Tuesday, May 27, 2008

TCP/IP Administration

TCP/IP is one of the most common networks used for connecting UNIX System computers. TCP/IP networking utilities are part of UNIX. Many networking facilities such as the Mail System and NFS can use a TCP/IP network to communicate with other machines. (Such a network is required to run the Berkeley remote commands and the DARPA commands.)

This chapter will discuss what is needed to get your TCP/IP network up and running. You will need to

  1. Obtain an Internet address.

  2. Install the Internet utilities on your system.

  3. Configure the network for TCP/IP.

  4. Configure the TCP/IP startup scripts.

  5. Identify other machines to your system.

  6. Configure the STREAMS listener database.

  7. Start running TCP/IP.

Once you have TCP/IP running, you need to administer, operate, and maintain your network. Some areas you may be concerned with will also be addressed, including

  • Security administration

  • Troubleshooting

  • Some advanced features available with TCP/IP

Internet Addresses

You need to establish the Internet address you will be using on your machine before you begin the installation of the Internet utilities. If you are joining an existing network, this address is usually assigned to you. If you are starting your own network, you need to obtain a network number and assign Internet addresses to all your hosts.

Internet addresses permit routing between computers to be done efficiently, much as telephone numbers are used to efficiently route calls. Area codes define a large number of telephone exchanges in a given area; exchanges define a group of numbers, which in turn define the phone on your desk. If you call within your own exchange, the call need only go as far as the telephone company office in your neighborhood that connects you to the number you are calling. If you call within your area code, the call need only go to the switching office at that level. Only if you call out of your area code is switching done between switching offices. This reduces the level of traffic, since most connections tend to stay within a small area. It also helps to quickly route calls.

The Format of Internet Addresses

The Internet has long been run on Version 4 of the Internet Protocol, or IPv4, for short. In IPv4, Internet addresses are 32 bits, separated into four 8-bit fields (each field is called an octet), separated by periods. Each field can have a value in the range of 0–255. The Internet address is made of a network address followed by a host address. (Version 6 of the Internet Protocol, IPv6, may eventually replace IPv4. In IPv6, Internet addresses have a different form that supports many more addresses.)

Obtaining IP Addresses

The Internet Corporation for Assigned Names and Numbers (ICANN) manages and coordinates the Domain Name System (discussed in depth later in this chapter). This system ensures that every Internet address used anywhere in the world is unique. Furthermore, it ensures that every user on the Internet is able to locate all valid addresses and every domain name is mapped to the correct IP address. If you want to register a new domain name for your company or organization and obtain a block of IP addresses, you need to register this domain name with one of many different domain name registrars, each accredited by ICANN. (You can find a list of accredited registrars at http://www.internic.net/regist.html.) Of course, your new domain name cannot be the same as one already taken by another organization. The domain name registrar you contact will be able to tell you if you have selected an available domain name and will be able to help you find a unique domain name if you have trouble finding one not already taken.

Once you have selected your new domain name, the registrar you select will ask you to submit contact and technical information and will give you a registration contract specifying the terms under which your registration is accepted and maintained. The registrar submits the appropriate information about your domain name and the Internet address or addresses associated with that name to the appropriate Network Information Center (NIC). The NIC maintains a database keeping track of which domain name corresponds to which IP address in the domain name service. This information can then become available to other computers throughout the world through the Domain Name Service (DNS).

If you only need an IP address for your particular computer, or you have a small organization and do not want to register a domain name yourself, your Internet service provider (ISP) can obtain an IP address for you and assign you a domain name that is a subdomain of its own domain.

Network Addresses

In IPv4, the network of each Internet domain is assigned a class, or level of service. Depending on the size of the domain, that is, the number of Internet addresses it supports, a network may be of class A, B, or C. The network addresses of Class A networks consist of one field, with the remaining three fields used for host addresses. Consequently Class A networks can have as many as 16,777,216 (256×256×256) hosts. The first field of a Class A network is, by definition, in the range 1–126. Any network addresses that start with 127 are loopback addresses. A loopback address is used to test your computer’s connectivity capability and tell you if your network is set up correctly. The official address for loopback testing is 127.0.0.1.

The network addresses of Class B networks consist of two fields, with the remaining two fields used for host addresses. Consequently, Class B networks can have no more than 65,536 (256×256) hosts. The first field of a Class B network is, by definition, in the range 128–191.

The network addresses of Class C networks consist of three fields, with one field used for host addresses. Consequently, Class C networks can have no more than 256 hosts. As you can see, Class A addresses allow many hosts on a small number of networks, Class B addresses allow more networks and fewer hosts, and Class C addresses allow very few hosts and many networks. The first field of a Class C network is, by definition, in the range 192–254.

Although all Internet addresses currently follow this structure, work is proceeding in the IETF (Internet Engineering Task Force) standards group to move to a new hierarchy scheme called IPv6 (Internet Protocol Version 6). You can find more about this protocol at http://www.ipv6.com/. Many vendors are involved in deploying this architecture to their networks and hardware devices, but they are doing so slowly to maintain compatibility with existing systems. An international test bed backbone for IPv6 (called 6bone) is dedicated to aiding the deployment of IPv6 worldwide. It is on the web at http://www.6bone.net/.

Host Addresses

After you have received a network address, you can assign Internet addresses to the hosts on your network. Because most public networks are Class C networks, it is assumed that your network is in this class. For a Class C network, you use the last field to assign each machine on your network a host address. For instance, if your network has been assigned the address 192.11.105 by an authorized agent such as NSI or one of the newer authorizing agents, you use these first three fields and assign the fourth field to your machines. You may use the first valid number, 1, in the fourth field for the first machine to be added to your network, which gives this machine the Internet address 192.11.105.1. As you add machines to your network, you change only the last number. Your other machines will have addresses 192.11.105.2, 192.11.105.3, 192.11.105.4, and so on.

Each of the network classes (A, B, and C) uses the concept of a netmask to define which part of the IP address is the network address and which part is the actual host ID. For example, a Class B network has a default mask of 255.255.0.0. The fields containing the 0’s are what define your host, and the others (the first two fields) mask the network ID portion. For example, 135.18.64.100 has a network address portion of 135.18 and a host ID portion of 64.100. The Class A default is 255.0.0.0, and the Class C default mask is 255.255.255.0. You may not have access to all of the addresses within the portion that is normally reserved for the host ID, though. With the ever-increasing demand for Internet addresses for host machines, the pool of numbers is decreasing. Some ISPs use a portion of what would normally be the host ID area for the network. For instance, in a Class C network, the ISP may use a netmask that is not on an 8-bit boundary, such as 192.11.105.192, which has a 26-bit netmask. This leaves only 62 possible IP addresses for hosts on this particular network. The table below shows how the classes and netmasks relate, and shows some sample host IP addresses for each class.

Table: Network Classes and Their Netmasks, Including Host IP Examples

Class      Netmask          Example Host IP Address
A          255.0.0.0        108.15.121.9
B          255.255.0.0      148.22.99.154
C          255.255.255.0    220.18.44.109
Loopback   255.255.255.0    127.0.0.1
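As an added example (not part of the chapter), the following POSIX sh functions do the netmask arithmetic described above: they compute the netmask, network address, broadcast address and number of usable host addresses for an address and prefix length, classify an address using the first-field ranges the chapter gives, and convert the hexadecimal netmask form that ifconfig prints (such as ffffff00) back to dotted notation. The function names and the sample host 192.11.105.200 are assumptions made for this example; the usable-host count leaves out the network and broadcast addresses, which is how the chapter arrives at 62 hosts for a 26-bit netmask.

```shell
#!/bin/sh
# Added example (not from the chapter): IPv4 netmask arithmetic in POSIX sh.
# Function names and sample addresses are chosen for this example.

# Dotted quad -> 32-bit integer.
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length (0-32) -> netmask as a 32-bit integer, e.g. 26 -> 0xFFFFFFC0.
prefix2mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

# Hexadecimal netmask as printed by ifconfig (ffffff00) -> dotted quad.
hexmask2ip() {
    int2ip $(( 0x$1 ))
}

# Address class from the first field, using the ranges given in the chapter.
ip_class() {
    first=${1%%.*}
    if [ "$first" -ge 1 ] && [ "$first" -le 126 ]; then echo A
    elif [ "$first" -eq 127 ]; then echo loopback
    elif [ "$first" -ge 128 ] && [ "$first" -le 191 ]; then echo B
    elif [ "$first" -ge 192 ] && [ "$first" -le 254 ]; then echo C
    else echo unknown
    fi
}

# net_info ADDRESS PREFIX: netmask, network, broadcast and usable host count.
# "Usable" leaves out the network and broadcast addresses, so a 26-bit
# netmask yields 62 hosts, as in the text.
net_info() {
    addr=$(ip2int "$1")
    mask=$(prefix2mask "$2")
    network=$(( addr & mask ))
    broadcast=$(( network | (~mask & 0xFFFFFFFF) ))
    size=$(( 1 << (32 - $2) ))
    if [ "$size" -gt 2 ]; then usable=$(( size - 2 )); else usable=$size; fi
    echo "netmask=$(int2ip "$mask") network=$(int2ip "$network") broadcast=$(int2ip "$broadcast") usable_hosts=$usable"
}

# Worked values: the chapter's 26-bit netmask case and its Class B example.
net_info 192.11.105.200 26
net_info 135.18.64.100 16
echo "$(ip_class 135.18.64.100) $(hexmask2ip ffffff00)"
```

The arithmetic is done on the 32-bit integer form of the address because a netmask that does not fall on an 8-bit boundary (the 26-bit case above) cannot be handled field by field.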

Installing and Setting Up TCP/IP

You most likely already have TCP/IP installed on your system if you are running a UNIX variant, but if not, you can install the TCP/IP system on your computer, for instance, using pkgadd. You will need to know the Internet address for your machine and the network that your machine will be part of. The installation procedure prompts you for both of these as it does a basic setup of some of the configuration files.

There may be other dependencies for this package to be installed, so check the documentation that comes with the Internet utilities to be sure that you have everything else that you need.

Network Provider Setup

TCP/IP requires a network provider to communicate with other machines. This network provider can be a high-speed LAN such as Ethernet, or it can be a WAN that communicates via dial-up lines to remote machines and networks. Whichever network provider you use will need to be configured using netcfg (the root program for configuring and managing network interfaces) or ifconfig (configures a network interface).

Your hardware provider may have also supplied a network interface card for your particular configuration. In either situation, consult the documentation that came with your network interface hardware or TCP/IP package for more information on setting up the network provider.

Configuring the Network Interface Card

You use the ifconfig utility to set up your NIC (network interface card), sometimes called an Ethernet card. For example, if you want to configure a 3COM 3C509 card (device e130) on an HP-UX system to be at address 135.16.88.37 on a default net mask and a default broadcast mask for that network, you would enter

#ifconfig e130  135.16.88.37

For a Linux system, the first Ethernet device is defined as eth0, regardless of the NIC used. The equivalent command would be

#ifconfig eth0 135.16.88.37

Solaris uses le0 as the first Ethernet device for 10 Mb Ethernet NICs, so its equivalent command would be

#ifconfig le0 135.16.88.37

(Note that Solaris uses eri0 for newer 10/100 Mb Ethernet devices and hme0 for the older Ultra 10/100 Mb Ethernet devices.) This would also set the netmask address to its default (255.255.0.0) and the broadcast address to its default (here, 135.16.255.255, since the address is on the 135.16 network). Note that in Solaris, to configure the NIC without having to reboot, where you have previously installed the hardware, you need to initialize, or plumb, the network card using the command

#ifconfig le0 plumb

If you already have an entry in your /etc/hosts file that maps the hostname to the IP address (see the next section), you can use it instead of the IP address. For example, if the previous machine with IP address 135.16.88.97 had the hostname bumble, you would type

#ifconfig devname bumble

where devname is the associated device name for your Ethernet card, as seen in the previous examples (such as e130, eth0, or le0).

The hosts File

To get TCP/IP working with other machines, you must first define the machines that you would like to talk to in the file /etc/hosts. This file contains an entry on a separate line for each machine you want to communicate with. Before you add any hosts, there will already be some entries in this file that are used to do loopback testing. You should add the new machines to the bottom of the file. This is the format of the file:

  • Internet-address host-name host-alias

Here, the first field, Internet-address, contains the number assigned to the machine on the Internet; the second field, host-name, contains the name of the machine; and the third field, host-alias, contains another name, or alias, that the host is known by (such as its initials or a nickname). For example, if you wanted to talk to the machine moon, with alias luna, and Internet address 192.11.105.100, the line in this file for moon would look like this:

192.11.105.100  moon    luna

The most important entry in the hosts file is the entry for your own machine. This entry lets you know which network you belong to and helps you to understand who is in your network. Note that if a machine you need to talk to is not on the same network as your machine, TCP/IP still allows you to talk to it using a gateway (discussed in a later section of this chapter).
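Because commands such as ifconfig devname bumble and every other name lookup on the machine depend on this file, a malformed or duplicated entry is worth catching before it is used. The following is an added example (not from the chapter): a POSIX sh function that reports addresses that are not valid dotted quads, lines with no host name, and names mapped more than once, together with a constructed sample file that contains two deliberate errors. The function and sample names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the chapter): check /etc/hosts-style entries.
# Reports addresses that are not valid dotted quads, lines with no host
# name, and names mapped more than once. Returns non-zero if any were found.
check_hosts_file() {
    awk '
    function valid_ip(ip,    n, p, i) {
        n = split(ip, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    {
        sub(/#.*/, "")                          # drop comments
        if (NF == 0) next                       # skip blank lines
        if (!valid_ip($1)) {
            printf "line %d: bad address %s\n", NR, $1; bad++; next
        }
        if (NF < 2) {
            printf "line %d: no host name for %s\n", NR, $1; bad++; next
        }
        for (i = 2; i <= NF; i++) {
            if ($i in seen) {
                printf "line %d: name %s already mapped to %s on line %d\n", NR, $i, seen[$i], line[$i]
                bad++
            } else {
                seen[$i] = $1; line[$i] = NR
            }
        }
    }
    END { exit (bad > 0) }' "$1"
}

# Constructed sample file (not a real hosts file) with two deliberate errors:
# an out-of-range fourth field and a name given two addresses.
make_sample_hosts() {
    cat > "$1" <<'EOF'
# constructed sample, not a system file
127.0.0.1       localhost
192.11.105.100  moon    luna
192.11.105.101  sun
192.11.105.300  pluto
192.11.105.102  sun
EOF
}

# Usage: make_sample_hosts /tmp/hosts.sample; check_hosts_file /tmp/hosts.sample
```

Run against the real /etc/hosts the function prints nothing and returns 0 when every entry is well formed; a duplicate name is reported with the line on which it was first mapped, since a later entry silently shadows the earlier one in most resolvers.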

Listener Administration

Now that you have TCP/IP configured, you may want to use it as a transport provider for your networking service. If your variant of UNIX supports TLI, you can do this by setting up your TLI listener, which is used to provide access to the STREAMS services from remote machines. Note that Linux does not support TLI. To set up the TLI listener, you must first determine the hexadecimal notation for your Internet address. To create a listener database for TCP/IP, first initialize the listener by typing this:

# nlsadmin -i tcp

This creates the database needed by the listener. Next, tell the listener the hexadecimal form of your Internet address so that it can listen for requests to that address. Do this by running a command of the form

# nlsadmin -l \xhexadecimal_address tcp

For example, if the hexadecimal number of your listener address is 00020401c00b6920, you prefix this number with \x and append 16 zeros to the number. You type this:

# nlsadmin -l '\x00020401c00b69200000000000000000' tcp

Every service you want to run over TCP/IP needs to be added to the listener’s database. For instance, if you want to run uucp over TCP/IP, make sure that there is an entry in the database for this service.

You can modify the listener database in two ways, either by using nlsadmin or by using sacadm or pmadm. You can enter service codes for additional services that you want to run over TCP/IP by consulting the administrative guide for each service.
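The hexadecimal string handed to nlsadmin -l above is a sockaddr_in written out in network byte order: a 2-byte address family (0002 is AF_INET), a 2-byte TCP port, the 4-byte IPv4 address, and then 8 zero bytes of padding, which is why the chapter's 16-digit number is followed by 16 zeros. Decoding the chapter's own example that way gives port 0x0401 (1025) and address 192.11.105.32. The following is an added example (not from the chapter) that builds such a string from an address and port and decodes one back again; the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the chapter): build and decode the listener
# address string used with "nlsadmin -l '\x...' tcp". Layout is a
# sockaddr_in: family (2 bytes), port (2 bytes), IPv4 address (4 bytes),
# 8 zero bytes. Function names are chosen for this example.

# tli_hex_addr IP PORT -> \x0002PPPPAABBCCDD0000000000000000
tli_hex_addr() {
    ip=$1
    port=$2
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    # "\\x" in the format prints a literal backslash followed by x.
    printf '\\x0002%04x%02x%02x%02x%02x%016d\n' "$port" "$1" "$2" "$3" "$4" 0
}

# tli_decode '\x...' -> "IP PORT"; fails if the string is not AF_INET.
tli_decode() {
    hex=${1#\\x}
    if [ "${#hex}" -ne 32 ] || [ "$(echo "$hex" | cut -c1-4)" != 0002 ]; then
        echo "not an AF_INET listener address: $1" >&2
        return 1
    fi
    port=$(( 0x$(echo "$hex" | cut -c5-8) ))
    a=$(( 0x$(echo "$hex" | cut -c9-10) ))
    b=$(( 0x$(echo "$hex" | cut -c11-12) ))
    c=$(( 0x$(echo "$hex" | cut -c13-14) ))
    d=$(( 0x$(echo "$hex" | cut -c15-16) ))
    echo "$a.$b.$c.$d $port"
}

# The chapter's example, reconstructed from its address and port.
tli_hex_addr 192.11.105.32 1025
tli_decode '\x00020401c00b69200000000000000000'
```

Decoding an existing entry before changing it is the quickest way to confirm which address and port the listener is actually bound to, since nlsadmin shows only the hexadecimal form.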

Starting TCP/IP

You must have TCP/IP running on your machine for users to be able to access the network. To start TCP/IP after you load it onto your system, you might need to reboot the machine. This is important on some machines because some of the changes you might have made take effect only if you reboot. To reboot most UNIX variants, you can use the shutdown command with the following options:

# /etc/shutdown -y -g0 -i6

Most newer UNIX variants, including Linux and Solaris, normally do not need to be rebooted, because TCP/IP is enabled in the kernel and should start up with your system. If, for any reason, things seem to be working improperly, you may choose to reboot. Most versions of Linux support the shutdown command, and the -r option tells the system to reboot after shutdown is complete. For example,

# shutdown -r now

does an immediate (now) shutdown and then reboots. Linux users may also use the reboot command to perform the same task.

These procedures automatically reboot the machine, bringing it back up to the default run level for which you have your machine configured. To see whether TCP/IP processes are running, type this:

$ ps -ef | grep inetd

This tells you whether the network daemon inetd (the master Internet daemon) is running. The configuration information for this daemon is contained in the file /etc/inetd.conf, which lists the daemons for all of the services in your Internet environment, such as the ftp daemon (ftpd), the telnet daemon (telnetd), the talk daemon (talkd), and the finger daemon (fingerd). The inetd daemon should be started by the /etc/init.d/inetinit script for machines running Solaris, HP-UX, or other UNIX variants built on UNIX System V, or by the /etc/rc.d/init.d/inet script on Linux. If you do not see it, you should stop the network by using the command

# /etc/init.d/inetinit stop

and then restart the network by typing this:

# /etc/init.d/inetinit start

If this fails, check your configuration files to make sure that you have not forgotten to do one of the steps previously covered in configuring the machine for TCP/IP. Every time you reboot your machine, TCP/IP will start up if it is configured properly.

TCP/IP Security

Allowing remote users to transfer files, log in, and execute programs may make your system vulnerable. TCP/IP provides some very good security capabilities, but nevertheless there have been some notorious security problems in the Internet.

In particular, the hosts.equiv and .rhosts files provide some protection from access by unauthorized users, but it is difficult to use them to control access adequately while still allowing authorized users to access the system. You can provide a more secure environment by using the secure shell (ssh), which encrypts the information exchanged while you are logged in to a remote machine.

TCP/IP Security Problems

One of the most famous examples of a TCP/IP security problem was the Internet worm of November 1988. The Internet worm took advantage of a bug in some versions of the sendmail program (sendmail administration is discussed later in this chapter) used by many Internet hosts to allow mail to be sent to a user on a remote host.

The worm interrupted the normal execution of hundreds of machines running variants of UNIX, including the BSD System. Fortunately, the bug had already been fixed in the UNIX System V sendmail program, so that machines running UNIX System V were not affected. This worm and other security attacks have shown that it is necessary to protect certain areas by monitoring daemons and processes that could cause a breach in security. Two of these are

  • fingerd (the finger service daemon)

  • rwhod (the remote who service daemon)

Both of these daemons supply information to remote users about users on your machine. If you are trying to maintain a secure environment, you may not want to let remote users know who is logging in to your machine. This data could provide information that could be used to guess passwords, for example. The best way to control the use of the daemons is simply not to run them on your system. For example, you can disable the finger daemon by modifying the line

finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd

in the file /etc/inetd.conf to look like

# finger   stream  tcp   nowait  nobody  /usr/sbin/in.fingerd   in.fingerd

The pound sign (#) comments the line out.
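Commenting out the line by hand works for one service, but it is easy to miss a service or to edit the wrong line in a long file, and there is no record afterwards of what is still enabled. The following is an added example (not from the chapter): POSIX sh functions that comment out a named service in an inetd.conf-style file and list the services that remain enabled, exercised on a sample file constructed here rather than on the real /etc/inetd.conf. Function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the chapter): disable an inetd service and list
# what is still enabled. Function names are chosen for this example.

# Constructed sample in inetd.conf format; not a system file.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf, not a system file
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
talk    dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
EOF
}

# disable_inetd_service FILE SERVICE: prefix the service's line with "#",
# matching on the first field only so "ftp" does not also match "tftp".
disable_inetd_service() {
    file=$1
    svc=$2
    tmp=$file.tmp
    awk -v svc="$svc" '$1 == svc { print "#" $0; next } { print }' "$file" > "$tmp" &&
        mv "$tmp" "$file"
}

# enabled_inetd_services FILE: names of services not commented out.
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# Usage on a sample file:
#   make_sample_inetd_conf /tmp/inetd.conf.sample
#   disable_inetd_service /tmp/inetd.conf.sample finger
#   enabled_inetd_services /tmp/inetd.conf.sample
```

After editing the real /etc/inetd.conf, inetd has to re-read its configuration before the change takes effect; on most systems that means sending the running inetd a SIGHUP with kill -HUP. Listing the enabled services afterwards, as the second function does, is the check that the intended line and only that line was disabled.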

In general, remember that as long as you are part of a network, you are more susceptible to security breaches than if your machine is isolated. It is possible for someone to set up a machine to masquerade as a machine that you consider trusted. Gateways can pass information about your machine to others whom you do not know, and routers may allow connections to your machine over paths that you may not trust. It is good practice to limit your connectivity into the Internet to only one machine, to disable all services that you know you do not need, and to gateway all of your traffic to the Internet via your own gateway. You can then limit the traffic into the Internet or stop it completely by disconnecting the gateway into the Internet.

Utilities for Added Security

There are utilities available over the Internet to help you monitor your network traffic and identify intrusions. There are others, such as Tripwire at http://www.tripwiresecurity.com/, which prevents file replacement by intruders, and COPS (Computer Oracle and Password System), which can be downloaded from http://www.ciac.org/ciac/ToolsUnixSysMon.html and which checks file permission security. You can also use a package such as SARA (Security Auditor’s Research Assistant) or SAINT (Security Administrator’s Integrated Network Tool). SARA and SAINT examine TCP/IP ports on other systems on the network to discover common vulnerabilities. (Both SARA and SAINT incorporate an earlier package called SATAN [Security Administrator’s Tool for Analyzing Networks], which was also known as SANTA.) Many other tools have been developed to monitor your network’s security. For an up-to-date list of network monitoring tools, go to the CERT web site, http://www.cert.org/. You can find a UNIX security checklist at http://www.cert.org/tech_tips/usc20_full.html. (CERT [Computer Emergency Response Team] is a network security body run by Carnegie Mellon University.)

You might also want to use a program called tcp_wrappers, created by Wietse Venema, a well-known security expert. Venema has created a number of other security-related routines; the index page for all of his tools is at ftp://ftp.porcupine.org/pub/security/. The tcp_wrappers utility can be used to detect and log information that may indicate network intrusions (including spoofing). It logs the client host name of any incoming attempts to use ftp, telnet, or finger, or else to perform remote executions.

Another useful tool that you can use to identify security vulnerabilities is Nessus, which is a comprehensive vulnerability scanning program. Nessus consists of a daemon, nessusd, which performs the scanning, and a client, nessus, which presents results to the user. You can use Nessus to carry out a port scan using its internal port scanner to determine which ports are open on a target host machine. Once Nessus finds the open ports, it then tries to run different exploits that can take advantage of possible vulnerabilities, on the open ports. To learn about Nessus and to download it free of charge, go to http://www.nessus.org/.

Administering Anonymous FTP

The most important use of FTP is to transfer software over the Internet. You will see how you can offer files on your machine via anonymous FTP to remote users.

When you enable anonymous FTP, you give remote users access to files that you choose, without giving these users logins. Many UNIX systems include a script for setting up anonymous FTP. If your system does not provide such a script, you can set up anonymous FTP by following these steps. Note that the directories used to store the information may differ slightly among variants from this example, but the process is the same. To set up anonymous FTP,

  1. Add the user ftp to your /etc/passwd and /etc/shadow files.

  2. Create the subdirectories bin, etc, and pub in /var/home/ftp.

  3. Copy /usr/bin/ls to the subdirectory /var/home/ftp/bin.

  4. Copy the files /etc/passwd, /etc/shadow, and /etc/group to /var/home/ftp/etc.

  5. Edit the copies of /etc/passwd and /etc/shadow so that they contain only the following users: root, daemon, uucp, and ftp.

  6. Edit the copy of /etc/group to contain the group other, which is the group assigned to the user ftp.

  7. Change permissions on the directories and files in the directories under /var/home/ftp, using the permissions given in the table below:

    Permissions Used to Enable Anonymous FTP

    File or Directory   Owner   Group   Mode
    ftp                 ftp     other   555
    ftp/bin             root    other   555
    ftp/bin/ls          root    other   111
    ftp/etc             root    other   555
    ftp/etc/passwd      root    other   444
    ftp/etc/shadow      root    other   444
    ftp/etc/group       root    other   444
    ftp/pub             ftp     other   777

  8. Check that there is an entry in /etc/inetd.conf for in.ftpd.

  9. Put files that you want to share in /var/home/ftp/pub.

After you complete all these tasks, remote users will have access to files in the directory /var/home/ftp/pub. Remote users may also write to this directory. We offer a word of caution here, however. Making a directory on your machine a repository that others can write to may result in content that drains resources or is inappropriate for the machine (such as MP3 audio files).
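The permission table is the part of this procedure that most often goes wrong, and a mode that is looser than the table (a writable ftp/etc, for instance) is not visible from the FTP client. The following is an added example (not from the chapter): a POSIX sh script that builds the tree under a base directory of your choice (the chapter uses /var/home), applies the modes from the table, and then audits every entry against the table so that drift can be detected later. Ownership changes are left out because they need root and the ftp account; the account-file contents are placeholders constructed here, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the chapter): create the anonymous FTP tree with
# the modes from the permissions table, then audit it. chown is omitted
# (needs root and the ftp account). Function names are chosen here.

# Path, mode from the table, and the mode string "ls -ld" should show.
anon_ftp_table() {
    printf '%s\n' \
        'ftp            555 dr-xr-xr-x' \
        'ftp/bin        555 dr-xr-xr-x' \
        'ftp/bin/ls     111 ---x--x--x' \
        'ftp/etc        555 dr-xr-xr-x' \
        'ftp/etc/passwd 444 -r--r--r--' \
        'ftp/etc/shadow 444 -r--r--r--' \
        'ftp/etc/group  444 -r--r--r--' \
        'ftp/pub        777 drwxrwxrwx'
}

# setup_anon_ftp_tree BASE: steps 2 to 7 of the procedure under BASE.
setup_anon_ftp_tree() {
    base=$1
    mkdir -p "$base/ftp/bin" "$base/ftp/etc" "$base/ftp/pub"          # step 2
    cp /usr/bin/ls "$base/ftp/bin/ls" 2>/dev/null || cp /bin/ls "$base/ftp/bin/ls"   # step 3
    # Steps 4-6: trimmed account files with only root, daemon, uucp and ftp
    # (placeholder entries constructed for this example, not real accounts).
    printf '%s\n' 'root:x:0:1::/:' 'daemon:x:1:1::/:' 'uucp:x:5:5::/:' \
        'ftp:x:30000:1:Anonymous FTP:/var/home/ftp:/bin/false' > "$base/ftp/etc/passwd"
    printf '%s\n' 'root:*:::' 'daemon:*:::' 'uucp:*:::' 'ftp:*:::' > "$base/ftp/etc/shadow"
    printf '%s\n' 'other::1:' > "$base/ftp/etc/group"
    # Step 7: apply the modes from the table.
    anon_ftp_table | while read -r path mode _; do
        chmod "$mode" "$base/$path"
    done
}

# verify_anon_ftp_tree BASE: print every entry whose mode differs from the
# table; returns non-zero if there is at least one.
verify_anon_ftp_tree() {
    problems=$(anon_ftp_table | while read -r path mode want; do
        got=$(ls -ld "$1/$path" 2>/dev/null | cut -c1-10)
        [ "$got" = "$want" ] || echo "$path: mode is ${got:-missing}, expected $want (chmod $mode)"
    done)
    if [ -n "$problems" ]; then
        echo "$problems"
        return 1
    fi
    return 0
}

# remove_anon_ftp_tree BASE: undo a test tree (the read-only directories
# block a plain rm -rf).
remove_anon_ftp_tree() {
    chmod -R u+rwx "$1" && rm -rf "$1"
}

# Usage: setup_anon_ftp_tree /var/home && verify_anon_ftp_tree /var/home
```

Running verify_anon_ftp_tree periodically (for instance from cron) turns the table into a standing check: any entry reported is a file or directory whose mode no longer matches what anonymous FTP was set up with.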

Troubleshooting TCP/IP Problems

Some standard tools are built into TCP/IP that allow the administrator to diagnose problems. These include ping, netstat, and ifconfig.

ping

If you are having a problem contacting a machine on the network, you can use ping to test whether the machine is active. ping responds by telling you that the machine is alive or that it is inactive. For example, if you want to check the machine ralph, type this:

$ ping ralph

If ralph is up on the network, you see this:

ralph is alive

But if ralph is not active, you see this:

no answer from ralph

Although a machine may be active, it can still lose packets. You can use the -s option to ping to check for this. For example, when you type

$ ping -s ralph

ping continuously sends packets to the machine ralph. It stops sending packets when you hit the BREAK key or when a timeout occurs. After it has stopped sending packets, ping displays output that provides packet-loss statistics.

You can use other options to ping to check whether the data you send is the data that the remote machine gets. This is helpful if you think that data is getting corrupted over the network. One example of this is using the ping command with the -s option, which performs a ping every second until you end the ping request (usually with CTRL-C). The results of a successful four-second ping like this for machine dodger, at IP address 135.18.99.6, would be

# ping -s dodger
64 bytes from dodger (135.18.99.6): icmp_seq=1. time=38. ms
64 bytes from dodger (135.18.99.6): icmp_seq=2. time=25. ms
64 bytes from dodger (135.18.99.6): icmp_seq=3. time=45. ms
64 bytes from dodger (135.18.99.6): icmp_seq=4. time=36. ms
----dodger PING statistics---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (ms) min/avg/max 25/36/45

You can also specify that you want to send data packets of a different size than standard. Here the default is used (64 bytes), but you may want to diagnose how bigger blocks are handled, particularly if you think your network is slow. For instance, you would type

# ping -s dodger 4096

to request that 4,096 bytes be sent back each time from dodger to see if they all come back. Check your system’s manual page for ping to learn more about its options. If you are a user of Windows9x/NT, the options are very similar to those you would use when running an add-on vendor package such as WSPing32, which is a commercial version of ping for Windows machines with more functionality than just the built-in Windows utility.

netstat

When you experience a problem with your network, you need to check the status of your network connection. You can do this using the netstat command. You can look at network traffic, routing table information, protocol statistics, and communication controller status. If you have a problem getting a network connection, check whether all connections are being used, or whether there are old connections that have not been disconnected properly.

For instance, to get a listing of statistics for each protocol, type this:

$ netstat -s
ip:
385364 total packets received
0 bad header checksums
0 with size smaller than minimum
0 with data size <>

The preceding example is a report on the connection statistics. If you find many errors in the statistics for any of the protocols, you may have a problem with your network. It is also possible that a machine is sending bad packets into the network. The data gives you a general picture of the state of TCP/IP networking on your machine.

If you want to check out the communication controller, type this:

$ netstat -i
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Collis
lo0 2048 loopback localhost 28 0 28 0 0

The output contains statistics on packets transmitted and received on the network.

If, for example, the number of collisions (abbreviated to “Collis” in the output) is high, you may have a hardware problem. On the other hand, if as you run netstat -i several times you see that the number of input packets (abbreviated to “Ipkts” in the output) is increasing, while the number of output packets (abbreviated to “Opkts” in the output) remains steady, the problem may be that a remote machine is trying to talk to your machine, but your machine does not know how to respond. This may be caused by an incorrect address for the remote machine in the hosts file or by an incorrect address in the /etc/ethers file.
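Both rules of thumb above are about change between two readings rather than about a single snapshot, so the practical check is to capture netstat -i twice a few seconds apart and compare the counters per interface. The following is an added example (not from the chapter): a POSIX sh function that takes two snapshots in the column layout shown above, computes the per-interface deltas, and reports a collision rate above a threshold (hardware suspected) and an interface whose input count rose while its output count stayed flat (the machine is being addressed but is not answering). The two snapshots, the interface names emd4 and emd5 and the host names are constructed for this example, as is the 5% default threshold.

```shell
#!/bin/sh
# Added example (not from the chapter): compare two "netstat -i" snapshots
# and apply the two rules of thumb from the text. Snapshots and names are
# constructed for this example; columns follow the chapter's sample output.
SNAP1='Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Collis
lo0 2048 loopback localhost 28 0 28 0 0
emd4 1500 192.11.105 moon 10400 2 9800 0 120
emd5 1500 192.11.106 moon-lab 500 0 300 0 0'
SNAP2='Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Collis
lo0 2048 loopback localhost 28 0 28 0 0
emd4 1500 192.11.105 moon 10950 2 10300 0 180
emd5 1500 192.11.106 moon-lab 900 0 300 0 0'

# netstat_i_diff BEFORE AFTER [COLLISION_PCT]
# Prints one line per interface that trips a rule; prints nothing otherwise.
netstat_i_diff() {
    threshold=${3:-5}
    { echo "$1"; echo "=="; echo "$2"; } | awk -v thr="$threshold" '
    /^Name/ { next }                                # header line
    /^==$/  { second = 1; next }                    # separator we inserted
    !second { ip[$1] = $5; op[$1] = $7; col[$1] = $9; next }
    {
        din = $5 - ip[$1]; dout = $7 - op[$1]; dcol = $9 - col[$1]
        # Rule 1: many collisions relative to packets sent -> hardware.
        if (dout > 0 && dcol * 100 / dout > thr)
            printf "%s: %d collisions for %d output packets (%.1f%%), check the hardware\n",
                   $1, dcol, dout, dcol * 100 / dout
        # Rule 2: input rising, output flat -> we are not answering.
        if (din > 0 && dout == 0)
            printf "%s: %d packets received but none sent, check hosts/ethers entries for the remote machine\n",
                   $1, din
    }'
}

# On a live system: netstat_i_diff "$(netstat -i)" "$(sleep 5; netstat -i)"
netstat_i_diff "$SNAP1" "$SNAP2"
```

On the constructed data emd4 shows 60 collisions for 500 packets sent (12%), and emd5 received 400 packets while sending none; lo0, unchanged between the two readings, is not reported.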

Checking the Configuration of the Network Interface

You can use the ifconfig command to check the configuration of the network interface. For example, to obtain information on the Ethernet interface installed in slot 4, type this:

# /usr/sbin/ifconfig emd4
emd4: flags=3
inet 192.11.105.100 netmask ffffff00 broadcast 192.11.105.255

This tells you that the interface is up, that it is a broadcast network, and that the Internet address for this machine is 192.11.105.100.

Netcat, the “TCP/IP Swiss Army Knife”

Experienced system and network administrators often identify netcat, the “TCP/IP Swiss Army Knife,” as one of the more useful tools for debugging network problems and for identifying network security vulnerabilities. Basically, netcat is a general-purpose utility that can read and write data across a network, using either TCP or UDP. It can be thought of as the network analog of the cat command on your local system. Recall that the cat command can be used to write to a file or to read from a file on a UNIX system. Netcat can do the same things, but over a network, and can be used, using its various options and as part of scripts, to carry out an amazing variety of tasks over a network. If netcat is not already available on your system, you can download the GNU version of netcat from http://netcat.sourceforge.net/. This version runs without changes on Linux, Solaris, FreeBSD, NetBSD, and Mac OS X, and with minor changes on other UNIX variants. Some distributions of netcat include a set of sample scripts for carrying out basic tasks, including probing remote hosts, copying files over the network, and so on.

When you run netcat (by running either the netcat command or the nc command, depending on the version you have), you can connect to a remote host on a specified port and send your input to the service that answers on that port. For example, if you connect to port 25 on a remote host using netcat, you can determine whether the SMTP daemon is running on this port, as expected. If it is, you can use netcat to interactively test whether SMTP is running properly on this remote host. Similarly, you can interactively test other TCP/IP services, including FTP (port 21), POP3 (port 110), IMAP (port 143), HTTP (port 80), and so on.

The telnet command can also be used for remote login over a TCP network, but it does not provide the same functionality as netcat. Netcat has been designed to be much more useful than telnet: netcat can be set up to listen for incoming connections, while telnet cannot; telnet supports only TCP and not UDP; and netcat can easily be used in a script, while telnet cannot be.

Examples of netcat Use

We will illustrate the use of netcat with two examples. (Here we use the GNU netcat command; other versions of netcat are run using the nc command. You should check to see which of these two commands is supported on your system. Generally, these two commands take the same options.) First, note that you can use netcat to send a file over a network. To send a file, you need to run netcat on both the host that is sending the file, say host1, and the host that is receiving the file, say host2. For example, on host2 you could run the command

# netcat -l -p 3000 -v > test

to tell netcat to listen (using the -l option) on port 3000 (using the -p option). On host1, you then run

# cat test | netcat host2 3000 -q 5

to send the file test to netcat, which then sends this file to host2 on port 3000. The -q option tells netcat to quit five seconds after the end of the file (EOF). The -v (verbose) option is used to provide brief diagnostic messages, including when the connection was made and the sending and receiving hosts; the option -vv can be used to provide complete diagnostic messages, including the amount of data transmitted.

Next, we will show how you can use netcat to scan a range of ports on a remote host. For example, you can use

# netcat -v -w 3 -z 192.20.5.55 20-30

to scan all ports between 20 and 30, inclusive, on the remote host with IP address 192.20.5.55. Here the -w option with the argument 3 tells netcat to wait three seconds before reporting that a particular port did not respond, and the -z option tells netcat not to send any data to each of the ports being scanned. (Another important tool for port scanning is the powerful nmap [network mapper] program. See http://www.insecure.org/nmap/ for more information on nmap.)
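To make concrete what the two netcat commands above actually do on the wire, here is an added Python example (not from the original text, and not part of netcat itself) that re-implements both halves of the file transfer and the connect scan over the loopback interface, so it runs without a second host. The listener binds to an ephemeral port chosen by the kernel rather than a fixed port 3000, and the sample payload is constructed; otherwise the behaviour mirrors netcat -l / -q on the transfer side and -w / -z on the scanning side.

```python
import socket
import threading

# Added example (not from the page): a minimal re-implementation of the two
# netcat uses shown above, run over loopback so it works offline.


def start_listener(host="127.0.0.1"):
    """Listener half, like `netcat -l -p 3000 -v > test`: bind to an
    ephemeral loopback port (the kernel picks it) and return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def receive_stream(srv):
    """Accept one connection and read until the peer closes its side (EOF),
    which is exactly what redirecting netcat's stdout into a file captures."""
    conn, _ = srv.accept()
    chunks = []
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    srv.close()
    return b"".join(chunks)


def send_stream(host, port, data, timeout=5.0):
    """Sender half, like `cat test | netcat host2 3000 -q 5`: connect, write
    everything, then shut down the write side so the receiver sees EOF."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)


def transfer(data):
    """Run both halves on this machine; return what the listener received."""
    srv, port = start_listener()
    received = {}
    t = threading.Thread(target=lambda: received.update(data=receive_stream(srv)))
    t.start()
    send_stream("127.0.0.1", port, data)
    t.join(timeout=10)
    return received.get("data")


def scan_ports(host, ports, timeout=3.0):
    """Connect scan like `netcat -v -w 3 -z host 20-30`: attempt a TCP
    connection to each port, send nothing, and report the ones that accepted.
    Handy for checking which services really listen on your own host."""
    open_ports = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)   # -w: give up on a silent port after this long
        try:
            s.connect((host, port))
            open_ports.append(port)
        except OSError:         # refused or timed out: port is not open
            pass
        finally:
            s.close()
    return open_ports


def demo():
    """Constructed demonstration: transfer a sample payload, then scan one
    listening port and one port known to be closed."""
    payload = b"constructed sample file contents\n"
    got = transfer(payload)
    srv, open_port = start_listener()
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()               # nothing listens on closed_port now
    found = scan_ports("127.0.0.1", [open_port, closed_port], timeout=1.0)
    srv.close()
    return got == payload, open_port in found, closed_port not in found


if __name__ == "__main__":
    print(demo())   # expected: (True, True, True)
```

The sender's shutdown of the write side is the equivalent of netcat reaching EOF on stdin; without it the listener would block forever, which is the same reason the -q option exists.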

System administrators and network administrators have found many ways to effectively use netcat for a wide variety of tasks. Unfortunately, malicious hackers have also figured out ways to take advantage of netcat for attacking remote hosts. Because of this, use of netcat is often limited by various security policies and systems.

For more information on netcat, go to http://www.vulnwatch.org/netcat/readme.html. To learn more about netcat and how it can be used by hackers, go to http://www.onlamp.com/pub/a/onlamp/2003/05/29/netcat.html. There is also a version of netcat that encrypts data sent over connections, called CryptCat; you can learn about CryptCat at http://farm9.org/Cryptcat/.

Advanced Features

Other capabilities can be enabled once your system supports TCP. We will briefly discuss some of these capabilities here. Their configuration can be quite complicated.

Name Server

You can designate a single machine as a name server for your TCP/IP network. When you use a name server, a machine wishing to communicate with another host queries this name server for the address of the remote host. So, the machine itself does not need to know the Internet addresses of every machine it can communicate with. This simplifies administration because you only have to maintain an /etc/hosts file on one machine. All machines in your domain can talk to each other and the rest of the Internet using this name server. Using a name server also provides better security because Internet addresses are only available on the name server, limiting access to addresses to only the people who have access to the name server.

Just because some users in your domain can’t reach your name server doesn’t mean they can’t use the IP address directly to contact a host. Also, it doesn’t prevent them from using other name servers to get the same info. (For example, you can set up your /etc/resolv.conf to point to 138.23.180.127 even though your local name server is 207.217.126.81.)

Router

A router allows your machine to talk to another machine via an intermediate machine. Routers are used when your machine is not on the same network as the one you would like to talk to. You can set up your machine so that it uses a third machine that has access to both your network and the network of the machine you need to talk to. For instance, your machine may have Ethernet hardware, while another machine you need to communicate with can be reached only via PPP. If you have a machine that can run TCP/IP using both Ethernet and PPP, you can set this machine up as a router, which you could use to get to the remote host reachable only via PPP. You would configure your machine to use the router when it attempts to reach this remote system. The users on your machine would not need to know about any of this; to them it seems as if your machine and the remote machine are on the same network.

You need to understand a few more things about routers than we can cover here, but we can discuss some basic concepts. Routers are set up using the same network addressing scheme as for the network card we previously described. The router is assigned a specific IP address. Usually it is the first address on your network. For example, the first router on the 135.18.99 network would be 135.18.99.1. If you have additional routers, you would usually assign them the next available number (135.18.99.2 and so on). Since a router is a device on your network, you can ping it just as you would a UNIX machine. For example, if you want to know the status of the router at address 135.18.99.1, you can type

# ping 135.18.99.1

If you have assigned a name to the router, say snoozy, you can ping the router with the command sequence

# ping snoozy

You will receive responses similar to those shown in the previous section on ping in this chapter.

Networks and Ethers

As you expand the scope of your connectivity, you may want to communicate with networks other than your own local one. You can configure your machine to talk to multiple networks using the /etc/inet/networks file. Here is an example of a line you would add to this file:

mynet   192.11.105       my

The first field is the name of the network, the second is its Internet address, and the third is the optional alias name for this new network.

The file /etc/ethers is used to associate host names with Ethernet addresses. There is also a service called RARP that allows you to use Ethernet addresses instead of Internet addresses, similar to the way DNS (Domain Name Service) maps a machine node name to an IP address. RARP converts a hardware (Ethernet) address into an Internet address. For example, if you know that a machine on your network has an Ethernet address of 800010031234, RARP determines the Internet address of this machine. If you are using the RARP daemon, you need to configure the ethers file so that RARP can map an Ethernet address to an IP address.
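As an added illustration of the two file formats just described (this is example code, not part of any UNIX variant's tools), the following Python parses /etc/networks lines of the form name, number, optional aliases, and /etc/ethers lines of the form Ethernet address, host name, and then performs the lookup the RARP daemon does: hardware address to host name via ethers, host name to IP address via /etc/hosts. The file contents are constructed samples using the mynet network and the 800010031234 address from the text; it accepts both the colon-separated form ethers(5) uses and that bare twelve-hex-digit form.

```python
import re

# Added example (not from the page): parsers for the /etc/networks and
# /etc/ethers formats plus a RARP-style lookup. All file contents below are
# constructed samples.

NETWORKS_SAMPLE = """\
# name      number        aliases
loopback    127
mynet       192.11.105    my
"""

ETHERS_SAMPLE = """\
# Ethernet address   host name
80:00:10:03:12:34    host1
0:11:22:33:44:55     host2
"""

HOSTS_SAMPLE = """\
127.0.0.1        localhost
192.11.105.10    host1
192.11.105.11    host2
"""


def _records(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_networks(text):
    """Map every network name and alias to its network number."""
    table = {}
    for fields in _records(text):
        if len(fields) < 2:
            continue                       # malformed line: no number
        name, number, aliases = fields[0], fields[1], fields[2:]
        for n in [name, *aliases]:
            table[n] = number
    return table


def normalize_mac(mac):
    """Canonical lowercase colon form. Accepts 80:00:10:03:12:34, the
    unpadded 0:11:22:... style ethers(5) allows, or the bare 800010031234
    form used in the text. Returns None for anything that is not an address."""
    if ":" in mac or "-" in mac:
        parts = re.split(r"[:-]", mac)
        if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
            return None
        return ":".join(p.lower().zfill(2) for p in parts)
    if re.fullmatch(r"[0-9A-Fa-f]{12}", mac):
        return ":".join(mac[i:i + 2].lower() for i in range(0, 12, 2))
    return None


def parse_ethers(text):
    """Map normalized Ethernet address -> host name; skip malformed lines."""
    table = {}
    for fields in _records(text):
        if len(fields) != 2:
            continue
        mac = normalize_mac(fields[0])
        if mac is not None:
            table[mac] = fields[1]
    return table


def parse_hosts(text):
    """Map each host name and alias -> IP address."""
    table = {}
    for fields in _records(text):
        for name in fields[1:]:
            table[name] = fields[0]
    return table


def rarp_lookup(mac, ethers, hosts):
    """What the RARP daemon does with these files: hardware address ->
    host name (ethers) -> IP address (hosts). None if either step fails."""
    key = normalize_mac(mac)
    if key is None or key not in ethers:
        return None
    return hosts.get(ethers[key])


if __name__ == "__main__":
    e, h = parse_ethers(ETHERS_SAMPLE), parse_hosts(HOSTS_SAMPLE)
    print(parse_networks(NETWORKS_SAMPLE))
    print(rarp_lookup("800010031234", e, h))   # expected: 192.11.105.10
```

Rejecting malformed addresses instead of guessing matters here: an ethers entry that silently normalizes to the wrong address would hand an IP to the wrong machine at boot time.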

There are other files that generally do not require attention, such as /etc/services and /etc/protocols. If you want to know more about these files, consult the network administration guide for your variant.

PPP ADMINISTRATION

PPP (Point-to-Point Protocol) is a connection-oriented protocol that allows users to connect to UNIX systems over a remote connection using a device such as a modem or a dedicated serial link. To use this protocol, you must have TCP/IP running on both the client machine and the UNIX host to which it wants to connect.

PPP Protocol Administration

PPP (Point-to-Point Protocol) is a serial connection that can be used to support reliable connections. PPP allows you to communicate over a variety of protocols, including TCP/IP. PPP provides excellent error handling and correction facilities. It also allows for intelligent connections between your machine and the UNIX host. PPP can determine the local and remote TCP/IP addresses from a connection. The program that sets up the configuration for the PPP connection is called pppd (PPP daemon).

PPP does not perform a dialing function itself. Instead, it uses a connection-oriented program such as chat. You can specify some of the commonly used options to pppd in the chat script file and provide others on the command line. For example, the command

pppd connect 'chat -f mychat.chat' /dev/cua0 33600

will start PPP on port 1 (cua0) at 33600 baud, using the chat script mychat.chat for other settings as well as actually making the connection. You can set up routine PPP options in a file called /etc/ppp/options. When you start PPP, it will look in this file first for options and only override them if the command line supplies a different value for an option.

PPP also provides a secure method for authenticating connections, CHAP (Challenge Handshake Authentication Protocol). If you need to use authentication to ensure security between two connected systems, you can set up a security file called /etc/ppp/chap-secrets. This file contains the client’s and server’s hostnames, a key, and the range of allowed IP addresses that they can communicate from. When PPP is started with the -auth option, CHAP is used to authenticate the connection and monitor it continuously.
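The text above names the four fields of /etc/ppp/chap-secrets but does not show how CHAP uses them. The following is an added Python example (not pppd code, and not from the original text) that parses that layout and carries out the exchange defined in RFC 1994 with the MD5 algorithm: the authenticator sends a random challenge, the peer answers with MD5(identifier, secret, challenge), and the authenticator recomputes the hash from its own copy of the secret and also checks that the address the peer asks for is in the allowed list. The host names, secrets and addresses are constructed; only the "*" (any address) form and explicit comma-separated addresses are handled in the fourth field.

```python
import hashlib
import hmac
import os
import shlex

# Added example (not from the page): /etc/ppp/chap-secrets parsing and the
# RFC 1994 MD5 CHAP exchange. Contents below are constructed samples.

CHAP_SECRETS_SAMPLE = """\
# client   server   secret               IP addresses
host1      host2    "example-secret-1"   192.11.105.10
host2      host1    "example-secret-2"   *
"""


def parse_chap_secrets(text):
    """Return (client, server, secret, addresses) tuples. Secrets may be
    quoted, so split shell-style. Addresses are comma-separated; '*' means
    any address. A missing address field is treated as '*' here."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)
        if len(fields) < 3:
            continue                               # malformed: no secret
        addrs = fields[3].split(",") if len(fields) > 3 else ["*"]
        entries.append((fields[0], fields[1], fields[2], addrs))
    return entries


def lookup_secret(entries, client, server):
    """The authenticator's view: which secret applies to this peer pair."""
    for c, s, secret, addrs in entries:
        if c == client and s == server:
            return secret, addrs
    return None


def chap_response(identifier, secret, challenge):
    """RFC 1994, MD5 algorithm: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_exchange(entries, client, server, client_secret, requested_ip,
                  challenge=None, identifier=1):
    """Both sides of one handshake. Returns (ok, reason). The secret itself
    never appears in a message; only the challenge and the 16-byte response do."""
    # authenticator -> peer: fresh random challenge (fixed only for tests)
    challenge = challenge if challenge is not None else os.urandom(16)
    # peer -> authenticator: response computed from the peer's own secret
    response = chap_response(identifier, client_secret, challenge)
    # authenticator: recompute from its stored secret and compare safely
    found = lookup_secret(entries, client, server)
    if found is None:
        return False, "no secret for peer"
    secret, addrs = found
    expected = chap_response(identifier, secret, challenge)
    if not hmac.compare_digest(response, expected):
        return False, "bad response"
    if "*" not in addrs and requested_ip not in addrs:
        return False, "address not allowed"
    return True, "authenticated"


if __name__ == "__main__":
    table = parse_chap_secrets(CHAP_SECRETS_SAMPLE)
    print(chap_exchange(table, "host1", "host2", "example-secret-1", "192.11.105.10"))
    print(chap_exchange(table, "host1", "host2", "wrong", "192.11.105.10"))
```

Because the challenge is random per handshake, a captured response cannot be replayed later, which is what lets pppd re-run the exchange to "monitor it continuously" as the text puts it; the weak point is therefore the secrets file, which should be readable by root only.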
