Referencing Network Services

This section contains the quick reference information related to Fedora Linux network services. The table listing these services (Table C-1) contains the following information:

• Feature: What type of service is it?

• Package names: What software packages must be installed to use the service?

• Start-up scripts: Which start-up scripts launch the service?

• Daemon: What daemon process is running to provide the service?

• Configuration files: What configuration files can you modify to tailor the service to your specific needs?

The descriptions following the table provide additional information about the service. That information includes whether or not the service is started by default and where you can find more information about the service.

The following sections provide some additional information about the services described in Table C-1. (You’ll find the table at the end of the chapter.)

Web server

In most cases, you use the apache software package to create a Web server in Fedora Linux. If apache is installed, you must turn on the service to use it (as root user, type chkconfig httpd on). Start-up will fail unless you have a valid name (and IP address) for your Web server. To define a server name, add a ServerName entry to the httpd.conf file and restart the service.

Users who can access your system from the network will be able to view the contents of the /var/www/html directory. Replace the index.html file and add your own content. If the httpd-manual package is installed, /var/www/manual contains the apache manual.

An alternative to apache is the TUX HTTP server. TUX is a high-performance Web server. The entire protocol stack for TUX runs in the Linux kernel. Configure TUX in the /etc/sysconfig/tux file. The TUX service is off by default. To turn it on, type chkconfig tux on and it will start the next time you start your computer. It will offer the same content that apache does (from the /var/www/html directory).

File servers

File services in Fedora Linux can be provided using FTP servers, Samba (Windows) servers, Network File System (NFS) servers, and NetWare servers. The following sections describe each of these.

FTP servers

The Very Secure FTP daemon (vsftpd) package was designed from scratch to be very scalable and fast. It is geared toward FTP sites that require support for lots of simultaneous users. Configure vsftpd by editing the /etc/vsftpd.conf and /etc/vsftpd.user_list files. The vsftpd package shares the /var/ftp directory structure and listens on port 21 for service requests.

To turn on FTP service, type the following (as root user):

 # service vsftpd start  # chkconfig vsftpd on 

Samba server

The Samba server software supports the Server Message Block (SMB) file- and printer- sharing protocol. SMB is most often used to share resources on local networks consisting of computers running Microsoft Windows. You would not typically share SMB files and printers over a public network, such as the Internet.

Samba services are off by default in Fedora Linux. To have Samba start automatically when you boot your computer, simply type chkconfig smb on as the root user.

In order for Samba to be useful, edit the Samba configuration file, /etc/samba/smb.conf. An easy way to configure this file is with the Samba Server Configuration window (described in Chapter 18).

Netatalk server

The Netatalk server software lets Linux act as an AppleTalk server for Macintosh computers. To use netatalk, you must install the netatalk package and turn on the service by typing chkconfig atalk on. Configuration is done from files in the /etc/atalk directory.

NetWare server

NetWare is an operating system from Novell, Inc. that provides dedicated file and print services to network users. The mars-nwe package lets you set up your computer to emulate a NetWare file server. Although mars-nwe is no longer distributed with Fedora Linux, the package is available from various software repositories.

If you install mars-nwe, by default, NetWare file and print services are off. To turn them on, type chkconfig mars_nwe on. To make the service usable, you must edit the /etc/nwserv.conf file.

Login servers

A variety of login servers are available for use with Fedora Linux. Both telnet and rlogin services can be used to allow users from other computers to log in to Fedora Linux from the network. These days, however, ssh is the preferred login service. For most of these services, you need to remember to allow access to that service from your firewall.

If the telnet-server package is installed, the telnet service is off by default. If telnet is enabled, the xinetd daemon passes all requests for telnet service (by default, port 23) to the in.telnetd daemon to present the telnet login prompt. Once it is on, only users with real logins to the computer can log in to the computer — anonymous users are not supported. Users who log in using telnet are presented with a shell interface for accessing the computer.

Fedora Linux also includes login daemons that provide Kerberos 5 support. Kerberos 5 provides a higher level of security than is available with other login servers. Kerberos 5–enabled login servers include Klogin (Kerberos 5) and EKlogin (Kerberos 5 with encryption).

The rlogin service has been available for UNIX systems for a long time, though it is generally less secure than the other login services described here. The rlogin service is off by default on your Fedora Linux system.

A newer addition to the login servers available with Fedora Linux is the OpenSSH server. This service is on by default. To access this service, use applications that come with the openssh-client software package, such as the ssh, sftp, and slogin remote login commands. Many Linux administrators use OpenSSH tools, as opposed to older remote login tools such as rlogin and telnet because OpenSSH is believed to be more secure.

PermitRootLogin no

E-mail servers

The most common protocols used to download e-mail from a mail server to a client workstation are Post Office Protocol (POP) and Internet Message Protocol (IMAP). If you configure Fedora Linux as your mail server, you can configure the dovecot package to provide POP and IMAP services.

Dovecot is an IMAP/POP3 mail server that works with both maildir and mbox formats. You use IMAP or POP3 if your users get their mail from their own desktop instead of by running their mail clients on the mail server. By default, all POP or IMAP services are off. Choose the POP or IMAP server you would like to use from those provided in the e-mail reader servers listing in Table C-1.

The default mail-transfer agent that comes with Fedora Linux is called sendmail. If sendmail software is installed, the sendmail service is started automatically. However, you must configure various files in the /etc/mail directory for the service to work beyond the localhost.

Postfix is an alternative to sendmail, as is the exim mail transport agent. Using the alternatives feature (described earlier in this appendix and in Chapter 10), you can easily make any of those packages your default mail-transfer agent. Configuration files for postfix are located in the /etc/postfix directory, while exim configuration files are in the /etc/exim directory. Also make sure that you turn sendmail off (chkconfig sendmail off) and turn postfix or exim on (chkconfig postfix on or chkconfig exim on).

The comsat service can be turned on to check when e-mail arrives in users’ mailboxes in Fedora Linux. Though comsat is off by default, if you turn it on you can use the biff or xbiff commands to alert users when e-mail arrives in their mailboxes. To turn comsat on, simply edit the comsat file in /etc/xinetd.d to change the disable = yes entry to disable = no.

News server

Fedora Linux comes with the Internet Network News Server (INN) software to let you set up a Fedora Linux system as a news server. INN can provide your users access to thousands of Internet newsgroups.

By default, INN service is off in Fedora Linux. To turn it on, type chkconfig inn on. To make the service usable, you must edit files in the /etc/news directory.

Print servers

The Common UNIX Printing System (CUPS) print server software is included as the default printer software for the current release of Fedora Linux. As an alternative, the LPR New Generation (LPRng) software is still available but is no longer provided with Fedora Linux.

The Common UNIX Printing System (CUPS) is a recently developed alternative to LPRng and other printing interfaces that were built on facilities originally designed for line printers in the 1970s. CUPS is based on the Internet Printing Protocol (RFC 2616). Although it is compatible with other UNIX/Linux print facilities, CUPS is intended to make it easier to support new printers, protocols, and other devices as they become available.

The CUPS server (cupsd) is set up to run by default. Configuration files for CUPS are located in the /etc/cups directory.

Network administration servers

Some network servers offer services that monitor or configure network configurations. Several of these services, listed in Table C-1, are described in the following sections.

Network Time Protocol server

The Network Time Protocol (NTP) Server synchronizes time among computers on a network.

The Fedora Linux firstboot process lets you turn on the NTP service. To further tune ntp, you must edit the /etc/ntp.conf file. The /etc/ntp.conf file contains information that identifies the addresses of synchronization sources and modes of operation. The /etc/ntp/keys file can be used to turn on authentication.

Portmap server

The portmap server translates Remote Procedure Call (RPC) numbers to TCP/IP and UDP port numbers. Certain network services, such as NFS (nfs) and Wall (rwalld), only work properly if this server is running. RPC numbers are stored in the /etc/rpc file.

SWAT

The Samba Web Administration Tool (SWAT) provides a Web-based interface for configuring Samba file and print services. When properly configured, a Web browser can access the SWAT service (with a root user password). Although this is a well-tested interface, the Samba Server Configuration window is the preferred tool for configuring Samba in Fedora Linux.

By default, the SWAT service is off in Fedora Linux. To turn the service on, edit the /etc/xinetd.d/swat file and change the disable = yes entry to disable = no. This makes the service available to a Web browser on the local host that asks for port number 901 (for example, http://localhost:901). You can remove the line only_from = 127.0.0.1 to allow a Web browser from any computer that has access to your computer on the network to use SWAT. (Of course, a remote user would also need to know your root password.)

Arpwatch server

The Arpwatch service can be turned on to monitor Ethernet/IP activities on your network. Any potential problems (such as two different computers using the same IP address) are logged to the syslog facility (usually to the /var/log/messages file).

By default, the Arpwatch service is turned off. To turn it on, type chkconfig arpwatch on. You can check the /var/log/messages file to see if the Arpwatch services started successfully and watch for changes on your network.

Simple Network Management Protocol server

The Simple Network Management Protocol (SNMP) server lets your Fedora Linux system listen for SNMP requests from the network. With this server running, other computers using SNMP tools can monitor the activities of your computer (based on configuration files set up on your system).

By default, SNMP is turned off. To turn it on, type chkconfig snmpd on and chkconfig snmptrapd on. SNMP configuration can be quite complex. Start by referring to the snmpd.conf man page (type man snmpd.conf). Pay special attention to security issues with SNMP. Refer to the net-snmp project site (http://net-snmp.sourceforge.net) for a tutorial and more information.

Information servers

By distributing such information as host names, user account information, and network addresses, an administrator can more easily manage groups of networked computers. Popular types of servers for managing network information include Network Information System (NIS), Dynamic Host Configuration Protocol (DHCP), and Lightweight Directory Access Protocol (LDAP).

Network Information System servers

Network Information System (NIS) is a software feature developed by Sun Microsystems to manage information needed to configure a group of UNIX (and now Linux) computers on a network. Using NIS, a group of computers can share common passwd, groups, hosts, and other configuration files.

By default, NIS services are off. You can turn on NIS services for your Linux computer as either an NIS client (using shared information) or an NIS server (distributing shared information). NIS client computers need to start the /etc/init.d/ypbind script and identify the NIS servers in the /etc/yp.conf file.

To use Fedora Linux as an NIS server, you must gather up the configuration files you want to share, then start the /etc/init.d/ypserv script. The script runs the /usr/sbin/ypserv daemon, which takes care of the distribution of information to the NIS client computers.

Dynamic Host Configuration Protocol server

Instead of going to each computer on your local network and adding all the TCP/IP information they need in order to work (IP address, netmasks, gateways, and so on), you can configure Fedora Linux as a Dynamic Host Configuration Protocol (DHCP) server to distribute that information. The client computer simply identifies the IP address of the DHCP server so that when the client starts up its network connection, the DHCP server automatically assigns its network address.

By default, DHCP is turned off. To turn it on, type chkconfig dhcpd on. Besides starting the service, you must also configure the /etc/dhcpd.conf file.

Lightweight Directory Access Protocol server

If your organization uses Lightweight Directory Access Protocol (LDAP) databases of information, running the LDAP server that comes with Fedora Linux enables you to access those databases. Likewise, the LDAP server enables you to use LDAP-enabled applications, such as Netscape Roaming Access and sendmail 8.

By default, the LDAP service is turned off. To turn it on, type chkconfig ldap on. In addition to running the start-up script, you must configure files in the /etc/ldap/ directory.

Domain Name System server

A Domain Name System (DNS) server is set up to translate host names to IP addresses on a TCP/IP network. Fedora Linux can be configured as a DNS server using the named daemon.

By default, the DNS server is not configured to start automatically in Fedora Linux. To start a DNS server, type chkconfig named on. In addition to starting the service, you must configure the /etc/named.conf file and configure zone files (in the /var/named directory).

Reverse Address Resolution Protocol server

The Reverse Address Resolution Protocol (RARP) daemon responds to requests from RARP clients that must obtain their own IP addresses. Today, RARP is not used very often.

By default, the RARP package (rarpd-ss981107-18) is not installed by default. When it is installed, the service is off. To start an RARP server, type chkconfig rarpd on. When requests come in for addresses, the /usr/sbin/rarpd daemon checks the /etc/ethers or NIS+ databases for addresses.

Database services

Database servers provide tools for accessing and managing databases of information. The Postgresql service uses the postmaster daemon to handle requests for its services. The MySQL server runs the mysqld daemon to handle access to its databases. These daemons are started from start-up scripts in /etc/init.d: postgresql and mysqld scripts, respectively.

User services

Fedora Linux can provide end users with a variety of network services. These services let users run remote programs, send messages in real time, and get information on active users.

Remote execution servers

Remote execution servers respond to requests from other computers to run commands on the local computer. This can be a security issue, so be careful in configuring these services. Three remote execution service daemons are available with Fedora Linux: Rsh, Rexec, and Kshell.

• The Rsh service (/usr/sbin/in.rshd) accepts requests for remote execution requests that were initiated by the rsh command (from other Linux or UNIX systems). By default, the service is off. The host or user (or both) must be allowed access before remote execution is permitted. Access is configured in the /etc/hosts.equiv file or in the .rhosts file in each user’s home directory.

• The Rexec service (/usr/sbin/in.rexecd) accepts remote execution requests from the rexec command (from other Linux or UNIX systems). By default, the service is off. To allow remote execution, the user making the request must provide a valid user name and password.

• The Kshell service (/usr/kerberos/sbin/kshd) receives remote execution requests from the rsh command. It uses Kerberos authentication and encryption, making it more secure than the alternative in.rshd daemon. By default, the service is off. However, if you turn it on (by editing the /etc/xinetd.d/kshell file and changing the disable = yes entry to disable = no), it takes precedence over the in.rshd daemon.

The OpenSSH service (using the sshd daemon) described earlier can also be used for remote execution. OpenSSH is actually considered to be a more secure way to do remote execution than the other methods just described.

Talk server

Use the in.talk or in.ntalk servers to allow users to communicate using the talk command. The talk command enables users to type messages back and forth in real time. The talk daemon handles requests on port 517, and the ntalk daemon handles requests on port 518.

Both services are turned off by default. To turn on either service, edit the /etc/xinetd.d/talk and/or /etc/xinetd.d/ntalk files and change the disable = yes entry to disable = no.

Finger server

The finger (/usr/sbin/in.fingerd) server lets people use the finger command to request information about active users on Linux or UNIX systems locally or over a network. This service is off by default. If the in.fingerd server accepts a request from a finger command, the output to the user who made the request looks something like the following:

[maple]  Login: jake                  Name: Jake W. Jones  Directory: /home/jake        Shell: /bin/bash  Last login Mon Oct 14 13:34 (PDT) on pts/2 from maple  Mail last read Mon Oct 14 12:10 2000 (PDT) 

The output shows the user’s login name, real name, home directory, and shell. It also shows when the user last logged in and accessed his or her e-mail.

Remote user identification

The rusers server (/usr/sbin/rpc.rusersd) enables users to query the system from a remote computer to list who is currently logged in to the Fedora Linux system. The rusers command can be used to query the rpc.rusersd server.

By default, the rusers service is off. To start the server, type chkconfig rusersd on.

Write-to-All server

The Write-to-All (rwall) server (/user/sbin/rpc.rwalld) accepts requests to broadcast a text message to the screens of all users currently logged in to the Fedora Linux or other UNIX system. The request is made with the rwall command. By default, the rwall service is off. To start an rwall server, type chkconfig rwalld on.

Security services

Fedora Linux provides some services to protect your local network from outside attacks. These services include system logging, virtual private network servers, and caching servers. The following sections describe those services.

System logging

Though not specifically a network service, the system-logging facility (sysklogd package) logs information and error messages from most of the network services (and other services) on your computer. The system-logging daemon (/sbin/syslogd) should be running at all times.

The syslogd daemon is, by default, started at all multiuser run levels (2, 3, 4, and 5). You can change what messages are logged or have logging messages directed to different files by reconfiguring the /etc/syslog.conf file. You can change options used by the syslogd daemon by editing the /etc/sysconfig/syslog file.

Virtual private network servers

By encrypting data that travels across public networks, a virtual private network (VPN) can provide a secure way for users to access your local network from remote locations. Fedora Core 1 came with the Crypto IP Encapsulation (CIPE) virtual private network software. In Fedora Core 3, the IPsec virtual private network service is included.

Proxy/caching server

The Squid server (/usr/sbin/squid) can be used as both a proxy server and a caching server. A proxy server can allow computers on your local network to communicate with the Internet by passing all requests through the proxy server. A caching server stores Web content that has been accessed by a local user on a computer that is physically closer to the user than the originating computer.

By default, the Squid server is off. To start the Squid server, type chkconfig squid on. You must also set up the /etc/squid/squid.conf file to identify who has access to the server and what services they can access.