Category: LINUX
2008-10-12 21:14:15
As computer security issues increase with the rising onslaught of computer crackers and viruses, operating systems (such as Fedora or RHEL) are moving toward more security rather than more ease-of-use in the services they provide. Simply installing server software isn't enough to get the service up and running.
If a service isn't working, check the following items to hunt down the problem:
Is the software package installed? Each network service is represented by one or more software packages. Use the command rpm -qc packagename to find configuration files, and the command rpm -qd packagename to find documentation. If you selected only packages associated with Desktop categories when you first installed Fedora, most network server software may not be installed on your computer at all. Check (at the end of this appendix) to see which package is needed for a particular service to work. (There might be other package dependencies as well, to which you will be alerted when you try to install the package.) Then use the rpm command to install the software from the installation DVD or CD.
Does the firewall permit access to the service? The first time you boot Fedora after installation, the firstboot procedure enables you to configure a firewall. If you choose the default firewall, most services will not be available outside your local computer. Refer to for information on how to change your firewall configuration to open ports that provide the different services.
Is the start-up script set up to launch the service automatically? Most network services are launched from start-up scripts that cause daemon processes to listen to the network continuously for requests for the service. See the "" section for information on how to find start-up scripts and have them launch automatically.
Does SELinux permit access to the service? When SELinux is enabled, it puts an additional layer of security over selected network services. If you get permission denied messages when you are sure that the firewall and file/directory permissions are set appropriately, run system-config-securitylevel. On the SELinux tab, check that the appropriate service (Web, FTP, Samba, and so on) is enabled. You can also disable SELinux to see if that solves the problem or simply set it to Permissive mode (to only have SELinux display messages about security issues, without enforcing them).
Is the configuration file created for the service? Even if the daemon process is listening for requests for a network service, one or more configuration files associated with the service must probably be set up before requests will be accepted. lists important configuration files for each type of server.
Does the configuration file permit proper access to the service? Within the configuration file for a service, there might be several levels of permissions that a user must pass before being granted access to the service. For example, a configuration file might allow access to the service from a particular host computer, but deny access to a particular user.
Are there other restrictions to the service being shared? Some standard Linux security measures might block access to a service that is otherwise open to being shared. For example, you can share a Linux directory using NFS or FTP servers, but local file permissions might block access to the directory or files within the shared directory.
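The first five checks above, walked for one service, as an added example that is not part of the original text. It assumes a SysV-init Fedora/RHEL host with chkconfig, iptables and getenforce available and auditd writing to /var/log/audit/audit.log; the function names are hypothetical, and the three helpers parse command output from standard input so they can be tried on saved output.

```bash
# Added example: walk the troubleshooting checklist for one service.
# Assumes SysV init (chkconfig), iptables, and auditd writing
# /var/log/audit/audit.log; all function names are hypothetical.

# Runlevels marked "on" in one line of `chkconfig --list <script>` (stdin).
runlevels_on() {
    awk '{ for (i = 2; i <= NF; i++) {
               split($i, f, ":")
               if (f[2] == "on") { printf "%s%s", sep, f[1]; sep = "," }
           }
           print "" }'
}

# Succeeds if `iptables -L -n` output (stdin) has an ACCEPT rule for port $1.
# The trailing "( |$)" keeps port 80 from matching dpt:8080.
port_accepted() {
    grep -Eq "^ACCEPT.*dpt:$1( |\$)"
}

# Number of SELinux AVC denials for daemon $1 in audit log text (stdin).
avc_denials() {
    grep -c "avc: *denied.*comm=\"$1\"" || true
}

# diagnose PACKAGE INITSCRIPT DAEMON PORT, e.g.: diagnose httpd httpd httpd 80
# Run as root so iptables and the audit log are readable.
diagnose() {
    rpm -q "$1" >/dev/null || echo "1: package $1 is not installed"
    iptables -L -n | port_accepted "$4" ||
        echo "2: no ACCEPT rule for port $4"
    on=$(chkconfig --list "$2" 2>/dev/null | runlevels_on)
    echo "3: $2 starts in runlevels: ${on:-none}"
    echo "4: SELinux is $(getenforce)," \
         "AVC denials for $3: $(avc_denials "$3" </var/log/audit/audit.log)"
    echo "5: configuration files to review:"
    rpm -qc "$1"
}
```

A non-zero denial count in step 4 points at SELinux policy as the cause without having to disable SELinux to find out.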
Feature | Package Names | Startup Script(s) | Daemon | Configuration File(s) |
---|---|---|---|---|
Web Server | | | | |
Web-Servers (Apache) | httpd httpd-manual httpd-devel | /etc/init.d/httpd | /usr/sbin/httpd | /etc/httpd/conf/httpd.conf |
(Tux) | tux | /etc/init.d/tux | /usr/sbin/tux | /etc/sysconfig/tux |
File Servers | | | | |
FTP Servers (Vs-ftpd) | vsftpd | /etc/init.d/vsftpd | /usr/sbin/vsftpd | /etc/vsftpd/vsftpd.conf /etc/vsftpd/user_list |
FTP Server with Kerberos Support (Gss-FTP) | krb5-workstation | /etc/init.d/xinetd (/etc/xinetd.d/gssftp) | /usr/sbin/xinetd (/usr/kerberos/sbin/ftpd) | /etc/krb5.conf |
Samba Windows File and Printers (SMB) | samba samba-common samba-client samba-swat system-config-samba | /etc/init.d/smb /etc/init.d/winbind | /usr/sbin/smbd /usr/sbin/nmbd /usr/sbin/winbindd | /etc/samba/smb.conf |
UNIX Network File System (NFS) | nfs-utils system-config-nfs | /etc/init.d/nfs /etc/init.d/nfslock | /usr/sbin/rpc.nfsd /usr/sbin/rpc.mountd /sbin/rpc.statd | /etc/exports |
AppleTalk File and Print Server (Netatalk) | netatalk | /etc/init.d/atalk | /usr/sbin/atalkd | /etc/atalk/* |
Login Servers | | | | |
Telnet | telnet-server | /etc/init.d/xinetd (/etc/xinetd.d/telnet) | /usr/sbin/xinetd (/usr/sbin/in.telnetd) | /etc/issue.net |
Telnet with Kerberos Support (krb5-telnet) | krb5-workstation | /etc/init.d/xinetd (/etc/xinetd.d/krb5-telnet) | /usr/sbin/xinetd (/usr/kerberos/sbin/telnetd) | /etc/krb5.conf |
Open Secure Shell (Openssh) | openssh-server | /etc/init.d/sshd | /usr/sbin/sshd | /etc/ssh/* |
Remote Login (Rlogin) | rsh-server | /etc/init.d/xinetd (/etc/xinetd.d/rlogin) | /usr/sbin/xinetd (/usr/sbin/in.rlogind) | /etc/hosts.equiv $HOME/.rhosts |
Remote Login with Kerberos Support (Eklogin) | krb5-workstation | /etc/init.d/xinetd (/etc/xinetd.d/eklogin) | /usr/sbin/xinetd (/usr/kerberos/sbin/klogind) | /etc/krb5.conf $HOME/.k5login $HOME/.klogin |
(Klogin) | krb5-workstation | /etc/init.d/xinetd | /usr/sbin/xinetd (/usr/kerberos/sbin/klogind) | /etc/krb5.conf $HOME/.k5login $HOME/.klogin |
E-mail Servers | | | | |
Remote Mail Access Servers (IMAP) | dovecot | /etc/init.d/dovecot | /usr/sbin/dovecot | /etc/dovecot |
(POP3) | dovecot | /etc/init.d/dovecot | /usr/sbin/dovecot | /etc/dovecot |
E-mail Transfer Servers (Sendmail) | sendmail sendmail-cf sendmail-doc | /etc/init.d/sendmail | /usr/sbin/sendmail | /etc/sendmail.cf /etc/mail/* |
(Postfix) | postfix | /etc/init.d/postfix | /usr/sbin/postfix | /etc/postfix/* |
News Server | | | | |
Internet Network News (INN) | inn | /etc/init.d/innd | /usr/bin/innd | /etc/news/* |
Print Server | | | | |
Common UNIX Printing System (CUPS) | cups cups-drivers cups-libs cups-drivers-hpijs | /etc/init.d/cups | /usr/sbin/cupsd | /etc/cups/* |
Network Administration Servers | | | | |
Network Time Protocol Server (NTP) | ntp | /etc/init.d/ntpd | /usr/sbin/ntpd | /etc/ntp.conf /etc/ntp/keys |
Network Portmap (RPC to DARPA) | portmap | /etc/init.d/portmap | /sbin/portmap | /etc/rpc |
Samba Administration (SWAT) | samba-swat | /etc/init.d/xinetd (/etc/xinetd.d/swat) | /usr/sbin/xinetd (/usr/sbin/swat) | /etc/smb.conf |
Network Management (arpwatch) | arpwatch | /etc/init.d/arpwatch | /usr/sbin/arpwatch | /etc/sysconfig/arpwatch |
Simple Network Management Protocol (SNMP) | net-snmp | /etc/init.d/snmpd /etc/init.d/snmptrapd | /usr/sbin/snmpd | /etc/snmp/snmpd.conf |
Information Servers | | | | |
Network Information Server (Ypbind) | ypbind | /etc/init.d/ypbind | /sbin/ypbind | /etc/yp.conf |
(Yppasswdd) | ypserv | /etc/init.d/yppasswdd | /usr/sbin/rpc.yppasswd | /etc/passwd /etc/shadow |
(Ypserv) | ypserv | /etc/init.d/ypserv | /usr/sbin/ypserv | /etc/ypserv.conf |
Dynamic Host Configuration Protocol Server (DHCP) | dhcp | /etc/init.d/dhcpd | /usr/sbin/dhcpd | /etc/dhcpd.conf |
Lightweight Directory Access Protocol (LDAP) | openldap-servers | /etc/init.d/ldap | /usr/sbin/slapd /usr/sbin/slurpd | /etc/openldap/slapd.conf |
Domain Name System Server (DNS) | bind bind-utils bind-chroot | /etc/init.d/named | /usr/sbin/named | /etc/named.conf /var/named/* |
Reverse Address Resolution Protocol Server (RARP) | rarpd | /etc/init.d/rarpd | /usr/sbin/rarpd | /etc/ethers |
Database Services | | | | |
MySQL Database | mysql mysql-server | /etc/init.d/mysqld | /usr/libexec/mysqld | /etc/my.cnf |
Postgresql | postgresql-libs postgresql postgresql-server | /etc/init.d/postgresql | /usr/bin/postmaster | /var/lib/pgsql/data |
User Services | | | | |
Remote Execution Servers (Rsh) | rsh-server | /etc/init.d/xinetd (/etc/xinetd.d/rsh) | /usr/sbin/xinetd (/usr/sbin/in.rshd) | /etc/hosts.equiv $HOME/.rhosts |
(Rexec) | rsh-server | /etc/init.d/xinetd (/etc/xinetd.d/rexec) | /usr/sbin/xinetd (/usr/sbin/in.rexecd) | /etc/passwd |
(Kshell) | krb5-workstation | /etc/init.d/xinetd (/etc/xinetd.d/Kshell) | /usr/sbin/xinetd (/usr/kerberos/sbin/kshd) | /etc/krb5.conf |
Talk Server (ntalk) | talk-server | /etc/init.d/xinetd (/etc/xinetd.d/ntalk) | /usr/sbin/xinetd (/usr/sbin/in.ntalkd) | |
(talk) | talk-server | /etc/init.d/xinetd (/etc/xinetd.d/talk) | /usr/sbin/xinetd (/usr/sbin/in.talkd) | |
Finger Server (Finger) | finger-server | /etc/init.d/xinetd (/etc/xinetd.d/finger) | /usr/sbin/xinetd (/usr/sbin/in.fingerd) | |
Identify Users (Rusers) | rusers-server | /etc/init.d/rusersd | /usr/sbin/rpc.rusersd | |
Write All Users (Rwall) | rwall-server | /etc/init.d/rwalld | /usr/sbin/rpc.rwalld | |
Security Services | | | | |
System Logging (syslog) | sysklogd | /etc/init.d/syslog | /sbin/syslogd | /etc/syslog.conf |
Caching Server (Squid) | squid | /etc/init.d/squid | /usr/sbin/squid | /etc/squid/squid.conf |
To begin determining where a service failure actually occurs, look to the log files contained in the /var/log directory. The messages and dmesg files contain general messages about processing that occurs when services and hardware are initialized. Many services, such as Sendmail and Apache, have their own log files. Setting debug levels on service daemons is a way to get more details about how a server is working (see the sidebar).
The rest of this appendix provides an overview of the daemon processes, start-up scripts, configuration files, and software packages that are associated with the networking services that come with Fedora and RHEL.