What is network and systemadministration?
Applying technology in an environment,The human role in systems
Ethical issues, Is systemadministration a discipline? ,The challenges of systemadministration,Common practice and good practice, Bugs and emergent phenomena,Themeta principles of system administration,Knowledge is a jigsaw puzzle,To the student
normally 32 bit system and integer value of count of IP rules apprx.. some millions.
BUT I tested it myself on my SERVER. after 56 000 , (56 Thousands) it becomes slower.
My server has SSD disk and 16 GB memory.
But this is changable. If you do good firewall script, You can use 2 million IP rules with best performance.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 |
OK, for anyone finding this in the future, you need to create your certificates and sign them appropriately. Here are the commands for linux: //Generate a private key openssl genrsa -des3 -out server.key 1024 //Generate Certificate signing request openssl req -new -key server.key -out server.csr //Sign certificate with private key openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt //Remove password requirement (needed for example) cp server.key server.key.secure openssl rsa -in server.key.secure -out server.key //Generate dhparam file openssl dhparam -out dh512.pem 512 Once you've done that, you need to change the filenames in server.cpp and client.cpp. server.cpp context_.use_certificate_chain_file("server.crt"); context_.use_private_key_file("server.key", boost::asio::ssl::context::pem); context_.use_tmp_dh_file("dh512.pem"); client.cpp ctx.load_verify_file("server.crt"); Then it should all work! ---------------------------------------------------------- Secure Socket Layer (SSL) or Transport Security Layer (TSL) Java Introduction: See JavaTM Secure Socket Extension (JSSE) Simple Examples: SimpleServer: SimpleServer.java SimpleClient: SimpleClient.java Running the Examples: Server: java SimpleServer <port> oducsc Client: java -Djavax.net.ssl.trustStore=wahabPublicStore SimpleClient <host> <port> Key Stores: The Server requires a file called: wahabPrivateStore while the Client requires a file called: wahabPublicStore (the password used in the following is: oducsc). Generating wahabPrivateStore: % keytool -genkey -alias wahabkey -keystore wahabPrivateStore ....answer the questions...... Generating wahabPublicStore: % keytool -export -alias wahabkey -keystore wahabPrivateStore -file wahab.cert % keytool -import -alias wahabkey -keystore wahabPublicStore -file wahab.cert C Generating the certificates needed by the examples To create the root CA: % openssl req -newkey rsa:1024 -sha1 -keyout rootkey.pem -out rootreq.pem (cp random.pem ~/.rnd) % openssl x509 -req -in rootreq.pem -sha1 -extfile myopenssl.cnf \ -extensions v3_ca -signkey rootkey.pem -out rootcert.pem (cp /usr/local/ssl/openssl.cnf myopenssl.cnf) % cat rootcert.pem rootkey.pem > root.pem % openssl x509 -subject -issuer -noout -in root.pem To create the server CA and sign it with the root CA: % openssl req -newkey rsa:1024 -sha1 -keyout serverCAkey.pem -out serverCAreq.pem % openssl x509 -req -in serverCAreq.pem -sha1 -extfile myopenssl.cnf \ -extensions v3_ca -CA root.pem -CAkey root.pem -CAcreateserial \ -out serverCAcert.pem % cat serverCAcert.pem serverCAkey.pem rootcert.pem > serverCA.pem % openssl x509 -subject -issuer -noout -in serverCA.pem To create the server's certificate and sign it with the server CA: % openssl req -newkey rsa:1024 -sha1 -keyout serverkey.pem -out serverreq.pem % openssl x509 -req -in serverreq.pem -sha1 -extfile myopenssl.cnf \ -extensions usr_cert -CA serverCA.pem -CAkey serverCA.pem -CAcreateserial \ -out servercert.pem % cat servercert.pem serverkey.pem serverCAcert.pem rootcert.pem > server.pem % openssl x509 -subject -issuer -noout -in server.pem To create the client certificate and sign it with the root CA: % openssl req -newkey rsa:1024 -sha1 -keyout clientkey.pem -out clientreq.pem % openssl x509 -req -in clientreq.pem -sha1 -extfile myopenssl.cnf \ -extensions usr_cert -CA root.pem -CAkey root.pem -CAcreateserial \ -out clientcert.pem % cat clientcert.pem clientkey.pem rootcert.pem > client.pem % openssl x509 -subject -issuer -noout -in client.pem To create the dh512.pem dh1024.pem: % openssl dhparam -check -text -5 512 -out dh512.pem % openssl dhparam -check -text -5 1024 -outdh1024.pem ---------------- As Ency says, provided you've created your own CA, you simply create another key for the new user. Before any more gets typed, when you set up openVPN you did create your own CA, as recommended, didn't you? Edit: OK, then cd easy-rsa . ./vars ./build-key newclient I also have some notes somewhere about making a CRL, which allows you to revoke old certificates, and pointing openVPN at the crl, but I can't immediately find them. |
| Anwendung | SFTP | ||||
| SSH | |||||
| Transport | TCP | ||||
| Internet | IP (IPv4, IPv6) | ||||
| Netzzugang | Ethernet | Token Bus |
Token Ring |
FDDI | |
SFTP – SSH File Transfer Protocol – usually runs over TCP port 22
FTP – plain, old file transfer protocol – usually runns over TCP port 21 (+ opens separate ports for data transfer)
FTP/SSL – FTP over TSL/SSL channel.
FTPS – same as FTP/SSL
Secure FTP – either SFTP or FTPS
More info:
FTPFTP classic
|
FTP/SSLFTP over TLS/SSL
|
SFTPSSH File Transfer Protocol
|
NFS Sun’s Network Filesystem (NFS) is the preferred method of file sharing for networks of Unix or Linux computers. The Linux kernel includes both NFS client support
Coda This is an advanced network filesystem that supports features omitted from NFS. These features include better security (including encryption) and improved caching.
SMB/CIFS The Server Message Block (SMB) protocol, which has been renamed the Core Internet Filesystem (CIFS), is the usual means of network file sharing among Microsoft OSs. The Linux kernel includes SMB/CIFS client support, so you can mount SMB/CIFS shares. You can configure your Linux computer as an SMB/CIFS server using the Samba package (http://www.samba.org). The filesystem type code for SMB/CIFS shares is smbfs.
NCP The NetWare Core Protocol (NCP) is NetWare’s file sharing protocol. As with SMB/CIFS, Linux includes basic NCP client support in the kernel, and you can add separate server packages to turn Linux into an NCP server. NCP’s filesystem type code is ncpfs.
Postfix Configuration Files
The Ubuntu Postfix mail server uses three configuration files, all of which are installed in the
directory /etc/postfix:
dynamicmaps.cf:
Identifies additional capabilities to be loaded at run time based on
the type of operation that is being performed.
main.cf:
Contains configuration information for Postfix that is used during message
processing.
master.cf:
Contains parameters used when the Postfix master program runs other
programs from /usr/lib/postfix.
Postfix can also use standard mailer configuration files such as /etc/aliases (which allows
e‐mail addressed to one user to be automatically delivered to another), but this is not a Postfix-
specific configuration file.
The main.cf configuration file is the only Postfix configuration file that most users will ever
have to modify. As installed on an Ubuntu system, the main.cf configuration file for a system
following the Internet site model looks like the following (I’ve removed some irrelevant com‐
ments and white space):
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
#myorigin = /etc/mailname smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) biff = no append_dot_mydomain = no #delay_warning_time = 4h smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = \ btree:${queue_directory}/smtpd_scache smtp_tls_session_cache_database = \ btree:${queue_directory}/smtp_scache 1044 Chapter 30: Setting Up a Mail Server myhostname = ubuntu.vonhagen.org alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = mail.vonhagen.org, ubuntu.vonhagen.org, localhost.vonhagen.org, localhost relayhost = mynetworks = 127.0.0.0/8 [::ffff:127:0.0.0]/104 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all html_directory = /usr/share/doc/postfix/html |
In order, these configuration variables do the following:
myorigin:
An option for Debian and derivative distributions (such as Ubuntu) that
enables you to use the first line of the text file /etc/mailname as the name of the
mailer. This is actually set later in the default file.
smtpd_banner:
Sets the value of the banner that is displayed when an SMTP connec‐
tion is established. In this case, the banner is constructed by using the value of other
variables set in the configuration file.
biff:
Determines whether the local e‐mail notification service (biff) should be used
for each user with new mail each time Postfix processes the incoming mail queue. In
this case, it is disabled because biff notifications can cause a performance drain, and
are relevant only on the machine that houses the mail files. Users who use local mail
files can enable this for themselves.
append_dot_mydomain:
Determines whether Postfix should append a domain name
to mail sent to user@host. Nowadays, this is usually handled by the MUA, so this is
disabled.
delay_warning_time:
Uncommenting this parameter would specify the period of
time after which users would be notified if mail that they had sent had not yet been
delivered. After all, the remote site could be using Microsoft Exchange, and might be
down.
smtpd_tls_cert_file:
Identifies the full pathname of the file on this system that
holds the certificate used by this machine when sending messages using TLS (Transport
Layer Security).
smtpd_tls_key_file:
Identifies the full pathname of the file on this system that
holds the RSA private key for the Postfix SMTP client when sending messages using TLS
(Transport Layer Security).
smtpd_use_tls:
Determines whether this Postfix server should use TLS when a
remote SMTP server announces STARTTLS support. If the remote server does not
announce STARTTLS support, the message is sent in the clear.
1045
Part III: Ubuntu for System Administrators
smtpd_tls_session_cache_database:
Identifies the organization and location of
the SMTP server TLS session cache used by the tlsmgr daemon.
smtp_tls_session_cache_database:
Identifies the organization and location of the
SMTP client TLS session cache used by the tlsmgr daemon.
myhostname:
Identifies the actual Internet hostname of this system. By default, this
value is the value returned by gethostname().
alias_maps:
Identifies the organization and full pathname of the aliases file used for
local mail delivery.
alias_database:
Identifies the organization and full pathname of the aliases file used
for local mail delivery, and which is updated using the traditional newaliases com‐
mand. This is often the same file as that identified by the alias_maps parameter, but
need not be.
myorigin:
Identifies the name of the host or domain that local mail is assumed to come
from and is sent to. On Ubuntu systems, it is the name of a file containing whatever you
specified as the mail name when installing Postfix. This is suitable for single-domain
installations, but insufficient for Postfix mail servers that support multiple domains.
mydestination:
A list of domains for which mail is delivered via local mail delivery. I
specified ubuntu.vonhagen.org as the name of my host when I installed Postfix╃—╃in
most cases, mail.domain-name (i.e., mail.vonhagen.org, in my case) would be the
standard name to use for a mail server to help keep your sysadmins sane and make it
easy to locate/identify your domain’s mail server.
relayhost:
If outgoing mail must be sent to another mail server for delivery, this
parameter identifies that mail server; otherwise, it is empty.
mynetworks:
Identifies the networks or specific hosts from which this mail server will
send mail. This information is specified in both IPv4 and IPv6 formats. In this case, the
mail server will only send mail from the loopback network, which is a problem. This is
discussed in the following section, “Identifying Trusted Hosts and Domains.”
mailbox_size_limit:
Identifies the maximum size of any mailbox on the system. In
this case, 0 means that there is no limit.
recipient_delimiter:
Identifies the separator used internally by the Postfix server
between usernames and addresses.
inet_interfaces:
Identifies the network interfaces on which the machine can receive
mail. In this case, the Postfix server will listen on all network interfaces.
html_directory:
Identifies the location of HTML files that describe how to install and
configure a Postfix server and various Postfix features.
A complete list of Postfix configuration parameters and possible values is available in the files sec‐
tion of the online reference information for the postconf command (man 5 postconf) or online
at locations such as www.postfix.org/postconf.5.html.
What is network and systemadministration?,Applying technology in an environment,The human role in systems
Ethical issues, Is systemadministration a discipline? ,The challenges of systemadministration,Common practice and good practice, Bugs and emergent phenomena,Themeta principles of systemadministration,Knowledge is a jigsaw puzzle,To the student ,
Some road-maps ,System components ,What is ‘the system’? , Handling hardware ,Operating systems ,Filesystems ,Processes and job control ,
Networks ,IPv4 networks, Address space in IPv4,IPv6 networks,
Networked communities,Communities and enterprises,
Policy blueprints, Systemuniformity, User behavior: socio-anthropology , Clients, servers and delegation,
, Host identities and name services, Common network sharingmodels,Local network orientation and analysis,
Host management ,Global view, local action,Physical considerations of server room,Computer startup and shutdown
,Configuring and personalizingworkstations , Installing a Unix disk, Installation of the operating system ,Software installation
Kernel customization ,User management Issues , User registration , Account policy , Login environment, User support services,
Controlling user resources, Online user services , Userwell-being , Ethical conduct of administrators and users , Computer usage policy ,
Models of network and system administration, Informationmodels and directory services, Systeminfrastructure organization, Network administrationmodels, Networkmanagement technologies,
Creating infrastructure .
Systemmaintenancemodels
6.7 Competition, immunity and convergence .
6.8 Policy and configuration automation .
6.9 IntegratingmultipleOSs
6.10 Amodel checklist
7 Configuration and maintenance
7.1 Systemconfiguration policy
7.2 Methods: controlling causes and symptoms .
7.3 Changemanagement
7.4 Declarative languages
7.5 Policy configuration and its ethical usage
7.6 Common assumptions: clock synchronization
7.7 Human–computer job scheduling .
7.8 Automation of host configuration .
7.9 Preventative host maintenance
CONTENTS vii
7.10 SNMP tools
7.11 Cfengine
7.12 Database configurationmanagement .
8 Diagnostics, fault and change management
8.1 Fault tolerance and propagation
8.2 Networks and small worlds .
8.3 Causality and dependency .
8.4 Defining the system .
8.5 Faults .
8.6 Cause trees
8.7 Probabilistic fault trees .
8.8 Changemanagement revisited .
8.9 Game-theoretical strategy selection
8.10 Monitoring
8.11 Systemperformance tuning
8.12 Principles of quality assurance 324
9 Application-level services 331
9.1 Application-level services
9.2 Proxies and agents
9.3 Installing a new service .
9.4 Summoning daemons
9.5 Setting up the DNS nameservice .
9.6 Setting up aWWWserver
9.7 E-mail configuration .
9.8 OpenLDAP directory service
9.9 MountingNFS disks .
9.10 Samba .
9.11 The printer service
9.12 Java web and enterprise services .
10 Network-level services 391
10.1 The Internet .
10.2 A recap of networking concepts
10.3 Getting traffic to its destination
10.4 Alternative network transport technologies .
10.5 Alternative network connection technologies
10.6 IP routing and forwarding .
10.7 Multi-Protocol Label Switching (MPLS)
10.8 Quality of Service
10.9 Competition or cooperation for service? .
10.10 Service Level Agreements
11 Principles of security
11.1 Four independent issues
11.2 Physical security .
viii CONTENTS
11.3 Trust relationships .
11.4 Security policy and definition of security .
11.5 RFC 2196 and BS/ISO 17799 .
11.6 Systemfailuremodes
11.7 Preventing and minimizing failure modes
11.8 Somewell-known attacks
12 Security implementation 453
12.1 Systemdesign and normalization .
12.2 The recovery plan
12.3 Data integrity and protection
12.4 Authenticationmethods
12.5 Analyzing network security .
12.6 VPNs: secure shell and FreeS/WAN
12.7 Role-based security and capabilities .
12.8 WWW security
12.9 IPSec – secure IP .
12.10 Ordered access control and policy conflicts .
12.11 IP filtering for firewalls .
12.12 Firewalls .
12.13 Intrusion detection and forensics .
12.14 Compromisedmachines
13 Analytical system administration
13.1 Science vs technology
13.2 Studying complex systems .
13.3 The purpose of observation .
13.4 Evaluationmethods and problems
13.5 Evaluating a hierarchical system .
13.6 Deterministic and stochastic behavior
13.7 Observational errors .
13.8 Strategic analyses
13.9 Summary .
14 Summary and outlook
14.1 Informationmanagement in the future
14.2 Collaborationwith software engineering .
14.3 Pervasive computing .
14.4 The future of systemadministration .
A Some useful Unix commands
B Programming and compiling
B.1 Make
B.2 Perl .,WWW and CGI programming
|