Another source of concern should be programs that enable login or command execution with limited authentication. The rlogin, rsh, and rexec commands are all very useful, but offer very limited authentication of the calling party. Authentication is based on trust of the calling host name obtained from a name server (we'll talk about these later), which can be faked. Today it should be standard practice to disable the r commands completely and replace them with the ssh suite of tools. The ssh tools use a much more reliable authentication method and provide other services, such as encryption and compression, as well.

You can never rule out the possibility that your precautions might fail, regardless of how careful you have been. You should therefore make sure you detect intruders early. Checking the system log files is a good starting point, but the intruder is probably clever enough to anticipate this action and will delete any obvious traces he or she left. However, there are tools like tripwire, written by Gene Kim and Gene Spafford, that allow you to check vital system files to see if their contents or permissions have been changed. tripwire computes various strong checksums over these files and stores them in a database. During subsequent runs, the checksums are recomputed and compared to the stored ones to detect any modifications.

[11] There have been commercial Unix systems (that you have to pay lots of money for) that came with a setuid-root shell script, which allowed users to gain root privilege using a simple standard trick.

[12] In 1988, the RTM worm brought much of the Internet to a grinding halt, partly by exploiting a gaping hole in some programs including the sendmail program. This hole has long since been fixed.

Chapter 2 - Issues of TCP/IP Networking

In this chapter we turn to the configuration decisions you'll need to make when connecting your Linux machine to a TCP/IP network, including dealing with IP addresses, hostnames, and routing issues. This chapter gives you the background you need in order to understand what your setup requires, while the next chapters cover the tools you will use.

To learn more about TCP/IP and the reasons behind it, refer to the three-volume set Internetworking with TCP/IP, by Douglas R. Comer (Prentice Hall). For a more detailed guide to managing a TCP/IP network, see TCP/IP Network Administration by Craig Hunt (O'Reilly).

Networking Interfaces

To hide the diversity of equipment that may be used in a networking environment, TCP/IP defines an abstract interface through which the hardware is accessed. This interface offers a set of operations that is the same for all types of hardware and basically deals with sending and receiving packets.

For each peripheral networking device, a corresponding interface has to be present in the kernel. For example, Ethernet interfaces in Linux are called by such names as eth0 and eth1; PPP (discussed in Chapter 8, The Point-to-Point Protocol) interfaces are named ppp0 and ppp1; and FDDI interfaces are given names like fddi0 and fddi1. These interface names are used for configuration purposes when you want to specify a particular physical device in a configuration command, and they have no meaning beyond this use.

Before being used by TCP/IP networking, an interface must be assigned an IP address that serves as its identification when communicating with the rest of the world. This address is different from the interface name mentioned previously; if you compare an interface to a door, the address is like the nameplate pinned on it.

Other device parameters may be set, like the maximum size of datagrams that can be processed by a particular piece of hardware, which is referred to as Maximum Transfer Unit (MTU). Other attributes will be introduced later. Fortunately, most attributes have sensible defaults.

IP Addresses

As mentioned in Chapter 1, Introduction to Networking, the IP networking protocol understands addresses as 32-bit numbers. Each machine must be assigned a number unique to the networking environment.[13] If you are running a local network that does not have TCP/IP traffic with other networks, you may assign these numbers according to your personal preferences. There are some IP address ranges that have been reserved for such private networks. These ranges are listed in Table 2.1.
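The checksum-database approach that the security section above attributes to tripwire (compute strong checksums over vital files, store them, recompute and compare on later runs) can be shown in a few dozen lines. The following is an added example written for this page; it is not tripwire's code and not part of the original book. It records two independent digests plus the permission bits and ownership of each file, and the verify pass classifies what changed. The temporary directory, the sample file names and contents, and the choice of SHA-256 and BLAKE2b are all constructed for the demonstration and are not what tripwire uses.

```python
"""Minimal tripwire-style file integrity checker (added example, not tripwire's code).

Baseline: record strong checksums plus permission bits and ownership for each
monitored file.  Verify: recompute everything and report what changed.
The baseline database must be kept where an intruder cannot rewrite it
(read-only media, or a copy off the host); an attacker with root who can
edit both the file and the database defeats the check.
"""
import hashlib
import json
import os
import stat
import tempfile

CHUNK = 1 << 16


def fingerprint(path):
    """Attributes guarded for one path: file type, permission bits, owner,
    size, and (for regular files) two independent digests, so a collision
    against one hash algorithm alone is not enough to hide a change.
    lstat() is used so a symlink swapped in for a regular file shows up as a
    type change instead of being followed and hashed."""
    st = os.lstat(path)
    entry = {
        "type": stat.S_IFMT(st.st_mode),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        sha = hashlib.sha256()
        b2 = hashlib.blake2b()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                sha.update(chunk)
                b2.update(chunk)
        entry["sha256"] = sha.hexdigest()
        entry["blake2b"] = b2.hexdigest()
    return entry


def build_baseline(paths):
    """The database: path -> fingerprint, for every path that currently exists."""
    return {p: fingerprint(p) for p in paths if os.path.lexists(p)}


def save_baseline(db, dest):
    with open(dest, "w") as fh:
        json.dump(db, fh, indent=1, sort_keys=True)


def load_baseline(src):
    with open(src) as fh:
        return json.load(fh)


def verify(db):
    """Recompute every baseline entry and classify the differences."""
    report = {"missing": [], "type": [], "content": [], "permissions": [], "ownership": []}
    for path, old in sorted(db.items()):
        if not os.path.lexists(path):
            report["missing"].append(path)
            continue
        new = fingerprint(path)
        if new["type"] != old["type"]:
            report["type"].append(path)
            continue
        if new.get("sha256") != old.get("sha256") or new.get("blake2b") != old.get("blake2b"):
            report["content"].append(path)
        if new["mode"] != old["mode"]:
            report["permissions"].append(path)
        if (new["uid"], new["gid"]) != (old["uid"], old["gid"]):
            report["ownership"].append(path)
    return report


def demo():
    """Constructed scenario: three sample files in a temp dir, a baseline,
    then one content change, one permission change and one deletion."""
    root = tempfile.mkdtemp(prefix="fic-")
    files = {}
    for name, content, mode in (("passwd", b"root:x:0:0:root:/root:/bin/sh\n", 0o644),
                                ("sshd_config", b"PermitRootLogin no\n", 0o600),
                                ("hosts.equiv", b"localhost\n", 0o644)):
        p = os.path.join(root, name)
        with open(p, "wb") as fh:
            fh.write(content)
        os.chmod(p, mode)
        files[name] = p
    dbfile = os.path.join(root, "baseline.json")
    save_baseline(build_baseline(files.values()), dbfile)

    # Simulated tampering after the baseline was taken.
    with open(files["passwd"], "ab") as fh:
        fh.write(b"# appended line\n")      # content (and size) changes
    os.chmod(files["sshd_config"], 0o644)   # permissions loosened
    os.remove(files["hosts.equiv"])         # file deleted

    report = verify(load_baseline(dbfile))
    return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline is taken once on a known-clean system, the verify pass is run from cron or by hand, and a non-empty report is the trigger to investigate. Keeping two digests is cheap insurance against weaknesses in any single hash function; keeping the mode and owner catches the "contents unchanged, but now world-writable or setuid" class of change that a content-only check misses.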