Linux Network Administrator Manual (1)
2000-07-28 13:32
Publisher: NetBull Readings: 8588
Translation: Zhao Wei
Chapter 1 Network Introduction
1.1 history
The idea of connecting the net is probably the same as the telecommunications business itself. Considering the stone era of people's lives, the drum may have been used to deliver a message between people. Harm Club Caveman A wants to invite caveman B to make a game of mutual stones, but they live too far between them, and the B can hear A drums. So what can a? He can 1) Where to go to B, 2) Use a bigger drum, or 3) ask C, C live in the middle of them, to deliver messages. This last way is called connected.
Of course, we have made great progress than our ancestors' original hobbies and equipment. Now, through a large number of cables, such as fiber optic, microwave, and so on, we use computer to make a dialogue between Saturday football games. [1] Next, we will involve implementing the above means and methods, but do not consider the cable, no part of the football is considered.
In this manual, we will discuss two types of networks: UUCP-based, based on TCP / IP. This is some protocol sets and software packages, which provide methods for transmitting data between two computers. In this chapter, we will consider these two network types and discuss their basic principles.
We define the network is a collection of communication between hosts (HOSTS), which often relies on some dedicated (specified) host services, ie relay data between participants. The host is usually a computer, but it is not necessarily; or the X-terminal or intelligent printer can be used as a host. A small number of host aggregates is also known as the site.
There is no language or code, and communication is not possible. In a computer network, these languages are commonly referred to as a protocol (Protocols). However, here you don't have to care about how the agreement is developed, but to, for example, considering the highly formulated behavior code noticed when meeting the governor. Similarly, the protocol used in the computer network is just a very stringent rule used by the exchange messages between two or more hosts.
1.2 UUCP network
UUCP is an abbreviation for UNIX-to-UNIX COPY. Just starting it as a package, used to transfer files on the serial line to determine the time of these transmission, and start the execution of the program on the remote site. Since its first implementation at the end of the 1970s, it has already changed great changes, but the services provided are still very simple. His main applications are still in a dial-based network based wide area network.
UUCP is a communication between the Bell Labs first developed in 1977 for communication between their UNIX development sites. In the mid-1978, this network has been connected to more than 80 sites. It is applied to run email and remote printing. However, this system is mainly used to distribute new software and debugging procedures. [2] Today, uucp is no longer limited to this environment. There are free and commercial transplanted versions on many types, including TOS, including Amigaos, DOS, Atari.
One of the main disadvantages of the UUCP network is its low bandwidth. On the one hand, telephone equipment has a strict limit on maximum transmission rate. On the other hand, the UUCP link rarely has a fixed connection; but the host dialing on the rule time interval is connected to each other. Therefore, most of the time is a mail message stored on some host disks on a UUCP network, waiting for the next connection.
Despite these limits, there are still many UUCP networks around the world running, mainly by computer amateur enthusiasts, which provide network access to private users with a suitable price. The main reason for UUCP is: It is extremely inexpensive than connecting your computer to a large INTERNET cable. In order to make your computer become a UUCP node, you only have a MODEM, a running UUCP program, as well as other UUCP nodes for your emails and news. 1.2.1 How to use uucp
The concept of UUCP is very simple: just like its name, it is basically copying the file from one host to the other, but it also allows a certain operation on the remote host.
Suppose your machine allows you to access the virtual host called Swim and let it perform the LPR print command for you. Then you can order the following line to print this book on Swim: [3]
$ uux -r swim! lpr! netunte.dvi
This makes UUX to schedule a job (JOB). UUX is a command in the UUCP group. This job consists of an input file NetGuide.dvi, and a request to feed the file to the LPR. The -r flag tells UUX to access the remote system immediately, but store the job until a connection is established. This is called spooling (printing).
Another feature of UUCP is that it allows for several host forwarding operations and files, if they cooperate. Assume that Swim in the above example has a UUCP link, and a large number of application documents are saved in Groucho. In order to download the file tripwire-1.0.tar.gz to your site, you can send it.
$ uucp -mr swim! Groucho! ~ / security / tripwire-1.0.tar.gz
Trip.tgz
The job created will request SWIM to get the file from Groucho, and send the file to your site, where uucp will save the file as Trip.tgz and notify you through the file arrived by the file. This will be completed in three steps. First, your site will send the job to SWIM. This file is downloaded when the next SWIM is established with Groucho. The final step is the actual transmission from SWIM to your site.
At present, the most important service provided by the UUCP network is email and news. We will discuss this later, so we only give a summary introduction.
Email - Abbreviation Email - Allows you to exchange messages on remote hosts without actually know how to access these hosts. Control a message from your site arriving at the destination site is completely completed by the mail processing system. In a UUCP environment, the message is typically transmitted by executing the RMAIL command on a neired host, and transmits the recipient's address and mail message to Rmail. Then Rmail will forward messages to another host until the message arrives at the host. We will discuss in detail in Chapter 13.
News can most appropriately describe a class of distributed electronic bulletin systems. In most cases, this term refers to USENET NEWS, which is until the most famous estimate of 120,000 - Participation sites from a news exchange network. The origin of UseNet dates back to 1979. At that time, after the new UNIX-V7 version released, three graduate students have a universal information exchange in UNIX groups. They organized some scripts, which became the first network news system. In 1980, this network was connected to Duke, UNC and PHS networks in Northern Carolinna. From this derived, the USENET eventually gave up. Although it is initially a UUCP-based network, it is no longer limited to single types of networks.
The basic unit of information is an article, which may be sent to the hierarchy of newsgroups dedicated to a particular topic. Most sites only receive a collection of all newsgroups, and all news groups transmit average of 60MB per day. In the world of UUCP, News is usually collected from the requesting group and packaged into several batches, and then transmitted by a UUCP link. These batch articles were sent to the receiving site and were sent there to the RNEWS command to open these batch packets and further processing.
Finally, for many documentation sites for public access to public Internet access, UUCP is also a way to choose from. You can usually use them: Use UUCP dial-up to log in, and download files from the public access document area. The login name / password of these passenger accounts is usually UUCP / NUUCP or some other similar.
1.3 TCP / IP network
Although uucp may be a choice of cheap dial-up link, there is still a lot of situations, in which case this storage - forwarding technology proves that it is not flexible, for example in the LAN (LANS) under. This is usually composed of a few machines located in the same building, even in the same layer, which are connected to each other to provide a similar working environment. Typically, you will share files on these hosts or run distributed applications on different machines.
These tasks require a completely different networking pathway. All data is broken down into smaller blocks (packets package, packets), which are immediately forwarded to the destination host and recombine. Instead of being forwarded with a job script. Such networks are called packets [packet-switched "network. From other aspects, this allows interactive applications to be run on the network. Of course, the consideration given has greatly added software complexity.
This system --- is not necessarily the host --- the solution used is the famous TCP / IP. In this section, we will look at its basic concept.
1.3.1 TCP / IP network introduction
The origins of TCP / IP can be traced to research programs supported by the 1975 US DARPA (Defense Advanced Research Projects Agency Defense ". That is a testive network, ARPANET, after successful, in 1975, transferred normally.
In 1983, the new TCP / IP protocol group was adopted as a standard, and all hosts in the network must use it. When the Arpanet finally grows to the Internet (Arpanet itself stops in 1990), TCP / IP's use has spread to the Internet other than the Internet. The most important thing is that the local area network, but as ISDN is like the fast digital telephone device of ISDN, it will be applied to the transmission of dial-up Internet access.
In the TCP / IP discussion throughout the following sections, as a concrete example of viewing, we will consider the Groucho Marx University (GMU) situated in Fredland, most of which run their own local area network, some of the department sharing A local area network, some have several local area networks. They are interconnected and connected to the Internet via a high-speed link.
Suppose your machine is connected to the LAN in the Mathematics, and assumes that your machine is named ERDOS. In order to access a host called Guark, you type the following command:
$ rlogin Quark.physics
Welcome to the Physics Department At GMU
(TTYQ2) login:
In the prompt, enter your login name, if it is Andres, as well as your password. At this time, you entered the QUARK's shell, where you can type various commands like it is on the system's console. After you exit the shell, you will return it to your own machine's prompt. You just use the instant, interactive application provided by TCP / IP: Remote login. When you log in into Quark, you will also want to run a X11-based application, like a function plot program, or a PostScript preview. In order to let this program know that you want to display the window on your host screen, you must set the Display environment variable:
$ export display = Erdos.maths: 0.0
If you are now running your app, it will contact your X server instead of QUARK, and display all of its windows on your screen. Of course, this requires X11 running on Erdos. The point here is that TCP / IP allows Quark and Erdos to transfer X11 packets back and forth, and give you an illusion, as if you are only on a single system. Here, the network is almost transparent.
Another important application of the TCP / IP network is NFS, which represents the Network File System. This is another transparent use of the form of a network because it basically allows you to load directory hierarchical structures directly on other hosts, so they are like local file systems. For example, all users' login owners may be on a central server machine, all other hosts on the LAN can load this directory from it. The effect of this is that the user can log in to any machine and will find itself in the same home directory. Similarly, applications (such as TEX) that require a large amount of disk space only on one machine, and export these directories to other machines. We will discuss NFS again in Chapter 11.
Of course, these are just what you can do on the TCP / IP network. This possibility is almost unlimited.
We now discuss the principle of TCP / IP work. You need to know these to understand how to configure your machine. We will first start from the analysis hardware, and then slowly in depth.
1.3.2 Ethernet
The hardware types widely used in the local area network are well known Ethernets. It consists of a host through a connector with a single cable, a three-way head or transceiver connected. Simple Ethernet installed is not expensive, and its network transmission rate reaches 10m per second, which basically explains why it is so popular.
Ethernet can be divided into three categories, called Thick, Thick (Thin), and Twisted Pair, respectively. Both cables and cable Ethernet use coaxial cables, just different, different ways to connect with the host. The cable Ethernet uses a T-shaped "BNC" connect head, two-end cable, and a plug in the back of the computer. The Rough Ethernet needs a small hole on the cable and uses a "vampire three-way head" connection transitioner. Thus, one or more hosts can be connected to the transceiver. The length of the cable and the thickness of the cable can be used by 200 meters and 500 meters, so they are also known as 10Base-2 and 10Base-5, respectively. The twisted pair uses a cable made of two copper wires, which is the kind of use in ordinary telephone devices, but there is usually another hardware. It is also well known in 10BASE-T.
Although a host is brought into a coarse Ethernet, it is gone, but the network will not be disconnected. To add a host to the cable Ethernet device, you have to interrupt the network service for a few minutes because you need to cut the cable to access a connective head.
Many people prefer thin cable Ethernet, because it is very cheap: PC network card is only $ 50, and there are only a few cents per meter per meter. However, for large-scale installation, the cable Ethernet is more suitable. For example, the GMU mathematics system is used by a thick cable, so it does not need to interrupt the network when adding a host on the Internet. One of the shortcomings of Ethernet technology is its limited cable length, which hinders it in except for local networks. However, several Ethernet segments can be connected to each other using repeaters, bridges, or routers. The repeater simply simply copies between two or more network segments, so all network segments that are connected together will exhibit an Ethernet. Due to the time limit requirements, there is no more than four network segments between any two hosts on the network. Bridges and routers are very complicated. They analyze the input data and only forward data when the receiving host is not in local Ethernet.
The operation of the Ethernet is like a bus system, on which one host can send a maximum length of 1500 bytes (or frame frames) to another host on the same Ethernet. The host is addressed by a six-byte address. This address is cured in the firmware on the Ethernet board. These addresses are typically written in the form of two hexadecimal numbers in colon, just like format aa: bb: cc: Dd: EE: FF.
The frame sent by a site, all other sites can be seen, but only the destination host picks up and processes the frame. If the two sites tried to send simultaneously, collision [Conflict] (COLLISION) will occur. The way to solve this problem is that both sites are sent to send and try to send again after a while.
1.3.3 Other hardware classes
In large-scale equipment, such as Groucho Marx University, Ethernet is usually not uniquely used. At the University of Groucho Marx, the local area networks of each department are connected to the Campus Trade Network, which is the fiber optics cable running FDDI (fiber distributed data interface Fiber Distributed Data Interface). FDDI uses a completely different way to transmit data, which basically includes sending a token to the surrounding, only allowing a token to send a token. The main advantage of FDDI is that it is up to 100Mbps transmission rate, and the maximum length of the cable is up to 200km.
For long-distance network connections, different types of devices are often used, which are based on standards named X.25. Many so-called public data networks, such as Tymnet of the United States, Germany's Datex-P provides this service. X.25 requires a special hardware, ie packet combination / division (Packet assembler / disassembler) or PAD. X.25 defines a set of its own network protocol, but it is often used to connect the network running TCP / IP and other protocols. Since IP packets cannot be simply mapped to X.25 (vice versa), IP packets are only simply packaged into the X.25 packet to transmit online.
Amateur radio enthusiasts often use their own set of devices to connect computers; called packet radio (Packet Radio) or amateur radio network (HAM RADIO). The protocol used by the packet wireless network is called AX.25, which is derived from X.25.
Other techniques include using slow but inexpensive dial-up serial lines. These require additional protocols for transmitting packets, such as SLIP or PPP, which will be discussed below.
1.3.4 Internet protocol
Of course, you won't want your network connection to be limited to an Ethernet network. Ideally, you want to use a network regardless of whether it is running on what hardware, no matter how many subunits consists of. For example, a large-scale network device like the University of Groucho Marx, you usually have several independent Ethernet networks that connect to some ways. There are two Ethernet Ethernet in GMU, mathematics: one is a network of probatated and postgraduate fast machines, and the other is a network of student's slow machine. Both networks have been connected to the FDDI campus backbone. This connection is processed by a dedicated host called gateway, which is processed by a packet that is copied and transmitted between two Ethernet networks and the optical cable. For example, if you are in mathematics and want to access the QUARK on the Physics LAN on your machine, the network connection software cannot directly send the packet to the quark because it is not in the same Ethernet. Therefore, it must rely on the gateway as a forwarder. Then, the gateway (gives it to Sophus) Use the main network to forward these packets to the NIELS gateway of the physical system, and pass the packet to the destination machine by Niels. The data between Erdos and QUARK is shown in Figure 1.1 (apologized to Guy L. Stele).
Figure 1.1 Sending a datagram from Erdos to Quark.
Such guidance data to the remote host is called routing or routing, and the packet is often referred to as DataGrams at this time. In order to make things simple, the Datasheet exchange is managed by a single protocol that is independent of the hardware used by the hardware used, or the Internet protocol. In the second chapter, we will describe the IP and routing methods in detail.
The main benefit of IP is that it converts physically different networks into a significantly similar network. This is called Internetworking, and the "post network" is called an internet (Internet). Note here Note The subtle difference of the AN Internet and the Internet. The latter is an official name that is specifically referred to as the global interconnection network.
Of course, IP also requires a hardware independent addressing scheme. This is done by assigning a 32-bit value for each host, this 32-bit value is called IP-Address. An IP address is usually represented by four decimal numbers, each decimal number represents an 8-bit portion, separated by point. For example, the Guark host may have an IP address of 0x954c0c04, which can be written into 149.76.12.4. This format is also known as the Dotted Quad representation.
You will notice that we have three different address types: first there is a host name like Quark, and then we have IP addresses, and finally have hardware addresses, such as the 6-byte Ethernet address. These types of addresses should be matched in some way, so that when you type rlogin QUARK, the network software gives the QUARK IP address; and when IP sends any data to the physical system, it will be some kind. Find the Ethernet address with the specified IP address. This is some confusing.
Here we no longer discuss in depth, and will be discussed in the second chapter. It is now enough to remember the meaning of these steps of addressing. For the operation of the hostname image to the IP address, the HostName Resolution is called, and the operation of the IP address image to the hardware address is called address resolution (Address Resolution) .
1.3.5 IP on the serial line
On serial lines, a "actual" standard well known as SLIP or serial line IP is often used. A modification of SLIP is called CSLIP, or a compressed SLIP for compression of IP headers to take advantage of the low bandwidth provided by the serial line to achieve better performance. [4] Another different serial line protocol is PPP, or point-to-point protocol. PPP has more features than SLIP, including a link negotiation step. However, it is better than the main advantage of SLIP lies in that it is not limited to transmitting IP datagrams, but is designed to transmit any type of datagram. 1.3.6 Transmission Control Protocol (Transmission Control Protocol)
Of course, transfer the datagram from a host to another. If you log in into Quark, you want to have a reliable connection between the Rlogin process on your ERDOS and the Shell process on the QUARK. In this way, the sender must decompose the transmission and response information to decompose the component group, and the recipient recombines the received packet to a character stream. This looks very trivial, but in which many subtle tasks are included.
An important thing to know about IP is that it is not reliable. Assuming that there are ten people on your Ethernet to start downloading the latest version of Xfree86 from the GMU's FTP server. The amount of traffic generated thereby may be too much for gateway processing capabilities, because it is too slow, and there is not much memory. If you happen to QUARK now, the gateway SOPHUS is just running out of the buffer space, so it cannot be forwarded. IP solutions to this problem simply discards this packet. This packet is completely lost. Therefore, check the integrity of the data, and retransmit the data is the responsibility of the host that communicates when encountered an error.
This is done by another protocol, TCP, or Transmission Control Protocol, which has established a reliable service over the IP. The basic feature of TCP is that it uses IP to give you a simple connection between your host process and the remote host process, so you don't have to care about how your data is, which router is transmitted. A TCP connection operation is substantially like a bidirectional pipe, both of which can be read and write. You can imagine it into a telephone dialogue.
TCP is an IP address of two associated hosts and a value called port (port) to identify one end (tail) end. The port can be seen as an additional point for the network connection. If we exquisite the example of the phone, we can compare the IP address to the region code (corresponding to the city's code), and make the port value as local code (corresponding to someone's phone number).
In the example of rlogin, the client application (rlogin) opens a port on ERDOS and connects to port 513 on the QUARK, which is the Rlogind server is always listening. This creates a TCP connection. Use this connection, RLogind execute the license program and then generate the shell process. The standard input and output of the shell are redirected to the TCP connection, so any characters you typed on your machine will be given the shell by the TCP stream as a standard input.
1.3.7 User Data News Agreement (User DataGram Protocol)
Of course, TCP is not the only user protocol in the TCP / IP network. Although it is suitable as an application like Rlogin, the total overhead used to prevent it from being used in applications like NFS. Instead, NFS is called UDP, or User DataGram Protocol. As TCP, UDP also allows an application to connect to a service on a remote machine, but it does not establish a connection for this. Instead, you can use it to send a single packet to the destination service - just as its name is expressed. Suppose you will load the NFS server, Galois, and the TEX directory structure on your machine, and you want to view the document describing how to use the LaTex. You launched the editor, the editor first reads the entire file. However, it takes a long time to establish a TCP connection, transfer file, and release the connection again. Instead, a request is sent to Galois, and Galois sends this file in a few UDP packets, which is very fast. However, UDP is the loss and bad grouping of the packet. This depends on the application - herein refers to NFS-to process.
1.3.8 About port
The port can be seen as an accessory of the network connection. If an application wants to provide a service, it will attach itself to a port and wait for the customer's arrival (this is also called listening on the port). Customers who want to use this service allocate a port on their local host and connect it to the port of the service of the remote host.
An important feature of the port is that once a connection is established between the client and the server, another copy of the server is attached to the server port and listens for other customers. This allowance, for example, several concurrent remote login operations on the same host use port 513. TCP can distinguish between these connections because they all come from different ports or hosts. For example, you log in to QUARK twice from Erdos, then the first RLogin customer will use local port 1023 and the second port 1022. However, both will be connected to the same port 513 on the QUARK.
This example shows the use of ports as a gather point, where the client contacts a specified port to obtain a given service. In order to let customers know the correct port number, the two system administrators must reach an agreement on these port number allocations. For widespread use services, such as rlogin, these values must be centrally managed. This is managed by the IETF (or internet engineering task group Internet engineering task force), which periodically publishes an RFC of the value-assigned value (Assigned Numbers). In this, it describes the port number assigned to well-known services, and others. Linux uses a file to image service to the number, this file is / etc / service. It will be described in the SERVICES AND protocols files section.
Although TCP and UDP connections are dependent on ports, these values do not conflict. This means that, for example, the port 513 of the TCP is different from the port 513 of the UDP. In fact, these ports are access points for two different services, such as Rlogin (TCP) and RWHO (UDP).
1.3.9 Socket (Socket) library
In UNIX operating systems, software to perform all of the above tasks and protocols is usually part of the kernel, or in the kernel. The most common programming interface in the world is Berkeley Socket Library. [Translator Note: Socket is the socket, nest, hole] This name is a popular metaphor, which is to be a plug than a socket and will be connected to a port. It provides (Bind (2)) call to specify a remote host, a transport protocol, and a service that can connect or listen to the service (using Connect (2), Listen (2), and Accept (2)). Anyway, this socket is still more common because it not only provides a TCP / IP class (AF_INET socket), but also provides classes that handle internal connections within the local machine (AF_UNIX socket ). Some sockets can also handle other classes, like XNS (Xerox Networking System) protocols, or X.25. In the Linux system, the socket is in the standard libc c-library. Currently, it only supports AF_INET and AF_UNIX socket, but it has been incorporated into Novell's network protocol, so it will eventually be added to such a class or several sockets.
1.4 Linux network
As a result of the cooperation efforts of the world's programming, if there is no global network system to compile Linux, it is impossible. Therefore, in the early days of development, there are several people who have started to provide network capabilities, which is not surprising. Almost start, a UUCP implementation is running on Linux, and starting to work based on TCP / IP network work in the fall of 1992, then Ross Biro and others have created today's NET-1 and well-known networks. achieve.
In May 1993, after Ross stopped development activities, Fred Van Kempen started a new implementation, rewriting the main part of the code. This continuous effort is well known in NET-2. The first public release version, NET-2D was prepared in summer in 1992 (part of the 0.99.10 core), and from there, there are several people's maintenance and expansion, it is worth mentioning Alan Cox. The Net-2deGugged is formed. After a lot of debugging and many improvements to the code, he renamed Net-3 after Linux1.0. This is currently included in the network code version in the official kernel release.
NET-3 gives a large number of Ethernet card devices, SLIP (for transmitting network information on a serial line) device driver, and PLIP (for parallelline) device drivers. Using NET-3, Linux has a very good TCP / IP implementation in the local area network environment, showing that its performance is comparable to some commercial PC UNIX at normal runtime. The development of the development has been facing stability and reliability running on the Internet host.
In addition to these features, there are some ongoing plan projects to enhance the versatility of Linux. A PPP (point-to-point protocol, another method for network transmission on the serial line) driver, is currently in the beta test phase, a HAM radio AX.25 driver is in the Alpha test phase. The Alan Cox also completed the Novell's IPX protocol driver, but the research works with Novell-compatible network suite is not carried out, because Novell is unwilling to provide the required documentation. Another very hopeful promise is Samba, a free UNIX NetBIOS server, manufactured by Andrew Tridgell. [5] 1.4.1 Different development directions
At present, FRED is continuing to develop work and is working in Net-2e, which is a very streamlined network design characteristic. While writing this book, NET-2E is still a beta software. The most worth noting that NET-2E is incorporated into DDI, Device Driver Interface. DDI provides a unified access and configuration method for all network devices and protocols.
There is also a TCP / IP implementation comes from Matthias Urlichs, and he has compiled an ISDN driver for Linux and FreeBSD. Here, he integrates some BSD network code to the Linux kernel.
However, it can be predicted that NET-3 will be stagnant here. The ALAN is currently performing the implementation of the AX.25 protocol for amateur radio enthusiasts. There is no doubt that "modular" "Modularity" that still needs to be developed will bring new impact on the network code. Modularization allows you to add drivers to the kernel during runtime.
Although these different network implementations have tried to provide the same services, there is a big difference between the kernel and equipment layers. Therefore, you cannot use NET-2D or NET-3 tools to configure a system running the NET-2e kernel, and it will not. This can only be applied to commands with kernels; applications and universal network commands, such as rlogin or telnet, can be run on any of them.
However, you don't have to worry about these different network versions. Unless you participate in actual development activities, you don't have to worry about running that version of TCP / IP code. The official kernel release always has a network tool that is compatible with network code in the kernel.
1.4.2 Where to get the code
The latest version of Linux network code can be obtained by anonymous FTP of each site. The official site of NET-3 is SunAcm.swan.ack.uk, and its mirror is in the System / Network / SunAcm of SunSite.unc.edu. The latest Net-2E patch tools and execution code are available in ftp.aris.com. Matthias UrlicHs derived from the BSD network code can be obtained from FTP.IRA.UKA.DE / PUB / System / Linux / NetBSD.
The latest kernels can be used in nic.funet.fi / pub / OS / Linux / People / Linux; SunSite and TSX-11.Mit.edu have this directory.
1.5 Maintaining your system
Throughout this book, we will mainly involve installation and configuration issues. However, managing to do more - after setting up a service, you also need to make it. For most of these questions, you only need little maintenance, and for some issues, like Mail and News, you need to perform routine tasks to keep your system up to date. We will discuss these tasks in later chapters.
The minimum maintenance is periodically checking the system and whether the log files of each application have errors and abnormal events. Typically, you need to write a few lines of managed shell scripts and run them from CRON. Some main applications are issued, such as SMAIL or C News, with such scripts, you only need to modify them to accommodate your needs and preferences. Your output of any CRON job should be mated to an administrator account. By default, many applications will send an error report, applying a statistical value, or an outline of the log file to the root account. This only makes sense when you often log in with root; a better way is to forward root messages into your personal account, see the description method of setting the mail alias in Chapter 14.
However, no matter how you have carefully configured your site, Murphy law confirms that some problems will eventually expose. Therefore, maintaining a system means that there will be complaints. Typically, people will expect the system administrator to get in contact with Email through root, but there are other addresses, which are commonly used to contact people responsible for maintaining a certain aspect. For example, complaints about the wrong mail configuration often post to Postmaster; news system issues can be reported to NewsMaster or UseNet. The host to HostMaster should be redirected to the host basic network service and the DNS name service (if running the name server).
1.5.1 system security
Another very important aspect of system management in the network environment is to protect your system and users from intruders. Carelessly managed systems Many attack targets with malicious people: the scope of attacks from guessing the password to Ethernet audition, resulting in damage from the forged mail message to the data loss or user permission. When discussing related aspects, we will discuss some special issues, as well as some common prevention measures against them.
This section will discuss some examples and basic techniques for system security. Of course, the theme covered cannot be detailed to all security issues you might have to face; they are only illustrated by the problems that may encounter. Therefore, reading a good book related to security is absolutely necessary, especially in a connected system. Simon Garfinkel's "Practical UNIX Security" (see [spaf93]) is extremely recommended.
System security begins in good system management. This includes checking all important files and directory ownership and permissions, monitoring the use of privileged accounts, and more. For example, a COPS program will check your file system and unusual permissions and exceptions for commonly used profiles. It can also use a set of passwords to force users to follow certain rules to make them difficult to guess. For example, the shadow password set requires at least five characters, and contains cases and numbers.
When a service can be accessed on the network, it is sure to give it "minimum authority", which means that you don't allow it to do things that don't work for it during design. For example, only if they really need it, you should make the program setUID to root or some other privileged account. Similarly, if you want to use a service to use only a very limited application, don't hesitate to configure it as much as possible under the conditions allowed by your specific application. For example, if you want to allow a diskless host to boot from your machine, you must provide TFTP (Trivial File Service) so that they can download basic profiles from the / boot directory. However, if they are not restricted, TFTP allows any users in the world to download any readable files from your system. If this is not what you want, why not limit the TFTP service can only access the / boot directory? [6]
The same idea, you may also want users from some hosts to limit certain services, such as users from your local network. In Chapter 9, we will introduce TCPD, which will do this for a variety of web applications. Another important point is to avoid running "dangerous" software. Of course, any software you use may be very dangerous, because the software may have errors, and smart people may take advantage of it to get access to your system. This happens, and there is no complete protection for this. This problem also affects free software and commercial software products. [7] However, programs that require special permissions are more dangerous than other programs, as any vulnerability may bring a strong consequence. [8] If you install the setuid program for the purpose of the network, you have to be double careful, don't miss anything on the document, so you don't accidentally build a safe crack.
No matter how you are careful, you can never rule out your prevention. Therefore, the invaders must be perceived as soon as possible. Checking the system log file is a good start, however, the intruder will also be the same intelligence, will delete any obvious traces of his or her left. However, there is a tool like TripWire [9], which allows you to check important system files to discover whether their content or permissions are changed. TripWire calculates a variety of strong inspections in these files and stores in a database. The check and and compare check and comparison with the store are recalculated during operation.
1.6 Outlook
The following chapters will involve the configuration of the TCP / IP network, and the operation of some major programs. We will discuss IP in Chapter 2 before starting to edit files. If you have already known IP routing, how is the address resolution, you can skip this chapter.
Chapter 3 discusses the most basic configuration issues. For example, like building a kernel and set your Ethernet card. The configuration of the serial port is discussed in an independent chapter because its discussion is not only suitable for TCP / IP networks, but also related to UUCP.
Chapter 5 helps you set your machine for TCP / IP networks. It includes only the installation prompts for the independent host of the loopback, and the installation prompts connected to the host of the Ethernet. It will also introduce some useful tools to test and debug your installation settings. The next chapter will discuss how to configure host name resolution and explain how to install a name server.
The next two chapters focus on the configuration and use of SLIP and PPP, respectively. Chapter 7 explains how to establish a SLIP connection and give a reference for a detailed tool DIP. This tool allows you to automatically operate most of the necessary steps. Chapter 8 covers the background processing program PPPD required for PPP and PPP.
Chapter 9 gives a short introduction to some important web applications, such as Rlogin, RCP, and more. This chapter also describes how the service is managed through inetd super, and how you can limit the security-related service to a set of credible hosts.
The next chapter discusses NIS, namely network information systems, and NFS, namely network file systems. NIS is a useful tool for information on distribution management of user passwords such as a local area network. NFS allows you to share file systems on several hosts in your network.
Chapter 12 gives a further introduction to Taylor UUCP management, Taylor UUCP is a free implementation of the UUCP component.
The remaining chapters of this book discusses in detail email and USENET NEWS. Chapter 13 describes the basic concepts of emails. What is the email address looks, and how the mail processing system is managed to send your message to the recipient.
Chapter 14 and Chapter 15 covers SMAIL and Sendmail settings, and two mail delivery agents you can use. This book has been introduced to both, because SMAIL is easy to install for beginners, while Sendmail is more flexible. Chapter 16 and Chapter 17 describes the method of news management in the useNet, and how you install and use C News, a popular software package that manages USEnet News. Chapter 18 briefly describes how to set up a NNTP background program for your local network to provide news reading access. Chapter 19 finally shows how to configure and maintain a wide variety of NEWSREADERS.
Comment
[1] The intention of the above words is still in Europe.
[2] Time does not change much.
[3] When using BASH, the GNU Bourne Again Shell, you may need to avoid using an exclamation mark, because BASH uses it as its historical characters.
[4] The SLIP is discussed in RFC-1055. The basic principles of head compression CSLIP are described in RFC-1144.
[5] NetBIOS is an agreement, like LanManager and Windows for Workgroups based on it.
[6] In Chapter 9, we will return to here.
[7] There is a commercial UNIX that you need to spend a lot of money, with a setuid-root shell script, using a simple standard trick, the script can allow users to get root privileges
[8] In 1988, the RTM worm made most Internet stagnations, and the part was by using some of the SENDMAIL programs. This vulnerability has long been repaired.
[9] There is Gene Kim and Gene Spafford.
Source: Linux Free Pigeon