book

Advanced Linux Networking

Name: Advanced Linux Networking
Author: Roderick W. Smith
ISBN: 0201774232

by Roderick W. Smith

June 2002

Intermediate to advanced

784 pages

20h 25m

English

Addison-Wesley Professional

Read now

Unlock full access

Copyright
Dedication
Preface
Who Should Buy This BookLinux DistributionsHow This Book Is OrganizedConventions Used in This BookContacting MeAcknowledgments
I. Low-Level Configuration
1. Kernel Network Configuration
Starting Kernel ConfigurationNetwork Protocol SupportPacket and Socket OptionsNetwork Filter OptionsTCP/IP Routing OptionsIPv6 Support OptionsQoS OptionsHigh-Level Protocol SupportHTTP AccelerationNFS OptionsSMB/CIFS OptionsAlternative Network Stack OptionsNetwork Hardware OptionsEthernet DevicesAlternative Local Network DevicesBroadband and WAN DevicesWireless DevicesPC Card DevicesDial-Up DevicesCompiling and Installing a KernelDrivers: Modules or Built-InA Typical Kernel CompilationCommon Kernel Compilation ProblemsInstalling and Using a New KernelSummary
2. TCP/IP Network Configuration
Loading Network DriversUsing a DHCP ClientConfiguring a Static IP AddressConfiguring Network InterfacesBasic ifconfig Syntax and UseConfiguring Multiple Network InterfacesAdjusting the Routing TableUnderstanding Routing Table StructureBasic route Syntax and UseMultiple Interfaces with One GatewayMultiple Interfaces with Multiple GatewaysConfiguring DNSSetting the HostnameMaking Your Changes PermanentUsing a GUI Configuration ToolEditing Configuration FilesUsing a PPP LinkUsing a GUI DialerAdjusting Configuration ScriptsSetting PPP Authentication OptionsConfiguring Dialing ScriptsUsing PPP Dialing ScriptsConfiguring Dial-on-DemandSummary
3. Alternative Network Stacks
Understanding Network StacksThe OSI Network Stack ModelWrapping and Unwrapping DataThe Role of the TCP/IP StackAppleTalkAppleTalk Features and CapabilitiesUsing Linux AppleTalk SoftwareIPX/SPXIPX/SPX Features and CapabilitiesUsing Linux IPX/SPX SoftwareNetBEUINetBEUI Features and CapabilitiesObtaining a NetBEUI Stack for LinuxUsing Linux NetBEUI SoftwareSummary
4. Starting Servers
Using SysV Startup ScriptsStartup Script Locations and Naming ConventionsManually Enabling or Disabling Startup ScriptsUsing Startup Script UtilitiesUsing chkconfigUsing ntsysvSetting and Changing the RunlevelUsing inetdThe /etc/inetd.conf File FormatUsing TCP WrappersUsing xinetdThe /etc/xinetd.conf File FormatSetting Access Control FeaturesUsing Local Startup ScriptsUsing GUI ToolsUsing LinuxconfUsing YaST and YaST2Using ksysvWhen to Use Each Startup MethodSummary
II. Local Network Servers
5. Configuring Other Computers via DHCP
When to Run a DHCP ServerKernel and Network Interface IssuesDHCP Configuration FilesAssigning Dynamic AddressesSetting Global OptionsDefining a Subnet RangeAssigning Fixed AddressesLocating Client MAC AddressesLocating the MAC Address from the ClientLocating the MAC Address from the ServerDefining Hosts via MAC AddressesCustomizing Client-Specific ParametersIntegrating with Other ProtocolsIncluding NetBIOS InformationCommunicating with a DNS ServerUsing the Ad-Hoc Update MethodUsing the Interim Update MethodSummary
6. Authenticating Users via Kerberos
When to Run a Kerberos ServerUnderstanding Kerberos OperationBasic Principles of Kerberos OperationKerberos Network ElementsKerberos Design Goals and OperationRequirements for the Kerberos ServerKerberos Versions and VariantsSetting Up a Kerberos ServerModifying Server Configuration FilesSetting Up a RealmChanging krb5.confChanging kdc.confCreating a Master KeyAdministering a RealmDefining Basic ACLsCreating PrincipalsStarting the KDCConfiguring a Slave KDCConfiguring a Kerberos Application ServerConfiguring KerberosRunning Kerberized ServersConfiguring a Kerberos ClientAccessing Kerberos ServersUsing Kerberos Network UtilitiesUsing Kerberized ClientsUsing Kerberos for User LoginsPerforming Text-Mode Kerberos Login AuthenticationChanging Your Account After Logging InUsing PAM with KerberosSummary

7. File and Printer Sharing via Samba
When to Run a Samba ServerGeneral Samba ConfigurationThe Samba Configuration FileSetting Server IdentificationSetting Security OptionsBecoming a NetBIOS Name ServerBecoming a Master BrowserBecoming a Domain ControllerServing Files with SambaCreating a File ShareSetting Windows Filename OptionsConfiguring Ownership and PermissionsLimiting Access to SharesServing Printers with SambaCreating a Printer ShareSharing a PostScript PrinterSharing a Non-PostScript PrinterUsing GhostscriptCreating a Non-PostScript QueueChoosing an ApproachSamba Scripting FeaturesUsing preexec and postexec ScriptsUsing Pseudo-PrintersExample: CD BurningBurning a CD via preexec and postexec ScriptsBurning a CD via a Pseudo-PrinterExample: Creating PDF FilesSummary
8. File Sharing via NFS
When to Run an NFS ServerNFS Servers Available for LinuxUser-Mode and Kernel-Mode ServersNFS Versions 2 and 3Understanding the PortmapperServing Files with NFSDefining NFS ExportsAccess Control MechanismsMounting NFS ExportsOptimizing PerformanceUsername Mapping OptionsSynchronizing Client and Server User IDsUsing a Server-Side User ID MapUsing a Client-Side Mapping DaemonSummary
9. Printer Sharing via LPD
When to Run an LPD ServerLPD Server Options for LinuxConfiguring a BSD LPD ServerConfiguring /etc/hosts.lpdSpecifying the Server on a BSD LPD ClientConfiguring an LPRng ServerConfiguring /etc/lpd.permsSpecifying the Server on an LPRng ClientConfiguring a CUPS ServerConfiguring /etc/cups/cupsd.confAccepting Jobs from BSD LPD or LPRng ClientsSpecifying the Server on a CUPS ClientSummary
10. Maintaining Consistent Time: Time Servers
When to Run a Time ServerSetting Up an NTP ServerUnderstanding How a Time Server FunctionsTime Server Programs for LinuxConfiguring ntp.confMonitoring NTP's OperationsUsing an NTP Client PackageUsing Samba to Serve TimeSamba's Time Serving OptionsConfiguring a Windows Client to Set Its ClockSummary
11. Pull Mail Protocols: POP and IMAP
When to Run a Pull Mail ServerUnderstanding POP and IMAPPull Mail's Place in the Mail Delivery SystemStoring Mail: On the Client or the ServerA Sample POP SessionA Sample IMAP SessionDetermining Which to UseConfiguring a POP ServerPOP Servers for LinuxPOP Server Installation and ConfigurationConfiguring an IMAP ServerIMAP Servers for LinuxIMAP Server Installation and ConfigurationUsing FetchmailFetchmail's Place in Mail Delivery SystemsUsing fetchmailconfConfiguring .fetchmailrcSummary
12. Running a News Server
When to Run a News ServerUnderstanding NNTPRunning INNObtaining a News FeedConfiguring INNGeneral ConfigurationSetting Up NewsgroupsControlling AccessFeeding News to Other SitesSetting News Feed AccessSetting News Reader AccessSetting Message Expiration OptionsOngoing News Server MaintenanceUsing LeafnodeUnderstanding Leafnode's CapabilitiesConfiguring LeafnodeGeneral Configuration SettingsSetting Up the ServerFetching NewsExpiring Old NewsFiltering ArticlesSummary
13. Maintaining Remote Login Servers
When to Run a Remote Login ServerConfiguring rlogindSetting rlogind Startup OptionsUnderstanding rlogind SecurityControlling rlogind AccessConfiguring TelnetSetting Telnet Startup OptionsAdjusting the Telnet Login DisplayUnderstanding Telnet SecurityConfiguring SSHAvailable SSH SoftwareUnderstanding SSH CapabilitiesSetting SSH Startup OptionsAdjusting the sshd_config FileSSH Authentication OptionsUnderstanding SSH AuthenticationGenerating Keys to Automate Logins or Improve SecurityUsing ssh-agentSummary
14. Handling GUI Access with X and VNC Servers
When to Run a GUI Access ServerConfiguring Basic X AccessUnderstanding the X Client/Server RelationshipConfiguring an X Server to Accept X Client AccessUsing xhostUsing xauthSetting Client Options to Use an X ServerTunneling X Connections Through SSHA Summary of Remote-Login X AccessUsing an XDMCP ServerUnderstanding XDMCP OperationConfiguring a Login Server to Accept ConnectionsXDM ConfigurationAdjusting XDM's AvailabilitySetting Displays XDM is to ManageKDM ConfigurationGDM ConfigurationRunning an XDMCP ServerConfiguring a Remote X Login ClientRunning a VNC ServerUnderstanding the VNC Client/Server RelationshipInstalling a VNC ServerRunning a VNC ServerUsing a VNC Client to Access the ServerAdjusting VNC Server ConfigurationAdjusting Basic Server FeaturesCustomizing Individual Users' SettingsRunning an XDMCP Login Server in VNCA Comparison of Access TechniquesSummary
15. Providing Consistent Fonts with Font Servers
When to Run a Font ServerUnderstanding Font File FormatsBitmapped Font FormatsOutline Font FormatsRunning a Traditional Font ServerFont Server Options for LinuxCommon Default Font Server ConfigurationsAdjusting a Font Server for a LANAdjusting Font AvailabilityChanging a Font Server's Font PathAdding Fonts to a Font DirectoryRunning an Expanded Font ServerSummary
16. Maintaining a System Remotely
When to Run Remote System Maintenance ToolsThe Challenge of a Cross-Distribution Configuration ToolRunning Linuxconf RemotelyConfiguring Linuxconf to Work RemotelyRunning the Linuxconf ServerAuthorizing Remote AccessUsing Web-Based LinuxconfRunning WebminConfiguring WebminUsing WebminRunning SWATConfiguring SWAT to RunUsing SWATRemote Administration Security ConcernsSummary
17. Performing Network Backups
When to Run Network Backup ServersTypes of Network Backup SolutionsClient-Initiated BackupsServer-Initiated BackupsUsing tarBasic tar FeaturesTesting Local tar and Tape FunctionsPerforming a Client-Initiated BackupClient-Initiated Network ConfigurationsPerforming the BackupPerforming a Server-Initiated BackupServer-Initiated Network ConfigurationsPerforming the BackupUsing SMB/CIFSBacking Up Windows Clients from LinuxSharing Files to Back UpUsing smbtarUsing smbmountSpecial Windows Filename ConsiderationsBackup SharesWhat Is a Backup Share?Creating a Backup ShareUsing a Backup ShareUsing AMANDAThe Function of AMANDAConfiguring Clients for AMANDAConfiguring the AMANDA Backup ServerCreating an AMANDA ConfigurationSetting Basic OptionsPreparing TapesDefining Dump TypesDefining a Backup SetRunning an AMANDA BackupRestoring DataSummary
III. Internet Servers
18. Administering a Domain via DNS
When to Run a DNS ServerRunning an Externally Accessible DNS ServerRunning a Local DNS ServerObtaining a Domain NameDNS Server Options for LinuxCore DNS ConfigurationThe BIND Configuration FileLocating Other Name ServersSetting Up a Forwarding ServerSetting Up ZonesConfiguring a Slave ServerDomain Administration OptionsA Sample Zone Configuration FileSetting Master Zone OptionsSpecifying Addresses and AliasesConfiguring a Reverse DNS ZoneRunning a Caching-Only Name ServerCommunicating with a DHCP ServerStarting and Testing the ServerSummary
19. Push Mail Protocol: SMTP
When to Run an SMTP ServerSMTP Server Options for LinuxMail Domain AdministrationUnderstanding SMTP TransportSMTP Server Configuration OptionsAddress MasqueradingAccepting Mail as LocalRelaying MailAnti-Spam ConfigurationBlocking Incoming SpamHow to Avoid Becoming a Spam SourceBasic Sendmail ConfigurationSendmail's Configuration FilesSendmail Address MasqueradingConfiguring Sendmail to Accept MailSendmail Relay ConfigurationConfiguring Sendmail to Relay MailConfiguring Sendmail to Send Through a RelaySendmail Anti-Spam ConfigurationBasic Exim ConfigurationExim's Configuration FilesExim Address MasqueradingConfiguring Exim to Accept MailExim Relay ConfigurationConfiguring Exim to Relay MailConfiguring Exim to Send Through a RelayExim Anti-Spam ConfigurationBasic Postfix ConfigurationPostfix's Configuration FilesPostfix Address MasqueradingConfiguring Postfix to Accept MailPostfix Relay ConfigurationConfiguring Postfix to Relay MailConfiguring Postfix to Send Through a RelayPostfix Anti-Spam ConfigurationUsing a Procmail FilterUnderstanding the Role of ProcmailDesigning a RecipeThe Recipe Identification LineThe Recipe ConditionsThe Recipe ActionSome Example RecipesUsing Existing Filter SetsCalling ProcmailSummary
20. Running Web Servers
When to Run a Web ServerWeb Server Options for LinuxBasic Apache ConfigurationUnderstanding Apache Configuration FilesStandalone versus Super Server ConfigurationSetting Common Configuration OptionsSetting Server Directory OptionsLoading Apache ModulesConfiguring kHTTPdHandling Forms and ScriptsUnderstanding Static Content, Forms, and CGI ScriptsSetting Script and Form OptionsWriting CGI ScriptsScripting Security MeasuresHandling Secure SitesUnderstanding SSLConfiguring SSLEnabling SSL in ApacheHandling Virtual DomainsWhy Use a Virtual Domain?Virtual Domain Configuration OptionsUsing VirtualDocumentRootUsing <VirtualHost>Producing Something Worth ServingHTML and Other Web File FormatsTools for Producing Web PagesWeb Page Design TipsAnalyzing Server Log FilesThe Apache Log File FormatUsing AnalogSetting Analog OptionsRunning AnalogInterpreting Analog OutputUsing the WebalizerSetting the Webalizer OptionsRunning the WebalizerInterpreting the Webalizer OutputSummary
21. Running FTP Servers
When to Run an FTP ServerFTP Server Options for LinuxBasic FTP Server ConfigurationRunning the FTP ServerWU-FTPD ConfigurationWU-FTPD Configuration FilesCommon WU-FTPD Configuration OptionsProFTPd ConfigurationProFTPd Configuration FilesCommon ProFTPd Configuration OptionsSetting Up an Anonymous FTP ServerSpecial Needs of Anonymous ServersSecurity Concerns of Anonymous ServersSetting Anonymous OptionsSetting Up an Anonymous Directory TreeWU-FTPD Anonymous OptionsProFTPd Anonymous OptionsSummary
IV. Network Security and Router Functions
22. General System Security
Shutting Down Unnecessary ServersLocating Unnecessary ServersLocating ServersUsing Package Management SystemsExamining Server Startup FilesExamining Running ProcessesUsing netstatUsing External ScannersDetermining When a Server Is UnnecessaryMethods of Shutting Down ServersControlling Accounts and PasswordsAccount Creation Procedures and PoliciesMonitoring Account UsageHandling Inactive AccountsChecking for Account AbuseSetting Good PasswordsKeeping the System Up to DateThe Importance of Server UpdatesHow to Monitor for Updated SoftwareAutomatic Software Update ProceduresMonitoring for Intrusion AttemptsIntrusion-Detection ToolsUsing Package DatabasesUsing TripwireGeneral Intrusion Detection ProceduresWhat to Do if You Discover an IntruderKeeping Abreast of Security DevelopmentsSecurity Web SitesSecurity Mailing Lists and NewsgroupsSummary
23. Configuring a chroot Jail
What Is a chroot Jail?Necessary chroot Environment FilesPreparing a Directory TreeCopying Server FilesCopying System FilesConfiguring a Server to Operate in a chroot JailRunning a Server in a chroot JailControlling Local Access to the chroot EnvironmentAn Example: Running BIND in a chroot JailMaintaining the chroot EnvironmentSummary
24. Advanced Router Options
When to Use Advanced Router ConfigurationsAdvanced Kernel OptionsPolicy RoutingType of Service ValuesMultipath RoutingRouter Logging OptionsLarge Routing TablesMulticast RoutingQuality of ServiceUsing iproute2Using ipUsing tcUsing Routing ProtocolsUnderstanding Routing ProtocolsUsing routedUsing GateDUsing ZebraSummary
25. Configuring iptables
What Is iptables?Kernel Configuration for iptablesChecking Your iptables ConfigurationConfiguring a Firewall with iptablesWhat Is a Firewall?Setting a Firewall's Default PolicyCreating Firewall RulesOpening and Closing Specific PortsUsing Source and Destination IP AddressesFiltering by InterfacePerforming Stateful InspectionUsing Additional ParametersPutting It All TogetherConfiguring NAT with iptablesWhat Is NAT?Setting iptables NAT OptionsForwarding Ports with iptablesWhen to Forward PortsSetting iptables Port Forwarding OptionsLogging iptables ActivitySummary
26. Using a VPN
When to Use a VPNVPN Options for LinuxConfiguring PPTP in LinuxObtaining and Installing PoPToPPoPToP Server ConfigurationEnabling Encryption FeaturesPPTP Client ConfigurationUsing Linux PoPToP ClientsUsing Windows PPTP ClientsConfiguring a Linux FreeS/WAN ServerObtaining and Installing FreeS/WANEditing Configuration FilesSetting Up KeysEditing the IPSec SettingsAdjusting Local OptionsAdjusting Default Remote OptionsAdjusting System-Specific Remote OptionsEstablishing a LinkPotential Security Risks with a VPNSummary

Content preview from Advanced Linux Networking

Chapter 23. Configuring a `chroot` Jail

Every server must be able to read certain local files, and some servers must be able to change at least some local files. If these powers can be warped to serve the needs of an attacker, that attacker can corrupt your system's configuration, gain more power, and ultimately gain complete control of your system. What, though, if that corrupted system is really just a subset of the real computer, and a subset with very limited abilities? This is the idea behind a chroot jail—to run a server in an environment so limited that it won't do an attacker any good if the server is compromised.

Not all servers operate well in a chroot jail, but some are designed to be used in this way. For those servers that support

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 0201774232Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Advanced Linux Networking

by Roderick W. Smith

Chapter 23. Configuring a `chroot` Jail

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.