Complete NSA Note
What is a Network?
A network consists of two or more computers that are linked in order to share resources
(such as printers and CDs), exchange files, or allow electronic communications. The
computers on a network may be linked through cables, telephone lines, radio waves,
satellites, or infrared light beams.
You may also see references to Metropolitan Area Networks (MANs), Wireless LANs
(WLANs), or Wireless WANs (WWANs).
A Local Area Network (LAN) is a network that is confined to a relatively small area. It is
generally limited to a geographic area such as a writing lab, school, or building.
For more notes visit https://collegenote.pythonanywhere.com
Wide Area Networks (WANs) connect networks in larger geographic areas, such as Florida,
the United States, or the world. Dedicated transoceanic cabling or satellite uplinks may be
used to connect this type of global network.
Using a WAN, schools in Florida can communicate with places like Tokyo in a matter of
seconds, without paying enormous phone bills. Two users a half-world apart, with
workstations equipped with microphones and webcams, might teleconference in real time.
A WAN is complicated. It uses multiplexers, bridges, and routers to connect local and
metropolitan networks to global communications networks like the Internet. To users,
however, a WAN will not appear to be much different than a LAN.
These networks provided the basis for the early ARPANET, which was the forerunner of the
modern Internet. The Advanced Research Projects Agency (ARPA) submitted the proposal for
the project on June 3, 1968, and it was approved a few weeks later. This proposal, entitled
"Resource Sharing Computer Networks", would allow ARPA not only to share its data more
widely, but also to further its research in a wide variety of military and scientific fields.
After being tested in four locations, the network spread, and the new protocols created for
its use evolved into today's Internet.
In 1977, early PC-based Local Area Networks (LANs) were spreading, and while initially
restricted to academics and hobbyists, they eventually found their way into the workplace
and the home, although the explosion into the latter two arenas is a
relatively recent phenomenon. LAN variants also developed, including Metropolitan Area
Networks (MANs) to cover large areas such as a college campus, and Wide Area Networks
(WANs) for university-to-university communication. With the widespread use of computers
in the corporate world, the speed and convenience of using them to communicate and
transfer data has forever altered the landscape of how people conduct business.
Networks have become an integral part of the corporate world. Ubiquitous computing
and Internet-capable cellular phones have allowed people to remain connected, even if the
individual is away from a fully wired office environment. With the Internet, the daily
functions of corporate life have been transformed and improved, allowing files, messages,
and other information to be transmitted at near-instant speeds. However, with it also comes
the simultaneous requirement to keep data and communications secure.
Market leaders
Many of the technological advances in networking come from a wide variety of sources, but
a number of companies continue to innovate and lead by providing the infrastructure and
necessary hardware. While Microsoft dominates the field of operating systems on
workstations and on many servers with Windows, the open source Apache Web server
provides the foundation for more Web servers than any competing product by a tremendous
margin. Numerous companies continue to develop and invent new technology, such as
hardware from Cisco Systems. Known for their routers and countless other products, they
also provide diverse wireless networking solutions through their Linksys brand. Other
networking market leaders include Nortel Networks, Novell, Lucent Technologies and Juniper
Networks.
While the initial concept behind networking computers was to see every person on the
planet being “wired”, the evolution of the technology aims to do just the opposite. Wireless
technologies are emerging as a popular, cable-free alternative to traditional wired networks.
By 2009, it is predicted that wearable computers – which will replace the personal digital
assistant or PDA – will be fully integrated in the workplace, with the ability to connect to
both wired and wireless networks. Other emerging technologies range from smart appliances
(products that have enhanced capabilities and/or the ability to access the Internet) to fully
automated homes that have all appliances, heating and cooling systems, entertainment and
other home needs connected via a LAN. Recent drivers of networking trends include
Voice over Internet Protocol (VoIP) and convergence.
Protocol
In information technology, a protocol is the special set of rules that end points in a
telecommunication connection use when they communicate. Protocols specify interactions
between the communicating entities.
Protocols exist at several levels in a telecommunication connection. For example, there are
protocols for the data interchange at the hardware device level and protocols for data
interchange at the application program level. In the standard model known as Open Systems
Interconnection (OSI), there are one or more protocols at each layer in the
telecommunication exchange that both ends of the exchange must recognize and observe.
Protocols are often described in an industry or international standard. Common Internet
protocols include:
• Transmission Control Protocol (TCP), which uses a set of rules to exchange messages
with other Internet points at the information packet level
• Internet Protocol (IP), which uses a set of rules to send and receive messages at the
Internet address level
• Additional protocols that include the Hypertext Transfer Protocol (HTTP) and File
Transfer Protocol (FTP), each with defined sets of rules to use with corresponding
programs elsewhere on the Internet
There are many other Internet protocols, such as the Border Gateway Protocol (BGP) and the
Dynamic Host Configuration Protocol (DHCP).
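As an illustration of how an application-level protocol such as HTTP defines a precise message format, the sketch below builds a minimal HTTP/1.1 GET request by hand. The host name is only a placeholder; this is a format demonstration, not a real client:

```python
def build_http_get(host: str, path: str = "/") -> bytes:
    """Build a minimal HTTP/1.1 GET request.

    HTTP is a text-based protocol: a request line, header lines,
    and a blank line, each terminated by CRLF.
    """
    lines = [
        f"GET {path} HTTP/1.1",   # request line: method, path, version
        f"Host: {host}",          # the Host header is mandatory in HTTP/1.1
        "Connection: close",      # ask the server to close after responding
        "",                       # blank line ends the header section
        "",
    ]
    return "\r\n".join(lines).encode("ascii")

request = build_http_get("example.com")
print(request)
```

Any HTTP server, regardless of vendor, can parse this request, which is exactly the point of agreeing on a protocol.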
The word protocol comes from the Greek protokollon, meaning a leaf of paper glued to a
manuscript volume that describes the contents.
Standard Protocol
A standard protocol is a mandated, fixed procedure for completing a task. Often designated
by a flow chart or spelled out in textual steps, a standard protocol may be nationally
recognized or de facto (accepted, but not nationally recognized). There are as many types of
standard protocol as there are tasks associated with them.
1. Computer Communication
2. Medical Protocol
o Body fluid spills in the emergency room require that environmental specialists
follow a specific protocol to clean up the mess so that patients and hospital personnel
are not exposed to infections and viruses such as HIV. Occupational Safety and
Health Administration clean-up protocol falls under the standard protocol
"Universal Precautions," while hospital clean-up policy may fall under de facto
standard protocol.
3. Decision-Making Protocol
Common LAN protocols and technologies include:
• Ethernet
• LocalTalk
• Token Ring
• FDDI
• ATM
The OSI model, and any other network communication model, provides only a conceptual
framework for communication between computers, but the model itself does not provide
specific methods of communication. Actual communication is defined by various
communication protocols. In the context of data communication, a protocol is a formal set of
rules, conventions and data structures that governs how computers and other network
devices exchange information over a network. In other words, a protocol is a standard
procedure and format that two data communication devices must understand, accept and
use to be able to talk to each other.
In modern protocol design, protocols are "layered" according to the OSI 7 layer model or a
similar layered model. Layering is a design principle which divides the protocol design into a
number of smaller parts, each part accomplishing a particular sub-task and interacting with
the other parts of the protocol only in a small number of well-defined ways. Layering allows
the parts of a protocol to be designed and tested without a combinatorial explosion of cases,
keeping each design relatively simple. Layering also permits familiar protocols to be adapted
to unusual circumstances.
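The layering idea can be sketched as successive encapsulation: each layer wraps the data from the layer above with its own header, and the receiver strips those headers in reverse order. The header names below are illustrative labels, not any real protocol's format:

```python
def encapsulate(payload: str) -> str:
    """Wrap application data with one header per layer, top to bottom."""
    frame = payload
    for layer in ["TRANSPORT", "NETWORK", "LINK"]:
        frame = f"[{layer}]{frame}"   # each layer adds its own header
    return frame

def decapsulate(frame: str) -> str:
    """Strip the headers in reverse order to recover the payload."""
    for layer in ["LINK", "NETWORK", "TRANSPORT"]:
        prefix = f"[{layer}]"
        assert frame.startswith(prefix), f"missing {layer} header"
        frame = frame[len(prefix):]
    return frame

wire = encapsulate("hello")
print(wire)               # [LINK][NETWORK][TRANSPORT]hello
print(decapsulate(wire))  # hello
```

Because each layer only touches its own header, the transport logic can be designed and tested without knowing anything about the link layer, which is exactly the benefit layering is meant to provide.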
The header and/or trailer at each layer reflect the structure of the protocol. Detailed rules
and procedures of a protocol or protocol group are often defined by a lengthy document. For
example, IETF uses RFCs (Request for Comments) to define protocols and updates to the
protocols.
A wide variety of communication protocols exists. These protocols were defined by many
different standard organizations throughout the world and by technology vendors over years
of technology evolution and development. One of the most popular protocol suites is TCP/IP,
which is the heart of internetworking communications. IP, the Internet Protocol, is
responsible for moving packets across networks so that routers can forward them along the
proper path toward their destination, while TCP is responsible for ensuring that the data
packets are transmitted across the network reliably and error-free. LAN and WAN protocols are also
critical protocols in network communications. The LAN protocols suite is for the physical and
data link layers of communications over various LAN media such as Ethernet wires and
wireless radio waves. The WAN protocol suite is for the lowest three layers and defines
communication over various wide-area media, such as fiber optic and copper cables.
Network communication has evolved gradually. Today's new technologies build on an
accumulation of earlier technologies, some still in use and some obsolete.
Because of this, the protocols which define the network communication are highly
interrelated. Many protocols rely on others for operation. For example, many routing
protocols use other network protocols to exchange information between routers.
In addition to standards for individual protocols in transmission, there are now also interface
standards for different layers to talk to the ones above or below (usually operating system
specific). For example: Winsock and Berkeley sockets between layers 4 and 5; NDIS and ODI
between layers 2 and 3.
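The Berkeley sockets interface mentioned above can be exercised directly. The sketch below passes a message between two already-connected stream endpoints in a single process, using Python's `socket` module, which is a thin wrapper over the Berkeley API:

```python
import socket

# socketpair() returns two connected stream endpoints, so we can
# demonstrate the send/recv half of the sockets API without going
# through the full bind/listen/accept sequence.
a, b = socket.socketpair()

a.sendall(b"ping")   # hand bytes down to the transport layer
data = b.recv(1024)  # receive them at the other endpoint
print(data)          # b'ping'

a.close()
b.close()
```

The same `send`/`recv` calls work unchanged whether the peer is in the same process, on the same LAN, or across the Internet; that uniformity is the point of a layer-boundary interface standard.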
The protocols for data communication cover all areas as defined in the OSI model. However,
the OSI model is only loosely defined. A protocol may perform the functions of one or more
of the OSI layers, which introduces complexity to understanding protocols relevant to the
OSI 7 layer model. In real-world protocols, there is some argument as to where the
distinctions between layers are drawn; there is no one black and white answer.
To develop a complete technology that is useful for the industry, very often a group of
protocols is required in the same layer or across many different layers. Different protocols
often describe different aspects of a single communication; taken together, these form a
protocol suite. For example, Voice over IP (VoIP), a group of protocols developed by many
vendors and standards organizations, has many protocols across the top four layers of the
OSI model.
Protocols can be grouped into suites (or families, or stacks) by their technical functions, by
their origin, or both. A protocol may belong to one or multiple
protocol suites, depending on how you categorize it. For example, the Gigabit Ethernet
protocol IEEE 802.3z is a LAN (Local Area Network) protocol and it can also be used in MAN
(Metropolitan Area Network) communications.
Most recent protocols are designed by the IETF for Internetworking communications and by
the IEEE for local area networking (LAN) and metropolitan area networking (MAN). The ITU-T
contributes mostly to wide area networking (WAN) and telecommunications protocols. ISO
has its own suite of protocols for internetworking communications, which is mainly deployed
in European countries.
OSI divides telecommunication into seven layers. The layers are in two groups. The upper
four layers are used whenever a message passes from or to a user. The lower three layers are
used when any message passes through the host computer. Messages intended for this
computer pass to the upper layers. Messages destined for some other host are not passed
up to the upper layers but are forwarded to another host. The seven layers are:
Layer 7: The application layer ...This is the layer at which communication partners are
identified, quality of service is identified, user authentication and privacy are considered,
and any constraints on data syntax are identified. (This layer is not the application itself,
although some applications may perform application layer functions.)
Layer 6: The presentation layer ...This is a layer, usually part of an operating system, that
converts incoming and outgoing data from one presentation format to another (for example,
from a text stream into a popup window with the newly arrived text). Sometimes called the
syntax layer.
Layer 5: The session layer ...This layer sets up, coordinates, and terminates conversations,
exchanges, and dialogs between the applications at each end. It deals with session and
connection coordination.
Layer 4: The transport layer ...This layer manages the end-to-end control (for example,
determining whether all packets have arrived) and error-checking. It ensures complete data
transfer.
Layer 3: The network layer ...This layer handles the routing of the data (sending it in the
right direction to the right destination on outgoing transmissions and receiving incoming
transmissions at the packet level). The network layer does routing and forwarding.
Layer 2: The data-link layer ...This layer provides synchronization for the physical level and
does bit-stuffing for strings of 1's in excess of 5. It furnishes transmission protocol knowledge
and management.
Layer 1: The physical layer ...This layer conveys the bit stream through the network at the
electrical and mechanical level. It provides the hardware means of sending and receiving
data on a carrier.
The TCP/IP reference model is based on a suite of protocols in which each protocol solves a
particular network communications problem. The TCP/IP model can be used in a
heterogeneous environment that has equipment from many different vendors. There are
four layers in the TCP/IP reference model.
Layers:
The internet layer is responsible for sending source packets from any network on the
internetwork and having them arrive at their destination regardless of the path they take.
The Internet Protocol (IP) is used in this layer, and it provides the packet delivery service on
which TCP/IP is based. IP implements a system of logical host addresses called IP
addresses. The IP addresses are used by the internet and higher layers to identify devices
and to perform internetwork routing.
The transport layer is responsible for the reliability, flow control, and error correction of data
being sent across the network. Its main protocol is called the transmission control protocol
(TCP). TCP provides reliable data delivery service with end-to-end error detection and
correction. User Datagram Protocol (UDP) is another protocol used at this layer, which
provides a low-overhead, connectionless datagram delivery service. UDP is unreliable but
improves network throughput when error correction is not required at the host-to-host
layer. Both protocols deliver data between the Application Layer and the Internet Layer.
Users may choose whichever is best suited to their needs.
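The difference between the two transport services shows up directly in the socket API: a stream (TCP-style) socket delivers a continuous byte stream, while a datagram (UDP-style) socket preserves message boundaries. A minimal sketch using local socket pairs, so no real network is needed:

```python
import socket

# Stream pair (TCP-like service): bytes form one continuous stream,
# and message boundaries are not guaranteed to be preserved.
s1, s2 = socket.socketpair(type=socket.SOCK_STREAM)
s1.sendall(b"abcd")
print(s2.recv(1024))   # the bytes arrive in order as a stream

# Datagram pair (UDP-like service): each send is one self-contained
# message, delivered (or lost) as a unit.
d1, d2 = socket.socketpair(type=socket.SOCK_DGRAM)
d1.send(b"ab")
d1.send(b"cd")
print(d2.recv(1024))   # exactly one datagram: b'ab'
print(d2.recv(1024))   # the next datagram: b'cd'

for s in (s1, s2, d1, d2):
    s.close()
```

Note the trade-off the text describes: the datagram service does less work per packet (no connection state, no retransmission), which is why UDP has lower overhead than TCP.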
This article compares the TCP/IP model with the OSI model. It is meant to highlight the
differences between the two industry standards. The TCP/IP model and the OSI model are
the two protocol frameworks on which the communication industry heavily relies.
Both the TCP/IP model and the OSI model work in a very similar fashion, but they do have
subtle differences. Knowing these differences is crucial to learning computer networking.
This article will show a comparison between the TCP/IP model and the OSI model.
Background
The International Organization for Standardization (ISO) created the OSI reference model so
that the similarly working components of a network could be logically grouped into layers of
a protocol stack. Separately, the Defense Advanced Research Projects Agency (DARPA)
developed the TCP/IP protocol suite, a streamlined set of protocols designed to address the
needs of the ever-growing Internet.
TCP/IP is a suite of protocols named after its two most significant protocols: the
Transmission Control Protocol and the Internet Protocol. TCP/IP is made up of layers. Each
layer is responsible for a set of computer network related tasks, and every layer provides
service to the layer above it. In all, there are four layers in the TCP/IP reference model.
Application Layer: This is the topmost layer of the TCP/IP suite. It is responsible for the
encoding of the packet data exchanged by applications.
Transport Layer: This layer provides end-to-end delivery of the packets. It also
provides service to the application layer.
Internet Layer: This layer is responsible for sending packets through different networks.
Link Layer: It is the layer closest to the network hardware. It provides service to the
Internet layer.
In the OSI reference model there are seven layers of protocols. Again, each layer provides
services to the layer above it. The seven layers are:
Physical Layer: It is the lowermost layer of the OSI reference model, and the layer
responsible for the direct interaction of the OSI model with the hardware. The hardware
provides service to the physical layer, and it in turn provides service to the datalink layer.
Datalink Layer: Certain errors may occur at the physical layer. Where possible, these errors
are corrected by the datalink layer. The datalink layer also provides the means by which
various entities can transfer data to the network.
Network Layer: This layer ensures that the quality of service requested by the transport
layer is not degraded. It is also responsible for transferring data in sequence from
source to destination.
Transport Layer: The reliability of the data is ensured by the transport layer. It also
retransmits those data that fail to reach the destination.
Session Layer: The session layer is responsible for creating and terminating the connection.
Management of such a connection is also taken care of by the session layer.
Presentation Layer: This layer is responsible for decoding the context (syntax and semantics)
of the higher level entities.
Application Layer: Software applications that implement socket programming communicate
with this layer. This layer is closest to the user.
The entire communication industry stands on the backbone of the TCP/IP and OSI reference
models. Learning the differences above is vital for anyone who wants to become an expert
in the field of communication.
When you give a computer an IP address, you identify the network of which it is a member
and give it an identification number within that network. A computer in a given network can
communicate with any other computer that is local to it (in the same network), provided
there is a way for information to pass between them (network cables, wireless network,
etc.).
This is where the default gateway comes in. A gateway is defined as a path out of the local
network to other remote networks. A gateway can be a number of things physically, such as
a DSL/cable router for your local network, a Windows server computer with multiple
network adaptors split between different networks, etc. Gateways must all share one thing
in common though. They are connected to at least 2 networks, and have the ability to pass
traffic between them.
The default gateway assigned to a network adaptor is sent all traffic that does not belong in
the local network. As an example of this, say you have a DSL Internet connection. When you
connect to the Internet, you are provided with a default gateway assigned by your service
provider. When you attempt to connect to a site on the Internet, the URL you type in (say
www.pcstats.com) is converted into an IP address by a DNS server, typically run by your
Internet provider.
Since this address is not going to be in your local network, the network adaptor in your
computer forwards the request for the web page to its default gateway, your service
provider.
From that point, your request will be passed from network to network through the internet
until it reaches the local network of www.pcstats.com and the data needed to display the
web page starts its way back through the internet to your IP address.
The first thing you should learn about networking is IP addresses. A server and a client
computer must each have an IP address so that they can be reached in a network
environment.
A Linux server can serve a network 365 days a year without any problem. This is proof that
Linux is a very stable and secure network operating system when properly configured and
maintained. All of that starts with setting up a network card and configuring an IP address
for the server.
In CentOS, all communication occurs between configured software interfaces and the
network devices connected to the system. All network configuration files for interfaces are
located in /etc/sysconfig/network-scripts/.
All of these files work together to make the various network devices function:
1. /etc/hosts -> resolves hostnames that can't be resolved any other way
2. /etc/resolv.conf -> specifies the IP address of the DNS server
3. /etc/sysconfig/network -> specifies routing and host information for all network
interfaces
4. /etc/sysconfig/network-scripts/ifcfg-<interface-name> -> for each network
interface, there is a corresponding interface configuration script
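As a concrete example, an interface configuration script for a static address might look like the following. The values are illustrative only, and the exact set of keys can vary between CentOS versions:

```shell
# /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0              # interface name
BOOTPROTO=static         # static address (use "dhcp" for DHCP instead)
ONBOOT=yes               # bring the interface up at boot
IPADDR=192.168.1.10      # example address, adjust for your network
NETMASK=255.255.255.0
GATEWAY=192.168.1.1      # default gateway for this interface
```

After editing such a file, the network service (or the individual interface) must be restarted for the change to take effect.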
What is Switching?
Networking has two basic concepts: switching and routing. They are fundamental concepts
in networking, and other topics, such as network security, are based on them. Routing and
switching are the basic packet (or data) delivery methods in a network, and every device,
such as a router, switch, hub, firewall, proxy, cache server, or modem, uses one of these
methods.
What is switching?
When we talk about switching, the protocols and concepts relate to layer 2, and the data
packets within this layer are called frames.
What is a Switch?
In general, a switch refers to a device that can select one condition from two or more
conditions. For example, an electrical switch can select 0 for off and 1 for on. More capable
switches offer more than two choices, and because of this capacity they are larger and also
more expensive.
In networking there is a long history of switches. At first, direct connections between two or
more computers were used to make a network, with cabling technologies such as 10BASE2,
10BASE5, and 10BASE-T.
In those technologies the base topology was the bus, and the most advanced device of that
era was the hub. A bus (or data bus) refers to one shared link between two or more devices
for sending and receiving data; when a device wants to send data to another device, the bus
must be empty and no other device may be using it. The figure below shows a logical view
of a hub and illustrates the meaning of a bus.
If PC1 wants to send data to PC3, it first checks the bus condition to avoid a collision (this is
collision detection), and if the bus is empty it sends the data for PC3. In practice it broadcasts
the data on the bus, and every device in this technology receives it; PC3 accepts the data
because the hardware address on the frame matches its own.
The data packets in this layer are called frames; they contain upper-level data, and in this
layer the source and destination addresses are called MAC addresses.
A MAC address is a unique address (written in a form like FFFF.FFFF.FFFF) for each interface
in the network. PC1 creates a frame with the destination MAC address of PC3, and PC3, after
receiving it, checks the MAC address.
The weakness of this technology is that all devices on the bus receive, or at least listen to,
the data. The bus is a shared resource: at any moment only one device can use it, the others
listen, and the bandwidth is divided among the users.
A switch uses a different technology for connecting devices. The base topology in switches
is the star, and, as with a hub, all devices connect to the switch. The basic difference is that
each port on a switch can connect directly to another port. The figure below shows a sample
of switches:
PC1, PC2, PC3, and PC4 are connected to the switch, and each of them has a MAC address.
PC1 and PC3 have a connection together, and at the same time PC2 and PC4 can also be
sending and receiving data. The switch provides the connectivity and gives them the full
speed of their ports (for example, if the port speed is 100 Mbps, they can use that
bandwidth).
The switch knows which MAC address is on each port. In other words, when a device
connects to the switch, the switch quickly learns its MAC address, and when a frame is sent
to that MAC address the switch delivers the frame only to the port where it lives; the other
ports never see the data. This gives better security and data distribution. Switches check
every frame for its destination MAC address.
Just as a router checks destination IP addresses, a switch keeps a MAC table that contains all
the MAC addresses that are active. For example, the switch in the figure above has at least
four MAC addresses in its MAC table.
A switch has at least one CPU, and that CPU has a MAC address of its own; this is the MAC
address of the switch. So, like routers, switches have an address, but at layer 2.
This architecture is effective: the switch has a MAC table, and with this list it sends data only
to the destination port and not to the others; this is what filtering means on a switch. The
operation runs in hardware, which means frame forwarding (switching) is a hardware
operation performed at high speed. When a company releases a switch, it states the
switching capacity in gigabits per second or higher.
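The MAC-table behaviour described above can be sketched as a tiny learning switch: it learns which port each source MAC address lives on, forwards frames to the known port, and floods when the destination is unknown. This is a simplified model, not any vendor's implementation:

```python
class LearningSwitch:
    def __init__(self, num_ports: int):
        self.num_ports = num_ports
        self.mac_table = {}                    # MAC address -> port number

    def receive(self, in_port: int, src_mac: str, dst_mac: str):
        """Process one frame; return the list of ports it is sent out of."""
        self.mac_table[src_mac] = in_port      # learn the sender's port
        if dst_mac in self.mac_table:
            return [self.mac_table[dst_mac]]   # filter: exactly one port
        # unknown destination: flood to every port except the ingress one
        return [p for p in range((self.num_ports)) if p != in_port]

sw = LearningSwitch(num_ports=4)
print(sw.receive(0, "AA", "BB"))   # BB unknown: flood to [1, 2, 3]
print(sw.receive(1, "BB", "AA"))   # AA was learned on port 0: [0]
print(sw.receive(0, "AA", "BB"))   # BB now learned on port 1: [1]
```

Once both hosts have spoken, every frame goes out of a single port, which is the filtering behaviour that distinguishes a switch from a hub.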
Cisco and Brocade are examples of well-known switch brands offering high capacity and
performance. Switches are selected depending on their capacity, number of ports, and
design.
We can connect switches together with one or more ports to build larger networks. The
figures below show simple diagrams of connectivity with switches.
The basic standards body for layer 2 is the IEEE, and the standard family for Ethernet is IEEE
802. This standard contains details for wired and wireless networking, switching, VLANs,
STP, and more.
Circuit Switching
Circuit switching is the most familiar technique used to build a communications network. It is
used for ordinary telephone calls. It allows communications equipment and circuits to be
shared among users. Each user has sole access to a circuit (functionally equivalent to a pair
of copper wires) during network use. Consider communication between two points A and D
in a network. The connection between A and D is provided using (shared) links between two
other pieces of equipment, B and C.
Network use is initiated by a connection phase, during which a circuit is set up between
source and destination, and terminated by a disconnect phase. These phases, with
associated timings, are illustrated in the figure below.
(Information flows in two directions. Information sent from the calling end is shown in pink and
information returned from the remote end is shown in blue)
After a user requests a circuit, the desired destination address must be communicated to the
local switching node (B). In a telephony network, this is achieved by dialing the number.
Node B receives the connection request and identifies a path to the destination (D) via an
intermediate node (C). This is followed by a circuit connection phase handled by the
switching nodes and initiated by allocating a free circuit to C (link BC), followed by
transmission of a call request signal from node B to node C. In turn, node C allocates a link
(CD) and the request is then passed to node D after a similar delay.
The circuit is then established and may be used. While it is available for use, resources (i.e. in
the intermediate equipment at B and C) and capacity on the links between the equipment
are dedicated to the use of the circuit.
Delays for setting up a circuit connection can be high, especially if ordinary telephone
equipment is used. Call setup time with conventional equipment is typically on the order of
5 to 25 seconds after completion of dialing. New fast circuit switching techniques can reduce
delays. Trade-offs between circuit switching and other types of switching depend strongly on
switching times.
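The setup delay for the A-B-C-D circuit above is roughly the time to communicate the destination address plus the sum of the per-hop allocation and signalling times. A back-of-the-envelope sketch with invented numbers (not measured values):

```python
# Illustrative per-phase times in seconds; all values are made up
# to show how the total call setup time is composed.
dialing = 4.0                      # user communicates the destination address
per_hop_setup = [1.5, 1.5, 1.0]    # allocate link BC, allocate link CD, alert D

total_setup = dialing + sum(per_hop_setup)
print(f"total call setup time: {total_setup:.1f} s")   # 8.0 s
```

The point of the sketch is that setup delay grows with the number of intermediate switching nodes, which is why fast circuit switching techniques focus on reducing the per-hop signalling time.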
Packet switching
Packet switching is a digital networking communications method that groups all transmitted
data – regardless of content, type, or structure – into suitably sized blocks, called packets.
Packet switching features delivery of variable-bit-rate data streams (sequences of packets)
over a shared network. When traversing network adapters, switches, routers and other
network nodes, packets are buffered and queued, resulting in variable delay and throughput
depending on the traffic load in the network.
Packet switching contrasts with another principal networking paradigm, circuit switching, a
method which sets up a limited number of dedicated connections of constant bit rate and
constant delay between nodes for exclusive use during the communication session. In case
of traffic fees (as opposed to flat rate), for example in cellular communication services,
circuit switching is characterized by a fee per time unit of connection time, even when no
data is transferred, while packet switching is characterized by a fee per unit of information.
Two major packet switching modes exist: (1) connectionless packet switching, also known as
datagram switching, and (2) connection-oriented packet switching, also known as virtual
circuit switching. In the first case, each packet includes complete addressing or routing
information. The packets are routed individually, sometimes resulting in different paths and
out-of-order delivery. In the second case, a connection is defined and preallocated in each
involved node during a connection phase before any packet is transferred. The packets
carry a connection identifier rather than full address information, and are delivered in order.
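The two modes can be illustrated with ordinary sockets on the loopback interface: UDP behaves like datagram switching (every packet carries the destination address), while TCP behaves like a virtual circuit (a connection phase first, then address-free, in-order delivery). This is a sketch of the two modes, not a packet-switch implementation:

```python
import socket

# Connectionless (datagram) mode, sketched with UDP: each packet is
# self-contained and carries the destination address on every send.
receiver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
receiver.bind(("127.0.0.1", 0))              # let the OS pick a free port
dest = receiver.getsockname()

sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sender.sendto(b"pkt-1", dest)                # address supplied per packet
sender.sendto(b"pkt-2", dest)

first, _ = receiver.recvfrom(64)
second, _ = receiver.recvfrom(64)

# Connection-oriented mode, sketched with TCP: a connection is set up
# once; later sends name no address, and delivery is in order.
listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
listener.bind(("127.0.0.1", 0))
listener.listen(1)

client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.connect(listener.getsockname())       # the "connection phase"
conn, _ = listener.accept()
client.sendall(b"stream-data")               # no per-packet address
data = conn.recv(64)

for s in (sender, receiver, client, conn, listener):
    s.close()
```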
Packet mode communication may be utilized with or without intermediate forwarding nodes
(packet switches or routers). In all packet mode communication, network resources are
managed by statistical multiplexing or dynamic bandwidth allocation in which a
communication channel is effectively divided into an arbitrary number of logical
variable-bit-rate channels or data streams. Statistical multiplexing, packet switching and other
store-and-forward buffering introduce varying latency and throughput in the transmission. Each
logical stream consists of a sequence of packets, which normally are forwarded by the
multiplexers and intermediate network nodes asynchronously using first-in, first-out
buffering. Alternatively, the packets may be forwarded according to some scheduling
discipline for fair queuing, traffic shaping or for differentiated or guaranteed quality of
service, such as weighted fair queuing or leaky bucket. In case of a shared physical medium,
the packets may be delivered according to some packet-mode multiple access scheme.
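A first-in, first-out multiplexer of the kind described above can be sketched as a single shared queue. The stream names and packet numbers below are invented for illustration:

```python
from collections import deque

# Packets from several logical streams share one outgoing link and
# are forwarded in arrival (FIFO) order.
arrivals = [("A", 1), ("B", 1), ("A", 2), ("C", 1), ("B", 2)]

link_queue = deque(arrivals)                 # one queue for the shared link
forwarded = []
while link_queue:
    forwarded.append(link_queue.popleft())   # first in, first out

# Within each stream, packet order is preserved even though the
# streams are interleaved on the shared link.
stream_a = [n for s, n in forwarded if s == "A"]
```

Fair queuing or traffic shaping, as mentioned above, would replace the single FIFO queue with a per-stream scheduling discipline.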
Message switching
In telecommunications, message switching was the precursor of packet switching, where
messages were routed in their entirety, one hop at a time. It was first introduced by Leonard
Kleinrock in 1961. Message switching systems are nowadays mostly implemented over
packet-switched or circuit-switched data networks. Each message is treated as a separate
entity. Each message contains addressing information, and at each switch this information is
read and the transfer path to the next switch is decided. Depending on network conditions, a
conversation of several messages may not be transferred over the same path. Each message
is stored (usually on hard drive due to RAM limitations) before being transmitted to the next
switch. Because of this it is also known as a 'store-and-forward' network. Email is a common
application of message switching: a delay in delivering email is acceptable, unlike real-time
data transfer between two computers.
Examples:
Hop-by-hop Telex forwarding and UUCP are examples of message switching systems.
When this form of switching is used, no physical path is established in advance between
sender and receiver. Instead, when the sender has a block of data to send, it is stored at
the first switching office (i.e. router) and then forwarded later, one hop at a time. Each block is
received in its entirety, inspected for errors, and then forwarded or retransmitted.
Message switching is thus a form of store-and-forward networking. Data is transmitted into
the network and stored in a switch; the network transfers the data from switch to switch
when it is convenient to do so, so the data is not transferred in real time. Blocking cannot
occur, though long delays can. The source and destination terminals need not be compatible,
since conversions are done by the message switching network.
A message switch is "transactional": it can store data or change its format and bit rate, then
convert the data back to its original form, or to an entirely different form, at the receiving end.
Message switching multiplexes data from different sources onto a common facility, and is one
of the principal switching technologies.
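The store-and-forward behaviour can be sketched in a few lines: each node on the path stores the entire message before passing it on. The node names and message are illustrative:

```python
# Hop-by-hop message switching: every switch on the path stores the
# whole message, inspects it, then forwards it to the next hop.
def relay_message(message, path):
    trace = []
    for node in path:
        stored = bytes(message)   # entire message held at this node
        # (error inspection and next-hop selection would happen here)
        trace.append((node, len(stored)))
    return trace

trace = relay_message(b"HELLO", ["B", "C", "D"])
```

Note that every node must buffer the whole message, which is why real systems historically stored messages on disk rather than in RAM.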
Routing
Routing is the process of selecting paths in a network along which to send network traffic.
Routing is performed for many kinds of networks, including the telephone network (circuit
switching), electronic data networks (such as the Internet), and transportation networks.
This article is concerned primarily with routing in electronic data networks using packet
switching technology.
In packet switching networks, routing directs packet forwarding, the transit of logically
addressed packets from their source toward their ultimate destination through intermediate
nodes, typically hardware devices called routers, bridges, gateways, firewalls, or switches.
General-purpose computers can also forward packets and perform routing, though they are
not specialized hardware and may suffer from limited performance. The routing process
usually directs forwarding on the basis of routing tables which maintain a record of the
routes to various network destinations. Thus, constructing routing tables, which are held in
the router's memory, is very important for efficient routing. Most routing algorithms use
only one network path at a time, but multipath routing techniques enable the use of
multiple alternative paths.
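A routing-table lookup of the kind described can be sketched with the standard ipaddress module. The prefixes and next-hop names below are invented for illustration; real routers choose the longest matching prefix:

```python
import ipaddress

# Destination prefix -> next hop (illustrative entries).
routing_table = {
    ipaddress.ip_network("0.0.0.0/0"):   "default-gw",
    ipaddress.ip_network("10.0.0.0/8"):  "router-a",
    ipaddress.ip_network("10.1.0.0/16"): "router-b",
}

def next_hop(destination):
    addr = ipaddress.ip_address(destination)
    matches = [net for net in routing_table if addr in net]
    # Longest-prefix match: the most specific route wins.
    return routing_table[max(matches, key=lambda net: net.prefixlen)]
```

This is also why structured addressing scales: one /8 entry stands in for millions of hosts, rather than one table entry per device.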
Routing, in a more narrow sense of the term, is often contrasted with bridging in its
assumption that network addresses are structured and that similar addresses imply
proximity within the network. Because structured addresses allow a single routing table
entry to represent the route to a group of devices, structured addressing (routing, in the
narrow sense) outperforms unstructured addressing (bridging) in large networks, and has
become the dominant form of addressing on the Internet, though bridging is still widely
used within localized environments.
Routing schemes differ in their delivery semantics. Some common routing schemes are
described below:
Unicast
Unicast is the transmission of data to a single, specific network destination. The term is
contrasted with broadcast, which means transmitting the same data to all possible
destinations. Another multi-destination distribution method, multicasting, sends data only
to interested destinations by using special address assignments.
Unicast messaging is used for all network processes in which a private or unique resource is
requested.
Certain network applications which are mass-distributed are too costly to be conducted with
unicast transmission since each network connection consumes computing resources on the
sending host and requires its own separate network bandwidth for transmission. Such
applications include streaming media of many forms. Internet radio stations using unicast
connections may have high bandwidth costs.
These terms are also used by streaming content providers' services. Unicast-based media
servers open and provide a stream for each unique user. Multicast-based servers can support
a larger audience by serving content simultaneously to multiple users.
Multicast
At the Data Link Layer, multicast describes one-to-many distribution such as Ethernet
multicast addressing, Asynchronous Transfer Mode (ATM) point-to-multipoint virtual circuits
(P2MP) or Infiniband multicast.
Broadcast
In telecommunication and information theory, broadcasting refers to a method of
transferring a message to all recipients simultaneously. Broadcasting can be performed as a
high level operation in a program, for example broadcasting Message Passing Interface, or it
may be a low level networking operation, for example broadcasting on Ethernet.
Not all network technologies support broadcast addressing; for example, neither X.25 nor
frame relay has broadcast capability, nor is there any form of Internet-wide broadcast.
Broadcasting is largely confined to local area network (LAN) technologies, most notably
Ethernet and token ring, where the performance impact of broadcasting is not as large as it
would be in a wide area network.
IPv6, the successor to Internet Protocol Version 4 (IPv4), also does not implement the
broadcast method, so as to avoid disturbing all nodes in a network when only a few may
be interested in a particular service. Instead it relies on multicast addressing, a conceptually
similar one-to-many routing methodology. However, multicasting limits the pool of receivers
to those that join a specific multicast receiver group.
Both Ethernet and IPv4 use an all-ones broadcast address to indicate a broadcast packet.
Token Ring uses a special value in the IEEE 802.2 control field.
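The all-ones convention is easy to verify with the ipaddress module: a subnet's broadcast address is the address whose host bits are all ones. The example subnet is arbitrary:

```python
import ipaddress

# For 192.168.1.0/24, the host part is the last 8 bits; setting them
# all to one gives the subnet's broadcast address, .255.
net = ipaddress.ip_network("192.168.1.0/24")
broadcast = net.broadcast_address
```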
Broadcasting may be abused to perform a denial-of-service (DoS) attack. The attacker sends
fake ping requests with the source IP address of the victim computer; the victim is then
flooded by the replies from all computers in the broadcast domain.
Anycast
Anycast is a network addressing and routing methodology in which datagrams from a single
sender are routed to the topologically nearest node in a group of potential receivers all
identified by the same destination address.
silently breaking any conversations that may be in progress at the time. These conditions are
typically referred to as a "pop switch". To correct for this issue, there have been proprietary
advancements within custom IP stacks which allow for healing of stateful protocols where it
is required. For this reason, anycast is generally used as a way to provide high availability and
load balancing for stateless services such as access to replicated data; for example, DNS
service is a distributed service over multiple geographically dispersed servers.
Switches and routers
Switches operate at layer 2 of the OSI Model. A switch, also referred to as a multi-port
bridge, is able to determine where a packet should be sent by examining the MAC address
within the data link header of the packet (the MAC address is the hardware address of a
network adapter). A switch maintains a database of MAC addresses and what port they are
connected to.
Routers, on the other hand, operate at layer 3 of the OSI Model. A router is able to
determine where to send a packet using the Network ID within the Network layer header. It
then uses the routing table to determine the route to the destination host.
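The switch's MAC-address database can be sketched as a simple mapping from MAC address to port: frames to an unknown destination are flooded, as in a real learning switch. The addresses and port numbers below are made up:

```python
# MAC address -> port the address was last seen on.
mac_table = {}

def handle_frame(src_mac, dst_mac, in_port):
    mac_table[src_mac] = in_port             # learn where the sender is
    # Forward out the known port, or flood if the destination is unknown.
    return mac_table.get(dst_mac, "flood")

first = handle_frame("aa:aa", "bb:bb", in_port=1)   # bb:bb not learned yet
reply = handle_frame("bb:bb", "aa:aa", in_port=2)   # aa:aa was learned
```

A router works the same way in outline, except its table is keyed by network prefix (layer 3) rather than by individual hardware address (layer 2).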
Client applications are installed on a user's computer or workstation and interact with data and programs
on a server. Client applications are not the same as desktop applications because client applications must
interact with a server for full functionality. A common example of a client application is the video game
World of Warcraft. Users install a client application on their computers that allows them to log into a
server containing the game programming.
Businesses can use client server applications to cut down on overhead requirements for workstations.
Instead of installing hundreds of copies of a particular program, users log into the application server.
Client server applications have an easier time handling complex printing requirements, on-screen updates
and interface design, and they have fewer security issues than web applications. Web applications, in
turn, make it easier to keep the application updated, to move between multiple computers, to maintain
compatibility across different operating systems, and to deploy the software initially.
The choice between client server applications and web applications usually depends on the needs of the
user or business. Third-party web applications provide a ready-made solution for quick deployment.
Some businesses prefer the customization available by producing client server applications.
Computers are needed in businesses of different sizes. Large computer setups that include networks and
mainframes are used in large businesses. A computer network used in these types of businesses has a
client-server architecture or two-tier architecture. The main purpose of this architecture is the division of
labor which is required in large organizations.
Server
In a client-server environment, the server computer acts as the “brains” of the business. A very large
capacity computer is used as the server; it may even be a mainframe, since it stores a wide variety of
applications and data.
Generally, applications and data files are stored on the server computer. Employee computers or
workstations access these applications and files across the network. For example, an employee can access
company’s data files stored on the server, from his/her client computer.
In some cases, employees may access only specific applications from their client machine. Application
server is the name given to this type of server. The client-server architecture is fully utilized in this type of
environment as employees have to login from their client machine in order to access the application
stored on the server. For example, these kinds of applications include graphic design programs,
spreadsheets and word processors. The client- server architecture is illustrated in each case.
Apart from the storage medium, the server also acts as a processing power source. The client machines get
their processing power from this server source. By doing so, no extra hardware for the client is needed
and it utilizes greater processing power of the server.
Client
In client-server architecture, the client is a smaller computer that is used by the employees of the
organization to perform their day-to-day activities. The employee uses the client computer to
access the data files or applications stored on the server machine.
The rights granted to client machines can differ. Some employees have access to the data files
of the organization, while others may only access the applications present on the server.
Apart from using the applications and data files, the client machine can also utilize the processing power
of the server. In this case, the client computer is plugged-in to the server and the server machine handles
all the calculations. In this way, the large processing power of the server can be utilized without any
addition of hardware on the client side.
The best example of client-server architecture is the World Wide Web (WWW). Here the client is the
browser installed on each computer, and the information about different pages is stored on the server
side, from which the client or the user can access it.
• Client is a smaller computer through which the information or application stored on the
server is accessed by the user whereas server is a powerful computer that stores the data
files and applications.
• In some cases, the client may utilize the greater processing power of the server machine.
• In some cases, the client side may have a better graphical user interface or GUI as
compared to the server side.
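The division of labour described above can be sketched with a minimal loopback client and server. The request string and stored reply are invented for illustration:

```python
import socket
import threading

# The server owns the data; the client requests it over the network.
def serve_once(listener):
    conn, _ = listener.accept()
    if conn.recv(64) == b"GET report":      # made-up request format
        conn.sendall(b"quarterly figures")  # made-up stored data
    conn.close()

listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
listener.bind(("127.0.0.1", 0))             # OS picks a free port
listener.listen(1)
threading.Thread(target=serve_once, args=(listener,)).start()

client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client.connect(listener.getsockname())
client.sendall(b"GET report")
reply = client.recv(64)
client.close()
listener.close()
```

A web browser and web server follow exactly this pattern, with HTTP as the request format.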
Press the power button on your system, and after a few moments you see the Linux login prompt. The
following are the 6 high-level stages of a typical Linux boot process.
1. BIOS
2. MBR
3. GRUB
• GRUB has knowledge of the filesystem (the older Linux loader LILO did not understand
filesystems).
• The GRUB configuration file is /boot/grub/grub.conf (/etc/grub.conf is a link to it). The following is a
sample grub.conf from CentOS.
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/boot/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-194.el5PAE)
        root (hd0,0)
        kernel /boot/vmlinuz-2.6.18-194.el5PAE ro root=LABEL=/
        initrd /boot/initrd-2.6.18-194.el5PAE.img
• As you notice from the above info, it contains kernel and initrd image.
• So, in simple terms GRUB just loads and executes Kernel and initrd images.
4. Kernel
5. Init
• Looks at the /etc/inittab file to decide the Linux run level. Following are the available run
levels
Runlevel Target Description
0 runlevel0.target, poweroff.target Halt
1 runlevel1.target, rescue.target Single-user (rescue) mode
2 runlevel2.target, multi-user.target Multi-user, without NFS
3 runlevel3.target, multi-user.target Full multi-user, text mode
4 runlevel4.target, multi-user.target Unused / user-definable
5 runlevel5.target, graphical.target Multi-user with graphical login
6 runlevel6.target, reboot.target Reboot
• Init identifies the default run level from /etc/inittab and uses that to load all appropriate programs.
• Execute ‘grep initdefault /etc/inittab’ on your system to identify the default run level.
• Do not set the default run level to 0 or 6: 0 halts the system and 6 reboots it, so the system
would never come up normally.
6. Runlevel programs
• When the Linux system is booting up, you might see various services getting started. For
example, it might say “starting sendmail …. OK”. Those are the runlevel programs, executed
from the run level directory as defined by your run level.
• Depending on your default init level setting, the system will execute the programs from one of the
following directories.
o Run level 0 – /etc/rc.d/rc0.d/
o Run level 1 – /etc/rc.d/rc1.d/
o Run level 2 – /etc/rc.d/rc2.d/
o Run level 3 – /etc/rc.d/rc3.d/
o Run level 4 – /etc/rc.d/rc4.d/
o Run level 5 – /etc/rc.d/rc5.d/
o Run level 6 – /etc/rc.d/rc6.d/
• Please note that there are also symbolic links available for these directories directly under /etc.
For example, /etc/rc0.d is linked to /etc/rc.d/rc0.d.
• Under the /etc/rc.d/rc*.d/ directories, you will see programs whose names start with S or K.
• Programs starting with S are used during startup (S for startup).
• Programs starting with K are used during shutdown (K for kill).
• The numbers right after S or K are sequence numbers that determine the order in which
the programs are started or killed.
For example, S12syslog starts the syslog daemon and has sequence number 12; S80sendmail starts
the sendmail daemon and has sequence number 80. So the syslog program will be started
before sendmail.
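Because the sequence number follows the S or K, plain lexical sorting of the file names yields the execution order. The script names below are typical examples:

```python
# rc directories are processed in lexical order, so the two-digit
# number after S (start) or K (kill) fixes the execution order.
scripts = ["S80sendmail", "K30nfs", "S12syslog", "S55sshd"]

start_order = sorted(s for s in scripts if s.startswith("S"))
kill_order = sorted(s for s in scripts if s.startswith("K"))
```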
In Linux, the flow of control during a boot is from BIOS, to boot loader, to kernel. The kernel then starts
the scheduler (to allow multi-tasking) and runs the first userland (i.e. outside kernel space) program,
init (which is mostly responsible for running the startup scripts for each runlevel), at which point the
kernel goes idle unless called externally.
init (short for initialization) is a program for Unix-based computer operating systems that spawns all other
processes. It runs as a daemon and typically has PID 1. The boot loader starts the kernel and the kernel
starts init. If one were to delete init without a replacement, the system would encounter a kernel panic on
the next reboot.
Each user is associated with a unique numerical identification number called a user ID (UID). Likewise,
each group is associated with a group ID (GID). A user who creates a file is also the owner and group
owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the
group, and everyone else. The file owner can be changed only by root, and access permissions can be
changed by both the root user and file owner.
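The per-file owner, group, and permission sets can be inspected with os.stat. This sketch creates a throwaway file and reads back its mode bits and owner UID:

```python
import os
import stat
import tempfile

# Create a temporary file owned by the current user, then give it
# rw- for the owner, r-- for the group, and nothing for others.
fd, path = tempfile.mkstemp()
os.close(fd)
os.chmod(path, 0o640)

info = os.stat(path)
mode = stat.S_IMODE(info.st_mode)   # permission bits only
owner = info.st_uid                 # numeric UID of the file owner
os.remove(path)
```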
-c 'comment' comment can be replaced with any string. This option is generally used to
specify the full name of a user.
-f days Number of days after the password expires until the account is disabled. If
0 is specified, the account is disabled immediately after the password
expires. If -1 is specified, the account is not disabled after the
password expires.
-g group_name Group name or group number for the user's default group. The group
must exist prior to being specified here.
-G group_list List of additional (other than default) group names or group numbers,
separated by commas, of which the user is a member. The groups must
exist prior to being specified here.
-r Create a system account with a UID less than 500 and without a home
directory.
-s shell User's login shell, which defaults to /bin/bash.
-u uid User ID for the user, which must be unique and greater than 499.
By default, the useradd command creates a locked user account. To unlock the account, run the
following command as root to assign a password:
passwd username
-f, --force When used with -g gid and gid already exists, groupadd will
choose another unique gid for the group.
-g gid Group ID for the group, which must be unique and greater than 499.
-p password Use this encrypted password for the new group.
INETD
inetd (internet service daemon) is a super-server daemon on many Unix systems that manages
Internet services. First appearing in 4.3BSD, it is generally located at /usr/sbin/inetd.
Often called a super-server, inetd listens on designated ports used by Internet services
such as FTP, POP3, and telnet. When a TCP packet or UDP packet arrives with a particular
destination port number, inetd launches the appropriate server program to handle the connection.
For services that are not expected to run with high loads, this method uses memory more
efficiently, since the specific servers run only when needed. Furthermore, no network code is
required in the application-specific daemons, as inetd hooks the sockets directly to stdin, stdout
and stderr of the spawned process. For protocols that have frequent traffic, such as HTTP and
POP3, a dedicated server that intercepts the traffic directly may be preferable.
inetd replacements
In recent years, because of the security limitations in the original design of inetd, it has been
replaced by xinetd, rlinetd, ucspi-tcp, and others on many systems. Linux distributions in
particular offer many options, and Mac OS X (beginning with Mac OS X v10.2) uses xinetd. As
of Mac OS X v10.4, Apple has merged the functionality of inetd into launchd.
The services provided by inetd can be omitted entirely. This is becoming more common where
machines are dedicated to a single function. For example, an HTTP server could be configured to
just run httpd and have no other ports open. A dedicated firewall could have no services started.
This reduces the load that services place on a system, because it means that network services –
such as telnet, File Transfer Protocol (FTP), and Simple Mail Transfer Protocol (SMTP) – can be
activated on demand rather than having to run continuously.
When a system initializes, the inetd daemon needs to determine its configuration information. To
do this, the daemon accesses two files – /etc/services and /etc/inetd.conf.
The /etc/services file contains a list of network services and the ports to which they map.
Network services have standard default ports on which client machines can find them. This
enables clients to connect to particular services. For instance, HTTP uses port 80, FTP uses port
21, and telnet uses port 23.
• servicename – The servicename field specifies the name of a network service. Typical
entries include telnet, File Transfer Protocol (FTP), and Post Office Protocol (POP).
• port/protocol – The port/protocol field identifies the number of the port and the protocol
– or communication standard – that a service uses. The protocol is usually Transmission
Control Protocol (TCP) or User Datagram Protocol (UDP). Both port and protocol entries
should be included.
• aliases – The aliases field specifies any alternative names for a network service. For
instance, www is a common alias for the http service. This field is optional.
• Comment – The comment field is an optional field in which you can enter any additional
information about a service.
e.g.
service-name port/protocol [aliases ...] [# comment]
pop2 109/tcp pop-2 postoffice # pop version
pop2 109/udp pop-2
pop3 110/tcp pop-3 postoffice # pop version 3
pop3 110/udp pop-3 postoffice
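A line in this format splits cleanly into its fields. This sketch parses the pop3 entry shown above:

```python
# Fields: service-name, port/protocol, optional aliases, optional comment.
line = "pop3 110/tcp pop-3 postoffice # pop version 3"

entry, _, comment = line.partition("#")       # strip the trailing comment
name, port_proto, *aliases = entry.split()
port, proto = port_proto.split("/")
```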
Another configuration file, /etc/inetd.conf, contains a list of network services that tell inetd
which ports to listen to and which server programs to run in response to service requests. Each
entry in the /etc/inetd.conf file consists of seven fields.
• service_name – The service_name field identifies a network service. The service name
should be listed as it is defined in the /etc/services file. Any internal service should be
given its official name.
• socket_type – The socket_type field identifies the type of port or virtual connection –
usually stream or dgram (datagram) – that a network service uses. TCP services use
stream and UDP services use dgram. Less common socket type values include raw, rdm,
and seqpacket.
• protocol – The protocol field identifies the communication standard that a network
service uses. Its value is usually TCP or UDP. This field should contain one of the
protocols listed in the /etc/protocols file and should match the protocol field of a service’s
entry in the /etc/services file.
• flags – The flags field specifies the behavior of inetd after it invokes a server in response
to a service request. A multithreaded TCP server frees the port as soon as it starts, enabling
inetd to invoke a new instance of the server to handle new requests; a single-threaded UDP
server cannot free the port until it has finished running. So you should set dgram sockets to
wait and all other socket types to nowait.
• user – The user field identifies the user account under which a service must run. The
username should be defined in the /etc/passwd file and is often set to root. You can also
specify a group name by placing a dot between the user and group names.
• server_path – The server_path field contains the pathname of the server that the inetd
daemon must invoke when it receives a service request. In most cases, this field reads
/usr/sbin/tcpd, where tcpd is responsible for controlling access to network services. If the
network service is one of inetd’s built-in services, this field instead reads internal.
• arguments – The arguments field enables you to specify command-line arguments for
the server daemon. The first argument, argv[0], is the daemon name and is always
present, except in the case of internal services. If the server daemon is tcpd, an argument
must specify the name of the service that tcpd must invoke.
e.g.
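The seven fields split in order. The telnet entry below is a typical illustrative line (the actual entry on a given system may differ):

```python
# service_name socket_type protocol flags user server_path arguments...
line = "telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd"

(service, socket_type, protocol,
 flags, user, server_path, *arguments) = line.split()
```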
To make inetd pick up configuration changes, you can use the stop command and then the start
command; alternatively, you can use either the restart or the reload command. One drawback of
the inetd daemon is that it needs to load and initialize a new process before it can handle a new
request, which slows down response times.
So if a service has a high number of connections and requires high data processing, you should
run it as a standalone daemon rather than using inetd to invoke it. Suppose that you want inetd to
invoke the telnet service. Before you do this, you first need to check which inetd services are
currently enabled.
File System
In a computer, a file system (sometimes written filesystem) is the way in which files are named
and where they are placed logically for storage and retrieval. The DOS, Windows, OS/2,
Macintosh, and UNIX-based operating systems all have file systems in which files are placed
somewhere in a hierarchical (tree) structure. A file is placed in a directory (folder in Windows) or
subdirectory at the desired place in the tree structure.
File systems specify conventions for naming files. These conventions include the maximum
number of characters in a name, which characters can be used, and, in some systems, how long
the file name suffix can be. A file system also includes a format for specifying the path to a file
through the structure of directories.
Sometimes the term refers to the part of an operating system, or an add-on program, that
supports a file system as defined above. Examples of such add-on file systems include the
Network File System (NFS) and the Andrew File System (AFS).
In the specialized lingo of storage professionals, a file system is the hardware used for
nonvolatile storage, the software application that controls the hardware, and the architecture of
both the hardware and the software.
Your hard drive can have various partitions, each of which usually contains only one file system,
such as one file system housing the / file system and another containing the /home file system.
One file system per partition allows for the logical maintenance and management of differing file
systems.
Directory Structure:
Unix uses a hierarchical file system structure, much like an upside-down tree, with root (/) at the
base of the file system and all other directories spreading from there.
A UNIX filesystem is a collection of files and directories that has the following properties:
• It has a root directory (/) that contains other files and directories.
• Each file or directory is uniquely identified by its name, the directory in which it resides,
and a unique identifier, typically called an inode.
• By convention, the root directory has an inode number of 2 and the lost+found directory
has an inode number of 3. Inode numbers 0 and 1 are not used. File inode numbers can be
seen by specifying the -i option to ls command.
• It is self-contained. There are no dependencies between one filesystem and any other.
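The inode identity of a file is visible through os.stat (the same number ls -i prints). This sketch creates a temporary file and reads its inode number:

```python
import os
import tempfile

fd, path = tempfile.mkstemp()
os.close(fd)

# st_ino uniquely identifies the file within its filesystem.
inode = os.stat(path).st_ino
os.remove(path)
```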
The directories have specific purposes and generally hold the same types of information for
easily locating files. Following are the directories that exist on the major versions of Unix:
Directory Description
/ The root directory, which should contain only the directories needed at the top level of the file structure.
/bin Where the executable files are located. They are available to all users.
/dev Contains device files (the interfaces to device drivers).
/etc Supervisor directory: commands, configuration files, disk configuration files, valid user lists, groups, ethernet, hosts, where to send critical messages.
/lib Contains shared library files and sometimes other kernel-related files.
/boot Contains files for booting the system.
/home Contains the home directories for users and other accounts.
/mnt Used to mount other temporary file systems, such as cdrom and floppy for the CD-ROM drive and floppy diskette drive, respectively.
/proc Contains all processes marked as a file by process number or other information that is dynamic to the system.
Disk quota
A disk quota is a limit set by a system administrator that restricts certain aspects of file system
usage on modern operating systems. The function of using disk quotas is to allocate limited disk
space in a reasonable way.
Disk quotas are typically implemented on a per-user or per-group basis. That is, a system
administrator defines a usage or file quota specific to a certain user or group.
In doing so, an administrator can prevent one user from consuming an entire file system’s
resources, or create a system of tiered access, whereby users can have different levels of
restriction. This is used, for example, by web hosting companies to provide different levels of
service based upon the needs and means of individual clients.
In most cases, quotas are also specific to individual file systems. Should an administrator want to
limit the usage of a specific user on all file systems, a separate quota would have to be specified
on each.
When a soft quota is violated, the system normally sends the user (and sometimes the
administrator as well) some sort of message. No further action is typically taken.
Some systems prevent disk write operations that would result in hard quota violations from
completing successfully, while others wait until the quota has been physically violated before
denying write requests. The user is typically notified through the failed write operation error
messages generated by the violating applications, while the administrator is almost always sent a
notification as well.
Disk quotas are supported by most modern operating systems, including Unix-like systems such as AIX (using the JFS or JFS2 filesystem), Linux (using ext2, ext3, ext4, and XFS, among other filesystems), Solaris (using UFS or ZFS), Microsoft Windows starting with
Windows 2000, Novell NetWare, VMS, and others. The method of administration for disk quotas
varies between each of these operating systems. Unix-like systems typically provide a quota
command for both administration and monitoring; graphical front-ends to the command
may also be used. Unix and Unix-like operating systems frequently feature a grace period where
users may violate their quota for a brief period of time. Windows 2000 and newer versions use
the "Quota" tab of the disk properties dialog. Other systems provide their own quota
management utilities.
Types of quotas
There are two basic types of disk quotas. The first, known as a usage quota or block quota, limits
the amount of disk space that can be used. The second, known as a file quota or inode quota,
limits the number of files and directories that can be created.
In addition, administrators usually define a warning level, or soft quota, that is lower than the effective limit, or hard quota; when users cross it, they are informed that they are nearing their limit. There may also be a small grace interval, which allows users to temporarily violate their quotas by certain amounts if necessary.
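The soft/hard distinction can be sketched as a simple check. This is a hypothetical illustration of the logic only (the numbers and the `check_quota` function are invented for the example, not part of any real quota tool):

```shell
# Hypothetical soft/hard quota logic (not a real quota utility)
soft=100   # soft quota in MB: warn when crossed
hard=120   # hard quota in MB: deny writes when crossed

check_quota() {
    usage=$1
    if [ "$usage" -gt "$hard" ]; then
        echo "hard quota exceeded: write denied"
    elif [ "$usage" -gt "$soft" ]; then
        echo "soft quota exceeded: warning sent to user"
    else
        echo "within quota"
    fi
}

check_quota 90
check_quota 110
check_quota 130
```

A real implementation would also track the grace interval mentioned above, after which a soft-quota violation is treated like a hard one.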
Job scheduler
A job scheduler is a program that enables an enterprise to schedule and, in some cases, monitor
computer "batch" jobs (units of work, such as the running of a payroll program). A job scheduler
can initiate and manage jobs automatically by processing prepared job control language
statements or through equivalent interaction with a human operator. Today's job schedulers
typically provide a graphical user interface and a single point of control for all the work in a
distributed network of computers.
Crontab
cron is the time-based job scheduler in Unix-like computer operating systems. cron enables users to
schedule jobs (commands or shell scripts) to run periodically at certain times or dates. It is commonly
used to automate system maintenance or administration, though its general-purpose nature means that
it can be used for other purposes, such as connecting to the Internet and downloading email.
Cron is driven by a crontab (cron table) file, a configuration file that specifies shell commands to run
periodically on a given schedule. The crontab files are stored where the lists of jobs and other
instructions to the cron daemon are kept. Users can have their own individual crontab files and often
there is a system wide crontab file (usually in /etc or a subdirectory of /etc) which only system
administrators can edit.
Note: In Unix and other multitasking computer operating systems, a daemon (/ˈdeɪmən/ or /ˈdiːmən/) is a computer program that runs as a background process, rather than being under the direct control of an interactive user. Typically daemon names end with the letter d: for example, syslogd is the daemon that implements the system logging facility and sshd is a daemon that services incoming SSH connections.

Example: the following line causes the user program test.pl – ostensibly a Perl script – to be run every two hours, namely at midnight, 2am, 4am, 6am, 8am, and so on:

0 */2 * * * /home/username/test.pl
There are several special predefined values which can be used in place of the five time-and-date fields of a CRON expression:

Entry                    Description         Equivalent To
@yearly (or @annually)   Run once a year     0 0 1 1 *
@monthly                 Run once a month    0 0 1 * *
@weekly                  Run once a week     0 0 * * 0
@daily (or @midnight)    Run once a day      0 0 * * *
@hourly                  Run once an hour    0 * * * *
@reboot                  Run at startup      (no equivalent)
does not - install from /usr/ports/sysutils/anacron. Use man anacron to get more information. Not discussed further.
3. Crontab is the method used to schedule tasks for the logged-in user (for more information, use man crontab). To add a task, a file of the following format must be created:
SHELL=/path/to/shell
MAILTO=email-address
# if MAILTO="" (empty) mail is suppressed
HOME=/path/to/somewhere (normally /var/log)
min hour date mo dow task
# for details of time formats see cron time formats
# task is executed by the defined shell so may be a command or a script
Once the crontab has been created it must be added to the task list by running
crontab as shown:
The cron job runs under the user that issued the crontab command and thus
permissions need to be carefully examined.
You can create a crontab file by entering the following terminal command:
crontab -e
Entering the above command will open a terminal editor with a new blank crontab file, or it will open an
existing crontab if you already have one. You can now enter the commands to be executed, see syntax
below, before saving the file and exiting the editor. As long as your entries were entered correctly your
commands should now be executed at the times/dates you specified. You can see a list of active crontab
entries by entering the following terminal command:
crontab -l
Crontab syntax
A crontab file has six fields for specifying minute, hour, day of month, month, day of week and the
command to be run at that interval. See below:
* * * * * command to be executed
- - - - -
| | | | |
| | | | +----- day of week (0-6) (Sunday=0)
| | | +------- month (1-12)
| | +--------- day of month (1-31)
| +----------- hour (0-23)
+------------- minute (0-59)
Crontab examples
Writing a crontab file can be somewhat confusing for first-time users, therefore I have listed below some crontab examples:
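Some typical crontab lines of the kind being described (the script paths here are hypothetical examples, not from the note):

```
# min  hour dom mon dow  command
0      0    *   *   *    /usr/local/bin/backup.sh    # every day at midnight
30     8    *   *   1    /usr/local/bin/report.sh    # 08:30 every Monday
*/15   *    *   *   *    /usr/local/bin/poll.sh      # every 15 minutes
0      0    1   *   *    /usr/local/bin/rotate.sh    # first day of each month
```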
As well as the above, there are also special strings that can be used, such as @reboot, @hourly, @daily, @weekly and @monthly.
Multiple commands
A double-ampersand “&&” can be used to run multiple commands consecutively. The following example
would run command_01 and then command_02 once a day:
@daily <command_01> && <command_02>
By default a cron job will send an email to the user account executing the cronjob. If this is not needed
put the following command at the end of the cron job line:
>/dev/null 2>&1
As mentioned at the top of this post, you can create a new crontab file with the "crontab -e" command. However, you may already have a crontab file; if you do, you can set it to be used with the following command:

crontab /home/tux/crontab

…which, when run as Tux, would set Tux's crontab file to that of the file named "crontab" residing in Tux's home directory.
To remove your crontab file simply enter the following terminal command:
crontab -r
Anacron
Anacron is a task scheduler similar to cron except that it does not require the system to run
continuously. It can be used to run the daily, weekly, and monthly jobs usually run by cron.
To use the Anacron service, you must have the anacron RPM package installed. To determine if the package is installed, use the command rpm -q anacron.

Configuration File

Anacron tasks are listed in the configuration file /etc/anacrontab. Each line in the configuration file corresponds to a task and has the format:

period delay job-identifier command
For each task, Anacron determines if the task has been executed within the period specified in
the period field of the configuration file. If it has not been executed within the given period,
Anacron executes the command specified in the command field after waiting the number of
minutes specified in the delay field.
After the task is completed, Anacron records the date in a timestamp file in the
/var/spool/anacron directory. Only the date is used (not the time), and the value of the
jobidentifier is used as the filename for the timestamp file.
Environment variables such as SHELL and PATH can be defined at the top of /etc/anacrontab as with the cron configuration file.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
As you can see in Figure 22-1, the anacrontab for Red Hat Linux is configured to make sure the
daily, weekly, and monthly cron tasks are run.
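A Red Hat-style /etc/anacrontab of the kind described (fields are period in days, delay in minutes, job identifier, and command; paths as conventionally shipped):

```
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# period  delay  job-identifier  command
1         5      cron.daily      run-parts /etc/cron.daily
7         10     cron.weekly     run-parts /etc/cron.weekly
30        15     cron.monthly    run-parts /etc/cron.monthly
```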
To start the anacron service, use the command /sbin/service anacron start. To stop the
service, use the command /sbin/service anacron stop. It is recommended that you start the
service at boot time.
Log analysis
Log analysis (or system and network log analysis) is an art and science seeking to make sense
out of computer-generated records (also called log or audit trail records). The process of creating
such records is called data logging.
Logs are emitted by network devices, operating systems, applications and all manner of intelligent or programmable devices. A log often comprises a stream of messages in time sequence.
Logs may be directed to files, stored on disk, or directed as a network stream to a log collector.
Log messages must usually be interpreted with respect to the internal state of their source (e.g., an application); they announce security-relevant or operations-relevant events (e.g., a user login, or a system error).
Logs are often created by the software developers to aid in the debugging of the operation of the
application. The syntax and semantics of data within log messages are usually application or
vendor-specific. The authentication of a user to an application may be described as a login, a
logon, a user connection or authentication event. Hence, log analysis must interpret messages
within the context of an application, vendor, system or configuration in order to make useful
comparisons to messages from different log sources.
Log message format or content may not always be fully documented. A task of the log analyst is
to induce the system to emit the full range of messages in order to understand the complete
domain from which the messages must be interpreted.
A log analyst may map varying terminology from different log sources into a uniform,
normalized terminology so that reports and statistics can be derived from a heterogeneous
environment. E.g., log messages from Windows, Unix, network firewalls, databases may be
aggregated into a "normalized" report for the auditor.
Hence, log analysis practices exist on the continuum from text retrieval to reverse engineering of
software.
Pattern recognition is the function of selecting incoming messages and comparing them with a pattern book in order to filter them or handle them in different ways.
Normalization is the function of converting message parts to same format (e.g. common date
format or normalized IP address).
Classification and tagging is the ordering of messages into different classes, or tagging them with different keywords for later usage (e.g. filtering or display).
Correlation analysis is a technique for collecting messages from different systems and finding all the messages that belong to one single event (e.g. messages generated by malicious activity on different systems: network devices, firewalls, servers, etc.). It is usually connected with an alerting system.
Artificial ignorance is a process whereby you throw away the log entries you know aren't interesting. If there's anything left after you've thrown away the stuff you know isn't interesting, then the leftovers must be interesting. Artificial ignorance is a method to detect anomalies in a working system. In log analysis, this means recognizing and ignoring the regular, common log messages that result from the normal operation of the system and are therefore not very interesting. However, new messages that have not appeared in the logs before can signal important events, and should therefore be investigated.
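A minimal sketch of artificial ignorance, assuming grep and invented sample log content (the file names and log lines are illustrative, not from the note):

```shell
# Patterns for known-uninteresting, routine messages
cat > /tmp/ignore-patterns <<'EOF'
session opened for user
session closed for user
EOF

# An illustrative log file (contents invented for the example)
cat > /tmp/sample.log <<'EOF'
sshd[100]: session opened for user alice
sshd[101]: Failed password for root from 10.0.0.5
sshd[102]: session closed for user alice
EOF

# Throw away everything matching a known-boring pattern;
# whatever is left is, by definition, interesting
grep -v -f /tmp/ignore-patterns /tmp/sample.log
```

In practice the pattern file grows over time: each time a harmless new message appears, a pattern for it is added, so only genuinely novel messages surface.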
Process management
Linux is a very dynamic system with constantly changing computing needs. The representation
of the computational needs of Linux centers around the common abstraction of the process.
Processes can be short-lived (a command executed from the command line) or long-lived (a
network service). For this reason, the general management of processes and their scheduling is
very important.
From user-space, processes are represented by process identifiers (PIDs). From the user's
perspective, a PID is a numeric value that uniquely identifies the process. A PID doesn't change
during the life of a process, but PIDs can be reused after a process dies, so it's not always ideal to
cache them.
In user-space, you can create processes in any of several ways. You can execute a program
(which results in the creation of a new process) or, within a program, you can invoke a fork or
exec system call. The fork call results in the creation of a child process, while an exec call
replaces the current process context with the new program. I discuss each of these methods to
understand how they work.
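A rough shell analogue of the two calls (illustrative only): `&` makes the shell fork a child process, while `exec` replaces the current process image with a new program.

```shell
# fork: '&' causes the shell to create a child process running sleep
sleep 30 &
child=$!
echo "parent $$ forked child $child"
kill "$child"                     # clean up the background child
wait "$child" 2>/dev/null || true # reap it

# exec in a subshell: the subshell process is replaced by 'true',
# so the enclosing script continues afterwards
( exec true )
echo "still running after exec in a subshell"
```

An `exec` without the surrounding subshell would replace the shell itself, which is exactly the behaviour described above for the exec system call.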
For this article, I build the description of processes by first showing the kernel representation of
processes and how they're managed in the kernel, then review the various means by which
processes are created and scheduled on one or more processors, and finally, what happens if they
die.
kill 1721
You can also stop and restart processes by sending them various signals as in the below
examples:
kill -STOP 1721      Stops (suspends) process 1721 by sending the STOP signal to the process. The process will still be on the task list. The process can't catch or ignore the STOP signal.

kill -CONT 1721      Continues process 1721, causing it to resume. The CONT signal is sent to the process.

kill -TERM 1721      Terminates process 1721 by sending the TERM signal to the process. The process will no longer show up on the task list if it is actually terminated. A terminated process cannot be continued. The TERM signal can be caught, so TERM is not guaranteed to kill the process.

kill -HUP 1721       Stops, then restarts process 1721. This is usually done when a process is not working properly or the configuration files for that process have been changed. This command sends the HUP signal to the process, which means hangup. This signal can be caught by the process.

killall -HUP myprint Restarts any process with the name "myprint".
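These signals can be tried safely on a throwaway process; a sketch (the process and PID are created on the spot, rather than the 1721 used above):

```shell
sleep 30 &                        # start a disposable process
pid=$!
kill -STOP "$pid"                 # suspend it; its state becomes 'T' (stopped)
state_stopped=$(ps -o state= -p "$pid")
kill -CONT "$pid"                 # let it resume
kill -TERM "$pid"                 # ask it to terminate
wait "$pid" 2>/dev/null || true   # reap the child
echo "state while stopped: $state_stopped"
```

Checking the state column in ps before and after is a quick way to see STOP and CONT actually taking effect.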
The system will respond with a job number and process ID or PID similar to:
[1] 10419
Either number can be used to refer to the job. The "jobs" command can be used to check the job.
When the command is entered the system will respond with a list of running jobs similar to the
following:
The job can be killed using the process ID or the job number, either:
kill %1
or:
kill 10419
killall -HUP inetd   Causes the inetd daemon to reload its configuration file by sending it the hangup signal. The overall procedure is to:
1. Reconfigure /etc/inetd.conf
2. Restart inetd by sending it the hangup signal
The easy way to reset a service that was started via the rc script files during system startup:
1. Find the file for the service you want to restart. For example, find the file for the print daemon "lpd". These files should typically be in the directory "/etc/rc.d/init.d". The file name in this case is "lpd". (Note this is a script file that starts the daemon, not the actual binary daemon file.)
2. Go to that subdirectory with "cd /etc/rc.d/init.d" and type "./lpd restart".
3. You should get output to the screen that indicates this service has been shut down and
then started.
ps -ax | grep myprog

The first number on the line is your process ID. Enter the command:

renice -20 756

This will set your process (PID=756) to a priority of -20. Modify the process ID number for that of your program running on your system. You can use the nice command to determine the default
priority of new processes by typing "nice" on the command line. If you want to start a process
with a specific priority, use the nice(1) command when you invoke the process.
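For example (any long-running command works here; the priority of 10 is arbitrary, and positive values don't require root):

```shell
nice -n 10 sleep 30 &            # start a process at a lower priority
pid=$!
ni=$(ps -o ni= -p "$pid")        # read back its nice value
echo "nice value: $ni"
kill "$pid"                      # clean up
wait "$pid" 2>/dev/null || true
```

Lowering a nice value (raising priority, e.g. with renice -20) normally requires root privileges.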
Process management
Maximum processes
Although processes are dynamically allocated within Linux, certain maximums are observed. The maximum is represented in the kernel by a symbol called max_threads, which can be found in ./linux/kernel/fork.c. You can change this value from user-space through the proc file system at /proc/sys/kernel/threads-max.
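On a Linux system you can inspect the current limit directly (the value varies by machine, and writing a new one requires root):

```shell
# Read the current maximum number of threads/processes
cat /proc/sys/kernel/threads-max

# To raise it (as root) you would, for example:
# echo 200000 > /proc/sys/kernel/threads-max
```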
Now, let's explore how you manage processes within Linux. In most cases, processes are
dynamically created and represented by a dynamically allocated task_struct. One exception is
the init process itself, which always exists and is represented by a statically allocated
task_struct. You can see an example of this in ./linux/arch/i386/kernel/init_task.c.
All processes in Linux are collected in two different ways. The first is a hash table, which is
hashed by the PID value; the second is a circular doubly linked list. The circular list is ideal for
iterating through the task list. As the list is circular, there's no head or tail; but as the init_task
always exists, you can use it as an anchor point to iterate further. Let's look at an example of this
to walk through the current set of tasks.
The task list is not accessible from user-space, but you can easily solve that problem by inserting
code into the kernel in the form of a module. A very simple program is shown in Listing 2 that
iterates the task list and provides a small amount of information about each task (name, pid, and
parent name). Note here that the module uses printk to emit the output. To view the output, you
need to view the /var/log/messages file with the cat utility (or tail -f
/var/log/messages in real time). The next_task function is a macro in sched.h that simplifies
the iteration of the task list (returns a task_struct reference of the next task).
Internet Protocol (IP)

IP by itself can be compared to something like the postal system. It allows you to address a package and drop it in the system, but there's no direct link between you and the recipient. TCP, on the other hand, establishes a connection between two hosts so that they can send messages back and forth for a period of time.
There are currently two versions of the Internet Protocol (IP): IPv4 and a new version called IPv6. IPv6 is an evolutionary upgrade to the Internet Protocol, and it will coexist with the older IPv4 for some time.
IPv4 is the most widely deployed Internet protocol used to connect devices to the Internet.
IPv4 uses a 32-bit address scheme allowing for a total of 2^32 addresses (just over 4 billion
addresses). With the growth of the Internet it is expected that the number of unused IPv4
addresses will eventually run out because every device -- including computers, smartphones
and game consoles -- that connects to the Internet requires an address.
A new Internet addressing system Internet Protocol version 6 (IPv6) is being deployed to
fulfill the need for more Internet addresses.
IPv6 is the successor to Internet Protocol Version 4 (IPv4). It was designed as an evolutionary
upgrade to the Internet Protocol and will, in fact, coexist with the older IPv4 for some time.
IPv6 is designed to allow the Internet to grow steadily, both in terms of the number of hosts
connected and the total amount of data traffic transmitted.
IPv6 is often referred to as the "next generation" Internet standard and has been under
development now since the mid-1990s. IPv6 was born out of concern that the demand for IP
addresses would exceed the available supply.
While increasing the pool of addresses is one of the most often-talked-about benefits of IPv6, there are other important technological changes in IPv6 that will improve the IP protocol:
- IPv6 addresses are represented in a hexadecimal, colon-separated notation, while IPv4 addresses use the dot-decimal notation.
- IPv6 is used by less than 1% of networks, while IPv4 is still in use by the remaining 99%.
IPv4                                              IPv6
IPv4 addresses are 32 bits in length.             IPv6 addresses are 128 bits in length.
IPsec support is only optional.                   Inbuilt IPsec support.
Fragmentation is done by the sender and           Fragmentation is done only by the sender.
forwarding routers.
No packet flow identification.                    Packet flow identification is available within
                                                  the IPv6 header using the Flow Label field.
Checksum field is available in the header.        No checksum field in the header.
Options fields are available in the header.       No options fields, but Extension headers
                                                  are available.
Address Resolution Protocol (ARP) is available    ARP is replaced with the Neighbor
to map IPv4 addresses to MAC addresses.           Discovery Protocol.
Internet Group Management Protocol (IGMP) is      IGMP is replaced with Multicast Listener
used to manage multicast group membership.        Discovery (MLD) messages.
Broadcast messages are available.                 Broadcast messages are not available; instead,
                                                  IPv6 uses multicast (such as the link-local
                                                  all-nodes multicast address) to reach all hosts.
The Linux Boot Process

With this in mind, let's take a look at how Linux boots. Knowing the normal sequence of events, and determining how far it got before it ran into trouble, are key to diagnosing and fixing boot-time problems. Figure 1 above, right shows the normal sequence of events (green arrows) and indicates some of the possible failure paths (red arrows).
The BIOS loads the Master Boot Record (MBR) of the selected boot device and executes it.
(If this fails, the BIOS will report something like "Missing Operating System", and come to a
screaming halt.) The MBR occupies the very first sector of the drive. It holds the drive's
partition table (64 bytes) and a very short program (446 bytes) which is 'stage 1' of the
bootstrap loader.
This stage 1 loader is pretty dumb - all it does is to display the word GRUB on the screen
then load a second stage boot loader using a 'block map' that is embedded into the MBR. (The
block map specifies the disk block numbers where the second stage loader resides). I'm
assuming here that we're using the Grub boot loader. There's an earlier boot loader called
Lilo, but Grub is more recent, smarter, and used in most modern Linux distros. The second
stage of the Grub boot loader is actually called stage one-and-a-half, and if you list the
directory /boot/grub you can see the files that contain the various versions of this; they have
names like e2fs_stage_1_5 and reiserfs_stage_1_5.
Each of these programs is able to access files by name using one particular filesystem format.
e2fs_stage_1_5 can read ext2 and ext3 filesystems, reiserfs_stage_1_5 can read ReiserFS filesystems, and so on. Grub's ability to access files by name at boot time (before Linux is running) is the thing that really sets it apart from Lilo. The stage one-and-a-half program
loads Grub stage 2 which is considerably larger. This stage reads the Grub configuration file
(usually /boot/grub/menu.lst or /boot/grub/grub.conf) and, based on the entries it finds there,
it presents a menu of choices of the operating system you want to boot. If Grub can't find its
config file it will drop down to an interactive command-line prompt to allow you to enter
Grub commands manually.
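A typical menu.lst entry of the kind being described (the kernel version, image names and partition here are illustrative):

```
title  Linux
  root   (hd0,0)
  kernel /vmlinuz-2.6.18 root=/dev/hda1 ro
  initrd /initrd-2.6.18.img
```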
In Grub-speak, hd0 refers to the first drive - on a typical PC with IDE drives this corresponds to the Linux device name /dev/hda, or, in some of the more recent distros, /dev/sda. In Grub-speak, (hd0,0) refers to the first partition on that drive. Linux would call this /dev/hda1
or /dev/sda1. The kernel line specifies the file that Grub will load as the Linux kernel; at the
end of this line you may see some additional boot parameters that are passed to the kernel.
More about these later.
The initrd line specifies the file that contains the 'initial RAM Disk' - a file system image that
will be used by the kernel as it boots. Grub is also responsible for loading this file into
memory. If Grub fails to find the kernel or the ramdisk images it will report Error 15: File not
found, and halt.
Once the kernel starts running, it mounts the root file system from the hard drive. The name
of the partition that holds this file system is passed as a parameter to the kernel, as you can
see from the menu.lst entry above. Mounting the root file system is a key point in the boot
process and if you're trying to pin down a boot-time problem it's vital to figure out if the
kernel was able to get this far. Failure to mount the root file system will generally result in a
kernel panic, though some systems just appear to halt.
If the kernel succeeds in mounting the root file system, it creates a single process (with
process ID 1) which runs the program /sbin/init. If the kernel can't find init, it will either
panic and halt or (depending on the distro) drop you into a root shell. Oh, by the way, just to
add a little confusion, Ubuntu doesn't use init any more, it uses a replacement called upstart.
The program init is responsible for running the scripts that will start all the other services in
the system. There is one important and rather low-level script run by init early in the process.
On Red Hat-style systems it's /etc/rc.d/rc.sysinit, on SUSE it's /etc/init.d/boot. Among other
things, these early scripts consistency-check and mount any other disk partitions, as specified
in /etc/fstab. Although there is certainly plenty of scope for things going wrong at this stage,
we need to leave the story at that point, at least for this month.
From here, follow the on-screen instructions to select an item from the menu, and edit the
commands associated with that menu selection before booting. It's even possible to drop
down to a Grub command prompt where you can enter Grub commands directly; for example
at this point you could, in theory, manually enter the root, kernel and initrd lines from the
menu.lst file we looked at earlier. Figure 2 (below) shows the result of typing help at the
Grub command prompt.
Figure 2: the result that is output when 'help' is typed at the Grub command prompt.
Rescue Booting
If no amount of tweaking with the Grub boot commands will allow your system to boot, it
may be time to perform a 'rescue boot', which means that you'll boot Linux from an
installation CD or other 'rescue media'. The kernel and its modules are loaded off the CD,
along with a small file system that is built in memory. This results in a small but working
Linux system that isn't dependent on any file systems on the hard drive.
You can then mount the hard drive's partitions into the file system and access them to repair
the damage. The installation DVD or CD of almost any modern Linux distribution can be
used for this purpose - there is no requirement that the rescue media is from the same
distribution as the one you're trying to rescue.
It's important to keep a clear head when using a rescue system because the files on your hard
drive won't be in the same place when they are mounted into the rescue system as when
they're viewed by the 'real' installation. For example, if in the rescue system I were to mount
my system's root partition onto /mnt, then the file I would normally see as /etc/fstab will be
seen as /mnt/etc/fstab.
Network Interfaces
Under Red Hat Enterprise Linux, all network communications occur between configured software
interfaces and physical networking devices connected to the system.
The network configuration files - interface configuration files, interface control scripts, and network function files - work together to enable various network devices. This chapter explores the relationship between these files and how they are used.
/etc/hosts
The main purpose of this file is to resolve hostnames that cannot be resolved any other way.
It can also be used to resolve hostnames on small networks with no DNS server. Regardless
of the type of network the computer is on, this file should contain a line specifying the IP
address of the loopback device ( 127.0.0.1) as localhost.localdomain. For more
information, refer to the hosts man page.
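A minimal /etc/hosts illustrating this (the second entry is a made-up example host):

```
127.0.0.1   localhost.localdomain localhost
10.0.1.27   serverA.example.com   serverA
```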
/etc/resolv.conf
This file specifies the IP addresses of DNS servers and the search domain. Unless configured
to do otherwise, the network initialization scripts populate this file. For more information
about this file, refer to the resolv.conf man page.
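A typical /etc/resolv.conf (the addresses and search domain are illustrative):

```
search example.com
nameserver 10.0.1.1
nameserver 10.0.1.2
```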
/etc/sysconfig/network
This file specifies routing and host information for all network interfaces. For more
information about this file and the directives it accepts, refer to Section 30.1.21,
“/etc/sysconfig/network”.
/etc/sysconfig/network-scripts/ifcfg-<interface-name>
For each network interface, there is a corresponding interface configuration script. Each of
these files provide information specific to a particular network interface. Refer to
Section 15.2, “Interface Configuration Files” for more information on this type of file and the
directives it accepts.
Ethernet Interfaces
One of the most common interface files is ifcfg-eth0, which controls the first Ethernet network interface card or NIC in the system. In a system with multiple NICs, there are multiple ifcfg-eth<X> files (where <X> is a unique number corresponding to a specific interface). Because each device has its own configuration file, an administrator can control how each interface functions individually.
The following is a sample ifcfg-eth0 file for a system using a fixed IP address:
DEVICE=eth0
BOOTPROTO=none
ONBOOT=yes
NETWORK=10.0.1.0
NETMASK=255.255.255.0
IPADDR=10.0.1.27
USERCTL=no
The values required in an interface configuration file can change based on other values. For example,
the ifcfg-eth0 file for an interface using DHCP looks different because IP information is provided
by the DHCP server:
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
The Network Administration Tool (system-config-network) is an easy way to make changes to the various network interface configuration files.
However, it is also possible to manually edit the configuration files for a given network interface.
IPsec Interfaces
The following example shows the ifcfg file for a network-to-network IPsec connection for LAN A.
The unique name to identify the connection in this example is ipsec1, so the resulting file is named
/etc/sysconfig/network-scripts/ifcfg-ipsec1.
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
SRCNET=192.168.1.0/24
DSTNET=192.168.2.0/24
DST=X.X.X.X
In the example above, X.X.X.X is the publicly routable IP address of the destination IPsec router.
Channel Bonding Interfaces

The contents of the file can be identical to whatever type of interface is getting bonded, such as an Ethernet interface. The only difference is that the DEVICE= directive must be bond<N>, replacing <N> with the number for the interface.
For example, if two Ethernet interfaces are being channel bonded, both eth0 and eth1 may look like
the following example:
DEVICE=eth<N>
BOOTPROTO=none
ONBOOT=yes
MASTER=bond0
SLAVE=yes
USERCTL=no
In this example, replace <N> with the numerical value for the interface.
For a channel bonding interface to be valid, the bonding kernel module must be loaded. To ensure that the module is loaded when the channel bonding interface is brought up, add the following line to /etc/modprobe.conf:

alias bond<N> bonding
Alias interface configuration files, which are used to bind multiple addresses to a single interface, use the ifcfg-<if-name>:<alias-value> naming scheme.
For example, an ifcfg-eth0:0 file could be configured to specify DEVICE=eth0:0 and a static IP
address of 10.0.0.2, serving as an alias of an Ethernet interface already configured to receive its IP
information via DHCP in ifcfg-eth0. Under this configuration, eth0 is bound to a dynamic IP
address, but the same physical network card can also receive requests via the fixed IP address 10.0.0.2.
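The alias scenario described above can be sketched as a hypothetical ifcfg-eth0:0 file (the netmask is an assumption for illustration):

```
DEVICE=eth0:0
ONBOOT=yes
# static address for the alias, while ifcfg-eth0 keeps using DHCP
IPADDR=10.0.0.2
NETMASK=255.255.255.0
```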
Dialup Interfaces
If you are connecting to the Internet via a dialup connection, a configuration file is necessary for the
interface.
ifcfg-ppp<X>
The PPP interface configuration file is created automatically when wvdial, the Network
Administration Tool or Kppp is used to create a dialup account. It is also possible to create and edit
this file manually.
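As a rough sketch, and with every value a placeholder rather than something taken from these notes, an ifcfg-ppp0 file generated by such a tool typically carries directives along these lines:

```
DEVICE=ppp0
NAME=myisp            # dialup account name (placeholder)
WVDIALSECT=myisp      # wvdial configuration section to use (placeholder)
MODEMPORT=/dev/modem
LINESPEED=115200
ONBOOT=no
USERCTL=true
PERSIST=no
DEFROUTE=yes
PEERDNS=yes
```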
Serial Line Internet Protocol (SLIP) is another dialup interface, although it is used less frequently. SLIP
files have interface configuration file names such as ifcfg-sl0.
Other Interfaces
Other common interface configuration files include the following:
ifcfg-lo
A local loopback interface is often used in testing, as well as being used in a variety of
applications that require an IP address pointing back to the same system. Any data sent to
the loopback device is immediately returned to the host's network layer.
For instructions on how to enable ping, read the relevant sections below.
Pre-Service Pack 2
In these versions of XP, the firewall is disabled by default. It must therefore be enabled, and
then set to allow ping:
1. Double-click the icon labelled "Local Area Connection". The icon may have a number after it,
for example "Local Area Connection 5".
2. On the "Advanced" tab, select "Protect my computer and network by limiting or preventing
access to this computer from the Internet".
3. Click Settings, then on the ICMP tab select "Allow incoming echo request".
Service Pack 2
Load the Control Panel as above, then select the Security Center icon. The Firewall status
should be On.
How do I configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL /
Fedora / Redhat Enterprise Linux?
Netfilter is a host-based firewall for Linux operating systems. It is included as part of the
Linux distribution and is activated by default. The firewall is controlled by the program
called iptables. Netfilter filtering takes place at the kernel level, before a program can even
process the data from the network packet.
Iptables Config File
The default config files for RHEL / CentOS / Fedora Linux are:
/etc/sysconfig/iptables - The system startup scripts activate the firewall by reading this file.
1. INPUT - The default chain used for packets addressed to the system. Use this to open or
close incoming ports (such as 80, 25, and 110) and IP addresses / subnets (such as
202.54.1.20/29).
2. OUTPUT - The default chain used for packets generated by the system. Use this to
open or close outgoing ports and IP addresses / subnets.
3. FORWARD - The default chain used for packets sent through another interface, usually
when you set up Linux as a router. For example, eth0 is connected to an ADSL/cable modem
and eth1 is connected to the local LAN. Use the FORWARD chain to send and receive traffic
between the LAN and the Internet.
4. RH-Firewall-1-INPUT - This is a user-defined custom chain. It is used by the INPUT, OUTPUT
and FORWARD chains.
Target Meanings
• ACCEPT - Allow the packet through the firewall.
• DROP - Discard the packet silently.
• REJECT - Discard the packet and send an error message (such as icmp-host-prohibited) back to the sender.
• LOG - Write information about the packet to /var/log/messages, then continue with the next rule.
/etc/sysconfig/iptables
Edit /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
You will see default rules as follows:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
Find lines:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
Update as follows to change the default policy to DROP from ACCEPT for the INPUT and
FORWARD built-in chains:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
Then replace the final REJECT rule as follows, so that unwanted packets are logged and then dropped:
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
Open Port
To open port 80 (HTTP server), add the appropriate rule before the COMMIT line. The same
pattern applies to port 53 (DNS server), port 443 (HTTPS server), and port 25 (SMTP server),
each added before the COMMIT line.
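The rule lines themselves are missing from this copy of the notes. Following the pattern of the default ruleset shown earlier, they would look something like this (one -A line per service, each placed before COMMIT):

```
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
```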
The following kernel parameters, typically set in /etc/sysctl.conf, harden the TCP/IP stack against
spoofing and other common attacks:
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
#net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
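Assuming these lines live in /etc/sysctl.conf (the usual location), they can be applied without a reboot:

```
# load every setting from /etc/sysctl.conf into the running kernel
sysctl -p
# spot-check a single value afterwards
sysctl net.ipv4.tcp_syncookies
```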
Troubleshooting iptables
A number of tools are at your disposal for troubleshooting iptables firewall scripts. One of the
best methods is to log all dropped packets to the /var/log/messages file.
When a packet matches a rule with the LOG target, iptables:
• Logs all traffic that matches the iptables rule in which it is located.
• Automatically writes an entry to the /var/log/messages file and then executes the next rule.
If you want to log only unwanted traffic, therefore, you have to add a matching rule with a
DROP target immediately after the LOG rule. If you don't, you'll find yourself logging both
desired and unwanted traffic with no way of discerning between the two, because by default
iptables doesn't state why the packet was logged in its log message.
This example logs a summary of failed packets to the file /var/log/messages. You can use the
contents of this file to determine which TCP/UDP ports you need to open to provide access to
specific traffic that is currently stopped.
#---------------------------------------------------------------
# Log and drop all other packets to file /var/log/messages
# Without this we could be crawling around in the dark
#---------------------------------------------------------------
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
For example, an entry might show that the firewall denies replies to DNS queries (UDP port 53)
destined for server 192.168.1.102 on the home network.
If nothing shows up in the logs, then follow the steps in "Simple Network Troubleshooting",
to determine whether the data is reaching your firewall at all and, if it is not, the location on
your network that could be causing the problem.
As a general rule, you won't be able to access the public NAT IP addresses from servers on
your home network. Basic NAT testing requires you to ask a friend to try to connect to your
home network from the Internet.
You can then use the logging output in /var/log/messages to make sure that the translations
are occurring correctly and iptables isn't dropping the packets after translation occurs.
iptables Won't Start
The iptables startup script expects to find the file /etc/sysconfig/iptables before it starts. If none
exists, then symptoms include the firewall status always being "inactive". An easy way to fix
this is to create the file with the touch command and then use chmod to give the
file the correct permissions. Starting iptables should be successful after this.
[root@bigboy tmp]# touch /etc/sysconfig/iptables
[root@bigboy tmp]# chmod 600 /etc/sysconfig/iptables
[root@bigboy tmp]# systemctl start iptables.service
[root@bigboy tmp]# systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled)
Active: active (exited) since Thu, 09 Aug 2012 22:25:50 -0700; 4s ago
Process: 19177 ExecStop=/usr/libexec/iptables.init stop (code=exited,
status=0/SUCCESS)
You will eventually find yourself trying to fix a network related problem which usually
appears in one of two forms. The first is slow response times from the remote server, and the
second is a complete lack of connectivity. These symptoms can be caused by:
• Poor routing
• Bad cabling
• Electrical interference
• An overloaded server at the remote end of the connection
• Misconfigured DNS
• Power failures
• The remote server or an application on the remote server being shut down.
We discuss how to isolate these problems and more in the following sections.
nmap
nslookup destination_address
dig destination_address
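Illustrative invocations of these three tools (the host name and address below are placeholders, not targets from the notes):

```
nmap -sT 192.168.1.100    # TCP connect scan: which ports are open on the host?
nslookup www.example.com  # ask the default resolver for the host's IP address
dig www.example.com       # same query, with full DNS response details
```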
DHCP
DHCP stands for Dynamic Host Configuration Protocol. It handles the automatic assignment of
IP addresses and other configuration settings for devices on your network.
Isn't there a way to configure IP addresses manually? Yes, there is; if you've explored the
Network and Sharing Center in your control panel, you've probably seen this. But DHCP
automates it. This is especially good for people who have laptops, aren't hooked up to the
Internet all the time and often move from place to place with their portable devices. They can
simply get a new IP address as needed without having to do it manually.
DHCP Basics
DHCP is designed to make the assignment of IP addresses and other network configuration
information faster and easier. Rather than going around to every device on your network and
setting up its network configuration manually, you can use your DHCP server to set up pools of
addresses, called scopes, from which clients can request a temporary IP address.
DHCP communicates over a Layer 4 transport: it uses User Datagram
Protocol (UDP) datagrams, with servers listening on UDP port 67 and clients receiving replies
on UDP port 68. DHCP works with most current and past
Windows clients, and also Linux, Macintosh, and many network-capable printers.
DHCP components
These components work together to automate IP addressing.
• DHCP leases
• DHCP scopes
• DHCP reservations
• DHCP options
• DHCP relay agents
DHCP Leases
DHCP leases define the lease duration, or the amount of time that a client can keep an IP
address before releasing it. In Windows Server 2008, the default lease duration is 8 days for
wired clients and 6 days for wireless clients. On the DHCP server, leases act as placeholders in
its DHCP database. When the lease is issued, the IP address is removed from the list of available
addresses to prevent the issuing of the same address to more than one computer.
To determine the duration of a lease, one must consider the client type, the connection time, and
the available range of IP addresses.
Client type has to do with the kinds of devices on your network, such as desktop computers,
mobile notebooks, and servers. If you have more laptops than usual on your
network, you should shorten the lease duration.
You should estimate the connection time, or the average length of time your clients spend on the
network. If this time is relatively low, such as 2 to 4 hours, your lease duration doesn't have to be
as long.
An important factor is the number of IP addresses you have available, as well as the number of
clients who need DHCP's range of addresses. If you have a lot of clients in relation to your
number of available addresses, a shorter lease duration is advisable to avoid running out of IP
addresses.
For most networks, the default settings should be sufficient. Shorter lease times would be
necessary for networks with many clients that connect for less than a day. A college campus is a
good example, since campuses usually offer free wireless access for their students, who are
typically connected for a few hours a day.
DHCP Scope
A DHCP Scope is a range of IP addresses and related configuration information available by
request from a DHCP client. These scopes usually represent a single subnet, or segment of a
network. Each scope is a contiguous range of IP addresses defined by a beginning IP address and
an ending IP address. If you need to withhold certain IP addresses from assignment, you must
create exclusions for those addresses. One reason for creating these exclusions might be hardware
with static IP addresses, like printers.
DHCP Reservations
When would you reserve an IP address? Well, in some cases, a network device needs to have a
fixed IP address. An example would be a server, a router, or a network printer. A reservation ties
a specific IP address to a particular client so the DHCP server always issues that client the same
address. In the DHCP role console, you can also attach standard option codes to addresses, such
as those in the list below.
• 3: Router
• 6: DNS server
• 15: DNS domain name
• 42: NTP server
• 44: WINS server (NetBIOS name server)
• 45: NetBIOS datagram distribution server (NBDD)
• 46: WINS/NetBIOS node type
• 47: NetBIOS scope ID
• 51: Lease Time
• 53: DHCP message type
• 55: Special option type used to communicate a parameter request list to the DHCP server
• 58: Renewal time value (T1)
• 59: Rebind time value (T2)
DHCP Options
DHCP options are basic settings that a client needs for proper network communication. These
options include an IP address, a subnet mask, a default gateway, primary and secondary DNS
servers, primary and secondary Windows Internet Name Service (WINS) if applicable, and
DHCP lease expiration. You can define these options when creating the scope or change them
later.
Server options are settings defined on each server that apply to all scopes on a specific DHCP
server. Scope options are settings defined on each scope that apply only to the scope to which
they are added. Router options are typically defined using scope options, which override server
options. Server options are usually used for network resources whose IP addresses are the same
for all scopes, such as DNS and WINS.
DHCP Relay Agents
A DHCP relay agent listens for a client's DHCP broadcast packets and converts them to unicast
packets that can traverse a routed network, and vice versa when the DHCP server replies to the
client requesting an IP address. Most modern routers support the passing of DHCP requests.
Installing the dhcp package creates a file, /etc/dhcp/dhcpd.conf, which is merely an empty
configuration file:
~]# cat /etc/dhcp/dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
The sample configuration file can be found at
/usr/share/doc/dhcp<version>/dhcpd.conf.sample. You should use this file to help you
configure /etc/dhcp/dhcpd.conf, which is explained in detail below.
DHCP also uses the file /var/lib/dhcpd/dhcpd.leases to store the client lease database.
The configuration file can contain extra tabs or blank lines for easier formatting. Keywords are
case-insensitive and lines beginning with a hash sign (#) are considered comments.
• Parameters — State how to perform a task, whether to perform a task, or what network
configuration options to send to the client.
• Declarations — Describe the topology of the network, describe the clients, provide addresses for
the clients, or apply a group of parameters to a group of declarations.
The parameters that start with the keyword option are referred to as options. Options control the
DHCP settings sent to clients, whereas other parameters configure values that are not optional or
control how the DHCP server behaves.
Parameters (including options) declared before a section enclosed in curly brackets ({ }) are considered
global parameters. Global parameters apply to all the sections below them.
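Putting the two concepts together, a minimal /etc/dhcp/dhcpd.conf might look like the sketch below. The subnet, range, and router address are illustrative assumptions, not values from these notes:

```
# global parameters - apply to every declaration below
option domain-name-servers 192.168.1.1;
default-lease-time 86400;      # one day, in seconds
max-lease-time 604800;         # seven days, in seconds

# declaration - describes one subnet and the pool of leasable addresses
subnet 192.168.1.0 netmask 255.255.255.0 {
    option routers 192.168.1.1;
    range 192.168.1.100 192.168.1.200;
}
```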
If the configuration file is changed, the changes do not take effect until the DHCP daemon is restarted
with the command service dhcpd restart.
DHCP Servers
Dynamic Host Configuration Protocol (DHCP) is a network protocol that automatically assigns TCP/IP
information to client machines. Each DHCP client connects to the centrally located DHCP server, which
returns that client's network configuration (including the IP address, gateway, and DNS servers).
If an organization has a functional DHCP server properly connected to a network, laptops and other
mobile computer users can move these devices from office to office.
DHCP Troubleshooting
The most common problems with DHCP usually aren't related to the server; after the server is configured
correctly there is no need to change any settings and it therefore runs reliably. The problems usually
occur at the DHCP client's end for a variety of reasons. The following sections present simple
troubleshooting steps that you can go through to ensure that DHCP is working correctly on your network.
Whenever Microsoft DHCP clients are unable to contact their DHCP server, they default to selecting their
own IP address from the 169.254.0.0/16 network until the DHCP server becomes available again. This is
frequently referred to as Automatic Private IP Addressing (APIPA). Here are some steps you can go
through to resolve the problem:
Ensure that your DHCP server is configured correctly and use the pgrep command discussed earlier
to make sure the DHCP process is running. Pay special attention to your 255.255.255.255 route,
especially if your DHCP server has multiple interfaces.
Give your DHCP client a static IP address from the same range that the DHCP server is supposed to
provide. See whether you can ping the DHCP server. If you cannot, double-check your cabling and
your NIC cards.
DHCP uses the BOOTP protocol for its communication between the client and server. Make sure
there are no firewalls blocking this traffic. DHCP servers expect requests on UDP port 67 and the
DHCP clients expect responses on UDP port 68. Use tcpdump on the server's NIC to verify the
correct traffic flows.
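For example, assuming the server's NIC is eth0, the DHCP/BOOTP exchange can be watched with:

```
tcpdump -i eth0 -n port 67 or port 68
```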
If the DHCP server fails to start then use your regular troubleshooting techniques outlined in Chapter 4,
"Simple Network Troubleshooting", to help rectify your problems. Most problems with an initial setup are
often due to:
Incorrect settings in the /etc/dhcpd.conf file such as not defining the networks for which the DHCP
server is responsible;
Firewall rules that block the DHCP bootp protocol on UDP ports 67 and 68;
Routers failing to forward the bootp packets to the DHCP server when the clients reside on a
separate network.
Always check your /var/log/messages file for dhcpd errors and remember that mandatory keywords in
your configuration file may change when you upgrade your operating system. Always read the release
notes to be sure.
On the Internet, there are thousands of DNS servers that maintain DNS records for name
resolution.
In view of this, in 1984 Paul Mockapetris designed a system to manage the domain names on the
Internet, called the Domain Name System (DNS).
2. When your computer needs to connect with a host on the Internet (e.g.
MyGreatName.com), you only need to enter the domain name (e.g.
MyGreatName.com) in the URL bar of the browser. Your computer will then contact the
configured or default name servers (usually your ISP's name server), asking for the IP
address of the host (e.g. MyGreatName.com).
3. The name server will then tell your computer the IP address of the queried host.
4. Once your computer gets the IP address of the host, your computer can then
communicate with the host.
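Steps 2-4 can be reproduced by hand with standard lookup tools (MyGreatName.com is just the notes' example domain; substitute any real one):

```
host MyGreatName.com          # ask the configured name server for the host's address
dig MyGreatName.com +short    # same query, printing only the resulting IP address(es)
```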
From the above working procedure, you should notice that this scheme has a lot of
disadvantages. For example:
o Each name server has to save the information of ALL hosts on the Internet.
o If a name server forgets to update its information, many new domain names
will not be found!
o To guarantee that all new domains are activated on the Internet, the
information of all name servers must be updated. This may take 2 - 3 months!
DNS Operation
DNS Servers
On the client side, a DNS resolver is used to send queries to DNS servers. The resolver is
normally part of a library routine or is built into the application. DNS uses zone files to
keep name and IP address database information for an Internet domain or hierarchical set of
domains. A zone is the information, stored in a file, for a DNS domain or DNS subdomain
(DNS domains are not the same as Windows domains). Standard DNS did not originally support
dynamic configuration, but it has been extended for Windows systems to do so. Different aliases
may be created by the administrator for the same host. Three types of name servers are defined by
how they relate to the zone information:
• Primary - Locally stored zone files exist in the name server's database. The master zone
file copy is stored here.
• Secondary - Gets its data, via a zone transfer, from another server that is the zone
authority.
• Caching Only - Caches name server information and does not maintain its own zone files.
A primary and secondary name server should be used on a network. When a zone is defined,
some server must be configured to be a master name server for the zone. There can be
different master name servers for different zones. The master server provides copies of the
zone information to the secondary DNS server. Name servers can be configured to get
information from other name servers when the information is not found in the local database.
These types are forwarders and slaves. Name servers as categorized by function:
• Master - The zone authority that contains the master zone files.
• Forwarders - A name server that passes name resolution requests to other name
servers. This configuration is done on a per server basis.
• Slaves - Slave name servers are configured to use forwarders.
• Standard primary - The same as a primary DNS server listed above. This is a master
server by function.
• Active Directory Integrated (primary) - DNS entries are stored with Active
Directory data rather than a normal zone file. More than one of these Active Directory
primary servers may exist due to Active directory replication. This term is used to
refer to both the Active Directory Integrated zones and files that support the zone.
• Standard secondary - The same as a secondary DNS server listed above. This is a
slave server by function.
• Root server - The server that has the DNS data for the root zone. The root zone is the
organization internal network root zone or internet root zone. It is used when a private
network is not directly on the internet (no connection or via proxy server).
If the DNS server is connected to the internet, the DNS Server Wizard will not allow the
DNS server to be configured as a root server.
Queries
Query types are:
• Inverse - Getting the name from the IP address. These are used by servers as a
security check.
• Iterative - The server gives its best answer. This type of query is sent from one server to
another.
• Recursive - The server must return a complete answer and cannot simply refer the query
to another name server.
Zone Transfers
The DNS zone file serial number is used to track DNS changes. The notify function is used to
initiate zone transfers. Zone transfer types are:
• Full - AXFR Query - Secondary server refresh interval expires and it sends an AXFR
query.
• Incremental - IXFR query - Only new or updated entries are copied.
DNS Zones
Possible zones include:
Name Server
A name server translates domain names into IP addresses. This makes it possible for a user to
access a website by typing in the domain name instead of the website's actual IP address. For
example, when you type in "www.microsoft.com," the request gets sent to Microsoft's name
server which returns the IP address of the Microsoft website.
Each domain name must have at least two name servers listed when the domain is registered.
These name servers are commonly named ns1.servername.com and ns2.servername.com,
where "servername" is the name of the server. The first server listed is the primary server,
while the second is used as a backup server if the first server is not responding.
Name servers are a fundamental part of the Domain Name System (DNS). They allow
websites to use domain names instead of IP addresses, which would be much harder to
remember. In order to find out what a certain domain name's name servers are, you can use a
WHOIS lookup tool.
A name server is similar to a telephone switchboard. It holds the information that tells the
Internet where to find your web site and where to deliver your email. Name servers look
something like this: yns1.yahoo.com.
Yahoo!'s name servers must be listed as the primary and secondary name servers in order for
Yahoo! to host your domain services properly. If you replace Yahoo!'s default name servers,
Yahoo! will no longer be able to provide any services associated with your domain.
To add new name servers or replace Yahoo!'s name servers with your own, head to your
Domain Control Panel, click the "Advanced DNS settings" link, then choose the "Change
Name Servers" button. On the following page, you'll be able to modify your name servers.
Tip: Name server host names you submit for use with your service must be registered. If your
name server host names are not registered, you may encounter errors when trying to modify
your name servers.
Please note: Any changes that you make to your advanced DNS settings can interrupt your
service. If you are not an advanced user, we strongly recommend that you not change these
settings.
The terms master server and authoritative server are used interchangeably.
Configuring a primary server requires creating a complete set of configuration files: zone
files for the regular domain and the reverse domain, the boot file, the cache file, and the
loopback file. No other configuration requires creating this complete set of files.
Secondary (replicating)
A secondary server transfers a complete set of domain information from the primary server.
The zone file is transferred from the primary server and stored on the secondary server as a
local disk file. This transfer is called a zone file transfer. A secondary server keeps a complete
copy of all domain information, and can answer queries about that domain with authority.
Therefore, a secondary server is also considered a master server.
Configuring a secondary server does not require creating local zone files, because the zone
files are downloaded from the primary server. However, the other files (a boot file, a cache
file, and a loopback file) are required.
Caching-only
A caching-only server runs the nameserver software, but keeps no nameserver database files.
It learns the answer to every nameserver query from some remote server. Once it learns an
answer, the server caches the answer and uses it to answer future queries for the same
information. All nameservers use cached information in this manner, but a caching-only
server depends on this technique for all of its nameserver information. It is not considered an
authoritative (or master) server, because all of the information it provides is secondhand.
Only a boot file and a cache file are required for a caching-only configuration. But the most
common configuration also includes a loopback file. This is probably the most common
nameserver configuration, and apart from the resolver-only configuration, it is the easiest to
configure.
DNS Cache
DNS is a caching protocol. When a client queries its local DNS server, and the local DNS
server is not authoritative for the query, then this server will go looking for an authoritative
name server in the DNS tree. The local name server will first query a root server, then a TLD
server and then a domain server. When the local name server resolves the query, it will
relay this information to the client that submitted the query, and it will also keep a copy of
these queries in its cache. So when a(nother) client submits the same query to this name
server, it will retrieve the information from its cache.
For example, a client queries its local server for the A record of www.linux-training.be.
This is the first query ever received by this local server. The local server checks that it is not
authoritative for the linux-training.be domain, nor for the .be TLD, and it is also not a root
server. So the local server will use the root hints to send an iterative query to a root server.
The root server will reply with a reference to the server that is authoritative for the .be
domain (root DNS servers do not resolve FQDNs, and root servers do not respond to recursive
queries). The local server will then send an iterative query to the authoritative server for
the .be TLD. This server will respond with a reference to the name server that is authoritative
for the linux-training.be domain. The local server will then send the query for
www.linux-training.be to the authoritative server (or one of its slave servers) for the linux-
training.be domain. When the local server receives the IP address for www.linux-training.be,
it will provide this information to the client that submitted the query. Besides caching
the A record for www.linux-training.be, the local server will also cache the NS and A records
for the linux-training.be name server and the .be name servers.
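The iterative walk described above, from the root servers down to the authoritative server, can be observed directly with dig (requires Internet access):

```
dig +trace www.linux-training.be   # prints the root, .be, and linux-training.be referrals in turn
```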
Caching nameserver
A caching nameserver forwards queries to an upstream nameserver and caches the results.
Fortunately, setting one up is easy using RHEL (Red Hat Enterprise Linux) or Fedora RPMs.
The BIND RPMs need to be installed on the machine acting as the nameserver (use rpm -q to
determine whether they are installed).
Open the file /var/named/chroot/etc/named.conf and add the following lines to the global
options section:
forwarders { xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx; }; # IPs of upstream ISP nameserver(s)
forward only; # rely completely on our upstream nameservers
The block above will cause the caching name server to forward DNS requests it can't resolve
to your ISP nameserver. Save the named.conf file and then assign 644 permissions:
chmod 644 named.conf
Check the syntax using the named-checkconf utility provided by the bind RPM:
named-checkconf named.conf
Correct any syntax errors (watch those semicolons) named-checkconf reports. Monitoring the
/var/log/messages file may also be helpful in debugging any errors.
We now need to set the local resolver to point to itself for DNS resolution. Modify the
/etc/resolv.conf file to the following:
nameserver 127.0.0.1
If you are running a DHCP server on your router make sure your /etc/resolv.conf file does
not get overwritten whenever your DHCP lease is renewed. To prevent this from happening,
modify /etc/sysconfig/network-scripts/ifcfg-eth0 (replace eth0 with your network
interface if different) and make sure the following settings are set:
BOOTPROTO=dhcp
PEERDNS=no
TYPE=Ethernet
Go ahead and start the nameserver as root and configure it to start in runlevels 2-5:
service named start
chkconfig named on
Many new Linux users find it difficult to set up or modify name server addresses (NS1/
NS2).
Local name resolution is done via the /etc/hosts file. If you have a small network, use the
/etc/hosts file. DNS (the Domain Name Service, responsible for associating domain names
with IP addresses; for example, the domain yahoo.com is easier to remember than the IP
address 202.66.66.12) provides better name resolution. To configure Linux as a DNS client
you need to edit the /etc/resolv.conf file. This file defines which name servers to use. If you
want Linux to browse the net or run network services like www or smtp, you need to point it
at the correct ISP DNS servers:
/etc/resolv.conf file
In Linux and Unix like computer operating systems, the /etc/resolv.conf configuration file
contains information that allows a computer connected to the Internet to convert
alphanumeric names into the numeric IP addresses that are required for access to external
network resources on the Internet. The process of converting domain names to IP addresses is
called "resolving."
The resolv.conf file typically contains the IP addresses of nameservers (DNS name resolvers)
that attempt to translate names into addresses for any node available on the network.
To configure Linux as a DNS client, first log in as the root user (use the su command), then
add your ISP's name servers to /etc/resolv.conf:
nameserver 202.54.1.112
nameserver 202.54.1.115
Setting Up a Nameserver
This was one of the trickiest things I've had to try to figure out so far. I didn't talk to anybody
as to how to go about this, unlike PPP setup. But I finally found the Linux DNS HOWTO and
used that. Hopefully this will save you some trouble. Here I have instructions for BIND 8,
which is newer and more advanced than BIND 4 (which some distributions still use).
In the event that your distribution already comes with BIND 8, then all you need to do is find
out how the configuration works, and/or put in entries for machines that the Linux box will
be the nameserver for. I think Slackware comes with BIND 8. I don't know about Debian.
Most new distributions (including Red Hat 5.2) will already have BIND 8 so you'll probably
have to look for the configuration file and how it has been pre-configured.
I had to remove the old nameserver first, so it wouldn't get in the way of the new one. It's fine
to remove it and replace it with a new one; there aren't any other packages that really depend
on it.
Using Red Hat 5.1, I typed rpm -e bind bind-utils caching-nameserver. That removed
all the old packages. Be careful about this, especially about bind-utils, because bind-utils
contains the tools such as dnsquery and nslookup that you might be using fairly often. Red
Hat 5.2 already has BIND 8.
First, download BIND from ftp.isc.org. If you've got it on your system already, then you don't
need to get BIND 8 unless you want to make a minor upgrade. The filename is something
like bind-8.1.2-src.tar.gz, which says that it's BIND version 8.1.2 in source format (which
you have to compile on your system). I'll work with the source version since that's what I
usually do anyway.
After you have it on your system, type tar -zxvf bind-8.1.2-src.tar.gz. It will extract a
directory called src/, and that's the directory you go into. Simply type "make" and have it compiled
for you. If you need anything to be tweaked then read the INSTALL file (less INSTALL) and
find what you need. After it finishes compiling, type make install.
Configuration: /etc/named.conf
Configuring the nameserver was probably the hardest part of the process that I had to go
through. Hopefully, what I've written up about what I learned will save the reader some
trouble.
The main BIND 8 configuration file is in /etc/named.conf. The configuration syntax for the
file is documented at http://www.isc.org/bind8/config.html. Here's a sample of a
configuration file (as /etc/named.conf), with an explanation below.
/*
* A simple BIND 8 configuration
*/
options {
directory "/var/named";
};
zone "penguincomputing.com" in {
type master;
file "master/penguincomputing.com";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "zone/127.0.0";
};
zone "." in {
type hint;
file "named.cache";
};
In "options" I only had one option: where the directory for zone files was. Zone files are
where information about domains is stored, and each file has information about a zone. It's a
section to cover, I guess, so that's why they're called zones. I have /var/named/ as my named
data directory.
The "0.0.127.in-addr.arpa" zone is for mapping localhost to 127.0.0.1, basically. It has its
own zone file.
The "." zone indicates a caching nameserver; that is, someone can actually use your machine
to resolve hostnames (including you). I've heard that it is efficient, especially when using PPP
connections, but I don't know for sure. Read the "Caching Nameserver" section to read up on
how to create one.
Caching Nameserver
First you need to get a "named.cache" file. I'm not sure if you can name it anything else, but
let's just use that filename. In /var/named/ (or wherever you put your nameserver's data files),
type dig @a.root-servers.net > named.cache. This will ask for the addresses of the
main DNS servers of the Internet and direct them to a file. I'm guessing that the purpose of
this is to give your machine an idea of which machines on the Internet to ask about hosts.
Periodically, like once a month, update the named.cache file by running that command once
in a while. You can use a cron job for that. If you don't know what I'm talking about here,
don't worry about it. Just be sure to update it using dig once in a while, that's all you have to
do.
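The monthly refresh can be automated with a cron entry. Here is a sketch of a root crontab line; the 04:00 schedule is an arbitrary choice, and the /var/named path is the data directory used above:

```
# Refresh the root hints at 04:00 on the first day of each month
0 4 1 * * dig @a.root-servers.net > /var/named/named.cache
```

Add it with crontab -e as root.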
You have /etc/named.conf point to wherever your named.cache file is under the "." zone.
In /var/named/, I created directories for every type of zone I had. The directories I have in
there are: master/, slave/, and zone/. With the domain name system, there is a server for each
domain that is the main server (the master). I suppose that the slave server is there in case the
main (master) server is down. For each domain there should be at least 2 servers, one master
and one slave. That's just the way it goes.
While interning at Penguin Computing I set up both the master and slave DNS servers. The
master's information should go in the master directory. You should be able to figure out
where the slave's information goes. The information they store is the same, but since one
machine is the main one that keeps the information (master) and the other simply follows the
master's information (slave), you need to stay organized and make sure you're configuring the
right machine for its right place in the nameserver system.
Note that the slave nameserver for one domain can also be the master nameserver for another
domain. There just can't be two masters for a single domain, though I think there can be
several slaves.
To figure something like this out, I was looking hard for examples. And examples really help,
so hopefully you won't be too confused by my examples. Hey, I try.
Domains
The information for each domain is put in a single file. This file contains valuable
information for each domain, such as machines that are under that domain (like, for the
penguincomputing.com domain, the nameservers would have the information for what IP
address pasta.penguincomputing.com gets and the one that antarctica.penguincomputing.com
gets). Here's an example of a domain's records:
@ IN SOA penguincomputing.com. root.penguincomputing.com. (
1998082403 ; serial
4H ; refresh
2H ; retry
1W ; expire
1D ) ; minimum TTL
NS pasta.penguincomputing.com.
NS rice.penguincomputing.com.
MX 10 penguincomputing.com.
localhost A 127.0.0.1
router A 140.174.204.2
penguincomputing.com. A 209.81.10.250
ns A 209.81.10.250
www A 209.81.10.250
ftp CNAME penguincomputing.com.
mail CNAME penguincomputing.com.
news CNAME penguincomputing.com.
pasta CNAME penguincomputing.com.
slashdot CNAME penguincomputing.com.
rice CNAME antarctica.penguincomputing.com.
antarctica A 209.81.10.252
antarctic CNAME antarctica.penguincomputing.com.
www.antarctic CNAME antarctica.penguincomputing.com.
www.antarctica CNAME antarctica.penguincomputing.com.
zork A 209.81.10.253
tux A 209.81.10.146
xfce A 209.81.10.252
I'll start explaining what all the stuff does. The first line says that this file specifies the
zone for the penguincomputing.com domain, and that anything about the domain should be
sent to root@penguincomputing.com. Since the "@" character has special significance in
these zone files, the username (root) and machine name (penguincomputing.com) have to be
separated by a dot; BIND knows how to split it up. That's how you fill in stuff for your
domain as well.
The line with the comment "serial" shows the serial number of that domain. The syntax is
YYYYMMDDRR; that is, a four-digit year, a two-digit month, a two-digit day, and a two-digit
revision number. In this example (1998082403), it shows that the
zone file was last modified on August 24, 1998. It's the third revision for that day. When
you're changing anything in the file, make sure to increase the revision number by one if the
previous change was on the same day. If I were to change the IP of one of the hosts, I would
make the last two numbers, currently 03, to 04.
The next few lines show times for certain functions such as refreshing, retrying, and expiring
the information. I'm not absolutely sure, but my best guess is that H stands for hour, D stands
for day, and W stands for week.
The "NS" line indicates all the nameservers for that particular domain, including the one this
information is on. This information has to match what has been registered with InterNIC. For
the hostnames of the nameservers, remember to add a dot at the end. If you don't, it will add
the hostname to the current domain. For example, if you forgot the dot at the end of
pasta.penguincomputing.com, you would end up with the nameserver being
pasta.penguincomputing.com.penguincomputing.com, which is obviously not what it's
supposed to be. Watch out for this.
The MX line holds the Mail eXchange record, so that mail can get through to the domain. There
should also be an entry in /etc/sendmail.cw to allow messages coming in from that domain
(assuming you're using Sendmail, the default on many Linux systems, for mail transfer).
The next couple of lines point to the local loopback (127.0.0.1), which all Linux systems
should have even if they aren't connected to a network. The "router" line points to the IP
address of where the machine's Internet connection is. I'm not sure if it's really necessary but
I was playing it safe back then and trying to copy the example from the DNS HOWTO as
closely as possible.
The rest of the entries use either A (address) or CNAME (Canonical Name) to point
hostnames to IP addresses. Note that hostnames can be mapped to other hostnames, or they
can be mapped to IP addresses. Use A to map a name to an IP address, and CNAME to map a
hostname to another hostname (which must itself resolve to an IP address).
Localhost
The file for mapping localhost is pretty simple. Not much explanation needed. Of course, if
you want to copy and paste, be sure you make the proper changes.
NS pasta.penguincomputing.com.
NS rice.penguincomputing.com.
1 PTR localhost.
Reverse Mapping
This file looks similar to the zone file for the domains, but it provides the opposite function.
It points IP addresses to hostnames (as opposed to vice versa), because many servers on the
Internet do this thing called reverse lookup on the IP address of your hostname to make sure
that you're not doing anything sneaky.
This is for the zone "209.81.10" specified in the sample configuration file. Note that my
example is not complete, nor does it work in reality, because Penguin Computing doesn't own
the whole block of "209.81.10.*". But this is how you'd fill in a file to resolve your IP
addresses to hostnames if you owned the entire block of IP addresses.
@ IN SOA penguincomputing.com.
root.penguincomputing.com. (
1998072002 ; Serial
4H ; Refresh
2H ; Retry
604800 ; Expire
86400) ; Minimum TTL
NS pasta.penguincomputing.com.
NS rice.penguincomputing.com.
;
; Servers
;
250 PTR pasta.penguincomputing.com.
250 PTR penguincomputing.com.
250 PTR ftp.penguincomputing.com.
250 PTR www.penguincomputing.com.
250 PTR mail.penguincomputing.com.
251 PTR rice.penguincomputing.com.
;
; Workstations
;
252 PTR antarctica.penguincomputing.com.
252 PTR antarctic.penguincomputing.com.
If you were to fill in an actual zone file like this, it's necessary to fill in all the entries in your
block of IP addresses, from 1 to 254. For something like that you may want to assign the task
to anyone who looks bored.
So what should you do if you only own a domain but not the block of IP addresses that it's
part of? Ask the people who are in charge of that block of IP addresses to map your IP
addresses to their respective hostnames for you.
Zone Transfer
DNS zone transfer is a mechanism for replicating the DNS database across a set of DNS
servers. Two transfer methods exist: full (AXFR, RFC 1035) and incremental (IXFR, RFC
1995). Nearly universal at one time, zone transfer is now becoming less popular in favor of
the other database replication mechanisms that modern DNS server packages provide.
Operation
Zone transfer operates on top of the Transmission Control Protocol (TCP), and takes the form
of a client–server transaction. The parties involved in a zone transfer are a client (the "slave"
requesting the data from a portion of the database to be transferred to it) and a server (the
"master" supplying those data from its database). Some sources refer to the slave as a
"secondary" server and the master as a "primary" server. The portion of the database that is
replicated is a "zone".
Zone transfer comprises a preamble followed by the actual data transfer. The preamble
comprises a lookup of the SOA (Start of Authority) resource record for the "zone apex", the
node of the DNS namespace that is at the top of the "zone". The fields of this SOA resource
record, in particular the "serial number", determine whether the actual data transfer need
occur at all. The client compares the serial number of the SOA resource record with the serial
number in the last copy of that resource record that it has. If the serial number of the record
being transferred is greater, the data in the zone are deemed to have "changed" (in some
fashion) and the slave proceeds to request the actual zone data transfer. If the serial numbers
are identical, the data in the zone are deemed not to have "changed", and the client may
continue to use the copy of the database that it already has, if it has one.
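The serial comparison above is not a plain integer test in practice: serials are 32-bit values that wrap around, so RFC 1982 sequence-space arithmetic applies. A small Python sketch of the slave's decision:

```python
def serial_gt(s1: int, s2: int) -> bool:
    """True if serial s1 is 'greater than' s2 under RFC 1982
    sequence-space arithmetic (32-bit serials wrap around)."""
    return (s1 != s2) and (((s1 - s2) % 2**32) < 2**31)

def transfer_needed(master_serial: int, slave_serial: int) -> bool:
    # The slave requests a zone transfer only when the master's SOA
    # serial is newer than the copy the slave already holds.
    return serial_gt(master_serial, slave_serial)
```

With the example serial from the zone-file section, transfer_needed(1998082403, 1998082402) is true, while equal serials mean no transfer.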
The actual data transfer proper begins by the client sending a query (opcode 0) with the
special QTYPE (query type) AXFR (value 252) over the TCP connection to the server. The
server responds with a series of response messages, comprising all of the resource records for
every domain name in the "zone". The first response comprises the SOA resource record for
the zone apex. The other data follow in no specified order. The end of the data is signalled by
the server repeating the response containing the SOA resource record for the zone apex.
Some zone transfer clients perform the SOA lookup of the preamble using their system's
normal DNS query resolution mechanism. These clients do not open a TCP connection to the
server until they have determined that they need to perform the actual data transfer. However,
since TCP can be used for normal DNS transactions, as well as for zone transfer, other zone
transfer clients perform the SOA lookup preamble over the same TCP connection as they
then (may) perform the actual data transfer. These clients open the TCP connection to the
server before they even perform the preamble.
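The query that opens the data transfer is an ordinary DNS message, just with QTYPE 252 and, over TCP, a 2-byte length prefix. A Python sketch that builds such a message with only the standard library (the transaction ID is an arbitrary choice):

```python
import struct

def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Build the wire-format DNS message that starts a full zone
    transfer: a standard query (opcode 0) with QTYPE AXFR (252) and
    QCLASS IN (1), prefixed with the 2-byte TCP length field."""
    # Header: id, flags (QR=0, opcode 0), QDCOUNT=1, AN/NS/AR=0
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in zone.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack(">HH", 252, 1)  # QTYPE=AXFR, QCLASS=IN
    message = header + question
    return struct.pack(">H", len(message)) + message  # TCP length prefix
```

Writing these bytes to a TCP socket connected to port 53 on the master would elicit the series of response messages described above.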
The preceding describes full zone transfer. Incremental zone transfer differs from full zone
transfer in the following respects:
• The client uses the special QTYPE IXFR (value 251) instead of the AXFR QTYPE.
• The client sends the SOA resource record for the zone apex that it currently has, if
any, in the IXFR message, letting the server know which version of the "zone" it
believes to be current.
• Though the server may respond in the normal AXFR manner with the full data for the
zone, it may also instead respond with an "incremental" data transfer. This latter
comprises the list of changes to the zone data, in zone serial number order, between
the version of the zone that the client reported to the server as having and the version
of the zone that is current at the server. The changes comprise two lists, one of
resource records that are deleted and one of resource records that are inserted. (A
modification to a resource record is represented as a deletion followed by an
insertion.)
Zone transfer is entirely client-initiated. Though servers can send a NOTIFY message to
clients (that they have been informed about) whenever a change to the zone data has been
made, the scheduling of zone transfers is entirely under the control of the clients. Clients
schedule zone transfers initially, when their databases are empty, and thereafter at regular
intervals, in a pattern controlled by the values in the "refresh", "retry", and "expire" fields in
the SOA resource record of the zone apex.
Limitations
Though it is standardized (full zone transfer is described as one of the possible database
replication mechanisms in RFC 1034, and incremental zone transfer in RFC 1995), zone
transfer is the most limited of those database replication mechanisms. Zone transfer
operates in terms of "wire format" resource records, i.e. resource records as they are
transferred using the DNS protocol. However, the schema of wire format resource records
may not match the database schema used by the back ends of the DNS servers themselves.
Dynamic update
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with
SP1, Windows Server 2003 with SP2
Dynamic update
Dynamic update enables DNS client computers to register and dynamically update their
resource records with a DNS server whenever changes occur. This reduces the need for
manual administration of zone records, especially for clients that frequently move or change
locations and use DHCP to obtain an IP address.
The DNS Client and Server services support the use of dynamic updates, as described in
Request for Comments (RFC) 2136, "Dynamic Updates in the Domain Name System." The
DNS Server service allows dynamic update to be enabled or disabled on a per-zone basis at
each server configured to load either a standard primary or directory-integrated zone. By
default, the DNS Client service will dynamically update host (A) resource records (RRs) in
DNS when configured for TCP/IP. For more information about RFCs, see DNS RFCs.
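On the BIND side, the same RFC 2136 updates can be submitted by hand with the nsupdate utility. A sketch of an nsupdate input script follows; the server address, zone, and host names are hypothetical:

```
server 192.168.1.1
zone example.com.
update delete oldhost.example.com. A
update add newhost.example.com. 86400 A 192.168.1.50
send
```

Feed it to the tool with nsupdate updates.txt (the server must permit dynamic updates for the zone).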
The primary full computer name, an FQDN, consists of the computer name with the
computer's primary DNS suffix appended.
Both of these settings are displayed or configured from the Computer Name tab in System
properties. For more information, see View system properties.
Notes
• By default, the DNS client on Windows XP does not attempt dynamic update over a
Remote Access Service (RAS) or virtual private network (VPN) connection. To
modify this configuration, you can modify the advanced TCP/IP settings of the
particular network connection or modify the registry. For more information, see
Configure TCP/IP to use DNS and the Microsoft Windows Resource Kits Web site.
• By default, the DNS client does not attempt dynamic update of top-level domain
(TLD) zones. Any zone named with a single-label name is considered a TLD zone,
for example, com, edu, blank, my-company. To configure the DNS client to allow the
dynamic update of TLD zones, you can use the Update Top Level Domain Zones
policy setting or modify the registry.
• By default, the primary DNS suffix portion of a computer's FQDN is the same as the
name of the Active Directory domain to which the computer is joined. To allow
different primary DNS suffixes, a domain administrator may create a restricted list of
allowed suffixes by modifying the msDS-AllowedDNSSuffixes attribute in the
domain object container. This attribute is managed by the domain administrator using
Active Directory Service Interfaces (ADSI) or the Lightweight Directory Access
Protocol (LDAP).
For more information, see Programming interfaces and Directory access protocol.
Dynamic updates can be sent for any of the following reasons or events:
• An IP address lease changes or renews with the DHCP server for any one of the installed
network connections. For example, when the computer is started or if the ipconfig
/renew command is used.
• The ipconfig /registerdns command is used to manually force a refresh of the client
name registration in DNS.
When one of the previous events triggers a dynamic update, the DHCP Client service (not the
DNS Client service) sends updates. This is designed so that if a change to the IP address
information occurs because of DHCP, corresponding updates in DNS are performed to
synchronize name-to-address mappings for the computer. The DHCP Client service performs
this function for all network connections used on the system, including connections not
configured to use DHCP.
Notes
• The process of how dynamic updates are performed for computers running Windows
2000, Windows XP, or Windows Server 2003 operating systems that use
DHCP to obtain their IP address differs from what is described in this section. For more
information, see Using DNS servers with DHCP.
• The update process described in this section assumes that installation defaults are in
effect for computers running Windows 2000, Windows XP, or servers running
Windows Server 2003. Specific names and update behavior are tunable when
advanced TCP/IP properties are configured to use non-default DNS settings.
In addition to the full computer name (or primary name) of the computer, additional
connection-specific DNS names can be configured and optionally registered or
updated in DNS. For more information, see Configuring multiple names or Configure
TCP/IP to use DNS.
In this example, no connection-specific DNS domain names are configured for the computer.
Later, the computer is renamed from "oldhost" to "newhost", so the computer name changes
from oldhost to newhost and the primary full computer name changes from
oldhost.example.microsoft.com to newhost.example.microsoft.com.
Once the name change is applied in System properties, you are prompted to restart the
computer. When the computer restarts Windows, the DHCP Client service performs the
following sequence to update DNS:
1. The DHCP Client service sends a start of authority (SOA) type query using the
DNS domain name of the computer.
The client computer uses the currently configured FQDN of the computer (such as
"newhost.example.microsoft.com") as the name specified in this query.
2. The authoritative DNS server for the zone containing the client FQDN responds
to the SOA-type query.
For standard primary zones, the primary server (owner) returned in the SOA query
response is fixed and static. It always matches the exact DNS name as it appears in
the SOA RR stored with the zone. If, however, the zone being updated is
directory-integrated, any DNS server loading the zone can respond and dynamically
insert its own name as the primary server (owner) of the zone in the SOA query
response.
3. The DHCP Client service then attempts to contact the primary DNS server.
The client processes the SOA query response for its name to determine the IP address
of the DNS server authorized as the primary server for accepting its name. It then
proceeds to perform the following sequence of steps as needed to contact and
dynamically update its primary server:
1. It sends a dynamic update request to the primary server determined in the SOA
query response.
2. If this update fails, the client next sends an NS-type query for the zone name
specified in the SOA record.
3. When it receives a response to this query, it sends an SOA query to the first
DNS server listed in the response.
4. After the SOA query is resolved, the client sends a dynamic update to the
server specified in the returned SOA record.
5. If this update fails, then the client repeats the SOA query process by sending to
the next DNS server listed in the response.
4. Once a primary server that can perform the update is contacted, the client
sends the update request and the server processes it.
The contents of the update request include instructions to add A (and possibly PTR)
RRs for "newhost.example.microsoft.com" and remove these same record types for
"oldhost.example.microsoft.com", the name that was previously registered.
The server also checks to ensure that updates are permitted for the client request. For
standard primary zones, dynamic updates are not secured, so any client attempt to
update succeeds. For Active Directory-integrated zones, updates are secured and
performed using directory-based security settings.
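The fallback logic in step 3 can be sketched as a simple loop. This is an illustration only; the three callables are hypothetical stand-ins for the real SOA query, NS query, and update messages:

```python
def dynamic_update(fqdn, soa_query, ns_query, send_update):
    """Sketch of the contact-and-update sequence in step 3 above.

    Hypothetical stand-ins for real DNS traffic:
    soa_query(name, server=None) -> (zone, primary_server),
    ns_query(zone) -> list of name servers for the zone,
    send_update(server) -> True if the dynamic update succeeded.
    """
    zone, primary = soa_query(fqdn)              # SOA query for the client FQDN
    if send_update(primary):                     # 3.1: update the named primary
        return primary
    for ns in ns_query(zone):                    # 3.2: NS-type query for the zone
        _, primary = soa_query(zone, server=ns)  # 3.3: SOA query via that server
        if send_update(primary):                 # 3.4: update the returned primary
            return primary                       # 3.5: else repeat with next NS
    return None                                  # no server accepted the update
```

The loop mirrors the retry behavior: each listed name server is asked for the SOA, and the update is retried against whatever primary it names.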
Dynamic updates are sent or refreshed periodically. By default, computers send a refresh
once every 7 days. If the update results in no changes to zone data, the zone remains at its
current version and no changes are written. Updates result in actual zone changes or
increased zone transfer only if names or addresses actually change.
Note that names are not removed from DNS zones if they become inactive or are not updated
within the refresh interval (7 days). DNS does not use a mechanism to release or tombstone
names, although DNS clients do attempt to delete or update old name records when a new
name or address change is applied.
When the DHCP Client service registers A and PTR resource records for a computer, it uses a
default caching Time to Live (TTL) of 15 minutes for host records. This determines how long
other DNS servers and clients cache a computer's records when they are included in a query
response.
Within the whole domain registration period the Registrant may suspend delegation under
"Manage your account" → "My domains" (for gTLDs and ccTLDs the domain should be
delegated with an empty DNS servers list).
Domain delegation periods depend on the moment the modifications are made.
During domain delegation the specified DNS servers may be checked for operation. If testing
proves successful the domain will be delegated with the new DNS servers.
Irregular Cases
For DNS servers whose name contains the domain name to be delegated (child DNS servers),
an IP address must be specified. The .PRO domain supports only IPv4. For .ORG domains,
delegation with child DNS servers requires that different IP addresses be specified.
For example, "com" is a domain that delegates all (or perhaps almost all) of its subdomains to
other name servers. When a request is received at a "com" name server for "google.com", the
"com" name server responds with NS records pointing to Google's name servers.
The dig command with the +trace option will demonstrate. Try `dig +trace google.com` and
part of the output will look something like this:
google.com.  172800  IN  NS  ns1.google.com.
google.com.  172800  IN  NS  ns2.google.com.
google.com.  172800  IN  NS  ns3.google.com.
google.com.  172800  IN  NS  ns4.google.com.
Those NS records indicate that those 4 Google name servers are authoritative for the
google.com domain.
1. Firstly, different Linux distributions use different daemon management systems. Each system
has its own set of commands to do similar operations. The most commonly used daemon
management systems are SysV and Systemd.
2. Secondly, the daemon name needs to be known. In this case the name of the daemon is
httpd.
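For example, starting the httpd daemon looks different under the two systems (assuming the service is installed under that name):

```
# SysV style
service httpd start
# Systemd style
systemctl start httpd
```

Stopping, restarting, and enabling at boot follow the same pattern (service/chkconfig versus systemctl).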
Web traffic to reach the Web server correctly. (Chapter 19, "Dynamic DNS", explains port
forwarding, as well.).
DHCP on your protected home network is different. In the book's sample topology, the web server
lives on the 192.168.1.0 home network protected by a firewall. The firewall uses NAT and port
forwarding to pass Internet traffic on to the web server. Remember that the IP address of your web
server can change if it gets its IP address using DHCP. This could cause your firewall port
forwarding, not Dynamic DNS, to break.
In this case I recommend that your web server on the 192.168.1.0 network use a fixed, or static,
IP address outside of the range of the DHCP server, to prevent this problem.
All the statements that define the features of each web site are grouped together inside their own
<VirtualHost> section, or container, in the httpd.conf file. The most commonly used statements, or
directives, inside a <VirtualHost> container are:
• ServerName: Defines the name of the website managed by the <VirtualHost> container.
This is needed in named virtual hosting only, as I'll explain soon.
• DocumentRoot: Defines the directory in which the web pages for the site can be found.
By default, Apache searches the DocumentRoot directory for an index, or home, page named index.html.
So for example, if you have a ServerName of www.my-site.com with a
DocumentRoot directory of /home/www/site1/, Apache displays the contents of the file
/home/www/site1/index.html when you enter http://www.my-site.com in your browser.
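Putting the two directives together, a minimal named <VirtualHost> container might look like the sketch below, built from the www.my-site.com example above; the *:80 address is an assumption:

```
# Named virtual host for www.my-site.com
# (older Apache versions also need a matching "NameVirtualHost *:80" line)
<VirtualHost *:80>
    ServerName www.my-site.com
    DocumentRoot /home/www/site1
</VirtualHost>
```

Additional <VirtualHost> containers with different ServerName values can share the same address.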
Some editors, such as Microsoft FrontPage, create files with an .htm extension, not .html. This
isn't usually a problem if all your HTML files have hyperlinks pointing to files ending in .htm as
FrontPage does. The problem occurs with Apache not recognizing the topmost index.htm page.
The easiest solution is to create a symbolic link (known as a shortcut to Windows users) called
index.html pointing to the file index.htm. This then enables you to edit or copy the file index.htm
with index.html being updated automatically. You'll almost never have to worry about index.html
and Apache again!
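A sketch of creating that link; a temporary directory stands in for the real DocumentRoot (e.g. /home/www/site1 from the example above):

```shell
# Make index.html a symbolic link to index.htm inside a DocumentRoot.
docroot=$(mktemp -d)
touch "$docroot/index.htm"
ln -s index.htm "$docroot/index.html"
ls -l "$docroot/index.html"
```

Because the link target is relative (index.htm, not an absolute path), the pair keeps working if the directory is moved or copied.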
In a long directory listing (ls -l), the l at the very beginning of the index.html entry signifies a
link, and the -> shows the link target.
It is a good idea to have the files owned by a nonprivileged user so that Web developers can update
the files using FTP or SCP without requiring the root password.
To do this:
Note: Be sure to FTP or SCP new files to your web server as this new user. This will make all the
transferred files automatically have the correct ownership.
If you browse your Web site after configuring Apache and get a "403 Forbidden"
permissions-related error on your screen, then your files or directories under your DocumentRoot
most likely have incorrect permissions. Appendix II, "Codes, Scripts, and Configurations," has a
short script that you can use to recursively set the file permissions in a directory to match those
expected by Apache. You may also have to use the Directory directive to make Apache serve the
pages once the file permissions have been correctly set. If you have your files in the default
/home/www directory then this second step becomes unnecessary.
Virtual hosting
Virtual hosting is a method for hosting multiple domain names (with separate handling of each
name) on a single server (or pool of servers). This allows one server to share its resources, such
as memory and processor cycles, without requiring all services provided to use the same host
name. The term virtual hosting is usually used in reference to web servers but the principles carry
over to other internet services.
One widely used application is shared web hosting. Shared web hosting prices are lower than a
dedicated web server because many customers can be hosted on a single server. It is also very
common for a single entity to want to use multiple names on the same machine so that the names can
reflect services offered rather than where those services happen to be hosted.
There are two main types of virtual hosting, name based and IP based. Name based virtual
hosting uses the host name presented by the client. This saves IP addresses and the associated
administrative overhead but the protocol being served must supply the host name at an
appropriate point. In particular there are significant difficulties using name based virtual hosting
with SSL/TLS. IP based virtual hosting uses a separate IP address for each host name, and it can
be performed with any protocol but requires a dedicated IP address per domain name served. Port
based virtual hosting is also possible in principle but is rarely used in practice because it is
unfriendly to users.
Name-based and IP-based virtual hosting can be combined: a server may have multiple IP addresses
and serve multiple names on some or all of those IP addresses. This technique can be useful
when using SSL/TLS with wildcard certificates. For example, if a server operator had two
certificates, one for *.example.com and one for *.example.net, he could serve foo.example.com
and bar.example.com off the same IP address but would need a separate IP address for
baz.example.net.
Name-based
Name-based virtual hosts use multiple host names for the same IP address.
A technical prerequisite for name-based virtual hosts is a web browser with HTTP/1.1 support
(commonplace today) that includes the target hostname in the request. This allows a server hosting
multiple sites behind one IP address to deliver the correct site's content. More specifically, it means
sending the Host HTTP header.
For instance, a server could be receiving requests for two domains, www.example.com and
www.example.net, both of which resolve to the same IP address. For www.example.com, the server
would send the HTML file from the directory /var/www/user/Joe/site/, while requests for
www.example.net would make the server serve pages from /var/www/user/Mary/site/. Equally,
two subdomains of the same domain may be hosted together; for example, a blog server may host
blog1.example.com and blog2.example.com.
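In Apache, the arrangement just described might be sketched as follows (the directives are Apache's own; note that the NameVirtualHost line is required in Apache 2.2 and earlier but was removed in 2.4, so treat the details as version-dependent):

```apache
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot /var/www/user/Joe/site/
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.net
    DocumentRoot /var/www/user/Mary/site/
</VirtualHost>
```

Apache compares the request's Host header against each ServerName to pick which site's DocumentRoot to serve.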
The biggest issue with name-based virtual hosting is that it is difficult to host multiple secure
websites running SSL/TLS. Because the SSL/TLS handshake takes place before the expected
hostname is sent to the server, the server doesn't know which certificate to present in the
handshake. It is possible for a single certificate to cover multiple names, either through the
"subjectAltName" field or through wildcards, but the practical application of this approach is
limited by administrative considerations and by the matching rules for wildcards. There is an
extension to TLS called Server Name Indication (SNI) which presents the name at the start of the
handshake, but browser support for this extension is not yet wide enough for public sites to rely on
it (in particular, it is not supported by Internet Explorer on Windows XP).
Furthermore if the Domain Name System (DNS) is not properly functioning, it is difficult to
access a virtually-hosted website even if the IP address is known. If the user tries to fall back to
using the IP address to contact the system, as in http://10.23.45.67/, the web browser will send
the IP address as the host name. Since the web server relies on the web browser client telling it
what server name (vhost) to use, the server will respond with a default website—often not the site
the user expects.
A workaround in this case is to add the IP address and host name to the client system's hosts file.
Accessing the server with the domain name should work again. Users should be careful when
doing this, however, as any changes to the true mapping between host name and IP address will be
overridden by the local setting. This workaround is not really useful for an average web user, but
may be of some use to a site administrator while fixing DNS records.
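Using the example address above, the workaround is a single line in the client's hosts file (/etc/hosts on Unix-like systems, C:\Windows\System32\drivers\etc\hosts on Windows):

```
# temporary mapping while DNS is broken; remove once DNS is working again
10.23.45.67    www.example.com
```

The browser will then resolve www.example.com locally and send the correct Host header, so the server can select the right virtual host.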
IP-based
When IP-based virtual hosting is used, each site (either a DNS host name or a group of DNS host
names that act the same) points to a unique IP address. The webserver is configured with multiple
physical network interfaces, virtual network interfaces on the same physical interface or multiple
IP addresses on one interface.
The web server can either open separate listening sockets for each IP address, or it can listen on all
interfaces with a single socket and obtain the address the TCP connection was received on after
accepting the connection. Either way, it can use the IP address to determine which website to
serve. The client is not involved in this process, and therefore (unlike with name-based virtual
hosting) there are no compatibility issues.
The downside of this approach is the server needs a different IP address for every web site. This
increases administrative overhead (both assigning addresses to servers and justifying the use of those
addresses to internet registries) and contributes to IPv4 address exhaustion.
Port-based
The default port number for HTTP is 80. However, most webservers can be configured to operate
on almost any port number, provided the port number is not in use by any other program on the
server.
For example, a server may host the website www.example.com. However, if the owner wishes to
operate a second site, and does not have access to the domain name configuration for their domain
name, and/or owns no other IP addresses which could be used to serve the site from, they could
instead use another port number, for example, www.example.com:81 for port 81,
www.example.com:8000 for port 8000, or www.example.com:8080 for port 8080.
However, this is not a user-friendly approach. Users cannot reasonably be expected to know the port
numbers for their websites, and moving a site between servers may require changing the port number.
Using non-standard port numbers may also be seen as unprofessional and unattractive to users. In
addition, some firewalls block all but the most common ports, causing a site hosted on a non-standard
port to appear unavailable to some users.
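In Apache, a port-based virtual host might be sketched like this (the second port and the path are illustrative assumptions):

```apache
Listen 80
Listen 8080

<VirtualHost *:8080>
    ServerName www.example.com
    DocumentRoot /var/www/second-site/
</VirtualHost>
```

Here the same hostname serves a different site when requested as www.example.com:8080.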
Uses
Virtual web hosting is often used on a large scale in companies whose business model is to provide
low cost website hosting for customers. The vast majority of web hosting service customer websites
worldwide are hosted on shared servers, using virtual hosting technology.
Many businesses utilize virtual servers for internal purposes, where there is a technological or
administrative reason to operate several separate websites, such as a customer extranet website,
employee extranet, internal intranet, and intranets for different departments. If there are not
security concerns in the website architectures, they can be merged into a single server using virtual
hosting technology, which reduces management and administrative overhead and the number of
separate servers required to support the business.
The subject of caching comes up again and again in discussions of computers and
networking, because of a phenomenon that is widely observed in these technologies:
whenever a user, hardware device or software process requests a particular piece of
data, there is a good chance it will ask for it again in the near future. Thus, by storing
recently-retrieved items in a cache, we can eliminate duplicated effort. This is why
caching plays an important role in the efficiency of protocols such as ARP and DNS.
The Significance of Caching to HTTP
Caching is important to HTTP because Web users tend to request the same documents
over and over again. For example, in writing this section on HTTP, I made reference to
RFC 2616 many, many times. Each time, I loaded it from a particular Web server. Since
the document never changes, it would be more efficient to just load it from a local cache
rather than having to retrieve it from the distant Web server each time.
However, caching is even more essential to HTTP than to most other protocols or
technologies where it is used. The reason is that Web documents tend to be structured so
that a request for one resource leads to a request for many others. Even if I load a
number of different documents, they may each refer to common elements that do not
change between user requests. Thus, caching can be of benefit in HTTP even if a user
never asks for the same document twice, or if a single document changes over time so
that caching the document itself would be of little value.
For example, suppose that each morning I load up CNN’s Web site to see what is going
on in the world. Obviously, the headlines will be different every day, so caching of the
main CNN.com Web home page won't be of much value. However, many of the
graphical elements on the page (CNN’s logo, dividing bars, perhaps a “breaking news”
graphic) will be the same, every day, and these can be cached. Another example would
be a set of discussion forums on a Web site. As I load up different topics to read, each
one is different, but they have common elements (such as icons and other images) that
would be wasteful to have to retrieve over and over again.
Caching in HTTP yields two main benefits. The first is reduced bandwidth use, by
eliminating unneeded transfers of requests and responses. The second, equally
important, is faster response time for the user loading a resource. Consider that on
many Web pages today, the image files are much larger than the HTML page that
references them. Caching these graphics will allow the entire page to load far more
quickly. Figure 319 illustrates how caching reduces bandwidth and speeds up resource
retrieval by “short-circuiting” the request/response chain.
This diagram illustrates the impact of caching on the request/response chain of Figure
316. In this example, intermediary #2 is able to satisfy the client’s request from its cache.
This “short-circuits” the communication chain after two transfers, which means the client
gets its resource more quickly, and the HTTP server is spared the need to process the
client’s request.
The obvious advantages of caching have made it a part of the Web since pretty much
the beginning. However, it was not until HTTP/1.1 that the importance of caching was
really recognized in the protocol itself, and many features were added to support it. Where
the HTTP/1.0 standard makes passing mention of caching and some of the issues
related to it, HTTP/1.1 devotes 26 full pages to caching (over 20% of the main body of
the document!). I obviously cannot go into that level of detail here, but I will discuss
HTTP caching in general terms to give you a feel for the subject.
squid is a high-performance proxy caching server for web clients, supporting FTP, gopher,
ICAP, ICP, HTCP and HTTP data objects. Unlike traditional caching software, squid
handles all requests in a single, non-blocking process.
squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups,
supports non-blocking DNS lookups, and implements negative caching of failed requests.
squid supports SSL, extensive access controls, and full request logging. By using the
lightweight Internet Cache Protocols ICP, HTCP or CARP, squid caches can be arranged in
a hierarchy or mesh for additional bandwidth savings.
squid consists of a main server program squid, some optional programs for custom
processing and authentication, and some management and client tools. When squid starts
up, it spawns a configurable number of helper processes, each of which can perform
parallel lookups. This reduces the amount of time the cache waits for results. squid is
derived from the ARPA-funded Harvest Project (http://harvest.cs.colorado.edu/). This manual
page only lists the command line arguments. For details on how to configure squid see the
file @DEFAULT_CONFIG_FILE@.documented, the Squid wiki FAQ and examples at
http://wiki.squid-cache.org/, or the configuration manual on the squid home page
http://www.squid-cache.org/Doc/config/
Options
-a port
Specify HTTP port number where Squid should listen for requests, in addition to any
http_port specifications in squid.conf.
-k reconfigure | rotate | shutdown | interrupt | kill | debug | check | parse
Parse configuration file, then send signal to running copy (except -k parse) and exit.
-n name
Specify Windows Service name to use for service operations; default is: Squid
-N
No daemon mode.
Files
@DEFAULT_CONFIG_FILE@
The main configuration file. You must initially make changes to this file for squid to work.
For example, the default configuration does not allow access from any browser.
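For example, a minimal change that opens access to an internal subnet might look like this squid.conf sketch (the subnet and port are assumptions; adjust them for your own network):

```
# squid.conf fragment (illustrative): allow the internal LAN, deny everything else
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
http_port 3128
```

Without an allow rule like this, browsers pointed at the proxy are simply refused.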
*.default files
Reference copy of the configuration file. Always kept up to date with the version of Squid
you are using. Use this to look up the default configuration settings and syntax after
upgrading.
*.documented files
Reference copy of the configuration file. Always kept up to date with the version of Squid
you are using. Use this to read the documentation for configuration options available in
your build of Squid. The online configuration manual is also available for a full reference
of options: see http://www.squid-cache.org/Doc/config/
cachemgr.conf
The main configuration file for the web cachemgr.cgi tools.
msntauth.conf
The main configuration file for the Sample MSNT authenticator.
errorpage.css
CSS stylesheet to control the display of generated error pages. Use this to set any company
branding you need; it will apply to every language Squid provides error pages for.
@DEFAULT_MIME_TABLE@ (mime_table)
MIME type mappings for FTP gatewaying.
@DEFAULT_ERROR_DIR@
Location of squid error pages and templates.
Proxy Authentication
We implement proxy servers to improve internal network security. Mainly we’re attempting to
keep bad traffic from communicating with the outside world. If malware lands on an internal box,
it may for example attempt a call back to its command and control server. Typically this occurs
over port 443 and is lost in the sea of legitimate traffic, because your typical firewall is rather
dumb: unlike a proxy, it does not inspect all 7 layers of the OSI model, so it doesn't understand
that there is a covert channel pretending to be SSL-encrypted traffic.
By funneling all outbound traffic through a proxy we can stop most of these bad packets. Often
malware is not proxy aware and it will attempt to escape your network through the default
gateway (typically your firewall). When implementing a proxy server, you should be adding a
DENY ALL rule blocking ALL hosts from leaving out your front door. While this sounds like a
great solution, there is a small loophole. Modern malware is slowly becoming proxy aware. Hence
some bad traffic may evade even your smart proxy server through a covert channel, especially when
it is configured in transparent mode.
Enter Proxy Authentication, to the rescue. It's a simple concept: before a proxy accepts your
request you have to present your credentials and be authenticated; otherwise your packets become
lost in space, hence no reverse shell connection to a command and control server. I've talked
about Squid and its many features and benefits, and, you guessed it, this week I'll discuss
enabling Squid Proxy Authentication. Squid supports four authentication schemes:
• Basic – Simplest to implement but most insecure (clear text username and password)
• Digest – Easy to implement and more secure using MD5 hashed username and password
• NTLM – Harder to implement using Microsoft’s proprietary SMB protocol
• Negotiate – Hardest to implement but most secure with Kerberos and AD
Depending on your environment and requirements, I would suggest NTLM or Negotiate for most
Windows-centric networks. Negotiate with Kerberos would be my first choice, but there are a few
hoops to jump through. NTLM is a good second choice, but because Microsoft hasn't been
forthcoming with its proprietary protocol implementation, it has been reverse engineered by some
very smart people.
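As a small preview, the simplest scheme (Basic) is enabled with a squid.conf fragment along these lines; the helper program's path varies by distribution, so treat it as an assumption:

```
# squid.conf fragment (sketch): Basic authentication against an htpasswd-style file
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Squid proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Any request arriving without valid credentials is challenged with a 407 Proxy Authentication Required response.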
Over the next several weeks I’ll take you through each authentication mechanism in more detail. If
you’re currently not using Proxy authentication with your proxy I would strongly suggest you
begin to think about it and plan to implement it in the near future. As malware evolves, so should
we and our defenses.
'NTLM Authorization Proxy Server' (APS) is proxy software that allows you to authenticate via
an MS Proxy Server using the proprietary NTLM protocol. Since version 0.9.5, APS has the
ability to behave as a standalone proxy server and authenticate HTTP clients at web servers using
the NTLM method. It can change arbitrary values in your client's request header so that those
requests will look like they were created by MS IE. It is written in Python (v1.5.2).
Main features:
• supports NTLM authentication via parent proxy server (Error 407 Proxy Authentication Required);
• supports NTLM authentication at web servers (Error 401 Access Denied/Unauthorized);
• supports translation of NTLM scheme to standard "Basic" authentication scheme;
• supports the HTTPS 'CONNECT' method for transparent tunnelling through parent proxy server;
• has ability to change arbitrary values in client's request headers;
• supports unlimited number of client connections;
• supports connections from external hosts;
• supports HTTP 1.1 persistent connections;
• stores user's credentials in config file or requests password from a console during the start time;
• supports intelligent failure detection and failover between multiple upstream proxies;
The server was originally written for wget, which could not pass through the MS Proxy set up in our LAN. But
then it turned out that even browsers can use it, so I spent some time making it more RFC-friendly,
and now it works with most software that can use http/https proxies.
Even the distributed Intel-United Devices Cancer Research Project can be used with APS. Just use an
HTTPS proxy in the "proxy settings" of the United Devices software and point it to your local NTLMAPS,
e.g. server "localhost" and port "8080", or whatever you set in server.cfg.
'NTLM Authorization Proxy Server' is distributed under the GNU General Public License, which is
included in this archive (see file COPYING).
This means that 'NTLM Authorization Proxy Server' is pretty much free. You have to pay nothing
for it.
System requirements:
There are no binary files in the distribution. Thus you can use the software on any system that has
Python, with minimal modifications.
Troubleshooting:
There are two options in server.cfg, DEBUG and BIN_DEBUG. If you have troubles with the server,
set these options to DEBUG:1 and BIN_DEBUG:1 just before requesting a problem page (or
resource). You have to restart the proxy server to reread server.cfg. This will give you 3 log files per
HTTP request (per connection, to be exact), like 127.0.0.1-1048, 127.0.0.1-1048.bin.client and
127.0.0.1-1048.bin.rserver. The first one contains info on what APS did; the two others contain
raw traffic from the client and from the proxy.
Populate the table with some test data, eg mysql> insert into passwd
1. A network access device (RADIUS client) sends an authentication request to a RADIUS proxy
server.
2. The proxy RADIUS server forwards the message to a RADIUS target server.
3. The target RADIUS server performs the authentication services indicated by the message, then
returns a response message to the proxy RADIUS server.
4. The proxy RADIUS server relays the response message to the RADIUS client.
2. Depending on its configuration, the RADIUS server forwards the accounting message to a target
server, records accounting attributes locally on the proxy server, or records the information in
both places.
3. If the proxy server does not receive an acknowledgement of the forwarded packet, it periodically
re-sends the packet according to its retry policy.
4. When the target server acknowledges the request, the proxy server forwards an
acknowledgement to the RADIUS client.
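The retry behavior in steps 3 and 4 can be sketched with a toy shell function (purely illustrative, not Steel-Belted Radius code; all names are invented). Here the fake target only acknowledges the third attempt:

```shell
ATTEMPTS=0
send_to_target() {                  # stand-in for "forward packet, wait for ack"
    ATTEMPTS=$((ATTEMPTS + 1))
    [ "$ATTEMPTS" -eq 3 ]           # this toy target only acks the 3rd attempt
}

proxy_forward() {                   # steps 3-4: re-send per the retry policy
    for attempt in 1 2 3; do
        if send_to_target "$1"; then
            echo "acknowledged on attempt $attempt"
            return 0
        fi
    done
    echo "retry policy exhausted"
    return 1
}

proxy_forward "accounting-request"  # prints: acknowledged on attempt 3
```

A real proxy would also wait a configured timeout between attempts; the loop above only captures the re-send-until-ack structure.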
The carrier might define several such realms, one for each service provider that employs its
services. If a service provider's network is extremely large, a carrier might decide to use several
realms to represent a single service provider. For each of these realms, it is possible to define an
independent set of conventions for storing, forwarding, routing, and filtering the RADIUS requests
that enter the Steel-Belted Radius Carrier server.
For more information, see Figure 47 and "Configuring a Proxy RADIUS Realm" on page 163.
After the target is selected, Steel-Belted Radius Carrier matches the target name with a proxy entry
in its database. Using the data in this entry (IP address, UDP port, shared secret), Steel-Belted
Radius Carrier establishes a connection between itself and the target, and proxy-forwards the
RADIUS request. You can configure the realm so that all realm routing information and delimiters
are stripped from the Username before forwarding.
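The stripping of realm routing information can be illustrated with a tiny sketch (the @ delimiter and the names used are assumptions for illustration only):

```shell
strip_realm() {                      # split user@realm and keep only the user part
    case "$1" in
        *@*)
            user="${1%@*}"           # text before the last @ (the bare username)
            ;;
        *)
            user="$1"                # no realm routing information present
            ;;
    esac
    echo "$user"                     # this is what would be proxy-forwarded
}

strip_realm "[email protected]"        # prints: joe
```

The target server then sees a plain username, without the realm decoration the carrier used for routing.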
The target processes the request as it normally would for RADIUS authentication or accounting.
In the case of authentication, Steel-Belted Radius Carrier waits for a response from the target, then
relays this response to its RADIUS client.
Unit 7
General Samba Configuration
Samba is a suite of utilities that allows your Linux box to share files and other resources, such as
printers, with Windows boxes. This chapter describes how you can make your Linux box into a
Windows Primary Domain Controller (PDC) or a server for a Windows Workgroup. Either
configuration will allow everyone at home to have:
• their own logins on all the home Windows boxes, while having their files on the Linux box
appear to be located on a new Windows drive
• shared access to printers on the Linux box
• shared files accessible only to members of their Linux user group.
What's the difference between a PDC and Windows Workgroup member? A detailed description is
beyond the scope of this chapter, but this simple explanation should be enough:
• A PDC stores the login information in a central database on its hard drive. This allows each
user to have a universal username and password when logging in from all PCs on the network.
• In a Windows Workgroup, each PC stores the usernames and passwords locally so that they
are unique for each PC.
This chapter will only cover the much more popular PDC methodology used at home. By default,
Samba mimics a Windows PDC in almost every way needed for simple file sharing. Linux
functionality doesn't disappear when you do this. Samba domains and Linux share the same
usernames, so you can log into the Samba-based Windows domain using your Linux password
and immediately gain access to files in your Linux user's home directory. For added security you
can make your Samba and Linux passwords different.
When it starts up, and with every client request, the Samba daemon reads the configuration file
/etc/samba/smb.conf to determine its various modes of operation. You can create your own
smb.conf using a text editor or the Web-based SWAT utility, which is easier. Keep in mind,
however, that if you create /etc/samba/smb.conf with a text editor then subsequently use SWAT to
edit the file, you will lose all the comments you inserted with the text editor. I'll explain how to
use both SWAT and a text editor to configure Samba later in this chapter.
Samba is comprised of a suite of RPMs that come on the Fedora CDs. The files are named:
• samba
• samba-common
• samba-client
• samba-swat
When searching for the file, remember that the RPM's filename usually starts with the RPM name
followed by a version number as in samba-client-3.0.0-15.i386.
Managing the samba daemons is easy to do, but the procedure differs between Linux distributions.
Here are some things to keep in mind.
• Firstly, different Linux distributions use different daemon management systems. Each system
has its own set of commands to do similar operations. The most commonly used daemon
management systems are SysV and Systemd.
• Secondly, the daemon name needs to be known. In this case the names of the daemons are
smb and nmb.
The /etc/samba/smb.conf file is the main configuration file you'll need to edit. It is split into five
major sections, which Table 10-1 outlines:
[profile] A share for storing domain logon information such as "favorites" and desktop icons.
You can edit this file by hand, or more simply through Samba's SWAT web interface.
SAMBA SWAT
You must always remember that SWAT edits the smb.conf file but also strips out any comments
you may have manually entered into it beforehand. The original Samba smb.conf file has many
worthwhile comments in it; you should save a copy as a reference before proceeding with SWAT.
For example, you could save the original file with the name /etc/samba/smb.conf.original as in:
[root@bigboy tmp]# cp /etc/samba/smb.conf /etc/samba/smb.conf.original
As you can see, using SWAT requires some understanding of the smb.conf file parameters because
it eliminates these comments.
SWAT doesn't encrypt your login password. Because this could be a security concern in a corporate
environment you might want to create a Samba administrator user that has no root privileges or
only enable SWAT access from the GUI console or localhost.
The enabling and disabling, starting and stopping of SWAT is controlled by xinetd via a
configuration file named /etc/xinetd.d/swat. Here is a sample:
service swat
{
        port            = 901
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /usr/sbin/swat
        log_on_failure  += USERID
        disable         = no
        only_from       = localhost
}
The file's formatting is fairly easy to understand, especially as there are only two entries of interest.
• The disable parameter must be set to no to accept connections. This can automatically be
switched between yes and no as we will see later.
• The default configuration allows SWAT web access only from the VGA console, as user
root on port 901 with the Linux root password. This means you'll have to enter
"http://127.0.0.1:901" in your browser to get the login screen.
You can make SWAT accessible from other servers by adding IP address entries to the only_from
parameter of the SWAT configuration file. Here's an example of an entry to allow connections
only from 192.168.1.3 and localhost. Notice that there are no commas between the entries.
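Such an entry in /etc/xinetd.d/swat would read (a sketch, using the chapter's example address):

```
only_from = localhost 192.168.1.3
```

After editing the file, restart xinetd so the change takes effect.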
Therefore, in this case you can also configure Samba on your Linux server bigboy (IP address
192.168.1.100) from PC 192.168.1.3 using the URL http://192.168.1.100:901.
Remember that most firewalls don't allow TCP port 901 through their filters. You may have to adjust
your rules for this traffic to pass.
Network File System (NFS) is a distributed file system protocol originally developed by Sun
Microsystems in 1984,[1] allowing a user on a client computer to access files over a network in a
manner similar to how local storage is accessed. NFS, like many other protocols, builds on the
Open Network Computing Remote Procedure Call (ONC RPC) system. The Network File System
is an open standard defined in RFCs, allowing anyone to implement the protocol.
NFS is often used with Unix operating systems (such as Solaris, AIX and HP-UX) and Unix-like
operating systems (such as Linux and FreeBSD). It is also available to operating systems such as
the classic Mac OS, OpenVMS, Microsoft Windows, Novell NetWare, and IBM AS/400.
Alternative remote file access protocols include the Server Message Block (SMB, also known as
CIFS), Apple Filing Protocol (AFP), NetWare Core Protocol (NCP), and OS/400 File Server file
system (QFileSvr.400). SMB and NetWare Core Protocol (NCP) occur more commonly than NFS
on systems running Microsoft Windows; AFP occurs more commonly than NFS in Macintosh
systems; and QFileSvr.400 occurs more commonly in AS/400 systems.
Assuming a Unix-style scenario in which one machine (the client) requires access to data stored on
another machine (the NFS server):
1. The server implements NFS daemon processes (running by default as nfsd) in order to make
its data generically available to clients.
2. The server administrator determines what to make available, exporting the names and
parameters of directories (typically using the /etc/exports configuration file and the
exportfs command).
3. The server security-administration ensures that it can recognize and approve validated clients.
4. The server network configuration ensures that appropriate clients can negotiate with it
through any firewall system.
5. The client machine requests access to exported data, typically by issuing a mount command.
(The client asks the server (rpcbind) which port the NFS server is using, the client connects to
the NFS server (nfsd), nfsd passes the request to mountd)
6. If all goes well, users on the client machine can then view and interact with mounted
filesystems on the server within the parameters permitted.
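Step 2 above, for example, might involve an /etc/exports line like this sketch (the path and network shown are illustrative assumptions):

```
# export /srv/share read-write to the local subnet
/srv/share  192.168.1.0/24(rw,sync,no_subtree_check)
```

Running exportfs -ra afterwards tells the NFS daemons to re-read the exports file.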
Note that automation of the NFS mounting process may take place — perhaps using /etc/fstab
and/or automounting facilities.
The mount command mounts NFS shares on the client side. Its format is as follows:
# mount -t nfs -o options host:/remote/export /local/directory
This command uses the following variables:
options
A comma-delimited list of mount options; refer to Section 12.5, “Common NFS Mount
Options” for details on valid NFS mount options.
server
The hostname, IP address, or fully qualified domain name of the server exporting the file
system you wish to mount
/remote/export
The file system or directory being exported from server, i.e. the directory you wish to mount
/local/directory
The location on the client where /remote/export is mounted
The NFS protocol version used in Red Hat Enterprise Linux 6 is identified by the mount options
nfsvers or vers. By default, mount will use NFSv4 with mount -t nfs. If the server does not
support NFSv4, the client will automatically step down to a version supported by the server. If
you use the nfsvers/ vers option to pass a particular version not supported by the server, the
mount will fail. The file system type nfs4 is also available for legacy reasons; this is equivalent
to running mount -t nfs -o nfsvers=4 host:/remote/export /local/directory.
If an NFS share was mounted manually, the share will not be automatically mounted upon reboot.
Red Hat Enterprise Linux offers two methods for mounting remote file systems automatically at
boot time: the /etc/fstab file and the autofs service.
The mount point /pub must exist on the client machine before this command can be executed.
After adding this line to /etc/fstab on the client system, use the command mount /pub, and the
mount point /pub is mounted from the server.
The /etc/fstab file is referenced by the netfs service at boot time, so lines referencing NFS shares
have the same effect as manually typing the mount command during the boot process.
A valid /etc/fstab entry to mount an NFS export should contain the following information:
The variables server, /remote/export, /local/directory, and options are the same ones used
when manually mounting an NFS share. Refer to Section 12.3, “NFS Client Configuration” for a
definition of each variable.
Note
The mount point /local/directory must exist on the client before /etc/fstab is read. Otherwise,
the mount will fail.
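A minimal /etc/fstab entry of this form might look like the following (hostname and paths are illustrative):

```
server.example.com:/remote/export   /local/directory   nfs   defaults   0 0
```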
Configuring CUPS
One of the latest Linux printing solutions is the Common UNIX Printing System (CUPS). It
supports the Internet Printing Protocol (IPP) and provides a complete, platform-independent
printing solution for most networking environments. The CUPS server can be administered
remotely using a web browser, which makes it ideal for a ‘headless’ server.
One of the major advantages of CUPS is that it can be controlled completely from a
standard web browser, so really all we need to do is get it configured and then access it remotely.
However, this guide will provide all the steps necessary to configure it from the command line (print
drivers need to be updated manually).
[bash]# vi /etc/cups/cupsd.conf
ServerName server.example.com
ServerAdmin [email protected]
AccessLog /var/log/cups/access_log
DataDir /usr/share/cups
DefaultCharset utf-8
DefaultLanguage en
ErrorLog /var/log/cups/error_log
MaxLogSize 10485760
LogLevel info
Printcap /etc/printcap
RequestRoot /var/spool/cups
ServerBin /usr/lib/cups
ServerRoot /etc/cups
User lp
Group sys
Listen 127.0.0.1:631
Listen 172.31.81.3:631
To access the resources remotely via a web browser, we need to specify the access controls
(deny/allow) which will be applied to each resource. The “/” (root) resource may be provided to all
users without any authentication so they may view which printers are available and the status of
the queues.
The “admin” resource has been configured for authentication so that all the administration tasks are
only accessible to authorised personnel. It is important to note that no encryption has been
established for CUPS in our configuration (it is optional), so if you are administering the system
via an untrusted network, be aware that your user details may be captured. This should not be a
problem for home networks.
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.1.0/24
</Location>
<Location /admin>
Require group printer-admins
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.1.0/24
</Location>
CUPS is a full networking solution and is capable of browsing the network and discovering
other CUPS servers. Depending on the configuration, this allows full administration of all your
network printers so they can be centrally managed from one location. The default for browsing
is on; for a small home network, however, you would probably prefer to turn this feature off.
Browsing Off
BrowseProtocols cups
BrowseOrder Deny,Allow
BrowseAllow from @LOCAL
BrowseAllow from @IF(eth1)
After making the necessary changes to the configuration file, we need to make the system aware of
the changes by restarting the printing service:
[bash]# /etc/init.d/cups restart
The CUPS daemon can now be controlled through a standard web browser if you are connecting
from either the localhost, or from the internal network. The service is running on port 631 (default)
and can be accessed here: http://localhost:631/.
The message log can be read to check for any changes and any problems in the CUPS configuration.
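For example, recent log entries can be inspected using the log locations set in cupsd.conf above:

```shell
[bash]# tail /var/log/cups/error_log      # configuration and scheduler problems
[bash]# tail /var/log/cups/access_log     # who accessed which resource
```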
Setup CUPS (Common UNIX Printing System) Server and Client in Debian
The Common UNIX Printing System, or CUPS, is the software you use to print from
applications like the web browser you are using to read this page. It converts the page descriptions
produced by your application (put a paragraph here, draw a line there, and so forth) into
something your printer can understand and then sends the information to the printer for printing.
Now, since every printer manufacturer does things differently, printing can be very complicated.
CUPS does its best to hide this from you and your application so that you can concentrate on
printing rather than on how to print. Generally, the only time you need to know anything about your
printer is when you use it for the first time, and even then CUPS can often figure things out on its own.
NOTE: If your network uses DHCP, it is a good idea to set up the server with a static IP. This guide
uses 172.20.22.74 for the server and 172.20.22.150 for the administration workstation.
Configure CUPS
The default configuration file is located at /etc/cups/cupsd.conf; in this file you need to configure
the following sections to make it work.
#/etc/init.d/cupsys restart
The CUPS clients are easy to set up and the configuration is identical on all machines. You need to
install the following packages for the client:
#touch /etc/cups/client.conf
#vi /etc/cups/client.conf
Enter the following information: the server IP and the encryption requirement.
# Servername
ServerName 172.20.22.74
# Encryption
Encryption IfRequested
#/etc/init.d/cupsys restart
FTP Server
Introduction
The FTP protocol dates back to the early 1970s, and was designed for a relatively simple network,
with few computers on it, mostly directly connected, rather than servers within complex private
networks (behind routers and firewalls) being accessed from the internet.
It has to a large extent been superseded by Hypertext Transfer Protocol (HTTP) which has
expanded its abilities way beyond those originally planned in the late 1980s, including the transport
of large binary files.
FTP excels where there are complex hierarchies of directories and files: a suitable
graphical client can show the local and distant machines alongside each other, allowing easy
comparison of the two. Curiously, its most useful application is in conjunction with web
servers - it can be configured to quickly and transparently compare file structures on client and
server, updating one or the other with newer or missing files.
There is a bewildering array of clients available: Absolute FTP, Cute FTP, FileZilla, NcFTP, Smart
FTP, WS_FTP, to name but a few. A search on Google for ftp client produced 24 million hits!
Most of these use a graphical interface, but if you are a diehard command-line user, the FTP client
built into even the latest Windows operating system will perform the task perfectly well.
ftp://myftpserver.mydomain.com
In fact, files are often downloaded using FTP by browsers without the user ever knowing - the link
for the final download may actually access an FTP server.
The client will initiate a connection with the server, usually via port 21 - this connection does not pass
any data, only control messages, hence it is called the Control Channel. This allows the connection
to be established, and the login to take place (either anonymous or using a special username and
password).
The transport of data (in either direction, and this includes file/directory listings) requires the setting
up of a separate data channel (initiated by the FTP client), which may be of one of two possible
types: Active or Passive mode. Both modes are usually supported by FTP clients. Active mode is
the default; the reason for the two different methods will be explained under Problems with
Routers & Firewalls below.
Via the control channel, the client sends a port number to the server (using the PORT command),
then waits for the server to connect to it on this port, from port 20 on the server (the use of port 20
by the server is a convention, like the use of port 21 for the Control Channel).
The data (in either direction) is transported, and the data channel closed.
If more data is to be transported, the client will send another port number to the server, the server
will connect through its port 20 with the specified port on the client, and that data is transported. A
different port is used because there is a delay between the instruction to close the original port
and its actually closing, which means it cannot be re-used immediately.
The client will choose port numbers using its own scheme, the details of which are unimportant here
as long as ports are not re-used until they will definitely be free.
Via the control channel, the client will issue an instruction to the server (using the PASV
command) that the server should open a port to which the client can open a connection. The server
will respond with a port number and await the client's initiating a connection to that port. Once
established, this will be used for the transport of data, then closed again, just as with the Active
method above.
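To make the Passive mode exchange concrete: the server's PASV reply encodes the data-channel address as six decimal numbers, four for the IP address and two for the port, where port = p1*256 + p2. A minimal sketch of how a client might decode such a reply (the reply string below is illustrative):

```python
import re

def parse_pasv(reply):
    """Decode a PASV reply such as
    '227 Entering Passive Mode (192,168,1,2,19,137)'
    into the (host, port) the client should connect to."""
    nums = re.search(r"\((\d+,\d+,\d+,\d+,\d+,\d+)\)", reply).group(1)
    a, b, c, d, p1, p2 = (int(n) for n in nums.split(","))
    # The data port is the high byte times 256 plus the low byte.
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2

host, port = parse_pasv("227 Entering Passive Mode (192,168,1,2,19,137)")
print(host, port)  # 192.168.1.2 5001
```

The client then opens a TCP connection to that host and port and uses it as the data channel.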
The File Transfer Protocol (FTP) allows the exchange of files between computers. One may get
files from or put files to a remote computer. For obvious security reasons these operations are
allowed only after identification of the user. Thus an FTP session may be divided into the following
operations:
FTP allows the exchange of all types of files, be they simple text, word processor documents,
graphics, video, audio or executable files. Although it may be possible to transfer a file from one
machine to another, this does not ensure that the target machine will be able to use the file. For
example, a file containing a program in executable form will never be compatible between
processors belonging to different families: an executable file for a Pentium cannot run on a DEC
Alpha platform. Hopefully in the future more and more computers will use IEEE formats to store
data, consequently easing the task of communication between computers.
FTP uses a client-server approach. The user sends requests from his computer through an FTP client
program to a remote computer, which receives them through an FTP server program. Thus the
communication is asymmetric. Assuming one is online to machine A and wants to
exchange files with a remote computer B, it means that:
However with the above programs running, a user on line to computer B, will not be able to
exchange files with computer A since there is no client running on machine B and no server on
machine A. To allow symmetric communications one needs both client and server programs running
on the same machine.
Security considerations
Unix, VMS, OS/2, Windows NT... do not present this problem since a user is always identified.
On Unix machines the user may facilitate the access to an account by suppressing the need for a
password from trusted locations and users. This is often used by persons with accounts on
different machines to rapidly exchange files between the computers without the need of a full
identification. However the system manager may disable this feature and it may not work at some
sites.
Anonymous FTP
The need for identification prevents file exchange between computers for users not having a
proper account identification and password on the remote computer. This is very frustrating: How
can one retrieve a file without asking for a password? How can one send a file to a remote user
without this information?
To overcome this difficulty on multiuser machines, one may install a special identification called
anonymous. Anybody can make an FTP connection giving anonymous as the login identification.
Netiquette recommends that one's e-mail address be entered as the password, but in many cases any
string of characters will suffice. Anonymous access is limited to a restricted set of files. Further, it is
frequent that the number of simultaneous anonymous connections be limited, and one may thus be
bounced out with a message saying to try later.
Some servers not only allow you to retrieve files but also permit you to upload files onto the server,
usually into a directory called incoming with special properties (i.e. the commands dir or ls do not
work). This is very useful for exchanging information with other users. It avoids having to give a
personal password to many people, with its consequent increase in security risks. To exchange
files, one person deposits the file in the incoming directory and the end-user fetches it out. Since
everybody can fetch the file this mechanism must not be used for confidential information.
Simple Mail Transfer Protocol (SMTP) is an Internet standard for electronic mail (e-mail)
transmission across Internet Protocol (IP) networks. SMTP was first defined by RFC 821 (1982,
eventually declared STD 10),[1] and last updated by RFC 5321 (2008)[2] which includes the
extended SMTP (ESMTP) additions, and is the protocol in widespread use today. SMTP uses
TCP port 25. The protocol for new submissions (MSA) is effectively the same as SMTP, but it uses
port 587 instead. SMTP connections secured by SSL are known by the shorthand SMTPS, though
SMTPS is not a protocol in its own right.
While electronic mail servers and other mail transfer agents use SMTP to send and receive mail
messages, user-level client mail applications typically only use SMTP for sending messages to a
mail server for relaying. For receiving messages, client applications usually use either the Post
Office Protocol (POP) or the Internet Message Access Protocol (IMAP) or a proprietary system
(such as Microsoft Exchange or Lotus Notes/Domino) to access their mail box accounts on a mail
server.
Email is submitted by a mail client (MUA, mail user agent) to a mail server (MSA, mail
submission agent) using SMTP on TCP port 587. Most mailbox providers still allow submission
on traditional port 25. From there, the MSA delivers the mail to its mail transfer agent (MTA,
mail transfer agent). Often, these two agents are just different instances of the same software
launched with different options on the same machine. Local processing can be done either on a
single machine, or split among various appliances; in the former case, involved processes can
share files; in the latter case, SMTP is used to transfer the message internally, with each host
configured to use the next appliance as a smart host. Each process is an MTA in its own right; that
is, an SMTP server.
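The hand-off between these agents is a simple text dialogue. A typical SMTP exchange looks like the following (hostnames and addresses are illustrative; S = server, C = client):

```
S: 220 mail.example.com ESMTP
C: HELO client.example.com
S: 250 mail.example.com
C: MAIL FROM:<[email protected]>
S: 250 OK
C: RCPT TO:<[email protected]>
S: 250 OK
C: DATA
S: 354 End data with <CRLF>.<CRLF>
C: Subject: test
C:
C: Hello Bob.
C: .
S: 250 OK: queued
C: QUIT
S: 221 Bye
```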
The boundary MTA has to locate the target host. It uses the Domain name system (DNS) to look
up the mail exchanger record (MX record) for the recipient's domain (the part of the address on the
right of @). The returned MX record contains the name of the target host. The MTA next connects
to the exchange server as an SMTP client. (The article on MX record discusses many factors in
determining which server the sending MTA connects to.)
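The MX lookup described above can be reproduced from the command line with the dig utility (the domain is illustrative); the answer lists the mail exchangers and their preference values:

```shell
# dig +short MX example.com
```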
Once the MX target accepts the incoming message, it hands it to a mail delivery agent (MDA) for
local mail delivery. An MDA is able to save messages in the relevant mailbox format. Again, mail
reception can be done using many computers or just one. An MDA may deliver messages directly
to storage, or forward them over a network using SMTP or any other means, including the Local
Mail Transfer Protocol (LMTP), a derivative of SMTP designed for this purpose.
Once delivered to the local mail server, the mail is stored for batch retrieval by authenticated mail
clients (MUAs). Mail is retrieved by end-user applications, called email clients, using Internet
Message Access Protocol (IMAP), a protocol that both facilitates access to mail and manages
stored mail, or the Post Office Protocol (POP) which typically uses the traditional mbox mail file
format or a proprietary system such as Microsoft Exchange/Outlook or Lotus Notes/Domino.
Webmail clients may use either method, but the retrieval protocol is often not a formal standard.
SMTP defines message transport, not the message content. Thus, it defines the mail envelope and
its parameters, such as the envelope sender, but not the header or the body of the message itself.
STD 10 and RFC 5321 define SMTP (the envelope), while STD 11 and RFC 5322 define the
message (header and body), formally referred to as the Internet Message Format.
POP3 and IMAP are two different protocols used to access e-mail. POP3 and IMAP function very
differently from each other and each has their own advantages. POP3 is useful for checking your
e-mail from one computer at a single location. IMAP is the better option when you need to
check your e-mail from multiple computers at different locations such as at work, home, or on
the road.
POP3
POP3 works by accessing the inbox on the mail server and then downloading the new messages
to your computer. With this type of account you do not have to stay logged on to the Internet.
You can log on when you want to receive and send new messages. Once your new messages
have been downloaded to your computer you can log off to read them. This option is good when
you connect to the internet through a dial up service and are charged for your connection time.
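POP3 itself is a small command/response protocol on TCP port 110. A typical session looks like this (username, password and message sizes are illustrative; S = server, C = client):

```
S: +OK POP3 server ready
C: USER alice
S: +OK
C: PASS secret
S: +OK logged in
C: LIST
S: +OK 2 messages
S: 1 1024
S: 2 2048
S: .
C: RETR 1
S: +OK 1024 octets
S: ...message content...
S: .
C: DELE 1
S: +OK message 1 deleted
C: QUIT
S: +OK bye
```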
IMAP
IMAP lets you view the headers of the new messages on the server and then retrieves the
message you want to read when you click on them. When using IMAP, the mail is stored on the
mail server. Unless you copy a message to a "Local Folder" the messages are never copied to
your PC. Using this protocol, all your mail stays on the server in multiple folders, some of which
you have created. This enables you to connect to any computer and see all your mail and mail
folders. In general, IMAP is great if you have a dedicated connection to the internet or you like
to check your mail from various locations.
It is important to point out that POP3 can be set to leave your e-mail on the server instead of
downloading to your computer. This feature enables you to check your e-mail from multiple
locations just like IMAP. So why choose IMAP rather than POP3 with the leave mail on server
setting? With the POP3 leave mail on server setting only your e-mail messages are on the server,
but with IMAP your e-mail folders are also on the server.
So in a nutshell the scenarios for using POP3 and IMAP can be summarized as follows:
Use POP3 when:
- You only check e-mail from one computer at a single location.
- You want to remove your e-mail from the mail server.
- You connect to the internet through dial-up and are charged for connection time.
Use IMAP when:
- You need to check e-mail from multiple computers at multiple locations.
- You use Web mail such as Gmail, Yahoo or Hotmail.
- You need to preserve the different e-mail folders you have created.
Keep your Inbox small! This is especially true for POP3 and will speed up your e-mail retrieval.
The time taken to check e-mail depends directly on how many e-mail messages are in your inbox
on the mail server.
POP3
- Try to reduce your inbox size. POP'ing large mail boxes consume excessive server resources.
- Set to remove mail from server at the end of every month or even sooner.
- Do not check your email more frequently than every 15 minutes.
IMAP
- Do NOT check all folders for new messages! This slows your e-mail substantially.
- Organize your mail into folders, and archive your older messages. This speeds up e-mail
retrieval by minimizing the number of messages in the inbox.
The following table lists some common e-mail tasks and compares how they are carried out with the
POP protocol to how they're carried out with the IMAP protocol:
What does it stand for?
POP: Post Office Protocol.
IMAP: Internet Message Access Protocol.

Which protocol would suit me best?
POP: If you access mail using only one computer, e.g. your office PC or a laptop.
IMAP: If you want to access your mail from multiple computers or locations.

Which mail programs can I use?
POP: All mail programs or clients have POP capability.
IMAP: Most mail programs have IMAP capability, and you will also be able to access your mail
via a web page using any web browser.

Some common tasks:

Check for incoming mail
POP: By default, incoming messages are transferred to your local machine when you check your
incoming mail. Only new messages are available if you connect to the server using a PC other
than your normal one. You are connected to the server only for the transfer of messages.
IMAP: By default, incoming messages stay on the server when you check your mail - only
headers are transferred, with full messages downloaded only when selected for reading. All your
messages are always available no matter where or how you connect to the server. You remain
connected to the server whilst you deal with mail, but some clients allow for off-line working.

Read and respond to mail
POP: Reading and responding to messages is done on your local machine.
IMAP: You can read and respond to messages directly on the server, but you can also read and
respond to messages on your local machine after downloading them for offline working
(depending on client). When you reconnect, your mailboxes are synchronised.

Move messages in and out of mailboxes
POP: You can move messages in and out of mailboxes only on your local machine.
IMAP: You can move messages in and out of mailboxes on the server and on your local machine.

Transfer messages from local machine to server and vice versa
POP: You cannot transfer any messages from your local machine to the server. Messages are
automatically transferred from the server to your local machine when you check your incoming mail.
IMAP: You can transfer individual messages from mailboxes on your local machine into
mailboxes on the server and vice versa.

Delete selected messages on the server
POP: When using some clients (e.g. Eudora), if you specified to leave messages on the server,
you can delete individual messages left there.
IMAP: You can delete individual messages and groups of messages directly on the server as well
as on your local machine.
SMTP relay
SMTP
Before we dive into SMTP relay, it is important to know how the SMTP protocol works. SMTP is
an acronym for Simple Mail Transfer Protocol. Most Internet service providers nowadays use
this protocol to send email. Email clients, also known as Mail User Agents (MUA), utilize this
protocol and act as SMTP clients to distribute email messages to the recipients. When a MUA
sends an email message, it connects to the configured SMTP server and communicates with it using
the SMTP protocol.
Internet mail works pretty much like our postal mail. When you wish to send a letter or a package
via snail mail, you put the letter inside an envelope, write the recipient's as well as your return
address and drop it off at your local post office. The local post office figures out the final
destination of the package and sends it to the appropriate post office in the recipient's town. One
important factor to notice here is that if both sender and recipient are in the same town no other
post office gets involved.
Electronic mail works pretty much the same. SMTP servers act as local post offices. When a user
wishes to send an email, he or she sends it to the SMTP server, which then forwards it to the
recipient's SMTP server. Rather than street address and apartment numbers, electronic mail
recipients are identified by unique email addresses. Every SMTP server is configured to handle
one or more domain names. Analogous to snail mail, if both sender and recipient are in the same
domain no other SMTP server gets involved. Following characteristics are common between snail
mail and electronic mail.
• Sender's name and address (snail mail); the sender's email address (electronic mail).
• Recipient's name and address; the list of recipients and their email addresses.
• Post office's stamp; the SMTP server's signature (there can be more than one SMTP server
involved).
• A timestamp of when the package was received; the date and time the email was received.
Electronic mail can have more elements than mentioned above.
Snail mail: There is no guarantee that the sender's name and address will always be correct. It is
very easy to fake the sender's identity.
Electronic mail: Similarly, it is very easy to hide the sender's true identity in an electronic mail.

Snail mail: If the sender and receiver are in the same town, your local post office will not send
the package to any other post office.
Electronic mail: If the sender and receiver are handled by the same SMTP server, no other server
will get involved.

Snail mail: Although the sender's identity cannot be trusted, you can still find a few things about
the package by looking at the envelope, such as the town the letter was mailed from and the time.
Electronic mail: Similarly, the SMTP envelope (also known as the header) contains information
such as the sender's IP address and a date/time stamp of when the mail was sent.

Snail mail: Every post office is assigned a postal code or zip code, which is used to identify its
location. One post office may handle multiple zip codes.
Electronic mail: These postal/zip codes are known as domain names in SMTP speak. Every
SMTP server is configured to handle one or more domains. A domain name is the text that
appears after the @ sign in an email address.
Mail relay
In the case of snail mail, the local post office is a government agency and there are no restrictions on
who can send a package. Consider a scenario where you live in town A and you want to send a
package to town B. When one town's post office accepts packages from another town, it is said to
"relay" the message.
Similarly, if you work for company A and want to send an email to someone in company B, you
connect to your SMTP server which then relays your message to the SMTP server owned by
company B. The notion that an SMTP server accepts an email that is destined for a different SMTP
server is called relaying.
It would be impossible to send email if every SMTP server in the world stopped relaying.
User authentication
The electronic world is a bit different than the real world: you can do things faster, cheaper and
distances do not matter. Imagine every time you wanted to send a snail mail you were asked to
show your passport or any other document that proved your identity. This would add extra
security at a cost of frustration and time. However, the frustration level associated with asking for
a user's id and password in an electronic transaction is much lower than the burden of having to
carry your passport.
Most SMTP servers ask for the user's credentials in terms of their id and password. The SMTP server
will allow users to relay their message to a different server only if these credentials are correct. This
authentication mechanism ensures that no one outside the organization can use the company's SMTP
server to send messages to a third-party recipient.
The mail server program reads /etc/mail/sendmail.cf. To change the configuration of the mail server,
we should edit the /etc/mail/sendmail.mc file. When Sendmail is started or restarted with the service
sendmail restart command, a new sendmail.cf file is automatically generated if sendmail.mc has been
modified. In the exam you should generate it with the m4 command.
You can allow other computers to use your sendmail server by commenting out the
DAEMON_OPTIONS line that restricts sendmail to the loopback address (Addr=127.0.0.1).
In the sendmail.mc file, lines that begin with dnl, which stands for "delete to new line", are considered
comments. Some lines end with dnl, but lines ending in dnl are not comments.
If the sendmail service restarts without any errors, it means you have configured
sendmail successfully.
We are using another Linux system to test the sendmail server. All configuration is the same as you
have done on the server system.
Check that the sendmail and m4 rpms are installed. Open the /etc/mail/sendmail.mc file, locate line
no 116, put a dnl with a # sign at the start of the line, and save the file. All steps are the same as
those you performed on the server.
Now generate a new sendmail.cf file by using the m4 command as shown here:
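On Red Hat-style systems the usual invocation is the following, regenerating sendmail.cf from sendmail.mc and then restarting the service:

```shell
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# service sendmail restart
```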
Appliances are more commonly used by large and very large sites because they can handle extremely
high volumes (millions of messages per day) and can be configured in redundant configurations so that
no single failure will disable spam filtering. The appliances are basically high-quality PCs with custom mail
software and special configuration front-ends. They are complex devices and generally require expert
mail administrators to get the most out of them, although the vendors will configure and maintain them,
for a fee. The very largest sites (AOL, Yahoo, Google and MSN Hotmail) essentially build their own custom
appliances. Appliances will work in front of any MTA.
Anti-spam techniques
To prevent email spam (aka unsolicited bulk email), both end users and administrators of email systems
use various anti-spam techniques. Some of these techniques have been embedded in products, services
and software to ease the burden on users and administrators. No one technique is a complete solution to
the spam problem, and each has trade-offs between incorrectly rejecting legitimate email vs. not
rejecting all spam, and the associated costs in time and effort.
Anti-spam techniques can be broken into four broad categories: those that require actions by individuals,
those that can be automated by email administrators, those that can be automated by email senders and
those employed by researchers and law enforcement officials.
The original SMTP specification did not include a facility for authentication of senders.
Subsequently, the SMTP-AUTH extension was defined by RFC 2554.[19] The SMTP extension
(ESMTP) provides a mechanism for email clients to specify a security mechanism to a mail server,
authenticate the exchange, and negotiate a security profile (Simple Authentication and Security
Layer, SASL) for subsequent message transfers.
Microsoft products implement the proprietary Secure Password Authentication (SPA) protocol through
the use of the SMTP-AUTH extension.
Modifying SMTP extensively, or replacing it completely, is not believed to be practical, due to the
network effects of the huge installed base of SMTP. Internet Mail 2000 was one such proposal for
replacement.
Spam is enabled by several factors: vendors implementing MTAs that are not standards-compliant, which makes it difficult for other MTAs to enforce standards; security vulnerabilities within the operating system (often exacerbated by always-on broadband connections) that allow spammers to remotely control end-user PCs and cause them to send spam; and a lack of "intelligence" in many MTAs.
There are a number of proposals for sideband protocols that will assist SMTP operation. The Anti-
Spam Research Group (ASRG) of the Internet Research Task Force (IRTF) is working on a
number of E-mail authentication and other proposals for providing simple source authentication
that is flexible, lightweight, and scalable. Recent Internet Engineering Task Force (IETF) activities
include MARID (2004) leading to two approved IETF experiments in 2005, and DomainKeys
Identified Mail in 2006.
OSPF is an interior gateway protocol that routes Internet Protocol (IP) packets solely within a
single routing domain (autonomous system). It gathers link state information from available
routers and constructs a topology map of the network. The topology determines the routing table
presented to the Internet Layer which makes routing decisions based solely on the destination IP
address found in IP packets. OSPF was designed to support variable-length subnet masking
(VLSM) or Classless Inter-Domain Routing (CIDR) addressing models.
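To make the VLSM/CIDR idea concrete, here is a small sketch (not from these notes) that derives the dotted-quad netmask from a prefix length using shell arithmetic; cidr_to_mask is a hypothetical helper name:

```shell
# Derive a dotted-quad netmask from a CIDR prefix length.
cidr_to_mask() {
  local prefix=$1
  # Set the top "prefix" bits of a 32-bit word, clear the rest.
  local mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  printf '%d.%d.%d.%d\n' \
    $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
    $(( (mask >> 8)  & 255 )) $((  mask        & 255 ))
}
cidr_to_mask 26   # → 255.255.255.192 (a /26: 64 addresses)
cidr_to_mask 19   # → 255.255.224.0  (a /19 supernet)
```

Classful routing protocols could not carry the prefix length, which is why support for arbitrary masks like these had to be designed into OSPF.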
OSPF detects changes in the topology, such as link failures, very quickly and converges on a new
loop-free routing structure within seconds. It computes the shortest path tree for each route using
a method based on Dijkstra's algorithm, a shortest path first algorithm.
The link-state information is maintained on each router as a link-state database (LSDB) which is
a tree-image of the entire network topology. Identical copies of the LSDB are periodically
updated through flooding on all OSPF routers.
The OSPF routing policies to construct a route table are governed by link cost factors (external
metrics) associated with each routing interface. Cost factors may be the distance of a router
(round-trip time), network throughput of a link, or link availability and reliability, expressed as
simple unitless numbers. This provides a dynamic process of traffic load balancing between
routes of equal cost.
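As an illustration of how such unitless cost numbers are commonly derived: the OSPF standard does not mandate any formula, but Cisco's default is reference bandwidth divided by link bandwidth, with a 100 Mbit/s reference. A quick sketch of that convention:

```shell
# Cisco-style default OSPF interface cost: reference_bw / link_bw (integer division).
ref_bw=100000000                # 100 Mbit/s reference bandwidth (Cisco default)
ospf_cost() { echo $(( ref_bw / $1 )); }
ospf_cost 10000000    # 10 Mbit/s Ethernet → 10
ospf_cost 100000000   # Fast Ethernet     → 1
ospf_cost 1544000     # T1 link           → 64
```

Note that with this default, any link of 100 Mbit/s or faster gets cost 1, which is why administrators often raise the reference bandwidth on gigabit networks.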
An OSPF network may be structured, or subdivided, into routing areas to simplify administration
and optimize traffic and resource utilization. Areas are identified by 32-bit numbers, expressed
either simply in decimal, or often in octet-based dot-decimal notation, familiar from IPv4 address
notation.
By convention, area 0 (zero) or 0.0.0.0 represents the core or backbone region of an OSPF
network. The identifications of other areas may be chosen at will; often, administrators select the
IP address of a main router in an area as the area's identification. Each additional area must have
a direct or virtual connection to the backbone OSPF area. Such connections are maintained by an
interconnecting router, known as area border router (ABR). An ABR maintains separate link
state databases for each area it serves and maintains summarized routes for all areas in the
network.
OSPF does not use a TCP/IP transport protocol (UDP, TCP), but is encapsulated directly in IP
datagrams with protocol number 89. This is in contrast to other routing protocols, such as the
Routing Information Protocol (RIP), or the Border Gateway Protocol (BGP). OSPF handles its
own error detection and correction functions.
OSPF uses multicast addressing for route flooding on a broadcast network link. For non-broadcast networks, special configuration provisions facilitate neighbor discovery. OSPF multicast IP packets never traverse IP routers; they never travel more than one hop. OSPF reserves the multicast addresses 224.0.0.5 for IPv4 or FF02::5 for IPv6 (all SPF/link state routers, also known as AllSPFRouters) and 224.0.0.6 for IPv4 or FF02::6 for IPv6 (all Designated Routers, AllDRouters), as specified in RFC 2328 and RFC 5340.
For routing multicast IP traffic, OSPF supports the Multicast Open Shortest Path First protocol
(MOSPF) as defined in RFC 1584. Neither Cisco nor Juniper Networks include MOSPF in their
OSPF implementations. PIM (Protocol Independent Multicast) in conjunction with OSPF or
other IGPs, (Interior Gateway Protocol), is widely deployed.
The OSPF protocol, when running on IPv4, can operate securely between routers, optionally
using a variety of authentication methods to allow only trusted routers to participate in routing.
OSPFv3, running on IPv6, no longer supports protocol-internal authentication. Instead, it relies
on IPv6 protocol security (IPsec).
OSPF version 3 introduces modifications to the IPv4 implementation of the protocol. Except for
virtual links, all neighbor exchanges use IPv6 link-local addressing exclusively. The IPv6
protocol runs per link, rather than based on the subnet. All IP prefix information has been
removed from the link-state advertisements and from the Hello discovery packet making
OSPFv3 essentially protocol-independent. Despite the expanded IP addressing to 128-bits in
IPv6, area and router identifications are still based on 32-bit values.
An area border router (ABR) is a router that connects one or more areas to the main
backbone network. It is considered a member of all areas it is connected to. An ABR keeps
multiple copies of the link-state database in memory, one for each area to which that router is
connected.
An autonomous system boundary router (ASBR) is a router that is connected to more than
one Routing protocol and that exchanges routing information with routers in other protocols.
ASBRs typically also run an exterior routing protocol (e.g., BGP), or use static routes, or
both. An ASBR is used to distribute routes received from other, external ASs throughout its
own autonomous system. (An interactive ASBR simulation shows how an ASBR creates
External LSA for external addresses and floods them to all areas via ABR.) Routers in other
areas use ABR as next hop to access external addresses. Then ABR forwards packets to the
ASBR that announces the external addresses.
An internal router is a router that has OSPF neighbor relationships with interfaces in the
same area. An internal router has all its interfaces in a single area.
Backbone routers are all routers that are connected to the OSPF backbone, irrespective of
whether they are also area border routers or internal routers of the backbone area. An area
border router is always a backbone router, since all areas must be either directly connected to
the backbone or connected to the backbone via a virtual link (spanning across another area to
get to the backbone).
Applications
OSPF was the first widely deployed routing protocol that could converge a network in the low
seconds, and guarantee loop-free paths. It has many features that allow the imposition of policies
about the propagation of routes that it may be appropriate to keep local, for load sharing, and for
selective route importing more than IS-IS. IS-IS, in contrast, can be tuned for lower overhead in
a stable network, the sort more common in ISP than enterprise networks. There are some
historical accidents that made IS-IS the preferred IGP for ISPs, but ISPs today may well choose
to use the features of the now-efficient implementations of OSPF, after first considering the pros
and cons of IS-IS in service provider environments.
As mentioned, OSPF can provide better load-sharing on external links than other IGPs. When the
default route to an ISP is injected into OSPF from multiple ASBRs as a Type I external route and
the same external cost specified, other routers will go to the ASBR with the least path cost from
its location. This can be tuned further by adjusting the external cost.
In contrast, if the default route from different ISPs is injected with different external costs, as a
Type II external route, the lower-cost default becomes the primary exit and the higher-cost
becomes the backup only.
The only real limiting factor that may compel major ISPs to select IS-IS over OSPF is if they
have a network with more than 850 routers. There is mention of an OSPF network with over
1000 routers, but that is quite uncommon and the network must be specifically designed to
minimize overhead to achieve stable operation.
support. A hop count of 16 is considered an infinite distance and used to deprecate inaccessible,
inoperable, or otherwise undesirable routes in the selection process.
RIP implements the split horizon, route poisoning and holddown mechanisms to prevent
incorrect routing information from being propagated. These are some of the stability features of
RIP. It is also possible to use the so-called RMTI (Routing Information Protocol with Metric-based Topology Investigation) algorithm to cope with the count-to-infinity problem. With its help, it is possible to detect every possible loop with very little computational effort.
Originally each RIP router transmitted full updates every 30 seconds. In the early deployments,
routing tables were small enough that the traffic was not significant. As networks grew in size,
however, it became evident there could be a massive traffic burst every 30 seconds, even if the
routers had been initialized at random times. It was thought, as a result of random initialization,
the routing updates would spread out in time, but this was not true in practice. Sally Floyd and
Van Jacobson showed in 1994 that, without slight randomization of the update timer, the timers
synchronized over time. In most current networking environments, RIP is not the preferred
choice for routing as its time to converge and scalability are poor compared to EIGRP, OSPF, or
IS-IS (the latter two being link-state routing protocols), and (without RMTI) a hop limit severely
limits the size of network it can be used in. However, it is easy to configure, because RIP does not require any parameters on a router, unlike other protocols.
RIP uses the User Datagram Protocol (UDP) as its transport protocol, and is assigned the
reserved port number 520.
Limitations
• Without using RMTI, the hop count cannot exceed 15; a route that exceeds this limit is considered invalid.
• Most RIP networks are flat. There is no concept of areas or boundaries in RIP networks.
• Variable Length Subnet Masks were not supported by RIP version 1.
• Without using RMTI, RIP has slow convergence and count to infinity problems.
Introduction To Webmin
Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can set up user accounts, Apache, DNS, file sharing and so on.
Webmin consists of a simple web server, and a number of CGI programs which directly update
system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are
written in Perl version 5, and use no non-standard Perl modules.
Almost all the development of Webmin was done by Jamie Cameron, though many people have
contributed patches and translations into additional languages. There are also many third-party
modules that were developed by other people separately.
Because Webmin supports the concept of modules (like PhotoShop plugins), anyone can develop
and distribute their own Webmin modules for any purpose, and distribute them under any licence
(such as GPL, commercial or shareware).
What is Usermin?
Usermin is a web-based interface for webmail, password changing, mail filters, fetchmail and
much more. It is designed for use by regular non-root users on a Unix system, and limits them to
tasks that they would be able to perform if logged in via SSH or at the console.
Most users of Usermin are sysadmins looking for a simple webmail interface to offer their
customers. Unlike most other webmail solutions, it can be used to change passwords, read email with no additional servers installed (like IMAP or POP3), and set up users' Procmail configurations for forwarding, spam filtering and autoresponders.
Usermin also provides web interfaces for viewing and managing data in MySQL and
PostgreSQL databases, editing Apache .htaccess configuration files, and running commands on
the server. The administrator has full control over which of these modules are available to users.
By far the easiest way to configure Usermin is via the Usermin Configuration module in
Webmin. All functionality can be managed via a browser, and because both products come from
the same developer the management user interface is always up to date.
TeamViewer
TeamViewer is a proprietary computer software package for remote control, desktop sharing,
online meetings, web conferencing and file transfer between computers. The software operates
with the Microsoft Windows, Mac OS X, Linux, iOS, and Android operating systems. It is
possible to access a machine running TeamViewer with a web browser. While the main focus of
the application is remote control of computers, collaboration and presentation features are
included.
TeamViewer GmbH was founded in 2005 in Uhingen, Germany. TeamViewer is now owned by
GFI.
Establishing connections
TeamViewer may be installed with an installation procedure, although the 'Quick Support'
version will run without installation. To connect to another computer, TeamViewer has to be
running on both machines. To install TeamViewer, administrator access is required, but once
installed it can be run by any user. When TeamViewer is started on a computer, it generates a
partner ID and password (user-defined passwords are also supported). To establish a connection
from a local client to a remote host machine, the local operator must communicate with the
remote operator, request the ID and password, then enter these into the local TeamViewer.
To start an online meeting, the presenter gives the Meeting ID to the participants. They join the meeting by using the TeamViewer full version or by logging on to http://go.teamviewer.com/ and entering the Meeting ID.
Telnet
Telnet is a program that allows users to log into your server and get a command prompt just as if
they were logged into the VGA console. The Telnet server RPM is installed and disabled by
default on Fedora Linux.
One of the disadvantages of Telnet is that the data is sent as clear text. This means that it is
possible for someone to use a network analyzer to peek into your data packets and see your
username and password. A more secure method for remote logins would be via Secure Shell
(SSH) which uses varying degrees of encryption.
In spite of this, the older Telnet application remains popular. Many network devices don't have
SSH clients, making telnet the only means of accessing other devices and servers from them.
The command to do remote logins via telnet from the command line is simple. You enter the word telnet
and then the IP address or server name to which you want to connect.
Most Linux software products are available in a precompiled package format. Downloading and
installing packages isn't hard.
When searching for the file, remember that the Telnet server RPM's filename usually starts with the word "telnet-server" followed by a version number, as in telnet-server-0.17-28.i386.rpm.
Redhat / Fedora
You can also use the chkconfig --list command to verify that telnet will be started on the next
reboot.
[root@bigboy tmp]# chkconfig --list | grep telnet
telnet:         on
[root@bigboy tmp]#
Use the chkconfig command to deactivate telnet so that it stays off, even after the next reboot.
[root@bigboy tmp]# chkconfig telnet off
SSH
SSH is an abbreviation of Secure Shell. It is a protocol that allows secure connections between computers. In this tutorial, we'll be dealing with the ssh command on Linux, the OpenSSH version. Most Linux distributions feature the OpenSSH client today, but if you want to be sure, have a look at the SSH manpage on your system. You can do this by typing: man ssh
Note: this should be done in a terminal. This tutorial assumes that you have some basic terminal
knowledge, like knowing how to start a terminal session on your system and being familiar with
the basic commands and syntaxes.
NAME
ssh – OpenSSH SSH client (remote login program)
If the manpage shows a header like the above, the OpenSSH client is installed and you can continue with this tutorial.
Note: If you do not have any ssh server nearby that you can access, you can also try this
command with your own computer as a server. To do this, replace “yourserver” with
“localhost”.
Of course, yourserver should be replaced by a hostname or an IP address of the server you want to connect to. As you can see in the terminal snippet, I am logged in as pineehad. If you do not
specify a username (I’ll explain how to do that later in this tutorial), SSH will assume that you
want to login with the username you’re currently logged in with. So, in this case, SSH will try
the username pineehad.
Of course, you need to be sure that the server supports ssh connections. The ssh client tries to connect to port 22 by default. This means that, if you want to connect to a remote host with the
default settings, you should make sure that, if applicable, port 22 is forwarded to the server
you’re trying to connect to. You will find more regarding the SSH port further in this tutorial.
Now, back to the command we ran. If the server supports SSH connections and you can reach it
by port 22, you should be prompted for a password (if this is the first time you try to connect to
the server, ssh will first ask the question if you want to continue connecting, which can generally
just be answered with a ‘yes’). If you type a password here, you won’t see asterisks appearing.
Don’t panic, this is ssh’s normal behaviour. It makes connecting using ssh even safer,
because any accidental spectators won’t be able to see the length of the password. After entering
the password, if the username and the password were correct, you should be running a shell on
the server. If not, make sure you are connecting to a server of which you know that you should be
able to login with your username and the specified password. You could try connecting to your
own computer (see the note beneath the terminal quote) or read on to learn how to specify
another username.
Once you’re done trying the ssh shell, you can exit it by pressing Ctrl + D.
Specifying a username
It’s actually quite simple to specify a different username. You might even already be familiar with it. See the following example:
ssh yourusername@yourserver
The above will make ssh try to connect with the username “yourusername” instead of (in my
case) pineehad. This syntax is also used by a lot of other protocols, so it’ll always come in handy
to know it. By the way, you will still be asked for a password. For security reasons, it is not even possible to directly specify the password in the syntax. You will always be asked interactively, unless you start configuring the server in an advanced way (which is exactly why that topic is out of this tutorial's scope: this tutorial documents how to use the clients, not how to configure the server).
Specifying a port
There are many reasons to move the ssh service to another port. One of them is avoiding brute-force login attempts. Certain hackers try to get access to ssh servers by trying a lot of
common usernames with common passwords (think of a user “john” with password “doe”).
Although it is very unlikely that these hackers will ever get access to the system, there is another
aspect of the brute-force attacks that you’ll generally want to avoid: the system and connection
load. The brute-force attacks usually are done with dozens or even thousands of tries a second,
and this unnecessarily slows down the server and takes some bandwidth which could’ve been
used a lot better. By changing the port to a non-default one, the scripts of the hackers will just be
refused and most of the bandwidth will be saved.
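On the server side, moving the service to another port is a one-line change in the OpenSSH daemon configuration; a sketch, with 2222 as an arbitrary example port:

```shell
# In /etc/ssh/sshd_config (OpenSSH server), change the listening port:
Port 2222
# Then restart the ssh daemon so the change takes effect, e.g. on Fedora:
#   service sshd restart
```

Clients then have to name the port explicitly when connecting, which is exactly what the -p option described below is for.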
As the ssh command can’t just guess the port, we will have to specify it if it’s not the default 22. You can do that this way:
ssh -p yourport yourserver
Of course, you will have to replace “yourport” with the port number. There is an important difference between ssh and scp on this point. I’ll explain it further on.
You can also use ssh to run a single command on the server, for example:
ssh yourserver updatedb
This will make the server update its searching database. Of course, this is a very simple command without arguments. What if you’d want to tell someone about the latest news you read on the web? You might think that the following will give him/her that message:
ssh yourserver wall "The weather will be great today!!!"
What happened? Bash (the program behind your shell) tried to interpret the command you
wanted to give ssh. This fails because there are exclamation marks in the command, which bash
will interpret as special characters that should initiate a bash function. But we don’t want this, we
just want bash to give the command to ssh! Well, there’s a very simple way to tell bash not to worry about the contents of the command but just pass it on to ssh already: wrapping it in single quotes. Have a look at this:
ssh yourserver 'wall "The weather will be great today!!!"'
The single quotes prevent bash from trying to interpret the command, so ssh receives it
unmodified and can send it to the server as it should. Don’t forget that the single quotes should
be around the whole command, not anywhere else.
SCP
The scp command allows you to copy files over ssh connections. This is pretty useful if you want
to transport files between computers, for example to backup something. The scp command uses
the ssh command and they are very much alike. However, there are some important differences.
The scp command can be used in three* ways: to copy from a (remote) server to your computer,
to copy from your computer to a (remote) server, and to copy from a (remote) server to another
(remote) server. In the third case, the data is transferred directly between the servers; your own
computer will only tell the servers what to do. These options are very useful for a lot of things
that require files to be transferred, so let’s have a look at the syntax of this command:
scp examplefile yourusername@yourserver:/home/yourusername/
Looks quite familiar, right? But there are differences. The command above will transfer the file
“examplefile” to the directory “/home/yourusername/” at the server “yourserver”, trying to get
ssh access with the username “yourusername”. That’s quite a lot of information, but scp really needs
it all. Well, almost all of it. You could leave out the “yourusername@” in front of “yourserver”,
but only if you want to login on the server with your current username on your own computer.
Let’s have a closer look at the end of the command. There’s a colon over there, with a directory
after it. Just like Linux’s normal cp command, scp will need to know both the source file(s) and the target directory (or file). For remote hosts, the file(s)/directory are given to the scp command in this way.
You can also copy a file (or multiple files) from the (remote) server to your own computer. Let’s have a look at an example of that:
scp yourusername@yourserver:/home/yourusername/examplefile .
Note: The dot at the end means the current local directory. This is a handy trick that can be used almost everywhere in Linux. Besides a single dot, you can also type a double dot ( .. ), which is the parent directory of the current directory.
This will copy the file “/home/yourusername/examplefile” to the current directory on your own
computer, provided that the username and password are correct and that the file actually exists.
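The "." and ".." shortcuts work with every file command, not just scp; a tiny local demonstration:

```shell
# "." is the current directory, ".." its parent -- usable with any command.
tmp=$(mktemp -d)
mkdir "$tmp/sub"
echo hello > "$tmp/file"
cd "$tmp/sub"
cp ../file .    # copy "file" from the parent directory into the current one
ls .            # → file
```

This is why the scp example above ends in a bare dot: it simply names the local destination directory.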
You probably already guessed that the following command copies a file from a (remote) server to another (remote) server:
scp yourusername@yourserver:/home/yourusername/examplefile yourusername2@yourserver2:/home/yourusername2/
Please note that, to make the above command work, the servers must be able to reach each other,
as the data will be transferred directly between them. If the servers somehow can’t reach each
other (for example, if port 22 is not open on one of the sides) you won’t be able to copy anything.
In that case, copy the files to your own computer first, then to the other host. Or make the servers
able to reach each other (for example by opening the port).
Well, those are the main uses of scp. We’ll now go a bit more in-depth about the differences
between ssh and scp.
*: Actually you can also use it just like the normal cp command, without any ssh connections in it, but that’s quite useless. It requires you to type an extra ‘s’ =).
This is caused by the different architecture of scp. It aims to resemble cp, and cp also features the
-p option. However, in cp terms it means ‘preserve’, and it causes the cp command to preserve
things like ownership, permissions and creation dates. The scp command can also preserve things
like that, and the -p option enables this feature. The port specification should be done with the -P option. Therefore, the following command will work:
scp -P yourport examplefile yourusername@yourserver:/home/yourusername/
Also note that the -P option must be in front of the (remote) server. The ssh command will still
work if you put -p yourport behind the host syntax, but scp won’t. Why? Because scp also
supports copying between two servers and therefore needs to know which server the -P option
applies to.
rsync
rsync is a software application and network protocol for Unix-like systems with ports to
Windows that synchronizes files and directories from one location to another while minimizing
data transfer by using delta encoding when appropriate. Quoting the official website: "rsync is a file transfer program for Unix systems. rsync uses the 'rsync algorithm' which provides a very fast method for bringing remote files into sync." An important feature of rsync not found in most
similar programs/protocols is that the mirroring takes place with only one transmission in each
direction. rsync can copy or display directory contents and copy files, optionally using
compression and recursion.
In daemon mode, rsync listens on the default TCP port of 873, serving files in the native rsync
protocol or via a remote shell such as RSH or SSH. In the latter case, the rsync client executable
must be installed on the remote machine as well as on the local machine.
rsync was originally written as a replacement for rcp and scp. As such, it has a similar syntax to
its parent programs. Like its predecessors, it still requires a source and a destination to be
specified, either of which may be remote. Because of the flexibility, speed and scriptability of
rsync, it has become a standard Linux utility and is included in all popular Linux distributions.
As a result, rsync has been ported to Windows (via Cygwin, Grsync or SFU) and Mac OS.
Possible uses:
rsync [OPTION] … SRC [SRC] … [USER@]HOST:DEST
rsync [OPTION] … [USER@]HOST:SRC [DEST]
One of the earliest applications of rsync was to implement mirroring or backup for multiple Unix
clients to a central Unix server using rsync/ssh and standard Unix accounts.
With a scheduling utility such as cron, one can schedule automated encrypted rsync-based
mirroring between multiple hosts and a central server.
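A crontab entry for such a nightly push might look like this; the paths, user and host names are hypothetical, -z compresses the stream, and -e ssh runs the transfer over an encrypted ssh connection:

```shell
# m h dom mon dow  command -- run at 02:30 every night (hypothetical example)
30 2 * * * rsync -az -e ssh /home/ backupuser@backupserver:/backups/home/
```

For unattended runs like this, ssh key-based authentication has to be set up first, since cron cannot type a password interactively.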
Examples
The preferred (and simplest) way to mirror the PuTTY website to the current directory is to use rsync:
rsync -auH rsync://rsync.chiark.greenend.org.uk/ftp/users/sgtatham/putty-website-mirror/ .