SUSE Linux Enterprise Server Administration (Course 3037)

1
SUSE Linux Enterprise Server Administration
(Course 3037)

• Chapter 9
• Enable Internet Services

2
Objectives

• Configure SUSE Linux Enterprise Server Time
• Enable a Web Server (Apache)
• Enable the Extended Internet Daemon (xinetd)
• Enable an FTP Server

3
Configure SUSE Linux Enterprise Server Time

• Objectives
• SUSE Linux Enterprise Server Time Overview
• How to Synchronize Time with hwclock and netdate
• What Network Time Protocol (NTP) Is
• How to Synchronize Time with NTP

4
SUSE Linux Enterprise Server Time Overview

• Hardware clock and system clock
• Hardware clock
• Runs independently of any control program
• Part of the ISA standard
• Also called the BIOS clock or CMOS clock
• System time
• Time kept by a clock inside the Linux kernel
• Driven by a timer interrupt
• Number of seconds since 000000 January 1, 1970,
  UTC
• Synchronized to the hardware clock when Linux
  first starts

5
SUSE Linux Enterprise Server Time Overview
(continued)

• Hardware clock and system clock (continued)
• date and adjtimex commands
• Adjust system time
• ntpd
• Regulates the system clock
• hwclock command
• Sets the hardware clock
• Linux kernel maintains local time zone for the
  system

6
SUSE Linux Enterprise Server Time Overview
(continued)

• GMT (UTC) and local time
• UTC (Universal Time Coordinated)
• Also referred to as GMT (Greenwich mean time)
• Variable HWCLOCK in /etc/sysconfig/clock has the
  value -u
• Local time
• Variable HWCLOCK has the value --localtime
• Time configuration files
• Current time (system time) is calculated using
  variable TIMEZONE
• In the file /etc/sysconfig/clock

7
SUSE Linux Enterprise Server Time Overview
(continued)

• Time configuration files (continued)
• Directory /usr/share/zoneinfo/
• Database of all time zones
• cat /proc/driver/rtc
• Displays the hardware clock time

8
How to Synchronize Time with hwclock and netdate

• How to use hwclock
• Tool for accessing the hardware clock
• Displays the current time
• Sets the hardware clock to a specified time
• Sets the hardware clock to the system time
• Sets the system time from the hardware clock
• Run hwclock periodically
• To insert or remove time from the hardware clock
• Uses device special file /dev/rtc

9
How to Synchronize Time with hwclock and netdate
(continued)
10
How to Synchronize Time with hwclock and netdate
(continued)

• How to use netdate
• Sets up the system time once only
• Syntax netdate timeserver1 timeserver2. . .
• timeserver represents a time server on a network
• netdate client compares server times with its own
  time
• Time differences are sorted into groups and used
  to update time on the local server
• Syntax netdate time_source
• Synchronizes time to a specific external time
  source
• hwclock --systohc or hwclock w
• Sets the hardware clock to the system clock time

11
What Network Time Protocol (NTP) Is

• NTP
• Industry standard protocol
• Uses UDP on port 123 to communicate between time
  providers and time consumers
• NTP time provider
• Server that provides NTP time
• NTP time consumer
• Seeks NTP time from an NTP time provider
• NTP synchronizes clocks to the UTC standard
• Keeps track of consistent time variations

12
What Network Time Protocol (NTP) Is (continued)

• Stratum
• Designation of the location of servers in NTP
  tree hierarchy
• NTP daemon (xntpd)
• Used by server and client to give and obtain time
• Designed to adjust time continuously
• Regularly correcting local computer clock on the
  basis of collected correction data
• Continuously correcting local time with the help
  of time servers in the network
• Enabling management of local reference clocks

13
What Network Time Protocol (NTP) Is (continued)
14
What Network Time Protocol (NTP) Is (continued)

• NTP terms
• Drift
• ntpd measures and corrects for incidental clock
  frequency error
• And writes the current value to a file
  /etc/ntp/drift
• Jitter
• Estimated time error of the peer clock
• How the NTP daemon works
• Automatically synchronizes system time
• With a time server on an ongoing basis

15
What Network Time Protocol (NTP) Is (continued)

• How the NTP daemon works (continued)
• Correction takes place in small increments
• Synchronizations occur about once per minute
• Increasing gradually to once per 17 minutes
• Slewing
• NTP adjustment for small time differences
• Stepping
• NTP adjustment for large time differences
• NTP averages the results of several time exchanges

16
How to Synchronize Time with NTP

• Start NTP from the command line
• Start script is /etc/init.d/xntpd
• Central configuration file is /etc/ntp.conf
• Start NTP daemon using rcxntpd start
• Stop NTP daemon using rcxntpd stop
• Restart NTP daemon using rcxntpd restart
• Check status using rcxntpd status
• Start NTP automatically when system boots
• insserv /etc/init.d/xntpd

17
How to Synchronize Time with NTP (continued)

• Adjust the time with ntpdate
• Perform a one-time update of the client to the
  server
• rcxntpd stop
• ntpdate timeserver
• hwclock --systohc
• rcxntpd start
• Configure the NTP server (/etc/ntp.conf)
• Add following entries to /etc/ntp.conf
• server 127.127.1.0 local clock (LCL)
• fudge 127.127.1.0 stratum 10 LCL is
  unsynchronized

18
How to Synchronize Time with NTP (continued)

• Configure the NTP server (/etc/ntp.conf)
  (continued)
• Entries for current time
• Outside source of synchronized time
• server ptbtime1.ptb.de
• server ptbtime2.ptb.de
• Synchronization methods
• Polling
• Broadcasting
• Entries including name for the drift file
• driftfile /var/lib/ntp/drift/ntp.drift
• logfile /var/log/ntp

19
How to Synchronize Time with NTP (continued)

• Configure an NTP client with YaST
• Start YaST NTP Client module
• Configure NTP client to start each time you boot
  your system
• Enter an NTP server
• Configure your server to synchronize against
  multiple remote hosts
• Or against a locally connected clock (optional)
• Configure the NTP client by selecting Finish
• Close the YaST Control Center (optional)

20
How to Synchronize Time with NTP (continued)
21
How to Synchronize Time with NTP (continued)

• Trace the time source with ntptrace
• ntptrace
• Traces source of time that a time consumer is
  receiving
• Lists
• Client name
• Its stratum
• Its time offset from the local host
• Synchronization distance
• ID of the reference clock attached to a server
• Synchronization distance is a measure of clock
  accuracy

22
How to Synchronize Time with NTP (continued)

• Query the NTP daemon status
• Enter ntpq d to display information such as
• remote
• refid
• st
• when
• poll
• reach
• delay
• offset
• jitter

23
Exercise 9-1 Configure Linux Time with NTP

• In this exercise, you do the following
• Part I Check System Time and Hardware Clock Time
• Part II Enable NTP Client with YaST

24
Enable a Web Server (Apache)

• Objectives
• How a Web Server Works
• Apache and SUSE Linux Enterprise Server
• How to Configure an Apache HTTP Server with YaST

25
How a Web Server Works

• What a Web server is
• Software program that runs on a host computer
• And delivers files over the Internet
• Lets you publish Hypertext Markup Language (HTML)
  documents
• Can also distribute many other types of files
• Must be physically connected to a TCP/IP-based
  network

26
How a Web Server Works (continued)

• How a Web server labels content types
• Web browser relies on a Multipurpose Internet
  Mail Extension (MIME) header
• To correctly identify and display document types
• More than 360 MIME types are included with the
  Apache Web server
• URL components
• Protocol, such as http//, https//, ftp//
• Domain, can be divided into two parts
• Resource, specifies full path to the resource

27
How a Web Server Works (continued)

• How a Web server delivers content
• Web server works in a client-server relationship
• Client programs are usually Web browsers
• Client program requests information
• Apache then delivers the actual resource
• HTML pages can be stored in a directory
• Requests and transfers use HTTP
• Which is part of the TCP/IP suite of protocols
• Commands and data are passed to port 80
• Through a TCP connection

28
Apache and SUSE Linux Enterprise Server

• Installation of Apache packages
• Basic installation, select package apache2
• Multiprocessing, install apache2-prefork or
  apache2-worker
• Documentation, install apache2-doc
• Development and compilation, install
  apache2-devel
• Activating Apache
• Activate it in the runlevel editor
• Test Apache entering http//localhost/ in a Web
  browser

29
Apache and SUSE Linux Enterprise Server
(continued)

• Storing Web resource files for Apache
• Static Web pages
• Place your files in /srv/www/htdocs/
• Custom CGI scripts
• Store custom CGI scripts in /srv/www/cgi-bin/
• Log files
• Apache writes log messages to /var/log/apache2/acc
  ess_log

30
Apache and SUSE Linux Enterprise Server
(continued)

• Expanding Apache functionality
• Apache can execute CGI scripts in diverse
  programming languages
• There are modules for secure data transmission
• In Apache2 almost everything is handled by means
  of modules
• Apache 2 does not necessarily need to be a Web
  server
• There is a proof-of-concept POP3 server module
  based on Apache

31
Apache and SUSE Linux Enterprise Server
(continued)

• Security guidelines for Apache Web server
• Limit unneeded servers
• Limit access to DocumentRoot
• Specify subdirectories for user Web content
• Keep updated on vulnerabilities

32
How to Configure an Apache HTTP Server with YaST

• Steps
• Start the YaST HTTP Server module
• Enable the HTTP server by selecting Enabled
• Adapt the firewall to the ports where Apache2
  listens (optional)
• Edit HTTP server settings
• View existing HTTP server logs
• Save the settings
• Close the YaST Control Center (optional)

33
How to Configure an Apache HTTP Server with YaST
(continued)
34
Exercise 9-2 Enable a Basic Apache Web Server

• In this exercise, you do the following
• Part I Configure an Apache Server
• Part II Test the Apache Server Configuration

35
Enable the Extended Internet Daemon (xinetd)

• Objectives
• What inetd Is
• How to Configure xinetd with YaST
• How to Manage xinetd Manually
• How to Configure the TCP Wrapper

36
What inetd Is

• Many services are administered and started
  through inetd or xinetd
• Acts as a mediator of connection requests for a
  series of services
• Advantage
• Saving resources (especially memory)
• Disadvantage
• Delay occurs while the required service is
  loaded, started, and connected
• Use inetd for services that are occasionally
  needed

37
How to Configure xinetd with YaST

• Steps
• Start the YaST Network Services (inetd) module
• Enable the inetd super daemon
• Configure a service to be administered by inetd
• Change the status of all installed services to on
  or off (optional)
• Save the configuration setting and start the
  inetd (or xinetd) daemon
• Close the YaST Control Center (optional)

38
How to Configure xinetd with YaST (continued)
39
How to Manage xinetd Manually

• Start, stop, and restart xinetd
• /etc/init.d/xinetd script started by xinetd
• insserv xinetd
• Automatically starts xinetd at boot
• rcxinetd status
• Verify whether daemon is activated or not
• rcxinetd start or rcxinetd stop
• Manually start and stop the xinetd daemon

40
How to Manage xinetd Manually (continued)

• Configure xinetd
• How to Edit the File /etc/xinetd.conf
• Default parameters syntax
• defaults
• key operator parameter parameter. . .
• Service syntax
• service service_name
• key operator parameter parameter. . .
• Operators include , -, and

41
How to Manage xinetd Manually (continued)

• Configure xinetd (continued)
• How to Edit the File /etc/xinetd.conf
• First entry is optional and enables default
  configurations
• Other entries contain configuration for the
  respective network service
• The directory /etc/xinetd.d/
• Holds configuration file for every service
• Directive includedir /etc/xinetd.d
• Prompts xinetd to interpret all files in this
  directory
• Using separate files improves transparency

42
How to Manage xinetd Manually (continued)
43
How to Manage xinetd Manually (continued)

• Configure xinetd (continued)
• Internal services example
• /etc/xinet.d/echo
• default off
• description An echo server. This is the tcp
  version.
• service echo
• type INTERNAL
• id echo-stream
• socket_type stream
• protocol tcp
• user root
• wait no
• disable yes

44
How to Manage xinetd Manually (continued)
45
How to Manage xinetd Manually (continued)

• Configure access control
• Parameters
• only_from
• Defines which hosts can use which service
• no_access
• Defines which hosts can be excluded from access
• access_time
• Defines at which times the service is available
• disabled
• Completely shuts off a server
• Can only be used in the defaults section

46
How to Manage xinetd Manually (continued)

• Configure log files
• Record failed and unauthorized connection
  attempts
• Shut off a service but still retain its logging
  functions
• Configure only_from without using any additional
  parameters
• Logging through xinetd is controlled by the
  log_type statement
• Along with the attributes log_on_success and
  log_on_failure
• Log the circumstances of how and why the network
  service was used

47
How to Configure the TCP Wrapper

• The role of the tcpd daemon
• Regulates access to inetd services
• Wrapper acts as a filter
• Steps
• Logs name and address of requesting host
• Verifies if the request is permitted
• Starts the corresponding daemon
• Then the wrapper is deleted from memory
• After an authorized server has started
• It can accept additional connections
• Without consulting the wrapper

48
How to Configure the TCP Wrapper (continued)

• How to configure access controls
• Edit /etc/hosts.allow and /etc/hosts.deny files
• Files syntax daemon host option option
  ...
• Examples
• /etc/hosts.allow
• ALL pluto.example.com
• ALL EXCEPT vsftpd mars.example.com
• vsftpd andromeda.example.com
• /etc/hosts.deny
• ALL ALL

49
How to Configure the TCP Wrapper (continued)
50
How to Configure the TCP Wrapper (continued)
51
How to Configure the TCP Wrapper (continued)

• How to check the TCP wrapper
• Use tcpdchk command
• tcpdmatch command
• Provides information about how tcpd would handle
  various types of access attempts
• Moles and trappers
• You can enter shell commands in the configuration
  files
• To be executed when request matches a pattern
• Example
• ALL ALL spawn echo "Access of u_at_h to d" gtgt
  /var/log/net.log

52
How to Configure the TCP Wrapper (continued)
53
Exercise 9-3 Configure the Internet Daemon
(xinetd) and TCP Wrappers

• In this exercise, you do the following
• Part I Enable xinetd Services with YaST
• Part II Enable xinetd Services Manually
• Part III Configure TCP Wrappers

54
Enable an FTP Server

• Objectives
• The Role of an FTP Server
• How FTP Works
• Advantages of PureFTPd Server
• How to Install and Run PureFTPd Server
• How to Configure PureFTPd Server

55
The Role of an FTP Server

• Basic features
• Sending, receiving, deleting, and renaming files
• Creating, deleting, and changing directories
• Transferring data in binary or ASCII mode
• Allows accesses after authentication against a
  password database
• These are the files /etc/passwd and /etc/shadow
• PureFTPd supports authentication against its own
  password database
• Guest access can be set up as anonymous FTP

56
How FTP Works

• Uses two TCP connections
• One sends FTP command (port 21)
• Second connection is created when a file is ready
  for transfer
• Types of data transfer
• Active data transfer
• FTP client offers FTP server an unprivileged TCP
  port for data channel connection (port 20)
• Passive data transfer
• FTP server offers FTP client an unprivileged TCP
  port for a data channel connection

57
Advantages of PureFTPd Server

• PureFTPd features
• Consistent use of chroot environments
• Uncomplicated configuration of virtual FTP
  servers
• Virtual users independent of the system users
  listed in the file /etc/passwd
• Configuration via command-line parameters or with
  a configuration file

58
How to Install and Run PureFTPd Server

• Use YaST Install and Remove Software module
• To install the PureFTPd server
• /etc/pure-ftpd/pure-ftpd.conf
• Configuration file
• Run PureFTPd server
• From the command line
• Enter pure-ftpd options
• From a start script
• Enter /etc/init.d/pure-ftpd start (or rcpure-ftpd
  start)
• Enter rcpure-ftpd stop to stop the service

59
How to Install and Run PureFTPd Server (continued)

• Run PureFTPd server (continued)
• From a start script
• insserv /etc/init.d/pure-ftpd to initialize
  pure-ftp upon start-up
• From inet.d
• Add a corresponding entry to the file
  /etc/inetd.conf
• Example
• ftp stream tcp nowait root /usr/sbin/tcpd
  pure-ftpd -A -i

60
How to Configure PureFTPd Server

• How to configure anonymous FTP
• You need to have an FTP user and home directory
  in the file /etc/passwd
• You do not need to create any subdirectories
• You can also use command pure-ftp
• Files uploaded to the server belong to the user
  ftp
• How to configure FTP with virtual hosts for
  anonymous FTP
• Virtual FTP hosts allow a number of FTP sites to
  be hosted on one machine

61
How to Configure PureFTPd Server (continued)

• How to configure FTP with virtual hosts for
  anonymous FTP (continued)
• Create virtual network devices
• Using ifconfig
• Create symbolic link in /etc/pure-ftpd/
• How to configure FTP for authorized users
• Important for those who are hosting Web sites
• Use pure-ftpd command
• pure-ftpd -A E
• pure-ftpd -a 500 -E

62
How to Configure PureFTPd Server (continued)

• How to configure FTP with virtual users not
  included in /etc/passwd
• PureFTP users are separated from system users
• And can only access the system by FTP
• Administer PureFTPd users in a separate database
• Create a system user with useradd
• Create the FTP users with pure-pw
• Specify options such as quotas or size limits in
  MB
• Regenerate password file using pure-pw mkdb
• Start PureFTPd with -j

63
How to Manage PureFTPd Logs

• PureFTPd sends messages to the syslog daemon
• PureFTPd can also write its own log files
• Use option -O formatlogfile
• Format can be clf, stats, or w3c
• You can also modify PureFTP configuration file

64
Exercise 9-4 Configure Anonymous PureFTPd Access

• In this exercise, you will configure anonymous
  PureFTPd access

65
Summary

• System time is maintained by the interrupt timer
• And obtained from the computer hardware clock
• netdate utility
• Synchronizes system time
• With that of another computer on the network
• NTP
• Accurately coordinates system time on your
  network
• NTP automatically adjusts for local time drift
• To configure NTP, you may use YaST
• Or edit the /etc/ntp.conf file

66
Summary (continued)

• Apache Web server (httpd)
• The most common Web server on Linux systems
• Internet Super Daemon (inetd) or Extended
  Internet Super Daemon (xinetd)
• Used to start some network daemons
• TCP wrapper daemon (tcpd)
• Used with inetd or xinetd to provide additional
  security
• File Transfer Protocol (FTP)
• Main TCP/IP protocol to transfer files across the
  Internet

67
Summary (continued)

• PureFTPd server
• Installed and used on SLES to provide FTP
  services to clients
• Configure PureFTPd
• Use pure-ftpd command
• Or entries in the /etc/pure-ftpd/pure-ftpd.conf
  file