Professional Documents
Culture Documents
System Administration II
course materials
originally released under the GFDL by LinuxIT
modified and released under the GFDL by University of Zagreb University Computing Centre SRCE
(the publisher)
Acknowledgments
The original material was made available by LinuxIT's technical training centre www.linuxit.com.
The original manual is available online at http://savannah.nongnu.org/projects/lpi-manuals/.
The modified version of this manual is available at http://www.srce.unizg.hr/linux-akademija/.
History
CVS version 0.0 January 2004, Adrian Thomasset <adrian@linuxit.com>.
Reviewed/Updated April 2004, Andrew Meredith <andrew@anvil.org>.
Review/Update May 2005, Adrian Thomasset <adriant@linuxit.com>.
February 2014. Title: L220: Advanced Linux System Administration II (version 1.0). Revised and modified at
University of Zagreb University Computing Centre SRCE (the publisher) by Vladimir Braus.
Notations
Commands and filenames will appear in the text in bold.
The <> symbols are used to indicate a non optional argument.
The [] symbols are used to indicate an optional argument
Commands that can be typed directly in the shell are highlighted as below
command
No Guarantee
The manual comes with no guarantee at all.
Table of Contents
________________________________________________________________________________
Table of Contents
DNS .............................................................................................................................................. 7
1. Basic Bind Configuration ....................................................................................................... 7
1.1 The Logging Statement ....................................................................................................... 8
1.2 The Options Statement ..................................................................................................... 10
1.3 The Zone Statement ......................................................................................................... 11
1.4 The Access Control Lists (acl) Statement.......................................................................... 12
2. Create and Maintain Zone Files............................................................................................ 13
3. Securing a DNS Server ......................................................................................................... 15
3.1 Server Authentication ........................................................................................................ 15
3.2 DATA Integrity and Authenticity ........................................................................................ 17
MAIL AND LISTS ....................................................................................................................... 19
1. Using Sendmail ..................................................................................................................... 19
1.1 Configuration Settings ....................................................................................................... 19
1.2 Virtual Hosting................................................................................................................... 21
2. Configuring Mailing Lists ..................................................................................................... 22
2.1 Majordomo and Sendmail ................................................................................................. 22
3. Managing Mail Traffic ........................................................................................................... 24
3.1 Mail Filtering with Procmail................................................................................................ 24
WEB SERVICES ........................................................................................................................ 27
1. Implementing a Web Server ................................................................................................. 27
1.1 Installing Apache............................................................................................................... 27
1.2 Monitoring apache load ..................................................................................................... 27
1.3 Using Apachectl ................................................................................................................ 28
1.4 Basic Configuration Options .............................................................................................. 29
1.5 Restricting Client Access .................................................................................................. 31
1.6 Client Basic Authentication ............................................................................................... 31
2. Maintaining a Web Server..................................................................................................... 32
2.1 HTTPS Overview .............................................................................................................. 32
2.2 SSL Virtual Hosts .............................................................................................................. 33
2.3 Managing Certificates ....................................................................................................... 34
2.4 Virtual Hosts ..................................................................................................................... 35
3. Implementing a Proxy Server ............................................................................................... 37
3.1 Getting Started .................................................................................................................. 37
3.2 Access Lists and Access Control ...................................................................................... 37
3.3 Additional Configuration Options ....................................................................................... 39
3.4 Reporting Tools................................................................................................................. 40
3.5 User Authentication (using PAM) ...................................................................................... 42
Table of Contents
________________________________________________________________________________
DNS
________________________________________________________________________________
DNS
NOTICE
Computer name resolution can be performed in a number of ways, including /etc/hosts
file and DNS.
/etc/hosts file is a convenient way to manage name resolution for a small number of
computers, such as a small home network with just two or three machines. /etc/hosts
must be updated on every computer on a network whenever any machines name or IP
address changes or whenever a computer is added to or removed from the network.
In addition to /etc/hosts and DNS, several other name resolution systems exist, including
Network Information Service (NIS), Windows Internet Name Service (WINS), and more.
Specify where logs are written too and what needs to be logged
options
Global options are set here (e.g the path to the zone files)
zone
Defines a zone: the name, the zone file, the server type
acl
server
Let's look at a typical configuration file for a caching only server. We will add entries to it as
we go to create new zones, logging facilities, security, etc.
DNS
________________________________________________________________________________
Skeleton named.conf file
options {
directory "/var/named";
datasize 100M;
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
The channel defines where logs are sent to (file, syslog or null). If syslog is selected then
the facility and the log level can be specified too.
DNS
________________________________________________________________________________
The category clause defines the type of information sent to a given channel (or list of
channels). The type of channel is given then the default logging facility is used
category default { default_syslog; default_debug; };
Example:
We choose not to use the syslog daemon and log everything to a file called LOG that will
be created in the same directory as the zone files (default /var/named/). For this we will
create the channel foo_channel. Next we want to log queries using this channel.
The entry in named.conf will look like this:
logging {
channel foo_channel {
file "LOG";
print-time yes;
print-category yes;
print-severity yes;
};
category "queries" {
"foo_channel";
};
};
Categories such as queries are predefined and listed in the named.conf(5) manpages.
However some of the names have changed since BIND 8, so we include as a reference
the list of categories for BIND 9 below:
BIND 9 Logging Categories
default
Category used when no specific channels (log levels, files ...) have
been defined
general
Catch all for messages that haven't been classified below
database
Messages about the internal zone files
security
Approval of requests
config
Processing of the configuration file
resolver
Infornation about operations performed by clients
xfer-in or xfer-out Received or sent zone files
notify
Log NOTIFY messages
client
Client activity
update
Zone updates
queries
Client Queries
dnssec
DNSEC transactions
lame-servers
Transactions sent from servers marked as lame-servers
DNS
________________________________________________________________________________
directory
The working directory of the server
directory "/var/named";
10
DNS
________________________________________________________________________________
forwarders (list)
List of servers to be used for
forwarding. The default is an empty
list.
datasize
Limit the size of the cache
datasize 512M;
allow-query (list)
A lists of hosts or networks that may query the server
allow-recursion (list)
List of hosts that can submit recursive queries
allow-transfer (list)
List of hosts (usually the slaves) who are allowed to do zone transfers
DNS
________________________________________________________________________________
The zone_file is a path to the file containing the zone records. If the path is not an absolute
path then the path is taken relatively to the directory given earlier by the directory option
(usually /var/named).
Example master zone entries, allowing zone transfers to a slave server at 10.1.2.3:
zone seafront.bar {
type master;
file "seafront.zone";
allow-transfer{10.1.2.3;);
};
zone 2.1.10.in-addr.arpa {
type master;
file "10.1.2.zone"
allow-transfer{10.1.2.3;);
};
The next example is the corresponding named.conf zone section for the slave server,
assuming the master has the IP 10.1.2.1:
zone "seafront.bar" IN {
type slave;
masters {10.1.2.1;};
file "slave/seafront.zone";
};
zone "2.1.10.in-addr.arpa" IN {
type slave;
masters {10.1.2.1;};
file "slave/10.1.2.local";
};
12
DNS
________________________________________________________________________________
There are built-in ACLs as follow:
any
all hosts
none
no host
localhost
localnets
13
DNS
________________________________________________________________________________
The root-name is often replaced with an @ symbol which resolves to the name of the
zone specified in named.conf.
Example:
$TTL
@
1D
86400
IN
SOA
ns.seafront.bar. root.seafront.bar. (
46
; serial (d. adams)
1H
; refresh
15M
; retry
1W
; expiry
1D )
; minimum
NS
ns
NOTICE
1. If the name of the domain is missing then @ is assumed
2. The fully qualified name of the name-server is ns.seafront.bar.. A host name that
doesn't end with a dot will automatically have the domain-name '@' appended to it.
Here for example
ns becomes ns.seafront.bar.
14
DNS
________________________________________________________________________________
Example:
devel.myco.com.
ns1
IN NS
IN A
ns1.devel.myco.com
192.168.21.254
IN PTR
host-name
These keys must NOT be inserted in the zone files (there is an IN KEY
section in the public key that is misleading, looks like a RR).
The public and the private keys are identical: this means that the private key
can be kept in any location. This also means that the public key shouldn't be
published.
15
DNS
________________________________________________________________________________
The content of the Kseafront.bar.+157+49196.key is:
seafront.bar. IN KEY 512 3 157 QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4=
2. In the same directory as the server's named.conf configuration file create the file
slave.key with the following content:
key "seafront.bar." {
algorithm hmac-md5;
secret "QN3vIApnV76WS+a2Hr3qj+AqZjpuPjQgVWeeMMGSBC4=";
};
3. Apply the following changes in named.conf:
include "/etc/slave.key";
zone "seafront.bar" IN {
type master;
file "seafront.zone";
allow-transfer { key seafront.bar.; };
};
zone 2.1.10.in-addr.arpa {
type master;
file "10.1.2.zone"
allow-transfer { key seafront.bar.; );
};
Slave Configuration
Copy the slave.key file to the slave server in the directory containing named.conf. Add
the following server and include statements to named.conf:
server 10.1.2.1 {
keys {seafront.bar.;};
};
include "/etc/slave.key";
Troubleshooting
Restart named on both servers and monitor the logs. Notice that DNSSEC is sensitive to
time stamps so you will need to synchronise the servers (using NTP). Then run the
following command on the master server in the same directory where the dnssec keys
16
DNS
________________________________________________________________________________
where generated:
dig @10.1.2.1 seafront.bar AXFR -k Kseafront.bar.+157+49196.key
New RR records
The integrity and authenticity of data is guaranteed by signing the Resource Records using
a private key. These signatures can be verified using a public DNSKEY. Only the validity
of the DNSKEY needs to be established by the parent server or delegation signer DS.
So we have the following new RRs in the zone files:
RRSIG
DNSKEY
DS
17
seafront.bar.
DNS
________________________________________________________________________________
2. Insert the public key into the unsigned zone file:
cat
Kseafront.bar.+003+31173.key
>> seafront.bar
-o
seafront.bar
Kseafront.bar.+003+31173
This is due to the fact that the dnssec-signzone tool doesn't support the -k switch which
would allow to make use of a key signing key (KSK) which is then forwarded to a parent
zone to generate a DS record.
If you want to make use of this signed zone, change the filename in named.conf to
seafront.bar.signed
18
________________________________________________________________________________
1. Using Sendmail
Sendmail is a general purpose internetwork email routing facility that supports many kinds
of mail-transfer and delivery methods, including the Simple Mail Transfer Protocol
(SMTP) used for email transport over the Internet.
IN
MX 10
test1.seafront.bar.
test1.seafront.bar.
IN
192.168.246.12
19
________________________________________________________________________________
2. Next we need to make sure that this information is read by the resolvers, so we add the
following at the top of the file /etc/resolv.conf:
nameserver 127.0.0.1
domain seafront.bar
Sendmail Settings
We go into sendmail's main configuration directory /etc/mail. Here we need to do the
following:
1. By default sendmail is configured to listen for connections ONLY for the 127.0.0.1
interface. In order to make sendmail listen to all interfaces we need to comment out the
following line in /etc/mail/sendmail.mc using 'dnl' which stands for do next line:
dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
RELAY
4. Finally, we also need to tell sendmail to accept mail for @seafront.bar addresses.
For this, add the domain name to /etc/mail/local-host-names:
seafront.bar
Restart sendmail and send a mail to an existing user. If you have a user tux on the
machine then check the output of the following:
mail -v -s "test seafront domain" tux@seafront.bar < /etc/passwd
20
________________________________________________________________________________
IN
MX 10
test1.seafront.bar.
city.bar.
IN
MX 10
test1.seafront.bar.
test1.seafront.bar.
IN
192.168.246.12
Sendmail Settings
1. We need to make sendmail accept mail for users at @city.bar. For this we add the next
line to the local-host-names file:
city.bar
If mail is sent to tux@city.bar and tux is a valid user on test1.seafront.bar
then mail will be delivered to the local user tux.
To avoid this we can use the /etc/mail/virtusertable database.
2. If you want to forward mail onto another account here are example entries for the
virtusertable database:
tux@city.bar
@city.bar
list@city.bar
mr.tux@otherdomain.org
administrator
local-list
Here mail for user tux is diverted to mr.tux@otherdomain.org, the user administrator is
the catchall account and lists are redirected to local lists (this needs to point to a valid
list defined in the aliases).
21
________________________________________________________________________________
________________________________________________________________________________
Sendmail Configuration
The sendmail configuration involves adding appropriate entries in /etc/aliases for each
mailing list we create. But before that we need a symbolic link in /etc/smrsh pointing to the
majordomo wrapper binary, and here is why.
In order to limit the number of programs mail can be piped to (using a '| command' instead
of an email address) sendmail defines a set of commands known as sendmail restricted
shells or smrsh. The list of restricted shells is contained in /etc/smrsh which are symbolic
links to the actual binaries we allow mail to be piped to.
We will make the wrapper binary available, which is located in /usr/test/majordomo-1.94.5,
with the following:
ln -s
/usr/test/majordomo-1.94.5/wrapper /etc/smrsh
Before adding the entries to /etc/aliases we need to decide on a name for our first list, and
we choose ... test.
Remember that before sending mail to the list test@seafront.bar we first need to subscribe
to this list by sending a mail to majordomo@seafront.bar with the contents subscribe
test. Some work needs to be done for this to work.
Creating the list test (as documented in NEWLIST):
1. Create an empty file called test and a file containing information about the list called
test.info in the directory /usr/test/majordomo-1.94.5/lists/
2. Create the following aliases in /etc/aliases:
majordomo:
test:
test-list:
test-request:
owner-test:
test-approval:
"|/usr/test/majordomo-1.94.5/wrapper majordomo"
"|/usr/test/majordomo-1.94.5/wrapper resend -l test test-list"
:include:/usr/test/majordomo-1.94.5/lists/test
"|/usr/test/majordomo-1.94.5/wrapper request-answer test"
tux
tux
________________________________________________________________________________
Flags Description
H
This recipe only executes if the immediately preceding recipe was not executed.
Wait for the filter or program to finish and check its exit code
24
________________________________________________________________________________
The conditions are extended regular expressions with the additional conditions below:
Conditions
Description
<
Check if the total length of the mail is shorter than the specified (in decimal)
number of bytes
>
Check if the total length of the mail is larger than the specified (in decimal)
number of bytes
Description
Followed by at least one space, tab or newline will mark the start of a
nesting block
Anything
else
Examples:
Sort all mail coming from the lpi-dev mailing list into the mail folder LPI:
:0:
* ^To.*lpi-dev
LPI
Forward mails between two accounts main.address and the-other.address. This rule is for
the procmailrc on the main address account. Notice the X-Loop header used to prevent
loops:
:0 c
* !^X-Loop: yourname@main.address
| formail -A "X-Loop: yourname@main.address" | \
$SENDMAIL -oi yourname@the-other.address
The c option tells Procmail to keep a local copy.
25
________________________________________________________________________________
Filtering Spam
Spam filtering generally takes place using SpamAssassin. This program analyzes your
mail for its likely level of "spamminess", and gives it a numeric score; anything greater than
5 is generally considered spam, and is marked up as such, by adding an "X-Spam-Status:
yes" header.
The new mail server automatically runs all emails through SpamAssassin. You can filter
messages that SpamAssassin marks as spam by adding the following recipe to your
.procmailrc file:
:0:
* ^X-Spam-Status: yes
spam
26
Web Services
________________________________________________________________________________
Web Services
1. Implementing a Web Server
1.1 Installing Apache
The apache source code can be downloaded from www.apache.org.
There are two versions of the apache server: 1.3 and 2.x
The configure script allows us to customise the installation. In particular we can choose
which modules we want to compile etc. Modules can either be
- statically compiled with
--enable-MODULE (where MODULE is the Module Indentifier ) or
--enable-modules=MOD1 MOD2 ...
- dynamically compiled with
--enable-mods-shared=MOD1 MOD2 ...
-disabled with
--disable-MODULE
Web Services
________________________________________________________________________________
MRTG
MRTG stands for multi-router traffic grapher and uses SNMP to get information about the
system.
cfgmaker
--output=/etc/mrtg/seafront.cfg \
-ifref=ip --global "workdir: /var/www/mrtg/stats" \
lifesavers@localhost
This will create a file called /etc/mrtg/seafront.cfg. We next update the information in
/var/www/mrtg/stats with the following command:
mkdir /var/www/mrtg/stats
mrtg /etc/mrtg/seafront.cfg
This should be run at regular intervals so it should be run through a cron job.
Task: The graphical output for MRTG will be saved in /var/www/mrtg/stats as an HTML
document. This is not a usual place to keep files for the apache server. After the next
section, we will make the appropriate changes to httpd.conf to make this directory
accessible through the webserver.
Many other tools are available such as Webalizer which analyse the access logs of the
apache server.
stop
restart
28
Web Services
________________________________________________________________________________
fullstatus
Displays a full status report from mod_status. For this to work, you
need to have mod_status enabled on your server and a text-based
browser such as lynx available on your system. The URL used to
access the status report can be set by editing the STATUSURL
variable in the script.
status
graceful
configtest
MaxKeepAliveRequests 100
KeepAliveTimeout 15
MinSpareServers 5
MaxSpareServers 20
MaxClients 150
MaxRequestsPerChild 1000
29
Web Services
________________________________________________________________________________
Multi Threaded Server
These options are available only for apache2 and onwards. You need to recompile apache
to enable threads. Most current apache2 binary distributions are still single threaded
because of conflicts with most dynamic modules which don't support multi threading yet.
StartServers 2
Notice that this is much lower than the single threaded server
MinSpareThreads 25
MaxSpareThreads 75
ThreadsPerChild 25
MaxClients 150
MaxRequestsPerChild 0
Never retires?
Listen 80
Include FILE
User
Group
DocumentRoot
<Directory>
Alias
AliasScript
DirectoryIndex
<VirtualHost HOSTNAME:PORT>
30
Web Services
________________________________________________________________________________
31
Web Services
________________________________________________________________________________
<Directory /var/www/html/seafront>
AuthType basic
AuthName "protected site"
AuthUserFile conf/seafront.passwd
Require user gnu
</Directory>
Notice: Alternatively, with httpd2 configurations we could create a file called seafront.conf
with the above content and save it in the /etc/httpd/conf.d directory.
Reread the configuration file with:
apachectl graceful
32
Web Services
________________________________________________________________________________
2 Send Certificate
client
server
3
4
Encrypt HTTP session with session key
On the other hand communications would be too slow if the session was encrypted using
public key encryption. Instead, once the authenticity of the server is established, the client
generates a unique secret session key which is encrypted using the servers public key
found in the certificate. Once the server receives this session key it can decrypt it using the
private key associated with the certificate. From there on the communication is encrypted
and decrypted using this secrete session key generated by the client.
33
Web Services
________________________________________________________________________________
The SSL CONFIGURATION lines are:
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile PATH_TO_FILE.crt
SSLCertificateKeyFile PATH_TO_FILE.key
We need to generate the servers private key (FILE.key) and certificate (FILE.crt) to
complete this configuration.
req -new
This file can be sent to a certificate authority (CA) to be signed. The certificate authority
will send back the signed certificate.
34
Web Services
________________________________________________________________________________
Pass Phrases
A private key can be generated with or without a passphase, and a private key without a
passphrase can be constructed from an existing private key.
A passphrased file: If a private key has a passphrase set then the file starts with
-----BEGIN RSA PRIVATE KEY----Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC, ---- snip ---.....
this means that the file is protected by a pass-phrase using 3DES. This was generated by
the line /usr/bin/openssl genrsa -des3 1024 > $@ in the Makefile. If the -des3
flag is omitted NO passphrase is set.
You can generate a new private key (mysite-nophrase.key) without a passphrase from the
old private key (mysite.key) as follows:
openssl rsa -in mysite.key -out mysite-nopass.key
test1.seafront.bar. IN CNAME
server1
IN A
server1.seafront.bar.
192.x.x.x
35
Web Services
________________________________________________________________________________
Example 2: Create an SSL aware VirtualHost for test1
- Make the certificate and the key: make host1.seafront.bar
- Add these lines to httpd.conf:
<VirtualHost 192.168.3.200:443>
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/test1.seafront.bar.crt
SSLCertificateKeyFile /etc/httpd/conf/test1.seafront.bar.out
ServerAdmin webmaster@seafront.bar
DocumentRoot /var/www/html/test1
ServerName test1.seafront.bar
</VirtualHost>
Notice that the certificate that is presented once you connect to the https://test1 site is
incorrect. This is because test1.seafront.bar resolves to the servers IP address and the
server will start the SSL handshake before looking at the HTTP request. The next section
will fix that.
IP Based Virtual Hosts
Example: We will directly create a series of virtual SSL aware hosts and verify that they
present the client with the correct certificate.
- Assign new IP addresses to the eth0 interface: ifconfig eth0:0 X.X.X.X
- For each IP enter a new A record: www1 IN A X.X.X.X
- For each host create a self signed certificate.
- Enter a <VirtualHost X.X.X.X:443> paragraph in httpd.conf.
Notice: You may have to change the existing SSL virtual host from
<VirtualHost _default_:443>
to
<VirtualHost 127.0.0.1:443>
This prevents the default host certificate from being presented irrespective of the site
hostname.
Test that https://www1 and https://www2 do present the proper certificates.
Notice that if you permanently accept a certificate it will be added to the list of CA
certificates on your browser!
36
Web Services
________________________________________________________________________________
NOTICE
You may need to add an access rule in the squid configuration file before being able to
rebuild the cache (see the next section Access Lists and Access Control)
The configuration file is /etc/squid/squid.conf. The syntax of this file can be checked
using the -k switch:
squid -k check
As with most network services the /etc/init.d/squid rc-script is used to start the service.
aclname
acltype
string/file
In the simplest cases an acl defines a list of hosts, networks or domains and is given a
name. This list can then be granted or denied access using the access control command
http_access described in the next paragraph.
37
Web Services
________________________________________________________________________________
The next line defines an access list name called localnet corresponding to the local LAN:
acl localnet src 192.168.2.0/255.255.255.0
The main ACL types are listed below:
acltype
description
src
dst
arp
MAC address
srcdomain
dstdomain
time
range of times
port
With http_access a particular access list is either allowed or denied access via the proxy.
The format is as follows:
http_access
allow|deny
aclname
The http_access requests are read in sequence and the first rule matched is used. To
allow access to all computers on the network insert the following before the http_access
deny all line:
http_access allow localnet
38
Web Services
________________________________________________________________________________
Description
http_port
cache_peer
cache_mem
cache_swap_low
cache_swap_high
maximum_object_size
maximum_object_size_in_memory objects larger than this will not be kept in the memory cache
Web Services
________________________________________________________________________________
221
0
0
In order to get information on webpage requests per host one can use the -R switch: There
are many more switches available (check the manpages for calamaris).
40
Web Services
________________________________________________________________________________
There are also a number of scripts that can run hourly or monthly reports. These scripts
are included in the EXAMPLES file distributed with calamaris.
calamaris -R 5 /var/log/squid/access.log
# Incoming TCP-requests by host
host / target
request
hit-%
Byte
hit-% sec
kB/sec
--------------------------------- --------- ------ -------- ------ ---- ------192.168.2.103
72
0.00
323336
0.00
0
10.24
*.redhat.com
35
0.00
126726
0.00
0
10.44
*.suse.co.
20
0.00
63503
0.00
0
13.15
*.lemonde.fr
6
0.00
109712
0.00
1
16.39
207.36.15.*
5
0.00
8946
0.00
0
3.94
*.akamai.net
4
0.00
12428
0.00
1
4.43
other: 2 requested urlhosts
2
0.00
2021
0.00
1
0.71
192.168.2.101
63
0.00
295315
0.00
1
4.65
cord.de
17
0.00
115787
0.00
0
20.86
*.doubleclick.net
13
0.00
26163
0.00
1
2.07
*.google.com
10
0.00
30646
0.00
1
3.71
*.squid-cache.org
8
0.00
51758
0.00
1
6.53
<error>
4
0.00
4290
0.00
0
10474
other: 6 requested urlhosts
11
0.00
66671
0.00
5
2.28
--------------------------------- --------- ------ -------- ------ ---- ------Sum
135
0.00
618651
0.00
1
6.51
Webalizer
This tool is often installed by default on some Linux distributions. It is also GPL'ed and can
be downloaded from http://www.mrunix.net/webalizer/.
By editing the /etc/webalizer.conf file one can choose between apache access logs, ftp
transfer logs or squid logs.
Example graphics generated with Webaliser:
41
Web Services
________________________________________________________________________________
PAM authentication
settings
[Older versions]
authenticate_program /usr/lib/squid/pam_auth
[Squid V2.5]
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Anvil Internet Proxy
auth_param basic credentialsttl 2 hours
acl password proxy_auth REQUIRED
http_access allow password
Web Services
________________________________________________________________________________
/etc/pam.d/system-auth file.
Also note the following from the pam_auth man page.
When used for authenticating to local UNIX shadow password databases the program
must be running as root or else it won't have sufficient permissions to access the user
password database. Such use of this program is not recommended, but if you absolutely
need to then make the program setuid root
chown root pam_auth
chmod u+s pam_auth
Please note that in such configurations it is also strongly recommended that the program is
moved into a directory where normal users cannot access it, as this mode of
operation will allow any local user to brute-force other users passwords. Also note the
program has not been fully audited and the author cannot be held responsible for any
security issues due to such installations.
43
________________________________________________________________________________
________________________________________________________________________________
Since a single DHCP server can be used to administer IPs over several networks, the
dhcpd.conf configuration file is composed of global options followed by network sections:
Example network block:
subnet 10.0.0.0 netmask 255.0.0.0 {
....
}
In the next example we will assign both dynamic IP addresses and a fixed IP address:
subnet 10.0.0.0 netmask 255.0.0.0 {
range 10.5.5.10 10.5.5.200;
host
proxy {
hardware ethernet 00:80:C6:30:0A:7E;
fixed-address 10.5.5.2;
}
}
routers
nis-domain
domain-name
domain-name-servers
10.254.254.254;
"nisdomain";
"seafront.bar";
10.0.0.2;
45
________________________________________________________________________________
NOTICE
When the DHCP server is started for the first time, it fails unless the dhcpd.leases file
exists. Use the command touch /var/lib/dhcpd/dhcpd.leases to create the file if it does
not exist.
If the same server is also running BIND as a DNS server, this step is not necessary, as
starting the named service automatically checks for a dhcpd.leases file.
To start the DHCP service, use the command /sbin/service dhcpd start. To stop the
DHCP server, use the command /sbin/service dhcpd stop.
If more than one network interface is attached to the system, but the DHCP server should
only be started on one of the interfaces, configure the DHCP server to start only on that
device. In /etc/sysconfig/dhcpd, add the name of the interface to the list of
DHCPDARGS:
DHCPDARGS=eth0
46
________________________________________________________________________________
Optionally, it is possible to set a specific host name and domain name for a given host with
the keywords
ddns-hostname host_name
ddns-domain-name domain_name
If the ddns-hostname option is not present then the DHCP server will try and use the
name provided by the client. The domain on the other hand cannot be set by the client, so
if ddns-domain-name is not present then the DHCP server will use the value given by the
domain-name option.
47
________________________________________________________________________________
The following commands are good to know:
server [server address] - Sets the target server for who to send updates.
key [keyname] [secret]
zone [zonename]
update [...]
send
- Send updates.
show
Client Configuration
On Linux clients it is possible to set the DHCP_HOSTNAME variable in the interface setup
script. In Redhat-like variants this would be in the /etc/sysconfig/network-scripts/ifcfg-ethX
files. Notice that this is simple a hostname, the domain name will be appended to that
name on the DHCP sever.
IP_FOR_DHCP_server
48
________________________________________________________________________________
2. NIS Configuration
2.1 Master Server Configuration
On a Linux system the network information system (NIS) server is called ypserv (package
name: ypserv). The RPM package has the same name and installs the following main files:
Description
/etc/rc.d/init.d/yppasswdd
/etc/rc.d/init.d/ypserv
/etc/rc.d/init.d/ypxfrd
/etc/ypserv.conf
/var/yp/Makefile
49
________________________________________________________________________________
5. Create the databases, the -m option to ypinit is to indicate the server is a master server
/usr/lib/yp/ypinit m
Enter the list of slave servers you will run on this domain. This will create a number of
DBM files in /var/yp/linis as well as a file called /var/yp/ypservers.
50
________________________________________________________________________________
/home
defaults
51
________________________________________________________________________________
Additional Commands
Command
Description
ypcat
ypwhich
3. LDAP Configuration
3.1 What is ldap
LDAP stands for Lightweight Directory Access Protocol. The protocol allows access to
data in a tree-like structure using attributes. LDAP can be thought of as a specialised
database which handles trees. Since directories are also trees, navigating LDAP fields is
like navigating a directory. Added to this LDAP has been designed mainly for optimal
access. This clarifies the words Directory and Access.
ou=People
ou=Aliases
cn=Tux
dn: cn=Tux, ou=People , dc=Example, dc=com
More Terminology
DIT
DN
RDN
LDIF
52
________________________________________________________________________________
Attributes:
dc
cn
c
l
o
ou
sn
st
uid
Domain Component
Common Name
Country
Location
Organisation
Organisational Unit
Surname
State
User id
/etc/openldap/schema/core.schema
/etc/openldap/schema/misc.schema
/etc/openldap/schema/cosine.schema
/etc/openldap/schema/nis.schema
/etc/openldap/schema/inetorgperson.schema
Database Definition
Available DBMs (Database Managers) are ldbm or the more recent bdb.
We will use bdb:
database
bdb
53
________________________________________________________________________________
You need to specify the root or base for the LDAP directory, as well as the directory where
the database file will be kept. This is done below:
suffix
directory
"dc=example,dc=com"
/var/lib/ldap/
The following lines are only needed when modifying the LDAP server online. You can then
specify an administrator username/password. Use the slappasswd to generate an
encrypted hash (see 3.4 Migrating System Files to LDAP):
rootdn
rootpw
"cn=Manager,dc=example,dc=com"
{SSHA}KiXS5htbnVEQp7OrjoteQZHHICs0krBO
-x
dc=example, dc=com
127.0.0.1
So far we have configured slapd and the configuration file for ldapsearch in particular.
Once we have populated an LDAP directory we will be able to test our setup by typing:
ldapsearch x
If the ldap daemon slapd is stopped, we can do an offline update using slapadd
While slapd is running, it is possible to perform an online update using ldapadd or
ldapmodify
54
________________________________________________________________________________
We will also use migration tools which can be downloaded from
http://www.padl.com/OSS/MigrationTools.html.
Creating LDAP directories offline
We are going to work in the directory containing the LDAP migration Perl scripts which we
have downloaded from www.padl.com.
Notice: Some distributions may include the migration tools with the LDAP server package.
You should have the following files:
migrate_automount.pl
CVSVersionInfo.txt
Make.rules
MigrationTools.spec
README
ads
migrate_netgroup_byhost.pl
migrate_netgroup_byuser.pl
migrate_networks.pl
migrate_passwd.pl
migrate_profile.pl
migrate_protocols.pl
migrate_rpc.pl
migrate_services.pl
migrate_slapd_conf.pl
migrate_base.pl
migrate_common.ph
migrate_fstab.pl
migrate_group.pl
migrate_hosts.pl
migrate_netgroup.pl
migrate_aliases.pl
migrate_all_netinfo_offline.sh
migrate_all_netinfo_online.sh
migrate_all_nis_offline.sh
migrate_all_nis_online.sh
migrate_all_nisplus_offline.sh
migrate_all_nisplus_online.sh
migrate_all_offline.sh
migrate_all_online.sh
We create our first LDIF file called base.ldif to serve as our root:
/migrate_base.pl > base.ldif
This flat file will be converted into bdb (or ldbm) files stored in /var/lib/ldap as follows:
slapadd -v < base.ldif
55
________________________________________________________________________________
We next choose to migrate the password without shadow passwords as follows:
Now let's add this LDIF file to our LDAP directory:(remember that LDAP is stopped so we
are still offline)
slapadd -v -l passwd.ldif
or
NOTICE:
Make sure all the files in /var/lib/ldap belong to user ldap.
TESTING:
Restart the LDAP server:
/etc/init.d/ldap restart
Search all the entries in the directory:
ldapsearch -x
If the ldap server does not respond, or the result from ldapsearch is empty, it is possible
to show the content of the LDAP databases in /var/lib/ldap with the slapcat command.
56
________________________________________________________________________________
Creating LDAP Directories Online
The LDAP server can be updated online, without having to shut the ldap service down. For
this to work we must specify a rootdn and a rootpw in /etc/openldap/slapd.conf.
The password is generated from the command line as follows
sldappasswd
New password:
Re-enter new password:
{SSHA}XyZmHH1RlnSVXTj87UvxOAOCZA8oxNCT
We next choose the rootdn in /etc/openldap/slapd.conf to be
rootdn
rootpw
"cn=Manager,dc=example,dc=com"
{SSHA}XyZmHH1RlnSVXTj87UvxOAOCZA8oxNCT
-S -x -W
57
________________________________________________________________________________
You may allow users to change their passwords on the LDAP server as follows:
1. Copy the passwd PAM file /etc/share/doc/nss_ldap-version/pam.d/passwd to
/etc/pam.d
2. Add the following access rule in /etc/openldap/slapd.conf
access to attrs=userPassword
by self write
by anonymous auth
by * none
Client Configuration
The clients need to have the nss_ldap package installed (some distributions have a
separate pam_ldap package with the PAM related modules and files). The following files
and libraries are installed:
/etc/ldap.conf
/lib/libnss_ldap-2.3.2.so
/lib/security/pam_ldap.so
/usr/lib/libnss_ldap.so
/usr/share/doc/nss_ldap-207/pam.d
58
________________________________________________________________________________
4. PAM Authentication
Services or applications which need authentication can use the pluggable authentication
module (PAM) mechanism which offers a modular approach to the authentication process.
For example, if a new hardware authentication scheme is added to a system, using smart
cards or prime number generators, and if corresponding PAM library modules are
available for this new scheme, then it is possible to modify existing services to use this
new authentication scheme.
These applications will scan the PAM configuration files which in turn tell the application
how the authentication will take place.
59
________________________________________________________________________________
type
control
module-path
module-arguments
However, if the directory /etc/pam.d exists then pam.conf is ignored and each service is
configured through a separate file in pam.d. These files are similar to pam.conf except
that the service name is dropped:
type
type:
control
module-path
module-arguments
defines the management group type. PAM modules are classified into four
management groups which define different aspects of the authentication process:
account:
check the validity of the account (eg. does the users have a UNIX
account, is the user authorised to use the application ...)
auth:
the authentication method. This points to a module(s) responsible for
the challenge-response
password: defines how to change user passwords, if at all
session: modules that are run before and after a service is granted
control: defines what action to take if the module fails. The simple controls are:
requisite: a failure of the module results in the immediate termination of the
authentication process
required: a failure of the module will result in the termination of the
authentication once all the other modules of the same type have been
executed
sufficient: success of the module is sufficient except if a prior required module
has failed
optional: success or failure of this module are not taken into account unless it is
the only requirement of its type
module-path: the path to a PAM module (usually in /lib/security)
module-arguments: list of arguments for a specific module
60
System Security
________________________________________________________________________________
System Security
1. Iptables/Ipchains
What is a Packet Filter?
A packet filter is a piece of software which looks at the header of packets as they pass
through, and decides the fate of the entire packet. It might decide to DROP the packet (i.e.,
discard the packet as if it had never received it), ACCEPT the packet (i.e., let the packet go
through), or something more complicated. - from the Packet Filtering HOWTO by Rusty
Russell
For more in depth information see the HOWTOs at www.netfilter.org.
In this section we introduce the iptables concepts of chains, tables and targets. We then
look at some examples to illustrate network address translation (NAT) as well as the
special cases of masquerading and transparent redirections.
61
System Security
________________________________________________________________________________
filter: this is the default table and the packets are never altered. Packets are available from
the following chains:
INPUT
OUTPUT
FORWARD
for packets being routed through the box (check the value of
/proc/sys/net/ipv4/ip_forward)
nat: this table only deals with network address translations (NAT) it is consulted when a
packet creating a new connection is encountered. Packet headers connected with routing
can be altered here. The following chains are considered:
PREROUTING
POSTROUTING
OUTPUT
mangle: used for specialized packet alterations. Targets in this table allow the TOS or TTL
field to be modified.
Until kernel 2.4.17 it could only interact with two chains:
PREROUTING
OUTPUT
Since kernel 2.4.18, the three other chains are also supported:
INPUT
FORWARD
POSTROUTING
62
System Security
________________________________________________________________________________
all tables: ACCEPT, REJECT, DROP, LOG, ULOG, TCPMSS, MIRROR
filter: (nothing individual to this chain)
nat: DNAT, SNAT, MASQUERADE, REDIRECT
mangle: TOS, MARK, DSCP, ECN
There are more targets, but they come as part of additional extension kernel modules.
iptables
-j DROP
-j DROP
Notice: The protocol extension flags allow you to specify more information about a
specific protocol. In the case of TCP packets for example you may have:
-p tcp tcp-flags ALL SYN,ACK
ALL stands for SYN ACK FIN RST URG and PSH. This rule says that all flags must be
examined and of those, if the SYN and ACK flags are set, the rule is true.
2. Example Destination Network Address Translation (DNAT):
All requests on port 80 for host 192.168.3.100 are redirected to the host 10.1.1.1 on port
80:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.3.100 \
--dport 80 -j DNAT --to 10.1.1.1:80
63
System Security
________________________________________________________________________________
4. Example Redirection:
A redirection is a special case of DNAT where the -to host is the same host. For
example if a proxy server is running on a router, all requests through port 80 can be
PRE-routed through port 3128 with:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
TASK: At this stage if you want to implement a transparent proxy with the previous
redirection rule you will have to change the configuration file squid.conf and add the
following:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Remember that if you have implemented an authentication scheme with squid you may
have to disable it for the transparent proxy to work.
System Security
________________________________________________________________________________
values are NEW, ESTABLISHED, RELATED or INVALID.
iptables -A INPUT -p tcp -m state -state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state -state NEW,ESTABLISHED -j ACCEPT
Description
Option (example)
connrate
dstlimit
--dstlimit avg
icmp
iprange
--src-range IP-IP
length
--length length
mac
state
3. Security Tools
3.1 SSH
For a first description of the ssh client and sshd server see the section on Basic Security
in the lpi-manuals document for LPI 102. For an in depth presentation see the Internet
draft The SSH (Secure Shell) Remote Login Protocol at http://www.free.lp.se/fish/rfc.txt.
This section covers the server configuration file and briefly discusses other mechanisms
that the SSH protocol offers such as X11 forwarding and port forwarding.
65
System Security
________________________________________________________________________________
sshd_con fig overview
Port 22
Protocol 2,1
DenyUsers [USER]@HOST
IgnoreRhosts yes/no
PermitEmptyPasswords yes/no
PermitRootLogin yes/no
X11Forwarding yes/no
Port Forwarding
It is possible to do port forwarding with the SSH client. This is often used to provide a
simple mechanism to encrypt a connection. For example one can open a local (-L) port
(1234) pointing to the remote host (www.google.com) on another port (80) as follows:
ssh -L 1234:www.google.com:80 127.0.0.1
Quick VPN
This is a user-space VPN as opposed to other types of VPNs which are kernel based.
/usr/sbin/pppd noauth pty \
"ssh SOME_HOST -l root '/usr/sbin/pppd notty noauth
192.168.0.1:192.168.0.2'"
\
192.168.0.2:192.168.0.1
66
System Security
________________________________________________________________________________
3.2 LSOF
lsof shows open files used by processes. Traditionally it is used to list PIDs of processes
running on a given directory:
lsof +D DIRECTORY
lsof will output the following information:
NAME:
PID:
process ID
USER:
FD:
TYPE:
NODE:
NAME:
lsof can also be used to display network sockets. For example the following line will list all
internet connections:
lsof -i
You can also list connections to a single host:
lsof -i @HOST
For example if a host TOFFY is connected to your localhost on port 1234, the following
would display information about the connection:
lsof -i @TOFFY:1234
67
System Security
________________________________________________________________________________
3.3 NETSTAT
netstat is used to print network connections, routing tables, etc.
Main options are:
-r
-C
-l
only listening services
--inet restrict to network sockets
select tcp
select udp
3.4 TCPDUMP
tcpdump dumps traffic on a network.
From the man page:
Flags
Data-seqno
Ack
Window
Urg
Options
68
System Security
________________________________________________________________________________
A TCP header usually holds 20 octets of data, unless options are present. The first line
of the graph contains octets 0 - 3, the second line shows octets 4 - 7 etc.
Starting to count with 0, the relevant TCP control bit are contained in octet 13:
0
7|
15|
23|
31
----------------|---------------|---------------|---------------| HL
| rsvd |C|E|U|A|P|R|S|F|
window size
|
----------------|---------------|---------------|---------------|
| 13th octet
|
|
|
These are the TCP control bits we are interested in. We have numbered the bits in this
octet from 0 to 7, right to left, so the PSH bit is bit number 3, while the URG bit is
number 5.
Recall that we want to capture packets with only SYN set. Lets see what happens to
octet 13 if a TCP datagram arrives with the SYN bit set in its header:
69
System Security
________________________________________________________________________________
|C|E|U|A|P|R|S|F|
|---------------|
|0 0 0 0 0 0 1 0|
|---------------|
|7 6 5 4 3 2 1 0|
Looking at the control bits section we see that only bit number 1 (SYN) is set.
Assuming that octet number 13 is an 8-bit unsigned integer in network byte order, the
binary value of this octet is
00000010
and its decimal representation is
7
6
5
4
3
2
1
0
0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 0*2 + 1*2 + 0*2 =
Were almost done, because now we know that if only SYN is set, the value of the 13th
octet in the TCP header, when interpreted as a 8-bit unsigned integer in network byte
order, must be exactly 2.
This relationship can be expressed as
tcp[13] == 2
3.5 NMAP
nmap is the network exploration tool and security scanner.
The scanner makes use of the fact that a closed port should (according to RFC 793) send
back an RST. In the case if a SYN scan, connections that are half opened are immediately
close by nmap by sending an RST itself.
The main scan types are:
SYN or Half-open: -sS
nmap will send a synchronisation packet SYN asking for a connection. If the remote host
send a RST/ACK it is assumed that the port is closed. If the remote host sends a
SYN/ACK this indicates that the port is listening.
UDP: -sU
UDP is connectionless. So there is no need for a 3 way handshake as with TCP. If a port
is closed the server will send back a ICMP PORT UNREACHABLE. One then deduces
70
System Security
________________________________________________________________________________
that all the other ports are open (not reliable in the case were ICMP messages are
blocked).
TCP NULL: -sN
TCP packet with no flags set. Closed port will send a RST when receiving these packets
(except with MS Windows).
TCP Xmas: -sX
TCP packet with the FIN+URG+PUSH flags set. The remote host should send back a RST
for all closed ports when receiving a Xmas packet.
71
Vjebe
Vjebe
__________________________________________________________
Mrea/maska: _________________
IP-adresa: __________________
IP-adresa: _________________
Hostname (FQDN): _________________
Gateway: _________________
DNS:
_________________
server1
Mrea/maska: _________________
IP-adresa: _________________
IP-adresa: _________________
Hostname (FQDN): _________________
Gateway: _________________
DNS:
_________________
server2
Napomena: Nije nuno da su sve postavke na poetku teaja postavljene ili ispravne
(ipak ih zabiljeite). Neke postavke e se tijekom teaja mijenjati.
74
Vjebe
__________________________________________________________
Vjeba 2: DNS
Jednostavna konfiguracija (forward only)
1. Na sustavu server1 instalirajte pakete bind i bind-utils
(yum install bind bind-utils).
2. U datoteku /etc/named.conf unutar sekcije options (na primjer iza retka s oznakom
directory) upiite:
forward only;
forwarders {
161.53.2.69;
161.53.2.70;
};
Obriite ili oznaite kao komentar redak: listen-on-v6 port 53 { ::1; };
Pokrenite naredbu /usr/sbin/named-checkconf kako biste provjerili postoje li greke
u konfiguracijskoj datoteci /etc/named.conf.
3. Pokrenite named i postavite da se pokree prilikom svakog pokretanja sustava:
service named start
chkconfig named on
Napomena: Ako ne postoji datoteka rndc.key, skripta /etc/init.d/named e je
stvoriti, to moe potrajati i nekoliko minuta.
Provjerite radi li named ispravno:
dig @127.0.0.1 www.srce.hr
ili
nslookup www.srce.hr 127.0.0.1
Definiranje zona
4. Dodajte sljedei tekst na kraj datoteke /etc/named.conf:
zone "tecaj.hr" IN {
type master;
file "zone/tecaj.hr";
};
75
Vjebe
__________________________________________________________
zone "1.168.192.in-addr.arpa" IN {
type master;
file "zone/192.168.1";
};
zone "2.168.192.in-addr.arpa" IN {
type master;
file "zone/192.168.2";
};
5. Provjerite postoji li definicija za root-zonu:
zone "." IN {
type hint;
file "named.ca";
};
6. Promijenite forward only; u forward first;
Napomena: Ova izmjena ne utjee na izvoenje vjebe, ali dobro ju je napraviti zbog
preglednosti koda.
7. Stvorite direktorij u koji e se upisivati podaci za zone:
mkdir /var/named/zone
chown named:named /var/named/zone
chmod 770 /var/named/zone
8. U direktoriju /var/named/zone stvorite datoteke tecaj.hr, 192.168.1 i 192.168.2
na sljedei nain:
Neka datoteka tecaj.hr ima sljedei sadraj (na mjestu opcije serial umjesto
2014030201 moete upisati oznaku koja odgovara aktualnom datumu):
$TTL 1D
@
localhost
server1
server2
IN
SOA
NS
tecaj.hr. root.tecaj.hr. (
2014030201
1D
1H
1W
3H )
server1.tecaj.hr.
A
A
A
A
127.0.0.1
192.168.1.100
192.168.2.201
192.168.2.202
76
;
;
;
;
;
serial
refresh
retry
expire
minimum
Vjebe
__________________________________________________________
Neka datoteka 192.168.1 ima sljedei sadraj:
$TTL 1D
@
100
IN
SOA
tecaj.hr.
NS
root.tecaj.hr. (
2014030201
1D
1H
1W
3H )
server1.tecaj.hr.
PTR
server1.tecaj.hr.
;
;
;
;
;
serial
refresh
retry
expire
minimum
;
;
;
;
;
serial
refresh
retry
expire
minimum
201
202
IN
SOA
tecaj.hr.
NS
root.tecaj.hr. (
2014030201
1D
1H
1W
3H )
server1.tecaj.hr.
PTR
PTR
server1.tecaj.hr.
server2.tecaj.hr.
77
Vjebe
__________________________________________________________
10. U datoteci /etc/named.conf (u sekciji options) izmijenite redak u kojem pie
listen-on port 53 { 127.0.0.1; };
tako da on glasi:
listen-on port 53 { any; };
U sekciji options izmijenite postojei ili dodajte novi (ako ne postoji) redak s
direktivom allow-query tako da pie:
allow-query
Pokrenite service named reload (ili service named restart). Provjerite je li sve
u redu:
nslookup server1.tecaj.hr 192.168.2.201
Postavke na klijentima
11. Na sustavu server1 izmijenite datoteku /etc/resolv.conf tako da njezin sadraj
bude:
search tecaj.hr
nameserver 192.168.1.100
nameserver 192.168.2.201
Sadraj datoteke /etc/sysconfig/network neka bude:
NETWORKING=yes
HOSTNAME=server1.tecaj.hr
GATEWAY=192.168.1.1
Provjerite sadraj datoteka /etc/sysconfig/network-scripts/ifcfg-eth0 i
/etc/sysconfig/network-scripts/ifcfg-eth1 i napravite izmjene ako je
potrebno (posebno provjerite vrijednosti varijabli IPADDR, PREFIX i GATEWAY).
Ponovno pokrenite sustav. (Aktivacija nainjenih izmjena mogua je i bez ponovnog
pokretanja sustava - dovoljno je ponovno pokrenuti odgovarajue servise. Ponovnim
pokretanjem sustava provjerit emo prije nastavka rada jesu li nainjene izmjene trajne.)
Napomena: Ako elite, moete iskljuiti Network Manager
(yum -y remove NetworkManager; service network restart).
12. Na sustavu server2 izmijenite datoteku /etc/resolv.conf tako da njezin sadraj
bude:
search tecaj.hr
nameserver 192.168.2.201
78
Vjebe
__________________________________________________________
Provjerite radi li naredba nslookup server1.
Sadraj datoteke /etc/sysconfig/network na sustavu server2 neka bude:
NETWORKING=yes
HOSTNAME=server2.tecaj.hr
GATEWAY=192.168.2.201
Provjerite sadraj datoteke /etc/sysconfig/network-scripts/ifcfg-eth0 i
napravite izmjene ako je potrebno.
Ponovno pokrenite sustav.
79
Vjebe
__________________________________________________________
IN
SOA
NS
NS
tecaj.hr.
root.tecaj.hr. (
2014030202
1D
1H
1W
3H )
server1.tecaj.hr.
server2.tecaj.hr.
;
;
;
;
;
serial
refresh
retry
expire
minimum
Ponovno pokrenite named. (Da smo izmjene radili samo na zonama, tada bi bilo dovoljno
da pokrenemo naredbu rndc reload.)
2. Na sustavu server2 instalirajte paket bind (umetnite instalacijski medij u optiki ureaj,
potraite odgovarajui paket u direktoriju Packages te instalirajte ga naredbom rpm, na
primjer: rpm -i bind-9.8.2-0.17.rc1.el6_4.6.i686.rpm).
3. Na sustavu server2 izmijenite datoteku /etc/named.conf tako da u sekciji options
bude:
listen-on port 53 { any; };
forward first;
forwarders {
192.168.2.201;
};
allow-query {
192.168.1.0/24;
192.168.2.0/24;
localhost;
};
80
Vjebe
__________________________________________________________
Na kraj datoteke /etc/named.conf dodajte podatke o zonama:
zone "tecaj.hr" IN {
type slave;
masters { 192.168.2.201; };
file "slaves/tecaj.hr";
};
zone "1.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.2.201; };
file "slaves/192.168.1";
};
zone "2.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.2.201; };
file "slaves/192.168.2";
};
81
Vjebe
__________________________________________________________
Provjerite rezultate sljedeih upita:
> server
Odgovor bi trebao biti:
> server1
Nakon kratkog ekanja, odgovor bi trebao biti:
Server:
Address:
192.168.2.202
192.168.2.202#53
Name:
server1.tecaj.hr
Address: 192.168.1.100
Name:
server1.tecaj.hr
Address: 192.168.2.201
to moete zakljuiti iz rezultata upita?
Ponovno pokrenite named na sustavu server1 (service named start).
82
Vjebe
__________________________________________________________
Vjeba 4: DNSSEC
1. Na sustavu server1 (u nekom direktoriju koji nije dostupan ostalim korisnicima, na
primjer u home-direktoriju ili direktoriju /var/named/zone) pokrenite naredbu:
dnssec-keygen -a HMAC-MD5 -b 256 -n host tecajhr
Napomena: Na sporijim sustavima kreiranje kljua moe trajati i desetak minuta.
U radnom direktoriju stvorit e se dvije nove datoteke, na primjer:
Ktecajhr.+157+45497.key
Ktecajhr.+157+45497.private
Primjer sadraja datoteke key-datoteke (Ktecajhr.+157+45497.key):
tecaj.hr. IN KEY 512 3 157 WmcHtBlHmTyw7HNM9+h6Brlp+EjGmqLmHW6Y6tMvXJg=
83
Vjebe
__________________________________________________________
Postavite odgovarajue postavke na datoteku /etc/slave.key:
chown root:named /etc/slave.key
chmod 640 /etc/slave.key
3. U datoteku /etc/named.conf (na primjer iza include "/etc/named.root.key";)
dodajte redak:
include "/etc/slave.key";
U sekciju koja opisuje zonu tecaj.hr dodajte:
allow-transfer { key tecajhr.; };
Provjerite da u sekciji options pie:
dnssec-enable yes;
dnssec-validation no;
Provjerite s /usr/sbin/named-checkconf postoje li greke u datoteci named.conf.
Ponovno pokrenite named: service named restart
Napomena: Zone 1.168.192.in-addr.arpa i 2.168.192.in-addr.arpa su radi
potreba ove vjebe namjerno ostale su nepromijenjene. U stvarnom sluaju
primijenili bismo isti postupak i na njih (tj. dodali bismo redak
allow-transfer { key tecajhr; }; u sve sekcije koje opisuju zone).
4. Na sustavu server2 zaustavite named (service named stop) i obriite podatke u
direktoriju /var/named/slaves (na primjer: rm /var/named/slaves/*).
Ponovno pokrenite named: service named start
Provjerite sadraj direktorija /var/named/slaves. Koje su se zone kopirale? Nedostaje
li koja?
Provjerite to se dogodilo:
nslookup server1.tecaj.hr localhost
nslookup 192.168.2.201 localhost
4. Kopirajte datoteku /etc/slave.key sa sustava server1 na sustav server2 (na
primjer, naredbom scp ili neposredno kopirajui tekst (copy&paste) iz jednog u drugi
terminalski prozor).
Postavite datoteci /etc/slave.key (na sustavu server2) odgovarajua prava
pristupa:
84
Vjebe
__________________________________________________________
chown root:named /etc/slave.key
chmod 640 /etc/slave.key
U datoteku /etc/named.conf na sustavu server2 dodajte sljedee retke:
include "/etc/slave.key";
server 192.168.2.201 {
keys tecajhr;
};
Ponovno pokrenite named.
Pogledajte sadraj direktorija /var/named/slaves. to se promijenilo?
Potraite redak s kljunom rijeju TSIG u datoteci /var/log/messages.
85
Vjebe
__________________________________________________________
Instaliranje Sendmaila
1. Aplikacija alternatives slui za stvaranje i upravljanje alternativnim softverskim
paketima na sustavu. Na sustavu server1 provjerite trenutanu situaciju s MTA:
alternatives --display mta
Napomena: Uvid u trenutanu situaciju moete dobiti i sa
ls -l /etc/alternatives/mta* | cut -f10- -d" "
odnosno
( cd /etc/alternatives ; ls -l mta* | cut -f10- -d" " )
Ukoliko sendmail nije instaliran, instalirajte ga:
yum install sendmail sendmail-cf m4
Ako je potrebno, zaustavite postfix i onemoguite njegovo pokretanje prilikom
pokretanja sustava:
service postfix stop
chkconfig postfix off
Zamijenite Postfix sa Sendmailom:
alternatives --set mta /usr/sbin/sendmail.sendmail
Kako biste dobili detaljniji uvid u nainjene promjene, ponovno pokrenite
( cd /etc/alternatives ; ls -l mta* | cut -f10- -d" " )
U datoteci /etc/mail/sendmail.mc dodajte rije dnl na poetak retka koji glasi:
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
Nakon izmjene, taj redak izgleda ovako:
dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
86
Vjebe
__________________________________________________________
Napomena: Rije je o retku kojim se odreuje da sendmail prihvaa konekcije samo na
adresi 127.0.0.1. Ovime smo osigurali da se taj redak kod sljedeeg
stvaranja nove konfiguracijske datoteke za sendmail ignorira (sendmail
e prihvaati konekcije na svim mrenim sueljima).
Stvorite novu konfiguracijsku datoteku:
mv /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Provjerite u emu se razlikuju nova i stara konfiguracijska datoteka:
diff /etc/mail/sendmail.cf /etc/mail/sendmail.cf.orig
Napomena: Izmjene smo mogli napraviti i neposredno na datoteci sendmail.cf, na
primjer:
sed -i.orig 's/Addr=127.0.0.1,//' /etc/mail/sendmail.cf
Pokrenite sendmail:
chkconfig sendmail on
service sendmail start
2. Poaljite poruku korisniku root (mail root@server1.tecaj.hr). Provjerite je li
isporuena.
Prouite sadraj direktorija /var/spool/mail.
3. Ako je potrebno, instalirajte telnet (yum install telnet).
Pokrenite telnet:
telnet localhost 25
i upiite sljedee:
HELP
EHLO pogodi-tko-sam.hr
MAIL From: opasan_haker@tajna-lokacija.hr
RCPT To: root@server1.tecaj.hr
DATA
Subject: Opasna prijetnja
Pozdrav od hakera.
.
QUIT
87
Vjebe
__________________________________________________________
Je li isporuena nova poruka za korisnika root?
Prouite zapise u log-datoteci /var/log/maillog.
IN
MX
10
server1.srce.hr.
root
Pokrenite newaliases.
Poaljite poruke na ime.prezime@tecaj.hr i Ime.Prezime@tecaj.hr:
mail -s "Ovo je /etc/passwd" ime.prezime@tecaj.hr < /etc/passwd
mail -s "Ovo je /etc/passwd" Ime.Prezime@tecaj.hr < /etc/passwd
Provjerite jesu li poruke isporuene.
Mail queue
7. Popis poruka koje ekaju u redu za isporuku (mail queue) moe se ispisati naredbama
sendmail -bp i mailq. Provjerite ima li na sustavu server1 neisporuenih poruka koje
ekaju u redu.
Pokuajte poslati sljedeu poruku:
mail -s "Oprostite na smetnji" user@srce.hr < /dev/null
88
Vjebe
__________________________________________________________
Provjerite je li poruka ostala ekati u redu za isporuku:
mailq
Neisporuene poruke nalaze se u direktoriju /var/spool/mqueue. Pogledajte sadraj
tog direktorija i usporedite ga s prethodnim rezultatom naredbe mailq:
ls -l /var/spool/mqueue
Prouite sadraj kontrolne datoteke (s prefiksom qf):
more /var/spool/mqueue/qf*
Pronaite u log-datoteci /var/log/maillog zapise vezane uz isporuku poruke koje ste
poslali.
Pokuajte odgovoriti na sljedea pitanja:
Kojem je posluitelju u domeni srce.hr na posluitelj pokuao proslijediti poruku?
Zato je poruka ostala u redu (nije isporuena primatelju niti se vratila poiljatelju)?
Postfix
9. Provjerite je li na sustavu server2 instaliran i pokrenut Postfix:
service postfix status
Upoznajte se s aktualnom konfiguracijom:
postconf mail_version
postconf inet_interfaces
89
Vjebe
__________________________________________________________
Prouite koje su standardne postavke programa Postfix izmijenjene zapisima u main.cf:
postconf -n
U datoteci /etc/postfix/main.cf postavite vrijednost varijable inet_interfaces
na all:
inet_interfaces = all
Obriite redak u kojem pie inet_interfaces = localhost ili ga pretvorite u
komentar: # inet_interfaces = localhost
Ponovno pokrenite Postfix:
service postfix restart
Napomena: Obzirom da je u datoteci main.cf promijenjena vrijednost varijabla
inet_interfaces (promijenjene su postavke koje se odnose na mreno
suelje), nije bilo dovoljno pokrenuti postfix reload.
10. Na sustavu server1 provjerite je li poruka koju smo pokuali poslati korisniku
root@server2.tecaj.hr jo uvijek u redu za isporuku (mailq).
Runo pokrenite obradu poruka koje ekaju u redu:
sendmail -q
Provjerite je li poruka jo uvijek u redu. Provjerite je li ju primatelj na sustavu server2
primio.
Mail relaying
Obzirom da server2 za sada jo uvijek ne moe pristupati sadrajima na Internetu (za to je
potrebno implementirati NAT na sustavu server1, to emo napraviti kasnije), postavit
emo da sva pota sa sustava server2 ide preko sustava server1. Isto tako, postavit
emo da sustav server1 prihvaa i prosljeuje svu potu za sustav server2.
Takoer, postavit emo (putem datoteke .forward) da se pota za korisnika
root@server2.tecaj.hr prosljeuje i korisniku root na sustavu server1.
11. Na sustavu server2 promijenite sadraj datoteke /etc/postfix/main.cf tako da
pie:
relayhost = [server1.tecaj.hr]
90
Vjebe
__________________________________________________________
Pokrenite postfix reload.
Provjerite jesu li izmjene prihvaene: postconf relayhost.
12. Na sustavu server1 u datoteku /etc/mail/access dodajte redak:
Connect:192.168.2
RELAY
Pokrenite naredbu
makemap hash /etc/mail/access.db < /etc/mail/access
(ili ponovno pokrenite sendmail).
13. Na sustavu server2 pokuajte poslati poruku korisniku user@srce.hr:
mail user@srce.hr < /dev/null
Na oba sustava (server1 i server2) pokrenite naredbu mailq i provjerite na kojem je
sustavu ova poruka zavrila u redu za isporuku (trebala bi biti na sustavu server1).
to znai dobiveni rezultat?
14. Na sustavu server2 u home-direktoriju korisnika root stvorite datoteku .forward
sljedeeg sadraja:
\root
root@server1.tecaj.hr
91
Vjebe
__________________________________________________________
Vjeba 6: Majordomo
Instaliranje Majordoma
1. Ako na sustavu server1 nije instaliran kompajler za C, instalirajte ga
(yum install gcc).
Preuzmite s Interneta Majordomovu distribucijsku arhivu i raspakirajte je u direktoriju
/tmp:
cd /tmp
wget http://www.greatcircle.com/majordomo/1.94.5/majordomo-1.94.5.tar.gz
92
Vjebe
__________________________________________________________
Napravite provjeru (na pitanje: Shall I send email to majordomoregistration@greatcircle.com to register this version? odgovorite s no):
cd /usr/local/majordomo
./wrapper config-test
Omoguite da sendmail pokree Majordomov wrapper:
ln -s /usr/local/majordomo/wrapper /etc/smrsh
U datoteku /etc/mail/sendmail.mc dodajte sljedei redak (uoite da su prvi
navodnici backquote):
define(`confDONT_BLAME_SENDMAIL',`GroupWritableDirPathSafe,GroupWritableIncludeFile')
i pokrenite
m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Ponovno pokrenite sendmail (service sendmail restart).
Napomena: Oni koji se odlue za neposredno editiranje datoteke
/etc/mail/sendmail.cf trebaju dodati sljedei redak u datoteku
sendmail.cf (potraite gdje se u datoteci sendmail.cf nalazi kljuna
rije DontBlameSendmail i na tom mjestu napravite izmjenu):
O DontBlameSendmail=GroupWritableDirPathSafe,GroupWritableIncludeFile
93
Vjebe
__________________________________________________________
Definiranje lista
3. Ako ne postoji korisnik tux stvorite ga (tux e biti vlasnik liste koju emo stvoriti u
nastavku vjebe): useradd -c "Tux the Penguin" tux
Podesite sve to je potrebno za novu listu koja e se zvati moja-lista.
Prvo je potrebno stvoriti praznu datoteku /usr/local/majordomo/lists/moja-lista:
touch /usr/local/majordomo/lists/moja-lista
chgrp majordomo /usr/local/majordomo/lists/moja-lista
chmod 664 /usr/local/majordomo/lists/moja-lista
Sljedei je korak stvaranje datoteke moja-lista.info. U njoj e se nalaziti uvodne
informacije o listi:
cat > /usr/local/majordomo/lists/moja-lista.info
Ovo je lista za sve moje oboavatelje.
^D
(control-D)
Stvorite nove aliase. U datoteku /etc/aliases dodajte:
moja-lista: "|/usr/local/majordomo/wrapper resend -l moja-lista moja-lista-outgoing"
moja-lista-outgoing: :include:/usr/local/majordomo/lists/moja-lista
moja-lista-request: "|/usr/local/majordomo/wrapper request-answer moja-lista"
owner-moja-lista: tux
moja-lista-approval: tux
i pokrenite naredbu newaliases.
Poaljite poruku Majordomu i prouite odgovor:
echo lists | mail -s "" majordomo
Napomena: Obzirom da nismo stvorili datoteku
/usr/local/majordomo/lists/moja-lista.config, Majordomo e
je po primitku ove poruke sam stvoriti. Moete prouiti njezin sadraj.
94
Vjebe
__________________________________________________________
Dobit ete odgovor s uputama to dalje trebate uiniti (a to je da na adresu
majordomo@tecaj.hr poaljete poruku poput:
auth 35219738 subscribe moja-lista root@server1.tecaj.hr).
Poaljite poruku kojom potvrujete zahtjev za predbiljebom:
mail -s "" majordomo
auth 35219738 subscribe moja-lista root@server1.tecaj.hr
.
Proitajte odgovor koji ste dobili.
Pogledajte sadraj datoteke /usr/local/majordomo/lists/moja-lista.
Pogledajte koju je poruku dobio tux (more /var/spool/mail/tux).
5. Konano, poaljite poruku na listu:
echo "Pozdrav svima." | mail -s "Juhuhu ..." moja-lista
95
Vjebe
__________________________________________________________
Vjeba 7: Procmail
1. Provjerite je li na sustavu server1 Procmail postavljen kao lokalni mail delivery agent
(MDA):
grep "^Mlocal" /etc/mail/sendmail.cf
Kada Procmail ne bi bio postavljen kao lokalni mail delivery agent, tada bismo mu potu
upuivali na filtriranje putem datoteke .forward.
2. Neka se sva pota koja doe od korisnika tux automatski arhivira u datoteku tux (u
home-direktoriju).
U tu svrhu kao korisnik root na sustavu server1 stvorite (u home-direktoriju) datoteku
.procmailrc sljedeeg sadraja:
:0:
* ^From.*tux@server1\.tecaj\.hr
$HOME/tux
U gornjem je primjeru :0 oznaka za poetak recipea, a prva zvjezdica (*) u drugom retku
je oznaka za poetak uvjeta. Ostatak uvjeta je regularni izraz (regular expression) kojim
se opisuje traeni uzorak. U naem sluaju to je uzorak na poetku retka (^) koji
zapoinje s From nakon ega slijedi proizvoljan niz znakova koji zavrava s
tux@server1.tecaj.hr.
Navedeni izraz odgovara razliitim varijantama From-zaglavlja poput:
From: tux@server1.tecaj.hr
ili
From: Tux the Penguin <tux@server1.tecaj.hr>
Neka Vam tux poalje neku poruku. to se s njom dogodilo?
3. Neka se sve poruke koja dou s liste moja-lista automatski arhiviraju u komprimiranu
datoteku moja-lista.gz. Poruke se trebaju pojaviti i u standardnom mailboxu.
U tu svrhu na poetak datoteke .procmailrc dodajte:
:0c:
* ^(From|Cc|To).*moja-lista
| gzip >> $HOME/moja-lista.gz
Poaljite poruku na adresu moja-lista te provjerite je li se poruka pojavila u mailboxu i
je li arhivirana u datoteci moja-lista.gz.
96
Vjebe
__________________________________________________________
4. Korisnik root na sustavu server2 (root@server2.tecaj.hr) esto alje svojim
poslovnim kolegama poruke sa alama. Takve poruke naslovljava s joke ili funny.
Obzirom da ne elimo da se takve poruke pojavljuju u naem mailboxu, automatski emo
ih pohraniti u arhivu jokes. Te poruke takoer elimo automatski proslijediti drugom
poznatom aljiviji i ljubitelju viceva - korisniku tux na sustavu server1.
U tu svrhu u datoteku .procmailrc dodajte:
:0:
* ^From.*root@server2\.tecaj\.hr
* ^Subject.*(joke|funny)
{
:0c
! tux@tecaj.hr
:0
jokes
}
Poaljite poruku kao root@server2.tecaj.hr:
[root@server2 ~]# mail -s "joke #1453" root@server1.tecaj.hr < /etc/motd
97
Vjebe
__________________________________________________________
Vjeba 8: Apache
Jednostavna konfiguracija web-posluitelja Apache
1. Na sustavu server1 instalirajte web-posluitelj Apache:
yum install httpd
U datoteci /etc/httpd/conf/httpd.conf (otvorite je u editoru) pronaite vrijednosti
sljedeih varijabli, zabiljeite njihovu vrijednost te proitajte komentare koji ih opisuju:
ServerRoot
__________________
DocumentRoot
__________________
Include
__________________
User
__________________
Group
__________________
PidFile
__________________
Listen
__________________
KeepAlive
_______
MaxKeepAliveRequests
_______
KeepAliveTimeout
_______
StartServers
_______
MinSpareServers
_______
MaxSpareServers
_______
ServerLimit
_______
MaxClients
_______
MaxRequestsPerChild
_______
CNAME
server1.tecaj.hr.
98
Vjebe
__________________________________________________________
3. Pokrenite web-posluitelj (service httpd start). Provjerite odaziva li se webposluitelj na adresi http://www.tecaj.hr.
Ako je sve u redu pokrenite naredbu chkconfig httpd on.
(to se dogaa ako pokuate pristupiti adresi http://www.tecaj.hr/index.html?)
4. U direktoriju na koji u datoteci /etc/httpd/conf/httpd.conf upuuje varijabla
DocumentRoot (a to je /var/www/html) stvorite datoteku index.html sljedeeg
sadraja:
<HTML>
<HEAD>
<TITLE>Pozdrav svijetu</TITLE>
</HEAD>
<BODY>
<P>Pozdrav svima!</P>
</BODY>
</HTML>
Ponovno provjerite to se nalazi na adresama http://www.tecaj.hr i
http://www.tecaj.hr/index.html.
5. Pokrenite naredbu telnet localhost 80 (umjesto localhost takoer moete
upisati server1 ili www) i upiite:
GET / HTTP/1.1
Host: www.tecaj.hr
[Enter]
(Prazan redak)
Prouite rezultat.
Ponovno pokrenite naredbu telnet localhost 80. Ovaj put upiite samo:
GET /
Prouite rezultat.
Jo jednom pokrenite naredbu telnet localhost 80. Ovaj put upiite:
HEAD / HTTP/1.1
Host: www.tecaj.hr
[Enter]
Napomena: Komunikaciju izmeu web-posluitelja i klijenta mogue je pratiti pomou
naredbe curl -v. Na primjer:
curl -v http://www.tecaj.hr
99
Vjebe
__________________________________________________________
6. Stvorite direktorij /var/www/html/prijatelji:
mkdir /var/www/html/prijatelji
cp /var/www/html/index.html /var/www/html/prijatelji/index.html
Pokrenite naredbu telnet localhost 80 i upiite:
GET /prijatelji
Rezultat je poruka o greki 301 Moved Permanently i preusmjeravanje na novi URL.
Ponovite naredbu telnet localhost 80, ali ovaj put upiite
GET /prijatelji/
Basic Authentication
7. Stvorite datoteku www.passwd u direktoriju /etc/httpd/conf na sljedei nain:
htpasswd -c -b /etc/httpd/conf/www.passwd root glavni
htpasswd -b /etc/httpd/conf/www.passwd tux sporedni
Napomena: U prvoj smo naredbi rabili prekida -c koji stvara datoteku, obzirom da prije
pokretanja naredbe ciljna datoteka nije postojala. Da smo u drugoj naredbi
ponovno rabili taj prekida, izgubili bismo sav prethodni sadraj.)
Pogledajte to se nalazi u datoteci /etc/httpd/conf/www.passwd.
U datoteku httpd.conf (direktorij /etc/httpd/conf) dodajte (moe i na kraj
datoteke):
<Directory /var/www/html/prijatelji>
AuthType basic
AuthName "Restricted Stuff"
AuthUserFile conf/www.passwd
Require user root tux
</Directory>
Pokrenite service httpd reload.
Pokuajte pristupiti URL-u http://www.tecaj.hr/prijatelji.
100
Vjebe
__________________________________________________________
Napomena: U ovom smo konkretnom sluaju umjesto Require user root tux
mogli koristiti i direktivu Require valid-user.
Korisnici se takoer mogu grupirati u skupine. U tom bismo sluaju, na
primjer, u datoteku www.group upisali:
prijatelji: root tux
a u httpd.conf bismo napisali:
<Directory /var/www/html/prijatelji>
AuthType basic
AuthName "Restricted Stuff"
AuthUserFile conf/www.passwd
AuthGroupFile conf/www.group
Require group prijatelji
</Directory>
8. Pokrenite naredbu telnet localhost 80 i upiite:
GET /prijatelji/
Prouite rezultat.
Kriptirajte (Base64 encoding) string tux:sporedni:
echo -n "tux:sporedni" | openssl base64 -base64
Rezultat je kod koji emo u nastavku koristi za autentikaciju (na primjer:
dHV4OnNwb3JlZG5p).
Pokrenite naredbu telnet localhost 80 i upiite:
GET /prijatelji/ HTTP/1.1
Authorization: Basic dHV4OnNwb3JlZG5p
Host: localhost
[Enter]
Pogledajte kako to isto izgleda s naredbom curl:
curl -v -u tux:sporedni http://www.tecaj.hr/prijatelji/
101
Vjebe
__________________________________________________________
CNAME
server1.tecaj.hr.
102
Vjebe
__________________________________________________________
Napomena: S obzirom na to da je virtualni posluitelj s direktivom ServerName
www.tecaj.hr naveden prvi u konfiguracijskoj datoteci, on ima najvii
prioritet i moe se smatrati primarnim (default) posluiteljem. To znai da ako
web-posluitelj primi upit koji ne odgovara niti jednoj od direktiva
ServerName (na primjer za posluitelj server1.tecaj.hr), bit e
posluen od strane prvog virtualnog posluitelja navedenog u konfiguracijskoj
datoteci (u naem sluaju www.tecaj.hr).
4. Pistupite (curl, wget ili Firefox) sljedeim URL-ovima:
http://www.tecaj.hr
http://portal.tecaj.hr
http://server1.tecaj.hr
i provjerite radi li sve kako treba.
Sljedea dva primjera pokazuju kako u praksi funkcionira mehnizam virtualnih posluitelja.
Pokrenite naredbu telnet localhost 80 i upiite:
GET / HTTP/1.1
Host: www.tecaj.hr
[Enter]
Zapamtite rezultat i ponovno pokrenite telnet localhost 80. Ovaj put upiite:
GET / HTTP/1.1
Host: portal.tecaj.hr
[Enter]
Uoite razliku u odnosu na prethodni rezultat. to je uzrok razliitim rezultatima? Koji bi
rezultat bio kad bi se ponovila naredba telnet localhost 80 i upisalo: Host:
server1.tecaj.hr?
103
Vjebe
__________________________________________________________
104
Vjebe
__________________________________________________________
Novostvoreni certifikat moete pogledati sljedeom naredbom:
openssl x509 -in /etc/httpd/ssl/trgovina.crt -text -noout | more
4. U zonu tecaj.hr (datoteka /var/named/zone/tecaj.hr) dodajete sljedei zapis:
trgovina
192.168.1.110
PTR
trgovina.tecaj.hr.
105
Vjebe
__________________________________________________________
<VirtualHost 192.168.1.110:443>
SSLEngine on
SSLCertificateFile
SSLCertificateKeyFile
ServerName
DocumentRoot
ServerAlias
CustomLog
ErrorLog
</VirtualHost>
/etc/httpd/ssl/trgovina.crt
/etc/httpd/ssl/trgovina.key
trgovina.tecaj.hr
/var/www/trgovina
trgovina
/var/log/httpd/trgovina-access.log common
/var/log/httpd/trgovina-error.log
<VirtualHost 192.168.1.110:80>
ServerName
trgovina.tecaj.hr
ServerAlias
trgovina
Redirect 301 / https://trgovina.tecaj.hr/
</VirtualHost>
8. Pokrenite naredbu service httpd reload. Nakon toga pristupite sljedeim
URL-ovima:
https://trgovina.tecaj.hr
http://trgovina.tecaj.hr
106
Vjebe
__________________________________________________________
/etc/snmp/snmpd.conf-orig
public
"Srce, Ucionica B"
postmaster@tecaj.hr
3. Pokrenite snmpd:
service snmpd start
chkconfig snmpd on
4. Instalirajte paket net-snmp-utils:
yum install net-snmp-utils
5. Pokrenite sljedee naredbe i prouite rezultate:
snmpwalk -v1 -cpublic 127.0.0.1 syslocation
snmpwalk -v1 -cpublic 127.0.0.1 sysname
snmpwalk -v1 -cpublic 127.0.0.1 system
MRTG
6. Instalirajte paket mrtg:
yum install mrtg
Sauvajte originalnu konfiguracijsku datoteku mrtg.cfg:
mv /etc/mrtg/mrtg.cfg /etc/mrtg/mrtg.cfg-bak
107
Vjebe
__________________________________________________________
7. Stvorite novu konfiguracijsku datoteku /etc/mrtg/mrtg.cfg sljedeom naredbom:
cfgmaker --output=/etc/mrtg/mrtg.cfg \
-ifref=name --global "workdir: /var/www/mrtg/stats" \
public@localhost
8. Stvorite direktorij /var/www/mrtg/stats:
mkdir /var/www/mrtg/stats
9. Paket mrtg je prilikom instalacije stvorio cron-datoteku /etc/cron.d/mrtg. Pogledajte
njezin sadraj.
10. Sauvajte originalnu datoteku /etc/httpd/conf.d/mrtg.conf:
mv /etc/httpd/conf.d/mrtg.conf /etc/httpd/conf.d/mrtg.conf-orig
Stvorite novu datoteku /etc/httpd/conf.d/mrtg.conf sljedeeg sadraja:
Alias /mrtg /var/www/mrtg
<Location /mrtg>
Options Indexes
</Location>
Pokrenite service httpd reload.
11. Pristupite URL-u http://server1.tecaj.hr/mrtg i prouite to se tamo nalazi.
Prouite i sadraj poddirektorija stats.
Stvorite datoteku /var/www/mrtg/stats/index.html sljedeom naredbom:
indexmaker --output /var/www/mrtg/stats/index.html \
--columns=1 /etc/mrtg/mrtg.cfg
i posjetite URL http://server1.tecaj.hr/mrtg/stats.
108
Vjebe
__________________________________________________________
109
Vjebe
__________________________________________________________
110
Vjebe
__________________________________________________________
6. Pokrenite sljedee naredbe i prouite rezultat:
cat /var/log/squid/access.log | calamaris
calamaris -R 5 /var/log/squid/access.log
7. Stvorite direktorij /var/www/html/calamaris:
mkdir /var/www/html/calamaris
Pokrenite naredbu:
calamaris -a -F html \
/var/log/squid/access.log > /var/www/html/calamaris/index.html
Posjetite URL http://server1.tecaj.hr/calamaris.
8. Na kraju, moemo iskljuiti EPEL Repo s popisa paketnih repozitorija.
U datoteci /etc/yum.repos.d/epel.repo sve retke u kojima pie enabled=1
zamijenite s enabled=0.
Napomena: EPEL Repo smo s popisa paketnih repozitorija mogli iskljuiti i na druge
naine. Na primjer: yum-config-manager --disable epel.
Popis paketnih repozitorija moe se ispisati naredbom yum repolist all.
111
Vjebe
__________________________________________________________
"tecaj.hr";
192.168.2.201;
112
Vjebe
__________________________________________________________
Stoga neka datoteka /etc/sysconfig/dhcpd sadri sljedei redak:
DHCPDARGS=eth1
Provjerite postoje li greke u konfiguracijskoj datoteci DHCP-posluitelja:
service dhcpd configtest
Pokrenite dhcpd i postavite da se pokree prilikom svakog pokretanja sustava:
service dhcpd start
chkconfig dhcpd on
Prouite sadraj datoteke /var/lib/dhcpd/dhcpd.leases.
113
Vjebe
__________________________________________________________
114
Vjebe
__________________________________________________________
U zone za koje elite da se dinamiki mijenjaju dodajte:
allow-update { key dhcpupdate; };
U naem sluaju to su zone tecaj.hr i 2.168.192.in-addr.arpa.
Iz zona tecaj.hr i 2.168.192.in-addr.arpa (datoteke tecaj.hr i
2.168.192.in-addr.arpa u direktoriju /var/named/zone) obriite sve podatke za
server2 (ukljuivi i one koje ga definiraju kao sekundarnog name-servera).
Ponovno pokrenite named.
Napomena: Obzirom da sustav server2 nee imati stalnu IP-adresu, nije prikladno da
bude sekundarni name-server. Takoer, njegove smo podatke u potpunosti
izbrisali iz DNS-tablica jer e ubudue te podatke upisivati DHCP-posluitelj.
3. Pomou naredbe nsupdate provjerite je li sve u redu:
nsupdate
> server 192.168.1.100
> key dhcpupdate S9fpDs3dmJQF7k5kGE6U80skG+DuOlAKZnWo5OQXLh4=
(Na ovom mjestu upiite vrijednost Vaeg kljua.)
>
>
>
>
>
>
>
zone tecaj.hr.
update add server5.tecaj.hr. 600 IN A 192.168.2.205
send
zone 2.168.192.in-addr.arpa.
update add 205.2.168.192.in-addr.arpa. 600 IN PTR server5.tecaj.hr.
send
quit
Ukoliko je sve u redu, tada se nakon pokretanja komandi send nee javiti poruka o greki.
Sluei se naredbom nslookup dodatno provjerite radi li sve kako treba:
nslookup server5
nslookup 192.168.2.205
4. Na sustavu server1 na poetak datoteke /etc/dhcp/dhcpd.conf dodajte:
ddns-updates on;
ddns-update-style interim;
update-static-leases on;
ignore client-updates;
include "/etc/dhcp/dhcpupdate.key";
zone tecaj.hr. {
primary 192.168.1.100;
key dhcpupdate;
}
115
Vjebe
__________________________________________________________
zone 2.168.192.in-addr.arpa. {
primary 192.168.1.100;
key dhcpupdate;
}
Ponovno pokrenite dhcpd: service dhcpd restart.
5. Na sustavu server2 izmijenite datoteku /etc/resolv.conf tako da je njezin sadraj
bude:
search tecaj.hr
nameserver 192.168.2.201
Na sustavu server2 zaustavite named i onemoguite njegovo pokretanje prilikom
pokretanja sustava:
service named stop
chkconfig named off
Podesite mreno suelje eth0 na sustavu server2 tako da adresu preuzima od DHCPposluitelja. Neka je sadraj /etc/sysconfig/network-scripts/ifcfg-eth0:
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=dhcp
DHCP_HOSTNAME=server2
Napomena: Uoite novu varijablu DHCP_HOSTNAME.
Ako je potrebno, pokrenite naredbu service network restart.
S ifconfig provjerite je li se promijenila IP-adresa na suelju eth0. Koja je nova
adresa?
Na stroju server1 pogledajte ponovno sadraj datoteke
/var/lib/dhcpd/dhcpd.leases.
Provjerite s nslookup je li zabiljeena promjena IP-adrese stroja server2.
Napomena: Ako runo radite izmjene u sadraju zone koja koristi Dynamic DNS (DDNS),
tada prvo zamrznite zonu: rndc freeze tecaj.hr
Nakon to ste zavrili s izmjenama odmrznite zonu (uitajte izmjene i
ponovno dozvolite DDNS): rndc thaw tecaj.hr
(Sustav e odgovoriti porukom: The zone reload and thaw was
successful.)
116
Vjebe
__________________________________________________________
117
Vjebe
__________________________________________________________
Ako u datoteci olcDatabase={2}bdb.ldif postoji redak koji poinje s
olcConfigFile (na primjer: olcConfigFile: /etc/openldap/slapd.conf.bak),
obriite ga.
Izmijenite sadraj datoteke olcDatabase={1}monitor.ldif
(vi olcDatabase\=\{1\}monitor.ldif) tako da pie:
olcAccess: {0}to * by
dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read by dn.base="cn=Manager,dc=tecaj,dc=hr" read by * none
3. Stvorite datoteku /var/lib/ldap/DB_CONFIG na sljedei nain:
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
118
Vjebe
__________________________________________________________
4. Zadajte naredbu:
ldapsearch -h localhost -D "cn=Manager,dc=tecaj,dc=hr" \
-w 123 -b "dc=tecaj,dc=hr" -s sub "objectclass=*"
Stvorite novu datoteku /etc/openldap/ldap.conf sljedeeg sadraja:
BASE
HOST
dc=tecaj,dc=hr
127.0.0.1
Sada moete pokrenuti prethodnu naredbu u njezinom kraem obliku (bez navoenja
posluitelja i baze):
ldapsearch -D "cn=Manager,dc=tecaj,dc=hr" -w 123 -s sub "objectclass=*"
119
Vjebe
__________________________________________________________
120
Vjebe
__________________________________________________________
Napomena: U ovom emo dijelu vjebe prenijeti samo dio sistemskih podataka u LDAP
(prenijet emo podatke o korisnicima). U stvarnoj bismo situaciji vjerojatno
prenijeli sve podatke (skripta migrate_all_offline.sh).
Ponovno prouite sadraj direktorija /var/lib/ldap. to se promijenilo?
Promijenite atribute datotekama u direktoriju /var/lib/ldap:
chown ldap:ldap /var/lib/ldap/*
Ponovno pokrenite slapd (service slapd start).
Pokrenite sljedee naredbe:
ldapsearch -x -W -D 'cn=Manager,dc=tecaj,dc=hr' \
-b 'ou=People,dc=tecaj,dc=hr' dn cn
ldapsearch -x -w p@ssword -D 'cn=Manager,dc=tecaj,dc=hr' \
-b 'uid=tux,ou=People,dc=tecaj,dc=hr' dn cn uid userPassword
Postavke na klijentima
4. Na sustavu server2 instalirajte paket openldap-clients (umetnite instalacijski medij
u optiki ureaj, potraite odgovarajui paket u direktoriju Packages te instalirajte ga
naredbom rpm, na primjer: rpm -i openldap-clients-2.4.23-31.el6.i686.rpm).
Provjerite radi li prethodna naredba i na sustavu server2:
ldapsearch -x -w p@ssword -h server1 -D 'cn=Manager,dc=tecaj,dc=hr' \
-b 'uid=tux,ou=People,dc=tecaj,dc=hr' dn cn uid userPassword
5. Na sustavu server2 instalirajte pakete nscd, pam_ldap i nss-pam-ladpd.
Na primjer:
rpm -i nscd-2.12-1.107.el6.i686.rpm
rpm -i pam_ldap-185-11.el6.i686.rpm
rpm -i nss-pam-ldapd-0.7.5-18.el6.i686.rpm
6. Preimenujte originalnu datoteku /etc/ldap.conf (ako postoji):
mv /etc/ldap.conf /etc/ldap.conf-orig
121
Vjebe
__________________________________________________________
Stvorite novu datoteku /etc/ldap.conf sa sljedeim sadrajem:
base
dc=tecaj,dc=hr
suffix "dc=tecaj,dc=hr"
uri ldap://192.168.2.201
pam_password md5
Izmijenite datoteku /etc/sysconfig/authconfig tako da pie:
USELDAPAUTH=yes
USELDAP=yes
Na kraj datoteke /etc/nslcd.conf dodajte sljedee retke (ili izmjenite postojee retke
ako navedene direktive ve postoje):
uri ldap://192.168.2.201
base dc=tecaj,dc=hr
Pokrenite naredbe:
chkconfig nslcd on
shutdown -r now
7. Na sustavu server2 izmijenite sadraj datoteke /etc/nsswitch.conf tako da pie:
passwd:
shadow:
ldap files
ldap files
122
Vjebe
__________________________________________________________
Na sustavu server2 izmijenite sadraj datoteke /etc/nsswitch.conf tako da sada
pie:
passwd:
files
files
Napomena: U ovoj smo vjebi sve izmjene na posluitelju server2 radili runo. Izmjene
je mogue napraviti i pomou grafikog alata
system-config-authentication i(li) pomou tekstne aplikacije
authconfig-tui.
123
Vjebe
__________________________________________________________
/etc/sysconfig/iptables /etc/sysconfig/iptables-orig
INPUT
INPUT
INPUT
INPUT
INPUT
-m
-m
-m
-m
-m
state
state
state
state
state
--state
--state
--state
--state
--state
NEW
NEW
NEW
NEW
NEW
-p
-p
-p
-p
-p
udp
tcp
tcp
tcp
tcp
--dport
--dport
--dport
--dport
--dport
53 -j ACCEPT
389 -j ACCEPT
3128 -j ACCEPT
80 -j ACCEPT
443 -j ACCEPT
Pokrenite naredbu:
service iptables restart
Na sustavu server2 ponovno provjerite moete li pristupiti ranije navedenim servisima.
124
Vjebe
__________________________________________________________
Transparentni web-posrednik
3. Sustav server1 podesit emo tako da se ponaa kao transparentan web-posrednik
(samo za port 80). To emo napraviti tako da sve web-konekcije (na port 80) koje prolaze
kroz sustav server1 a dolaze iz interne mree, preusmjerimo na web-posrednika (Squid)
na portu 3128. Squid emo podesiti tako da radi kao transparentan posrednik.
Na sustavu server1 na kraj datoteke /etc/sysconfig/iptables dodajte sljedee
retke:
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
COMMIT
Izmijenite sadraj datoteke /etc/squid/squid.conf tako da pie:
http_port 3128 intercept
Ako nije ukljuen, ukljuite ip-forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Ponovno pokrenite vatrozid i Squid:
service iptables restart
service squid restart
4. Na sustavu server2 pokuajte pristupiti web-sadrajima izvan lokalne mree bez
vidljive uporabe posrednika.
Na primjer:
wget http://www.srce.hr
ili podesite Firefox tako da ponovno ne koristi web-posrednika (pogledajte vjebu 12) i
pokuajte pristupiti nekom sadraju izvan lokalne mree (na primjer
http://www.srce.hr).
NAT
5. Na sustavu server1 u datoteku /etc/sysconfig/iptables na odgovarajue mjesto
(prije direktiva s REJECT, na primjer iza direktiva koje su upisane u koraku 2 ove vjebe)
dodajte sljedee retke:
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
125
Vjebe
__________________________________________________________
Izmijenite direktive u sekciji nat (one se nalaze na kraju datoteke, pogledajte korak 3 ove
vjebe). Neka ta tablica izgleda ovako:
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Obriite ranije unesene direktive za transparentnog web-posrednika:
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128
126
Vjebe
__________________________________________________________
127
Vjebe
__________________________________________________________
Dodatne informacije
DNS
BIND9 Master and Slave DNS Server setup on CentOS 6.5 (Dorin Ocsovszki)
http://ocsovszki-dorian.blogspot.com/2013/12/bind9-master-and-slave-dns-serversetup.html
Using the rndc Utility
http://access.redhat.com/site/documentation/enUS/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s2-bind-rndc.html
DNSSEC verification with dig
http://backreference.org/2010/11/17/dnssec-verification-with-dig/
Securing Zone Transfers With Bind 9 (John Cartwright)
http://www.grok.org.uk/docs/tsig.html
HOWTO turn BIND into a Validating Resolver (Rick van Rein)
http://dnssec.surfnet.nl/?p=402
Validating and Exploring DNSSEC with dig (Mark Bryars)
http://bryars.eu/2010/08/validating-and-exploring-dnssec-with-dig/
Sendmail
Understanding SMTP Error Messages (Heinz Tschabitscher)
http://email.about.com/cs/standards/a/smtp_error_code.htm
SMTP reply codes
http://www.greenend.org.uk/rjk/tech/smtpreplies.html
SMTP Commands (Andy Welter)
http://the-welters.com/professional/smtp.html
Overriding File Security Checks
http://www.sendmail.com/sm/open_source/tips/DontBlameSendmail/
Postfix
Postfix Standard Configuration Examples
http://www.postfix.org/STANDARD_CONFIGURATION_README.html
Majordomo
Majordomo
http://www.greatcircle.com/majordomo/
Creating a Majordomo E-Mail List
http://www.gsp.com/support/virtual/email/majordomo/list/
128
Vjebe
__________________________________________________________
Procmail
Procmail (Red Hat Linux 7.2: The Official Red Hat Linux Reference Guide)
http://www.centos.org/docs/2/rhl-rg-en-7.2/s1-email-procmail.html
Mail Filtering with Procmail (Ian Soboroff)
http://userpages.umbc.edu/~ian/procmail.html
Introduction to Procmail
http://partmaps.org/era/mail/procmail-presentation.html
Apache SpamAssassin Used via Procmail
http://wiki.apache.org/spamassassin/UsedViaProcmail
Apache
How To Create a SSL Certificate on Apache for CentOS 6 (Etel Sverdlov)
http://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-onapache-for-centos-6
How To Set Up Apache Virtual Hosts on CentOS 6 (Etel Sverdlov)
http://www.digitalocean.com/community/articles/how-to-set-up-apache-virtual-hosts-oncentos-6
VirtualHost Examples
http://httpd.apache.org/docs/current/vhosts/examples.html
Using User Authentication
http://www.apacheweek.com/features/userauth
Common Apache Misconfigurations (Paul Waring)
http://wiki.apache.org/httpd/CommonMisconfigurations
HTTP
Testing Basic Authentication with telnet and openssl
http://community.mcafee.com/thread/41920
SNMP
Install and configure SNMP on RHEL or CentOS
http://www.it-slav.net/blogs/2008/11/11/install-and-configure-snmp-on-rhel-or-centos/
MRTG
MRTG 2.17.4 configuration reference (Tobias Oetiker)
http://oss.oetiker.ch/mrtg/doc/mrtg-reference.en.html
MRTG Implementation Manual (Florin Prunoiu)
http://www.enterastream.com/whitepapers/mrtg/mrtg-manual.html
129
Vjebe
__________________________________________________________
SQUID
cachemgr (Cache Manager) configuration for Squid (Nikesh Jauhari)
http://linuxpoison.blogspot.com/2008/06/cachemgr-cache-manager-configuration.html
DDNS
Dynamic DNS and DHCP (Jordan Sissel)
http://www.semicomplete.com/articles/dynamic-dns-with-dhcp/
DDNS
http://wiki.debian.org/DDNS
LDAP
Setting up OpenLDAP on CentOS 6
http://docs.adaptivecomputing.com/viewpoint/hpc/Content/topics/1setup/installSetup/settingUpOpenLDAPOnCentos6.htm
Minimal LDAP configuration on RHEL6 in stages and details
http://spectlog.com/content/Minimal_LDAP_configuration_on_RHEL6_in_stages_and_details
Introduction to LDAP (Brad Marshall)
http://quark.humbug.org.au/publications/ldap/ldap_tut.html
OpenLDAP Software 2.4 Administrator's Guide
http://www.openldap.org/doc/admin24/
Installing OpenLDAP on Redhat / CentOS 6.3 (Suneet Shah)
http://wiki.openiam.com/pages/viewpage.action?pageId=7635198
LDAP authentication using pam_ldap and nss_ldap
http://www.tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/pamnss.html
CentOS : secure OpenLDAP traffic with SSL
http://blog.wains.be/2007/07/13/centos-secure-openldap-traffic-with-ssl/
PAM
Pluggable Authentication Modules (PAM)
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-pam.html
130
Vjebe
__________________________________________________________
How PAM works
http://www.tuxradar.com/content/how-pam-works
Understanding and configuring PAM (Vishal Srivistava)
http://www.ibm.com/developerworks/linux/library/l-pam/index.html
NIS
Configuring NIS under Red Hat Linux
http://bradthemad.org/tech/notes/redhat_nis_setup.php
iptables
NAT with Linux and iptables
http://www.karlrupp.net/en/computer/nat_tutorial
Fundamentals of iptables (Rajnesh Kumar Siwal)
http://www.youtube.com/watch?v=fQF2vEvqHgU
131
Vjebe
__________________________________________________________
132
133
134
A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document,
and from those of previous versions (which should, if there were any, be listed in the History
section of the Document). You may use the same title as a previous version if the original
publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or entities responsible for
authorship of the modifications in the Modified Version, together with at least five of the
principal authors of the Document (all of its principal authors, if it has fewer than five), unless
they release you from this requirement.
C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications adjacent to the other copyright
notices.
F. Include, immediately after the copyright notices, a license notice giving the public
permission to use the Modified Version under the terms of this License, in the form shown in
the Addendum below.
G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts
given in the Document's license notice.
H. Include an unaltered copy of this License.
I. Preserve the section Entitled "History", Preserve its Title, and add to it an item stating at
least the title, year, new authors, and publisher of the Modified Version as given on the Title
Page. If there is no section Entitled "History" in the Document, create one stating the title,
year, authors, and publisher of the Document as given on its Title Page, then add an item
describing the Modified Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the Document for public access to a
Transparent copy of the Document, and likewise the network locations given in the Document
for previous versions it was based on. These may be placed in the "History" section. You may
omit a network location for a work that was published at least four years before the Document
itself, or if the original publisher of the version it refers to gives permission.
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title of the
section, and preserve in the section all the substance and tone of each of the contributor
acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their titles.
Section numbers or the equivalent are not considered part of the section titles.
M. Delete any section Entitled "Endorsements". Such a section may not be included in the
Modified Version.
N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in title with
any Invariant Section.
O. Preserve any Warranty Disclaimers.
If the Modified Version includes new front-matter sections or appendices that qualify as Secondary
Sections and contain no material copied from the Document, you may at your option designate some
or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the
Modified Version's license notice. These titles must be distinct from any other section titles.
You may add a section Entitled "Endorsements", provided it contains nothing but endorsements of
your Modified Version by various parties--for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words
as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage
of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made
by) any one entity. If the Document already includes a cover text for the same cover, previously added
by you or by arrangement made by the same entity you are acting on behalf of, you may not add
another; but you may replace the old one, on explicit permission from the previous publisher that
added the old one.
135
136
137