Solaris 10 Edition
Training Notes 20060801.01
Table of Contents
Apache Web Server - Notes
BIND DNS Implementation - Notes
System Scheduler Cron - Notes
File System Management - Notes
Volume Management - Notes
File Transfer Protocol Daemon (FTPD) Implementation - Notes
GNU Privacy Guard (GPG) - Notes
MySQL Implementation - Notes
NETSTAT - Notes
Network Configuration Overview - Notes
Network File System (NFS) - Notes
AutoFS - Notes
Network Mapper Nmap - Notes
Network Time Protocol (NTP) - Notes
Quota Implementation & Management - Notes
Samba Windows Integration - Notes
Remote Desktop Installation - Notes
Samba Server Configuration - Notes
System Security Overview - Notes
Sendmail MTA Features - Notes
Snoop Network Sniffer - Notes
TCPDump Network Sniffer - Notes
Snort Network Intrusion Detection System (NIDS) - Notes
SYSLOG Implementation - Notes
Log Rotation using logadm - Notes
Zettabyte File System (ZFS) - Notes
Solaris Zones - Notes
Apache Web Server - Notes
Note: Apache ALWAYS maintains a DEFAULT HOST. Its config is in httpd.conf, outside
of ANY and ALL VirtualHost containers
Note: Apache requires the following info. for the DEFAULT HOST:
1. ServerName linuxcbtsun1.linuxcbt.internal
2. ServerAdmin
3. DocumentRoot - where to serve content from
4. IP Address:Port to bind to - optional
5. Logging information - custom/combined & error logs
Note: Listen directive controls IPs and ports that Apache binds to
Note: specify 'Listen' directive(s) in the DEFAULT HOST(httpd.conf)
Note: You can specify multiple Listen Directives
Note: Apache binds to ALL IP addresses when 'Listen' is specified without an IP
address
DEFAULT HOST(IP:PORT)
-Virtual Host 1
-Virtual Host 2
<Directory "/var/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/var/apache2/htdocs/temp">
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Note: <Directory "/var/apache2/htdocs"> - applies to all sub-directories
###Alias Directive###
Maps webspace location to file system location, usually non-document root
###Files Directive###
Facilitates restrictions on matching files regardless of their location on the server
<Files noaccess.html>
Order allow,deny
Deny from all
</Files>
Note: When applied OUTSIDE of <Directory> block, applies to all instances of named
file throughout the web server
Steps:
1. Implement appropriate 'Listen' directive
2. Configure Virtual Hosts
3. Restart Apache
4. Test configuration
Listen 192.168.1.50:80
<VirtualHost 192.168.1.50:80>
ServerName linuxcbtsun1.linuxcbt.internal
ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
DocumentRoot /var/apache2/ipvhost1
ErrorLog /var/apache2/logs/ipvhost1.error.log
CustomLog /var/apache2/logs/ipvhost1.access.log combined
</VirtualHost>
Note: Apache will serve content from the DocumentRoot of DEFAULT HOST if a request
does NOT match any of the Virtual Hosts
Listen 192.168.1.51:80
<VirtualHost 192.168.1.51:80>
ServerName linuxcbtsun3.linuxcbt.internal
ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
DocumentRoot /var/apache2/ipvhost2
ErrorLog /var/apache2/logs/ipvhost2.error.log
CustomLog /var/apache2/logs/ipvhost2.access.log combined
</VirtualHost>
Listen 80
NameVirtualHost *:80 - permits name-based Virtual Hosts on ALL IPs
Note: NameVirtualHost directive MUST match VirtualHost directive
<VirtualHost *:80>
ServerName linuxcbtsun1.linuxcbt.internal
ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
DocumentRoot /var/apache2/namevhost1
ErrorLog /var/apache2/logs/namevhost1.error.log
CustomLog /var/apache2/logs/namevhost1.access.log combined
</VirtualHost>
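Added example (not part of the original training notes): a POSIX shell check for the two rules stated in the notes above, that every <VirtualHost IP:port> needs a Listen directive that covers it, and that every NameVirtualHost must have a matching <VirtualHost>. The httpd.conf fragment embedded in the script is constructed for the example; vhost_problems is a hypothetical helper name, not an Apache tool.

```shell
#!/bin/sh
# Added example: checks Listen / NameVirtualHost / <VirtualHost> consistency in an
# httpd.conf fragment read from stdin. Prints one line per problem found and
# prints nothing when the configuration is consistent.
vhost_problems() {
  awk '
  # Listen IP:port, or Listen port (binds every address, recorded as "*:port")
  /^[ \t]*Listen[ \t]/ {
    a = $2
    if (a !~ /:/) a = "*:" a
    listen[a] = 1
    split(a, p, ":"); listen_port[p[2]] = 1
    next
  }
  /^[ \t]*NameVirtualHost[ \t]/ { nvh[$2] = 1; next }
  /^[ \t]*<VirtualHost[ \t]/ {
    a = $2; sub(/>.*$/, "", a)                        # strip the closing ">"
    vh[a] = 1
    split(a, p, ":")
    if (a in listen) next                             # exact IP:port match
    if (("*:" p[2]) in listen) next                   # a bare "Listen port" covers every IP
    if (p[1] == "*" && (p[2] in listen_port)) next    # *:port is served on any listening IP
    print "no Listen covers <VirtualHost " a ">"
  }
  END {
    for (n in nvh)
      if (!(n in vh)) print "NameVirtualHost " n " has no matching <VirtualHost>"
  }'
}

# Constructed sample configuration (not the notes' own config): two correct hosts,
# one vhost on a port nobody listens on, and one NameVirtualHost without a vhost.
SAMPLE_CONF='Listen 192.168.1.50:80
Listen 80
NameVirtualHost *:80
NameVirtualHost 192.168.1.51:80
<VirtualHost 192.168.1.50:80>
ServerName linuxcbtsun1.linuxcbt.internal
DocumentRoot /var/apache2/ipvhost1
</VirtualHost>
<VirtualHost *:80>
ServerName linuxcbtsun1.linuxcbt.internal
DocumentRoot /var/apache2/namevhost1
</VirtualHost>
<VirtualHost 192.168.1.51:443>
ServerName linuxcbtsun3.linuxcbt.internal
DocumentRoot /var/apache2/ipvhost2
</VirtualHost>'

printf '%s\n' "$SAMPLE_CONF" | vhost_problems
```

Run it against the real file with `vhost_problems < /etc/apache2/httpd.conf` before `svcadm restart apache2`; an empty result means every container is reachable on an address Apache actually binds.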
BIND DNS Implementation - Notes
Bind 9.x
SUNWbind(client & server utilities) & SUNWbindr(SMF)
options {
directory "/var/named";
};
###Reverse Zones###
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "db.192.168.1";
};
zone "20.16.172.in-addr.arpa" {
type master;
file "db.172.20.16";
};
###Forward Zones###
zone "unixcbt.internal" {
type master;
file "db.unixcbt.internal";
};
Steps:
1. copy the following files to slave server:
a. db.127.0.0 - houses reverse, loopback zone info.
b. db.cache - houses root hints
c. named.conf - primary DNS BIND configuration file
Note: A BIND DNS server can also act as a slave server, in addition to a caching-only
or authoritative server.
System Scheduler Cron - Notes
Features:
1. Permits scheduling of scripts (shell/perl/python/ruby/PHP/etc.)/tasks on a per-user basis via individual cron tables.
2. Permits recurring execution of tasks
3. Permits one-time execution of tasks via 'at'
4. Logs results(exit status but can be full output) of executed tasks
5. Facilitates restrictions/permissions via - cron.deny,cron.allow,at.*
Cron command:
crontab - facilitates the management of cron table files
-crontab -l - lists the cron table for the current user (for root, reads /var/spool/cron/crontabs/root)
Note: each line contains 6 fields/columns - 5 pertain to date & time of execution,
and the 6th pertains to command to execute
#m h dom m dow
10 3 * * * /usr/sbin/logadm - 3:10AM - every day
* * * * * /usr/sbin/logadm - every minute,hour,dom,m,dow
*/5 * * * * /usr/sbin/logadm - every 5 minutes(0,5,10,15...)
1 0-4 * * * /usr/sbin/logadm - 1 minute after the hours 0-4
0 0,2,4,6,9 * * * /usr/sbin/logadm - top of the hours 0,2,4,6,9
Note:
Default Solaris install creates 'at.deny' & 'cron.deny'
You MUST not be included in either file to be able to submit at & cron entries
Conversely, if cron.allow and at.allow files exist, you MUST belong to either file
to submit at or cron entries
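Added example (not from the original notes): two small POSIX shell helpers. cron_access applies the cron.allow / cron.deny (or at.allow / at.deny) decision described above to a user name; cron_time_ok validates the five time fields of a crontab line against the syntax the examples above use (single values, ranges, lists and */step) and the legal range of each field. The allow/deny files in the demo are temporary files constructed for the example; on Solaris 10 the real files live under /etc/cron.d. The case where neither file exists is modelled as root-only, a simplification that ignores the solaris.jobs.user RBAC authorization.

```shell
#!/bin/sh
# Added example (not from the original notes).

# cron_access USER ALLOW_FILE DENY_FILE
# Prints "allow" or "deny" following the cron.allow / cron.deny precedence:
#   1. allow file exists     -> user must be listed in it
#   2. else deny file exists -> user must NOT be listed in it
#   3. neither exists        -> only root (simplification: users holding the
#      solaris.jobs.user authorization are not modelled here)
# The same function serves at.allow / at.deny.
cron_access() {
  user=$1; allow=$2; deny=$3
  if [ -f "$allow" ]; then
    grep -qxF "$user" "$allow" && echo allow || echo deny
  elif [ -f "$deny" ]; then
    grep -qxF "$user" "$deny" && echo deny || echo allow
  elif [ "$user" = root ]; then
    echo allow
  else
    echo deny
  fi
}

# cron_time_ok 'm h dom mon dow command'
# Prints "ok" when the five time fields are well formed and in range, else "bad: ...".
cron_time_ok() {
  printf '%s\n' "$1" | awk '
  BEGIN {
    lo[1]=0; hi[1]=59   # minute
    lo[2]=0; hi[2]=23   # hour
    lo[3]=1; hi[3]=31   # day of month
    lo[4]=1; hi[4]=12   # month
    lo[5]=0; hi[5]=6    # day of week (0 = Sunday)
  }
  {
    if (NF < 6) { print "bad: need 5 time fields plus a command"; exit }
    for (i = 1; i <= 5; i++) {
      n = split($i, items, ",")                  # comma-separated list: 0,2,4,6,9
      for (j = 1; j <= n; j++) {
        it = items[j]
        if (index(it, "/")) {                    # */5 or 0-30/10 style step
          split(it, s, "/"); it = s[1]
          if (s[2] !~ /^[0-9]+$/ || s[2]+0 < 1) { print "bad: field " i " step (" $i ")"; exit }
        }
        if (it == "*") continue
        if (it ~ /^[0-9]+$/) { a = it; b = it }
        else if (it ~ /^[0-9]+-[0-9]+$/) { split(it, r, "-"); a = r[1]; b = r[2] }
        else { print "bad: field " i " (" $i ")"; exit }
        if (a+0 < lo[i] || b+0 > hi[i] || a+0 > b+0) { print "bad: field " i " (" $i ") out of range"; exit }
      }
    }
    print "ok"
  }'
}

# Demo on constructed temporary allow/deny files
d=$(mktemp -d)
printf 'alice\n' > "$d/cron.allow"
printf 'mallory\n' > "$d/cron.deny"
cron_access alice   "$d/cron.allow" "$d/cron.deny"   # allow: listed in cron.allow
cron_access bob     "$d/cron.allow" "$d/cron.deny"   # deny: cron.allow exists, bob not in it
cron_access mallory "$d/none"       "$d/cron.deny"   # deny: listed in cron.deny
cron_access bob     "$d/none"       "$d/cron.deny"   # allow: in neither file
rm -rf "$d"
cron_time_ok '*/5 * * * * /usr/sbin/logadm'          # ok
cron_time_ok '60 3 * * * /usr/sbin/logadm'           # bad: field 1 (60) out of range
```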
File System Management - Notes
Steps:
1. Determine available memory and the amount you can spare for TEMPFS
-prtconf
- allocate 100MB
2. Execute mount command:
mkdir /tempdata && chmod 777 /tempdata && mount -F tmpfs -osize=100m swap /tempdata
Modify /etc/vfstab
Volume Management - Notes
Solaris' Volume Management permits the creation of 5 object types:
1. Volumes (RAID-0 (concatenation or stripe) / RAID-1 (mirroring) / RAID-5 (striping with parity))
2. Soft partitions - permits the creation of very large storage devices
3. Hot spare pools - facilitates provisioning of spare storage for use when a RAID-1/5 volume has failed
i.e. MIRROR
-DISK1
-DISK2
-DISK3 - spare
Note: Volume Management relies upon the Majority Consensus Algorithm (MCA) to determine
the consistency of the volume information
###RAID-1 Configuration###
Note: RAID-1 relies upon submirrors or existing RAID-0 volumes
c0t1d0s0 - /dev/md/dsk/d0
c0t2d0s0 - /dev/md/dsk/d1
/dev/md/dsk/d2
d0 - source sub-mirror
d1 - destination sub-mirror
###RAID-5 Configuration###
Steps:
1. Ensure that 3 components(slices/disks) are available for configuration
2. Ensure that components are identical in size
Note: You may attach additional components to a RAID-5 volume; they will not store parity
information, but their data will still be protected.
Note: When extending RAID-1 volumes, extend each sub-mirror first, and then Solaris
will automatically extend the RAID-1 volume. Then run 'growfs.'
###Soft Partitions###
1. Provides an abstracted, extensible partition object
2. Permits virtually unlimited segmentation of disk
c0t1d0 - s0-9 (0-7 except 2, usable)
Steps:
1. Clean up partitions on existing disks: c0t1d0 & c0t2d0
File Transfer Protocol Daemon (FTPD) Implementation - Notes
wu-ftpd
FTPD binds to TCP port 21 and is running by default
SMF controls service configuration
svcs -l ftp - returns configuration
Steps:
1. useradd -d /home/guests/unixcbt4 -s /bin/true unixcbt4
2. mkdir /export/home/guests/unixcbt4
3. chown unixcbt4 /export/home/guests/unixcbt4
4. ftpconfig -d /export/home/guests/unixcbt4 - sets up chrooted environment
5. update /etc/ftpd/ftpaccess - config file
guestuser unixcbt4
6. restart ftp using svcadm restart ftp
Note: Guest users are similar to real users except guest users are chrooted/jailed.
###Virtual Hosts###
wu-ftpd - supports 2 forms of virtual hosts:
1. Limited - relies upon primary config files /etc/ftpd/{ftpaccess,ftpusers,...}
Admin. may define unique attributes including the following:
a. banner
b. logfile
c. hostname
d. email
e. distinct IP address
Note: Virtual hosts do not allow real & guest users access by default
###Install GPG###
1. www.sunfreeware.com
2. gunzip gnupg-1.2.6-sol10-intel-local.gz && pkgadd -d gnupg-1.2.6-sol10-intel-local
Note: Client options specified on the command line override all other instances of the
option.
Order of options/directives to be processed usually resembles the following:
1. /etc/my.cnf - global config file
2. /var/mysql/my.cnf - data-server specific config file
3. ~/my.cnf - user-specific config file
4. command line options
Note: Drop test database using the following syntax: 'drop database test;'
Note: You CANNOT drop the 'mysql' database because it contains the following
critical information:
1. list of databases to manage
2. user table
3. privileges table
Lists connections for ALL protocols & address families to and from machine
Address Families (AF) include:
INET - ipv4
INET6 - ipv6
UNIX - Unix Domain Sockets(Solaris/FreeBSD/Linux/etc.)
###NETSTAT Usage###
netstat - returns sockets by protocol using /etc/services for lookup
/etc/nsswitch.conf is consulted by netstat to resolve names for IPs
netstat -n -f inet
netstat -anf inet -P tcp
netstat -anf inet -P udp
Network Configuration Overview - Notes
2-Modes
1. Local Files Mode - config is defined statically via key files
2. Network Client Mode - DHCP is used to auto-config interface(s)
NIC naming within Solaris OS: i.e. e1000g0 - e1000g(driver name) 0(instance)
Rename /etc/dhcp.e1000g0 to some other name or remove the file so that the DHCP agent is
NOT invoked for that interface
echo "linuxcbtsun1" > /etc/nodename
###Sub-interfaces/Logical Interfaces###
e1000g0(physical interface) - 192.168.1.50(Primary Apache website)
192.168.1.51(Secondary Apache website)
192.168.1.52(Used for SSH)
iprb0 - 172.16.20.10
iprb1
2. share -F nfs -d test_share /tempnfssun1 - exports for current session. Does NOT
persist across reboots
###AutoFS Maps###
3 Types:
1. Master map - /etc/auto_master
2. Direct map - /etc/auto_direct - facilitates direct mappings
3. Indirect map - /etc/auto_* - referenced from /etc/auto_master
###/etc/auto_master###
Note: /etc/auto_master is always read by autofs(automountd daemon)
/etc/nsswitch.conf - used to determine lookup location for automount
-hosts - references hosts defined in /etc/hosts & the hosts MUST export shares
using NFS
www.insecure.org
Compilation Instructions:
1. export PATH=$PATH:/usr/ccs/bin
2. ./configure
3. make || gmake
4. gmake install - copies nmap to /usr/local/bin
Note: nmap can be run by any user on the system; however, only root may perform the
more privileged operations, e.g. SYN-based scans
###Client configuration###
xntpd or the ntp service searches for /etc/inet/ntp.conf
NTP Pool Site: www.pool.ntp.org (Derive NTP public servers from their lists)
Quota Implementation & Management - Notes
Features:
Soft Limits - function as stage-1 or warning stage
- if the user exceeds the soft limit (e.g. 100MB), a timer is started (default 7 days)
- if the user is still over the soft limit when the timer expires, the soft limit is enforced as a hard limit
Quota Tools:
1. edquota - facilitates the creation of quotas for users
2. quotacheck - checks for consistency in usage and quota policy
3. quotaon - enables quotas on file system
4. repquota - displays quota information
.smbpasswd
username=unixcbt
password=abc123
Features: rdesktop supports Remote Desktop Protocol (RDP) versions 4 & 5
Connects to:
1. Windows XP - RDP-5
2. Windows 2000 - RDP-5
3. Windows 2003 - RDP-5
4. Windows NT Server 4 - Terminal Services Edition - RDP-4
###usage###
smb.conf - is the main configuration file for Samba server & many of the Samba
clients search for key directives from the file.
Features:
1. File & Print sharing
2. Implemented as 2 daemons (smbd & nmbd)
smbd - file & print sharing - connections based on SMB/CIFS protocols
SMB - TCP 139
CIFS - TCP 445
nmbd - handles NETBIOS names using primarily UDP connectivity
Browse list (master browser or derive current list from master browser)
Names of servers - derived using broadcast or WINS
UDP 137 & 138
3. Legacy service - does not currently benefit from SMF
4. Service is located in: /etc/init.d & referenced via run-levels
5. Configuration changes to /etc/sfw/smb.conf are read automatically
logins command
logins -x -l unixcbt - returns info. from /etc/{passwd,shadow}
logins -p - lists users without passwords
Config files:
1. /etc/mail/sendmail.cf - primary config file for Sendmail MTA
2. /etc/mail/submit.cf - primary config file for Sendmail MSP (smmsp)
Note: Sendmail does NOT understand m4 files. Use m4 to generate updated .cf files
if necessary
unixcbt:unixcbt@linuxcbtsun1
unixcbt@localhost
unixcbt@linuxcbtsun1
unixcbt@linuxcbtsun1.linuxcbt.internal
/etc/mail/local-host-names
unixcbt.internal
unixcbt@linuxcbtsun1.unixcbt.internal
###per-user mail###
1. Sendmail stores mail using the older mbox format, which stores all of a user's mail in one
potentially huge ASCII text file
2. /var/mail/username - flagged with the STICKY bit
sendmail -v unixcbt
Virtual Users:
Create: /etc/mail/virtusertable
Populate with mappings: virtual_email_address local_mailbox|remote_email
unixcbt@unixcbt.internal unixcbt
###Relay Domains###
/etc/mail/relay-domains
Houses domains that sendmail should relay; local and/or remote
linuxcbt.com
192.168.1.100
###IMAP/POP2|3 Support###
Differences between IMAP & POP
1. IMAP stores messages on server
2. POP downloads messages to client
Note: IMAP server must support mbox mail storage format and optionally Maildir mail
storage format
Note: Have snoop write to an output file rather than STDOUT for performance reasons
(to minimize packet loss)
snoop
snoop -o snoop1.out - redirects captured traffic to file named 'snoop1.out'
and returns a packet-count to STDOUT
Note: If connected to a switched environment, MIRROR the traffic to the Sun box in
order for traffic to be available to snoop
Syntax:
tcpdump options expression
tcpdump
tcpdump -D - returns available interfaces
tcpdump -i interface_name - binds to specific interface
tcpdump -q suppresses some packet header information
tcpdump -n - avoids name resolution - improves performance
Features:
1. Packet Capturing - libpcap.a(tcpdump.org)
2. Packet Logging - Captures are stored to disk (ASCII/TCPDump Formats)
3. Network Intrusion Detection Mode
Requirements:
1. libpcap
2. libpcre
###Configuring Snort###
./configure --with-libpcap-libraries=/opt/sfw/lib --with-libpcre-includes=/opt/sfw/include --with-libpcre-libraries=/opt/sfw/lib
make
make install
###Snort as a Sniffer###
snort -v - Dumps link headers(Layers 3(IPs) & 4(Ports) of the OSI Model)
snort -v -i e1000g0
snort -vd -i e1000g0 - Dumps Application Layer (Layer-7 of OSI Model)
snort -ve -i e1000g0 - Dumps data-link layer (Layer-2 of OSI Model)
snort -vde -i e1000g0 - Dumps Layers 2,3,4,7 of OSI Model
1: selector(*.emerg) 2: action(/dev/console)
*.emerg /dev/console
Selector = facility(user).severity_level(debug)
Action = target for log entry (files, console, remote host)
local0.info /var/log/ciscofirewall1.log
touch /var/log/ciscofirewall1.log
svcadm restart system-log
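Added example (not from the original notes): a shell lint for syslog.conf entries of the selector/action form shown above. Solaris syslogd requires the selector and the action to be separated by TAB characters, so that is checked first; each selector is then split into facility.severity and compared against the facility and severity keywords as I recall them from syslog.conf(4). Treat those two keyword tables as an assumption to verify against the local man page, and syslog_conf_problems as a hypothetical helper name. The sample configuration is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): lints a syslog.conf read from stdin.
# Prints one line per problem, prefixed with the line number; nothing when clean.
syslog_conf_problems() {
  awk '
  BEGIN {
    # facility and severity keywords (assumption: taken from memory of syslog.conf(4))
    n = split("kern user mail daemon auth syslog lpr news uucp cron audit mark local0 local1 local2 local3 local4 local5 local6 local7 *", f, " ")
    for (i = 1; i <= n; i++) fac[f[i]] = 1
    n = split("emerg alert crit err warning notice info debug none", s, " ")
    for (i = 1; i <= n; i++) sev[s[i]] = 1
  }
  /^[ \t]*#/ || /^[ \t]*$/ { next }               # comments and blank lines
  {
    if ($0 !~ /\t/) {                              # Solaris syslogd needs TAB, not spaces
      print NR ": selector and action must be separated by a TAB: " $0
      next
    }
    sel = $0; sub(/\t.*$/, "", sel)                # text before the first TAB
    act = $0; sub(/^[^\t]*\t+/, "", act)           # text after the TAB run
    if (act == "") print NR ": missing action"
    nsel = split(sel, sels, ";")                   # selector1;selector2;...
    for (i = 1; i <= nsel; i++) {
      if (split(sels[i], fs, ".") != 2) { print NR ": malformed selector " sels[i]; continue }
      nf = split(fs[1], fl, ",")                   # facility list: kern,mark.notice
      for (j = 1; j <= nf; j++) if (!(fl[j] in fac)) print NR ": unknown facility " fl[j]
      if (!(fs[2] in sev)) print NR ": unknown severity " fs[2]
    }
  }'
}

# Constructed sample: a comment, two good lines, an unknown facility, and a line
# whose selector and action are separated by a space instead of a TAB.
SAMPLE_SYSLOG=$(printf '# constructed sample, not a real host config\n*.emerg\t/dev/console\nlocal0.info\t/var/log/ciscofirewall1.log\nlocal9.info\t/var/log/bogus.log\nmail.debug /var/log/maillog\n')

printf '%s\n' "$SAMPLE_SYSLOG" | syslog_conf_problems
```

Running `syslog_conf_problems < /etc/syslog.conf` before `svcadm restart system-log` catches the space-versus-TAB mistake that otherwise surfaces only as a log file that stays empty.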
Features:
1. 256 quadrillion zettabytes (Terabytes - Petabytes - Exabytes - Zettabytes(1024
Exabytes))
2. RAID-0/1 & RAID-Z(RAID-5 with enhancements) (2-required virtual devices)
3. Snapshots - read-only copies of file systems or volumes
4. Creates volumes
5. Uses storage pools to manage storage - aggregates virtual devices
6. File systems attached to pools grow dynamically as storage is added
7. File systems may span multiple physical disks
8. ZFS is transactional
9. Pools & file systems are auto-mounted. No need to maintain /etc/vfstab
10. Supports file system hierarchies: /pool1/{home(5GB),var(10GB),etc.}
11. Supports reservation of storage: /pool1/{home(10GB),var}
12. Provides a secure web-based management tool - https://localhost:6789/zfs
###ZFS - CLI###
zpool list - lists known pools
zpool create pool_name(alphanumeric, _,-,:,.)
Pool Name Constraints (DO NOT USE THESE NAMES FOR YOUR POOL NAMES):
1. mirror
2. raidz
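Added example (not from the notes) that encodes the pool-naming rules as a shell function for use in provisioning scripts. Beyond the two reserved names listed above it applies the remaining rules from zpool(1M): the name must begin with a letter, may contain only letters, digits, underscore, dash, colon and period, must not be spare or log, and must not begin with c followed by a digit (which would look like a disk name such as c0t1d0). zpool_name_ok is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original notes): validate a ZFS pool name before
# handing it to "zpool create". Prints "ok" or the reason the name is rejected,
# and returns non-zero for a rejected name.
zpool_name_ok() {
  name=$1
  case $name in
    '')                     echo "empty name"; return 1 ;;
    mirror|raidz|spare|log) echo "reserved vdev keyword: $name"; return 1 ;;
    c[0-9]*)                echo "looks like a disk device name (cNtNdN): $name"; return 1 ;;
    [!A-Za-z]*)             echo "must begin with a letter: $name"; return 1 ;;
    *[!A-Za-z0-9_.:-]*)     echo "illegal character in: $name"; return 1 ;;
  esac
  echo ok
}

# Constructed candidate names
for n in pool1 data_pool:2006.08 mirror c0t1d0 1pool 'bad name' ''; do
  printf '%-22s %s\n' "'$n'" "$(zpool_name_ok "$n")"
done
```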
zfs get -r compression pool1 - returns compression property for file systems
associated with 'pool1'
###ZFS Redundancy/Replication###
1. Mirroring - RAID-1
2. RAID-5 - RAID-Z
Virtual Devices:
1. c0t1d0 - 36GB
2. c0t2d0 - 36GB
###ZFS Snapshots###
Features:
1. Read-only copies of volumes or file systems
2. Use no additional space, initially
###Zone Configuration###
Use: zonecfg - to configure zones
Note: zonecfg can be run: interactively, non-interactively, command-file modes
Zone Types:
1. Sparse Root Zones - share key files with global zone
2. Whole Root Zones - require more storage