42.1. Networking Configuration (Topic 2.205)

42.1.1. Review Questions

  1. You have learned that a system does not currently specify the correct default gateway. The correct default gateway address is 192.168.2.1. What commands would you issue to delete the existing gateway address and add a new one?

  2. What command would you issue to assign a second IP address of 192.168.2.55 and a netmask of 255.255.255.0 to your eth1 card?

  3. The arpwatch daemon has discovered several "flip-flops," implying that ARP poisoning has occurred on your network. Where can you read the alerts sent by the daemon?

  4. A remote office has had to swap out a failed NIC in its Linux router. This router must work with an ISP's cable modem to allow the remote office to access the Internet. However, the ISP's cable modem recognizes only the MAC address of the failed card. What command can help you solve this problem?

  5. You have tried to use tcpdump to capture packets and analyze them. However, by default tcpdump captures only the first part of each packet, and you want to capture and display the entire packet. You also want to save the capture into a file named cap1.cap. What command allows you to do this?

  6. You have just used the netstat command, and have read the following entry:

     tcp    0   6 64-128-206-189.ge:53208 mail1.oreilly.com:imap2 ESTABLISHED

     What system has opened port 143?

42.1.2. Answers

  1. Run two commands:

     # route del default gw
     # route add default gw 192.168.2.1

  2. Run:

     # ifconfig eth1:1 192.168.2.55 netmask 255.255.255.0 

  3. arpwatch alerts are usually mailed to the root user. Use the mail command to read the messages.

  4. Use the ifconfig command to specify the same MAC address as the failed NIC:

     # ifdown eth0
     # ifconfig eth0 hw ether 00:02:03:06:07:08
     # ifup eth0

  5. Use the following tcpdump command:

     # tcpdump -vvv -s 1518 -i eth0 -w cap1.cap 

  6. The system named mail1.oreilly.com has opened port 143: imap2 is the service name for port 143, the IMAP port.

42.1.3. Exercise

  1. As root, experiment with the tcpdump command. Many examples exist in the manpage for tcpdump. Specifically for the LPI 202 Exam, experiment with the following command:

     # tcpdump host host1 and \( host2 or host3 \) 

    The tcpdump command captures all packets sent between the host named host1 and either the host named host2 or the host named host3. Now, try the following command:

     # tcpdump -i eth1 not arp and not '(port ssh)' and not '(port http)' 

    This command excludes ARP packets, as well as those associated with SSH and standard web traffic. You can exclude more ports by adding more "and not" phrases. Notice also that the previous command specifies an interface, in this case the second one on the system. If you are using a standard hub-based network, you will be able to sniff the packets going to and from remote systems. However, if you are on a switch-based network, tcpdump will capture only packets going to and from your local system.

  2. Experiment with the ifconfig command. Use it to add a second IP address. Then ping the new address from both your local system and a remote system. Change your system's MAC address. You can also stop and start interfaces and change the system's IP address. Finally, use ifconfig to change your network interface's IP address. Reboot your system and see whether the change you made remains. Then, review the /etc/network/interfaces file (for Debian-based systems) or the /etc/sysconfig/network-scripts file (for Red Hat/Fedora-based systems).

  3. The arp command allows you to view and manipulate the ARP cache. View the cache by running the arp command without arguments, then use it to add and delete entries. Notice that if you delete an entry, then reconnect to the system, you will see that the deleted system has been added back.

  4. The netcat command (also nc) has become a standard tool. It is ideal for testing to see whether local or remote ports are open. You can also use it as a primitive port scanner and even as a quick and dirty way to transfer files between systems. Use netcat to monitor your systems only.

  5. The arpwatch command monitors MAC address and IP address pairings on a network. These pairings should not change often. Install and run arpwatch if it is not already working. Use an application such as ettercap, or use ifconfig to change a system's MAC address, then see how arpwatch notifies the root account on the local system that a pairing has changed. Sudden changes can be evidence that an attacker is trying to spoof connections or engage in packet sniffing on a switch-based network.

  6. The ping command is quite standard. However, familiarize yourself with various options, including ping -c, ping -a, and ping -f. The -f option will work only when run as root. If you want, use tcpdump to collect the flood of packets sent when you use the -f option. Experiment also with specifying packet sizes and different time to live (TTL) settings.

  7. Use wvdialconf and wvdial to configure PPP-based dial-up access for your system. Also, familiarize yourself with the chat program and the contents of a standard chat file. Examples of this file exist in this book, as well as on the Internet. Make sure that you understand the purpose of the chap-secrets and pap-secrets files.

  8. Once you have configured PPP access, configure VPN access using the pptp command. Make sure that you clearly understand the ports used in pptp and how to troubleshoot connections by reviewing files such as /var/log/messages using tail with the -f option.

  9. Linux systems are extremely flexible. For example, it is possible to add a second NIC to your Linux system and use it as a router. Once you have two NICs installed and recognized, configure each with IP addresses. Then enable IP forwarding. You can do this either by changing the value of /proc/sys/net/ipv4/ip_forward to 1 or by editing the /etc/sysctl.conf file. As root, simply add the following line:

      net/ipv4/ip_forward=1

     Then run the following command:

      # sysctl -p /etc/sysctl.conf

    Once you have done this, your system will forward packets between the two NICs. You can return your system to normal by changing the 1 value to 0 in the /proc/sys/net/ipv4/ip_forward file.

  10. The netstat command is deceptively simple. Familiarize yourself with all of the fields in netstat output. Also, become familiar with the many options to netstat, including -na, -nr, and -M.
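As an added illustration of exercises 3 and 5 (this script is not from the book), the following POSIX shell script applies the same rule arpwatch uses to flag a "flip-flop": an IP address whose MAC address differs from the one last seen for it. The input format "<seq> <ip> <mac>" is an assumption constructed for the example (it is not arpwatch's own log format); the snapshot_arp helper shows how to produce it from repeated arp -n runs.

```shell
#!/bin/sh
# Added example, not the book's code: flag ARP "flip-flops" (an IP whose
# MAC address changes between observations), which is what arpwatch reports.
# Input format is constructed for this example: one line "<seq> <ip> <mac>".

# Constructed sample: 192.168.2.10 changes MAC twice; the gateway stays stable.
SAMPLE_ARP_LOG='1 192.168.2.1 00:02:03:06:07:08
1 192.168.2.10 00:11:22:33:44:55
1 192.168.2.20 00:de:ad:be:ef:01
2 192.168.2.1 00:02:03:06:07:08
2 192.168.2.10 00:AA:BB:CC:DD:EE
3 192.168.2.10 00:11:22:33:44:55
3 192.168.2.20 00:de:ad:be:ef:01'

# Read observations on stdin; print "<seq> <ip> <old_mac> -> <new_mac>" for
# every change. MACs are lowercased first, since arp output varies in case.
detect_flipflops() {
    awk '
    { mac = tolower($3) }
    ($2 in last) && last[$2] != mac {
        printf "%s %s %s -> %s\n", $1, $2, last[$2], mac
    }
    { last[$2] = mac }
    '
}

# Number of flip-flops in the constructed sample (handy for scripting).
count_flipflops() {
    printf '%s\n' "$SAMPLE_ARP_LOG" | detect_flipflops | wc -l | tr -d ' '
}

# Live use: turn one "arp -n" snapshot into "<seq> <ip> <mac>" lines, skipping
# the header and incomplete entries (whose third column is not a MAC address).
# Run it repeatedly with an increasing sequence number and append the output to
# a log, then pipe the whole log through detect_flipflops.
snapshot_arp() {
    arp -n | awk -v seq="$1" 'NR > 1 && $3 ~ /:/ { print seq, $1, $3 }'
}

printf '%s\n' "$SAMPLE_ARP_LOG" | detect_flipflops
```

A MAC that flips back and forth, as 192.168.2.10 does in the sample, is the pattern arpwatch mails to root; a single permanent change is what you see after a legitimate NIC swap.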



LPI Linux Certification in a Nutshell (In a Nutshell (O'Reilly))
ISBN: 0596005288
Year: 2004
Pages: 257