Tuning Linux Network Performance: Network Configuration File Details
Summary: In "Tuning Linux Network Performance: Debugging Tools", we introduced three network tuning and testing tools, route, netstat and tcpdump, and what they can do. This article focuses on the contents of the network configuration files, to help you read these files.
Source: Reprinted from SEOUL Author: Yao Ye WOMAN AND Yang helped Green Red Cloud
In "Tuning Linux Network Performance: Debugging Tools", we introduced three network tuning and testing tools, route, netstat and tcpdump, and what they can do. This article focuses on the contents of the network configuration files, to help you read them.
/etc/modules.conf file
This configuration file defines the parameters of the modules that need to be loaded at startup; here we concentrate on the configuration of network cards. To reduce problems that may occur at boot, the Linux kernel does not automatically probe for multiple network cards. On a system where the network card driver is not compiled into the kernel but loaded dynamically as a module, if you need to install more than one card you should configure them accordingly in modules.conf.
If the device driver is compiled as a module (a kernel module): for PCI devices, the module automatically detects all such devices installed in the system; for ISA cards, you need to give the module the information it needs to know where to look for the card, and this information is supplied in /etc/conf.modules. For example, suppose we have two ISA-bus 3c509 cards, one at I/O address 0x300 and the other at 0x320. Edit modules.conf as follows:
alias eth0 3c509
alias eth1 3c509
options 3c509 io=0x300,0x320
For PCI cards only the alias command is needed, to associate ethN with the appropriate driver module name; the I/O address of a PCI card is detected automatically. For PCI cards, edit modules.conf as follows:
alias eth0 3c905
alias eth1 3c905
If the driver has been compiled into the kernel: the PCI probe run when the system starts automatically finds all related network cards. ISA cards can generally be detected automatically as well, but in some cases an ISA card still needs the following configuration: the card information is added to /etc/lilo.conf, so that the LILO boot loader passes it to the kernel as boot parameters. For ISA cards, edit lilo.conf and add the following line:
append="ether=0,0,eth0 ether=0,0,eth1"
/etc/sysconfig/network-scripts/ifcfg-ethN file
In Red Hat, the configuration files for the system's network devices are kept under the /etc/sysconfig/network-scripts directory: ifcfg-eth0 holds the configuration of the first network card, ifcfg-eth1 that of the second, and so on. If you want to change a network address by hand or add a new network interface, you can do so by editing the corresponding ifcfg-ethN file or by creating a new one. The file contains settings of the following form:
DEVICE=name                  name is the name of the physical device
IPADDR=addr                  addr is the IP address of the card
NETMASK=mask                 mask is the network mask
NETWORK=addr                 addr is the network address
BROADCAST=addr               addr is the broadcast address
ONBOOT=yes/no                whether to activate the card at startup
BOOTPROTO=none/bootp/dhcp    none: no boot protocol; bootp: use the BOOTP protocol; dhcp: use the DHCP protocol
USERCTL=yes/no               whether non-root users are allowed to control this device
/etc/resolv.conf file
This file is used by the domain name resolver (the resolver, a library that resolves host names to IP addresses). An example:
search domainname.com
nameserver 208.164.186.1
nameserver 208.164.186.2
"search domainname.com" means that when a host name does not include a full domain name, the suffix domainname.com is appended to the host name; "nameserver" means that the host at the given address is the domain name server to query. The name servers are queried in the order in which they appear in the file.
/etc/host.conf file
This file specifies how host names are resolved. Linux obtains the IP address corresponding to a host name through the resolver library. Here is an example /etc/host.conf:
order bind,hosts
multi on
nospoof on
"order bind,hosts" specifies the host name lookup order: here DNS is used first to resolve a name, and then the /etc/hosts file is queried (or the reverse). "multi on" specifies whether a host listed in /etc/hosts may have several addresses; a host with several IP addresses is usually called a multi-homed host. "nospoof on" means that spoofing of this server is not permitted. IP spoofing is a means of attacking system security: by impersonating another computer's IP address, the attacker gains the trust that other computers place in it.
/etc/hosts file
When the machine starts, it needs to resolve some host names to IP addresses before it is able to query DNS. This mapping information is stored in the /etc/hosts file. In the absence of a domain name server, all network programs on the system resolve the IP address corresponding to a host name by querying this file. Here is an example /etc/hosts file:
# IP address     hostname            alias
127.0.0.1        localhost           gate.openarch.com
208.164.186.1    gate.openarch.com   gate
The leftmost column is the host's IP address, the middle column is the host name, and any further columns are aliases of the host. Once the machine's network configuration files have been set up, you should restart the network for the changes to take effect, with the following command: /etc/rc.d/init.d/network restart
/etc/inetd.conf file
It is well known that the more service ports a server has open, the harder it is to guarantee the security and stability of the system. So a server that provides a specific service should open only the ports essential to that service and close the services unrelated to it. For example, a machine acting as a WWW and FTP server should only open ports 80 and 25, and should close other unrelated services such as finger and auth, to reduce the system's exposure.
inetd, also called the "super server", is a daemon that listens for network requests and starts the corresponding service process to handle each connection request. inetd.conf is inetd's configuration file: it tells inetd which network ports to listen on and which service to start for each port. Whatever network environment a Linux system is used in, the first thing to do is to establish which services the server needs to provide. Services that are not needed should be disabled, or better still uninstalled, so that attackers have fewer opportunities to attack the system. Check the /etc/inetd.conf file to see which services inetd offers. Disable every service that is not needed by commenting out its line (put a # at the start of the line), then send a SIGHUP signal to the inetd process:
· Step 1: Change the permissions of the file to 600.
[root@deep]# chmod 600 /etc/inetd.conf
· Step 2: Make sure the owner of the file is root.
[root@deep]# stat /etc/inetd.conf
· Step 3: Edit the inetd.conf file (vi /etc/inetd.conf) and disable all unneeded services, such as ftp, telnet, shell, login, exec, talk, ntalk, imap, pop-2, pop-3, finger, auth and so on. If you consider some of these services useful, you need not disable them.
· Step 4: After changing inetd.conf, don't forget to send a SIGHUP signal to the inetd process (killall -HUP inetd).
[root@deep /root]# killall -HUP inetd
· Step 5: To protect the inetd.conf file, you can use the chattr command to make it immutable. To make the file immutable, run the following command:
[root@deep]# chattr +i /etc/inetd.conf
A file with the "i" attribute cannot be changed: it cannot be deleted or renamed, no link to it can be created, and no data can be written to it. Only the system administrator can set and clear this attribute. If you later need to change inetd.conf, you must first clear the immutable flag:
[root@deep]# chattr -i /etc/inetd.conf
Services such as sendmail, named and WWW, however, are not started by the inetd daemon the way finger, telnet and the like are; they are started as daemons when the system boots. Red Hat Linux provides the linuxconf command, with which you can set in a graphical interface whether a given service runs at startup. You can also enable a service at startup from the command line, for example: [root@deep]# chkconfig --level 35 named on
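As an added example (not from the original article), here is a small shell audit that reads an inetd.conf in the format described above and reports which services are still enabled and which of them are on the list the article says to disable; the sample inetd.conf it builds is constructed for the demonstration.

```shell
# Added example (not from the original article): list the services that
# inetd will actually start, by reading the uncommented lines of an
# inetd.conf. Each active line has the form
#   <service> <socket_type> <proto> <wait|nowait> <user> <server_path> [args]
# The sample file below is constructed for this demonstration.

# Services the article recommends disabling on a single-purpose server.
RISKY="ftp telnet shell login exec talk ntalk imap pop-2 pop-3 finger auth"

# Print the service name of every line inetd acts on (not blank, not a
# '#' comment), one per line. $1 = path to an inetd.conf.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Print the enabled services that appear on the RISKY list.
risky_enabled() {
    for svc in $(enabled_services "$1"); do
        for r in $RISKY; do
            if [ "$svc" = "$r" ]; then echo "$svc"; fi
        done
    done
    return 0
}

# Constructed sample: ftp and finger are already commented out, telnet is
# still active, and one harmless internal service (daytime) is active too.
make_sample_inetd_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# inetd.conf (constructed sample)
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime  stream  tcp  nowait  root    internal
EOF
    echo "$f"
}

# Stand-alone run: show what is enabled and what the article says to review.
conf=$(make_sample_inetd_conf)
echo "enabled: $(enabled_services "$conf" | tr '\n' ' ')"
echo "review:  $(risky_enabled "$conf" | tr '\n' ' ')"
rm -f "$conf"
```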
/etc/hosts.allow file
But if services such as telnet and FTP are turned off, it becomes very inconvenient for an administrator who needs to manage the machine remotely. Linux provides another, more flexible and effective way to restrict which users may request a service, so that trusted users can use a variety of services while security is maintained: a program called TCP Wrapper. In most distributions it is installed by default. With TCP Wrapper you can restrict the services mentioned earlier, and its log file records every attempt to access your system. By viewing the program's log with the last command, the administrator can find out who has connected, or tried to connect, to the system. In the /etc directory there are two files, hosts.allow and hosts.deny, in which you can specify which machines may use these services and which may not.
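The allow/deny decision described above, as an added example that is not part of the original article: a simplified shell model of the TCP Wrapper rules, with a constructed default-deny hosts.deny and a hosts.allow that admits a few daemons from the local network. The daemon names (sshd, in.ftpd, in.telnetd, in.fingerd), the 192.168.1. network and the .trusted.example domain are assumed for the demonstration.

```shell
# Added example (not part of the original article): a simplified model of
# the TCP Wrapper decision: a match in hosts.allow grants, otherwise a match
# in hosts.deny refuses, otherwise access is granted. Only ALL, exact names
# or addresses, network prefixes ("192.168.1.") and domain suffixes
# (".trusted.example") are modelled; EXCEPT, net/mask and options are not.
# 0 if pattern $1 matches client $2.
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # network prefix
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # domain suffix
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}
# 0 if the comma-separated list $1 contains a pattern matching $2.
list_matches() {
    for p in $(echo "$1" | tr ',' ' '); do
        pattern_matches "$p" "$2" && return 0
    done
    return 1
}
# 0 if a "daemon_list : client_list" line in file $1 matches daemon $2
# and client $3; blank lines and '#' comments are skipped.
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if list_matches "$(echo "$line" | cut -d: -f1)" "$2" &&
           list_matches "$(echo "$line" | cut -d: -f2)" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}
# Print allow/deny for daemon $3 from client $4 (hosts.allow $1, hosts.deny $2).
tcpd_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}
# Constructed sample policy: default deny, then a few daemons allowed from
# the local network or a trusted domain. Prints the directory holding both files.
make_sample_policy() {
    d=$(mktemp -d)
    printf 'ALL: ALL\n' > "$d/hosts.deny"
    printf 'sshd, in.ftpd : 192.168.1.\nin.telnetd : 192.168.1.10, .trusted.example\n' > "$d/hosts.allow"
    echo "$d"
}
```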
/etc/services file
The correspondence between port numbers and standard services is defined in detail in RFC 1700, "Assigned Numbers".
The /etc/services file lets server and client programs convert the name of a service to its port number. It exists on every host. Only the root user has permission to modify it, and in general there is no need to modify it, because it already contains the port numbers of the common services. To improve security, we can add protection to this file to prevent unauthorized deletion or modification, with the following command:
[root@deep]# chattr +i /etc/services
/etc/securetty file
The /etc/securetty file lets you specify from which TTY devices the root user may log in. The login program (usually /bin/login) reads /etc/securetty. Its format is simple: the TTY devices listed in the file are allowed for root login; devices that are commented out or absent from the file are not.
/etc/inittab file
Commenting out one line in this file disables rebooting the computer with Control-Alt-Delete. This is very important if the server is not located in a safe place.
Edit the inittab file (vi /etc/inittab) and change this line:
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
to:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
Use the following command to make the change take effect:
[root@deep]# /sbin/init q
/etc/rc.d/init.d/ directory
The scripts under /etc/rc.d/init.d/ are mainly the scripts that start services. Ordinary users have no need to know the contents of these script files, so you should change their permissions.
[root@deep]# chmod -R 700 /etc/rc.d/init.d/*
This way only root can read, write and execute the scripts in this directory.
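As an added example (not from the original article), a shell checklist that re-verifies the hardening steps above (inetd.conf mode 600 and immutable, /etc/services immutable, the ctrlaltdel line commented out, init.d scripts mode 700) against a root directory; the scratch tree it builds is constructed for the demonstration, and the immutable checks are expected to fail there because only root can set that attribute.

```shell
# Added example (not from the original article): re-check the hardening
# steps described in this article. Paths are taken relative to a root
# directory, so the same function can be pointed at / on a live host or at
# a scratch tree. Uses GNU stat and lsattr as found on Linux.

# 0 if the octal permission bits of file $1 equal $2 (e.g. 600).
mode_is() { [ "$(stat -c %a "$1" 2>/dev/null)" = "$2" ]; }

# 0 if no active (uncommented) ctrlaltdel entry remains in inittab $1.
ctrlaltdel_disabled() { ! grep -q '^[^#].*:ctrlaltdel:' "$1"; }

# 0 if lsattr reports the immutable ('i') attribute on $1. Only root can
# set it, so this item is expected to fail on a scratch tree.
is_immutable() { lsattr -d "$1" 2>/dev/null | cut -d' ' -f1 | grep -q i; }

# Print one OK/FAIL line per checklist item under root $1 and return the
# number of failed items.
audit_tree() {
    root=$1
    fails=0
    report() {    # report <check> <args...>
        if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fails=$((fails + 1)); fi
    }
    report mode_is "$root/etc/inetd.conf" 600        # inetd.conf step 1
    report is_immutable "$root/etc/inetd.conf"       # inetd.conf step 5
    report is_immutable "$root/etc/services"         # chattr +i /etc/services
    report ctrlaltdel_disabled "$root/etc/inittab"   # commented ca:: line
    for s in "$root"/etc/rc.d/init.d/*; do           # chmod -R 700
        [ -f "$s" ] && report mode_is "$s" 700
    done
    return "$fails"
}

# Build a scratch tree that still has the default, unhardened settings.
make_unhardened_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/rc.d/init.d"
    echo 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd' > "$d/etc/inetd.conf"
    chmod 644 "$d/etc/inetd.conf"
    echo 'telnet 23/tcp' > "$d/etc/services"
    echo 'ca::ctrlaltdel:/sbin/shutdown -t3 -r now' > "$d/etc/inittab"
    echo '#!/bin/sh' > "$d/etc/rc.d/init.d/network"
    chmod 755 "$d/etc/rc.d/init.d/network"
    echo "$d"
}
```

Run audit_tree / on the real host after applying the steps; every FAIL line names the item and the path still to be fixed.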
Summary
So far we have analysed 11 network configuration files in detail. With the above, have you fully understood these files and become proficient at working with them?
In the next article we will introduce the methods of tuning network performance.