Facultat d'Informàtica de Barcelona
- Univ. Politècnica de Catalunya
Administració de Sistemes Operatius (Operating Systems Administration) - Network services
Knowledge
Main elements in a network Main network services and protocols
Superserver, portmapper, DNS, FTP, WWW, e-mail
Abilities
Services configuration
Superserver DNS FTP WWW E-mail
Local area networks (LAN)
RS-232, Ethernet, Token Ring, FDDI (optical fiber)
Wide area networks (WAN)
Gigabit Ethernet and 10GbE, Frame Relay, X.25, ATM
Each network has its own link protocol ... and we have TCP/IP on top
Figure: link layers (modem, Ethernet, Token Ring, Gigabit Ethernet, ATM, Frame Relay, X.25) with TCP/IP on top of all of them
IP Network classes
Class A (0)
1.0.0.0 - 127.0.0.0 7 network bits, 24 host bits (16M-2 hosts)
Class B (10)
128.0.0.0 - 191.255.0.0 16 network bits (16K-2 networks), 16 host bits (64K-2
Class C (110)
192.0.0.0 - 223.255.255.0 24 network bits (2M-2 networks), 8 host bits (254 hosts in
Network classes
Class D: multicast addresses (1110)
224.0.0.0 - 240.0.0.0
Class E: reserved for future use (11110)
240.0.0.0 - 248.0.0.0
Class F
248.0.0.0 - 252.0.0.0
Class G
252.0.0.0 - 254.0.0.0
IP addresses with special meanings
0.0.0.0: this host
0.host: host on this network
127.anything: loopback (not seen in the network)
255.255.255.255: LAN broadcast
network.255: broadcast at the specified network
Private addresses (intranet only):
10.0.0.0 - 10.255.255.255: 1 class A network
172.16.0.0 - 172.31.255.255: 16 class B networks
192.168.0.0 - 192.168.255.255: 255 class C networks
Usually the number of machines in the same network is
Class A and B addresses are underutilized
Subnetting: use a portion of the host address to extend
Can use an arbitrary number of bits, not byte-aligned
10 bits subnet
6 bits host
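The classful lookup, the special and private ranges and the non-byte-aligned subnetting described above, as an added example in Python (not code from the slides); the 147.83.32.4 address is the one used later in the DNS records, and the /26 split (10 subnet bits, 6 host bits in a class B network) is the slide's own case:

```python
PRIVATE = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))
CLASS_PREFIX = {"A": 8, "B": 16, "C": 24}     # classful network lengths

def to_int(addr):
    """Dotted quad -> 32-bit integer."""
    a, b, c, d = (int(x) for x in addr.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def to_str(n):
    """32-bit integer -> dotted quad."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def ip_class(addr):
    """Class from the leading bits: 0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    top = to_int(addr) >> 28                  # the four highest bits
    if top < 0b1000:
        return "A"
    if top < 0b1100:
        return "B"
    if top < 0b1110:
        return "C"
    return "D" if top == 0b1110 else "E"

def special(addr):
    """Addresses with a special meaning on the slide, or None."""
    n = to_int(addr)
    if n == 0:
        return "this host"
    if n >> 24 == 127:
        return "loopback"
    if n == 0xFFFFFFFF:
        return "LAN broadcast"
    return None

def is_private(addr):
    """True for the three private (intranet only) ranges."""
    n = to_int(addr)
    return any(n >> (32 - bits) == to_int(net) >> (32 - bits) for net, bits in PRIVATE)

def subnet(addr, prefix):
    """Network, broadcast, mask and usable host count for any prefix length."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    net = to_int(addr) & mask
    bcast = net | (~mask & 0xFFFFFFFF)
    hosts = max((1 << (32 - prefix)) - 2, 0)
    return to_str(net), to_str(bcast), to_str(mask), hosts

def subnet_bits(addr, prefix):
    """Host bits of the classful network borrowed for the subnet part."""
    return prefix - CLASS_PREFIX[ip_class(addr)]

if __name__ == "__main__":
    # Class B address split with 10 subnet bits and 6 host bits, as on the slide
    print(ip_class("147.83.32.4"), subnet_bits("147.83.32.4", 26), subnet("147.83.32.4", 26))
```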
IANA: Internet Assigned Numbers Authority
www.iana.org
Regional Internet Registries (RIRs)
ARIN: American Registry for Internet Numbers
www.arin.net
RIPE NCC: Europe, Middle East and Central Asia
www.ripe.net
Internet Service Providers (ISPs)
ESNIC: www.nic.es
Domains at “.es”
Subnets usually represent the physical structure of the
An office, room, floor...
An ethernet host is only accessible to the hosts connected
Same cable
Gateway: host connected to several networks, with the
Figure: gateway with addresses 149.76.12.1 and 149.76.13.1 joining network 149.76.12 (hosts 149.76.12.4, 149.76.12.5) and network 149.76.13 (hosts 149.76.13.40, 149.76.13.43)
Determine where a message has to be sent given its
The router selects the output path given the routing tables
Association between a target IP address with a network
Figure: router with three interfaces (eth0, eth1, eth2)
Privileged ports: 0 - 1023
Assigned by the IANA Only a privileged user (root) can start services on them
Registered ports: 1024 - 49151
Registered within IANA to avoid collisions
Registry of the usual services associated to the ports
/etc/services
Dynamic ports: 49152 - 65535
Used in temporary connections
Answers to requests
Relates services with port numbers
DB accessed by several programs (netstat, ...)
Format: servicename port/protocol [aliases]
echo        7/tcp
echo        7/udp
systat      11/tcp  users
systat      11/udp  users
ftp-data    20/tcp
ftp-data    20/udp
# 21 is registered to ftp, but also used by fsp
ftp         21/tcp
ftp         21/udp  fsp fspd
ssh         22/tcp
ssh         22/udp
telnet      23/tcp
telnet      23/udp
# 24 - private mail system
smtp        25/tcp  mail
smtp        25/udp  mail
domain      53/tcp
domain      53/udp
http        80/tcp  www www-http
http        80/udp  www www-http
A router translates internal IP addresses into its own
Allows using private IP addresses while keeping connectivity
The router records all outgoing connections, and relates
Outgoing connection:
192.168.1.25 (port 1085) -> 212.106.192.142 (1085)
Inbound communication:
212.106.192.142 (1085) -> 192.168.1.25 (1085)
Internal addresses are not visible from outside
Only the router can be attacked
Network security depends on router security and good
Internal machines cannot offer services to the Internet
Except when Port Address Translation (PAT) is enabled
Impact on network performance
All Internet connections go through the router
Each packet requires a certain CPU time
Some services cannot be used on NAT
When they have incoming connections
FTP, IRC, Netmeeting...
Indicate to the router implementing NAT that some
Mapping router ports to ports in a local machine
Figure: port forwarding example; router ports 22, 25 and 80 are mapped to internal machines (ports 25 and 80 to one machine, port 22 to another)
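The NAT behaviour described above (the router records outgoing connections, only replies to them get back in, and PAT exposes chosen ports), as an added example in Python that is not part of the slides; the internal host 192.168.1.25 and the remote 212.106.192.142 with port 1085 are the slide's, while the router's public address 203.0.113.1 and the forwarding table are assumptions:

```python
class NatRouter:
    """Connection table of a NAT router plus a static port-forwarding (PAT) table."""

    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        self.forwards = forwards or {}   # public port -> (internal ip, internal port)
        self.table = {}                  # (remote ip, remote port, public port) -> (internal ip, port)
        self.next_port = 1024

    def _alloc(self, wanted):
        """Keep the internal source port when free (as on the slide), else pick another."""
        used = {key[2] for key in self.table} | set(self.forwards)
        if wanted not in used:
            return wanted
        while self.next_port in used:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src, sport, dst, dport):
        """Record the outgoing connection and return the packet as seen on the Internet."""
        pub_port = self._alloc(sport)
        self.table[(dst, dport, pub_port)] = (src, sport)
        return (self.public_ip, pub_port, dst, dport)

    def inbound(self, src, sport, dport):
        """Deliver an incoming packet to an internal host, or drop it (None)."""
        mapping = self.table.get((src, sport, dport))
        if mapping:                      # reply to a recorded outgoing connection
            return (src, sport) + mapping
        if dport in self.forwards:       # explicitly forwarded port: a server behind NAT
            return (src, sport) + self.forwards[dport]
        return None                      # unsolicited: internal hosts are not reachable
```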
Server that determines which communications can be
Typically works at link level
Does not know the application
It can keep state
Allows related connections and inbound connections
Firewalls are supplementary elements enforcing system
Their use can just offer a false idea of security
Other aspects related to security cannot be relaxed
Other security tools in the local network and servers are
Connection oriented
The server keeps session state
Increased performance
Low fault tolerance
Non-connection oriented
No session state
There are no sessions
Requests must be self-contained
Client requests must carry all the information needed, as
Increased fault tolerance
Primary
Keeps the main copy of the information
In case of divergence, the service relies on the primary
One for each service
Secondary
Keep copies of the information
Updated periodically to/from the primary server
Several for each service
Allow load balancing
Can be used as backup in case the primary server fails
cache servers (and/or proxies)
Keep copies of the most-used information
Several for each service are possible
Performance benefits
They can incorporate tasks related to security, filtering,
An active service uses resources, even when it is not
For services that are used not so often...
telnet, ftp, ssh...
Superserver listens to all active ports, and activates the
Receives the request
Starts the server associated
Transfers the request to it
Limitations
It cannot keep information among connections Process creation overhead
not really important when the service is started sporadically
Specifies the services listened to by the superserver
Service (port) to listen to (in /etc/services)
Protocol
User/group
Binary to execute to start the service
Arguments (arg0 = process name, ...)
# If you make changes to this file, either reboot your machine or send the
# inetd a HUP signal: Do a "ps x" as root and look up the pid of inetd. Then do
# a "kill -HUP <pid of inetd>". The inetd will re-read this file whenever it
# gets that signal.
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# The first 4 services are really only used for debugging purposes, so
# we comment them out since they can otherwise be used for some nasty
# denial-of-service attacks. If you need them, uncomment them.
# echo stream tcp nowait root internal
# discard stream tcp nowait root internal
...
Services typically started by inetd
# File Transfer Protocol (FTP) server:
#ftp stream tcp nowait root /usr/sbin/tcpd proftpd
# Telnet server:
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
# The comsat daemon notifies the user of new mail when biff is set to y:
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
# Shell, login, exec and talk are BSD protocols
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L
#login stream tcp nowait root /usr/sbin/tcpd in.rlogind
# POP and IMAP mail servers
#
# Post Office Protocol version 3 (POP3) server:
#pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popa3d
# Internet Message Access Protocol (IMAP) server:
#imap2 stream tcp nowait root /usr/sbin/tcpd imapd
# Tftp service is provided primarily for booting. Most sites
# run this only on machines acting as "boot servers."
# tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot -r blksize
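A small audit of the inetd.conf format explained above (service, socket type, protocol, flags, user, binary, arguments), as an added example in Python that is not part of the slides: it lists the entries that are really enabled and flags those running as root without the tcpd wrapper. The sample is constructed from the slide's excerpt, with tftp left enabled on purpose:

```python
# Constructed from the slide's inetd.conf excerpt; tftp is enabled here on
# purpose so that the audit has something to report.
INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#echo stream tcp nowait root internal
#ftp stream tcp nowait root /usr/sbin/tcpd proftpd
#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
comsat dgram udp wait root /usr/sbin/tcpd in.comsat
#shell stream tcp nowait root /usr/sbin/tcpd in.rshd -L
tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot -r blksize
"""

FIELDS = ("service", "sock_type", "proto", "flags", "user", "server_path", "args")

def parse_inetd(text):
    """Return the enabled entries as dicts; comments, blanks and short lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)          # the args field keeps its internal spaces
        if len(parts) < 6:
            continue                         # malformed: inetd would not start it either
        parts += [""] * (7 - len(parts))
        entries.append(dict(zip(FIELDS, parts)))
    return entries

def enabled_services(entries):
    return [e["service"] for e in entries]

def audit(entries):
    """Services run as root without the tcpd wrapper (no hosts.allow/deny check, no logging)."""
    findings = []
    for e in entries:
        user = e["user"].split(".")[0].split(":")[0]   # user may be written as user.group
        wrapped = e["server_path"].endswith("/tcpd")
        if user == "root" and not wrapped and e["server_path"] != "internal":
            findings.append(e["service"])
    return findings
```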
Remote execution of routines
Identified by a service and request numbers
RPC servers
Implement a set of remote routines
Listen to a dynamic port
Portmapper
Registers the RPC servers
Associates port number with the server routines
Needed by other services
NFS, NIS...
All state is kept in main memory
In case of failure, all RPC servers must be restarted also
All RPC servers are registered in the portmapper when
Translates machine names to IP addresses
Hostname -> IP address
IP address -> hostname
Difficulties
High number of machines connected to the Internet!!
High number of changes in machines and names
Solution
Hierarchical distribution of the information
Domains
Domain authority is delegated to the domain itself
Authority is delegated
Each domain administers its own server
Root servers are known to all domains
Domain server known to the domain
Iterative name resolution
Figure: iterative resolution of www.google.com; the root is asked “www.google.com?” and refers to the “.com” servers, which are asked “www.google?” and refer to the “.google” servers (names shown: internic.net, iana.org, alldomains.com, NS3.GOOGLE.COM 216.239.36.10, ...)
Convenient use of caches (cache servers)
High temporal locality
Avoid repeating the same search again and again
High spatial locality
Avoid continuously visiting the root servers
Reduce the number of steps in an iterative search
DNS can be used for load balancing of other services
Add several IP address for the same hostname
Each answer replies with a different IP address
Round Robin, “geographical” criteria...
Example
www.google.com, from different locations
;; ANSWER SECTION:
www.google.com.     693 IN CNAME www.l.google.com.
www.l.google.com.    93 IN A     66.249.85.104
www.l.google.com.    93 IN A     66.249.85.99

;; ANSWER SECTION:
www.google.com.     900 IN CNAME www.l.google.com.
www.l.google.com.   300 IN A     64.233.161.99
www.l.google.com.   300 IN A     64.233.161.104
www.l.google.com.   300 IN A     64.233.161.147
/etc/host.conf
Indicates where hostnames are searched, and the search
/etc/hosts
Translations for local machines
/etc/resolv.conf
Domains that should be automatically searched, and IP addresses of the local domain DNS servers
/etc/named.conf
Defines...
DNS domains
IP address ranges
Indicates whether a machine has the primary, a secondary
Files giving direct translation
Name.domain -> IP address
1 file for each administered domain
Files giving reverse translation
IP address -> name.domain
1 file for each IP address range
SOA (Start of Authority)
Serial number (to record information updates)
Times for retry and update of information
Expiration time
Minimum TTL (time-to-live)
A – Direct translation
Hostname -> IP address
romeu IN A 147.83.32.4
CNAME – alias name
hostname -> alias_hostname
romeu IN CNAME lp_romeu
PTR – reverse translation
IP address -> DNS hostname
4 IN PTR romeu.ac.upc.edu.
NS – domain delegation
DNS domain -> server IP address
ac IN NS 147.83.32.3
MX - mail exchanger
DNS domain -> mail server IP address
ac IN MX 147.83.33.10
And others...
HINFO, WKS,...
domain “ac.upc.edu”, as a primary server
directory "/var/named";
// query-source address * port 53;
};
zone "ac.upc.edu" IN {
    type master;
    file "ac.zone";
    allow-update { none; };
};
zone "3.168.192.in-addr.arpa" IN {
    type master;
    file "3.168.192.zone";
    allow-update { none; };
};
Domain “ac.upc.edu”
$TTL 86400
@           1D IN SOA pcxavim.ac.upc.edu. root.pcxavim.ac.upc.edu. (
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
            1D IN NS @
pcxavim     1D IN A 192.168.3.1
pcxavim2    1D IN A 192.168.3.250
;
laptop1     1D IN CNAME pcxavim
laptop2     1D IN CNAME pcxavim2
Reverse zone (3.168.192.zone):
...
...
            1D IN NS @
1           1D IN PTR pcxavim.ac.upc.edu.
250         1D IN PTR pcxavim2.ac.upc.edu.
In groups, discuss
We have 3 servers (server1, server2 and server3) with these
server1 IN A 123.123.123.1
server2 IN A 123.123.123.2
server3 IN A 123.123.123.3
We want to add the following service hostnames:
www in server1 (server2 is the www backup)
ftp in server1 and server2
incoming/outgoing e-mail in server3
Which new records would you add?
whois domain
Retrieves contact information about the domain
dig [@server] request
Requests DNS records Several parameters can be controlled
Server, record type, recursive/iterative resolution...
Provides the records associated with the request
Can provide debugging information
Automates the distribution of network information to
IP address to be used Current network location
The machine may be unknown to the DHCP server
Guest machines accessing an organization
It is assumed that having the ability to connect the
MAC-level access control can be implemented
IP addresses are obtained from address sets defined by the
Usually the DHCP server supports BOOTP
Internet Bootstrap Protocol Provides information for a machine to boot properly
Boot file (and size), operating system
DNS domain name, domain name servers
Host name, IP address, and network mask
List of gateways
Root directory for the OS
...
Example
ddns-update-style none;
subnet 192.168.3.0 netmask 255.255.255.0 {
    range 192.168.3.9 192.168.3.250;
    default-lease-time 28800;
    max-lease-time 57600;
}
host pcxavim2 {
    hardware ethernet 00:03:47:B8:69:62;
    # fixed-address 192.168.3.2;
}
It is possible to update the DNS records when DHCP
In dhcpd.conf:
ddns-update-style interim;
key DHCP_UPDATER {
    algorithm HMAC-MD5.SIG-ALG.REG.INT;
    secret pRP5FapFoJ95JEL06sv4PQ==;
};
zone ac.upc.edu. {
    primary 192.168.3.1;
    key DHCP_UPDATER;
}
In named.conf:
key DHCP_UPDATER {
    ... /* Same algorithm and secret key */
};
zone ac.upc.edu. {
    type master;
    file "ac.zone";
    allow-update { key DHCP_UPDATER; };
};
...
In group, discuss
How can we correctly implement DHCP when the server
Which kind of problems do we need to solve? Are they already implemented in DHCP?
Data transfer service Non-connection oriented
Clients have no state in the server Each request is self-contained
Even so, it uses TCP!!
http 2.x protocol
/etc/httpd/httpd.conf
Execution as a non-privileged user
Parallelism through processes/threads
Several concurrent requests
Process/thread number configurable
Specific configuration options at directory level
Virtual domains
Separation by IP address
Separation by DNS name (http v1.1)
Data transfer service Connection oriented
Control connection
Remembers the state between requests
cwd/put/get
Data connection
active / passive
New connection for each file transfer
Different for each server
wu-ftpd, proftpd, vsftpd...
/etc/ftpusers
Lists users that can NOT access the machine by FTP
root
Option chroot <directory>
Anonymous FTP
Changes the file system root for the server process only,
Avoids access to the full file system
Basic commands must be available in <directory>
/etc, /bin ls, ...
It can be useful for regular users
Elements composing the e-mail subsystem
MUA - Mail User Agent
User application to read/write e-mail
MSA - Mail Submission Agent
Application that transfers e-mail from the client to the MTA
It checks for errors before the mail is sent to the Internet
MTA - Mail Transport Agent
Application relaying the e-mail across machines
Delivery Agent
Application on the target machine that saves the e-mail on the
Mailbox: file or database storing the mail
Access Agent
Application allowing the user to access his/her mail
Figure: e-mail path MUA -> MSA -> MTA -> MTA -> DA, read back through an AA/MUA; SMTP/SSMTP between the agents, POP/IMAP for mailbox access
Envelope
Destination of the e-mail (user mail address)
Source of the e-mail (user mail address)
Usually not visible to users
Headers
Collection of message properties
Sent date
Origin, destination
They can be different from the ones in the envelope!
List of hosts through which the e-mail has passed
Message body
ASCII text (7 bits)
E-mail reception
Accessing a local mailbox Accessing a remote mailbox (Access Agent)
POP
E-mail transmission from the server to a local mailbox
IMAP
Access to the remote mailbox
Sending e-mail
SMTP server
Sending e-mail - sendmail
Messages sent directly to the receiver
Local user destination: finds the MX record in DNS
usuari@est.fib.upc.edu
Otherwise, sent through a mail relay
There is no direct access to the receiver
Receiving e-mail
E-mails saved locally
POP, IMAP to the same server
Mail relay to an external server
POP, IMAP to a remote server
E-mail aliases allow...
Redirect e-mails to another destination
Possibly in a different machine
Users with several names
root, www, postmaster, webmaster -> usuari@machine
Store the e-mails into a file
spam: /dev/null
Send e-mail to a program
autoftp: “| /usr/bin/ftpserver”
Define mailing lists
But there are better ways to do it
Majordomo, Mailman, ListProc, SmartList, ...
E-mail aliases
Defined in /etc/aliases or /etc/mail/aliases
Compiled with
$ newaliases
Command execution in aliases
Smrsh execution environment
Restricted shell for sendmail Only commands in specific directories can be executed
/etc/smrsh or /usr/adm/sm.bin
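The alias mechanism described above (redirection, multiple names, delivery to a file or to a program, mailing lists) together with the smrsh restriction, as an added example in Python that is not part of the slides: it expands alias chains the way newaliases/sendmail would, detects loops, and flags program deliveries whose command is not in the smrsh directory. The alias file and the smrsh directory contents are constructed:

```python
import os.path

# Constructed sample in /etc/aliases format, using the slide's own entries.
ALIASES = """\
# constructed sample
root: usuari
postmaster: root
webmaster: root, www
www: usuari@machine
spam: /dev/null
autoftp: "| /usr/bin/ftpserver"
staff: usuari, xavim, postmaster
"""
SMRSH_DIR = {"procmail", "vacation"}   # basenames present under /etc/smrsh (constructed)

def parse_aliases(text):
    """alias -> list of right-hand-side targets (comments and blank lines skipped)."""
    table = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if ":" not in line:
            continue
        name, _, rhs = line.partition(":")
        table[name.strip().lower()] = [t.strip() for t in rhs.split(",") if t.strip()]
    return table

def expand(table, name, seen=None):
    """Final deliveries for an alias as (kind, target), kind in user/file/program."""
    seen = seen or set()
    name = name.lower()
    if name in seen:
        return []                           # alias loop (a -> b -> a): stop here
    seen = seen | {name}
    if name not in table:
        return [("user", name)]             # a real mailbox or a remote address
    out = []
    for target in table[name]:
        target = target.strip('"')
        if target.startswith("|"):
            out.append(("program", target[1:].strip()))
        elif target.startswith("/"):
            out.append(("file", target))
        else:
            out += expand(table, target, seen)
    return out

def unsafe_programs(table):
    """Program deliveries smrsh would refuse: command basename not in the smrsh directory."""
    bad = []
    for alias in table:
        for kind, target in expand(table, alias):
            command = os.path.basename(target.split()[0])
            if kind == "program" and command not in SMRSH_DIR:
                bad.append((alias, target))
    return bad
```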
User authentication
E-mail servers do not ask for username and password by
SASL can be added
Envelopes may be false/incorrect on purpose
SPAM...
E-mail relays
The server will always try to send the e-mail to the
Open Relays -> SPAM
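The relay decision an MTA takes on the envelope (accept mail for local domains from anyone, relay elsewhere only for authenticated or trusted clients, otherwise refuse), as an added example in Python that is not part of the slides; the local domains, the LAN range and the client addresses are assumptions, and the decision deliberately never looks at the message headers:

```python
import ipaddress
import re

LOCAL_DOMAINS = {"est.fib.upc.edu", "ac.upc.edu"}           # we are the final destination (assumed)
RELAY_NETWORKS = [ipaddress.ip_network("192.168.3.0/24")]  # our own LAN may relay (assumed)
ADDR_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)

def may_relay(client_ip, authenticated):
    """Relaying is allowed only for SASL-authenticated clients or trusted networks."""
    ip = ipaddress.ip_address(client_ip)
    return authenticated or any(ip in net for net in RELAY_NETWORKS)

class SmtpSession:
    """Server-side state machine for the envelope part of one SMTP session."""

    def __init__(self, client_ip, authenticated=False):
        self.client_ip, self.authenticated = client_ip, authenticated
        self.mail_from, self.rcpts = None, []

    def handle(self, line):
        """Process one MAIL FROM / RCPT TO command and return the server reply."""
        m = ADDR_RE.match(line)
        if not m:
            return "500 5.5.2 Syntax error"
        verb, addr = m.group(1).upper(), m.group(2)
        if verb == "MAIL FROM":             # envelope sender; "<>" is the null sender
            self.mail_from, self.rcpts = addr, []
            return "250 2.1.0 Ok"
        if self.mail_from is None:
            return "503 5.5.1 Need MAIL command"
        domain = addr.rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS or may_relay(self.client_ip, self.authenticated):
            self.rcpts.append(addr)
            return "250 2.1.5 Ok"
        return "554 5.7.1 Relay access denied"   # an open relay would say 250 here
```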
E-mail confidentiality
E-mails travel with no encryption (plain text)
TLS (SSL) is only between MUA and MTA
MTA-MTA transfers use no encryption
Users are responsible for any encryption
PGP - Pretty Good Privacy
For message encryption
User signature check
Based on public key algorithms
Installing e-mail filters
Anti-spam
SpamAssassin, grey lists, black lists, ...
Anti-virus
Clam AV, Amavis, f-prot, ...
In group
We have installed a spam filter... whenever an e-mail with
And what would be the appropriate action for an e-mail
Allows users to access the incoming mailbox
Transfers the e-mails to the local machine
User authentication with no encryption
pop3s works encrypted on top of SSL
Allows users to manage their mailbox
Remote management
User authentication
Allows encryption
imaps on top of SSL
Replaces the old rsh/rlogin and telnet services
Adds security
User authentication based on RSA or DSA
User clients sign the session identifier with their private key
The server uses the public key (.ssh/authorized_keys) to
Password-based authentication can also be used
Encrypts the information sent through the connection
Confidentiality: 3DES, Blowfish...
Integrity: hmac-md5...
The server executes the command or the user command-
With the user's credentials
Transparent session
When the characteristics of the connection do not require
Useful for binary data transfers
Login session
Can include TCP and/or X11 forwarding
DISPLAY=hostname:10.0
In group
Secure shell allows to implement secure data transfers
How would you implement secure copy and secure file
Offers remote authentication for users
Allows to configure a user DB with...
Name
Password
Different properties
Includes accounting of login time for each user
Other servers/devices use it to authenticate users
routers, dial-ups
Allows to access files in a remote machine
Keeps the semantics of the local file system
Transparent to the user
Implemented on top of RPC's
The remote directory is seen as if it were local
Convenient to have same UIDs in both remote and local
File systems keep UIDs, not usernames
Automatic translation of UID's
Special users
Root, nobody
Options
no_root_squash: root can su to any user!
all_squash: all remote users become nobody
Less access privileges
Nobody itself can be redefined according to /etc/passwd
anonuid=UID,anongid=GID
/etc/exports
Exported directory
Authorized machines + flags
rw, ro
root_squash, no_root_squash
Allows exporting...
Files
Printers
Access control at the level of each user
Username and password authentication
Not based on the UID, but on the username
Password transmission
Plain text/encrypted
Access control at the level of machines
Cannot set different permissions depending on the
Can be implemented using different resource names, each
Lightweight Directory Access Protocol
Allows to access DB with user information
Username, password...
In directory service format (X.500)
Offers a mechanism to authenticate users
/etc/passwd, /etc/shadow, /etc/group...
... can be downloaded into the LDAP DB
It can be integrated into the system, so that the regular