Linux System Administration

Presenter: Raj Singh
IC Design Group, CEERI, Pilani – 333 031
Phone: 01596-242359
Fax: 01596-242294
Email: [email protected]

Introduction: What is System Administration?

System administration is the management of a mix of activities: installation of operating system(s) and software packages, updating operating system(s), maintaining running systems and peripherals, user accounts management, monitoring systems, performance tuning, securing data/system/network, backups, answering user questions, network services, adding new systems and software packages, malware detection and removal, automating tasks, programming, fault detection, trouble-shooting, UPS management, respecting confidentiality, constant vigilance, etc.

It demands the ability to switch tasks, optimize resources and service users. These are also the characteristics of operating systems!

System administration is like keeping trains on time: no one notices when the trains are on time, and everyone complains when they are late. It is a thankless job.

(c) CEERI, Pilani, IC Design Group

Introduction: Some Observations

• Ethical behaviour.
• Policies and guidelines.
• Frustrating and challenging.
• Balance between authority/responsibility and service/cooperation.
• Pro-actively solve issues before they become problems.
• Record keeping, labeling and documentation are a necessity.
• Expert/power user: familiarity with most system commands, scripting and programming.
• Knowledge of hardware, software, communications, networking, security, ground-neutral, ...
• Many non-technical aspects, e.g. rearranging furniture, the role of a "detective", interfacing with finance/purchase, ...

Basic Strategies

• Plan. Think it through.
• Every change should be reversible. Archive/copy configuration files elsewhere before editing them.
• Make incremental changes.
• Test changes before implementation.
• Document critical steps/commands/decisions, with dates. Attention to detail.
• Continuous technical knowledge update.
• Regular activity/task schedule: daily, weekly, monthly and yearly routines.
• Automate as many tasks as possible.

Pre-Installation Steps

• What is the usage profile of the system? e.g. web server, mail server, DNS/name server, print server, desktop, programming system, development system, backup server, NFS server, FTP server, ...
• CPU type, main memory size (typically now 1 GB or more), USB ports, serial/parallel ports, mouse type, ...
• Decide on disk partitions, their sizes and the partitioning strategy. Typically now, disk size of 20-180 GB. /, /boot, /home, swap, /usr, /var, ...
• Know the details of the networking and LAN environment: IP number/DHCP, hostname, MAC address/network adapter card, gateway/router, name servers, IPv4/IPv6, ...
• Know the details of the graphics card, graphics memory, monitor type, ...
• Names of the users and their login names; root and its password.
• Timezone, date and time.

System Administration Tasks

GUI vs. command-line discussion. Necessity of being familiar with vi or vim.

1. Security, firewall, networking: /etc/hosts, /etc/host.conf, TCP wrapper files (hosts.allow, hosts.deny), OpenSSH files, /etc/sysconfig/iptables, SELinux, ...
2. Information/message logging: /etc/syslog.conf. Creating files in /var/log/.
3. Log file rotation: /etc/logrotate.conf, /etc/logrotate.d/.
4. Cron file: /etc/crontab.
5. Configuring DNS/BIND: /etc/named.conf, /etc/resolv.conf, /var/named/.
6. Configuring the mail system: sendmail. /etc/mail/, /etc/aliases. Also .procmailrc, SpamAssassin, alpine/pine, mutt, ...
7. Creating user accounts: /etc/passwd, /etc/group, /etc/skel/.
8. Disk quota setting: edquota, repquota.
9. Disabling/enabling services (named, kudzu, ...) using chkconfig.
10. Kernel modules: /etc/modprobe.conf.
11. Web server: /etc/httpd/.
12. FTP server: /etc/vsftpd/.
13. System information messages to users: /etc/issue, /etc/issue.net, /etc/motd, /etc/lom.
14. Add other "external" packages, e.g. OpenOffice, Acrobat Reader, ClamAV.
15. Remove some unwanted packages: wvdial, rp-pppoe, ...
16. Adding peripherals (printers, /etc/cups/).

/etc/hosts

    #
    # Updated April, 2004 by I. M. Root.
    127.0.0.1      localhost localhost.localdomain
    #
    # LAN/WAN Facility Systems
    202.41.xxx.x   ernet-router router-ernet router1   # (Net Devata, Cisco, 20xx)
    #
    # Internal LAN
    192.168.1.1    my-pix                              # (Lan Shashtri, Cisco, 21xx)
    ...
    #
    # VLSI Lab (SMDP-II)
    192.168.6.1    switch-smdp2 smdp2-switch           # (Lab Engg, Cisco, 26xx)
    192.168.6.11   smdp-server1                        # Opteron
    ...
    192.168.6.21   smdp-pc1                            # Intel
    ...
    192.168.6.41   smdp-hplj                           # HP-LJ Printer

/etc/host.conf

    order hosts,bind
    multi on
    nospoof on
    spoofalert on

/etc/hosts.allow

    # One needs to edit and tailor this file -- Raj Singh, October, 2008
    ALL:smdp-server1,smdp-server2,smdp-server3,smdp-pc1,smdp-pc2
    httpd:ALL
    vsftpd:192.168.6.0/255.255.255.0
    sendmail:192.168.6.,localhost

/etc/hosts.deny

    ALL:ALL

/etc/sysconfig/network

    HOSTNAME=smdp-pc1.xyz.ac.in
    GATEWAY=192.168.1.1
    NETWORKING=yes
    NETWORKING_IPV6=no

/etc/sysconfig/network-scripts/ifcfg-eth0

    DEVICE=eth0
    BOOTPROTO=static
    HWADDR=00:08:A2:7D:7C:42
    IPADDR=192.168.6.21
    NETMASK=255.255.0.0
    NETWORK=192.168.0.0
    BROADCAST=192.168.255.255
    ONBOOT=yes
    TYPE=Ethernet
    IPV6INIT=no

/etc/sysconfig/iptables

    # Generated by iptables-save v1.2.11 on ...
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [10516:3329244]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --sport 135:139 -j DROP
    -A RH-Firewall-1-INPUT -i eth0 -p udp -m udp --sport 135:139 -j DROP
    ...
    -A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 22
    -A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 -i eth0 -p udp -m udp --sport 22
    ...
    -A RH-Firewall-1-INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
    -A RH-Firewall-1-INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
    -A RH-Firewall-1-INPUT -s 24.208.0.0/255.252.0.0 -i eth0 -j DROP
    ...
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    COMMIT
    # Completed on ...

Three things to check in a ruleset like this before loading it: --sport matches the peer's source port, so the 135-139 and port-22 rules above act on packets sent from those ports on the remote side, whereas restricting who may reach the local SSH or NetBIOS service needs --dport; a rule without a -j target only counts the packets it matches (the port-22 lines as printed here have none, so confirm the complete rule in the live file); and because the built-in chains keep their ACCEPT policy, a packet that reaches the end of RH-Firewall-1-INPUT without matching a DROP is accepted, so the elided part of the chain must end with a catch-all REJECT or DROP (or the INPUT policy be set to DROP).

/etc/syslog.conf

    # Log all kernel messages to /dev/tty12 instead of the console.
    kern.*;local1.*                                        /dev/tty12
    *.info;mail.none;daemon.none;authpriv.none;auth.none   /var/log/messages
    # Added by Raj Singh on October 11, 2008.
    *.warn;*.err;*.alert                                   /var/log/syslog
    # The authpriv file has restricted access.
    authpriv.*;auth.*                                      /var/log/secure
    # Log all the daemon messages in one place.
    daemon.*                                               /var/log/daemons
    # Log all the mail messages in one place.
    mail.*                                                 /var/log/maillog
    ...
    # Save local2 messages also to syslog
    local2.*                                               /var/log/syslog

/etc/logrotate.conf

    # rotate log files weekly
    weekly
    # keep 4 weeks worth of backlogs
    rotate 4
    # create new (empty) log files after rotating old ones
    create
    # uncomment this if you want your log files compressed
    compress
    # RPM packages drop log rotation information into this directory
    include /etc/logrotate.d
    # no packages own wtmp -- we'll rotate them here
    /var/log/wtmp {
        monthly
        create 0664 root utmp
        rotate 1
    }
    # system-specific logs may also be configured here.
    /var/log/daemons {
        create 0600 root root
        rotate 1
    }

/etc/crontab

    ...
    # run-parts
    #01 * * * *  root run-parts /etc/cron.hourly
    37 11 * * *  root run-parts /etc/cron.daily
    43 12 * * 1  root run-parts /etc/cron.weekly
    09 13 1 * *  root run-parts /etc/cron.monthly
    # Remove /tmp, /var/tmp files not accessed in 5 days (120 hours)
    #21 13 * * * root /usr/sbin/tmpwatch 120 /tmp /var/tmp
    ...

/etc/resolv.conf

    domain xyz.ac.in
    nameserver 192.168.1.250
    nameserver 218.248.240.21
    nameserver 202.141.1.132
    #nameserver 220.226.205.253

/etc/named.conf (for Master Name Server)

    ...
    // Set up our ACLs
    acl "xfer" {      // Allow no transfers.
        none;
    };
    acl "trusted" {   // Place our internal subnets in here for DNS queries.
        192.168.0.0/16;
        localhost;
    };
    acl "bogon" {     // Filter out the bogon networks.
        0.0.0.0/8;
        1.0.0.0/8;
        ...
    // Setup logging
    logging {
        channel "default_syslog" {  // Send most of the named messages to syslog.
            syslog local2;
            severity debug;
        };
        channel audit_log {         // Send the security related messages to a separate file.
            file "/var/log/named.log";
            print-time yes;
        };
        category default  { audit_log; };
        category general  { audit_log; };
        category security { audit_log; default_syslog; };
        ...
    };
    options {
        directory "/var/named/data";
        ...
        allow-transfer {  // Zone transfers limited to "xfer" ACL.
            xfer;
        };
        allow-query {     // Accept queries from "trusted" ACL.
            trusted;
        };
        blackhole {       // Deny anything from "bogon" ACL.
            bogon;
        };
    };
    ...
    zone "." {
        type hint;
        file "db.cache";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "db.local";
        allow-query { any; };
        allow-transfer { none; };
    };
    zone "xyz.ac.in" {
        type master;
        file "db.xyz";
    };
    zone "1.168.192.in-addr.arpa" {
        type master;
        file "db.rev1";
    };
    ...
    zone "6.168.192.in-addr.arpa" {
        type master;
        file "db.rev6";
    };
    ...
    // named-checkconf - integrity check the conf file.
    // named-checkzone - integrity check the zone files.

/etc/mail/sendmail.cf

    ...
    # Configuration version number
    DZ8.13.1-DAK-XYZ
    DMxyz.ac.in
    ...
    # SMTP daemon options
    # O DaemonPortOptions=Port=smtp,Addr=127.0.0.1,Name=MTA
    O DaemonPortOptions=Port=smtp,Name=MTA
    ...
    # privacy flags
    #O PrivacyOptions=authwarnings,novrfy,noexpn,restrictqrun
    O PrivacyOptions=goaway,restrictqrun
    ...
    O Timeout.queuereturn=12d
    O Timeout.queuewarn=7d
    ...

sendmail.cf is generated from sendmail.mc with m4, so make the change in the .mc file and regenerate, or it is lost the next time the .cf is rebuilt. The commented-out DaemonPortOptions line with Addr=127.0.0.1 is the stock setting on Red Hat-style distributions and listens on the loopback interface only; dropping Addr makes sendmail listen on every interface, which is what turns it into a LAN mail server and what the hosts.allow and access entries then have to control.

/etc/mail/access

    ...
    # Hosts in XYZ
    192.168.2.2        OK
    ...
    # Hosts in VLSI Lab
    192.168.6          RELAY
    ...
    # Hosts Outside XYZ
    202.41             RELAY
    yahoo.com          RELAY
    ...
    # Deny
    172.16             550 Reserved Address Mail Reject
    10                 550 Reserved Address Mail Reject
    ...
    # Discard
    wanadoo.fr         DISCARD
    hinet.net          DISCARD
    ...

Entries without a Connect:/From:/To: tag are checked against the connecting host, the envelope sender and the envelope recipient alike, so an untagged "domain RELAY" line also relays mail addressed to that domain from anywhere; tag entries with Connect: when the intent is to trust particular hosts or networks. Rebuild the database after editing with "makemap hash /etc/mail/access < /etc/mail/access".

Configuration Files of Various Software Packages

• Many other configuration files need to be checked, e.g. sysctl.conf, modprobe.conf, DIR_COLORS, updatedb.conf, nsswitch.conf, ...
• Each software package/tool has its own configuration file(s), e.g. vsftpd, Apache/httpd, ClamAV, alpine, mutt, elinks, yum, ...
• GUI front-ends for editing many of the configuration files exist.
• Configuration file variables, styles and formats differ for each software package.
• There is no short-cut to reading and understanding the workings and documentation of each software package: /usr/share/doc/, man, info.
• Use Internet resources and websites with care.

Summary of System Administration Tasks

• Installation and upkeep of operating system(s), software packages, services, printers and other peripherals, UPS system, ...
• User accounts management: /etc/passwd, LDAP, NIS, ...
• Security and firewall: SSH, NFS, PAM, iptables, ...
• Managing disks and filesystems: NFS, rsync, disk quota, ...
• Monitoring and performance tuning: log files, processes and daemons.
• Network configuration and management: Ethernet, SNMP, ping, netstat, wireshark, ...
• Electronic mail: SpamAssassin, ClamAV.
• Backup and restore.
• Automating tasks and scripting/programming.
• DNS/BIND/named, FTP, web server, Samba, DHCP, ...
• License servers management.

Desirable Qualities in a System Administrator

• Ethical and trustworthy.
• Patience and persistence.
• Adherence to routine.
• Ingenuity, quickness and cleverness.
• Flexibility.
• Attention to detail.
• Sense of adventure.
• Becoming invisible.
• A dash of humor and fun.
• Thick skin.
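The "Basic Strategies" slide (reversible change, archive configuration files before editing, test before implementation, document with dates) as one shell routine. This is an added example written for this transcription, not a script from the presentation: the function names cfg_backup, check_sysconfig and cfg_apply, the backup directory /var/backups/cfg and the sample ifcfg-eth0 contents are my own assumptions. The checker slot is where named-checkconf or named-checkzone from the BIND slide would go; the one supplied here validates /etc/sysconfig-style KEY=value files.

```shell
#!/bin/sh
# Added example: reversible, checked configuration changes.
# Assumptions: CFG_BACKUP_DIR (default /var/backups/cfg) is writable; the
# helper names are hypothetical, not tools from the presentation.

CFG_BACKUP_DIR="${CFG_BACKUP_DIR:-/var/backups/cfg}"

# cfg_backup FILE: copy FILE into the backup directory under a dated, unique
# name and print the path of the copy.
cfg_backup() {
    mkdir -p "$CFG_BACKUP_DIR" || return 1
    _name=$(printf '%s' "$1" | tr '/' '_')
    _copy=$(mktemp "$CFG_BACKUP_DIR/${_name}.$(date +%Y%m%d-%H%M%S).XXXXXX") || return 1
    cp -p "$1" "$_copy" && printf '%s\n' "$_copy"
}

# check_sysconfig FILE: syntax check for /etc/sysconfig-style files. Every
# line that is not blank or a comment must be NAME=value with NAME a valid
# shell identifier. Returns 0 when the file is clean.
check_sysconfig() {
    ! grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_][A-Za-z0-9_]*=' "$1" | grep -q .
}

# cfg_apply TARGET NEWFILE CHECKER...: back up TARGET, install NEWFILE over
# it, run "CHECKER TARGET"; if the check fails, restore the backup. Every
# outcome is appended with a date to CHANGELOG in the backup directory.
# Returns 0 on success, 2 when the change was rolled back.
cfg_apply() {
    _target=$1; _new=$2; shift 2
    _backup=$(cfg_backup "$_target") || return 1
    cp "$_new" "$_target" || return 1
    if "$@" "$_target"; then
        printf '%s applied %s (backup %s)\n' "$(date +%F)" "$_target" "$_backup" \
            >>"$CFG_BACKUP_DIR/CHANGELOG"
        return 0
    fi
    cp -p "$_backup" "$_target"
    printf '%s REJECTED %s, restored from %s\n' "$(date +%F)" "$_target" "$_backup" \
        >>"$CFG_BACKUP_DIR/CHANGELOG"
    return 2
}

# demo_cfg_apply: exercise the routine on a constructed ifcfg-eth0 in a
# temporary directory: a good change is applied, a malformed one is rolled
# back, and the change log is printed. Returns 0 if both behaved as expected.
demo_cfg_apply() {
    CFG_BACKUP_DIR=$(mktemp -d)
    _dir=$(mktemp -d)
    printf 'DEVICE=eth0\nBOOTPROTO=static\nONBOOT=yes\n' >"$_dir/ifcfg-eth0"
    printf 'DEVICE=eth0\nBOOTPROTO=static\nIPADDR=192.168.6.21\nNETMASK=255.255.0.0\nONBOOT=yes\n' >"$_dir/good"
    printf 'DEVICE=eth0\nIPADDR 192.168.6.21\n' >"$_dir/bad"   # missing "=": must be rejected
    cfg_apply "$_dir/ifcfg-eth0" "$_dir/good" check_sysconfig || return 1
    cfg_apply "$_dir/ifcfg-eth0" "$_dir/bad" check_sysconfig && return 1
    grep -q '^IPADDR=192.168.6.21$' "$_dir/ifcfg-eth0" || return 1   # rollback kept the good version
    cat "$CFG_BACKUP_DIR/CHANGELOG"
}

demo_cfg_apply
```

The checker is any command that takes the file path as its last argument and exits non-zero on a problem, so "cfg_apply /etc/named.conf named.conf.new named-checkconf" or "sh -n" for a shell script slot in without changes to the routine.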
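A check for the /etc/sysconfig/iptables slide: before loading a hand-edited ruleset, lint it for the mistakes discussed there (ACCEPT policy on the built-in chains, rules without a -j target, --sport where --dport was meant). This is an added example, not from the presentation; the sample ruleset is constructed in the shape of the slide's file, and the lint function and the hardened variant are my own.

```shell
#!/bin/sh
# Added example: lint an iptables-save ruleset for mistakes that are easy to
# make in a hand-edited /etc/sysconfig/iptables. Pure text processing with
# awk, so it runs without root and without iptables installed.

# sample_ruleset: a constructed ruleset in the shape of the slide's file.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --sport 135:139 -j DROP
-A RH-Firewall-1-INPUT -s ! 192.168.6.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 22
-A RH-Firewall-1-INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# hardened_ruleset: the same intent written the way it is usually meant:
# default-deny policies, the local service port matched with --dport, reply
# traffic allowed by connection tracking, and a target on every rule.
hardened_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 192.168.6.0/24 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 135:139 -j DROP
-A INPUT -j LOG --log-prefix "iptables-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# iptables_lint FILE: print one finding per line; exit 0 only if there are none.
#   policy     - INPUT or FORWARD defaults to ACCEPT (fail-open)
#   no-target  - "-A" rule without -j, so it only counts packets
#   sport-only - rule selects on the peer's source port, not the local service
iptables_lint() {
    awk '
    /^:(INPUT|FORWARD) ACCEPT/ {
        print "policy: chain " substr($1, 2) " defaults to ACCEPT"; n++
    }
    /^-A / {
        if ($0 !~ / -j /)                      { print "no-target: " $0; n++ }
        if ($0 ~ /--sport/ && $0 !~ /--dport/) { print "sport-only: " $0; n++ }
    }
    END { exit (n > 0) }' "$1"
}

# count_findings FILE: number of findings for FILE (0 for a clean ruleset).
count_findings() {
    iptables_lint "$1" | grep -c .
}

# Stand-alone run over both rulesets.
f=$(mktemp); sample_ruleset >"$f"
iptables_lint "$f" || echo "-- sample ruleset: $(count_findings "$f") findings"
g=$(mktemp); hardened_ruleset >"$g"
iptables_lint "$g" && echo "-- hardened ruleset: clean"
rm -f "$f" "$g"
```

Run it as "iptables_lint /etc/sysconfig/iptables" before "service iptables restart"; a non-zero exit is the signal to look again. The lint only reads the file, so it cannot tell whether the elided lines of a chain end in a catch-all REJECT, which is why the policy finding is worth keeping even when such a rule is expected.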
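The syslog slide sends authpriv messages to /var/log/secure and the TCP-wrapper slide gates services through hosts.allow and hosts.deny; the script below connects the two by counting failed SSH password attempts per source in /var/log/secure-style lines and printing the hosts.deny entries for sources over a threshold. This is an added example, not from the presentation; the log lines are constructed in sshd's syslog format and the function names are my own.

```shell
#!/bin/sh
# Added example: detect SSH password guessing in /var/log/secure-style lines
# and emit TCP-wrapper deny entries for the offending sources.

# sample_secure_log: constructed sshd lines in the format syslog writes them.
sample_secure_log() {
    cat <<'EOF'
Oct 11 22:14:02 smdp-pc1 sshd[4821]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Oct 11 22:14:05 smdp-pc1 sshd[4821]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2
Oct 11 22:14:09 smdp-pc1 sshd[4823]: Failed password for root from 203.0.113.7 port 51830 ssh2
Oct 11 22:14:12 smdp-pc1 sshd[4825]: Failed password for root from 203.0.113.7 port 51841 ssh2
Oct 11 22:15:40 smdp-pc1 sshd[4830]: Accepted publickey for raj from 192.168.6.11 port 40122 ssh2
Oct 11 22:16:01 smdp-pc1 sshd[4833]: Failed password for raj from 192.168.6.21 port 40250 ssh2
Oct 11 22:16:07 smdp-pc1 sshd[4833]: Accepted password for raj from 192.168.6.21 port 40250 ssh2
EOF
}

# failed_by_source FILE: print "count ip" for every source with failed
# password attempts, most attempts first. Only sshd "Failed password" lines
# count; the source is the word after "from", which works for both the
# "invalid user" and the known-user form of the message.
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ssh_bruteforce_report FILE THRESHOLD: sources with at least THRESHOLD failures.
ssh_bruteforce_report() {
    failed_by_source "$1" | awk -v t="$2" '$1 + 0 >= t + 0'
}

# hosts_deny_lines FILE THRESHOLD: the /etc/hosts.deny entries for those sources.
hosts_deny_lines() {
    ssh_bruteforce_report "$1" "$2" | awk '{ print "sshd: " $2 }'
}

# Stand-alone run over the constructed log.
_log=$(mktemp); sample_secure_log >"$_log"
echo "failed logins by source:"; failed_by_source "$_log"
echo "hosts.deny additions (threshold 3):"; hosts_deny_lines "$_log" 3
rm -f "$_log"
```

Scheduled from /etc/crontab (for example hourly, with the output appended to /etc/hosts.deny after a manual review), this gives the "monitoring" and "constant vigilance" items of the task list a concrete shape. Entries in hosts.deny only affect services linked against libwrap; OpenSSH dropped its built-in tcpwrappers support in version 6.7, so on a current system the same list would feed a firewall DROP rule instead.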