Archive

Archive for the ‘Technology’ category

Security of Linux’s Network – Scan and syslog

August 10, 2005 No comments

The first thing hackers do before they break into a computer system is scan the network. If monitoring software is in place that detects their accesses immediately, we can protect our system. In the worst case we may have to shut the system down, but even that is useful.

Three common monitoring tools are listed here:

1. klaxon: if klaxon is used to listen on many ports, the system may be hit by a denial-of-service attack that puts a heavy load on the inetd process.
2. courtney: sniffs the network using tcpdump.
3. scanlogd: if scanlogd detects 7 connections to privileged ports within 3 seconds, or 5 scans within 20 seconds, it stops recording the connection log so that the system log is not flooded with refusal messages.

As the name indicates, scanlogd only logs port scans. It does not prevent them. You will only receive summarized information in the system log.

Obviously, the source address of a port scan can be spoofed. Don’t take any action against the source of an attack unless other evidence is available. Sometimes an IP address is shared among many people, as with ISP shell servers, dynamic dialup pools, and corporate networks behind NAT (also called masquerading).

Note: IDE and SATA hard disk devices are the same except for the interface.

Nautilus is the GUI interface of GNOME.

System hardening:
Hardening tools raise security by checking the system for over-granted privileges. Some hardening tools are listed here: Bastille, Openwall Linux, LIDS.

The syslog process records messages in the system logs according to the severity of the event: emerg, alert, crit, err, warning, notice, info and debug.

/etc/syslog.conf is the configuration file of the syslog process. Each line in /etc/syslog.conf has the form:
facility.loglevel logtarget
for example:

daemon.notice   /var/log/daemon.log

Note that logtarget can be not only a local path but also a remote log server, written by putting “@” before the target host name. This is very useful when the local system has been compromised: even if everything on the local host was erased by a hacker who wants nobody to trace him, we can still find the log records on the remote log server.
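The check a defender wants after reading the above is which facilities in /etc/syslog.conf only ever reach a local file and would therefore vanish with the host. This is an added example, not code from the original post; the configuration it parses is constructed, and the host name loghost.example.internal is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample /etc/syslog.conf in the facility.level<TAB>target
# format described above. Not taken from a real host.
SAMPLE_SYSLOG_CONF = """
# comments and blank lines are ignored
daemon.notice            /var/log/daemon.log
auth,authpriv.*          /var/log/auth.log
auth,authpriv.*          @loghost.example.internal
kern.*                   /var/log/kern.log
*.emerg                  *
"""

REMOTE_PREFIX = "@"   # "@host" sends the records to a remote log server


def parse_syslog_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (facility, level, target) triples for every rule line.

    A selector such as "auth,authpriv.*" expands to one triple per facility,
    and several selectors joined by ";" on one line are expanded as well.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # selector and target are separated by whitespace (tabs in the classic file)
        selector, target = re.split(r"\s+", line, maxsplit=1)
        for sel in selector.split(";"):
            facilities, level = sel.rsplit(".", 1)
            for fac in facilities.split(","):
                rules.append((fac, level, target))
    return rules


def facilities_without_remote_copy(text: str) -> List[str]:
    """Facilities that are written only to local files.

    If an intruder erases the local logs, only facilities that also reach an
    "@host" target leave a trace; this lists the ones that do not.
    """
    local: Dict[str, bool] = {}
    remote: Dict[str, bool] = {}
    for fac, _level, target in parse_syslog_conf(text):
        if fac == "*":
            continue  # wildcard lines such as *.emerg are not a per-facility copy
        (remote if target.startswith(REMOTE_PREFIX) else local)[fac] = True
    return sorted(f for f in local if f not in remote)
```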

In some cases a user types the password in the username field, and yes, that login failure, password and all, is recorded in the system log. How dangerous that is! Hackers could analyze the log file and search for such entries so that passwords are acquired easily. How to prevent this? I think nobody except root should be permitted to read the system log.

These programs are used to analyze system logs: Swatch, Logsurfer.

Category: Technology Tags:

Security of Linux’s network – quota and limitation

August 10, 2005 No comments

First Part: Quota

Linux quota is used to limit users’ hard disk space in order to prevent a few users from occupying nearly all of the resources. Quota can be configured by the following steps:

1. Add “usrquota” to the fourth field of the corresponding line in “/etc/fstab”, for example:

 /dev/hda7    /home    ext2    defaults,usrquota    1 2 

2. Create two files in the partition concerned:

 # touch /home/quota.user
 # touch /home/quota.group 

and then set their permissions:

 # chmod 600 /home/quota.user
 # chmod 600 /home/quota.group 

3. Reboot the system.
4. Issue the following command to configure the quota for a particular user:

# edquota -u username 

Second Part: Limitation
Hard limit: the user cannot exceed the specified limit.
Soft limit: when the space used reaches the specified limit, the system displays a warning message.

# ulimit
# ulimit -a 
(lists all limit parameters, including CPU time and the number of open files)

There are two ways to configure limits:

1. Add “ulimit” lines to /etc/profile.
2. Modify /etc/security/limits.conf. This is very important. When I installed Oracle 10g on Red Hat, this file always had to be modified by adding hard and soft limits for nproc. The format of /etc/security/limits.conf is listed here:

    domain    type    item    value 

domain: a username or a group name (group names are prefixed with “@”); if “*” is used, it means all users and groups.
type: indicates whether the limit is hard or soft.
item: indicates which resource is limited.
value: the value of the limit.
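To see how the four fields combine, here is an added example (not from the original post) that parses a constructed limits.conf and resolves which nproc or nofile limit applies to a user. It assumes the precedence pam_limits uses: an explicit username entry beats an @group entry, which beats “*”; the user oracle and group dba are constructed sample names.

```python
from typing import List, Optional, Tuple

# Constructed sample /etc/security/limits.conf in the
# "domain type item value" format described above (not from a real host).
SAMPLE_LIMITS_CONF = """
# domain     type    item     value
*            soft    nproc    1024
*            hard    nproc    4096
@dba         soft    nproc    2047
@dba         hard    nproc    16384
oracle       soft    nofile   1024
oracle       hard    nofile   65536
"""


def parse_limits_conf(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (domain, type, item, value) tuples, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed limits.conf line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3]))
    return entries


def effective_limit(text: str, user: str, groups: List[str],
                    item: str, limit_type: str) -> Optional[str]:
    """Resolve the limit for one user, item and type ("hard" or "soft").

    Precedence assumed here (as pam_limits applies it): username entry >
    @group entry > "*" entry. A type of "-" covers both hard and soft.
    Returns None when no entry matches.
    """
    best_rank, best_value = -1, None
    for domain, ltype, litem, value in parse_limits_conf(text):
        if litem != item or ltype not in (limit_type, "-"):
            continue
        if domain == user:
            rank = 2
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1
        elif domain == "*":
            rank = 0
        else:
            continue
        if rank > best_rank:
            best_rank, best_value = rank, value
    return best_value
```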


Security of Linux’s Network – File Attribute

August 10, 2005 No comments

Issue the following command to list all attributes of a file:

# lsattr 

This command is used to modify the attributes of a file:

# chattr 

All of the above applies to the EXT2 and EXT3 file systems.
Note: the attribute “i” (immutable) means no operation can be performed on the specified file. It is very useful.

Security of Linux’s Network – File privilege

August 10, 2005 No comments

A Linux user group is a collection of users who share the same properties. It is a convenience for defining a set of users. The configuration is located in /etc/group.

File permissions are listed in the following format: -rw-rw-r--. This string shows the file type and the operating permissions. The first character indicates the type of file: “-” means a regular file, “d” means a directory, “l” means a link, and “s” means a socket. The following three characters, “rw-”, indicate the permissions of the file’s owner: “r” means read, “w” means write, “x” means execute, and “-” means no permission for that operation. The middle three characters, here “rw-”, identify the permissions of the group, and the final three indicate the permissions of others.

If user A has write permission on a directory, he can delete files belonging to others. How to forbid this? We can use the following command:

# chmod +t /tmp

Then the files cannot be deleted by others, including those who have write permission on the directory. For example, the /tmp directory benefits from this: every user can only operate on their own files and directories.

When a regular user creates a directory, the default permission is “drwxrwxr-x”, 664; if a regular file is created, its default permission is “-rw-rw-r--”, also written 775.

The umask command sets the user’s default permissions. For example, if the umask value is 002, the real permission is the value requested by the user with “002” taken away: if the requested value is 666, the result is 664, obtained by taking 002 away from 666.

In this way, we could create the strictest permission by setting the umask value to 777, because 777 is the maximal number and taking it away from any other number gives “0”, which means no permission at all. But the most common choice is a umask of 077: only the owner can operate on the file; the group and others have no permission.

The rule for granting: first grant the strictest permissions by setting umask to 077, then add permissions for specific needs. This method avoids many unnecessary troubles because adding permissions is easier than removing them.
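The permission string, the sticky bit set by chmod +t and the umask rule from the sections above can all be checked with a few lines of code. This is an added example, not code from the original post; it treats umask as bitwise masking of the requested mode, which is what the kernel does and which agrees with the 666/002 → 664 case above.

```python
import stat

# Permission bits in the order they appear after the type character.
_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
_EXPECTED = "rwxrwxrwx"


def mode_from_string(perm: str) -> int:
    """Convert an ls-style string such as "-rw-rw-r--" or "drwxrwxrwt" to mode bits.

    "t"/"T" in the last position is the sticky bit set by chmod +t; "s"/"S" in
    the owner or group execute position is setuid/setgid. Lowercase means the
    underlying execute bit is also set, uppercase means it is not.
    """
    if len(perm) != 10 or perm[0] not in "-dlsbcp":
        raise ValueError("expected a type character followed by nine permission characters")
    mode = 0
    for i, (ch, bit) in enumerate(zip(perm[1:], _BITS)):
        if ch == "-":
            continue
        if ch == _EXPECTED[i]:
            mode |= bit
        elif i in (2, 5) and ch in "sS":
            mode |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":
                mode |= bit
        elif i == 8 and ch in "tT":
            mode |= stat.S_ISVTX
            if ch == "t":
                mode |= bit
        else:
            raise ValueError(f"unexpected character {ch!r} at position {i + 1}")
    return mode


def is_sticky(mode: int) -> bool:
    """True when the sticky bit is set, i.e. only a file's owner may delete it."""
    return bool(mode & stat.S_ISVTX)


def apply_umask(requested: int, umask: int) -> int:
    """Mode actually created: the umask bits are cleared from the requested mode.

    This is a bitwise operation, not decimal subtraction. Both give 664 for
    666 and 002, but 666 with umask 027 yields 640, not 639.
    """
    return requested & ~umask & 0o777
```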

Security of Linux’s Network – User and Group

August 10, 2005 No comments

Words of wisdom: Victory belongs to the last second man who was wrong.

The hackers’ goal in attacking your system is to gain root privilege. Once they have it, they can do anything they want. So Linux security is concentrated in the administration of accounts, the file system and application services.

Many Linux users think that their systems, which hold no important information, will not be attacked by hackers. They are wrong. Hackers always use machines they have already conquered to attack other, more important computers, which are their real targets.

All account information is stored in the file “/etc/passwd”, where each line describes one account. The root account’s user id is “0” (the number zero). Any user whose id is “0” has root privilege, whatever its name is; for example, both toor and super belong to root. System accounts such as nobody can never log in because they are used by special applications: for example, the “nobody” account serves users’ HTTP requests, and the “lp” account handles print requests.

Summary: the three types of Linux account: root (toor, super), system accounts (nobody, lp), general accounts.
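The uid-0 rule above is exactly what an account audit should check. This added example (not from the original post) parses a constructed /etc/passwd, classifies the three account types, and reports every uid-0 account that is not literally “root”; the user names and shells in the sample are constructed.

```python
from typing import Dict, List

# Constructed /etc/passwd sample (not from a real system) showing the three
# account types: uid-0 accounts, system accounts that cannot log in, general users.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alternate root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
super:x:0:100:another root:/home/super:/bin/bash
"""

# Shells that refuse an interactive login (assumed set for this example).
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """Split each name:passwd:uid:gid:gecos:home:shell line into a dict."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "home": home, "shell": shell})
    return accounts


def root_equivalent_accounts(text: str) -> List[str]:
    """Every account whose uid is 0 has root privilege regardless of its name."""
    return [a["name"] for a in parse_passwd(text) if a["uid"] == 0]


def unexpected_root_accounts(text: str) -> List[str]:
    """Audit check: uid-0 accounts other than "root" deserve investigation."""
    return [n for n in root_equivalent_accounts(text) if n != "root"]


def classify(text: str) -> Dict[str, List[str]]:
    """Group accounts into root, system (cannot log in) and general."""
    out: Dict[str, List[str]] = {"root": [], "system": [], "general": []}
    for a in parse_passwd(text):
        kind = "root" if a["uid"] == 0 else "system" if a["shell"] in NOLOGIN_SHELLS else "general"
        out[kind].append(a["name"])
    return out
```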

Memory capacity of SE7520BD2

August 4, 2005 No comments

The Intel server board SE7520BD2 has six DIMM slots; each group of three DIMMs belongs to one channel. There are two banks on this board, and each bank contains four ranks. Therefore only four dual-rank DDR333 modules can be installed in the server board. If DDR266 is used, there is no such limitation on the DDR266 memory. The board supports up to 24GB of DDR266 and up to 16GB of DDR333. Single-rank DDR333 memory really exists, which I found in the SE7520’s memory list report. However, the report does not give details of 4GB DDR333.

ftp command’s list

August 3, 2005 No comments

I modified the “/etc/rc.d” file by adding the string “swapon /Swapdir/Swapfile” so that this command runs automatically when the system starts up.

ftp command
Format: ftp -v -d -i -n -g [hostname]
-v : display all response messages
-d : debug mode
-i : turn off automatic login
Internal commands of ftp:
1. ![cmd [args]] : run a command in the local shell from within ftp.
2. account [passwd] : supply the username and password.
3. bye : close the ftp session.
4. cd remote-dir : change to a directory on the remote host.
5. cdup : change to the parent directory.
6. close : shut down the ftp connection between the local host and the remote server.
7. delete remote-file : delete a file on the remote host.
8. debug [debug-value] : set the debug level.
9. dir : list all directories and files on the remote host.
10. disconnect : same as close.
11. get remote-file [local-file] : download a file from the remote host to the local host.
12. hash : display a “#” after every 1024 bits transferred.
13. open host [port] : specify the remote host and its port.
14. put local-file [remote-file] : upload a file from the local host to the remote host.
15. pwd : show the current working directory on the remote host.
16. recv : same as get.
17. reset : clear the reply queue.
18. send local-file [remote-file] : same as put.
19. size file-name : show the size of a file on the remote host.
20. status : show the current ftp status.
21. system : show the operating system of the remote host.
22. user username [passwd] [account] : identify the user to the remote host.

If the ftp server permits it, we can issue the following command to change the user’s password:

ftp> quote "site pswd oldpasswd newpasswd" 

In Linux there is an ftp tool named “lftp”, for example:

# lftp remote-host
lftp > open remote-name
lftp > user username
...... 


Gnome and KDE

August 3, 2005 No comments

In Red Hat Linux 9.0 the default X Window setting is GNOME. I installed the KDE desktop and then changed the desktop startup parameter in order to start X Window with KDE. When the setting was confirmed, I rebooted the system. I usually start my Linux 9.0 in text mode, enter the username and password, and issue the “startx” command. Yes, it really opened a KDE window; however, there was nothing on the screen except a live mouse pointer.

I thought it might be caused by something going wrong while the system initialized. But the same thing happened after restarting the system again. When I issued the “startx gnome” command, some error messages were displayed and no GUI came up. It seemed there was no way to start my X Window again. Some documents I found on the Internet said that editing a file named “.xinitrc” could resolve this problem. It was disappointing when I found no useful message in either /etc/X11/xinit/.xinitrc.d or the /etc/X11/xinit/.xinitrc file. I did not want to lose my operating system and re-install it; it would take me so much time. So I researched on the Internet again until I found the “switchdesk” command, which is used to switch the desktop between GNOME and KDE. This command can only be issued before executing the “startx” command. I restarted the operating system again and issued the following commands:

# switchdesk Gnome
# startx 

Yeah!!! I succeeded! The system started up with the GNOME desktop. Hmm, I had to find the reason for this mess once the system had come up. The “.Xclients-default” file mentioned in switchdesk’s manual (by issuing: # man switchdesk) contains the messages I want. For example, the content of the “.Xclients-default” file is listed here:

# pwd
/root
# cat .Xclients-default
# Created by Red Hat Desktop Switcher
exec gnome-session 

I think the switchdesk command modified the “.Xclients-default” file so that the initial program reads this setting and starts X Window accordingly. To prove my guess, I changed the default desktop from GNOME to KDE and restarted the system again. When the system was restarted, the “.Xclients-default” file had really been modified: the string “gnome-session” had been replaced by the string “startkde”. I changed “startkde” back to “gnome-session” and issued the “startx” command again, and the system started up with the GNOME desktop. I was right: the “.Xclients-default” file is operated on by the “switchdesk” command.

Nautilus is the skin of GNOME.

Marvell Ethernet device

July 30, 2005 No comments

Some error messages were displayed after installing the Marvell Ethernet device in Linux operating systems such as Red Hat AS 3.0 and Fedora 1. I issued the following command to check the Ethernet device’s driver information:

# dmesg | grep eth

Though errors were listed, everything else ran very well. Testing the Marvell Ethernet device with the ping command was OK, and I could find the right configuration of the Marvell Ethernet device in the GUI. It seemed the Marvell Ethernet device could work normally, but I was still confused about why these error messages were shown.

The Marvell installation manual shows that the problem I met is caused by compiling in single-processor mode. But in fact there are two Xeon processors in my platform. Why and how?
I called Intel’s support team; they did the installation test and then told me there were no error messages. Did I install the device in a wrong way?

First, I chose the second step to create a patch during installation. Second, I issued the following command:

# ./install.sh

When the driver compilation completed:

# modprobe sk98lin

In the GUI, System Settings – Network, I could find the Marvell Ethernet device in the hardware list. Click the Devices tab, then click the New button to create a new profile: for example, Devices – New – Ethernet Connection, select the Marvell Ethernet device and configure it. Finally, issue the checking command again:

# dmesg | grep eth0

I found no error messages were shown, and then I rebooted the system.
Among the Linux services, the kudzu service is used to check and configure new hardware. On the first reboot after installing the Marvell Ethernet device, kudzu asked me to configure the new hardware.
Because I had already installed the Marvell Ethernet device, I chose “Do Nothing”. I issued “# dmesg | grep eth0”, and everything was OK. How could this happen? I think maybe I usually chose “Configure the device” in the kudzu service, and that is why the error messages existed.

Sendmail service

July 21, 2005 No comments

DNS, the domain name server, usually has a caching server in front of it with its own database. If the requested name is in the cache server’s database, the corresponding IP address is returned to the user. If the request cannot be found, the cache server passes it on to the real DNS server to resolve the address. The /etc/named.conf file contains the DNS settings, and /etc/named/named.ca is used by the caching server. The file “named.ca” is updated often; there are 13 root DNS servers in total around the world, and the IP addresses of these root machines are listed in the “named.ca” file.

An e-mail system has two main parts: the UA (user agent) and the MTA (Message Transfer Agent). UAs are installed on the client and used to write and read mail; many programs have been developed as UAs, for example Outlook Express, Foxmail or Evolution on Linux. The MTA is also called the mail server; it provides storage and relaying of mail. There are three common protocols: SMTP, POP3 and IMAP. SMTP (Simple Mail Transfer Protocol) delivers mail to the target address hop by hop. IMAP (Internet Message Access Protocol) works like POP3, which is more popular.

Linux mail servers include: Sendmail, Qmail, CommuniGate Pro Messaging Server for Linux, Mail Studio 2000.

The Sendmail service is installed in Linux by default. It rewrites the mail’s address; if the address is local, the mail is saved under /var/spool/mail.

# /etc/rc.d/init.d/sendmail start
# /etc/rc.d/init.d/sendmail stop
# /etc/rc.d/init.d/sendmail restart