Networking Commands

For Windows:

1. ARP

Displays, adds and removes ARP information from network devices.

Syntax:
  ARP -s inet_addr eth_addr [if_addr]
  ARP -d inet_addr [if_addr]
  ARP -a [inet_addr] [-N if_addr]

Options:
  -a          Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed.
  -g          Same as -a.
  inet_addr   Specifies an Internet address.
  -N if_addr  Displays the ARP entries for the network interface specified by if_addr.
  -d          Deletes the host specified by inet_addr.
  -s          Adds the host and associates the Internet address inet_addr with the physical address eth_addr. The physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent.
  eth_addr    Specifies a physical address.
  if_addr     If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used.

Examples:
  arp -a

  Interface: 220.0.0.80
    Internet Address      Physical Address      Type
    220.0.0.160           00-50-04-62-F7-23     static

The physical address (MAC address) shown above, in the format aa-bb-cc-dd-ee-ff, is the unique manufacturer identification number. This number should always be a unique address.

2. HOSTNAME

Displays the hostname of the machine the command is being run on. Additional information about the term hostname can be found in our hostname dictionary definition.

Syntax:
  hostname

Examples:
  hostname

Running the command would display the hostname for the computer.

3. IPCONFIG

Displays the network settings currently assigned and given by a network. This command can be used to verify a network connection as well as to verify network settings.

Syntax:
  ipconfig

Examples:
  ipconfig

  Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : hsd1.ut.comcast.net.
        IP Address. . . . . . . . . . . . : 192.168.201.245
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.201.1

4. PING

Used to test whether a host on a TCP/IP network is reachable, to identify problems with the network, and to assist in resolving them.

Syntax:
  ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [[-j host-list] | [-k host-list]] [-w timeout] destination-list

Options:
  -t            Pings the specified host until stopped. To see statistics and continue, type Control-Break; to stop, type Control-C.
  -a            Resolve addresses to hostnames.
  -n count      Number of echo requests to send.
  -l size       Send buffer size.
  -f            Set the Don't Fragment flag in the packet.
  -i TTL        Time To Live.
  -v TOS        Type Of Service.
  -r count      Record route for count hops.
  -s count      Timestamp for count hops.
  -j host-list  Loose source route along host-list.
  -k host-list  Strict source route along host-list.
  -w timeout    Timeout in milliseconds to wait for each reply.

Example:
  ping computerhope.com

  PING computerhope.com (204.228.150.3) 56(84) bytes of data.
  64 bytes from www.computerhope.com (204.228.150.3): icmp_seq=1 ttl=63 time=0.267 ms

  --- computerhope.com ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.267/0.267/0.267/0.000 ms

5. NETSTAT

Used to display TCP/IP network protocol statistics and information.

Syntax:
  NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

Options:
  -a        Displays all connections and listening ports.
  -e        Displays Ethernet statistics. This may be combined with the -s option.
  -n        Displays addresses and port numbers in numerical form.
  -p proto  Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
  -r        Displays the routing table.
  -s        Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
  interval  Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

Examples:
  netstat

  Proto  Local Address  Foreign Address              State
  TCP    hope:4409      www.computerhope.com:telnet  ESTABLISHED
  TCP    hope:3708      multicity.com:80             CLOSE_WAIT
  TCP    hope:4750      www.google.com:80            CLOSE_WAIT

6. ROUTE

Manually configures the routes in the routing table.

Syntax:
  ROUTE [-f] [-p] [command [destination] [MASK netmask] [gateway] [METRIC metric] [IF interface]]

Options:
  -f           Clears the routing tables of all gateway entries. If this is used in conjunction with one of the commands, the tables are cleared prior to running the command.
  -p           When used with the ADD command, makes a route persistent across boots of the system. By default, routes are not preserved when the system is restarted. When used with the PRINT command, displays the list of registered persistent routes. Ignored for all other commands, which always affect the appropriate persistent routes. This option is not supported on Windows 95.
  command      One of these:
                 PRINT   Prints a route
                 ADD     Adds a route
                 DELETE  Deletes a route
                 CHANGE  Modifies an existing route
  destination  Specifies the host.
  MASK         Specifies that the next parameter is the 'netmask' value.
  netmask      Specifies a subnet mask value for this route entry. If not specified, it defaults to 255.255.255.255.
  gateway      Specifies the gateway.
  interface    The interface number for the specified route.
  METRIC       Specifies the metric, i.e. the cost for the destination.

7. TRACERT

Shows the path a network packet takes to its destination and the number of hops required for the packet to get there.

Syntax:
  tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Options:
  -d               Do not resolve addresses to hostnames.
  -h maximum_hops  Maximum number of hops to search for the target.
  -j host-list     Loose source route along host-list.
  -w timeout       Wait timeout milliseconds for each reply.

Example:
  tracert computerhope.com

    1   169 ms   190 ms   160 ms  slc1-tc.xmission.com [166.70.1.20]
    2   159 ms   160 ms   190 ms  cisco0-tc.xmission.com [166.70.1.1]
    3   165 ms   189 ms   159 ms  www.computerhope.com [166.70.10.23]

For UNIX:

1. FINGER

Lists information about a user.

Syntax:
  finger [-b] [-f] [-h] [-i] [-l] [-m] [-p] [-q] [-s] [-w] [username]

Options:
  -b  Suppress printing the user's home directory and shell in a long format printout.
  -f  Suppress printing the header that is normally printed in a non-long format printout.
  -h  Suppress printing of the .project file in a long format printout.
  -i  Force "idle" output format, which is similar to short format except that only the login name, terminal, login time, and idle time are printed.
  -l  Force long output format.
  -m  Match arguments only on user name (not first or last name).
  -p  Suppress printing of the .plan file in a long format printout.
  -q  Force quick output format, which is similar to short format except that only the login name, terminal, and login time are printed.
  -s  Force short output format.
  -w  Suppress printing the full name in a short format printout.

Examples:
  finger -b -p ch

Would display the following information about the user ch:

  Login name: admin                       In real life: Computer Hope
  On since Feb 11 23:37:16 on pts/7 from domain.computerhope.com
  28 seconds Idle Time
  Unread mail since Mon Feb 12 00:22:52 2001

2. PING

Sends ICMP ECHO_REQUEST packets to network hosts.

Syntax:
  ping -s [-d] [-l] [-L] [-n] [-r] [-R] [-v] [-i interface_address] [-I interval] [-t ttl] host [packetsize] [count]

Options:
  -d                    Set the SO_DEBUG socket option.
  -l                    Loose source route. Use this option in the IP header to send the packet to the given host and back again. Usually specified with the -R option.
  -L                    Turn off loopback of multicast packets. Normally, if there are members in the host group on the outgoing interface, a copy of the multicast packets will be delivered to the local machine.
  -n                    Show network addresses as numbers. ping normally displays addresses as host names.
  -r                    Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. This option can be used to ping a local host through an interface that has been dropped by the router.
  -R                    Record route. Sets the IP record route option, which will store the route of the packet inside the IP header. The contents of the record route will only be printed if the -v option is given, and will only be set on return packets if the target host preserves the record route option across echos, or the -l option is given.
  -v                    Verbose output. List any ICMP packets, other than ECHO_RESPONSE, that are received.
  -i interface_address  Specify the outgoing interface address to use for multicast packets. The default interface address for multicast packets is determined from the (unicast) routing tables.
  -I interval           Specify the interval between successive transmissions. The default is one second.
  -t ttl                Specify the IP time to live for unicast and multicast packets. The default time to live for unicast packets is set with ndd (using the icmp_def_ttl variable). The default time to live for multicast is one hop.
  host                  The network host.
  packetsize            Size of the packet to send. The default is 64.
  count                 Number of times to send the ping request.

Examples:
  ping computerhope.com

Would ping the host computerhope.com to see if it is alive.

  ping computerhope.com -c 1

Would ping the host computerhope.com once and return to the command line, as shown below:

  PING computerhope.com (204.228.150.3) 56(84) bytes of data.
  64 bytes from www.computerhope.com (204.228.150.3): icmp_seq=1 ttl=63 time=0.267 ms

  --- computerhope.com ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.267/0.267/0.267/0.000 ms

3. NETSTAT

Shows network status.

Syntax:
  netstat [-a] [-n] [-v]
  netstat [-g | -m | -p | -s | -f address_family] [-n] [-P protocol]
  netstat [-i] [-I interface] [interval]
  netstat -r [-a] [-n] [-v]
  netstat -M [-n] [-s]
  netstat -D [-I interface]

Options:
  -a                 Show the state of all sockets and all routing table entries; normally, sockets used by server processes are not shown and only interface, host, network, and default routes are shown.
  -n                 Show network addresses as numbers. netstat normally displays addresses as symbols. This option may be used with any of the display formats.
  -v                 Verbose. Show additional information for the sockets and the routing table.
  -g                 Show the multicast group memberships for all interfaces.
  -m                 Show the STREAMS statistics.
  -p                 Show the address resolution (ARP) tables.
  -s                 Show per-protocol statistics. When used with the -M option, show multicast routing statistics instead.
  -i                 Show the state of the interfaces that are used for TCP/IP traffic.
  -r                 Show the routing tables.
  -M                 Show the multicast routing tables. When used with the -s option, show multicast routing statistics instead.
  -d                 Show the state of all interfaces that are under Dynamic Host Configuration Protocol (DHCP) control.
  -D                 Show the status of DHCP configured interfaces.
  -f address_family  Limit statistics or address control block reports to those of the specified address_family, which can be one of:
                       inet  For the AF_INET address family
                       unix  For the AF_UNIX address family
  -P protocol        Limit display of statistics or state of all sockets to those applicable to protocol.
  -I interface       Show the state of a particular interface. interface can be any valid interface such as ie0 or le0.

Examples:
  netstat                 Displays generic net statistics of the host you are currently connected to.
  netstat -an             Shows all connections to the server, including the source and destination IPs and ports, if you have proper permissions.
  netstat -rn             Displays the routing table for all IPs bound to the server.
  netstat -an | grep :80  Displays the active connections on port 80.
  netstat -natp           Displays active Internet connections.


4. HOST

DNS lookup utility.

Examples:
This command is often used to perform a reverse lookup on an IP address, as shown in the example below.

  host 204.228.150.3

  3.150.228.204.in-addr.arpa domain name pointer www.computerhope.com.

5. TRACEROUTE

traceroute is a computer network tool used to show the route taken by packets across an Internet Protocol (IP) network.

Syntax:
  traceroute [-d] [-F] [-I] [-n] [-v] [-x] [-f first_ttl] [-g gateway [-g gateway] | -r] [-i iface] [-m max_ttl] [-p port] [-q nqueries] [-s src_addr] [-t tos] [-w waittime] host [packetlen]

Options:
  -d            Set the SO_DEBUG socket option.
  -F            Set the "don't fragment" bit.
  -I            Use ICMP ECHO instead of UDP datagrams.
  -n            Print hop addresses numerically rather than symbolically and numerically. This saves a nameserver address-to-name lookup for each gateway found on the path.
  -v            Verbose output. For each hop, the size and the destination of the response packets is displayed. Also, ICMP packets received other than TIME_EXCEEDED and UNREACHABLE are listed.
  -x            Prevent traceroute from calculating checksums. Note that checksums are usually required for the last hop when using ICMP ECHO probes. See the -I option.
  -f first_ttl  Set the starting ttl value to first_ttl, to override the default value 1. traceroute skips processing for those intermediate gateways which are less than first_ttl hops away.
  -g gateway    Specify a loose source route gateway. The user can specify more than one gateway by using -g for each gateway. The maximum that can be set is 8.
  -r            Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned. This option can be used to send probes to a local host through an interface that has been dropped by the router daemon.
  -i iface      Specify a network interface to obtain the source IP address for outgoing probe packets. This is normally only useful on a multi-homed host. The -s option is another way to do this. Note that this option does not provide a way to specify the interface on which the probe packets are sent.
  -m max_ttl    Set the maximum ttl used in outgoing probe packets. The default is 30 hops, which is the same default used for TCP connections.
  -p port       Set the base UDP port number used in probes. The default is 33434. traceroute hopes that nothing is listening on UDP ports (base+(nhops-1)*nqueries) to (base+(nhops*nqueries)-1) at the destination host, so that an ICMP PORT_UNREACHABLE message will be returned to terminate the route tracing. If something is listening on a port in the default range, this option can be used to select an unused port range. nhops is defined as the number of hops between the source and the destination.
  -q nqueries   Set the desired number of probe queries. The default is 3.
  -s src_addr   Use the following address, which usually is given as an IP address, not a hostname, as the source address in outgoing probe packets. On multi-homed hosts (those with more than one IP address), this option can be used to force the source address to be something other than the IP address traceroute picks by default. If the IP address is not one of this machine's interface addresses, an error is returned and nothing is sent. When used together with the -i option, the given IP address should be configured on the specified interface. Otherwise, an error will be returned.
  -t tos        Set the tos (type-of-service) in probe packets to the specified value. The default is zero. The value must be an integer in the range from 0 to 255. Gateways along the path may route the probe packet differently depending upon the tos value set in the probe packet.
  -w waittime   Set the time, in seconds, to wait for a response to a probe. The default is five (5) seconds.
  host          The network host.

Examples


6. WHOIS

Internet user name directory service.

Syntax:
  whois [-h host] identifier

Options:
  -h host     Host which holds the identification information.
  identifier  Name or host you wish to identify.

Examples:
  whois computerhope.com

Doing a whois on computerhope.com, for example, will list information similar to the following:

  Whois Server Version 1.3

  Domain names in the .com, .net, and .org domains can now be registered
  with many different competing registrars. Go to http://www.internic.net
  for detailed information.

     Domain Name: COMPUTERHOPE.COM
     Registrar: NETWORK SOLUTIONS, INC.
     Whois Server: whois.networksolutions.com
     Referral URL: www.networksolutions.com
     Name Server: NS.XMISSION.COM
     Name Server: NS2.XMISSION.COM
     Name Server: NS1.XMISSION.COM
     Updated Date: 21-jun-2000

  >>> Last update of whois database: Thu, 22 Feb 2001 07:49:41 EST <<<

7. IFCONFIG

ifconfig (short for interface configuration) is a system administration utility in Unix-like operating systems used to configure, control, and query TCP/IP network interface parameters from a command line interface (CLI).

Usage:
Common uses for ifconfig include setting an interface's IP address and netmask, and disabling or enabling a given interface.[1] At boot time, many UNIX-like operating systems initialize their network interfaces with shell scripts that call ifconfig. As an interactive tool, system administrators routinely use the utility to display and analyze network interface parameters. The following sample output displays the state of a single active interface on a Linux-based host (interface eth0):

  eth0      Link encap:Ethernet  HWaddr 00:0F:20:CF:8B:42
            inet addr:217.149.127.10  Bcast:217.149.127.63  Mask:255.255.255.192
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:2472694671 errors:1 dropped:0 overruns:0 frame:0
            TX packets:44641779 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:1761467179 (1679.8 Mb)  TX bytes:2870928587 (2737.9 Mb)
            Interrupt:28

8. nmap

About nmap Short for network mapper, nmap is a network exploration tool and security / port scanner.

Syntax:
  nmap [Scan Type(s)] [Options] {target specification}

TARGET SPECIFICATION:
  -iL            Input from list of hosts/networks
  -iR            Choose random targets
  --exclude      Exclude hosts/networks
  --excludefile  Exclude list from file

HOST DISCOVERY:
  -sL                   List Scan - simply list targets to scan
  -sP                   Ping Scan - go no further than determining if host is online
  -P0                   Treat all hosts as online -- skip host discovery
  -PS/PA/PU [portlist]  TCP SYN/ACK or UDP discovery to given ports
  -PE/PP/PM             ICMP echo, timestamp, and netmask request discovery probes
  -n/-R                 Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers         Specify custom DNS servers
  --system-dns          Use OS's DNS resolver

SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM  TCP SYN/Connect()/ACK/Window/Maimon scans
  -sN/sF/sX        TCP Null, FIN, and Xmas scans
  --scanflags      Customize TCP scan flags
  -sI
  -sO              IP protocol scan
  -b               FTP bounce scan

PORT SPECIFICATION AND SCAN ORDER:
  -p  Only scan specified ports. Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080

  -F  Fast - Scan only the ports listed in the nmap-services file
  -r  Scan ports consecutively - don't randomize

SERVICE/VERSION DETECTION:
  -sV                  Probe open ports to determine service/version info
  --version-intensity  Set from 0 (light) to 9 (try all probes)
  --version-light      Limit to most likely probes (intensity 2)
  --version-all        Try every single probe (intensity 9)
  --version-trace      Show detailed version scan activity (for debugging)

OS DETECTION:
  -O              Enable OS detection
  --osscan-limit  Limit OS detection to promising targets
  --osscan-guess  Guess OS more aggressively

TIMING AND PERFORMANCE:
  Options which take

  -g/--source-port  Use given port number
  --data-length     Append random data to sent packets
  --ttl             Set IP time-to-live field
  --spoof-mac
  --badsum          Send packets with a bogus TCP/UDP checksum

OUTPUT:
  -oN/-oX/-oS/-oG   Output scan in normal, XML, s|<rIpt kIddi3, and grepable format, respectively
  -oA               Output in the three major formats at once
  -v                Increase verbosity level (use twice for more effect)
  -d[level]         Set or increase debugging level (Up to 9 is meaningful)
  --packet-trace    Show all packets sent and received
  --iflist          Print host interfaces and routes (for debugging)
  --log-errors      Log errors/warnings to the normal-format output file
  --append-output   Append to rather than clobber specified output files
  --resume          Resume an aborted scan
  --stylesheet      XSL stylesheet to transform XML output to HTML
  --webxml          Reference stylesheet from Insecure.Org for more portable XML
  --no-stylesheet   Prevent associating of XSL stylesheet w/XML output

MISC:
  -6                    Enable IPv6 scanning
  -A                    Enables OS detection and Version detection
  --datadir             Specify custom Nmap data file location
  --send-eth/--send-ip  Send using raw ethernet frames or IP packets
  --privileged          Assume that the user is fully privileged
  -V                    Print version number

Examples:
  nmap -P0 204.228.150.3

Running the above port scan on the Computer Hope IP address would give information similar to the example below. Keep in mind that in the above command it's -P0 with a zero, not the letter O.

  Interesting ports on www.computerhope.com (204.228.150.3):
  Not shown: 1019 filtered ports, 657 closed ports
  PORT     STATE  SERVICE
  21/tcp   open   ftp
  80/tcp   open   http
  113/tcp  open   auth
  443/tcp  open   https

9. tcpdump

About tcpdump Dump traffic on a network.

Syntax:
  tcpdump [ -AdDeflLnNOpqRStuUvxX ] [ -c count ] [ -C file_size ] [ -F file ] [ -i interface ] [ -m module ] [ -M secret ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -W filecount ] [ -E spi@ipaddr algo:secret,... ] [ -y datalinktype ] [ -Z user ] [ expression ]

Options:
  -A    Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
  -c    Exit after receiving count packets.
  -C    Before writing a raw packet to a savefile, check whether the file is currently larger than file_size and, if so, close the current savefile and open a new one. Savefiles after the first savefile will have the name specified with the -w flag, with a number after it, starting at 1 and continuing upward. The units of file_size are millions of bytes (1,000,000 bytes, not 1,048,576 bytes).
  -d    Dump the compiled packet-matching code in a human readable form to standard output and stop.
  -dd   Dump packet-matching code as a C program fragment.
  -ddd  Dump packet-matching code as decimal numbers (preceded with a count).
  -e    Print the link-level header on each dump line.
  -F    Use file as input for the filter expression. An additional expression given on the command line is ignored.
  -i    Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match.

        On Linux systems with 2.2 or later kernels, an interface argument of "any" can be used to capture packets from all interfaces. Note that captures on the "any" device will not be done in promiscuous mode.
        If the -D flag is supported, an interface number as printed by that flag can be used as the interface argument.
  -l    Make stdout line buffered. Useful if you want to see the data while capturing it. E.g., "tcpdump -l | tee dat" or "tcpdump -l > dat & tail -f dat".
  -L    List the known data link types for the interface and exit.
  -m    Load SMI MIB module definitions from file module. This option can be used several times to load several MIB modules into tcpdump.
  -M    Use secret as a shared secret for validating the digests found in TCP segments with the TCP-MD5 option (RFC 2385), if present.
  -n    Don't convert addresses (i.e., host addresses, port numbers, etc.) to names.
  -N    Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print "nic" instead of "nic.ddn.mil".
  -X    When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analyzing new protocols.
  -XX   When parsing and printing, in addition to printing the headers of each packet, print the data of each packet, including its link level header, in hex and ASCII.
  -y    Set the data link type to use while capturing packets to datalinktype.
  -Z    Drops privileges (if root) and changes the user ID to user and the group ID to the primary group of user. This behavior can also be enabled by default at compile time.

Examples:
  tcpdump host hope
    In the above example tcpdump would print all packets arriving at or departing from hope.

  tcpdump -i eth0
    Capture data on the eth0 interface.

  tcpdump host helios and \( hot or ace \)
    Print traffic between helios and either hot or ace.

  tcpdump 'gateway snup and (port ftp or ftp-data)'
    Print all ftp traffic through Internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses).

  tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
    Print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)
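The last filter above works because BPF can read header bytes by offset: ip[2:2] is the IP total length, (ip[0]&0xf)<<2 the IP header length and (tcp[12]&0xf0)>>2 the TCP header length, so the difference is the payload size. The following added example (not from the original page or from tcpdump) reproduces that arithmetic in C over constructed IPv4/TCP packets, so you can check which packets the filter keeps; the packet builder, port numbers and payload sizes are all constructed for illustration.

```c
/* Added example (not from the original page): evaluates the tcpdump filter
 *   tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)
 * on raw IPv4/TCP packet bytes the way BPF does, so the payload-length
 * arithmetic can be checked against constructed packets. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Two-byte big-endian read: the meaning of tcpdump's ip[2:2]. */
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* TCP payload length of an IPv4 packet (link-level header already stripped),
 * or -1 if the packet is not IPv4/TCP or is truncated. */
int tcp_payload_len(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;   /* need a full IPv4 header */
    unsigned ihl   = (pkt[0] & 0xf) << 2;             /* (ip[0]&0xf)<<2 : IP header bytes */
    unsigned total = be16(pkt + 2);                   /* ip[2:2]        : IP total length */
    if (pkt[9] != 6 || ihl < 20 || total < ihl || len < ihl + 20) return -1;
    const uint8_t *tcp = pkt + ihl;                   /* tcp[] offsets start at the TCP header */
    unsigned doff = (tcp[12] & 0xf0) >> 2;            /* (tcp[12]&0xf0)>>2 : TCP header bytes */
    if (doff < 20 || total < ihl + doff) return -1;
    return (int)(total - ihl - doff);
}

/* The whole filter: port 80 on either side and a non-empty TCP payload. */
int matches_http_data_filter(const uint8_t *pkt, size_t len)
{
    int payload = tcp_payload_len(pkt, len);
    if (payload < 0) return 0;
    const uint8_t *tcp = pkt + ((pkt[0] & 0xf) << 2);
    unsigned sport = be16(tcp), dport = be16(tcp + 2);
    return (sport == 80 || dport == 80) && payload != 0;
}

/* Build a constructed IPv4/TCP packet: 20-byte IP header, a TCP header of
 * tcp_hdr_len bytes (encoded in the data offset field) and payload_len bytes
 * of filler. Returns the packet length, or 0 for an invalid request. */
size_t build_packet(uint8_t *buf, size_t cap, unsigned dport,
                    unsigned tcp_hdr_len, unsigned payload_len)
{
    size_t total = 20 + tcp_hdr_len + payload_len;
    if (total > cap || tcp_hdr_len < 20 || tcp_hdr_len > 60 || tcp_hdr_len % 4) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                    /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[9] = 6;                                       /* protocol TCP */
    uint8_t *tcp = buf + 20;
    tcp[0] = 0xc0; tcp[1] = 0x00;                     /* source port 49152 (constructed) */
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = (uint8_t)((tcp_hdr_len / 4) << 4);      /* data offset in 32-bit words */
    tcp[13] = payload_len ? 0x18 : 0x02;              /* PSH|ACK with data, bare SYN otherwise */
    memset(tcp + tcp_hdr_len, 'A', payload_len);
    return total;
}

/* Convenience wrappers: build one packet and evaluate it. */
int payload_of(unsigned dport, unsigned tcp_hdr_len, unsigned payload_len)
{
    uint8_t b[128];
    size_t n = build_packet(b, sizeof b, dport, tcp_hdr_len, payload_len);
    return tcp_payload_len(b, n);
}
int filter_hits(unsigned dport, unsigned tcp_hdr_len, unsigned payload_len)
{
    uint8_t b[128];
    size_t n = build_packet(b, sizeof b, dport, tcp_hdr_len, payload_len);
    return matches_http_data_filter(b, n);
}

int main(void)
{
    /* A SYN carrying a 4-byte MSS option (24-byte TCP header) has no payload
     * and is dropped by the filter; a 16-byte request to port 80 passes. */
    printf("SYN to :80   payload=%d match=%d\n", payload_of(80, 24, 0), filter_hits(80, 24, 0));
    printf("data to :80  payload=%d match=%d\n", payload_of(80, 20, 16), filter_hits(80, 20, 16));
    printf("data to :443 payload=%d match=%d\n", payload_of(443, 20, 16), filter_hits(443, 20, 16));
    return 0;
}
```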

10. dig

About dig DNS lookup utility.

Syntax:
  dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [-4] [-6] [name] [type] [class] [queryopt...]
  dig [-h]
  dig [global-queryopt...] [query...]

Options:
You may use the following option flags with dig:
  -b address           Set the source IP address for the query.
  -c class             Set the class of the query. The default value is IN (internet), but you can choose HS for Hesiod or CH for CHAOSNET.
  -f filename          Operate in batch mode, performing the queries in the file you specify.
  -p portnumber        Choose the port number for the query. The default value is the standard DNS port, 53.
  -t type              Set the type of query, as with the query argument. The default value is A, but you may use any valid BIND9 query type.
  -x addr              Use the -x flag for reverse lookups, specifying an IPv4 or IPv6 address. You do not need the name, class, or type arguments if you use the -x flag.
  -k filename          Specify a TSIG keyfile; used for signed transactions. You can also use the -y key, although this is less secure.
  -y keyname:keyvalue  Enter the actual key name and value when conducting a signed transaction. Because the key and value can be seen in the output of ps, this is not recommended for use on multiuser systems; use -k instead.

Query options:
There are a large number of query options for dig. Each query option is preceded by +, and many have an opposite version beginning with no. For example, the tcp flag is passed as +tcp, and negated with +notcp. Because there are so many options, only a few are discussed here. For greater detail, see the dig manpage.
  +tcp, +notcp          Use (or do not use) the TCP protocol instead of the default UDP.
  +domain=searchdomain  Perform a search in the domain specified; this is equivalent to using the +search option and having "searchdomain" as the sole entry in the search list or domain directive of /etc/resolv.conf.
  +search, +nosearch    Use (or do not use) the search list provided in /etc/resolv.conf. The default is not to use the search list.
  +time=t               Timeout for queries, in seconds. The default is 5, and the minimum is 1.
  +tries=n              The number of times to retry UDP queries. The default is 3, and the minimum is 1.

Examples:
  dig computerhope.com

Typing in the above command would display information similar to the example below:

  ; <<>> DiG 9.3.4 <<>> computerhope.com
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33836
  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

  ;; QUESTION SECTION:
  ;computerhope.com.              IN      A

  ;; ANSWER SECTION:
  computerhope.com.       2979    IN      A       204.228.150.3

  ;; AUTHORITY SECTION:
  computerhope.com.       2979    IN      NS      ns2.xmission.com.
  computerhope.com.       2979    IN      NS      ns.xmission.com.
  computerhope.com.       2979    IN      NS      ns1.xmission.com.

  ;; ADDITIONAL SECTION:
  ns.xmission.com.        71493   IN      A       166.70.254.2
  ns1.xmission.com.       154190  IN      A       204.228.159.2
  ns2.xmission.com.       82226   IN      A       207.135.133.2

  ;; Query time: 3 msec
  ;; SERVER: 198.60.22.2#53(198.60.22.2)
  ;; WHEN: Wed Oct 17 05:58:53 2007
  ;; MSG SIZE  rcvd: 160

SELinux security: Security-Enhanced Linux

The SELinux model provides an approach by which secrecy and integrity properties may be achieved with least-privilege permissions and containment of services [16]. The system administrators create a policy that is restrictive with respect to granting rights that would violate secrecy and integrity properties, and the notions of least privilege and containment are used to minimize the damage due to compromises where these occur.

Linux security implementation

In the early days of SELinux, while it was still a set of patches, it provided its own security framework. This was problematic because it locked GNU/Linux into a single access-control architecture. Instead of adopting a single approach, the Linux kernel inherited a generic framework that separated policy from enforcement. This solution was the Linux Security Module (LSM) framework. The LSM provides a general-purpose framework for security that allows security models to be implemented as loadable kernel modules (see Figure 1).

Figure 1. Security policy and enforcement are independent using SELinux.

Kernel code is modified prior to accessing internal objects to invoke a hook that represents an enforcement function, which implements the security policy. This function validates that the operation may proceed based on the predefined policies. The security functions are stored in a security operations structure that covers the fundamental operations that must be protected. For example, the security_socket_create hook (security_ops->socket_create) checks permissions prior to creating a new socket and considers the protocol family, the type, the protocol, and whether the socket is created within the kernel or in user-space. Listing 1 provides a sample of the code from the socket.c for socket creation (see ./linux/net/socket.c).

Listing 1. Kernel code for socket creation

  static int __sock_create(int family, int type, int protocol,
                           struct socket **res, int kern)
  {
      int err;
      struct socket *sock;

      /*
       * Check protocol is in range
       */
      if (family < 0 || family >= NPROTO)
          return -EAFNOSUPPORT;
      if (type < 0 || type >= SOCK_MAX)
          return -EINVAL;

      err = security_socket_create(family, type, protocol, kern);
      if (err)
          return err;

      ...

The function security_socket_create is defined in ./linux/include/linux/security.h. It provides indirection from the call security_socket_create to the function that's dynamically installed in the security_ops structure (see Listing 2).

Listing 2. Indirect call for the socket-creation check

  static inline int security_socket_create(int family, int type,
                                           int protocol, int kern)
  {
      return security_ops->socket_create(family, type, protocol, kern);
  }

The function in the security_ops structure is installed by the security module. In this case, the hooks are defined in the loadable kernel module for SELinux. Each SELinux call is defined within the hooks file that completes the indirection from the kernel function to the dynamic call for the particular security module (see Listing 3 from .../linux/security/selinux/hooks.c).

Listing 3. The SELinux socket-creation check

  static int selinux_socket_create(int family, int type,
                                   int protocol, int kern)
  {
      int err = 0;
      struct task_security_struct *tsec;

      if (kern)
          goto out;

      tsec = current->security;
      err = avc_has_perm(tsec->sid, tsec->sid,
                         socket_type_to_security_class(family, type, protocol),
                         SOCKET__CREATE, NULL);
  out:
      return err;
  }

At the core of Listing 3 is the call to validate that the current operation is permitted for the current task (as defined by current->security, where current represents the currently executing task). The Access Vector Cache (AVC) is a cache of previous SELinux decisions (to increase the process's performance). This call includes the source security identifier (sid), the security class (constructed from the details of the requested operation), the particular socket call, and optional auxiliary audit data. If the decision isn't found in the cache, then the security server is invoked to obtain the decision (this process is shown in Figure 2).

Figure 2. Layered Linux security process

The callback hooks installed into security_ops are supplied dynamically by a loadable kernel module (through register_security()); when no security module is loaded, security_ops holds dummy stub functions instead (see ./linux/security/dummy.c). These stub functions implement the standard Linux DAC policy. The callback hooks exist at all points where object mediation must be provided for security. These include task management (creation, signaling, waiting), program loading (execve), file system management (superblock, inode, and file hooks), IPC (message queues, shared memory, and semaphore operations), module hooks (insertion and removal), and network hooks (covering sockets, netlink, network devices, and other protocol interfaces). You can learn more about the various hooks in the Resources section or by reviewing the security.h file.
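To make the indirection concrete, here is an added user-space model of the mechanism described in Listings 1 to 3. It is my example, not kernel code and not taken from the page: a table of function pointers stands in for security_ops, a permissive stub plays the role of the dummy.c hook, register_security_model() swaps in a module's table the way register_security() does, and a small decision cache in front of a toy "security server" shows why the AVC saves work on repeated calls. Every name ending in _model, the toy policy, and the -13 return value (standing in for -EACCES) are assumptions made for the example.

```c
/* Added example, not kernel code: a user-space model of the LSM indirection
 * shown in Listings 1-3. Names ending in _model, the toy policy and the
 * EACCES_NEG value are hypothetical stand-ins for security_ops, the dummy.c
 * stubs, avc_has_perm(), register_security() and -EACCES. */
#include <stdio.h>

#define EACCES_NEG (-13)            /* stands in for the kernel's -EACCES */
#define SOCK_STREAM_MODEL 1         /* stand-ins for SOCK_STREAM/SOCK_DGRAM/SOCK_RAW */
#define SOCK_DGRAM_MODEL  2
#define SOCK_RAW_MODEL    3
#define PERM_CREATE       0x1       /* plays the role of SOCKET__CREATE */

typedef unsigned int secid_t;
enum sec_class { CLASS_TCP_SOCKET = 1, CLASS_UDP_SOCKET, CLASS_RAW_SOCKET };

/* Hypothetical struct security_operations: one slot per mediated operation. */
struct ops_model {
    int (*socket_create)(secid_t task_sid, int family, int type, int protocol, int kern);
};

/* dummy.c analogue: no mandatory policy, so every creation is permitted (DAC only). */
static int dummy_socket_create_model(secid_t task_sid, int family, int type, int protocol, int kern)
{
    (void)task_sid; (void)family; (void)type; (void)protocol; (void)kern;
    return 0;
}
static struct ops_model dummy_ops = { dummy_socket_create_model };
static struct ops_model *security_ops_model = &dummy_ops;   /* what security_ops points at */

/* Toy security server and access vector cache (AVC). */
struct avc_entry { secid_t sid; int tclass; int decision; int valid; };
static struct avc_entry avc[16];
static int security_server_calls;     /* counts cache misses that reached the "server" */

/* Toy policy: sid 1 may create any non-raw socket, sid 2 only TCP sockets, raw never. */
static int security_server_compute(secid_t sid, int tclass)
{
    security_server_calls++;
    if (tclass == CLASS_RAW_SOCKET) return EACCES_NEG;
    if (sid == 1) return 0;
    if (sid == 2 && tclass == CLASS_TCP_SOCKET) return 0;
    return EACCES_NEG;
}

/* avc_has_perm() analogue: answer from the cache, consult the server only on a miss. */
static int avc_has_perm_model(secid_t sid, int tclass, unsigned int requested)
{
    (void)requested;                   /* a single permission bit in this model */
    unsigned int slot = (sid * 31u + (unsigned int)tclass) % 16u;
    if (avc[slot].valid && avc[slot].sid == sid && avc[slot].tclass == tclass)
        return avc[slot].decision;     /* cache hit: no policy computation */
    int d = security_server_compute(sid, tclass);
    avc[slot] = (struct avc_entry){ sid, tclass, d, 1 };
    return d;
}

static int socket_type_to_class_model(int family, int type, int protocol)
{
    (void)family; (void)protocol;
    if (type == SOCK_STREAM_MODEL) return CLASS_TCP_SOCKET;
    if (type == SOCK_DGRAM_MODEL)  return CLASS_UDP_SOCKET;
    return CLASS_RAW_SOCKET;
}

/* The hook the module installs; same shape as selinux_socket_create() in Listing 3. */
static int selinux_socket_create_model(secid_t task_sid, int family, int type, int protocol, int kern)
{
    if (kern)
        return 0;                      /* kernel-internal sockets skip the check */
    return avc_has_perm_model(task_sid, socket_type_to_class_model(family, type, protocol), PERM_CREATE);
}
static struct ops_model selinux_ops = { selinux_socket_create_model };

/* register_security() analogue: swap the dummy table for the module's table. */
static void register_security_model(struct ops_model *ops) { security_ops_model = ops; }
static void unregister_security_model(void) { security_ops_model = &dummy_ops; }

/* The inline wrapper sys_socket() calls (Listing 2's shape). */
static int security_socket_create_model(secid_t task_sid, int family, int type, int protocol, int kern)
{
    return security_ops_model->socket_create(task_sid, family, type, protocol, kern);
}

static int server_calls(void) { return security_server_calls; }

int main(void)
{
    int r = security_socket_create_model(2, 2, SOCK_RAW_MODEL, 0, 0);
    printf("dummy stub, raw socket: %d\n", r);
    register_security_model(&selinux_ops);
    r = security_socket_create_model(2, 2, SOCK_STREAM_MODEL, 0, 0);
    printf("module, sid 2 TCP: %d (server calls %d)\n", r, server_calls());
    r = security_socket_create_model(2, 2, SOCK_STREAM_MODEL, 0, 0);
    printf("module, sid 2 TCP again: %d (server calls %d, cache hit)\n", r, server_calls());
    r = security_socket_create_model(2, 2, SOCK_DGRAM_MODEL, 0, 0);
    printf("module, sid 2 UDP: %d\n", r);
    r = security_socket_create_model(2, 2, SOCK_RAW_MODEL, 0, 1);
    printf("module, kernel-internal socket: %d\n", r);
    unregister_security_model();
    return 0;
}
```

The point to notice is that the caller, security_socket_create_model(), never changes: which policy answers depends only on which table security_ops_model points at, and with the stub installed the raw-socket request that SELinux would refuse is simply permitted.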

Configuring Network Server

1 Peer to Peer Network Model

Before configuring a computer network, you have to decide which networking model you require. There are two main types of network model: peer to peer and client/server. In the peer to peer network model you simply use the same workgroup for all the computers and a unique name for each computer. Additionally, you will have to give each computer a unique IP address of the same class (A, B, or C) together with the related subnet mask. For example, if you decide to use class A IP addresses for the three computers in your peer to peer network, then your IP address/subnet mask settings can be as follows:

Computer Name   IP Address      Subnet Mask   Workgroup
PC1             100.100.100.1   255.0.0.0     Officenetwork
PC2             100.100.100.2   255.0.0.0     Officenetwork
PC3             100.100.100.3   255.0.0.0     Officenetwork

To set these, right click on My Computer, click Properties, and then go to the Network Identification section. In a peer to peer network all computers act as clients because there is no centralized server. A peer to peer network is used where no security is required in the network. If one computer fails, all the other computers in a peer to peer network keep working normally.

2 Client/Server Network Model

In the client/server network model one computer plays a centralized role and is known as the server; all other computers in the network are known as clients. All client computers access the server simultaneously for files, databases, documents, spreadsheets, web pages and resources such as hard drives, printers, fax modems, CD/DVD-ROM drives and others. In other words, all the client computers depend on the server, and if the server fails to respond or crashes then networking/communication between the server and the client computers stops.

Configuration Steps

1. Choose a unique name for each client computer.
2. Choose a unique IP address for each computer and the relevant subnet mask.
3. Use the same domain name for all client PCs.

Network/system administrators are required to do these administrative tasks on the server and client computers. Any shared resource on the network, whether on the server or on a client, can be accessed through My Network Places on the Windows 2000 platform. Another way to connect to a shared resource is to type \\ComputerName\SharedDriveLetter in the Run dialog. The network configuration steps are carried out by right clicking My Computer > Properties. To give the IP address, right click My Network Places > Properties > Local Area Connection > Properties > Internet Protocol (TCP/IP) > Properties, and then give the IP address and subnet mask of the same range and class for all the computers in the network.

TCP Wrapper Configuration

Here we'll discuss a simple yet effective method of reducing the risk of unwanted network access, using a tool called TCP wrappers. This mechanism "wraps" an existing service (such as the mail server), screening the network connections that are made to it and refusing connections from unauthorized sites. This is a simple way of adding access control to services that weren't originally designed for it, and is most commonly used in conjunction with the inetd or xinetd daemons.

TCP wrappers are somewhat equivalent to the security guards, or "bouncers," that we might find protecting the entrance to large parties or nightclubs. When you approach a venue, you first encounter the security guard, who may ask you your name and address. The guard then consults a guest list, and if you're approved, the guard moves aside and allows you entry to the party. When a network connection is made to a service protected by TCP wrappers, the wrapper is the first thing encountered. The wrapper checks the source of the network connection using the source hostname or address and consults a list that describes who is allowed access. If the source matches an entry on the list, the wrapper moves out of the way and allows the network connection access to the actual daemon program.

There are two ways to use TCP wrappers, depending on your Linux distribution and configuration. If you are using the inetd daemon for managing services (check to see if the file /etc/inetd.conf exists), TCP wrappers are implemented using a special daemon called tcpd. If you are using the xinetd daemon instead (check for the directory /etc/xinetd.d), xinetd is usually configured to use TCP wrappers directly. We'll describe each case in the following sections.

Using TCP Wrappers with inetd

If your system uses the inetd daemon to launch network services, it may be necessary to edit your /etc/inetd.conf file to use TCP wrappers. Let's use the finger daemon, in.fingerd, as an example. The basic idea is that instead of running the actual in.fingerd daemon, inetd launches the tcpd daemon instead. tcpd performs the TCP wrapper operation and then runs in.fingerd in its place if the connection is accepted. Configuring TCP wrappers requires a very simple change to /etc/inetd.conf. For the finger daemon, you might have an entry in this file, such as:

    # /etc/in.fingerd finger daemon
    finger   stream  tcp  nowait  root  /usr/sbin/in.fingerd  in.fingerd

To protect the finger daemon using tcpd, simply modify the /etc/inetd.conf entry, as so:

    # /etc/in.fingerd finger daemon
    finger   stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.fingerd

Here we've caused the tcpd command to be executed instead of the actual in.fingerd command. The full pathname of the finger daemon is passed to tcpd as an argument, and tcpd uses this argument to launch the real daemon after it has confirmed that access should be allowed. You'll need to make this change for each daemon program you wish to protect. On most Linux systems you may find that tcpd is already configured, so these changes won't be necessary.
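Because the change has to be repeated for every daemon line, the check a practitioner wants is "which launchable services in this inetd.conf are still started without tcpd?". The following added example (my code, not from the page or from any Linux distribution) parses inetd.conf-style lines, classifies each one, and rewrites an unwrapped entry into the wrapped form the text describes. The sample configuration is constructed, and the /usr/sbin/tcpd location is assumed as on the page.

```c
/* Added example: audit inetd.conf-style text for services launched without tcpd
 * and produce the wrapped form of an entry. Sample config below is constructed;
 * TCPD_PATH is an assumption matching the path used in the text. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TCPD_PATH "/usr/sbin/tcpd"
#define MAXF 8                       /* fields kept per line (extra argv is dropped) */

/* Split a line into whitespace-separated fields; returns the number found. */
static int split_fields(const char *line, char fields[][128], int nf)
{
    int n = 0;
    while (*line && n < nf) {
        while (*line && isspace((unsigned char)*line)) line++;
        if (!*line) break;
        const char *start = line;
        while (*line && !isspace((unsigned char)*line)) line++;
        size_t len = (size_t)(line - start);
        if (len > 127) len = 127;
        memcpy(fields[n], start, len);
        fields[n][len] = '\0';
        n++;
    }
    return n;
}

/* inetd.conf layout: service socktype proto wait/nowait user server_path [argv...].
 * Returns 1 if the server path is tcpd, 0 if a real daemon is launched directly,
 * -1 for comments, blank lines, malformed lines and inetd's built-in "internal" services. */
static int inetd_line_is_wrapped(const char *line)
{
    char f[MAXF][128];
    int n = split_fields(line, f, MAXF);
    if (n == 0 || f[0][0] == '#' || n < 6) return -1;
    if (strcmp(f[5], "internal") == 0) return -1;
    const char *base = strrchr(f[5], '/');
    base = base ? base + 1 : f[5];
    return strcmp(base, "tcpd") == 0 ? 1 : 0;
}

/* Rewrite an unwrapped entry: tcpd becomes the server, the real daemon's full path
 * becomes tcpd's first argument, and any extra daemon arguments follow it.
 * Returns 1 on success, 0 if the line is not an unwrapped entry or does not fit. */
static int wrap_inetd_line(const char *line, char *out, size_t outlen)
{
    char f[MAXF][128];
    int n = split_fields(line, f, MAXF);
    if (n < 6 || inetd_line_is_wrapped(line) != 0) return 0;
    int w = snprintf(out, outlen, "%s %s %s %s %s %s %s",
                     f[0], f[1], f[2], f[3], f[4], TCPD_PATH, f[5]);
    for (int i = 7; i < n; i++) {            /* field 6 was argv[0]; keep the rest */
        if (w < 0 || (size_t)w >= outlen) return 0;
        w += snprintf(out + w, outlen - (size_t)w, " %s", f[i]);
    }
    return (w > 0 && (size_t)w < outlen) ? 1 : 0;
}

/* Count services in a whole configuration text that bypass tcpd. */
static int count_unwrapped_services(const char *conf)
{
    int unwrapped = 0;
    for (const char *p = conf; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len > 255) len = 255;
        memcpy(line, p, len);
        line[len] = '\0';
        if (inetd_line_is_wrapped(line) == 0) unwrapped++;
        if (!nl) break;
        p = nl + 1;
    }
    return unwrapped;
}

/* Constructed sample /etc/inetd.conf, not taken from a real system. */
static const char *sample_inetd_conf =
    "# /etc/in.fingerd finger daemon\n"
    "finger  stream tcp nowait root /usr/sbin/in.fingerd in.fingerd\n"
    "telnet  stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd\n"
    "echo    stream tcp nowait root internal\n"
    "daytime dgram  udp wait   root /usr/sbin/tcpd /usr/sbin/in.daytimed\n";

int main(void)
{
    char fixed[256];
    printf("services not wrapped by tcpd: %d\n", count_unwrapped_services(sample_inetd_conf));
    if (wrap_inetd_line("finger stream tcp nowait root /usr/sbin/in.fingerd in.fingerd", fixed, sizeof fixed))
        printf("wrapped entry: %s\n", fixed);
    return 0;
}
```

Lines whose server field is "internal" are skipped deliberately: those services are handled inside inetd itself and have no daemon to wrap.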

Using TCP Wrappers with xinetd xinetd is a replacement for inetd that some distributions (such as Red Hat) are adopting. In most cases, xinetd has built-in support for TCP wrappers, so all you'll need to do is modify the TCP wrapper configuration files (/etc/hosts.allow and /etc/hosts.deny) as described in the next section. If you are installing xinetd yourself, be sure to compile support for TCP wrappers; this is described in the xinetd documentation.

ssh_config

ssh_config - OpenSSH SSH client configuration files

Synopsis

~/.ssh/config
/etc/ssh/ssh_config

Description

ssh obtains configuration data from the following sources in the following order:

1. command-line options
2. user's configuration file (~/.ssh/config)
3. system-wide configuration file (/etc/ssh/ssh_config)

For each parameter, the first obtained value will be used. The configuration files contain sections separated by "Host" specifications, and a section is only applied for hosts that match one of the patterns given in the specification. The matched host name is the one given on the command line. Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

The configuration file has the following format: empty lines and lines starting with '#' are comments. Otherwise a line is of the format "keyword arguments". Configuration options may be separated by whitespace or by optional whitespace and exactly one '='; the latter format is useful to avoid the need to quote whitespace when specifying configuration options using the ssh, scp and sftp -o option.
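The "first obtained value wins" rule, combined with the three-source order, is the part of ssh_config that most often surprises people, so here is an added example (my code, not OpenSSH's parser) that implements that resolution for one keyword: command line first, then a user file, then a system file, walking each file in order and honouring Host patterns with '*', '?' and '!' negation. The two configuration texts are constructed, and the example also includes a deliberately mis-ordered file to show a general "Host *" default shadowing a later host-specific value.

```c
/* Added example: a minimal ssh_config resolver following the precedence rules in
 * the text. Not OpenSSH code; the config texts below are constructed samples. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Case-insensitive string equality (ssh_config keywords are case-insensitive). */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Host-pattern glob: '*' matches any run of characters, '?' exactly one. */
static int glob_match(const char *pat, const char *s)
{
    while (*pat) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (!*pat) return 1;
            for (; *s; s++) if (glob_match(pat, s)) return 1;
            return 0;
        }
        if (!*s || (*pat != '?' && tolower((unsigned char)*pat) != tolower((unsigned char)*s)))
            return 0;
        pat++; s++;
    }
    return *s == '\0';
}

/* Evaluate a "Host p1 p2 ..." argument list: a matching negated pattern ('!')
 * excludes the host outright; otherwise any positive match selects the block. */
static int host_matches(const char *patterns, const char *host)
{
    char buf[256];
    int positive = 0;
    snprintf(buf, sizeof buf, "%s", patterns);
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        if (tok[0] == '!') { if (glob_match(tok + 1, host)) return 0; }
        else if (glob_match(tok, host)) positive = 1;
    }
    return positive;
}

/* Split "keyword arguments" or "keyword=arguments"; 0 for blank/comment lines. */
static int parse_line(const char *line, char *key, size_t klen, char *arg, size_t alen)
{
    size_t i = 0;
    while (isspace((unsigned char)*line)) line++;
    if (*line == '\0' || *line == '#') return 0;
    while (*line && !isspace((unsigned char)*line) && *line != '=' && i + 1 < klen) key[i++] = *line++;
    key[i] = '\0';
    while (isspace((unsigned char)*line)) line++;
    if (*line == '=') { line++; while (isspace((unsigned char)*line)) line++; }
    for (i = 0; *line && i + 1 < alen; ) arg[i++] = *line++;
    while (i > 0 && isspace((unsigned char)arg[i - 1])) i--;    /* trim trailing space */
    arg[i] = '\0';
    return key[0] != '\0';
}

/* First matching value of keyword for host in one config text; 1 if found. */
static int lookup_in_config(const char *conf, const char *host, const char *keyword,
                            char *out, size_t outlen)
{
    int block_applies = 1;                 /* lines before any Host line apply to all hosts */
    for (const char *p = conf; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256], key[64], arg[192];
        if (len > 255) len = 255;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_line(line, key, sizeof key, arg, sizeof arg)) {
            if (ieq(key, "Host"))
                block_applies = host_matches(arg, host);
            else if (block_applies && ieq(key, keyword)) {
                snprintf(out, outlen, "%s", arg);
                return 1;                  /* first obtained value wins */
            }
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* Source order from the text: command line, then ~/.ssh/config, then /etc/ssh/ssh_config. */
static int resolve_option(const char *cmdline, const char *user_conf, const char *system_conf,
                          const char *host, const char *keyword, char *out, size_t outlen)
{
    if (cmdline) { snprintf(out, outlen, "%s", cmdline); return 1; }
    if (lookup_in_config(user_conf, host, keyword, out, outlen)) return 1;
    return lookup_in_config(system_conf, host, keyword, out, outlen);
}

/* Constructed sample files. The user file puts the specific block first, as recommended. */
static const char *user_conf =
    "Host web.example.test\n"
    "    Port 2222\n"
    "    User deploy\n"
    "Host *.example.test !web.example.test\n"
    "    User admin\n"
    "Host *\n"
    "    Port = 22\n";
static const char *system_conf =
    "# system-wide defaults\n"
    "Host *\n"
    "    User root\n"
    "    StrictHostKeyChecking ask\n";
/* Mis-ordered file: the general default comes first and therefore shadows the specific port. */
static const char *wrong_order_conf =
    "Host *\n"
    "    Port 22\n"
    "Host web.example.test\n"
    "    Port 2222\n";

int main(void)
{
    char v[128];
    if (resolve_option(NULL, user_conf, system_conf, "web.example.test", "Port", v, sizeof v))
        printf("web.example.test Port -> %s\n", v);
    if (resolve_option(NULL, user_conf, system_conf, "db.example.test", "User", v, sizeof v))
        printf("db.example.test User -> %s\n", v);
    if (lookup_in_config(wrong_order_conf, "web.example.test", "Port", v, sizeof v))
        printf("mis-ordered file, web.example.test Port -> %s (specific value lost)\n", v);
    return 0;
}
```

The wrong_order_conf lookup returns 22, not 2222: the first block matches every host, so its Port is the first obtained value and the specific block below it is never consulted. That is the ordering mistake the text warns about.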
