
RH253 - Red Hat Enterprise Linux Network Services and Security Administration docx


DOCUMENT INFORMATION

Basic information

Title RH253 - Red Hat Enterprise Linux Network Services and Security Administration
School Red Hat Academy
Subject Network Services and Security Administration
Type course material
Year published 2008
City Unspecified
Format
Pages 272
Size 1,5 MB


Contents


Page 1

RH253 - Red Hat Enterprise Linux Network Services and Security Administration


Introduction - RH253: Network Services and Security Administration

Copyright

Welcome

Participant Introductions

Red Hat Enterprise Linux

Red Hat Enterprise Linux Variants

Red Hat Network

Other Red Hat Supported Software

The Fedora Project

Classroom Network

Objectives of RH253

Audience and Prerequisites

Unit 1 - System Performance and Security

Objectives

System Resources as Services

Security in Principle

Security in Practice

Security Policy: the People

Security Policy: the System

Response Strategies

System Faults and Breaches

Method of Fault Analysis

Fault Analysis: Hypothesis

Method of Fault Analysis, continued

http://www.way2download.com/linux/RH253/ (1 of 10) [2008/02/06 08:25:50 PM]

Page 2


Fault Analysis: Gathering Data

Benefits of System Monitoring

Network Monitoring Utilities

Networking, a Local view

Networking, a Remote view

File System Analysis

Typical Problematic Permissions

Monitoring Processes

Process Monitoring Utilities

System Activity Reporting

Managing Processes by Account

System Log Files

syslogd and klogd Configuration

Log File Analysis

End of Unit 1

Unit 2 - System Service Access Controls

Objectives

System Resources Managed by init

System Initialization and Service Management

chkconfig

Initialization Script Management

xinetd Managed Services

xinetd Default Controls

xinetd Service Configuration

xinetd Access Controls

Host Pattern Access Controls

The /etc/sysconfig/ files

Service and Application Access Controls

tcp_wrappers Configuration


Page 3


IPv6: Dynamic Interface Configuration

IPv6: Static Interface Configuration

IPv6: Routing Configuration

tcp_wrappers and IPv6

New and Modified Utilities

Netfilter Overview

Netfilter Tables and Chains

Netfilter Packet Flow

Rule Matching

Rule Targets

Simple Example


Page 4


Basic Chain Operations

Additional Chain Operations

Rules: General Considerations

Match Arguments

Connection Tracking

Connection Tracking, continued

Connection Tracking Example

Network Address Translation (NAT)

Host Name Resolution

The Stub Resolver

The Everything Lookup

Exploring DNS with host

Transitioning to the Server


Page 5


Service Profile: DNS

Access Control Profile: BIND

Getting Started with BIND

Essential named Configuration

Configure the Stub Resolver

bind-chroot Package

caching-nameserver Package

Address Match List

Access Control List (ACL)

Modifying BIND Behavior

Access Controls: Putting it Together

Slave Zone Declaration

Master Zone Declaration

Zone File Creation

Tips for Zone Files

Testing

BIND Syntax Utilities

Advanced BIND Topics

Remote Name Daemon Control (rndc)

Page 6


Overview of smb.conf Sections

Configuring File and Directory Sharing

Printing to the Samba Server

Authentication Methods

Passwords

Samba Syntax Utility

Samba Client Tools: smbclient

Samba Client Tools: nmblookup

Samba Clients Tools: mounts

Samba Mounts in /etc/fstab

Page 7

Apache Namespace Configuration

Virtual Hosts

Apache Access Configuration

Apache Syntax Utilities

Using htaccess Files

.htaccess Advanced Example

CGI

Notable Apache Modules

Apache Encrypted Web Server

Squid Web Proxy Cache

Service Profile: Squid

Useful parameters in /etc/squid/squid.conf

End of Unit 6

Unit 7 - Electronic Mail Services

Objectives

Essential Email Operation

Simple Mail Transport Protocol

SMTP Firewalls

Mail Transport Agents

Service Profile: Sendmail

Intro to Sendmail Configuration

Incoming Sendmail Configuration

Outgoing Sendmail Configuration

Inbound Sendmail Aliases

Outbound Address Rewriting

Sendmail SMTP Restrictions

Sendmail Operation

Using alternatives to Switch MTAs

Service Profile: Postfix


Page 8

Intro to Postfix Configuration

Incoming Postfix Configuration

Outgoing Postfix Configuration

Inbound Postfix Aliases

Outbound Address Rewriting

Postfix SMTP Restrictions

Postfix Operation

Procmail, A Mail Delivery Agent

Procmail and Access Controls

Intro to Procmail Configuration

Sample Procmail Recipe

Mail Retrieval Protocols

Service Profile: Dovecot

Dovecot Configuration

Verifying POP Operation

Verifying IMAP Operation

End of Unit 7

Unit 8 - Securing Data

Objectives

The Need For Encryption

Cryptographic Building Blocks

Random Number Generator

Page 9

OpenSSH Authentication

The OpenSSH Server

Service Profile: SSH

OpenSSH Server Configuration

The OpenSSH Client

Protecting Your Keys

Account Information (Name Service)

Name Service Switch (NSS)

getent

Authentication

Pluggable Authentication Modules (PAM)

PAM Operation

/etc/pam.d/ Files: Tests

/etc/pam.d/ Files: Control Values

Example: /etc/pam.d/login File

The system_auth file

Page 10

End of Unit 9

Appendix A - Installing Software

Software Installation


Page 12

Copyright

● The contents of this course and all its modules and related materials, including handouts to audience members, are Copyright © 2007 Red Hat, Inc.

● No part of this publication may be stored in a retrieval system, transmitted or reproduced in any way, including, but not limited to, photocopy, photograph, magnetic, electronic or other record, without the prior written permission of Red Hat, Inc.

● This instructional program, including all material provided herein, is supplied without any guarantees from Red Hat, Inc. Red Hat, Inc. assumes no liability for damages or legal action arising from the use or misuse of contents or details contained herein.

● If you believe Red Hat training materials are being used, copied, or otherwise improperly distributed, please email training@redhat.com or phone toll-free (USA) +1 866 626 2994.

Page 15

Red Hat Enterprise Linux

❍ Certified with leading OEM and ISV products

subscription and support contract

❍ Support available for seven years after release

❍ Up to 24x7 coverage plans available

RH253-RH253-RHEL5-en-1-20070325 Copyright © 2007 Red Hat, Inc. All rights reserved

5

http://www.way2download.com/linux/RH253/introduction/page05.html [2008/02/06 08:26:13 PM]

Page 16

Red Hat Enterprise Linux Variants

❍ Red Hat Enterprise Linux

❍ Red Hat Enterprise Linux Advanced Platform

Page 17

Red Hat Network

management, and monitoring framework

Provides software updates

■ Included with all Red Hat Enterprise Linux subscriptions

❍ Management

large deployments

❍ Provisioning

configuration management, and multi-state configuration rollback capabilities

❍ Monitoring

monitoring of networks, systems, applications, etc


Page 18

Other Red Hat Supported Software


Page 19

The Fedora Project

❍ Rapid four to six month release cycle

❍ Available as free download from the Internet

ground for technologies which may be used in upcoming enterprise products


Page 20

Classroom Network

                   Names                    IP Addresses
Our Network        example.com              192.168.0.0/24
Our Server         server1.example.com      192.168.0.254
Our Stations       stationX.example.com     192.168.0.X
Hostile Network    cracker.org              192.168.1.0/24
Hostile Server     server1.cracker.org      192.168.1.254
Hostile Stations   stationX.cracker.org     192.168.1.X
Trusted Station    trusted.cracker.org      192.168.1.21


Page 21

Objectives of RH253

set up a Red Hat Enterprise Linux server, configure common network services, and implement a security policy at a basic level.


Page 22

Audience and Prerequisites

equivalent skills and experience. A working knowledge of Internet Protocol (IP) networking.



Page 25

System Resources as Services

roles

❍ systems that serve

❍ systems that request

❍ processes that serve

❍ processes that request

❍ accounts that serve

❍ accounts that request

accounted for as policy of securing

Page 27

those you must

❍ "Do I need or know to host this?"

❍ "Do they need or know to access this?"

❍ "Is this consistent with past records of system behavior?"

❍ "Have I applied all relevant security updates?"

and poor performance


Page 28

Security Policy: the People

❍ includes Security Policy maintenance


Page 29

Security Policy: the System

❍ Log to an external server in case of compromise

❍ Monitor logs with logwatch

❍ Monitor bandwidth usage inbound and outbound


Page 30

Response Strategies

❍ Do not run programs from the suspected system

❍ Boot from trusted media to verify breach

❍ Analyze logs of remote logger and "local" logs

❍ Check file integrity against read-only backup of rpm database

Page 31

System Faults and Breaches

concern

❍ a system fault yields an infrastructure void

❍ an infrastructure void yields opportunity for alternative resource access

❍ an opportunity for alternative resource access yields unaccountable resource access

❍ an unaccountable resource access is a breach of security policy


Page 32

Method of Fault Analysis


Page 33

Fault Analysis: Hypothesis


Page 34

Method of Fault Analysis, continued

hypothesis if needed

result, further characterize the problem


Page 35

Fault Analysis: Gathering Data

Page 36

Benefits of System Monitoring

maintained with regular system monitoring

❍ Network monitoring and analysis

❍ File system monitoring

Page 37

Network Monitoring Utilities

❍ Show what interfaces are available on a system

❍ Show what services are available on a system

❍ Stores and analyzes all network traffic visible to the

Page 38

Networking, a Local view

❍ Called by initialization scripts

Greater capability than ifconfig

❍ active network servers

Page 39

Networking, a Remote view

to remote connection attempts

❍ Advanced scanning options available

❍ Offers remote OS detection

❍ Scans on small or large subnets

scanned system's admin!


Page 40

File System Analysis

❍ Exhausting system resources

❍ Security breaches due to poor access controls

❍ Data integrity scans

❍ Investigating suspect files

Page 41

Typical Problematic Permissions

unauthorized access:

❍ Locate files and directories with no user or group entries in the /etc/passwd file:

find / \( -nouser -o -nogroup \)

permission (o+w) may indicate a problem

❍ Locate other-writable files with:

find / -type f -perm -002

❍ Locate other-writable directories with:

find / -type d -perm -2
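The three checks from this slide wrapped as shell functions that return a count for any directory tree (defaulting to / as on the slide), so they can be run from a cron job and their output compared against a known-good baseline; this is an added example, not code from the RH253 course material, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the RH253 course: the "Typical Problematic
# Permissions" find checks as functions that return a count for a tree.
# -xdev keeps each scan on one filesystem so /proc, /sys and NFS mounts are skipped.

# Files and directories whose owner or group has no entry in /etc/passwd
# or /etc/group (left behind by deleted accounts, or dropped in from elsewhere).
count_orphans() {
    find "${1:-/}" -xdev \( -nouser -o -nogroup \) 2>/dev/null | wc -l | tr -d ' '
}

# Regular files writable by "other" (o+w): -perm -002 matches any mode that
# includes that bit, e.g. 0666 or 0777.
count_other_writable_files() {
    find "${1:-/}" -xdev -type f -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# Directories writable by "other"; -perm -2 on the slide is the same test as -perm -002.
count_other_writable_dirs() {
    find "${1:-/}" -xdev -type d -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# Run all three checks and print one summary line. Usage: audit_perms [root]
audit_perms() {
    root="${1:-/}"
    printf 'root=%s orphans=%s other_writable_files=%s other_writable_dirs=%s\n' \
        "$root" \
        "$(count_orphans "$root")" \
        "$(count_other_writable_files "$root")" \
        "$(count_other_writable_dirs "$root")"
}
```

World-writable directories such as /tmp are expected to show up; what matters is a change in the counts between runs, so keep the previous summary line and diff against it.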


Page 42

Monitoring Processes

❍ Cause of decreased performance

❍ If suspicious processes are executing

Page 43

Process Monitoring Utilities

top

❍ view processor activity in real-time

interactively kill or renice processes

❍ watch system statistics update through time, either in units or cumulatively

gnome-system-monitor: GNOME process, CPU, and memory monitor

kpm: KDE version of top


Page 44

System Activity Reporting

cron spawns sa1 and sa2

sar reads and generates "human friendly" logs

❍ more accurate statistics

■ binary "database" collection method

Posted: 22/03/2014, 14:20
