Date post: 26-Dec-2015
scis.regis.edu ● [email protected]

CS 468: Advanced UNIX, Class 6

Dr. Jesús Borrego, Regis University

1

Topics

•IA Lab visit was scheduled for today; attempting to reschedule for next week

•Review of Homework 4
•Managing Devices
•Security
•Homework 5
•Q&A

2

New disk installation

•Attach the drive and reboot to allow the system to recognize it
  ▫sudo fdisk -l
•Partition the disk if required
  ▫cfdisk, fdisk, sfdisk, parted, gparted
•Allocate space to the partition without installing a file system
  ▫Note the device name (something like /dev/sdc1)

4

New disk installation (Cont’d)

•Prepare for use:
  $ sudo pvcreate /dev/sdc1
•Create volume group (vgname):
  $ sudo vgcreate vgname /dev/sdc1
•Create logical volume:
  $ sudo lvcreate -l 100%FREE -n volname vgname
•Create file system:
  $ sudo mkfs -t ext4 /dev/vgname/volname

5

New disk installation (Cont’d)

•Create mount point:
  $ sudo mkdir mountpoint
•Set the mount options and mount point in /etc/fstab:
  $ sudo vi /etc/fstab
•In /etc/fstab, copy the line for an existing file system and modify it for the new one
•Mount the file system:
  $ sudo mount mountpoint

6
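The new-disk procedure on the three slides above, collected into one script with a dry-run mode. This is an added example, not from the slides; the device, volume names and mount point are placeholders passed as arguments, and the script assumes it runs as root (the slides use sudo).

```shell
#!/bin/sh
# Added example (not from the slides): new-disk procedure as one script.
# Usage: DRY_RUN=1 sh newdisk.sh /dev/sdc1 vgname volname /srv/data
set -eu

run() {
    # Print every command; execute it only when DRY_RUN is unset or empty.
    printf '+ %s\n' "$*"
    [ -n "${DRY_RUN:-}" ] || "$@"
}

fstab_line() {
    # $1 = LV device path, $2 = mount point.
    # Fields: device, mountpoint, fstype, options, dump, pass.
    # nofail keeps boot from stalling if the disk is missing; pass=2 means fsck after root.
    printf '%s\t%s\text4\tdefaults,nofail\t0\t2\n' "$1" "$2"
}

newdisk() {
    dev=$1; vg=$2; lv=$3; mnt=$4
    lvdev="/dev/$vg/$lv"
    # Guard: only touch something that exists as a block device (skipped in dry run).
    if [ -z "${DRY_RUN:-}" ] && [ ! -b "$dev" ]; then
        echo "$dev is not a block device" >&2
        return 1
    fi
    run pvcreate "$dev"                       # prepare the partition as a physical volume
    run vgcreate "$vg" "$dev"                 # volume group on that PV
    run lvcreate -l 100%FREE -n "$lv" "$vg"   # one LV using all free extents
    run mkfs -t ext4 "$lvdev"                 # file system on the LV
    run mkdir -p "$mnt"
    # Append the fstab entry instead of editing by hand; mount(8) then reads it.
    line=$(fstab_line "$lvdev" "$mnt")
    if [ -n "${DRY_RUN:-}" ]; then
        printf '+ echo "%s" >> /etc/fstab\n' "$line"
    else
        printf '%s\n' "$line" >> /etc/fstab
    fi
    run mount "$mnt"
}
```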

Hard disks

8

Solid State Disks

9

Source: http://www.ibmsystemsmag.com/power/infrastructure/storage/SSD_benefits/Internal-Structure-of-an-SSD/

Solid State Array Architecture

10

Source: http://www.anandtech.com/show/2738/5

Storage Interfaces

•ATA (Advanced Technology Attachment, aka IDE, Integrated Drive Electronics): the hardware controller is built into the disk. The standard has been improved over time

•PATA (Parallel ATA): disks are connected to motherboard with 40/80 conductor cable

•SATA (Serial ATA): successor of PATA, higher transfer rate, simpler connectivity, hot swapping, optional command queuing

11

Storage Interfaces (Cont’d)

•SCSI (Small Computer System Interface): Not as popular but has a long installation base, allows for multiple disks on a bus, daisy chained

•FC (Fibre Channel): Serial interface for enterprise environments with high speed (fiber)

•USB (Universal Serial Bus) and FW (FireWire): popular for external hard disk connectivity

12

Storage Software

•Unix disk installation is more complex than Windows (plug-and-play)

•See Exhibit B on page 221 (next slide)
•Storage device: anything that looks like a disk
•Partition: fixed subsection of a disk; acts as an independent device
•RAID array: combines multiple devices into one virtualized device
•Volume/logical volume: subdivision of disks

14

Attachment

•After connecting the disk, the OS will acknowledge its existence if everything is OK

•Initial POST will detect the disk and list its characteristics
•See example on page 223 of USAH
•The new disk will have device files in /dev
•Make sure you know the correct device when you format

17

Formatting

•All hard disks are preformatted at the factory

•No need to perform a low-level format
•Formatting writes address information and timing marks on the platter
  ▫Indicates sector limits
  ▫Also indicates bad blocks

•Any bad blocks found afterwards may or may not be handled automatically

19

Partitioning

•Partitioning is the lowest level of disk management

•Partitioning divides a disk into separate areas of known size

•Traditional Partitioning: writes a “label” at the beginning of the disk to define blocks included in the partition

•The responsible device driver reads the label and uses the table to calculate the location of each partition

21

Sample Partitions

22

RAID

•RAID: Redundant Array of Inexpensive (or Independent) Disks

•Distributes/replicates data across multiple disks

•Intent is to avoid data loss and minimize downtime, increasing performance

•Software and Hardware RAID: different issues

•Different RAID levels

23

RAID Levels

•The RAID levels specify the exact details of parallelism and redundancy implemented in the array

•Levels refer to the configuration
•The higher levels do not necessarily mean faster or better
  ▫Depends on the application

24

Linear Mode

•Also known as JBOD (Just a bunch of disks)

•Not really RAID
•Concatenates the block addresses of multiple drives to create the illusion of a single, larger virtual drive

•There is no data redundancy or performance benefit

25

RAID Level 0

•Used to increase performance
•Combines two or more drives of equal size with stripes alternating between them
•Decreases write and access time
•Reliability is inferior to separate disks
•Two disks have double the failure rate of a single drive, for example

26

27

RAID Level 1

•Also known as Mirroring
•Writes are duplicated to two or more drives at the same time
•Slower writing
•Reads are similar to RAID 0
•Prevents data loss when a disk fails

28

RAID 0+1 and 1+0

•Stripes of mirrors or mirrors of stripes
•Logical concatenation of RAID 0 and RAID 1
•Attempts to obtain the performance of RAID 0 and the redundancy of RAID 1

30

RAID 5

•Stripes both data and parity information
•Adds redundancy
•Improves read performance
•More efficient use of disk space than RAID 1

32

33

RAID 6

•Similar to RAID 5 with two parity disks
•RAID 6 can withstand complete failure of two drives without losing data

34

Disk Failure Recovery

•JBOD and RAID 0 do not help with disk failure
•Data must be recovered manually from backups
•Bad disks must be replaced with new ones as soon as possible
•Once the new disk is in place, the data must be written to it
  ▫Not a very fast operation
•Can designate “hot spare” drives to allow swapping of drives when a failure occurs

35

RAID5 Drawbacks

•RAID 5 is very popular but has disadvantages
•Does not replace regular offline backups
•Just protects the system against disk failures
•Does not protect against controller failures, hackers, fires, or other hazards
•Does not have great write performance
•Prone to corruption
•“Write hole”: cannot guarantee that the data and parity blocks are updated together

36

Logical Volume Management

•Want to manage space in a partition at different times
•Groups storage devices into volume groups
•The blocks in the volume group are allocated to logical volumes, which act as disk partitions
•Logical volumes are more flexible and powerful
•Logical volumes provide many useful operations

37

Logical Volume Operations

•Move logical volumes among different physical devices
•Grow and shrink logical volumes on the fly
•Take copy-on-write “snapshots” of logical volumes
•Replace on-line drives without interrupting service
•Incorporate mirroring or striping in your logical volumes

38

File Systems

•After the partitions are set up, we need to load the file system
•UFS: Unix File System
•The file system was removed from the kernel
  ▫To abstract the implementation
•Many file systems are available
•See examples in the book (pp. 255-264)

40

Storage Area Networking

•Lower-level system for abstracting storage
•Network storage appears as local storage
•Clients must provide their own file system implementation to use a SAN
•A SAN can be used for swap areas that do not require a full-blown file system
•Not typically used to share files, but to replace hard disks with a centralized storage area

41

Operating System Security

•No OS is 100% safe
•The best we can hope for is to make our OS resistant to attack
•The architecture stresses easy manipulation of data in a networked, multiuser environment
•Applications on the OS are developed by many vendors
  ▫Can introduce security vulnerabilities

43

Security Threats

•Social Engineering
•Operating System vulnerabilities
•Application software vulnerabilities
•Configuration Errors
•Unpatched software
•Attachments in emails
•Inside threats
  ▫Disgruntled employees
  ▫Lack of security policy enforcement

44

Security Tips

•Patch software
•Detect and remove unnecessary services
•Secure hosts for remote logging
•Frequent and proper backups
•Virus and worm protection
•Trojan Horses, Rootkits
•Packet filtering
•Vigilance
•Intrusion Detection Systems

45

Pluggable Authentication Modules

•PAM provides flexible modular control over authentication tasks
•System authentication routines are stored in a shared library that can be used by applications
  ▫Accessible to programmers also
•Can integrate advances in security into a single location

46

Setuid programs

•Setuid programs are run as the user that owns the executable file

•Programs that run setuid create security issues

•Security holes have been discovered in these setuid commands

•Best practice: scan disks at normal intervals to find new setuid programs

48
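The "scan disks at normal intervals" practice from the slide above, as an added example (not from the slides): a baseline list of setuid/setgid files is taken once from a known-good state, and each later scan reports anything that was not in it. Paths are placeholders; in practice the baseline is taken after install or audit and the scan runs from cron as root over each file system.

```shell
#!/bin/sh
# Added example (not from the slides): baseline-and-diff scan for setuid/setgid files.

setuid_scan() {
    # $1 = directory tree to scan. One line per setuid or setgid regular file:
    # path, owner, octal mode. Sorted so the list can be compared with comm(1).
    # -xdev stays on one file system (skips /proc, NFS, ...); -printf is GNU find.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%p %u %m\n' 2>/dev/null | sort
}

setuid_baseline() {
    # $1 = directory tree, $2 = baseline file to (over)write from a known-good state.
    setuid_scan "$1" > "$2"
}

setuid_new() {
    # $1 = directory tree, $2 = baseline file. Prints entries present now that are not
    # in the baseline: new setuid files, or known ones whose owner or mode changed.
    # Returns 1 when something was found, so a cron job can alert on the exit status.
    new=$(setuid_scan "$1" | comm -13 "$2" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}
```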

Effective use of chroot

•The chroot command restricts a process to a specific directory
  ▫No access to other files outside this directory
•Can provide a false sense of security if not understood well
•Does not relieve administrators from exercising due diligence in security matters

49

Security Tools

•Nmap: network port scanner

50

Security Tools (Cont’d)

•Nessus: Next generation network scanner

51

Snort IDS

52

Others

•John the Ripper (JTR): Finder of insecure passwords

•Bro: programmable network intrusion detection system

•OSSEC: Host based intrusion detection system

•Wireshark: Network packet analyzer

53

MAC

•Mandatory Access Control is an alternative to Unix access control system

•MAC does not allow users to change permissions

•Permissions are granted based on sensitivity of resource being controlled

•Users can read or write items of same classification or lower, but not of higher

•Mainly used for classified projects

54

Cryptography

•Kerberos: developed by MIT, uses tickets to validate user access

•PGP: Pretty good privacy – uses encryption tools for files, signatures, and to verify origin

•SSH: secure shell; provides cryptographic authentication between two hosts

55

Firewalls

•Filters unwanted packets from leaving or entering a zone

•Scans packet header to determine if it should be allowed access

•Services listen on a predefined port
  ▫Defined in /etc/services

58

59

Service filtering

•Well-known services are associated with a port
•Ports in the range 1-1023 are “privileged” and can only be opened by root
•Ports > 1024 are non-privileged
•To start, deny inbound connections
  ▫Allow one at a time for services you want to allow

60

Stateful inspection firewalls

•Inspects traffic flowing through the firewall and compares it with what should be transmitted

•If you open an ftp port connection, you expect data to flow through that port

•Attempts to connect to other ports are dropped

61

Linux Firewalls

•Netfilter packet-handling engine
•The command line tool iptables is used to filter network traffic
  ▫Default table: filter
  ▫Consists of chains of rules to filter traffic
  ▫The filter table contains three default chains: FORWARD, INPUT, OUTPUT
  ▫Each packet passes through one of these chains
•Other tables: nat and mangle

62

Linux Firewalls (Cont’d)

•Nat contains chains of rules to control Network Address Translation (NAT)

•Mangle contains chains of rules that modify or alter the contents of network packets outside of NAT

•Mangle is used for special handling, but not typically used in production environments

•USAH pp. 938-939 contain a complete example

63
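The "deny inbound, then allow one service at a time" policy from the service-filtering slide, written as iptables rules for the filter table's INPUT chain described above. This is an added example, not the one from USAH pp. 938-939; the port numbers are placeholders, and setting IPTABLES=echo prints the rules instead of loading them, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the slides or USAH): default-deny INPUT chain with iptables.
IPTABLES="${IPTABLES:-iptables}"

fw_apply() {
    # $@ = TCP ports to accept inbound, added one at a time (for example: fw_apply 22 80).
    $IPTABLES -F INPUT
    # Loopback traffic, then replies to connections this host opened (stateful inspection).
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # A packet that is not a SYN cannot legitimately start a new TCP connection.
    $IPTABLES -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # Allow each wanted service explicitly.
    for port in "$@"; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log a rate-limited sample of everything else so unexpected traffic shows up in syslog.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    # Default policies last, so an existing session is not cut while rules are loaded:
    # inbound and forwarded traffic is denied unless a rule above accepted it; outbound stays open.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
}

fw_show() {
    # List the resulting INPUT chain with rule numbers and packet counters.
    $IPTABLES -L INPUT -n -v --line-numbers
}
```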

IPFilter

•Most Unix vendors do not ship firewall software
  ▫But it can be added to the system
•IPFilter is an open source package that supplies NAT and stateful firewall services for Unix
  ▫Included in many distributions, and in Linux
•It reads filter rules from a configuration file
•If multiple rules match, the last one wins

65

Sources of Security Information

•CERT: Computer Emergency Response Team, by Carnegie-Mellon University

•SANS: Professional organization sponsoring security conferences and training programs

•ISSA: Information Systems Security Association, a professional organization

•ISACA: Information Systems Audit and Control, a professional organization in areas of governance and compliance

68

Installation of Software and Devices

•UPU pp. 641-643

69

Installing Software

•Installed software is typically in /usr/local
  ▫Indicates it is not from the distribution
  ▫Vendors install in different locations
•Two ways to install software:
  ▫1. Create a directory and copy everything there (/opt/pianoman)
  ▫2. Create a directory and copy the software there, but keep configuration files in a central location (/usr/local/pianoman)
•Impact: PATH modifications

70

Installation best practices

•Allow the user to change the location
  ▫Avoid hard-coding locations
•Use common installation packages (tar, cpio)
  ▫Exist in most versions of Unix
  ▫Can use the distribution’s provided packages
    Advantage: these are typically better in functionality
    Disadvantage: you are tied to that distribution and may have to develop multiple installation packages

71

Installation of Devices

•Install device driver
•Determine the device’s major and minor numbers
•Use mknod to associate a filename in /dev with the new device
  ▫mknod creates a special file in the file system
    Can create a character- or block-oriented special file
    Can create a named pipe
    See page 642 in UPU

72

Installation of Terminal Files

73

Name and description

/etc/termcap or /etc/terminfo: Encoded list of every standard terminal’s capabilities and control codes. The Unix editors use the value of the environment variable $TERM to index into this file and fetch your terminal’s characteristics.

/etc/sys: A list of every terminal on the system, together with the program that should be associated with it when the system is initialized (usually “getty”). If the terminal’s type is constant and known, that information is also included.

/etc/gettytab: A list of baud rate information that is used by “getty” in determining how to listen to a login command.

Figure 15.12. Unix system files containing information about terminals

Network Troubleshooting

•Most used protocol is TCP/IP
•Troubleshooting tools are available to troubleshoot a network
•Sample tools: ping, arp, traceroute, netstat, tcpdump, Wireshark
•Understand network protocols

75

Ping

•Simple to use, but useful to detect connectivity problems

•Submits ICMP ECHO_REQUEST packet to a host and waits to see if the host replies

76

SmokePing

•An open source tool that sends ping packets over time and keeps the results

•Displays the history of each monitored link using front end

•Documents the round trip time of pings over time

•Spikes show transit times of individual packets

77

Traceroute

•Displays the sequence of gateways from which a packet traverses to its destination

•All OSs contain a version of traceroute
•Syntax:
  ▫traceroute hostname

79

80

Windows tracert

81

Netstat: network statistics

82

Netstat options

83

Packet Sniffers

•Examples: tcpdump and Wireshark

85

Network Management Protocols

•SNMP: Simple Network Management Protocol
•Organized in a standard hierarchy
•Manager relies on agents to provide information
•Device configuration is stored in a MIB (Management Information Base)
•Attributes are called OIDs (Object Identifiers)
•Has simple commands: get, getnext, set, trap

87

Homework 5

•Download nmap from http://nmap.org
•Review the nmap documentation there
•Perform a scan of www.regis.edu
•Perform a scan of your localhost (172.0.0.1)
•Capture the scan and save it to a file
•Write a report discussing your findings
•Visit the nmap documentation portal and review the Nmap Reference Guide for more information

94

Questions?

95

