Networks
René Serral-Gracià1
1Universitat Politècnica de Catalunya (UPC)
November 26, 2020
Introduction Servers Services
Lectures
1 System administration introduction2 Operating System installation3 User management4 Application management5 System monitoring6 Filesystem Maintenance7 Local services8 Network services9 Security and Protection
10 Virtualization
R. Serral-Gracià, et. al Networks 2
Introduction Servers Services
Outline
1 IntroductionGoalsPrevious ConsiderationsNetwork Address TranslationFirewall
2 Servers
3 Services
R. Serral-Gracià, et. al Networks 3
Introduction Servers Services
Goals
Knowledge
Main services and networking protocolsSuperserver, portmapper, DNS, FTP, WWW, e-mail
Abilities
Service configurationsSuperserverDNSFTPWWWE-Mail
R. Serral-Gracià, et. al Networks 4
Introduction Servers Services
Network admin considerations (I)
Security measures
Never execute services with superuser privilegesExpose only necessary services – firewallsConfigure carefully all the offered services
Never leave default configurationsDisable/Remove unused services
Monitor the service’s logsCheck for security issues – be up to date
R. Serral-Gracià, et. al Networks 5
Introduction Servers Services
Network admin considerations (and II)
Port classification
Privileged ports: 0 - 1023Controlled and assigned by IANAOnly privileged users (root) mai install services to thoseports
Registered ports: 1024 - 49151Not controlled but registered by IANARegistry about services using those ports –/etc/services
Dynamic ports: 49152 - 65535Used for temporary connections
R. Serral-Gracià, et. al Networks 6
Introduction Servers Services
/etc/services
Relates services with corresponding port numbervarious applications use it (netstat, . . . )servicename port/protocol alias list
echo 7/tcpecho 7/udpsystat 11/tcp userssystat 11/udp usersftp-data 20/tcpftp-data 20/udp# 21 is registered to ftp, but also used by fspftp 21/tcpftp 21/udp fsp fspdssh 22/tcpssh 22/udptelnet 23/tcptelnet 23/udp# 24 - private mail systemsmtp 25/tcp mailsmtp 25/udp maildomain 53/tcpdomain 53/udphttp 80/tcp www www-httphttp 80/udp www www-http
R. Serral-Gracià, et. al Networks 7
Introduction Servers Services
Network Address Translation – NAT
Router translates internal addresses by one (or various) ofits own
Allows using a reserved IP (pool) and keep connectivity tothe outside
The router remembers the output connections to identify itsanswers
Output connection:192.168.1.25 (port 1085) → 212.106.192.142 (11086)
Reply connection:212.106.192.142 (11086) → 192.168.1.25 (1085)
Tools: iptables (SNAT), dnsmasq
R. Serral-Gracià, et. al Networks 8
Introduction Servers Services
NAT collateral effects
Private addresses are not visible from the outsideAttacks may only fall to the router – except over ongoingconnections
Network security depednds on router securityInternal machines cannot offer services to the outside
Except when using Destination Network AddressTranslation (DNAT)
Important performance penalty for the networkAll external connections go through a single routerEach packet requires some CPU time for processing
Some services do not behave properly when using NATThose establishing connections to the insideFTP, IRC, Netmeeting, . . .
R. Serral-Gracià, et. al Networks 9
Introduction Servers Services
Destination Address Translation (DNAT)
Indicate to the NAT router it must forward some inputconnections to a particular machineMap router ports to some internal machine
147.83.159.200
192.168.12.1/24
.2
.3
.4
.5
Port 22, 25, 80
Port 22
Port 25, 80
Eines: iptables (DNAT)
R. Serral-Gracià, et. al Networks 10
Introduction Servers Services
Firewall
Server that determines which connections may be establishedbetween two networks
It typically works at network and transport layersIn general application details are not known
It can keep connection status (Connection Tracking)It allows related connections: “replies“
R. Serral-Gracià, et. al Networks 11
Introduction Servers Services
Firewall == Security?
A firewall is another piece of the overall security of asystemIts use can potentially offer a false security feelingOther aspects cannot be neglected
Correct application configurationPerform regular security updates on installed softwareLimit concurrent connections
Other security tools in the private network and servers arestill necessary
R. Serral-Gracià, et. al Networks 12
Introduction Servers Services
Outline
1 Introduction
2 ServersServer types
3 Services
R. Serral-Gracià, et. al Networks 13
Introduction Servers Services
Server types
Connection orientedThe server keeps status about the different sessionsBetter performanceLess error resilience
ConnectionlessThere is no status about the client connectionsThere are no sessionsRequests must be self containedClient request must contain all the required informationBetter failure resilience and recovery
R. Serral-Gracià, et. al Networks 14
Introduction Servers Services
Server types – Depending authority
PrimaryThey keep a copy of all the informationIf there is mismatch in the stored information the primarytakes precedenceThere is one per service
SecondaryKeep copies of the informationPerforming periodic updates with the primaryThere can be more than one per serviceLoad balancingAre an implicit backup of the primary
Cache (and/or proxies)Keep –partial– copies of the most used informationMore than one per service
Better performanceThey can add security checks, filtering, log, . . .
R. Serral-Gracià, et. al Networks 15
Introduction Servers Services
Outline
1 Introduction
2 Servers
3 ServicesRemote Procedure Calls (RPC)Domain Name System (DNS)Dynamic Host Configuration Protocol (DHCP)Hypertext Transfer Protocol (HTTP)File Transfer Protocol (FTP)Simple Mail Transfer Protocol (SMTP)E-mail receptionSecure ShellNetwork File System (NFS)Samba (SMB)Lightweight Directory Access Protocol (LDAP)Virtual Private Networks (VPN)
R. Serral-Gracià, et. al Networks 16
Introduction Servers Services
Superserver
A service even when idle uses resourcesMany services are requested only from time to time:telnet, ftp, ssh, . . .
Superserver listens to all the ports and activates theservice only when needed
It detects the requestInitiates the servicePasses the message
LimitationsBetween connections it is not possible to keep informationin memoryOverhead caused by process creation
Implementations: inetd, xinetd
R. Serral-Gracià, et. al Networks 17
Introduction Servers Services
/etc/xinetd.conf, /etc/xinetd.d
Indicates the services offered by the superserverService, Protocol, User/group, Server, Parameters
$ cat /etc/xined.confincludedir /etc/xinetd.d
$ cat /etc/xined.d/ftpservice ftp{
socket_type = streamwait = nouser = rootserver = /usr/sbin/vsftpdlog_on_success += HOST DURATIONlog_on_failure += HOSTdisable = no
}
R. Serral-Gracià, et. al Networks 18
Introduction Servers Services
Remote Procedure Calls (RPC)
Remote subroutine invokationIdentified by a service number ID
RPC ServersThey implement a set of remote connectionsListen in a dynamic port
PortmapperRegisters the RPC servers
Maps the port with the subroutinesNeeded by other services
NFS, . . .
int read(int fd, ...
...b = read(8, ......
int read(int fd, ...
Stub Implementation
R. Serral-Gracià, et. al Networks 19
Introduction Servers Services
Portmapper
All the status is kept on memoryIf the process fails, is not enough restarting itAll RPC servers must be restarted
All services must be registered upon portmapper start
demanar serveiport
1
2
3
Crida RPC
Resultat
Client
Portmapper
Server
Reg
istr
ar
serv
ei
R. Serral-Gracià, et. al Networks 20
Introduction Servers Services
Domain Name System (DNS)
Name resolution serviceHostname → IP addressIP Address → hostname
IssuesLarge amount of machinesLarge number of changes
SolutionHierarchical distribution of the information (domains)Authority delegation
R. Serral-Gracià, et. al Networks 21
Introduction Servers Services
DNS Internals
Authority delegation
Each domain administers its own serverEverybody knows the higher servers in the hierarchy (root)Everybody knows the server for their domainName resolution is iterative
/etc/resolv.conf:
search ac.upc.edunameserver 147.83.33.45
www.google.com
Servidor DNSLocal
a.root-server b.root-server
internic.net...
www.google.com?
.com
.comiana.orgalldomains.com
www.google?
www?www
NS3.google.comgoogle.com
DNS: RFCs 1034/1035
R. Serral-Gracià, et. al Networks 22
Introduction Servers Services
Service performance
Using ”caches“ is convenient
High temporal localityAvoids repeating the same query
High spacial localityAvoids going up to the root servers too often
Avoids some steps of the iterative search
DNS can be used for load balancing
We can have several IPs for the same nameEach query returns different values: Round Robin or ”geographical“ criteria
$ nslookup www.google.comName: www.google.comAddress: 212.106.221.23Name: www.google.comAddress: 212.106.221.27Name: www.google.comAddress: 212.106.221.25...
R. Serral-Gracià, et. al Networks 23
Introduction Servers Services
DNS client configuration
/etc/host.confWhere a name is searched and its order
/etc/hostsLocally translated machines
/etc/resolv.confAutomatic domains to be searchedIP addresses of the DNS servers
R. Serral-Gracià, et. al Networks 24
Introduction Servers Services
DNS Server configuration
/etc/bind/named.confWhat are we administering?
DNS DomainsIP addresses ranges
Indicates primary, secondary, or cacheDirect translation files
Name.domain → IP address1 file for each administered domain
Inverse translation fileIP Address → name.domain1 file for each administered IP range
R. Serral-Gracià, et. al Networks 25
Introduction Servers Services
DNS type of registers
SOA (Start of Authority)Serial numberRefresh time and retriesExpiration timesMinimum TTL
A - Direct translationName → IP address
romeu IN A 147.83.32.4
CNAME - synonymsName → name
romeu IN CNAME lp_romeu
R. Serral-Gracià, et. al Networks 26
Introduction Servers Services
DNS type of registers
PTR - inverse translationIP Address → DNS name
4 IN PTR romeu.ac.upc.edu.
NS - Domain delegationDNS Domain→ server
ac IN NS 147.83.32.3
MX - mail exchangerDNS Domain → server
ac IN MX 147.83.33.10
I altres. . .HINFO, WKS, . . .
R. Serral-Gracià, et. al Networks 27
Introduction Servers Services
DNS configuration example
Zone ”cluster.craax.upc.edu“, as primary.
$ cat /etc/bind/named.confoptions {
directory "/var/cache/bind";forwarders {
147.83.159.217;};auth-nxdomain no; # conform to RFC1035listen-on-v6 { any; };
};zone "cluster.craax.upc.edu" {type master;file "/etc/bind/cluster.zone";
};
zone "1.1.10.in-addr.arpa" {type master;file "/etc/bind/cluster.rev";
};
R. Serral-Gracià, et. al Networks 28
Introduction Servers Services
DNS configuration example
$ cat /etc/bind/cluster.zone$TTL 604800@ IN SOA cluster. cluster.craax.upc.edu. (
20101220 ; Serial604800 ; Refresh86400 ; Retry
2419200 ; Expire604800 ) ; Negative Cache TTL
;@ IN NS gandalf$ORIGIN cluster.craax.upc.edu.gandalf IN A 10.1.1.1boromir-1 IN A 10.1.1.2
$ cat /etc/bind/cluster.rev$TTL 604800@ IN SOA cluster. cluster.craax.upc.edu. (
20101220 ; Serial604800 ; Refresh86400 ; Retry
2419200 ; Expire604800 ) ; Negative Cache TTL
;@ IN NS gandalf$ORIGIN cluster.craax.upc.edu.1 IN PTR gandalf.cluster.craax.upc.edu.2 IN PTR boromir-1.cluster.craax.upc.edu.
R. Serral-Gracià, et. al Networks 29
Introduction Servers Services
Exercise
We have 3 services at (server1, server2 i server3)with these registersserver1 IN A 123.123.123.1server2 IN A 123.123.123.2server3 IN A 123.123.123.3
We want to add the following serviceswww at server1 (server2 is the backup server)ftp at server1 and server2incoming/outgoing mail at server3
Which registries would you add?
R. Serral-Gracià, et. al Networks 30
Introduction Servers Services
DNS Related tools
whois domainProvides contact information for a domain
dig [@server] queryPerforms a DNS queryIt allows controlling different resources
Server, type of register, iterative/recursive resolution, . . .Returns the registers corresponding to the query
It supports debugging
R. Serral-Gracià, et. al Networks 31
Introduction Servers Services
Dynamic Host Configuration Protocol (DHCP)
It delivers automatically the network configuraiton to a hostIP assignation, Gateway and DNS
Machine trustfulness is not verifiedBy default it is assumed that if the host can reachconnectivity then it is legitimateIt can provide MAC address verification
IP addresses are assigned from a predefined range
R. Serral-Gracià, et. al Networks 32
Introduction Servers Services
Dynamic Host Configuration Protocol (DHCP)
Remote boot support through BOOTP and PXE
Preboot Execution Environment (PXE)Network card uses BIOS to get network informationIt allows to decide the kernel image to boot
Downloaded through TFTPA remote root system can be mounted
R. Serral-Gracià, et. al Networks 33
Introduction Servers Services
Dynamic Host Configuration Protocol (DHCP)
For /etc/resolv.conf
For PXE
For ifconfig
For route
ddns-update-style none;option domain-name-servers 192.168.1.1;
allow booting;allow bootp;default-lease-time 600;max-lease-time 7200;authoritative;
subnet 192.168.1.0 netmask 255.255.255.0 {range dynamic-bootp 192.168.1.172 192.168.1.254;range 192.168.1.2 192.168.1.171;filename "pxelinux.0";
option subnet-mask 255.255.255.0;option broadcast-address 192.168.1.255;option routers 192.168.1.1;
}
R. Serral-Gracià, et. al Networks 34
Introduction Servers Services
Dynamic Host Configuration (DHCP)
DHCP and DNS can work together
dhcpd named
update zone "cluster.craax.upc.edu"
update zone "1.1.10.in-addr.arpa"
/etc/dhcpd/dhcpd.conf
ddns-update-style interim;key DHCP_UPDATER {
algorithm HMAC-MD5.SIG-ALG.REG.INT;secret pRP5FapFoJ95JEL06sv4PQ==;
};zone ac.upc.edu. {
primary 192.168.1.1;key DHCP_UPDATER;
}
/etc/bind/named.conf
key DHCP_UPDATER {algorithm HMAC-MD5.SIG-ALG.REG.INT;secret pRP5FapFoJ95JEL06sv4PQ==;
};zone ac.upc.edu. {
type master;file "ac.zone";allow-update { key DHCP_UPDATER; };
};...
R. Serral-Gracià, et. al Networks 35
Introduction Servers Services
Exercise
In group
Which potential problem can be caused by a DHCP servercrash?Propose an implementation to solve it
R. Serral-Gracià, et. al Networks 36
Introduction Servers Services
Hypertext Transfer Protocol (HTTP)
Data transfer serviceConnectionless
There is no state between connectionsEach petition is self-contained
Nevertheless it uses TCP
Client httpd
connect/accept
GET /path/to/file
transfer file contents
R. Serral-Gracià, et. al Networks 37
Introduction Servers Services
Apache Web Server
Implements support for HTTP/etc/apache/httpd.conf
Main features
Unprivileged user executionQueries are served using memory separatedprocesses/threads
Memory sharing configurable by the administratorMaximum concurrent processes limit
Configuration options in a per directory basisVirtual Host configuration
By IP addressBy DNS name
R. Serral-Gracià, et. al Networks 38
Introduction Servers Services
File Transfer Protocol (FTP)
Data transfer serviceConnection orientedControl connection
There is state between connections: cwdData connection
active: does not support NATpassive: NAT is supportedThere is a new data connection per transfer
Client ftpd
Comanda
ok/error
data connection
21
21
20
R. Serral-Gracià, et. al Networks 39
Introduction Servers Services
FTP Configuration
There are many server implementationswu-ftpd, proftpd, vsftpd, . . .
User level based authorization: /etc/ftpusersList of the users that CAN’T access FTP
Use chroot for security in Aonymous FTPChanges the root of the processExtra configurationRequires install basic commands and configuration files
/etc/passwd, /etc/shadow/bin/ls, /lib/libc.so, . . .
Use it even for regular users
R. Serral-Gracià, et. al Networks 40
Introduction Servers Services
Simple Mail Transfer Protocol (SMTP)
Parts composing the mail system
MUA - Mail User AgentUser application to read/write e-mails
MSA - Mail Submission AgentApplication to transmit the mail from the client to the MTAIt make all previous error checking
MTA - Mail Transport AgentIt sends the e-mail between servers
Delivery AgentApplication to store mails into the user’s mailboxSometimes the mails are stored into a database
Access AgentApplication allowing the user to access its e-mail
R. Serral-Gracià, et. al Networks 41
Introduction Servers Services
Mail system components
Client de mailComplet
MUA
Client de mailSimple
MUA
Servidor de Mail(SSMTP)
MSA
Servidor de Mail(SMTP)
MTA
Servidor de Mail(SMTP)
MTA
Client de MailSimple
MUA
mbox
MailClassification
DA
MailStorage
DA
Client de mailComplet
AA/MUA
SSMTP
SMTP
SMTP
SMTP
POP3/IMAP
R. Serral-Gracià, et. al Networks 42
Introduction Servers Services
Internals of an e-mail
EnvelopeMessage destinationSourceNot received by the clients – only for servers
HeadersSet of message properties
Sending dateSource and destination (shown by the e-mail clients)List of servers the message has crossed
Message bodyUses 7 bits ASCIIAttachments use Base-64
R. Serral-Gracià, et. al Networks 43
Introduction Servers Services
Mail client configuration
Mail reception
Access to local mailboxMailbox/maildir format interpreter
Remote mailbox accessPOP3IMAP
Mail sending
Using an SMTP server
R. Serral-Gracià, et. al Networks 44
Introduction Servers Services
E-Mail server configuration
Mail sending – sendmail/postfix
Sending direct to the destinationSearch for MX record in DNS – local destination
Sending through a RelayNo direct access to the destination
Mail reception
Store the mails locallyPOP3, DIMAP
Store the mails in the remote serverIMAP
R. Serral-Gracià, et. al Networks 45
Introduction Servers Services
E-Mail server configuration
Mail aliases
Redirect mail to other usersIn a remote machine
Users with multiple namesroot, postmaster, webmaster → usuari@host
Send a mail to a file instead of a userspam: /dev/null
Send the e-mail to a programautoftp: ”| /usr/bin/ftpserver“
Mailing list definitionIs better to use: Majordomo, Mailman, ListProc, SmartList,. . .
Aliases defined in /etc/aliases or /etc/mail/aliases
R. Serral-Gracià, et. al Networks 46
Introduction Servers Services
Security considerations
User authentication
By default the server does not ask for credentialsSASL can be used
Envelope can be forged — SPAM . . .
Trust mail relaysThe server always tries to send the messageEven if the headers do not belong to the domain (OpenRelays)
R. Serral-Gracià, et. al Networks 47
Introduction Servers Services
Security considerations
Mail privacy
Mail is sent in plain textUse of TLS (SSL) only between MUA and MTA
PGP - Pretty Good PrivacyMessage cyphering and signingBased in public key cryptography
S/MIME
Filter installation
Anti-spamSpamassasin, gray lists, black lists, . . .
Anti-virusClam AV, Amavis, f-prot,. . .
R. Serral-Gracià, et. al Networks 48
Introduction Servers Services
Exercise – In group
We just set up a filter to control spam
Which action would you take as a server when you detecta spam message?And if the filter is an anti-virus?
R. Serral-Gracià, et. al Networks 49
Introduction Servers Services
E-mail reception
Post Office Protocol (POP)
It allows users to access their mailboxIt downloads the messages to the local machineAuthentication without encryption
pop3s secure alternative using SSL
Internet Message Access (IMAP)
It allows users to manage their mailboxManagement is performed remotelyUser authentication
Allowing encryption
imaps even more secure alternative using SSL
R. Serral-Gracià, et. al Networks 50
Introduction Servers Services
Secure Shell
It substitutes rsh/rlogin and telnetAdding security
It performs authentication based on RSA, DSA, ECDSASession key is signed by the client’s private keyThe server uses the public key as stored in(.ssh/authorized_keys) to check if the signature iscorrectpassword based authentication is also supported
Connection is fully encryptedConfidentiality: 3DES, Blowfish, . . .Integrity: hmac-md5, . . .
The server runs the specified command or offer a shellTransparent session
Whenever a pseudo-terminal is not requestedIt can be used to transfer binary files
login SessionX11 Protocol forwarding can be configured
R. Serral-Gracià, et. al Networks 51
Introduction Servers Services
Exercise – In group
Secure Shell actions
How would you implement secure copy and secure FTPdirectly with ssh?
R. Serral-Gracià, et. al Networks 52
Introduction Servers Services
Network File System (NFS)
File access in a remote serverKeeping the semantics (privilege wise) of the localfilesystem
It is transparent to the userImplemented using RPC’s
OS
NFS Client
...open/closeread/write...
OS
NFS ServerNFS Protocol
shared disk
R. Serral-Gracià, et. al Networks 53
Introduction Servers Services
Remote mounting for NFS
The mounted directory is presented as local
OS
NFS Client
OS
NFS Server
shared disklocal disk
/
/usr
/home
/home
R. Serral-Gracià, et. al Networks 54
Introduction Servers Services
Access privileges
UIDs in the remote machines must be the same as used inlocal
Filesystems store UID rather than usernamesThis can be adapted by using idmapd
UID automatic translation (idmapd)root, nobody
Optionsno_root_squash, root can su to any user!all_squash, all users become nobodyWe can decide who nobody is
anonuid=UID,anongid=GID
R. Serral-Gracià, et. al Networks 55
Introduction Servers Services
NFS Configuration
Determine which resources to exportHosts to export toConfiguration flags
/etc/exports
/ master(rw) trusty(rw,no_root_squash)/projects proj*.local.domain(rw)/usr *.local.domain(ro) @trustedgroup(rw)/home/joe pc001(rw,all_squash,anonuid=150,anongid=100)/pub (ro,insecure,all_squash)
R. Serral-Gracià, et. al Networks 56
Introduction Servers Services
SMB — Samba
It allows sharing files and printersUser level access control
Authentication using login and passwordBased on username not UIDEncripted and plaintext password transmission
Machine based access restrictionIt does not allow to change permissions depending on thesourceOne must use different share names
R. Serral-Gracià, et. al Networks 57
Introduction Servers Services
Lightweight Directory Access Protocol (LDAP)
It provides access to users databaseDirectory format (X.500)
It offers user authentication methods/etc/passwd, /etc/shadow, /etc/group, . . .. . . they can be dumped to the LDAP database
Besides regular files, login can also be controlled throughthe database
R. Serral-Gracià, et. al Networks 58
Introduction Servers Services
Virtual Private Networks (VPN)
Server and client negotiate a secure connectionAn internal IP is offered through a secure tunnel
It grants access to all the internal services
192.168.1.31Internet 88.40.135.97 (wlan0)VPN 192.168.1.200 (tun0)
192.168.1.30
192.168.1.32
192.168.1.33
CtrlFn
Alt
Alt Gr
Ctrl
Shift
ZX
CV
BN
M,
./
AS
DF
GH
JK
L;
'
QW
ER
TY
UI
OP
[]
12
34
56
78
90
-=
!@
#$
%^
&*
()
_+
45
6*
{}
78
9/
12
3_
0
\
|
:"
<>
?
.+
`~Esc F1
F2F3
F14F5
F6F7
F8F9
F10F11
F12
Caps LockTab
NumLkScr Lk SysRqPrtSc BreakPause Ins
Del
Backspace
Enter
Shift
Home
Pg Up
Pg Dn
End
$
€
WebCAM
Internet 147.83.159.97 (eth0)VPN 192.168.1.1 (tun0)
R. Serral-Gracià, et. al Networks 59