deny can enhance security for daemons controlled by inetd or xinetd.
tcpd is often configured to deny access to all systems for all services (a blanket deny), and then specific systems are specified for legitimate access to services (limited allow).
tcpd logs using syslog, commonly to /var/log/secure.
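To make the blanket-deny / limited-allow pattern concrete, here is an added Python model of the hosts.allow and hosts.deny decision (my own code, not the book's and not the tcp_wrappers source): hosts.allow is searched first, then hosts.deny, and access is granted when neither file matches. The two configuration texts are constructed, and only the client patterns ALL, an exact address, a trailing-dot address prefix and a net/mask pair are modelled; the rest of the hosts_access syntax is out of scope.

```python
import ipaddress

# Constructed /etc/hosts.allow and /etc/hosts.deny: blanket deny, limited allow.
HOSTS_ALLOW = """
# admin subnet may reach sshd; one host may reach vsftpd; a site prefix may telnet
sshd : 192.168.10.0/255.255.255.0
vsftpd : 192.168.10.5
in.telnetd : 172.16.
"""
HOSTS_DENY = """
ALL : ALL
"""


def _client_matches(pattern: str, client_ip: str) -> bool:
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask pair, e.g. 192.168.10.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in network
    if pattern.endswith("."):  # leading part of an address, e.g. 172.16.
        return client_ip.startswith(pattern)
    return client_ip == pattern  # exact address


def _file_matches(text: str, daemon: str, client_ip: str) -> bool:
    """True when any 'daemon_list : client_list' line in text matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        daemon_ok = any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
        client_ok = any(_client_matches(c, client_ip) for c in clients.split(","))
        if daemon_ok and client_ok:
            return True
    return False


def tcpd_decision(daemon: str, client_ip: str,
                  allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> str:
    """Return 'allow' or 'deny' following tcpd's search order."""
    if _file_matches(allow, daemon, client_ip):
        return "allow"
    if _file_matches(deny, daemon, client_ip):
        return "deny"
    return "allow"  # neither file matches: access is granted
```

The last return shows why the blanket ALL : ALL line in hosts.deny matters: with empty files every request is allowed.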
Enabling the use of shadow passwords can enhance local security by making encrypted passwords harder to steal.
The use of shadow passwords causes the removal of password information from the publicly readable passwd file and places it in shadow, readable only by root.
A similar system is implemented for shadow groups, using the gshadow file.
The best way to communicate securely between two Linux systems is via SSH. SSH can be run either as a command line, opening up a shell into another system, or as a wrapper around other TCP-based applications.
SSH supports multiple authentication schemes, including standard username/password and public/private key authentication.
The command ssh-keygen -t dsa will create a public/private keypair. The keys are stored as ~/.ssh/id_dsa (private key) and ~/.ssh/id_dsa.pub (public key).
Placing a copy of your public key in the file ~/.ssh/authorized_keys2 on a remote machine will allow you to perform passwordless, key-based authentication with that machine.
The command gpg --gen-key will create a public/private key pair to use with the GNU Privacy Guard (GPG). These keys will be stored in ~/.gnupg/.
To encrypt a file with another user’s public key, you must:
Import the user’s public key into your keyring: gpg --import bobskey.asc
Use that key to encrypt a file: gpg -e -u "My Name" -r "Bobs Name" /tmp/filename.txt