Date post: 19-Jan-2016
ITI-481 – UNIX ADMIN Chris Uriarte, Instructor ITI-481: Unix Administration Meeting 6 Christopher Uriarte Rutgers University Center for Applied Computer Technology
Page 1: ITI-481 – UNIX ADMIN Chris Uriarte, Instructor ITI-481: Unix Administration Meeting 6 Christopher Uriarte Rutgers University Center for Applied Computer.

ITI-481 – UNIX ADMIN Chris Uriarte, Instructor

ITI-481: Unix Administration

Meeting 6

Christopher Uriarte

Rutgers University Center for Applied Computer Technology

Page 2:

Today’s Agenda

• Network File System (NFS)

• An introduction to backup

• Security Overview

• Final Project overview

• Open issues?

Page 3:

Network File System (NFS)

• NFS allows access to file systems on remote file servers.

• Remote file systems can be mounted to provide services comparable to local file systems.

• Uses TCP/IP over the Internet or a local network.

• Uses the client/server model.

• Allows organizations to create a central repository of information that can be shared among many users on many different systems.

Page 4:

The NFS Server

• Started through the rc script: /etc/rc.d/init.d/nfs
  Must be started after: /etc/rc.d/init.d/portmap

• Uses these RPC daemons in /usr/sbin:
  – rpc.nfsd – main component of the NFS system
  – rpc.mountd – handles mount requests
  – rpc.rquotad – allows for quota enforcement via NFS
  – All of which are started in the nfs rc script when the system starts

• /etc/exports – the main server configuration file

• The above utilities are part of the knfsd .rpm package on Linux.

Page 5:

/etc/exports

• Contains information about the directory paths and partitions that are sharable and the hosts they can be shared with.
  – i.e. “Any host from .rutgers.edu can access the /home/documents directory on my server”

• Entry format:
  /dir/to/export client1(permissions) client2(permissions)
  (no space between a host and its parenthesised options: with a space, the options apply to every host instead of to that client)
  Sample entry:
  /tmp iti.rutgers.edu(rw) 185.14.237.4(ro)

• Need to run exportfs to inform the NFS server process about changes in /etc/exports:
  > /usr/sbin/exportfs -a (exports all entries)
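The entry format above is easy to get subtly wrong, so here is an added example (not part of the lecture slides) that parses /etc/exports entries in that format and flags the things a server administrator should review before running exportfs -a: options detached from their host by a stray space, exports open to every host or to a wildcard pattern with write access, and no_root_squash. The exports text, hosts and paths are a constructed sample.

```python
"""Audit /etc/exports entries before running exportfs -a.

Added example for this lecture, not from the slides. Parses the entry
format /dir client1(options) client2(options) and reports hazards. The
exports text below is constructed; its hosts and paths are placeholders.
"""
import re

# Constructed sample: the slide's entry plus three risky ones.
SAMPLE_EXPORTS = """\
# department documents, read-only for the campus
/home/documents *.rutgers.edu(ro)
/tmp iti.rutgers.edu(rw) 185.14.237.4(ro)
# a space before "(rw)" detaches the options from the host
/srv/build buildhost.rutgers.edu (rw)
/export/all *(rw,no_root_squash)
"""

FIELD = re.compile(r"([^()]*)(?:\((.*)\))?")
WORLD = ("", "*")   # exportfs treats a missing client the same as "*"


def parse_exports(text):
    """Return [(path, [(client, [option, ...]), ...]), ...]; comments and blank lines skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        clients = []
        for field in fields[1:]:
            match = FIELD.fullmatch(field)
            if match is None:
                raise ValueError(f"malformed client field: {field!r}")
            client, opts = match.group(1), match.group(2)
            clients.append((client, opts.split(",") if opts else []))
        entries.append((fields[0], clients))
    return entries


def audit_exports(text):
    """Return (path, client, finding) triples for every hazard in the exports text."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            wildcard = any(ch in client for ch in "*?")
            if client == "":
                # "host (rw)" instead of "host(rw)": the options now apply to everyone
                findings.append((path, client, "options-without-host"))
            if client in WORLD or wildcard:
                scope = "world" if client in WORLD else "wildcard"
                if "rw" in opts:
                    findings.append((path, client, f"rw-to-{scope}"))
                elif client in WORLD:
                    findings.append((path, client, "ro-to-world"))
            if "no_root_squash" in opts:
                # remote root keeps uid 0 on the exported tree
                findings.append((path, client, "no_root_squash"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:16} {client or '(everyone)':24} {finding}")
```

Run it against a copy of the real file with `audit_exports(open("/etc/exports").read())`; an empty result means none of the four checks fired, not that the file is correct in every other respect.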

Page 6:

The NFS Client

• Requires the knfsd-clients .rpm package on Linux.

• Necessary services started from: /etc/rc.d/init.d/nfslock

• RPC daemons in /sbin handle file locking between client and server:
  – rpc.lockd
  – rpc.statd
  – All are started from the nfslock rc script automatically

• Allows clients to mount remote file systems either using the mount command or by placing an entry in the /etc/fstab file.

Page 7:

A Review: Mounting and Unmounting File Systems

• File systems are mounted with the mount command:
  mount [options] device directory
  For example:
  mount -o rw -t ext2 /dev/hda10 /tmp
  will mount the /dev/hda10 partition onto the /tmp mount point

• File systems are unmounted with the umount command:
  umount [-f] directory
  For example:
  umount /tmp

• File systems should only be unmounted when they are not in use.

Page 8:

Mounting Remote File Systems from the Client

• Just like mounting disk partitions, you can use the mount command to mount remote file systems with the format:
  mount HOSTNAME_or_IP:/remote/path /local_mount_point
  i.e.
  mount iti.rutgers.edu:/home/shared /mnt/itishare
  mount 128.6.4.125:/var/share /mnt/remoteshare

• Just like mounting disk partitions, the local mount point must be an empty directory on the system.

• Frequently used mounts can be added to /etc/fstab, similar to partitions that are mounted during boot time, e.g.:
  trainee101.rutgers.edu:/tmp /foo nfs rw 0 0

Page 9:

Exercise: Access an NFS Share

• Given a hostname and shared path by the instructor, use your workstation as an NFS client to access the shared file path.

• What is the name of the only file in the remote directory you have mounted?

• What is the text of the file in the directory?

• What might be a possible entry in the /etc/exports file on the server you just accessed?

Page 10:

NFS Recap

• NFS is a client-server protocol that allows client computers to access file system resources on a server.

• The server computer requires shared file systems to be specified in /etc/exports.

• The client computer can access shared file system resources by using the mount command or by placing an NFS share entry in /etc/fstab.

Page 11:

BACKUP: Why should we backup our UNIX systems?

• To restore data loss caused by disk corruption, security incidents, accidental file deletion, etc.

• No matter how expensive or redundant your hardware is, the possibility of data corruption ALWAYS exists.

Page 12:

What should we back up on UNIX systems?

• Critical system and configuration files, especially files under the /etc directory.

• User data, usually under /home.

• Possibly all data on the system, e.g. a full system backup.

• The answer to this question will vary from organization to organization depending on the business needs.

Page 13:

How often should data be backed up?

• Backup frequency depends on how dynamic your system is:
  – If the files on your system do not change too much on a daily basis, then weekly backups may be sufficient.
  – Systems with a lot of users and dynamic content may require nightly backups.

Page 14:

Classes of Backups

• There are two general classes of backups:
  – Full System Backup: Every file on the system is backed up. Requires the most time for the backup to complete and more backup media resources (e.g. more tape, disk drives, etc.)
  – Incremental backup: Only files that have been modified since the last backup are backed up. Requires less time and backup media than full system backups.

Page 15:

Backup Media

• Disk-to-Disk Backups – when you back up your files to another hard drive on your system. Easy to restore in the case of failure, but expensive for many systems.

• Network backup – backing up system files to another server, possibly via NFS. Easy to implement, but may take much time.

• Backup to Removable Media – usually some type of backup tape. DAT and DLT tape formats are very popular today. (Most popular for enterprise-class backups)

Page 16:

Backup Tape Drives

• Tape drives are associated with the type of backup media they use, i.e. a DLT drive or a DAT drive.

• Usually perform data compression, which allows for a greater amount of information to be stored on a single tape.

• Capacities vary today from 20GB to over 400GB per tape.

Page 17:

Native UNIX Backup Utilities

• UNIX systems include 3 core utilities that allow you to back up files to tape or disk:
  – tar (very simple to use)
  – cpio (a bit more complex)
  – dump (most complex of the three)

Page 18:

Know your backup destination…

• Before you begin your backups, know your output directory or device.

• Tape drives have a specific device name, just like a hard drive:
  – /dev/ht0 – first IDE tape drive on many UNIX systems, including Linux
  – /dev/st0 – first SCSI tape drive on many UNIX systems, including Linux

Page 19:

More on Tape Drive Device Names

• Solaris also uses device names for tape drives, but they are different:
  – /dev/rmt/0 is the standard name for a tape device
  – You can add an additional “compression identifier” to the device name to specify how the data should be compressed when written to the tape:
    • /dev/rmt/0l = low compression
    • /dev/rmt/0m = medium compression
    • /dev/rmt/0h = high compression
    • /dev/rmt/0 = no compression

Page 20:

Using the tar Utility for Backup

• tar usage:
  tar [x|c]vf [tape device name] [files or directory]

• Where:
  – x = extract from a tape
  – c = create an archive on the tape
  (just like when we tar and untar regular .tar files)

Page 21:

tar Examples – Backup to Tape

• Back up the /home partition to the IDE tape device:
  – tar -cvf /dev/ht0 /home

• Back up the entire file system to the SCSI tape device:
  – tar -cvf /dev/st0 /

• Back up the password file to the IDE tape device:
  – tar -cvf /dev/ht0 /etc/passwd

Page 22:

tar Examples – Listing Tape Contents

• List the contents of the IDE tape device:
  – tar -tf /dev/ht0
  Will print out a list of the files on the tape:
  /etc/acct
  /etc/aliases
  /etc/asppp.cf
  /etc/auto_home
  /etc/auto_master
  /etc/Autopush
  etc…
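The two backup classes from page 14, the tar create/list commands from pages 20 to 22 and the two-cycle retention rule from page 24 fit together into one procedure; the following is an added example (not from the slides) that runs it end to end. It uses Python's tarfile module rather than the tar command so that it runs anywhere, but the archive path could equally be a tape device such as /dev/st0. The /home-like source tree, the archive names and the cycleNN-full.tar / cycleNN-incr.tar naming scheme are constructed for the demonstration.

```python
"""Full and incremental tar backups with listing verification and retention.

Added example for this lecture, not from the slides. tarfile stands in for
the tar command; the sample tree and archive naming scheme are constructed.
"""
import os
import tarfile
import tempfile
import time
from pathlib import Path


def _arcname(src, path):
    """Member name of `path` inside an archive rooted at the basename of src."""
    return os.path.join(Path(src).name, Path(path).relative_to(src).as_posix())


def full_backup(src, archive):
    """Full class: every file under src, like tar -cvf DEVICE DIR. Returns the member list."""
    with tarfile.open(os.fspath(archive), "w") as tar:
        tar.add(os.fspath(src), arcname=Path(src).name)
    return list_archive(archive)


def incremental_backup(src, archive, since):
    """Incremental class: only regular files modified after the timestamp `since`."""
    names = []
    with tarfile.open(os.fspath(archive), "w") as tar:
        for path in sorted(Path(src).rglob("*")):
            if path.is_file() and path.stat().st_mtime > since:
                names.append(_arcname(src, path))
                tar.add(os.fspath(path), arcname=names[-1])
    return names


def list_archive(archive):
    """Like tar -tf DEVICE: the regular-file member names on the medium, sorted."""
    with tarfile.open(os.fspath(archive), "r") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def verify_backup(src, archive):
    """Names of files now on disk that are absent from the archive or differ in size."""
    with tarfile.open(os.fspath(archive), "r") as tar:
        sizes = {m.name: m.size for m in tar.getmembers() if m.isfile()}
    return [_arcname(src, p) for p in sorted(Path(src).rglob("*"))
            if p.is_file() and sizes.get(_arcname(src, p)) != p.stat().st_size]


def prune_backups(backup_dir, keep_cycles):
    """Retention: keep the newest `keep_cycles` cycles (page 24 says at least 2).
    A cycle is a full backup plus the incrementals that depend on it, so whole
    cycles are removed; deleting a full on its own would orphan its incrementals."""
    archives = sorted(Path(backup_dir).glob("cycle*.tar"))
    cycles = sorted({p.name.split("-")[0] for p in archives})
    expired = set(cycles[:-keep_cycles]) if keep_cycles > 0 else set(cycles)
    removed = [p.name for p in archives if p.name.split("-")[0] in expired]
    for name in removed:
        Path(backup_dir, name).unlink()
    return removed


def demo():
    """Run the procedure on a constructed /home-like tree and return the results."""
    with tempfile.TemporaryDirectory() as work:
        src, media = Path(work, "home"), Path(work, "tapes")
        media.mkdir()
        base = time.time() - 3600          # pretend the files are an hour old
        for user, text in (("alice", "first draft\n"), ("bob", "buy tapes\n")):
            (src / user).mkdir(parents=True)
            (src / user / "notes.txt").write_text(text)
            os.utime(src / user / "notes.txt", (base, base))
        full = full_backup(src, media / "cycle01-full.tar")
        # alice edits her file after the full backup was taken
        changed = src / "alice" / "notes.txt"
        changed.write_text("second, longer draft\n")
        os.utime(changed, (base + 1800, base + 1800))
        incr = incremental_backup(src, media / "cycle01-incr.tar", since=base + 60)
        stale = verify_backup(src, media / "cycle01-full.tar")
        full_backup(src, media / "cycle02-full.tar")
        full_backup(src, media / "cycle03-full.tar")
        removed = prune_backups(media, keep_cycles=2)
        return {"full": full, "incremental": incr, "stale_in_full": stale,
                "removed": removed,
                "remaining": sorted(p.name for p in media.iterdir())}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

verify_backup is the step the slides leave implicit: after tar -cvf, the tape should be listed (tar -tf) and checked against what is on disk, and a full archive that is already stale tells you which files the next incremental must carry.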

Page 23:

Other UNIX Backup Utilities

• cpio – has the ability to detect I/O errors during backup that tar cannot detect. Also has the ability to do things like specify wildcard patterns during restore.

• dump – very fast, detects I/O errors, allows you to perform incremental backups.

• A comprehensive guide to using these utilities is available at http://www.backupcentral.com/native-backup-utils.html.

• A comparison of backup technologies is available at http://www.cju.com/classes/unix/backupcomparison.html.

Page 24:

Other Issues: Backup Retention

• Backups should be retained for at least 2 previous backup cycles (may vary based on your environment).
  – For example, if you perform a full system backup once a week, you should retain at least the last 2 weeks of backups.

• Removable media backups should be retained off-site. All local backups should be retained in a fire-proof safe.

Page 25:

Backup Resources

• Backup Central – http://www.backupcentral.com

• Book: UNIX Backup and Recovery (W. Curtis Preston, 1999; O’Reilly and Associates)

Page 26:

UNIX Security: An Introduction

• Many of UNIX’s core features inherently make UNIX an architecture with many possible security risks.
  - Multiple users log into a single system and share resources
  - UNIX machines are usually networked
  - Distributions include many pieces of third-party software.

Page 27:

Securing Your UNIX Machine…

• Requires that you use common sense on technical and non-technical levels.

• Learning about system security is a great way to learn the ins-and-outs of your UNIX system.

Page 28:

Before you examine the technical details…

There are 5 important areas that you need to examine first:

Page 29:

1. Know Your “Threat Model” (Lasser, 1999)

• Catalog the resources on your system that are at risk:
  – Is there a risk if the system is unavailable?
  – Is there a risk if certain data is stolen (i.e. data in a database, private web pages or email messages)?
  – Examine the possible operational and legal ramifications if data is stolen or a system is hacked.

Page 30:

Know Your “Threat Model” continued…

• Who are you afraid of?
  – “Hackers” (Opportunistic attacks)
  – Competitors (Targeted attacks)
  – Employees (Internal attacks)

• What can they touch?
  – Infrastructure
  – Internal Services
  – Software, etc.

Page 31:

2. Develop a Security Policy

• Define authorized/unauthorized access – based on your threat model.

• Grant access on a “need to know” basis

• Define an auditing procedure – how will you know if your policy is being violated?

Page 32:

3. Dedicate Resources to Security

• Security takes resources
  – People and time
  – Training
  – Possible Equipment and Tools

• You must make a real effort to care about the security of your system, including security-related tasks in your daily admin routines (remember, “out-of-sight = out-of-mind”)

Page 33:

4. Monitor Industry Security News and Activity

• Subscribe to security mailing lists:
  – CERT Mailing List (http://www.cert.org)
  – Security mailing list for your UNIX distribution (RedHat, Mandrake, Sun, etc.)
  – Bugtraq Mailing List (http://www.securityfocus.com)

• Monitor Security Websites
  – SecurityFocus (http://www.securityfocus.com)
  – UNIX distribution security sites (RedHat, Sun, etc.)

Page 34:

After you have the policy and procedure-related things worked out…

You must make a technical effort to secure your system.

Page 35:

5. Keep Current Backups

• Keep current backups of all your important files
  – Use them to restore lost files in the case of a “hack”
  – Use them for file comparison (/etc/passwd, /etc/shadow, /bin/login, etc.)
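The file comparison suggested above is the core of a simple integrity check, and the following is an added example (not from the slides) of how to carry it out: record a baseline of SHA-256 digests and permission bits for the critical files, taken from a known-good system or a backup copy, and compare the live files against it as part of the daily admin routine. The /etc/passwd, /etc/shadow, /etc/group and /bin/login used here are constructed stand-ins in a temporary directory, not the real system files.

```python
"""Compare critical files with a trusted baseline of digests and modes.

Added example for this lecture, not from the slides. The files are
constructed stand-ins for /etc/passwd, /etc/shadow, /etc/group, /bin/login.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """SHA-256 of the content plus the permission bits: a chmod is a change too."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(os.stat(path).st_mode)}


def build_baseline(paths):
    """Record a fingerprint per path; take it from a known-good system or a backup."""
    return {os.fspath(p): fingerprint(p) for p in paths}


def compare_with_baseline(baseline):
    """Sort each baseline path into unchanged / content / mode / missing."""
    report = {"unchanged": [], "content": [], "mode": [], "missing": []}
    for path, expected in sorted(baseline.items()):
        if not os.path.exists(path):
            report["missing"].append(path)
            continue
        current = fingerprint(path)
        if current["sha256"] != expected["sha256"]:
            report["content"].append(path)
        if current["mode"] != expected["mode"]:
            report["mode"].append(path)
        if current == expected:
            report["unchanged"].append(path)
    return report


def demo():
    """Baseline constructed stand-ins, make three changes, and return the report by file name."""
    with tempfile.TemporaryDirectory() as work:
        etc, bindir = Path(work, "etc"), Path(work, "bin")
        etc.mkdir()
        bindir.mkdir()
        passwd, shadow = etc / "passwd", etc / "shadow"
        group, login = etc / "group", bindir / "login"
        passwd.write_text("root:x:0:0:root:/root:/bin/sh\n")
        shadow.write_text("root:!:19000:0:99999:7:::\n")
        shadow.chmod(0o600)
        group.write_text("root:x:0:\n")
        login.write_bytes(b"\x7fELF constructed stand-in, not a real binary\n")
        login.chmod(0o755)
        baseline = build_baseline([passwd, shadow, group, login])
        # three changes the daily comparison must surface
        with passwd.open("a") as fh:
            fh.write("toor:x:0:0::/:/bin/sh\n")   # a second uid-0 entry appended
        shadow.chmod(0o644)                        # shadow made world-readable
        login.unlink()                             # the login binary is gone
        report = compare_with_baseline(baseline)
        return {key: [Path(p).name for p in paths] for key, paths in report.items()}


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key:9} {names}")
```

Keep the baseline itself somewhere the machine being checked cannot rewrite (read-only media, or the off-site backup the retention slide calls for); a baseline stored on the same disk is only as trustworthy as the files it is supposed to vouch for.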

Page 36:

6. Keep Your System Up-to-Date

• Apply patches recommended by your distribution vendor (check their website)

• Don’t be the first on the block to install a new major OS release – wait a couple of months or until next minor release

• Don’t let your UNIX release fall 2 or more versions behind the vendor’s current release

Page 37:

7. Limit Access to Resources

• Limit who gets system accounts.

• Create good user/group schemes for shared files (groupadd, chmod, chgrp, etc.)

• Limit PHYSICAL access to your machines

Page 38:

8. Avoid “Cleartext” Protocols

• Protocols such as telnet, ftp, imap and pop3 are NOT encrypted, which means network eavesdroppers can “sniff” usernames and passwords when they are transmitted.

• Only use ftp, imap and pop3 when necessary

• Install ssh and require all users to access the system with ssh instead of telnet. (see http://www.openssh.org, http://www.ssh.fi)

Page 39:

Security Resources on the Web

• Security Focus – http://www.securityfocus.com

• CERT – http://www.cert.org

• RedHat Security Errata – http://www.redhat.com/apps/support/updates.html

• Sun Security FAQs at Sun BigAdmin Site – http://www.sun.com/bigadmin/

Page 40:

More Security Resources on the Web

• Linux Security How-To: http://howto.tucows.com/LDP/HOWTO/Security-HOWTO.html

• A good overview of Linux security: http://www.cju.com/classes/unix/linuxsecurity.html

Page 41:

Section Wrap Up….

• Overview of the final project.

• Open questions/issues?

Page 42:

And finally….

• Thank you!

• And Good Luck!

Chris Uriarte


