Note the following in regard to the hosts file. A host may have several “aliases.” In the previous code, the host may be addressed as grumpy.plc.com, its fully qualified host name. The names grumpy and loghost are nicknames that it will also answer to. Not every host connected to the corporate network needs to be listed in the hosts file; typically, only those hosts routinely contacted are listed. For security reasons, root is the only user who can edit the /etc/hosts file. If a host routinely communicates with many hosts (e.g., more than a dozen) on the network, maintaining a large hosts file can become cumbersome. If this is the case, consider using an on-line distributed name service database, such as the Domain Name System (DNS) or Network Information Service (NIS+).

WARNING: Trailing blank characters on a line in the hosts file may cause that entry to fail.
Each network interface will probably have a unique host name assigned to it. For example, a multi-homed machine with an hme0 and le0 interface on separate networks might be called thishost on one network interface and thishostthat_subnetwork on another. The /etc/hosts file should list both addresses for the host in order to facilitate mapping the unique interface names to an IP address. The following example shows the host name files for a host with two hme interfaces connected to two different networks. The host is registered as wazoo on one network and wazoo-206 on the second network.

    # more /etc/hostname.hme0
    wazoo
    # more /etc/hostname.hme1
    wazoo-206

WARNING: The name in the hostname.if_name file must resolve at boot time. It is wise to use IP addresses instead of the host’s name. Alternatively, you can have an entry in the /etc/hosts file for each hostname.if_name entry on the machine. Failure to use resolvable names will result in interfaces that cannot be configured at boot time.
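As an added example (not from the book), the following Python script parses a constructed /etc/hosts, maps every canonical name and alias to its address, flags the trailing-blank condition the hosts file WARNING describes, and then checks that the value in each hostname.if_name file (constructed contents for hme0 and hme1) resolves either as a literal IP address or through the hosts map, which is the boot-time condition the second WARNING describes.

```python
import ipaddress

# Constructed sample /etc/hosts (not from the book); the last entry carries a
# trailing blank to exercise the check described in the WARNING above.
SAMPLE_HOSTS = (
    "# constructed example\n"
    "127.0.0.1\tlocalhost\n"
    "172.16.25.96\tgrumpy.plc.com\tgrumpy loghost\n"
    "172.16.25.10\twazoo\n"
    "172.16.206.10\twazoo-206 \n"
)

# Constructed contents of /etc/hostname.hme0 and /etc/hostname.hme1.
SAMPLE_HOSTNAME_FILES = {"hme0": "wazoo\n", "hme1": "wazoo-206\n"}


def parse_hosts(text):
    """Return (name -> address map, list of warnings).

    Every name on an entry line (canonical name and all aliases) maps to that
    line's address. Entry lines with trailing blanks are reported because such
    entries may fail to match.
    """
    names = {}
    warnings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # strip trailing comments
        if not line.strip():
            continue
        if raw != raw.rstrip():
            warnings.append(f"line {lineno}: trailing blank characters")
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            warnings.append(f"line {lineno}: bad address {fields[0]!r}")
            continue
        for name in fields[1:]:
            names[name] = str(addr)
    return names, warnings


def check_interface_names(hostname_files, names):
    """For each hostname.if_name file, report the address its value resolves to.

    A literal IP address always resolves; a name must appear in the hosts map.
    Returns {interface: address or None (unresolvable at boot)}.
    """
    result = {}
    for ifname, content in hostname_files.items():
        words = content.split()
        value = words[0] if words else ""
        try:
            result[ifname] = str(ipaddress.ip_address(value))
        except ValueError:
            result[ifname] = names.get(value)
    return result


if __name__ == "__main__":
    hosts, warnings = parse_hosts(SAMPLE_HOSTS)
    for w in warnings:
        print("WARNING:", w)
    for ifname, addr in check_interface_names(SAMPLE_HOSTNAME_FILES, hosts).items():
        print(f"{ifname}: {'ok ' + addr if addr else 'UNRESOLVABLE at boot'}")
```

Run against the real files by reading /etc/hosts and each /etc/hostname.* into the two arguments; an interface reported as unresolvable is one that will not be configured at boot.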
In general, ports numbered 0 through 512 are reserved Internet protocol ports. These port numbers are assigned to particular services by the NIC. Port numbers between 512 and 1024 are generally recognized UNIX network service ports. These ports are not reserved, but are generally treated as though they were reserved port numbers. Port numbers above 1024 are unassigned, and may be used for local network services as required by the site.

NOTE: The use of ports not assigned by the NIC may vary from site to site. Some sites may reserve a group of ports above 1024 for internal use. Checking with the local network administrator before assigning local ports and/or services is recommended.
You may want to limit the service requests a machine answers. This is done by removing the service from the /etc/inetd.conf file (or by removing the file from /etc/xinetd.d) and restarting inetd/xinetd. Conversely, to add a new service to a host, add information to the /etc/inetd.conf file (or add the appropriate configuration file to the /etc/xinetd.d directory) and then restart inetd/xinetd.

TIP: It is sometimes possible to send a signal to the inetd process to cause it to reread the configuration file. This is achieved by sending a HUP signal, with kill -HUP, to the process ID (PID) of the running inetd process. For example, if the inetd process is running with a PID of 73, the command kill -HUP 73 should cause the inetd process to reread the configuration file.
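The following added example (not code from the book) carries out the inetd.conf side of the procedure above in Python: it lists the services an inetd.conf currently enables, comments out the ones named, and, once the edited file is written back, signals the daemon to reread it. The inetd.conf contents are constructed; the PID is a parameter because how it is discovered varies by system.

```python
import os
import signal

# Constructed sample inetd.conf (not from the book); finger is already disabled.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
echo    dgram   udp  wait    root    internal
"""


def enabled_services(text):
    """Names of the services inetd would answer for (non-comment lines)."""
    return [line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def disable_services(text, names):
    """Comment out the listed services; return (new text, services disabled)."""
    out, disabled = [], []
    for line in text.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and fields[0] in names:
            out.append("#" + line)
            disabled.append(fields[0])
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def reload_inetd(pid):
    """Ask a running inetd (given its PID) to reread its configuration."""
    os.kill(pid, signal.SIGHUP)


if __name__ == "__main__":
    print("enabled before:", enabled_services(SAMPLE_INETD_CONF))
    new_conf, gone = disable_services(SAMPLE_INETD_CONF, {"telnet", "echo"})
    print("disabled:", gone)
    print("enabled after:", enabled_services(new_conf))
```

On a live host, read /etc/inetd.conf into the text argument, write the result back as root, and then call reload_inetd with the daemon's PID (or restart inetd) so the change takes effect.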
The files entry tells the system to check the configuration files located on the host’s file systems. The dns entry tells the host to try to resolve host names using the DNS if the host name was not found in the local configuration files. Some systems allow for more complicated processing of the service switch file. For example, many operating systems allow the administrator to explicitly state what should happen in the case of lookup failures. Solaris and HPUX allow the following result/action values in the service switch file.

[NOTFOUND=action] : Causes the lookup to perform the action if the preceding service could not perform the resolution
[SUCCESS=action] : Causes the system to perform action upon a successful lookup
[UNAVAIL=action] : Causes the system to perform action if the resolution method was not available
[TRYAGAIN=action] : Causes the system to perform action if the resolution method was busy, or not responding

Note that the action taken upon satisfying the condition may be return or continue. The return action tells the system to return a failed status, whereas the continue action tells the system to try the next resolution method in the list. In addition, the TRYAGAIN keyword allows the action forever, with an optional limit on the number of times the action will actually be retried.
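As an added example (not from the book), the following Python code parses a service switch line such as “hosts: files [NOTFOUND=return] dns” and walks the resolution methods with the status/action semantics described above. The resolution methods themselves are replaced by a constructed lookup table (sample_lookup), and a numeric TRYAGAIN action is treated as a retry count, which is an assumption of this example; forever is capped at max_forever retries so the simulation terminates.

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# Default actions: stop on success, otherwise fall through to the next source.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_switch_line(line):
    """Parse 'db: source [STATUS=action ...] source ...'.

    Returns (db, [(source, actions)]); a bracketed criterion applies to the
    source immediately preceding it.
    """
    db, _, rest = line.partition(":")
    sources = []
    for tok in re.finditer(r"\[[^\]]*\]|\S+", rest):
        t = tok.group(0)
        if not t.startswith("["):
            sources.append((t, dict(DEFAULT_ACTIONS)))
            continue
        if not sources:
            raise ValueError("criterion before any source")
        for crit in t[1:-1].split():
            status, _, action = crit.partition("=")
            status, action = status.upper(), action.lower()
            ok = action in ("return", "continue", "forever") or action.isdigit()
            if status not in STATUSES or not ok:
                raise ValueError(f"bad criterion {crit!r}")
            sources[-1][1][status] = action
    return db.strip(), sources


def resolve(sources, name, lookup, max_forever=5):
    """Walk the sources in order; lookup(source, name) -> (status, value).

    Returns (final status, value, trail of (source, status) attempts).
    """
    trail, status, value = [], "NOTFOUND", None
    for source, actions in sources:
        retries = 0
        while True:
            status, value = lookup(source, name)
            trail.append((source, status))
            action = actions[status]
            if status == "TRYAGAIN" and action not in ("return", "continue"):
                limit = max_forever if action == "forever" else int(action)
                if retries < limit:
                    retries += 1
                    continue          # method was busy: ask it again
                action = "continue"
            break
        if action == "return":
            return status, value, trail
    return status, value, trail


# Constructed stand-in for the real methods: files, dns, a busy nis, an
# unavailable nisplus.
SAMPLE_TABLES = {
    "files": {"grumpy": "172.16.25.96"},
    "dns": {"grumpy": "192.0.2.99", "www.plc.com": "192.0.2.10"},
}


def sample_lookup(source, name):
    if source == "nis":
        return "TRYAGAIN", None
    if source == "nisplus":
        return "UNAVAIL", None
    table = SAMPLE_TABLES.get(source, {})
    return ("SUCCESS", table[name]) if name in table else ("NOTFOUND", None)


if __name__ == "__main__":
    for line in ("hosts: files dns", "hosts: files [NOTFOUND=return] dns",
                 "hosts: nis [TRYAGAIN=2] files"):
        _, srcs = parse_switch_line(line)
        for host in ("grumpy", "www.plc.com"):
            print(line, "|", host, "->", resolve(srcs, host, sample_lookup))
```

The second line shows the effect of [NOTFOUND=return]: a name missing from files is never asked of dns, which is the behaviour an administrator chooses when a local file is meant to be authoritative.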
The -f flag is used to flush the routing table of all entries. Some operating systems use route -flush instead of route -f. The keyword field indicates the operation to be performed. Keywords available in all versions of the route command include the following.

add : Add the specified route.
delete : Delete the specified route.

Some versions of route also support the following keywords:

get : Look up and display the route for a destination.
change : Change some aspect of the route (for example, change the gateway).
flush : Remove all entries from routing tables.
monitor : Continuously monitor and report changes in the status of routing tables, routing hits and misses, and suspected network partitioning.

The type field indicates whether this route is a host route or a network route. Because the route command may not have knowledge of local subnet masks, the administrator should always specify whether the route is a host or network route. Note, however, that some versions of the route command will consult the /etc/networks and /etc/netmasks files in an attempt to determine local subnet masks, and therefore assign the “proper” type of route if the type is not specified. Note also that some operating systems require a hyphen before the type field. The values allowed in the type field are therefore limited to the following.

[-]host : Route to a specific host
[-]net : Route to a network
    Feb 12 14:30:14 grumpy inetd[251]:[ID 317013 daemon.notice] ftp[13370] from 172.16.25.96 32769

This syslog entry includes several important pieces of information about this network connection attempt. The Date field tells when the message was logged. The Hostname field gives the name of the host (grumpy) that sent this log message. The Process field tells what process running on hostname generated this message. In this case, the inetd process, running on grumpy, with process ID of 251, sent the message. The Severity field tells the severity level of this notice (daemon notice). The Subprocess field lists the command invoked by inetd as a result of this connection request. In this case, the inetd service launches ftpd on host grumpy. The ftpd process invoked has a process ID of 13370. The Remote host field lists the IP address of the host that made this network connection request.
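The following added example (not code from the book) pulls the fields just described out of inetd connection entries and counts connection attempts per remote host, which is the first thing an administrator reviewing a messages file wants to know. The first sample line is the entry shown above; the remaining lines are constructed, and the last one (an sshd entry) shows that entries in another format are skipped rather than mis-parsed.

```python
import re
from collections import Counter

# First line is the page's entry; the rest are constructed for the example.
SAMPLE_LOG = """\
Feb 12 14:30:14 grumpy inetd[251]:[ID 317013 daemon.notice] ftp[13370] from 172.16.25.96 32769
Feb 12 14:30:20 grumpy inetd[251]: [ID 317013 daemon.notice] telnet[13371] from 172.16.25.96 32770
Feb 12 14:31:02 grumpy inetd[251]: [ID 317013 daemon.notice] ftp[13375] from 192.0.2.44 40001
Feb 12 14:31:03 grumpy sshd[13380]: [ID 800047 auth.info] Accepted publickey for alice from 172.16.25.7 port 50000
"""

# Date, hostname, process[pid], [ID msgid facility.severity], subprocess[pid],
# remote address and port. The space after the colon is optional because the
# entry printed above lacks it.
INETD_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<process>[\w.-]+)\[(?P<pid>\d+)\]:\s*"
    r"\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<severity>\w+)\] "
    r"(?P<subprocess>\S+)\[(?P<subpid>\d+)\] from (?P<remote>[\d.]+) (?P<rport>\d+)\s*$"
)


def parse_inetd_entry(line):
    """Return the entry's fields as a dict, or None if it is not an inetd entry."""
    m = INETD_RE.match(line)
    if not m or m.group("process") != "inetd":
        return None
    entry = m.groupdict()
    for key in ("pid", "subpid", "rport", "msgid"):
        entry[key] = int(entry[key])
    return entry


def connections_by_remote(text):
    """Count inetd-launched connections per (remote address, service)."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_inetd_entry(line)
        if entry:
            counts[(entry["remote"], entry["subprocess"])] += 1
    return counts


def noisy_remotes(counts, threshold):
    """Remote addresses with at least `threshold` connections across all services."""
    per_host = Counter()
    for (remote, _service), n in counts.items():
        per_host[remote] += n
    return sorted(h for h, n in per_host.items() if n >= threshold)


if __name__ == "__main__":
    counts = connections_by_remote(SAMPLE_LOG)
    for (remote, service), n in counts.most_common():
        print(f"{remote:16} {service:8} {n}")
    print("hosts with 2 or more connections:", noisy_remotes(counts, 2))
```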
Other values often modified include the TCP high water and low water marks, and the type of link in use (half/full duplex, “autobaud”/10/100/1000 Megabit Ethernet capabilities). The ndd command may be used to probe the following devices.

/dev/tcp : TCP protocol stack variables
/dev/udp : UDP protocol stack variables
/dev/ip : IP protocol stack variables
/dev/icmp : ICMP protocol stack variables
/dev/rawip : ICMP protocol stack variables
/dev/arp : ARP protocol variables
/dev/le : Lance Ethernet device driver variables
/dev/hme : 100 Mbit Ethernet device driver variables
/dev/eri : Gigabit Ethernet device driver variables

To see what variables are available under a specific device, invoke ndd as follows.

    ndd /dev/{devicename} \?

This will cause ndd to query the driver and produce a list of variables that the driver lists as available to be viewed/set using the ndd interface.
NOTE: Different vendors implement multi-pathing in different ways. Consult your vendor information to determine the specifics of how your operating environments implement/configure multi-pathing.

The following example shows the host name files from a Solaris host using Sun’s multi-path mode of operation. This configuration provides better bandwidth, and redundancy for the host, by “bonding” two interfaces. If one interface fails, the system will continue to run with half the bandwidth previously available to it. Note that both interfaces are on the same network and have the same host name. The interfaces are added to an interface group by directives in the hostname.if_name file.

    # more /etc/hostname.hme0
    wazoo group plc -failover
    # more /etc/hostname.hme1
    wazoo group plc -failover

NOTE: Not all operating systems allow the operator to place the same information in their hostname.ifname files. Consult the manual page for your OS to determine the appropriate values to place in your files.
    # cat /proc/sys/net/ipv4/conf/eth0/accept_redirects
    1

If the command returns a 1 (as in the previous code), the feature is enabled on the eth0 interface. If the administrator decides to turn off the system’s capability of accepting ICMP REDIRECT directives on the eth0 interface, he/she could change the file using the following.

    # echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects

The System Administration, Networking, and Security Institute (SANS) publishes step-by-step guides to assist an administrator with the task of securing operating systems. The SANS Step-by-Step Guide to Securing Linux contains many helpful tips for securing a Linux host on the network using the /proc interface files.
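As an added example (not from the book), the following Python code generalizes the two commands above to every interface directory under /proc/sys/net/ipv4/conf: it reports the accept_redirects setting per interface and writes 0 to those still enabled. The proc_root parameter lets it run against a constructed copy of the tree (make_sample_proc) so the logic can be exercised without root; on a live system the default /proc is used and the write needs root.

```python
import os
import tempfile

CONF_PATH = ("sys", "net", "ipv4", "conf")


def audit_accept_redirects(proc_root="/proc"):
    """Return {interface: current accept_redirects value} under proc_root."""
    conf_dir = os.path.join(proc_root, *CONF_PATH)
    result = {}
    for iface in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, iface, "accept_redirects")
        if os.path.isfile(path):
            with open(path) as fh:
                result[iface] = int(fh.read().strip())
    return result


def disable_accept_redirects(proc_root="/proc", interfaces=None):
    """Write 0 to accept_redirects for the named interfaces (all if None).

    Returns the list of interfaces whose value was changed.
    """
    changed = []
    for iface, value in audit_accept_redirects(proc_root).items():
        if interfaces is not None and iface not in interfaces:
            continue
        if value != 0:
            path = os.path.join(proc_root, *CONF_PATH, iface, "accept_redirects")
            with open(path, "w") as fh:
                fh.write("0\n")
            changed.append(iface)
    return changed


def make_sample_proc():
    """Constructed stand-in for /proc with eth0 (and the all/default
    entries a Linux kernel also exposes) accepting redirects."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    for iface, value in (("all", 1), ("default", 1), ("eth0", 1), ("lo", 0)):
        d = os.path.join(root, *CONF_PATH, iface)
        os.makedirs(d)
        with open(os.path.join(d, "accept_redirects"), "w") as fh:
            fh.write(f"{value}\n")
    return root


if __name__ == "__main__":
    root = make_sample_proc()              # replace with "/proc" on a real host
    print("before:", audit_accept_redirects(root))
    print("changed:", disable_accept_redirects(root))
    print("after: ", audit_accept_redirects(root))
```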
As an example of a simple DHCP configuration, the astro.com administrators created a DHCP server named (aptly) dhcpserve. This machine provides DHCP service to clients on the 192.168.0.0 network. The network has 10 client machines that obtain IP addresses via DHCP. When the administrator has completed the configuration process, the dhcpconfig command will create two database files. The files created by the dhcpconfig command are stored in the /var/dhcp directory. The /var/dhcp/dhcptab file contains information about the server environment. The /var/dhcp/[IP_with_underscores] file contains the information regarding addresses leased out, and available addresses. If the network number for the DHCP network is 192.168.0.0, this file name would be /var/dhcp/192_168_0_0.
Linux, BSDI, and MacOS X

Once the hosts file has been modified, try one (or both) of the following commands.

    route add -host all-ones dev eth0
    route add 255.255.255.0 dev eth0

Once the route has been added, you need to edit the /etc/dhcp.conf file to configure the DHCP server’s operation. If you are using the KDE window manager, you can use the kcmdhcpd GUI to configure the DHCP service. The following sample dhcp.conf file configures the server to provide client addresses in the 172.16.1.10 through 172.16.1.100 and 172.16.1.150 through 172.16.1.200 ranges. The default lease time will be 600 seconds unless the client requests some other value. The time limit on a lease is 7200 seconds (2 hours). The client will be instructed to use the subnet mask 255.255.0.0, and the broadcast address 172.16.1.255. The client will also be told to use 172.16.1.254 as its default gateway. The host will be told to use the name servers at 172.16.1.1 and 172.16.1.2. The client domain name will be set to plc.com. Windows clients will be configured with 172.16.1.1 as their WINS server.

    default-lease-time 600;
    max-lease-time 7200;
    option subnet-mask 255.255.0.0;
    option broadcast-address 172.16.1.255;
    option routers 172.16.1.254;
    option domain-name-servers 172.16.1.1, 172.16.1.2;
    option domain-name "plc.com";
    option netbios-name-servers 172.16.1.1;
    subnet 172.16.1.0 netmask 255.255.255.0 {
        range 172.16.1.10 172.16.1.100;
        range 172.16.1.150 172.16.1.200;
    }
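The following added example (not code from the book) parses the sample dhcp.conf above with Python and runs the consistency checks an administrator would want before handing the file to the server: every range lies inside its subnet declaration and does not overlap another, the routers and broadcast options fall inside the subnet, the default lease does not exceed the maximum, and the subnet-mask option agrees with the netmask of the subnet declaration. Run on the sample above, the last check reports the 255.255.0.0 option against the 255.255.255.0 subnet declaration. The parser handles only the flat statement and subnet-block syntax shown on the page.

```python
import ipaddress
import re

# The sample dhcp.conf from the text, embedded for the example.
SAMPLE_DHCPD_CONF = """\
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.0.0;
option broadcast-address 172.16.1.255;
option routers 172.16.1.254;
option domain-name-servers 172.16.1.1, 172.16.1.2;
option domain-name "plc.com";
option netbios-name-servers 172.16.1.1;
subnet 172.16.1.0 netmask 255.255.255.0 {
    range 172.16.1.10 172.16.1.100;
    range 172.16.1.150 172.16.1.200;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{([^}]*)\}")


def parse_dhcp_conf(text):
    """Return (global options dict, [(network, [(range_lo, range_hi)])])."""
    text = re.sub(r"#.*", "", text)
    subnets = []
    for m in SUBNET_RE.finditer(text):
        net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                  for lo, hi in re.findall(r"range\s+(\S+)\s+(\S+)\s*;", m.group(3))]
        subnets.append((net, ranges))
    options = {}
    for stmt in SUBNET_RE.sub("", text).split(";"):
        words = stmt.split()
        if not words:
            continue
        if words[0] == "option":
            options[words[1]] = " ".join(words[2:])
        else:
            options[words[0]] = " ".join(words[1:])
    return options, subnets


def validate_dhcp(options, subnets):
    """Return a list of human-readable findings (empty means consistent)."""
    findings = []

    def first_addr(opt):
        return (ipaddress.ip_address(options[opt].split(",")[0].strip())
                if opt in options else None)

    default_lease = int(options.get("default-lease-time", 0))
    max_lease = int(options.get("max-lease-time", 0))
    if max_lease and default_lease > max_lease:
        findings.append("default-lease-time exceeds max-lease-time")
    mask = options.get("subnet-mask")
    for net, ranges in subnets:
        if mask and ipaddress.ip_address(mask) != net.netmask:
            findings.append(f"option subnet-mask {mask} does not match subnet "
                            f"{net} (netmask {net.netmask})")
        for opt in ("routers", "broadcast-address"):
            addr = first_addr(opt)
            if addr is not None and addr not in net:
                findings.append(f"option {opt} {addr} lies outside {net}")
        bcast = first_addr("broadcast-address")
        if bcast is not None and bcast in net and bcast != net.broadcast_address:
            findings.append(f"broadcast-address {bcast} is not {net.broadcast_address}")
        seen = []
        for lo, hi in ranges:
            if lo > hi:
                findings.append(f"range {lo} {hi} is reversed")
            if lo not in net or hi not in net:
                findings.append(f"range {lo} {hi} leaves {net}")
            for plo, phi in seen:
                if lo <= phi and hi >= plo:
                    findings.append(f"range {lo} {hi} overlaps {plo} {phi}")
            seen.append((lo, hi))
    return findings


if __name__ == "__main__":
    opts, nets = parse_dhcp_conf(SAMPLE_DHCPD_CONF)
    for finding in validate_dhcp(opts, nets) or ["no findings"]:
        print(finding)
```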
The easiest way to configure DHCP on a HPUX system is through the SAM program. Under SAM, select Networking and Communications | Bootable Devices | DHCP Device Groups Booting From This Server. At this point, the system should display any existing DHCP groups assigned to this server. If none appear, you need to add one, as follows. From the ACTION menu, select Add DHCP Group. Fill in the information on this screen. This includes the following items.

DHCP group name
Subnet mask [subnet]
Address pool
Lease time

Consult the dhcp manual pages for more information on these options.
Several third-party utilities are available to parse message files and alert you to messages you may have missed. The following are two of the more popular utilities.

logcheck : Now called Psionic LogSentry. LogSentry is available at http://www.psionic.com/products/logsentry.html. This utility comes complete with installation and configuration information. The LogSentry utility is very similar to the log parser that comes with the TIS Gauntlet firewall product.
swatch : Simple watcher developed by E. Todd Atkins at the University of California, Santa Barbara. Swatch is available at http://www.engr.ucsb.edu/~eta/swatch/. The distribution code includes installation and configuration information for this utility.
WARNING: SNMP has been perpetually insecure. The use of well-known “community strings” (passwords), and the existence of buffer overflows in many implementations, has made the use of SNMP somewhat dangerous. If your site uses SNMP, you need to take extra caution to block external access to the SNMP processes. Failure to do so may result in your systems becoming compromised by hackers.
    sysdescr PLC SparcStation
    syscontact [email_address]
    sysLocation Poodle Lecture Consulting
    #
    system-group-read-community Myreadgroupstring
    #system-group-write-community Mywritegroupstring
    #
    read-community Myreadcomstring
    #write-community Mywritecomstring
    #
    trap localhost
    trap-community SNMP-trap
    #
    #kernel-file /vmunix
    #
    managers localhost

Once the snmpd.conf file has been modified, make sure it is only accessible by root. If the file is readable by others, they will have access to your read/write strings, and therefore access to your systems. You can start the snmp utilities by invoking the S76snmpdx script, followed by the S77dmi script, with the start argument.
get-community-name : your_read_community_password
set-community-name : your_write_community_password
trap-dest : Name of the hosts that should receive trap notifications. There may be more than one trap destination.
location : Physical location of the host.
contact : E-mail address of the person to contact about the host.

The HPUX SNMP daemon logs information to /var/adm/snmpd.log. Starting snmp with a log mask can control the amount of logging. See the manual page for snmp to determine the proper log mask for your site.
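The following added example (not code from the book) audits an snmpd.conf in either of the two layouts shown above, the Solaris “read-community string” form and the HPUX “get-community-name: string” form, for the two problems the text warns about: community strings that are well-known defaults (or too short to resist guessing, a threshold chosen for this example) and a file whose permissions let users other than root read the strings. The sample configurations are constructed from the page’s layouts with weak values inserted to show the findings.

```python
import os
import stat
import tempfile

# Strings shipped as defaults or guessed first; any match is a finding.
WELL_KNOWN = {"public", "private", "snmp", "snmpd", "community", "admin", "secret"}

# Constructed samples in the two layouts shown above, with weak values inserted.
SOLARIS_SAMPLE = """\
sysdescr PLC SparcStation
syscontact [email_address]
#
system-group-read-community Myreadgroupstring
#system-group-write-community Mywritegroupstring
#
read-community public
#write-community Mywritecomstring
#
trap localhost
trap-community SNMP-trap
#
managers localhost
"""

HPUX_SAMPLE = """\
get-community-name: Myreadcomstring
set-community-name: priv
trap-dest: loghost
location: Poodle Lecture Consulting
contact: [email_address]
"""


def parse_community_strings(text):
    """Return [(key, value)] for every active line that sets a community string.

    A ':' separates key and value in the HPUX layout; whitespace does in the
    Solaris layout. Lines beginning with '#' are comments or separators.
    """
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if "community" in key.lower() and value:
            found.append((key, value))
    return found


def weak_community_strings(text, min_len=8):
    """Return [(key, value, reason)] for community strings that fail the policy."""
    weak = []
    for key, value in parse_community_strings(text):
        if value.lower() in WELL_KNOWN:
            weak.append((key, value, "well-known string"))
        elif len(value) < min_len:
            weak.append((key, value, f"shorter than {min_len} characters"))
    return weak


def mode_is_root_only(path):
    """True when the file grants no permission bits to group or others."""
    return (os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def write_sample_conf(text, mode):
    """Write text to a temporary file with the given mode (for demonstration)."""
    fd, path = tempfile.mkstemp(prefix="snmpd_", suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for label, text in (("solaris", SOLARIS_SAMPLE), ("hpux", HPUX_SAMPLE)):
        for key, value, reason in weak_community_strings(text):
            print(f"{label}: {key} = {value!r}: {reason}")
    path = write_sample_conf(SOLARIS_SAMPLE, 0o644)
    print(path, "root-only:", mode_is_root_only(path))
```

On a real host, pass the contents and path of /etc/snmp/conf/snmpd.conf (Solaris) or the HPUX snmpd.conf to weak_community_strings and mode_is_root_only; a false result from the latter is the condition the paragraph above warns about.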
Monitoring traffic containing specific data.
Monitoring a network to determine which host is creating the most network traffic.

The snoop command even provides a “cheap and dirty” means of determining which hosts are generating the most traffic on the network. You could start snoop and visually monitor which hosts are generating traffic (snoop -d hme0). Alternatively, you could generate some shell scripts to invoke snoop to capture a specified number of packets, and then analyze which hosts were sending and receiving packets during the sample window. For example, snoop -d hme0 -o /tmp/snapshot -c 10000 will collect 10,000 packets and save them in the /tmp/snapshot file. You can then use snoop -i /tmp/snapshot | grep hostname | wc -l to determine how many of the 10,000 packets hostname contributed. Figure 16-13 shows snoop used to monitor network traffic.

WARNING: By default, snoop is a root-restricted command because the network interface device special file is created with root read permission. Some applications require that the network interface run in promiscuous mode. This changes the read/write modes of the device-special file such that any user on the host can use the snoop command to capture packets. You may want to have the root crontab invoke a utility such as ifstatus periodically to determine the mode of the network interface(s) on your hosts.
    # nettl -tn 0x30800000 -e ns_ls_ip -size 1024 -tracemax 99999 -f /tmp/raw0

To view the data just collected, the user would need to invoke the netfmt command with the options required to format the output as desired. The following example shows the use of the netfmt command to give a one-line trace analysis of all packets captured to the /tmp/raw0.TRC0 file.

    # netfmt -N -n -l -1 -f /tmp/raw0.TRC0 > /tmp/fmt-10

The nettl utility provides the ability to incorporate filters into the packet capture and analysis process. A filter is a small “program” or specification that tells the utility what packets to capture/display. The filters can be used to specify source or destination addresses, MAC addresses, protocols, ports, and other useful classifiers for the packet capture/display. Consult the manual pages for nettl, netfmt, and nettlgen.conf for more information on the use of the HPUX nettl utility.
    # tcpdump -vvv -i hme1 -e -c 1 -x 'icmp'
    14:21:40.496416 8:0:20:7e:80:69 8:0:20:9a:5d:bc ip 98: cse.nd.edu > grumpy.cse.nd.edu: icmp: echo request (DF) (ttl 255, id 56704, len 84)
    4500 0054 dd80 4000 ff01 68cc 814a 1965
    814a 1962 0800 6843 2328 0000 3c98 e144
    0004 63b0 0809 0a0b 0c0d 0e0f 1011 1213
    1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
    2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
    3435

One of the most powerful features of tcpdump is its ability to use filters to narrow down the type of packet to be displayed. This filtering capability makes tcpdump an extremely powerful tool. If you want to capture specific types of packets, all you have to do is write a filter that uniquely specifies that type of packet. Once you have the filter written, call tcpdump with the filter option, and tcpdump will use your filter as part of the packet selection criteria. The format of the filters is pretty straightforward. The basic formula for a filter is as follows.

    <header> [<offset>:<length>] <relation> <value>

The relational operators tcpdump understands are =, <, >, <=, >=, and !=. The logical operators it understands are the and (&), or (|), and not (!) operators. A simple example is a filter that selects packets by TCP destination port, such as the following.

    # tcpdump -i hme1 -x 'tcp[2:2] = 25'

This tells tcpdump to look at the TCP header. Skipping bytes 0 and 1 (the source port) and looking at bytes 2 and 3 (the destination port): if this two-byte field contains the value 25, this is an SMTP packet! To make life simpler, tcpdump also includes some built-in macros that make writing filters even simpler.
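As an added example (not code from the book), the following Python decodes the IP header from the hex dump printed above, recovering the ttl, id, DF flag and length that the -vvv line reports, and then implements the header[offset:length] relation value filter primitive described above so the reader can see exactly which bytes tcp[2:2] = 25 compares. The offset is taken relative to the named header: 0 for ip, and the IP header length for icmp/tcp/udp, which is why the filter must first confirm the IP protocol field matches. The TCP packet used to exercise the port-25 filter is constructed (checksums left zero); the ICMP packet is the page's own dump.

```python
import operator
import re
import struct

# Hex dump of the ICMP echo request shown above (the page's own capture).
PAGE_HEX = (
    "4500 0054 dd80 4000 ff01 68cc 814a 1965 814a 1962 0800 6843 2328 0000 "
    "3c98 e144 0004 63b0 0809 0a0b 0c0d 0e0f 1011 1213 1415 1617 1819 1a1b "
    "1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 3435"
)
PAGE_PACKET = bytes.fromhex(PAGE_HEX.replace(" ", ""))

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
RELATIONS = {"=": operator.eq, "!=": operator.ne, "<": operator.lt,
             ">": operator.gt, "<=": operator.le, ">=": operator.ge}
# header[offset] or header[offset:length] relation value (length 1, 2 or 4)
FILTER_RE = re.compile(
    r"^(?P<hdr>ip|icmp|tcp|udp)\[(?P<off>\d+)(?::(?P<len>[124]))?\]"
    r"\s*(?P<rel>!=|<=|>=|=|<|>)\s*(?P<val>\d+)$")


def decode_ipv4(pkt):
    """Decode the fixed IPv4 header fields that tcpdump prints with -v."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    total_len, ident, flags_frag, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    return {
        "ihl": ihl, "len": total_len, "id": ident,
        "df": bool(flags_frag & 0x4000), "ttl": ttl, "proto": proto,
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
    }


def eval_filter(expr, pkt):
    """Evaluate one 'header[offset:length] relation value' primitive on pkt."""
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported filter: {expr!r}")
    hdr, rel = m["hdr"], m["rel"]
    off, length, value = int(m["off"]), int(m["len"] or 1), int(m["val"])
    ip = decode_ipv4(pkt)
    if hdr == "ip":
        base = 0
    else:
        if ip["proto"] != PROTO_NUM[hdr]:
            return False            # not that transport: primitive is false
        base = ip["ihl"]            # transport header follows the IP header
    field = pkt[base + off: base + off + length]
    if len(field) < length:
        return False                # field lies beyond the captured bytes
    return RELATIONS[rel](int.from_bytes(field, "big"), value)


def build_tcp_syn(dst_port, src_port=32769):
    """Constructed IPv4/TCP SYN to dst_port (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                     bytes([172, 16, 25, 96]), bytes([172, 16, 25, 1]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    print(decode_ipv4(PAGE_PACKET))
    for expr, pkt in (("icmp[0] = 8", PAGE_PACKET), ("tcp[2:2] = 25", PAGE_PACKET),
                      ("tcp[2:2] = 25", build_tcp_syn(25)), ("tcp[2:2] = 25", build_tcp_syn(80))):
        print(f"{expr:14} -> {eval_filter(expr, pkt)}")
```

The decoded id 56704, ttl 255, DF and len 84 match the -vvv summary line, and icmp[0] = 8 is true for the dump because byte 0 of the ICMP header (the type) is 0x08, an echo request.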