5.1. Useful Commands

This section considers some programs and commands that simplify administration tasks and make administration more effective. We start with the commands needed to understand the material that follows.

5.1.1. netconfig

The netconfig command starts the network-configuration utility (Fig. 5.1). It has a convenient graphical interface that makes it possible to configure the network parameters without editing the configuration files by hand.

Figure 5.1: The netconfig window

5.1.2. ping

One of the commands most frequently used by administrators is ping. It sends ICMP echo request packets to the specified system to determine whether that machine is up and reachable.

For example, executing the ping 195.18.1.41 command on my machine displayed the following results:

 PING 195.18.1.41 (195.18.1.41) from 195.18.1.41 : 56(84) bytes of data.
 64 bytes from 195.18.1.41: icmp_seq=1 ttl=64 time=0.102 ms
 64 bytes from 195.18.1.41: icmp_seq=2 ttl=64 time=0.094 ms
 64 bytes from 195.18.1.41: icmp_seq=3 ttl=64 time=0.094 ms
 64 bytes from 195.18.1.41: icmp_seq=4 ttl=64 time=0.095 ms
 --- 195.18.1.41 ping statistics ---
 4 packets transmitted, 4 received, 0% loss, time 3013ms
 rtt min/avg/max/mdev = 0.094/0.096/0.102/0.007 ms

The first line shows the IP address of the computer being probed. If you give ping a host name, this is where you find the corresponding IP address. At the end of that line, the size of the packets to be sent is given in bytes.

The entries are of the following format:

 64 bytes from 195.18.1.41: icmp_seq=1 ttl=64 time=0.102 ms

This tells you that 64 bytes were received from the address 195.18.1.41. The parameters after the colon have the following meanings:

  • icmp_seq The packet's sequence number. It is incremented by one for each successive packet. If a number is missing, either the ping packet or the reply to it was lost somewhere on the network. This may be caused by faulty equipment, an unreliable cable connection, or one of the routers between the two machines misrouting the packet.

  • ttl The time-to-live value. This number specifies how many routers the packet may pass through on its way to the destination before it is considered lost. The default TTL on most systems is 64, but it can be changed. Each router that handles the packet decrements the value by one; when it reaches 0, the packet is considered lost and is discarded. Thus, the value can be used to estimate the number of routers on the way to the packet's destination.

  • time The round-trip time. This parameter characterizes the latency of the link. The stability of the link can also be judged by how much this value varies from packet to packet. Note that the round-trip time for the first packet is almost always longer than for the following ones; the rest should have roughly the same round-trip time.

If a packet or the reply to it is lost, the program issues a corresponding message. About seven to ten packets are enough to form an idea of the link's quality; the command can then be terminated by pressing the <Ctrl>+<C> key combination. This displays brief statistics about the ping session: the number of packets sent, received, and lost, along with the minimum, average, and maximum round-trip times.
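As an added example (not from the book), the following Python script parses ping output like the listing above and reports the three things just described: lost packets found as gaps in icmp_seq, the RTT statistics, and a hop estimate from the reply's TTL. The sample session and the list of common initial TTLs (64, 128, 255) are assumptions made for the example.

```python
import math
import re

# Matches one reply line; whitespace around '=' is optional so the spacing in the
# book's listing ("icmp_seq = 1 ttl = 64 time = 0.102 ms") parses as well.
REPLY_RE = re.compile(
    r"icmp_seq\s*=\s*(?P<seq>\d+)\s+ttl\s*=\s*(?P<ttl>\d+)\s+time\s*=\s*(?P<rtt>[\d.]+)\s*ms"
)
# Initial TTLs that common operating systems use (assumption behind the hop estimate).
COMMON_INITIAL_TTLS = (64, 128, 255)

# Constructed sample session: reply number 3 never came back.
SAMPLE = """PING 203.0.113.5 (203.0.113.5) 56(84) bytes of data.
64 bytes from 203.0.113.5: icmp_seq=1 ttl=54 time=12.4 ms
64 bytes from 203.0.113.5: icmp_seq=2 ttl=54 time=9.8 ms
64 bytes from 203.0.113.5: icmp_seq=4 ttl=54 time=10.1 ms
64 bytes from 203.0.113.5: icmp_seq=5 ttl=54 time=9.9 ms
"""

def parse_ping(output):
    """Return a list of (icmp_seq, ttl, rtt_ms) tuples, one per reply line."""
    return [(int(m["seq"]), int(m["ttl"]), float(m["rtt"]))
            for m in map(REPLY_RE.search, output.splitlines()) if m]

def estimate_hops(ttl):
    """Routers crossed = assumed initial TTL minus the TTL seen in the reply."""
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None

def analyze(output):
    """Loss from gaps in icmp_seq, RTT min/avg/max/mdev, and a hop estimate."""
    replies = parse_ping(output)
    if not replies:
        return {"received": 0}
    seqs = {seq for seq, _, _ in replies}
    expected = range(1, max(seqs) + 1)   # numbering starts at 1; losses after the last reply are invisible
    lost = [s for s in expected if s not in seqs]
    rtts = [rtt for _, _, rtt in replies]
    avg = sum(rtts) / len(rtts)
    # Standard deviation of the RTTs, the quantity ping reports as mdev.
    mdev = math.sqrt(sum((x - avg) ** 2 for x in rtts) / len(rtts))
    return {
        "received": len(replies), "lost_seqs": lost,
        "loss_pct": 100.0 * len(lost) / len(expected),
        "rtt_min": min(rtts), "rtt_avg": round(avg, 3), "rtt_max": max(rtts),
        "rtt_mdev": round(mdev, 3), "hops": estimate_hops(replies[0][1]),
    }
```

Run `analyze(SAMPLE)` to see the summary; a real session can be fed in with `analyze(subprocess.run(["ping", "-c", "10", host], capture_output=True, text=True).stdout)`.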

The main switches of the ping command are the following:

  • -c n Send n packets and stop. For example, to send five packets, execute ping as follows: ping -c 5 195.10.14.18 .

  • -f Flood ping. Packets are sent without waiting for replies. For example, to send 50 packets this way, execute: ping -f -c 50 195.10.14.18 . Using this switch with a large number of large packets can put a heavy load on the network and on the computer being pinged, and it may even cause a DoS condition on less powerful systems.

  • -s n Specify the packet size. For example, a 1000-byte packet is sent by this command: ping -s 1000 195.10.14.18 . Some older operating system versions contained bugs and would hang when an oversized packet was received. These bugs have been fixed in modern systems.

These are the most often used switches. Additional information on the ping command can be found in its man page by executing the man ping command.

Note 

Not all servers answer echo requests. Some servers may have their firewall configured not to let ICMP traffic through. In this case, a ping request produces no response, although the server is functioning normally and accepts other types of packets without any problems.

5.1.3. netstat

The netstat command displays the current connections to the server. Its output looks similar to the following:

 Active Internet connections (w/o servers)
 Proto Recv-Q Send-Q Local Address    Foreign Address     State
 tcp        0      0 FlenovM:ftp      192.168.77.10:3962  ESTABLISHED
 tcp        0      0 FlenovM:ftp-data 192.168.77.10:3964  TIME_WAIT

All information is presented in columns. Consider each of them:

  • Proto The protocol used by the connection. Most often, this will be unix or tcp.

  • Recv-Q The number of bytes received from the remote side but not yet read by the local program.

  • Send-Q The number of bytes sent but not yet acknowledged by the remote computer.

  • Local address The address of the local computer in the computer:port format. The port can be given either by name or by number. In the preceding example, the port in the first entry is given as ftp, which corresponds to port 21.

  • Foreign address The address of the remote computer in the IP:port format.

  • State The state of the connection.

This command accepts numerous parameters; their complete description can be found in its man page by executing the man netstat command.

If you suspect that your system has been penetrated, you can use this command to determine which services were used to carry out the penetration and which resources the hackers may be using. For example, if the hackers entered through the FTP service, they are most likely working with files: uploading their own files to expand their takeover of the system, modifying or deleting system files, or downloading files containing information of interest to them.
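The following Python helper is an added example, not from the book: it parses netstat output in the layout shown above and, for the triage just described, groups established sessions by local service and flags peers outside the networks you expect clients to come from. The sample output, the hostname FlenovM and the addresses in it are constructed.

```python
import ipaddress

# Constructed netstat output in the layout shown above: one connection per line.
SAMPLE = """Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address      Foreign Address       State
tcp        0      0 FlenovM:ftp        192.168.77.10:3962    ESTABLISHED
tcp        0      0 FlenovM:ftp-data   192.168.77.10:3964    TIME_WAIT
tcp        0    148 FlenovM:ssh        203.0.113.9:51022     ESTABLISHED
tcp        0      0 FlenovM:ftp        198.51.100.23:4471    ESTABLISHED
"""

def parse_netstat(output):
    """Return one dict per connection row; header and summary lines are skipped."""
    conns = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        lhost, lport = fields[3].rsplit(":", 1)   # "host:port"; the port may be a name
        fhost, fport = fields[4].rsplit(":", 1)
        conns.append({"proto": fields[0], "recv_q": int(fields[1]), "send_q": int(fields[2]),
                      "lhost": lhost, "service": lport, "fhost": fhost, "fport": fport,
                      "state": fields[5]})
    return conns

def remote_sessions(conns):
    """Established connections grouped by local service -> sorted foreign hosts."""
    by_service = {}
    for c in conns:
        if c["state"] == "ESTABLISHED":
            by_service.setdefault(c["service"], set()).add(c["fhost"])
    return {svc: sorted(hosts) for svc, hosts in by_service.items()}

def unexpected_peers(conns, allowed_nets):
    """(service, foreign host) pairs whose peer lies outside the allowed networks;
    these are the sessions to look at first when you suspect a break-in."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        try:
            addr = ipaddress.ip_address(c["fhost"])
            known = any(addr in n for n in nets)
        except ValueError:          # netstat printed a hostname; review it by hand
            known = False
        if not known:
            hits.append((c["service"], c["fhost"]))
    return hits
```

On a live system, feed it `netstat -tn` output (numeric ports) so the service column holds port numbers rather than names.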

5.1.4. lsof

The lsof command displays open files. It is quite powerful and accepts many switches. One of its most useful features is listing the open network ports, together with the processes holding them, by executing the command with the -i switch:

 lsof -i 

More detailed information about this command can be found in its man page.

5.1.5. Telnet

A major strength of Linux and its text console is that commands can be executed not only directly at the terminal but also remotely. All you have to do is connect to the Telnet server's port with the help of a Telnet client.

Few Windows utilities can operate from the command line; therefore, this system requires, and widely uses, the graphical mode. The Windows command line offers rather limited capabilities. To solve this problem, a method of terminal access was created that makes it possible to see the contents of the server's display on the client's screen and work with it as if sitting at the server. But this method is traffic-intensive and is inconvenient over slow communications channels.

Compared with the graphical mode of any operating system, the Linux command line uses almost no traffic and works reasonably well even over the slowest channels, such as cellular General Packet Radio Service (GPRS) or home modem connections.

As you understand by now, the Telnet software consists of server and client parts. When a Telnet server is started, port 23 is opened; a client computer can connect to it and execute any commands allowed by the Telnet server.

But that's not all: a Telnet client can be used to connect to other servers. For example, you can connect to port 25 and send email messages from the command line by issuing Simple Mail Transfer Protocol (SMTP) commands.

If you have an FTP server installed, you can execute the following command right now:

 telnet localhost 21 

In this case, you are connecting to the FTP server on the local computer, as specified by the localhost parameter. To connect to the FTP server on a remote computer, specify its address in place of localhost. The second parameter is the port that the server uses. The FTP server receives control commands on port 21, so this port was specified.

I recommend using a Telnet client only for configuring and debugging services, not for controlling the system. Thus, disable Telnet on all of the network's machines. The utility is not secure because it sends data in plaintext, and all attempts to make Telnet secure have failed. One way to secure Telnet is to run it through an Open Secure Sockets Layer (OpenSSL) encrypted channel. But there is another popular method of controlling a server: the Open Secure Shell (OpenSSH) protocol, which is considered in Section 5.3.

Thus, you need a Telnet client, but the Telnet server should be removed from the system.

If you do need to use a Telnet server for some reason, run it over a secure communications protocol employing public and private keys (see Section 5.2). Then the Telnet traffic will travel encrypted over the network; however, you will still have to undertake additional security measures.

If you have a Telnet server installed, try to connect to it by issuing the telnet localhost command. The system will respond with a message similar to the following:

 Trying 127.0.0.1
 Connected to localhost
 Escape character is '^]'.
 ASPLinux release 7.3 (Vostok)
 Kernel 2.4.18-15asp on an i686
 Login:

Do you notice anything dangerous in the information displayed? I see detailed information about the distribution and kernel versions. All of it is available to any user even before he or she logs in to the system. If hackers see open port 23, they will not have to go to the trouble of learning your operating system and kernel version; all they have to do is connect to Telnet to obtain this information.

Telnet being this talkative is a huge security hole that has to be plugged as soon as possible. The messages displayed upon connecting are stored in the /etc/issue and /etc/issue.net files. You can change them as follows:

 echo Text > /etc/issue
 echo Text > /etc/issue.net

Here Text is the text of the new message. You can specify a wrong kernel version to confuse hackers:

 echo Debian Linux > /etc/issue
 echo Kernel 2.4.4 on an i686 > /etc/issue.net

So, whatever distribution and kernel version you actually have installed, any hacker connecting to your computer over Telnet will think that you are running an old Debian system with the 2.4.4 kernel.

The contents of these files, however, will be restored at the next reboot, and Telnet will again show the real distribution and kernel information in the welcome message. You can prevent this by setting the files' immutable (i) attribute, which blocks modifications:

 chattr +i /etc/issue
 chattr +i /etc/issue.net
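To audit a banner the way this section describes, here is an added Python example (not from the book) that reads what a service sends before asking for a login and reports any distribution, kernel or architecture details it finds. The throwaway local server standing in for telnetd and the banner text are constructed so the check runs offline; the leak patterns are my own assumption about what to look for.

```python
import re
import socket
import threading

# Details the section warns a login banner should not volunteer.
LEAK_PATTERNS = {
    "distribution": re.compile(r"\b[A-Za-z]+\s*Linux\s+release\s+[\d.]+", re.I),
    "kernel": re.compile(r"\bKernel\s+\d+\.\d+[\w.-]*", re.I),
    "architecture": re.compile(r"\b(i[3-6]86|x86_64|aarch64|armv\d\w*)\b"),
}

def banner_findings(banner):
    """Return {category: leaked text} for every version detail found in a banner."""
    found = {}
    for name, rx in LEAK_PATTERNS.items():
        m = rx.search(banner)
        if m:
            found[name] = m.group(0)
    return found

def grab_banner(host, port, timeout=3.0):
    """Connect and return whatever the service sends before asking for a login."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            while len(chunks) < 8:          # a banner is short; stop on EOF or timeout
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    return b"".join(chunks).decode("latin-1", "replace")

def serve_once(banner):
    """Constructed stand-in for a telnet server on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)        # send the banner to one client, then close
        srv.close()
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

# Constructed banner mirroring the listing above (not captured from a real host).
TALKATIVE = b"ASPLinux release 7.3 (Vostok)\r\nKernel 2.4.18-15asp on an i686\r\nLogin: "
```

Against a real host, call `banner_findings(grab_banner(host, 23))` after editing /etc/issue.net; an empty result means the banner no longer gives away the system's versions.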

5.1.6. r Commands

There are so-called r commands in Linux: rlogin, rsh, rcp, rsync, and rdist. I will not consider them because they are obsolete and present a great security danger. These commands allow remote connection to the system and send their data in plaintext. Although you may need a Telnet client to test services, you have no need for these commands. I mention them only so that you will delete them from the system, to avoid the temptation of using them yourself and to prevent hackers from exploiting them.



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141
