1. You have a growing network of Linux computers, and have to maintain users and passwords on each of these computers on a daily basis. You're having to update administrative files such as /etc/passwd on a number of computers. What can you do to simplify your task?
Answers
1. You can set up an NIS server to maintain a common database of usernames and passwords. This should include at least the basic password database files, such as /etc/passwd, /etc/group, /etc/shadow, and /etc/gshadow, as defined in the /var/yp/Makefile configuration file.

Before you can set up an NIS server, you need to make sure you have the packages that you need, specifically the ypserv and yp-tools RPM packages. You can check and install these packages using the rpm command, as described throughout the book. Once installed, you'll want to start the ypserv service from the /etc/rc.d/init.d directory. You'll also want to use the chkconfig command to make sure this service starts the next time you boot this computer.

You'll need to set up an NIS domain name with the domainname command. You can then configure the NIS master server with the following command:

# /var/lib/yp/ypinit -m

This command assumes the local computer should also be configured as an NIS client on the given network. You're then prompted to enter the hostnames of other computers that you want to add to the NIS domain.

On a larger network, it can be helpful to have a backup for the NIS master server. If the NIS master server hostname is NISmaster, you can set this up with the following command:

# /var/lib/yp/ypinit -s NISmaster

You can then set up clients by configuring the ypbind service on each computer in the NIS domain. Make sure that the ypbind service starts the next time each computer restarts with a command such as:

# chkconfig --level 35 ypbind on
2. You want to set up a RHEL 3 computer as a secure Web server. To keep that system secure, you'll want to configure an appropriate firewall, and disable any services that you don't need. What should you do?
Answers
2. If you want to set up a RHEL 3 computer as a secure Web server, it's a straightforward process. You'll want to set up a firewall to block all but the most essential ports. This should include TCP/IP ports 80 and 443, which allow outside computers to access your regular and secure Web services. The easiest way to set this up is with the text-mode Red Hat Security Level configuration tool, which you can start with the lokkit or redhat-config-securitylevel-tui commands (lokkit is now a 'front-end' to redhat-config-securitylevel-tui). Once you're in the Red Hat tool, take the following steps:
3. You want to make sure even the root user has to enter the root password when opening Red Hat administrative tools. You can do this by modifying the appropriate file in the /etc/pam.d directory. Try this out with the Red Hat Security Configuration tool.
Answers
3. To make this lab work, you'll need to modify the PAM configuration for the Security Level Configuration tool, which is the redhat-config-securitylevel file in the /etc/pam.d directory. Open this file in the text editor of your choice. The first two commands allow users to start this tool without being prompted for a password:

auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so

The first command checks whether you're the root user. The second checks whether you've opened the given tool recently, based on the conditions of the pam_timestamp module. If you delete (or comment out) these commands, all users, including the root user, will have to enter the root password when opening this tool. To do so, take the following steps:
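The edit described in this answer, done as an added shell example that is not from the book: it works on a constructed copy of /etc/pam.d/redhat-config-securitylevel in a temporary directory and comments out only the two auth-phase shortcut lines, leaving the rest of the stack alone.

```shell
#!/bin/sh
# Added example (not from the book): disable the two "sufficient" auth lines
# in a PAM service file so that even root is prompted for the root password.
# The sample file below is constructed to resemble the RHEL 3 file.
set -e

WORK=$(mktemp -d)
PAMFILE="$WORK/redhat-config-securitylevel"
cat > "$PAMFILE" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       sufficient   pam_timestamp.so
auth       required     pam_stack.so service=system-auth
account    required     pam_permit.so
session    required     pam_permit.so
session    optional     pam_xauth.so
session    optional     pam_timestamp.so
EOF

# require_root_password FILE: comment out the auth shortcuts in FILE in place.
# Only the "auth" lines are touched; the session-phase pam_timestamp line
# (which records the timestamp rather than honouring it) is left as it is.
require_root_password() {
    sed -i -E -e '/^auth[[:space:]]+sufficient[[:space:]]+pam_rootok\.so/s/^/#/' \
              -e '/^auth[[:space:]]+sufficient[[:space:]]+pam_timestamp\.so/s/^/#/' "$1"
}

# active_auth_shortcuts FILE: how many auth lines still bypass the password.
active_auth_shortcuts() {
    grep -c -E '^auth[[:space:]]+sufficient[[:space:]]+pam_(rootok|timestamp)\.so' "$1" || true
}

require_root_password "$PAMFILE"
echo "auth shortcuts left active: $(active_auth_shortcuts "$PAMFILE")"
```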
4. In this lab, you'll see how you can limit access to specific users through the PAM listfile module, applied to the Secure Shell service that's covered in Chapter 11. Assume that you have four users on your system: michael, donna, randy, and nancy, and want to limit access to randy and nancy. What do you need to do to make this happen?
Answers
4. To limit access to a PAM-configured tool to specific users, you need a bit of help from the PAM listfile.so module, /etc/security/pam_listfile.so. With the following steps, I'm assuming that you need to configure the four specified users; you can configure existing users of your choice.
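The listfile approach for this lab, as an added shell example that is not from the book: it writes a constructed stand-in for /etc/pam.d/sshd and an allow-list under a temporary directory, and shows the decision the rule yields for each of the four users.

```shell
#!/bin/sh
# Added example (not from the book): restrict sshd's PAM stack to the users
# named in a list file via pam_listfile. All paths are temporary, constructed
# stand-ins for /etc/pam.d/sshd and a list file under /etc/security.
set -e

WORK=$(mktemp -d)
PAMDIR="$WORK/pam.d"; SECDIR="$WORK/security"
mkdir -p "$PAMDIR" "$SECDIR"
cat > "$PAMDIR/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
EOF

# allow_only_users PAMFILE LISTFILE user...: write the allow-list and put the
# pam_listfile rule first in the auth stack. sense=allow makes the list an
# allow-list, item=user matches the login name, and onerr=fail denies access
# when the list cannot be read (fail closed rather than open).
allow_only_users() {
    pamfile=$1; listfile=$2; shift 2
    printf '%s\n' "$@" > "$listfile"
    chmod 0600 "$listfile"   # pam_listfile refuses a world-writable list
    rule="auth       required     pam_listfile.so onerr=fail item=user sense=allow file=$listfile"
    # Insert the rule directly after the "#%PAM-1.0" header line.
    { head -n 1 "$pamfile"; echo "$rule"; tail -n +2 "$pamfile"; } > "$pamfile.tmp"
    mv "$pamfile.tmp" "$pamfile"
}

# pam_listfile_decision LISTFILE USER: what the rule above yields for USER.
pam_listfile_decision() {
    grep -qx "$2" "$1" && echo allow || echo deny
}

allow_only_users "$PAMDIR/sshd" "$SECDIR/sshd.allow" randy nancy
for u in michael donna randy nancy; do
    echo "$u: $(pam_listfile_decision "$SECDIR/sshd.allow" "$u")"
done
```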
5. You want to set up Telnet service on your internal LAN, accessible only to one specific IP address. You want to block access from outside the LAN. Assume that your LAN's network address is 192.168.1.0, and the IP address of the computer that should get access is 192.168.1.33. For the purpose of this lab, feel free to substitute the IP address of a second Linux computer on your network. What do you do?
Answers
5. When you set up any xinetd service such as Telnet, there are several steps in the process. You'll need to modify the xinetd Telnet configuration file, and set up filtering in one of three ways: in the /etc/xinetd.d/telnet configuration file, through tcp_wrappers, or with the appropriate firewall commands:
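The three filtering layers named in this answer, as an added shell example that is not from the book: the files are written into a temporary tree (the real ones are /etc/xinetd.d/telnet, /etc/hosts.allow and /etc/hosts.deny), the iptables rules are printed rather than applied, and a small checker reads back the only_from line to show which clients it admits.

```shell
#!/bin/sh
# Added example (not from the book): limit Telnet to 192.168.1.33 at three
# layers. Paths under $WORK are constructed stand-ins for the real /etc files.
set -e
ALLOWED=192.168.1.33
WORK=$(mktemp -d); mkdir -p "$WORK/xinetd.d"

# Layer 1: xinetd only accepts the service from the listed address.
write_xinetd_telnet() {
    cat > "$WORK/xinetd.d/telnet" <<EOF
service telnet
{
        disable         = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        only_from       = $ALLOWED
}
EOF
}

# Layer 2: tcp_wrappers; hosts.allow is consulted first, then hosts.deny.
write_tcp_wrappers() {
    echo "in.telnetd: $ALLOWED" > "$WORK/hosts.allow"
    echo "in.telnetd: ALL"      > "$WORK/hosts.deny"
}

# Layer 3: the packet filter, printed so it can be reviewed on any machine.
# The ACCEPT for the one client must come before the DROP for everyone else.
telnet_iptables_rules() {
    echo "iptables -A INPUT -p tcp --dport 23 -s $ALLOWED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 23 -j DROP"
}

# telnet_permitted CLIENT: what the generated only_from line decides for CLIENT.
telnet_permitted() {
    awk -v c="$1" '/only_from/ { for (i = 3; i <= NF; i++) if ($i == c) ok = 1 }
                   END { print (ok ? "allow" : "deny") }' "$WORK/xinetd.d/telnet"
}

write_xinetd_telnet; write_tcp_wrappers
telnet_iptables_rules
for c in 192.168.1.33 192.168.1.44 10.0.0.5; do echo "$c: $(telnet_permitted "$c")"; done
```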
6. You want to set up a secure Web server on your corporate LAN that supports inbound requests from your LAN and the Internet, but you do not want any of these requests from the Internet to get into your intranet. What can you do?
Answers
6. Scenario 1: Cost is not an object. This means you can build a DMZ using two firewalls and a separate Web server, all running Linux. You should have the Web server dedicated only to the Web. You configure two more Linux hosts, each with two network cards, and essentially isolate the intranet behind one firewall. You then put the Web server in the middle, placing the second firewall between the Web server and the Internet. You configure the firewall on the intranet with IP masquerading to ensure anonymity for all your intranet hosts.

Scenario 2: You have one old computer available, and the Web server is a separate computer. Use your one computer as the firewall between you and the Internet and only forward HTTP packets to the Web server IP address directly; use NAT for all intranet requests going out to the Internet for HTTP and FTP. Disallow all other services.
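The rule set for Scenario 2, as an added shell example that is not from the book: one Linux firewall with two interfaces forwards only HTTP from the Internet to the Web server and masquerades outbound HTTP and FTP from the LAN. The interface names and the Web server address are assumptions; the rules are generated as text so they can be reviewed before being run.

```shell
#!/bin/sh
# Added example (not from the book): iptables rules for Scenario 2, one Linux
# firewall between the intranet and the Internet. Interfaces and addresses
# below are assumed values, not from the book.
set -e
EXT_IF=eth0             # Internet-facing interface (assumed)
INT_IF=eth1             # intranet interface (assumed)
LAN=192.168.1.0/24      # intranet network (assumed)
WEB=192.168.1.10        # Web server on the LAN (assumed)

firewall_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -t nat -F
iptables -F
# Replies to connections the LAN or the firewall itself initiated.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Nothing else reaches the firewall itself; add an SSH rule here if you manage it remotely.
# Inbound from the Internet: only HTTP, and only to the Web server.
iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $WEB
iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -d $WEB --dport 80 -m state --state NEW -j ACCEPT
# Outbound from the intranet: HTTP and FTP only, hidden behind the firewall's address.
# FTP data channels through NAT also need the ip_conntrack_ftp and ip_nat_ftp modules.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -p tcp -m multiport --dports 21,80 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# forwarded_ports: the destination ports the FORWARD chain opens for new flows,
# read back from the generated rules as a quick review of what is exposed.
forwarded_ports() {
    firewall_rules | grep -- '-A FORWARD' | grep -- '--state NEW' \
        | sed -n 's/.*--dports\{0,1\} \([0-9,]*\).*/\1/p' | tr ',' '\n' | sort -n | uniq | xargs
}

firewall_rules
echo "ports forwarded for new connections: $(forwarded_ports)"
```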