
SuSE Linux / System- und Reference-Handbuch (System and Reference Manual) - Networks


Contents

1. Floppy Disk. The rescue system can also be started from the floppy disk, especially if the computer only has a small amount of working memory. Regardless of the medium chosen, the rescue system is decompressed, loaded onto a RAM disk as a new root file system, mounted and started. It is then ready for use. 9.3.1 Working with the Rescue System. The rescue system provides three virtual consoles on the keys Alt+F1 to Alt+F3, where root may log in without a password. A further console key gives access to the system console, where you can view the kernel and syslog messages. A shell and many other useful utilities, such as the mount program, can be found in /bin. In /sbin you will find the important file and network utilities for reviewing and repairing the file system, e.g. e2fsck. This directory also contains the most important binaries for system maintenance, such as fdisk, mkfs, mkswap, mount, umount, init and shutdown, as well as ifconfig, route and netstat for maintaining the network. The editor vi is located in /usr/bin; tools like grep, find and less, along with telnet, are available as well. Accessing Your Normal System. To mount your SuSE Linux system from the rescue system, use the mountpoint /mnt (you can also use or create another directory). As an example, assume your normal system is put together according to the /etc/fstab shown in the example file.
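The procedure above (read the normal system's fstab, mount the root file system on /mnt, then the other file systems beneath it) can be derived mechanically from that fstab. The following script is an added example and not part of the SuSE manual: it reads an fstab, skips swap, pseudo file systems and noauto entries, orders the remaining entries so that parent directories are mounted before their children, and prints the mount commands for the rescue system instead of running them. The sample fstab inside it is constructed for illustration; the device names and the /mnt mountpoint follow the manual's example.

```sh
#!/bin/sh
# Added example, not part of the SuSE manual: turn the normal system's
# /etc/fstab into the mount commands needed to rebuild that system
# under /mnt from the rescue system. Only POSIX sh, sed and sort are
# used, all of which the rescue system provides.

# mount_plan [BASE]   (fstab text on stdin, BASE defaults to /mnt)
# Emits one mount command per real file system, parents before children,
# skipping swap, pseudo file systems and "noauto" entries. Nothing is
# mounted: review the plan, then pipe it into sh.
mount_plan() {
    _base=${1:-/mnt}
    sed -e 's/#.*//' |
    while read -r _dev _dir _type _opts _rest; do
        [ -n "$_dev" ] && [ -n "$_dir" ] || continue
        case $_type in
            swap|proc|devpts|sysfs|tmpfs|usbdevfs) continue ;;
        esac
        _opts=${_opts:-defaults}
        case ",$_opts," in
            *,noauto,*) continue ;;
        esac
        # Prefix each line with the mount point's length so that "/" sorts
        # first and /usr comes before /usr/local.
        printf '%d %s %s %s %s\n' "${#_dir}" "$_dev" "$_dir" "$_type" "$_opts"
    done |
    sort -k1,1n -k3,3 |
    while read -r _len _dev _dir _type _opts; do
        if [ "$_dir" = / ]; then _target=$_base; else _target=$_base$_dir; fi
        # Keep the options (e.g. a read-only /usr) unless they are the default.
        if [ "$_opts" = defaults ]; then
            printf 'mount -t %s %s %s\n' "$_type" "$_dev" "$_target"
        else
            printf 'mount -t %s -o %s %s %s\n' "$_type" "$_opts" "$_dev" "$_target"
        fi
    done
}

# sample_fstab: a constructed fstab of the kind the manual's example assumes
sample_fstab() {
    cat <<'EOF'
# constructed sample, not a real system
/dev/sda2   /              reiserfs  defaults        1 1
/dev/sda1   /boot          ext2      defaults        1 2
/dev/sda5   /usr           reiserfs  ro              1 2
/dev/sda6   /home          reiserfs  defaults        1 2
/dev/sda3   swap           swap      defaults        0 0
proc        /proc          proc      defaults        0 0
/dev/fd0    /media/floppy  auto      noauto,user     0 0
/dev/cdrom  /media/cdrom   auto      ro,noauto,user  0 0
EOF
}

# Demonstration on the constructed sample: sample_fstab | mount_plan /mnt
```

On a real rescue system you would first mount the root partition by hand (for the sample, mount -t reiserfs /dev/sda2 /mnt), then run mount_plan /mnt < /mnt/etc/fstab, read the printed commands and pipe them into sh. Printing rather than mounting is deliberate: on a damaged system you want to notice that a stale fstab names a device that no longer exists before anything is mounted.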
2. ID Request. Provided you have the right software, you can also configure Squid so that it asks every user who wants to surf for his ID (Squid queries an ident daemon on the client host for this). In Linux the program pident is used for this purpose; the related software for Windows clients is available on the Internet as a free download. Blocking undesired URLs. Undesired URLs can be blocked for certain users by way of properly set up ACLs and with a separate program such as SquidGuard, in conjunction with proxy authentication. Content or script languages embedded in HTML (JavaScript, VBScript), however, cannot be filtered, censored or blocked by Squid or SquidGuard in any way. Fine tuning. With a little experience you can further improve your proxy's performance by matching the desired cache size to the memory capacity of your system. Using multiple caches also conserves your system's memory, since objects can then be exchanged with other caches. More Information on Squid. Visit the home page of Squid, http://www.squid-cache.org/. Here you will find well-versed information on the topics of multiple cache usage, tuning the cache, setting up ACLs and setting up the configuration file. http://squid.visolve.com/squid24s1/contents.htm is especially recommended for this and includes extensive explanations of all the different configuration options and much more. Information on using a cache manager can be found at http://www.squid-cache.org/Doc/FAQ/FAQ-9.html.
3. [Figure: YaST2 expert partitioning dialog. The partition list shows /dev/sda with a ReiserFS Linux native partition, a Linux swap partition and an extended partition holding several Linux LVM partitions, an IBM DORS-32160 disk with a DOS partition and a SEAGATE ST32272N disk with a Linux native partition; buttons: Create, Delete, Edit, Reset and Re-Read, Abort Installation.] Partition your hard disk(s). This is intended for experts. If you are not familiar with the concepts of hard disk partitions and how to use them, you might want to go back and select one of the automatic partitioning options. Please note that nothing will be written to your hard disk until you confirm the entire installation in the last installation dialog. Until that point you can safely abort the installation. Note: in YaST2, at least the root (/) file system must be located on a normal partition, such as an ext2 or a ReiserFS partition. Create a primary partition on /dev/sdb: first choose the type of the new partition and whether this partition should be formatted or not. Then enter the file system ID (0x8e, Linux LVM, in the dialog shown), the mount point (e.g. /boot, /usr or /var) and the start cylinder. The end of the new partition is entered either as a cylinder number or as a size, e.g. 9 or 9M or 3.2G.
4. Index excerpt (S to Y): SuSEfirewall; SYSLINUX; system updating with YaST2; system protocol; telnet; users, managing with YaST2; variable ALICE_HOME; Windows SMB; workstation configuration; X; YaST2 (configuring in YaST2: group management, hardware information, installation source, Internet configuration, driver installation, crypto file system, Online Update, Online Update in the console, printer, rc.config editor, Samba, security, sendmail, SLCS variables, software installation, software removal, update, user management, X configuration); YOU.
5. Edit and Delete partitions in this screen (see Figure 3.8 on the following page). A suggestion for partitioning your hard disk might be: / 2 GB; swap double the RAM size, max. 1 GB; /home (user directories; every user has his own directory under /home) about 2 GB per user; /shared (shared directory, accessible network-wide). [Figure 3.8 Selecting Partitions: /dev/sda, 8.5 GB IBM DNES-309170, with a 133.3 MB Linux swap partition and two Linux native partitions of 4.4 GB and 3.9 GB.] If you want to expand the /home directory later, you can do this dynamically with LVM (see Section 3.8 on the next page). The parameters for each partition on your system must be defined by hand: define the size of each partition, entered directly in MB or in hard disk cylinders; decide on a format, choosing between ext2 and ReiserFS (choose ReiserFS if you want the advantages of this journaling file system); define a mountpoint for each partiti...
6. [Figure 3.7 Selecting the partitions where SuSE Linux is to be installed. Dialog "Preparing Hard Disk: Step 2": select where on your hard disk SuSE Linux is to be installed, either existing partitions or free space; the selected space must be contiguous and the selection must start with the highest-numbered partition. Options: Use entire hard disk, or choose partitions that can be erased to make room for SuSE Linux, here on a 8.54 GB SCSI disk /dev/sdb (IBM DNES-309170): /dev/sdb1 133.34 MB Linux swap, /dev/sdb2 4.47 GB Linux native, /dev/sdb3 3.94 GB Linux native. Notice: if you select a region that is not shown as free, you might lose existing data on your hard disk.] During the installation procedure YaST2 will verify whether there is enough space on the hard disk designated for the SuSE Linux installation. If there is not sufficient space, you will be prompted to make another selection. The installation of the SuSE Linux Connectivity Server requires about 800 MB of hard disk space. 3.7.2 Note for Advanced Partitioning. Only select this option if you are familiar with terms such as partitioning, mount points or file systems. The default partitioning has already been configured for your system profile in YaST2. Still, proceed with caution when partitioning your system. You can Add...
7. Choosing Directories to Exclude. The dialog consists of three parts (see Figure 4.31). 1. Choosing the files to back up: here tell YaST which directories should be excluded from the backup. Predefined are /tmp, /dev and /proc. Add mounted CD-ROMs or NFS-mounted file systems to this list. The less you want to be backed up, the faster it will run, since unnecessary comparisons with package lists are omitted. Use the buttons provided to add new directories or remove them. Pressing F10 leads to the next step. 2. Searching: in this step YaST searches for files which should be backed up. The number and size of the packages found are updated while searching. After this has been done, a list with all the files that have been found is shown; here you can still deselect files using the space bar. 3. Entering commands: decide how those files are going to be saved. You can give archive names, options and more. This backup mechanism can only work if the dates of the files have not been changed otherwise. Furthermore, this function requires considerable RAM: the file names of an ordinary CD take up to 6 MB of RAM. You also need enough free disk space to save the backup archive. Compressing the archive leads to a file reduced in size to approximately half of the original. The best way to do backups is to use a tape. 4.7 Important Variables in the rc.config Editor. If you want obt...
8. Other network card modules include 8139too, eepro100 and ne2000. Basic IP configuration: this tag is defined in the network section, in our example in the file /usr/lib/alice/sample/info/simple_sample_de/network.tcf. There is one line per interface, which looks like: <Interface> <IP address> <netmask> <broadcast address>. An example: eth0 192.168.1.200 255.255.255.0 192.168.1.255. In the file, these lines are enclosed in a <NET_IP_CONFIG> ... </NET_IP_CONFIG> tag. After these adjustments have been made, the respective boot floppy is created by first mounting the CD-ROM/DVD on /media/cdrom as root, then creating the floppy with /usr/lib/alice/util/make_inst_disk, giving it the URL file:/media/cdrom and the profile name simple_sample_de. Afterwards another configuration disk must be created; this is done with /usr/lib/alice/util/make_config_disk /dev/fd0. After generating both floppies, installation of the new machine may begin: insert the boot floppy into the drive; insert the CD-ROM/DVD; make sure you are not booting from CD-ROM/DVD (note the boot sequence in the BIOS settings); wait until YaST asks you whether partitioning should be performed. If you confirm this step with yes, the hard disk will be repartitioned. Caution: normally repartitioning will cause all previously saved data to be lost. YaST now carries out the installation. The boot floppy should now be removed and the configura...
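Before a configuration floppy is written, the interface lines of the form <Interface> <IP address> <netmask> <broadcast address> can be checked for internal consistency, since a wrong broadcast address or a non-contiguous netmask only shows up later as odd network behaviour on the freshly installed machine. The script below is an added example and not part of the ALICE tools: it validates each address, rejects netmasks that are not a contiguous run of one bits, recomputes the broadcast address from IP and netmask and compares it with the one given. The file it is pointed at is assumed to be a network.tcf of the kind described above, and the sample lines it checks are constructed.

```sh
#!/bin/sh
# Added example, not part of ALICE: check "<Interface> <IP> <netmask>
# <broadcast>" lines for consistency before they go onto a config disk.

# ip_to_int A.B.C.D -> 32-bit integer on stdout; exit 1 if not a valid
# dotted quad (runs in a subshell so the IFS change stays local)
ip_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    _n=0
    for _o in "$@"; do
        case $_o in
            ''|*[!0-9]*|0?*) return 1 ;;   # empty, non-digit or leading zero
        esac
        [ "$_o" -le 255 ] || return 1
        _n=$(( _n * 256 + _o ))
    done
    echo "$_n"
)

# int_to_ip N -> A.B.C.D
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# is_netmask N: true if the 32-bit value is a run of 1s followed by 0s
is_netmask() {
    _inv=$(( (~$1) & 4294967295 ))
    [ $(( _inv & (_inv + 1) )) -eq 0 ]
}

# check_ip_line "eth0 192.168.1.200 255.255.255.0 192.168.1.255"
# Prints "OK: ..." or "BAD: reason"; exit 0 only when the line is consistent.
check_ip_line() {
    set -- $1
    [ $# -eq 4 ] || { echo "BAD: expected 4 fields, got $#"; return 1; }
    _if=$1
    _ip=$(ip_to_int "$2")   || { echo "BAD: invalid IP address $2"; return 1; }
    _mask=$(ip_to_int "$3") || { echo "BAD: invalid netmask $3"; return 1; }
    _bc=$(ip_to_int "$4")   || { echo "BAD: invalid broadcast $4"; return 1; }
    is_netmask "$_mask" || { echo "BAD: $3 is not a contiguous netmask"; return 1; }
    # broadcast = network part of the IP with all host bits set
    _want=$(( (_ip & _mask) | ((~_mask) & 4294967295) ))
    if [ "$_bc" -ne "$_want" ]; then
        echo "BAD: $_if broadcast should be $(int_to_ip "$_want"), not $4"
        return 1
    fi
    echo "OK: $_if $2/$3 broadcast $4"
}

# check_tcf FILE: check every non-empty, non-comment line of a network.tcf
# (assumed layout: one interface line per line, as described in the manual)
check_tcf() {
    _rc=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|'#'*|'<'*) continue ;; esac   # skip blanks, comments, tags
        check_ip_line "$_line" || _rc=1
    done < "$1"
    return $_rc
}
```

A typical run is check_tcf /usr/lib/alice/sample/info/simple_sample_de/network.tcf before make_config_disk; the script exits non-zero if any line is inconsistent, so it can be used as a guard in a wrapper around the floppy creation.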
9. [Figure 3.15 YaST2 Defining the Crypto File System: the dialog asks for the partition, the crypt file system, the mount point (e.g. /usr/local/secret) and the size, given as a cylinder number or an offset from the first cylinder, e.g. 66.] 3.10 Boot Manager for System Start-Up. A boot mechanism is necessary for Linux to be able to start at all. The point in the system to which the boot manager LILO (LInux LOader) is to be installed must be defined here, as well as whether another boot concept should be applied. Normally the SuSE Linux Connectivity Server is the only system installed on the machine and is also only installed on a single hard disk. If this is the case, it is best to install LILO to the boot sector (MBR) of the hard disk. Otherwise there is always the reliable method of creating a boot disk. The menu Other configuration also provides other options (see Figure 3.17 on page 26). After installing, LILO can be reconfigured with the help of YaST2 or another boot floppy can be generated. More information can be found in Chapter 4.5.7 on page 61. LILO: Other Boot Configuration. YaST2 now provides four options to select. In the MBR of the first hard disk: if SuSE Linux is to be installed as a standalone operating system, LILO should definitely be installed to the MBR (Master Boot Record). In the MBR, LILO can also act as boot manager for multiple operating systems. Only select this opt...
10. [Figure 4.3 YaST2 Selecting the Printer Type. Files are prepared on the local computer; connection for the printer: local printers (parallel printer, USB printer, serial printer); LPD protocol network printing (forwarding queue to a remote LPD, prefilter queue for an LPD forwarding queue); other network printing (Samba/Windows printer, Novell printer, raw data sent to the remote host with the printer); remote printer.] Integrating a printer from a Samba or a Novell network is similar. Once again you will have to specify a print server or select one from the list. The difference to the Linux network is that in this case user information does not need to be known or specified. If you want to connect a local printer to your parallel port, select the item Printer on Parallel Port after clicking on Add, then click on Next. Now choose the parallel port connection. With Test you can again review the printer connection. If the test was successful, a list of the most popular commercial printers is displayed in the next window. Select your model. Information is available about the Linux support depending on the printer model and, for GDI printers, on where to obtain a Linux driver (see Chapter 4.4 on the facing page). Local printers can also be integrated into a serial or a USB interface the same way. GDI Printe...
11. If you suspect someone is trying to find out your password, check the entries in the system log files in /var/log. Add user settings: every user has a numerical as well as an alphabetical user ID. The correlation between these is established via the file /etc/passwd and must be unique. Using the data in this screen, define the range of numbers assigned to the numerical part of the user ID when a new user is added. A minimum of 500 is reasonable for users and should not be undercut. Miscellaneous settings: for the setting of file permissions there are three options: Easy, Secure and Paranoid. The first one should be sufficient for most users; the YaST2 help text provides information on the three security levels. The Paranoid setting is extremely restrictive and should serve... [Figure 4.20 Group administration. Help text of the dialog: several different users can be logged in to the system at the same time. To avoid confusion, each user must have a unique identity if they want to use Linux. Furthermore, every user belongs to at least one group. In this dialog you can get information about existing groups; to switch to the user dialog, push the radio button User administration; Also view system groups; to create a new group, push the button...]
12. Calamaris is also relevant in this context. Calamaris is a Perl script which generates cache reports in HTML or in ASCII format (http://Calamaris.Cord.de/). If you need information on SquidGuard, you can find all kinds of useful tidbits at the project home page: general information at http://www.squidguard.org/, sample configuration and explanations at http://www.squidguard.org/config/. Furthermore, a mailing list for Squid can be found at squid-users@squid-cache.org; the mailing list archive is located at http://www.squid-cache.org/mail-archive/squid-users/. 6.5 Intranet Server. In conclusion, a few words about the Intranet server which will run on your system: Apache. This will provide essential services for the network-internal presentation of some services and also of internal documents. 6.5.1 Apache. A, if not the, prestigious project of the open source scene is the web server Apache. About 60% of all web servers around the world run on this free software, quite obviously underscoring the fact that open source products can indeed operate smoothly in the professional arena. Apache was originally conceived as a type of makeshift solution for enhancing the NCSA 1.3 web server, featuring important innovations and bug fixes. Hence the name, "a patchy server", which has more to do with its patchwork structure than with a North American Indian tribe. Apache as Intra...
13. In more concrete terms, certain permissions must be given to the client program. With the X Window System there are two ways to do this, called host-based access control and cookie-based access control. The former relies on the IP address of the host where the client is supposed to run; the program to control this is xhost. What xhost does is to enter the IP address of a legitimate client host into a tiny database belonging to the X server. Note, however, that relying on IP addresses for authentication is not very secure: if there were a second user working on the host sending the client program, that user would have access to the X server as well, just like someone spoofing the IP address. Because of these shortcomings, this authentication method is not described in more detail here, but you can learn how it functions from the man page of xhost, which includes a similar warning. In the case of cookie-based access control, a character string is generated which is only known to the X server and to the legitimate user, like an ID card of some kind. This cookie (the word goes back not to ordinary cookies but to Chinese fortune cookies, which contain an epigram) is stored on login in the file .Xauthority in the user's home directory and is available to any X Window client wanting to use the X server to display a window. The file .Xauthority can be examined by the user with the tool xauth. If you were to rename .Xa...
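To let a client on a second host open windows on this display, the cookie for exactly that display is taken from the output of xauth list and installed with xauth add on the other side; copying the whole .Xauthority would hand over the cookies of every display it contains. The shell functions below are an added example, not part of the manual or of xauth itself: they check that a cookie is a well-formed 128-bit MIT-MAGIC-COOKIE-1 value, generate a fresh one from /dev/urandom, pick the cookie for a given display out of xauth list output, and build the xauth add command for the remote host. The host name earth and the cookie values used in the demonstration are constructed.

```sh
#!/bin/sh
# Added example, not part of the SuSE manual or of xauth: handle
# MIT-MAGIC-COOKIE-1 entries of the kind "xauth list" prints, so that one
# display's cookie can be checked and carried to another host without
# exposing the cookies of any other display.

# is_cookie HEX: true for a well-formed 128-bit cookie (32 hex digits)
is_cookie() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# gen_cookie: a fresh random 128-bit cookie, as mcookie(1) would produce
gen_cookie() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# cookie_for N   (xauth list output on stdin, e.g. "xauth list | cookie_for 0")
# Prints the MIT-MAGIC-COOKIE-1 value for display :N. Exit status 1 if there
# is no such entry, 2 if the entry found is malformed.
cookie_for() {
    _want=$1
    while read -r _disp _proto _cookie _rest; do
        case $_disp in
            *":$_want") ;;        # matches host:N and host/unix:N
            *) continue ;;
        esac
        [ "$_proto" = MIT-MAGIC-COOKIE-1 ] || continue
        is_cookie "$_cookie" || return 2
        printf '%s\n' "$_cookie"
        return 0
    done
    return 1
}

# remote_add_cmd HOST N COOKIE: the xauth command the user on the other host
# runs so that clients there may connect to HOST:N over the network
# (hence "HOST:N", not the local-only "HOST/unix:N" entry).
remote_add_cmd() {
    printf 'xauth add %s:%s MIT-MAGIC-COOKIE-1 %s\n' "$1" "$2" "$3"
}

# Demonstration on constructed xauth list output:
#   sample_list | cookie_for 0
sample_list() {
    printf '%s\n' \
      'earth/unix:0  MIT-MAGIC-COOKIE-1  8a6e3f1c2b4d5e6f708192a3b4c5d6e7' \
      'earth/unix:1  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef'
}
```

In practice the sequence is: on the host running the X server, xauth list | cookie_for 0 gives the cookie; remote_add_cmd earth 0 "$cookie" is the single line to run as the remote user; after the session, xauth remove earth:0 on the remote side takes it away again. The cookie is a bearer secret: whoever can read it can open windows on and read input from the display, which is why the check that it is exactly 32 hex digits matters when it is passed around by hand.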
14. Index excerpt (R to S): rawrite.exe; registration; rescue disks; rescue floppy; rescue system; RPM security; Samba; Samba project; security (attacks, booting, bugs and, DNS, file rights, local, networks, passwords, permissions, protocols and, reporting problems, RPM signatures, serial terminals, tips and tricks, viruses, worms, X and, YaST2 and); SGID; shutdown; SLCS (network card, registration, Samba, server services); SLCS variables, see YaST2 rc.config editor; SMB; smbclient; smbd; smbpasswd; smbstatus; software (installing with YaST2, removing with YaST2); Squid; start protocol; SUID; support; SuSEconfig.
15. Recently, BIOS versions have become available which enable you to start operating systems above the 1024-cylinder limit. The current LILO version can use this BIOS extension; YaST and YaST2 will inform you of these options for your BIOS while configuring LILO. If your BIOS does not include this extension, continue reading here. 9 Troubleshooting. As emphasized before, the entire LILO machinery, including all data needed for booting, must be reachable through BIOS calls, which means it must reside below the 1024-cylinder limit on the hard disk. The sections of the hard disk that can be used (the "allowed sections") have already been discussed. This restriction affects only the boot-up machinery. It is not required that LILO be installed on the Linux root partition. It is even possible, but quite dangerous, to put the boot machinery onto partitions of other operating systems to which Linux has read and write access. Caution: never install the LILO boot sector onto an unknown partition, because you will severely damage the file system there. The best method is to create a primary partition within the allowed section and to install all LILO files, including the LILO boot sector, into this partition. In most cases this will be the Linux root partition; you can also add it to /boot with YaST. The only condition is that there has to be enough space for boot.b, map, message and the Linux kerne...
16. Server. Open the YaST2 Control Center and select the option NFS Client under Network, Advanced. In the screen which appears, directories from your SuSE Linux Connectivity Server can be integrated into the file system of the client. As a standard, the directories /home (where all personal home directories of the SuSE Linux Connectivity Server clients are stored) and /shared (the public file area accessible to everybody) can both be exported via NFS. In order to integrate these two directories, select New and enter the IP address of your SuSE Linux Connectivity Server as NFS Server Hostname (usually 192.168.0.1). Specify /home or /shared as Remote Filesystem. If /home and /shared are not otherwise required by the client host, we advise you to enter them as mountpoint under Mountpoint (local). You can of course also specify any other directory available on the client. Ignore the Options section if you wish; if necessary, this section may be used by experts for some fine tuning. When you are finished with the settings, confirm and save them with Finish. The directories of your SuSE Linux Connectivity Server will now be integrated under the mountpoints configured in the Control Center. NIS Configuration. After installing NFS it is advisable to activate NIS as well. NIS, also known as the Yellow Pages (YP), is in charge of ensuring t...
17. ...block size. If the superblock is not found, e2fsck will terminate with a fatal error. -c: this option causes e2fsck to run the badblocks(8) program to find any blocks which are bad on the file system and then marks them as bad by adding them to the bad block inode. -C fd: this option causes e2fsck to write completion information to the specified file descriptor so that the progress of the file system check can be monitored. This option is typically used by programs which are running e2fsck. If the file descriptor specified is 0, e2fsck will print a completion bar as it goes about its business; this requires that e2fsck is running on a video console or terminal. -d: print debugging output (useless unless you are debugging e2fsck). -f: force checking even if the file system seems clean. -F: flush the file system device's buffer caches before beginning; only really useful for doing e2fsck time trials. -j external_journal: set the pathname where the external journal for this file system can be found. -l filename: add the blocks listed in the file specified by filename to the list of bad blocks. The format of this file is the same as the one generated by the badblocks(8) program. -L filename: set the bad blocks list to be the list of blocks specified by filename. This option is the same as the -l option, except that the bad blocks list is cleared before the blocks listed in the file are added to the bad blocks list.
18. ...enter the corresponding NT domains in the Client for Microsoft Networks, Properties, NT Domains menu. The NT domains are taken from the Samba configuration (see Section 4.4.1 on page 48, default workgroup). If your SuSE Linux Connectivity Server was configured as a domain controller (the default setting), all user administration takes place on this server; every user created is then recognizable by the Windows clients. You will not need any further settings, as they will be loaded automatically via DHCP from the server. As usual, after the configuration of the ID data you will again have to restart Windows. If, due to particular system settings, this data cannot be automatically incorporated by Windows, determine whether the IP number of the server has been specified for the WINS and DNS server as well as for the gateway. By default this is usually 192.168.0.1. A Preliminary Test. After restarting Windows you will be asked for a user name and a password. Log in as a user with the same characteristics you established in the YaST2 user module. If you have not created any user in the YaST2 Control Center, you can find detailed instructions in Chapter 4.5.1 on page 53. After booting, click Network Neighborhood. At most you will have to wait a few seconds until your SuSE Linux Connectivity Server appears under the names you configured during the installation. Click on the corresponding name and a window will...
19. [Figure 4.19 Adding a New Group with YaST2. The dialog asks for the group name (be careful not to use long names), the numerical group ID (gid), the group password, entered twice for verification, and the members of this group (member1, member2, ...).] ...how Ctrl+Alt+Del is to be interpreted. Usually this combination, entered in the text console, causes the system to restart. Leave it at that unless your machine or server is publicly accessible and you are afraid that someone could carry out this action without authorization. If you select Stop, this key combination will cause the system to shut down. With Ignore, this key combination loses its effect entirely. Secondly: who is permitted to shut down the system from KDM (KDE Display Manager, the graphical login): only root (the system administrator), all users, nobody or local users. If Nobody is selected, the system can only be shut down via the text console. Login: typically, following a failed login attempt there is a waiting period lasting a few seconds before another login is possible. The purpose of this is to make it harder to guess passwords by repeated attempts. In addition you will have the option of activating the items Record failed login attempts and Record successful login attempts.
20. 3.1 The Opening Screen in SuSE Linux. 3.2.1 Other Installation Options. If you press any key before the wait time is up, automatic startup will be disabled, so you can take your time selecting other options. These are especially useful, given the default settings, if problems exist in the graphical display. As the actual launching of the installation to the hard disk is preceded by some dialogs and specific queries, you can always cancel in case there are problems and then choose different options following a reboot. A Different Graphics Mode for YaST2. Choose the standard VGA 640x480 graphics mode, compatible with any graphics card, using the function keys. In the worst case you can also select pure text mode. In the text mode YaST2 screen, skip from one menu item to the next with the Tab key and move inside a menu with the arrow keys; Enter takes you to the next screen. Other Ways to Install. Select other systems with the keys shown on the screen. If you choose Manual Installation, you have more options available to you, in particular in selecting the device drivers to be installed. However, drivers will not be loaded automatically; this is normally only relevant for experts. A Rescue System helps you safely start your computer if there are problems on your system. More information on the rescue system can be obtained in Chapter 9.3 on page 119. Memory Test starts a very exte...
21. Administration with YaST2. [Dialog residue: a list of the system's users, among them root, wwwrun, squid, gnats, irc, vscan, nobody, users, games, adabas, virtuoso, nps, skyrix, wnn and pop, with IDs up to 65534.] ...as the basic level of operation for system administrator settings. If you select Paranoid, take into account possible disturbances and malfunctions when using certain programs, because you will no longer have the permissions to access various files. Also in this dialog, define which user the updatedb program runs as. This program, which automatically runs either on a daily basis or after booting, generates a database (locatedb) where the location of each file on your computer is stored; locatedb can be searched by running the locate command. If you select Nobody, updatedb runs as that unprivileged user and the database contains only the paths that any other unprivileged user can see anyway. If root is selected, all local files are indexed, since root as superuser may access all directories; every user can then learn the names of files in directories they are not allowed to read. Another option is to activate Omit current directory from the path of user root, a reasonable selection. Finally there is the option Disable telnet login for user root. It is also a good idea to choose this item; otherwise any user on the network could log in to your machine as root via telnet, a protocol which transmits the root password across the network in plain text. With Finish this configuration is complete. 4.5.3 Install and Remove Software. This module e...
22. ...IBM. Microsoft released the protocol so that other software manufacturers could establish connections to a Microsoft domain network. Hosts of other operating systems can communicate with hosts in a Microsoft domain network over SMB. Samba sets the SMB protocol on top of the TCP/IP protocol, meaning that TCP/IP must likewise be installed on all clients. Linux can take on the client role as well as the server role, regardless of whether it involves file sharing or print sharing. Samba enables Windows machines to access a Linux file server and to read and store files there. Linux machines can in turn also mount file systems distributed by Windows servers (shares) and have read and write access to them. The good thing about this solution: the Linux server, when accessing the network, acts as if it were a Windows machine itself. To put it more precisely, it presents itself to all the integrated Microsoft hosts in the network as a Windows NT 4 server. This way the Microsoft users in the heterogeneous network never have the impression that they are on foreign turf. Everything appears as it always has, so no costs are incurred for training. Scope of Services. Samba aids Linux computers in providing several services from the Microsoft world. These include: file servers; print servers; primary domain controllers; primary WINS servers; Windows 95...
23. LILO configuration file (File 9.2.1: lilo.conf for Other Partitions):
    # LILO Configuration file
    # Start LILO global section
    boot=/dev/hda                 # Installation target
    backup=/mnt/LINUX/hda.xxxx    # backup of old MBR
    install=/mnt/LINUX/boot.b     # Of course LILO and
    map=/mnt/LINUX/map            # map file are in /mnt/LINUX
    message=/mnt/LINUX/message    # optional
    prompt
    timeout=100                   # Wait at prompt: 10 s
    vga=normal
    # End LILO global section
    # Linux bootable partition config begins
    image=/mnt/LINUX/First_Kernel # default
        root=/dev/Your_Root_Device  # Root partition
        label=linux
    # Linux bootable partition config ends
    # System section for other kernels
    # End Linux
    # DOS bootable partition config begins
    other=/dev/hda1               # MSDOS system drive
        label=dos
        loader=/mnt/LINUX/chain.b
        table=/dev/hda
    # DOS bootable partition config ends
Install LILO with this lilo.conf:
    earth:~ # /sbin/lilo -C /mnt/LINUX/lilo.conf
After that, LILO should work. Boot MS-DOS and protect the LILO files as well as possible against write access (any write access disables LILO). To accomplish this, assign to all files in X:\LINUX, where X: is the DOS drive mounted on /mnt, the DOS attributes system and hidden. In conclusion, we point you toward two HOWTOs in /usr/share/doc/howto/en/mini/: LILO.gz and Large-Disk.gz. 9.3 The SuSE Rescue System. The rescue system is launched using the SuSE boot disk or from your bootable SuSE Linux CD 1. It is required that...
24. Next. Depending on whether you decided to make use of the domain controller functionality of the Samba server or you prefer to use a workgroup without a domain, click the option which suits you. Confirm with Next. When you set up a domain, you will be shown a short information page which you confirm with Next again. If, on the contrary, you are configuring a workgroup, you will only have to add it before completing the setup by clicking on Finish. If you decided to use a domain, you will now also have to indicate your user name and password as configured on your Linux system, beside the name of the domain. The Test Can Now Begin. After restarting, the Windows 2000 system should now be properly configured for accessing the SuSE Linux Connectivity Server. First, in order to perform a function test, you will need to log in after start-up with a user name recognized by the server and Windows 2000, along with a valid password. If you have not set up any users yet, do this now and, if necessary, log in on the Windows 2000 computer with the relevant information. Tip: the configuration of a user on the SuSE Linux Connectivity Server is described in Chapter 4.5.1 on page 53 in more detail. In Windows 2000 you can add a new user in the control panel under Users and Passwords. After logging in, click on Network Neighborhood and choose...
25. Server will be the only system on your machine and installation will only take place on a single hard disk. In this case, simply choose the hard disk, then Entire hard disk. YaST2 will subsequently carry out the appropriate partitioning, whereby all data existing on the hard disk may be deleted in order to make the entire disk space available for the SuSE Linux Connectivity Server.

[Figure 3.6: Selecting the hard disk where SuSE Linux is to be installed. The YaST2 dialog "Preparing Hard Disk: Step 1" lists all automatically detected hard disks (in the screenshot three SCSI disks: /dev/sda, /dev/sdb and /dev/sdc) and offers the options "Custom partitioning for experts" and "Custom partitioning with LVM for experts". Its help text notes that a disk which could not be auto-detected can be installed on with YaST1 as described in the manual.]

If the system requires customized partitioning, however, or you want to use a logical volume manager, partition your own hard disk by selecting the option Advanced settings m
26. TCP/IP as well as the Client for Microsoft Networks are selected, and close the window with OK.

Verifying Network Identification

Close the Device Manager and select the tab Network Identification in the open System Properties window. Windows 2000 will now show you the name chosen for your PC (usually a combination of letters and numbers) as well as the configured workgroup or domain. If this information corresponds to the settings on the server (important) and if you are satisfied with the network host name (less important), close this window by clicking OK.

[Figure 5.2: Network Configuration in Windows 2000. The "Local Area Connection Properties" dialog shows the adapter used by the connection (in the screenshot a Realtek RTL8139A PCI Fast Ethernet Adapter) and the components checked for it: Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, and Internet Protocol (TCP/IP).]

If workgroups or domains do not correspond to those of the SuSE Linux Connectivity Server, click the button Network Authentication. An assistant will appear where you first indicate that this computer belongs to the Company Network, then click
27. been scrutinized by countless testers by way of the open source developer model. Security-related issues are expediently remedied and the related updates are made available over the Internet.

Open source software supports a wide variety of hardware. This way you do not have to depend on the manufacturer and are even able to get relatively low-performance, older hardware working for you, providing a longer useful life for your hardware; the relative independence from innovation cycles you will enjoy overall will turn out to be an excellent advantage.

Open source is based on open standards. If you are, for instance, dependent on long-term data archiving, you will benefit from the use of non-proprietary, manufacturer-independent file formats. By supporting open and standardized communication protocols, your Linux system will easily master data exchange with other systems, regardless of operating system and manufacturer.

If any one of the points mentioned above is an area of concern for you, you will definitely be right on the mark by choosing an open source solution.

2 Support and Services

2.1 No Product Support or Maintenance without Registration

In order to be able to guarantee the best product support possible, only requests from registered users will be responded to. On the back of the CD cover you will find two stickers, each labeled with a product registration code. This code is unique and serves
28. beyond the end of that buffer area, which under certain circumstances makes it possible that a program will execute program sequences influenced by the user (and not by the programmer) rather than just processing user data. A bug of this kind may have serious consequences, in particular if the program is being executed with special privileges. Format string bugs work in a slightly different way, but again it is the user input which could lead the program astray.

In most cases these programming errors are exploited in programs executed with special permissions (setuid and setgid programs), which also means that you can protect your data and your system from such bugs by removing the setuid or setgid bit (chmod u-s, chmod g-s) from programs that do not need it. Again, the best way is to apply a policy of using the lowest possible privileges.

Given that buffer overflows and format string bugs are bugs related to the handling of user data, they are not only exploitable if access has been given to a local account. Many of the bugs that have been reported can also be exploited over a network link. Accordingly, buffer overflows and format string bugs should be classified as being relevant for both local and network security.

Viruses

Contrary to what some people will tell you, there are viruses that run on Linux. However, the viruses that are known were released by their authors as proof of concept, meaning that they were written to prove that the technique
29. company's socket. Enter an MSN (Multiple Subscriber Number) if provided by your phone company. Otherwise leave it blank and the ISDN card should work.

2. The ISDN card is connected to a PBX.

a) The telephone system's protocol is Euro-ISDN (EDSS1), usually for small phone systems for households. These phone systems have an internal S0 bus and use internal numbers for the connected devices. In this case, specify the internal number as the MSN. Further information can be obtained from your phone system documentation. One of the MSNs available for your phone system should work, as long as this MSN is allowed external access. If all else fails, a single zero might work as well.

b) The phone system's protocol for the internal ports is 1TR6 (mostly the case for large corporate telephone systems). The MSN is known here as the EAZ and is usually the extension. Usually you only need to enter the last digit of the EAZ for the Linux configuration. If all else fails, try the digits 1 to 9.

Choose a dial mode as follows: Manual, Automatic or Off. Look at page 42 regarding the Automatic dial mode. It is best to choose Manual, because afterwards you can conveniently dial into the Internet using kinternet, for example. Dial in on the command line with /usr/sbin/isdnctrl dial ippp0 and hang up with /usr/sbin/isdnctrl hangup
30. configure Windows and Linux PCs for the use of SuSE Linux Connectivity Servers. Before going through all the steps of a workstation configuration for SuSE Linux Connectivity Servers (data server and Internet functions), please make sure that every PC has a network card and is connected to the server with the right cable. There is nothing more frustrating than spending hours searching for the causes of errors in applications, just to eventually realize that the network cable was not properly connected.

Tip: Many network cards are equipped with an LED which signals that the card is properly connected.

5.1 Access to the File Server

5.1.1 Windows 95/98/ME

Configuration of the Network Card

The first step is complete: the card and cable are connected properly. Now we just need to make sure that the card is recognized by the system. If your PC was previously integrated in a network, you can of course skip this part and move on to the next step. Select Settings, Control Panel in the Start menu, then click on System and select the tab sheet Device Manager to get an overview of all hardware devices available on your PC. The item Network Cards should now appear in the list, which should indicate the card mounted in your computer along with its manufacturer and model. Please be aware that items like the Dial-Up Adapter or IrDA Infrared Port in laptops have nothing to do with
31. g. to /cdrom:

    earth:~ # mount -t iso9660 /dev/cdrom /cdrom

Change to the disks directory on the CD:

    earth:~ # cd /cdrom/disks

Create the boot disk with:

    earth:/cdrom/disks # dd if=/cdrom/disks/bootdisk of=/dev/fd0 bs=8k
    earth:/cdrom/disks # dd if=/cdrom/disks/aboot_xx of=/dev/fd0 bs=8k
    earth:/cdrom/disks # dd if=/cdrom/disks/bootdisk32 of=/dev/fd0 bs=8k

You also need to create the root disk, which contains the root file system needed by the installation tools. Create this disk with the command:

    earth:/cdrom/disks # dd if=/cdrom/disks/rootdisk32 of=/dev/fd0 bs=8k

Read the README file in the directory /disks. In the file systypes.txt, read about what features specific kernels have. These files can be read with more or less. If you need a different kernel, another disk image can be used in place of bootdisk. If problems arise, k_i386 can be used as a fallback kernel.

9.2 LILO Problems: Some Guidelines

Some simple guidelines at the beginning will avoid most LILO problems in advance (this is taken from the LILO user manual):

- Don't panic! If anything does not work, try to find the error or the cause first. Check the diagnosis before you start fixing the problem.
- Always have an up-to-date and tested boot disk at hand. SuSE Linux contains a full Linux system on its boot disk and installation CD (for the rescue system, see Section 9.3 on page 119) to allow you to reach all your Linux partitions. Tools are included for repairing almost any problems that c
32. is completed and the network rebooted. The following configurations are possible:

no: If no is specified or if this field is left blank, the Personal Firewall will not be active. All incoming connections will be accepted; no filtering takes place.

yes: The Personal Firewall affects all interfaces other than lo, the loopback interface (localhost). Thus connections originating from inside the network will be blocked as well. The only packets accepted are those directed to localhost.

iface: The interfaces on which connections should be blocked are explicitly given here, separated by blank spaces.

masq: Packets which arrive at the machine but are not addressed to one of its own interfaces (i.e. packets to be forwarded) are masqueraded before being forwarded. Here the name of the interface is specified over which masqueraded packets are to reach the outside and on which incoming connections are to be rejected. The interface name and masq must be separated from one another by a blank space.

Table 6.3: Configuration of the Personal Firewall

When configuring your Internet access via modem or ISDN, the YaST2 screens Connection parameters and ISDN connection parameters will ask you whether the firewall should be activated. Selecting this option is the same as entering masq <interface name> in the /etc/rc.config.d/security.rc.config file. By way of masquerading, all network packets co
33. it. However, between checking and file creation there is a short moment which can be used by an attacker to create a symbolic link (a pointer to another file). The program may then be tricked into following the symbolic link, overwriting the target file with its own permissions. This is called a race because the interval during which the attacker can create the symlink is very short. The race is only possible if the checking and file creation procedure is not atomic (indivisible). If the race is allowed to take place at all, there is a chance that it may be won by the attacker; it is all a matter of probability.

Buffer overflows and format string bugs

Special care must be taken whenever a program is supposed to process data which can or could be changed by a user, but this is more of an issue for the programmer of an application than for regular users. The programmer has to make sure that his application will interpret data in the correct way, without writing them into memory areas that are too small to hold them. Also, the program should hand over data in a consistent manner, using the interfaces defined for that purpose.

A buffer overflow can happen if the actual size of a memory buffer is not taken into account when writing to that buffer. There are cases where this data, as generated by the user, uses up more space than what is available in the buffer. As a result, data is written
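The race described above, and the advice on the previous security page to strip the setuid/setgid bits from programs that do not need them, as an added shell example that is not part of the handbook. The unsafe function does the check and the create as two separate steps, with a hook standing in for whatever happens in between (here: the attacker planting a symlink); the safe variant uses the shell's noclobber mode, under which a redirection creates the file with O_CREAT|O_EXCL, so the check and the create become one indivisible call that refuses any existing path, symlink included. The function names, the RACE_HOOK and VICTIM variables and the scratch files are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the SuSE handbook: the check-then-create race from the
# text, reproduced in a scratch directory beside an atomic variant, plus the
# setuid/setgid audit that the "lowest possible privileges" advice calls for.
# Names (unsafe_create, safe_create, RACE_HOOK, VICTIM) are inventions of this example.

# Unsafe pattern: existence check, then create. RACE_HOOK stands for whatever happens
# between the two calls; in the demo below it is the attacker planting a symlink.
unsafe_create() {                          # $1 = path to create, $2 = content
    if [ ! -e "$1" ]; then
        ${RACE_HOOK:-:} "$1"               # the race window
        printf '%s\n' "$2" > "$1"          # follows a symlink planted meanwhile
    fi
}

# Atomic variant: with noclobber (set -C) the shell creates the file with
# O_CREAT|O_EXCL, which fails for any existing path, a symlink included, so check
# and create are one indivisible call. Returns non-zero if the path already exists.
safe_create() {                            # $1 = path to create, $2 = content
    ( set -C; ${RACE_HOOK:-:} "$1"; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# The attacker's move: point the expected path at a victim file.
plant_symlink() { ln -s "$VICTIM" "$1"; }

# Every setuid or setgid regular file below a directory, staying on one file system.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Remedy for a program that does not need the privilege: clear both bits.
drop_setuid() { chmod u-s,g-s "$1"; }

# Stand-alone run: show both outcomes in a scratch directory, then clean up.
race_demo() {
    dir=$(mktemp -d) || return 1
    VICTIM=$dir/victim
    RACE_HOOK=plant_symlink
    printf 'original\n' > "$VICTIM"
    unsafe_create "$dir/tmp1" "attacker-controlled"
    echo "unsafe variant: victim now contains '$(cat "$VICTIM")'"
    printf 'original\n' > "$VICTIM"
    if safe_create "$dir/tmp2" "attacker-controlled"; then
        echo "safe variant: created the file (unexpected)"
    else
        echo "safe variant: refused, victim still contains '$(cat "$VICTIM")'"
    fi
    RACE_HOOK=
    rm -rf "$dir"
}
race_demo
```

For temporary files, mktemp(1) is the usual way to get the same O_EXCL guarantee together with an unpredictable name; the audit function is what you run (as root, against /) before deciding which binaries really need their bits.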
34. look at the current desktop settings for the X Window System. If you don't like them, you can Change the settings. You can select Text mode only to skip X Window configuration altogether; if you do that, you can always run SaX or SaX2 later. If you choose Graphical desktop environment, the current settings will be tested once you select Next. Follow the instructions that appear.

[Figure 3.22: Monitor settings]

By clicking Change, you will have the option of configuring the graphical interface (Figure 3.23 on the next page).

Note: If 3D acceleration is listed, you must click on Change in order to deactivate it, since this could lead to problems and is not required by the server anyway.

You can set the screen resolution and color depth for the graphical mode. You can even define the refresh rate. By clicking on the Test button you

[Figure 3.23: Desktop settings for the X Window System. The YaST2 dialog lets you choose the Resolution, the number of Colors, the Refresh Rate and whether to use 3D, depending on your graphics card and monitor (in the screenshot an Elsa Erazor II SGRAM card with the XFree86 4 "nv" driver and an Iiyama Vision Master 450 monitor). Its help text: you can and should Test the settings; if you do not explicitly perform the test, it will automatically be started when you select Next. The Resolution indicates the number of pixels horizontally and vertically; Colors indicates how many colors can be displayed sim]
35. no in the line YAST2_LOADFTPSERVER="yes". The patches can now be installed with:

    earth:~ # yast2 online_update auto.install

This command installs all fetched patches. To install just one group, use the same options as in auto.get. This method can be fully automated: the system administrator is able to download the packages overnight, for example, and then install the ones he needs the next morning.

4.5.6 System Update

Use this module to update and improve your system. It can be started at different stages in the process. YaST2 recognizes which packages need to be updated, or you can decide on your own which packages should be updated. However, the base system itself cannot be updated using this method, but only by booting from the installation medium (e.g. a CD). Keep in mind that the older the previous version is and the more the package configuration differs from the standard, the more difficult it will be to update it. Under rare circumstances the old configuration cannot be correctly processed; in this case, configure from scratch. Furthermore, the existing configuration should be backed up before it is updated.

[Figure: YaST2 System Update dialog. Its text: SuSE Linux has got many new features since the last version; if you want to install these new features, select which. Options: Add new features, or Update only installed prog]
36. not on a local network, that connect to the Internet via modem, T-DSL (ADSL) or ISDN.

- Use UUCP to send mail: UUCP means Unix to Unix Copy Program. In the past it was often used for sending e-mails. This protocol is for dial-up connections and is not used as much these days.
- Expert mode for sendmail configuration: Proceeds to a custom configuration screen for expert settings with Next.
- Do not install /etc/sendmail.cf: Select this item if a configuration already exists and it should not be changed.

The file /etc/rc.config.d/sendmail.rc.config is key for configuring sendmail. YaST2 configures this automatically according to the items selected. You can only indirectly access the contents of this file, in the expert mode, where you can make changes to it by hand. The file /etc/sendmail.cf, which sendmail reads, is generated from these settings with the help of a script. Exit the configuration with Finish.

[Figure: YaST2 "Configuration of sendmail" dialog. Its help text: Sendmail needs a configuration file, /etc/sendmail.cf. You will probably find one of the configurations below suits your needs. If you have special requirements that these do not cover, you may create your own; please have a look at /usr/share/sendmail, one of the pre-existing configurations may well fit your requirements. ATTENTION: If you plan to install your own modified se]
37. obtain support for installing patches from SuSE Enterprise Support Services. You also have the option of optimizing your maintenance service with an update service. In addition, you will receive all patches and fixes for your SuSE Linux product quarterly, shipped on CD. Your registration automatically entitles you to SuSE Linux Connectivity Server Maintenance for a period of 12 months. Thus you will be guaranteed a stable and tested system.

2.5 The Fastest Way to Help

Register your product online at our web site http://support.suse.de/en/ and send your request by e-mail to slcs-support@suse.de. Please give your customer information in the e-mail text before describing the problem. Note the use of capitalization and lower-case spelling in your customer information; this way your e-mail can be automatically processed (see Example 2.5). Do not use any unnecessary attachments and, if you need to insert configuration files, enter them directly in ASCII format in the request letter.

Example:

    FIRSTNAME: John
    LASTNAME: Doe
    COMPANY: Doe & Co. Inc.
    STREET: Easy Street 7
    CITY: Nowhereville
    ZIP: 12345
    COUNTRY: USA
    REGCODE: <Product registration code>
    EMAIL: doe@doe-inc.com

    My Problem: <problem description>
    My Hardware: <hardware description>

File 2.5.1: Support Request by E-Mail

2.6 How Do I Reach the Support Team?

You can reach the Support Team vi
38. of selecting one of several possible packages. YaST2 evaluates the disk space needed each time you choose an additional package. If the disk space is not sufficient, you will be informed by a warning window and one or more packages will have to be deselected. If you exit the dialog with Cancel, your selection will not be saved and no actions will be carried out. With OK, the installation or removal of packages will be initiated. In the installation window, you can follow the actions taking place via the progress bar. Once all packages have been processed, the installation will be completed by SuSEconfig. This can take some time; the hard disk normally becomes very active at this point.

Caution: You have the option of marking installed packages to be removed; these are labeled accordingly. Be aware of the warning messages while you are doing this. Do not remove any packages belonging to the Linux base system (series a).

4.5.4 Change Installation Source

The installation source is the medium on which the software to be installed is made available: install from a CD (the usual route), from a network server or from the hard disk. Read about this in the extensive YaST2 help text. When you exit the module with Save and exit, the settings will be saved and will be

[Figure: YaST2 Package Selection dialog. Select a group, then select or deselect a package with a double click; the columns are Group, Package, Size and Description.]
39. system apart from each other (especially from root). Network security, on the other hand, means that the system needs to be protected from an attack originating in the network.

The typical login procedure, requiring a user name and a password for user authentication, is a local security issue. However, in the particular case of logging in over a network, we need to differentiate between both security aspects: what happens until the actual authentication is network security, and anything that happens afterwards is local security.

X Window System (X11) authentication

As mentioned at the beginning, network transparency is one of the central characteristics of a UNIX system. X11, the windowing system of UNIX operating systems, can make use of this feature in an impressive way. With X11 it is basically no problem to log in at a remote host and start a graphical program that will then be sent over the network to be displayed on your computer.

The protocol used to communicate between the X application and the X server (which is the local process that draws the windows with the help of your video card) is relatively lightweight as far as bandwidth usage is concerned. This is because the protocol was designed in the eighties, when network bandwidth was still a scarce resource. Now, if we want an X client to be displayed remotely using our X server, the latter is supposed to protect the resource managed by it (i.e. the display) from unauthorized access
40. to verify whether you are authorized to receive these services. When you send us your data in an online form at https://support.suse.de/en/register, you can become a registered user with access which includes product support and maintenance. You can also send us your registration with the enclosed registration card by mail. To do this, affix a registration code sticker in the designated field on the registration card. We recommend that you leave the second label on the product so that you always have the registration code at hand if you need to consult our support services.

2.2 Support Services for SuSE Linux Connectivity Server

The product support already included in the purchase price of the SuSE Linux Connectivity Server is good for a period of 30 days after the registration date and covers the services listed below. This support is not intended as training material nor as an introduction to SuSE Linux itself, but as a guide for the basic installation of the system. Support can therefore be requested only in respect of configuration problems, not pertaining to conceptual questions.

2.3 Product Support

Product support covers the basic installation of the SuSE Linux Connectivity Server on a machine as well as the configuration of the basic hardware and the following peripherals using the configuration tool YaST2:

- Local printer (over lpd)
- Network card (Ethernet)
- Modem
- ISDN
- DSL

Product s
41. to your own machine without much effort in the way of configuration. At the same time, however, connections originating from your own machine to hosts on the Internet are allowed. The Personal Firewall is well suited and more than sufficient for meeting customary demands.

Only the name of the network interface (ppp0, ippp0, eth0) on which connection requests are denied can be configured, in the file /etc/rc.config.d/security.rc.config. YaST2 will take care of this for you if you click on the item Enable firewall in the corresponding dialogs. The following will be filtered out by the Personal Firewall:

- All TCP connection requests. The security is based on the fact that the Personal Firewall always blocks the first incoming TCP packet (the SYN packet), which prevents a proper TCP connection from being established. Those TCP packets which are not part of an existing TCP connection and are not TCP connection requests will be discarded in any case.
- All UDP packets, except for those from port 53 of one of the configured name servers (normally only the provider's name server, usually configured automatically when the Internet connection is set up; refer to Internet Connection and Local Network on page 42).
- Some of the less conventional ICMP packets.

All filter rules apply only to the configured interfaces and nothing else. Some services can lead to side effects. Among these are IRC (CTCP), FTP in PORT mode (passive FTP used
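To make the effect of the Table 6.3 settings (no, yes, iface, masq) and of the filter list above concrete, here is an added shell example that is not one of SuSE's own scripts: it parses the setting value and prints the packet-filter rules the handbook describes for each affected interface, so a configuration can be reviewed before it is enabled. Assumptions, stated as such: the rules are written in ipchains syntax (the filter of 2.2 kernels), the setting value is passed in as a string because the handbook names only the file and not the variable, the interface list and the name server 192.168.0.1 are constructed, and the "less conventional ICMP packets" are left out because the page does not say which they are. The rules are printed, not executed.

```shell
#!/bin/sh
# Added example, not taken from the SuSE Personal Firewall scripts: translate the
# setting from Table 6.3 into the filter rules the handbook describes. Assumptions:
# ipchains syntax, a constructed interface list and a constructed name server.

PFW_INTERFACES=${PFW_INTERFACES:-"lo eth0 ppp0"}   # constructed: interfaces on this host
PFW_NAME_SERVER=${PFW_NAME_SERVER:-192.168.0.1}    # constructed: the provider's DNS server

# Rules for one interface, exactly the classes the handbook lists:
# no TCP connection requests (SYN), no UDP except replies from the name server's port 53.
filter_rules_for() {                               # $1 = interface name
    echo "ipchains -A input -i $1 -p tcp -y -j DENY"          # -y: SYN set, ACK/FIN clear
    for ns in $PFW_NAME_SERVER; do
        echo "ipchains -A input -i $1 -p udp -s $ns 53 -j ACCEPT"
    done
    echo "ipchains -A input -i $1 -p udp -j DENY"
}

# $1 = value of the setting: "no", "", "yes", "iface eth0 ppp0" or "masq ppp0".
# Prints the resulting rules; returns 1 for an unknown mode.
personal_firewall_rules() {
    set -- $1                                      # split the value into words
    mode=${1:-no}
    [ $# -gt 0 ] && shift                          # the remaining words are interfaces
    case $mode in
        no)    echo "# firewall off: all incoming connections accepted" ;;
        yes)   for i in $PFW_INTERFACES; do        # every interface except loopback
                   [ "$i" = lo ] || filter_rules_for "$i"
               done ;;
        iface) for i in "$@"; do filter_rules_for "$i"; done ;;
        masq)  for i in "$@"; do                   # filter inbound, masquerade outbound
                   filter_rules_for "$i"
                   echo "ipchains -A forward -i $i -j MASQ"
               done
               echo "# forwarding itself must be switched on: echo 1 > /proc/sys/net/ipv4/ip_forward" ;;
        *)     echo "unknown firewall mode: $mode" >&2; return 1 ;;
    esac
}

# Stand-alone run: what "Enable firewall" in the ISDN dialog amounts to.
personal_firewall_rules "masq ippp0"
```

Note that with "yes" the loopback interface stays open, as the table says, while every other interface, including an internal Ethernet, gets the same rules; that is why connections from inside the network are blocked in that mode.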
42. want to use the perhaps slower ... If you are not running any other Unix/Linux system, you can use the DOS program rawrite.exe (CD 1, directory \dosutils\rawrite) to write the disk from the DOS prompt. The standard disk images are contained on CD 1 in the directory /disks. Read the file README there. The image bootdisk (or scsi01) is the usual choice for the standard disk; read the file systypes.txt there. All the actual kernels can be found in the directory /suse/images (without extensions). Also read the README file there. If you need the standard disk which is supplied with every SuSE Linux (e.g. the aboot floppy disk, the standard disk for 32-bit systems), proceed as follows. It is assumed that you are in the directory of the CD:

    Q:\> dosutils\rawrite\rawrite disks\bootdisk

You also need to create the root disk, which contains the root file system needed by the installation tools. If you need a specific type of support, another disk image should be used instead of bootdisk. If problems arise, k_i386 can be used as a fallback kernel.

9.1.2 Creating a Boot Disk with UNIX

Requirements: You need access to a Unix or Linux system with an accessible CD-ROM drive and a formatted disk. To create a boot disk:

1. If you need to format the disks first:

    earth:~ # fdformat /dev/fd0u1440

2. Mount the first CD (disk 1), e.
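Two checks around the dd step on this and the previous boot-disk page, as an added shell example that is not from the handbook: dd writes whatever it is given, so an image larger than the 1.44 MB disk is silently cut off, and a mistyped device name (of=/dev/fdO instead of /dev/fd0, say) quietly creates an ordinary file instead of writing the disk. The functions therefore refuse oversize images and non-existent targets, then read the written bytes back and compare them with the image. The function names and the images built in the test are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the SuSE handbook: guard the "dd if=<image> of=/dev/fd0 bs=8k"
# step against a truncated write and against writing to a wrong, non-existent path.

FLOPPY_BYTES=1474560            # 1.44 MB: 80 tracks x 2 sides x 18 sectors x 512 bytes

image_fits_floppy() {           # $1 = image file; true if it fits on a 1.44 MB disk
    size=$(wc -c < "$1" | tr -d ' ') && [ "$size" -le "$FLOPPY_BYTES" ]
}

# $1 = image, $2 = target (normally /dev/fd0). Returns 2 if the image is too large or
# the target does not exist, 1 if dd fails, non-zero if the read-back differs, 0 if the
# target now holds exactly the image.
write_floppy_image() {
    image_fits_floppy "$1" || {
        echo "$1 is larger than a floppy; dd would truncate it" >&2; return 2; }
    [ -e "$2" ] || {
        echo "$2 does not exist; refusing to create a plain file" >&2; return 2; }
    [ -b "$2" ] || echo "warning: $2 is not a block device" >&2
    dd if="$1" of="$2" bs=8k 2>/dev/null || return 1
    sync                                                   # flush before reading back
    head -c "$(wc -c < "$1" | tr -d ' ')" "$2" | cmp -s - "$1"
}

# Stand-alone usage (needs a real floppy and root): exit status tells the result.
# write_floppy_image /cdrom/disks/bootdisk /dev/fd0 && echo "boot disk verified"
```

The read-back is limited to the image length because a raw device read returns the whole disk; comparing beyond the image would fail on whatever the rest of the floppy still contains.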
43. will then critically examine the code of another developer group. However, freely accessible program source code can also give computer criminals the opportunity to track down security gaps and take advantage of them. But all in all, the positives of open source outweigh the negatives, since the respective code is getting better all the time under the close scrutiny of numerous co-programmers, as well as in terms of continuing development.

A Wide Variety of Applications

One of the greatest achievements of open software is the sheer volume of applications available to an unlimited number of users at no further cost. There is not just one standard solution to meet whichever needs may arise, but a wide array; you as a user have the freedom to pick the alternatives which work best for you. You can of course also participate in optimizing existing solutions by contributing your ideas and programming skills. This degree of freedom and flexibility was previously unknown to the world of software.

Switching to Linux can still be problematic for larger companies, due to the continuing lack of open source solutions for certain specialized types of applications or due to existing programs not being able to function in Linux. Met with increasing acceptance in a variety of industries as well as by the public, it is only a question of time until these alternatives do exist and commercial solution providers port their s
44. www.isc.org/products/DHCP/. Instructions containing advice relating to concrete scenarios can be found in the corresponding man pages:

- General information on the DHCP server daemon: man dhcpd
- Information on its configuration: man dhcpd.conf and man dhcpd.leases
- Options to pass to DHCP clients: man dhcp-options

6.1.3 NIS

If several UNIX systems have to access common resources in a network, one has to be certain, for example, that user and group names are in sync on all hosts. The network should be transparent for the user: no matter on which host a user is working, he should encounter the same environment. The NIS and NFS services make this possible. NFS is responsible for file system sharing over the network; it is described in more detail in Section 6.2.1 on the facing page. NIS (Network Information Service) can be characterized as a database service which enables access to information pertaining to important system files network-wide. NIS comes into play by distributing the following files:

- /etc/passwd: despite this file's name, it actually only contains data as to login name, user ID, group ID, home directory and the user's default shell.
- /etc/shadow: the password hashes are located here. In addition, this file contains information on how many days a password is valid. Note that any host in the NIS domain can query the maps served to it, so distributing this file makes the password hashes readable on all of them.
- /etc/group: a list of all network-wide groups, which includes the group ID and may also contain optional information such as the group's members.

The advantag
46. Example /etc/fstab:

    /dev/sdb5   swap   swap   defaults   0 0
    /dev/sdb3   /      ext2   defaults   1 1
    /dev/sdb6   /usr   ext2   defaults   1 2

File 9.3.1: Example /etc/fstab

Caution: Pay attention to the order of steps outlined in the following section for mounting the various devices.

To access your entire system, mount it step by step in the /mnt directory using the following commands:

    earth:~ # mount /dev/sdb3 /mnt
    earth:~ # mount /dev/sdb6 /mnt/usr

Now you can access your entire system and, for example, correct mistakes in configuration files such as /etc/fstab, /etc/passwd and /etc/inittab. The configuration files are now located in the /mnt/etc directory instead of in /etc.

To be able to recover even completely lost partitions with the fdisk program (by simply setting them up again), determine where on the hard disk the partitions were previously located: while the system is still intact, make a hardcopy printout of the /etc/fstab file as well as of the output of the command

    earth:~ # fdisk -l /dev/<disk>

Instead of <disk>, insert in turn the device names of your hard disks (i.e. hda, hdb, ...).

Repairing File Systems

Damaged file systems are tricky problems for the rescue system. This could happen after an unscheduled shutdown caused by a power failure or a system crash. Generally, file systems cannot be repaired on a running system. If you encounter really severe problems, you may not even be able to mount your root file system, and the system boot may end in a kernel pa
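The order matters because /usr lives inside the root file system's tree: mounting /dev/sdb6 on /mnt/usr before /dev/sdb3 is on /mnt either fails (the directory does not exist yet) or is hidden by the later root mount. As an added example that is not part of the handbook, the following shell script reads an fstab such as File 9.3.1 and prints the mount commands for the rescue system in the right order, re-rooted under /mnt, sorted by the depth of the mount point and with swap and pseudo file systems left out. It prints rather than mounts, so the plan can be compared with the printout recommended above. The sample fstab is constructed here (it matches the example in the handbook) and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SuSE handbook: derive the mount commands for
# reaching an installed system from the rescue system, parents before children.
# Reads an fstab on stdin, drops swap/proc/devpts lines, re-roots every mount point
# under $RESCUE_ROOT and sorts by path depth so "/" is mounted before "/usr".
# Nothing is mounted; the commands are only printed for review.

RESCUE_ROOT=/mnt            # the mount point the handbook uses for the rescue system

rescue_mount_plan() {
    awk -v root="$RESCUE_ROOT" '
        /^[ \t]*#/ || NF < 3 { next }                    # comments and blank lines
        $3 == "swap" || $3 == "proc" || $3 == "devpts" { next }
        {
            mp = ($2 == "/") ? root : root $2              # /usr -> /mnt/usr
            depth = gsub("/", "/", mp)                     # count of "/" = nesting depth
            printf "%d\t%s\t%s\t%s\n", depth, $1, $3, mp
        }' \
    | sort -n \
    | awk -F"\t" '{ printf "mount -t %s %s %s\n", $3, $2, $4 }'
}

# Constructed sample, the same layout as the /etc/fstab example in the handbook.
SAMPLE_FSTAB='/dev/sdb5  swap  swap  defaults  0 0
/dev/sdb3  /     ext2  defaults  1 1
/dev/sdb6  /usr  ext2  defaults  1 2'

plan_for_sample() {         # the plan for the constructed fstab above
    printf '%s\n' "$SAMPLE_FSTAB" | rescue_mount_plan
}

# Stand-alone run: on a real rescue system you would use
#   rescue_mount_plan < /mnt/etc/fstab      (after the root partition is on /mnt)
plan_for_sample
```

Because the plan is derived from the fstab of the damaged system, it also tells you which device to check with e2fsck before mounting it; run the fsck first and the printed mount commands afterwards.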
47. authentication. One application does not take care of all these tasks; in Linux these jobs are done by two daemons (background processes) on the Samba server:

- smbd manages resources (file, print and browser services) and is responsible for user authentication as well as for SMB data transfer.
- nmbd is responsible for name resolution over NetBIOS and for the WINS name requests issued by Windows clients.

As a Samba client (i.e. a Linux machine which is to have access to a Windows machine), a Linux client uses the following programs:

- smbclient enables Windows file system access.
- smbtar lets you save SMB shares to Unix tape drives.
- nmblookup: name resolution for NetBIOS names.
- smbpasswd: SMB user password management.
- smbstatus: information on open SMB connections.

All these applications are Samba Suite components and more or less work for you in the background.

Further Information

Meanwhile there are books and web pages which handle the topic of Samba, but there is also quite a bit of useful and relevant information on Samba available locally. Take a look at /usr/share/doc/packages/samba; you will be greeted with a wealth of information here. In addition, the complete version of the book "Using Samba" by Robert Eckstein, David Collier-Brown and Peter Kelly is located under /usr/share/doc/packages/samba/htmldocs/using_samba. Furthermore, the Samba project web sites have something for you: http://de.samba.org/samba/
48. [Figure 4.22: YaST2 Installing and Removing Software. The package list shows, per group (e.g. Amusements/Games, Applications/Archiving, Applications/Clustering), the package name, its size in MB and its version; the bottom of the dialog shows the free space on the mounted file systems and the space Required by the selection.]

applied to the configuration modules Install/Remove Software, System Update and Boot and kernel configuration. These modules provide the option of continuing with Install to install additional packages later or to remove them.

[Figure: YaST2 "Software Source Media" dialog. Software packages can be installed from CD, from a network server (IP address or name of the server, and the directory on the server) or from the hard disk (the directory to which you have copied the contents of the SuSE CDs). A CD installation always starts with the first disk; insert CD 1 before proceeding. Buttons: Abort, Save and Ex]
[Figure 3.10: YaST2 Creating an LVM Partition. The dialog asks for the mount point, the starting cylinder number of the partition and either an ending cylinder number or a size; the figure contents are not reproduced here.]

3.8.3 LVM: Setting Up Physical Volumes

This dialog manages the LVM volume groups (often abbreviated to VG). If there is no volume group yet on your system, a pop-up window will prompt you to create one. "system" is the name suggested for the volume group in which your SuSE Linux system files are located. What is known as the physical extent size (often abbreviated to PE size) defines the maximum size of a physical and logical volume in this volume group. This value is usually set to 4 megabytes, which allows a maximum size of 256 gigabytes for a physical or logical volume. You should therefore only increase the physical extent size (e.g. to 8, 16 or 32 megabytes) if you need logical volumes larger than 256 gigabytes.

[Figure 3.11: YaST2 Creating a Volume Group]

In the following dialog all partitions are listed that have either the Linux LVM or the Linux native partition type; swap and DOS partitions are therefore not shown. If a partition is already assigned to a volume group, the name of that volume group is listed; unassigned partitions are marked accordingly. Add part...
KARL, Ch.: SuSE Linux: System und Anwendungen im Überblick. SuSE PRESS, 2001. ISBN 3-934678-41-6
DAWSON, Terry; RUBINI, Alessandro: NET-3-HOWTO, v1.4, August 1998. See file /usr/share/doc/howto/en/NET-3-HOWTO.gz
DAWSON, Terry; RUBINI, Alessandro: NET3-4-HOWTO, v1.5, August 1999. See file /usr/share/doc/howto/en/NET3-4-HOWTO.gz
ECKEL, George; HARE, Chris: Linux Internet Server. Carl Hanser Verlag, 1998. ISBN 3-446-19044-9
FRISCH, Æleen: Essential System Administration. O'Reilly & Associates, Inc., 1993. ISBN 0-937175-80-3
FISHER, Stefan; WALTHER, Ulrich: Linux-Netzwerke. SuSE PRESS, 2000. ISBN 3-934678-20-3
GILLY, Daniel: UNIX in a Nutshell, System V Edition. O'Reilly & Associates, Inc., 1992. ISBN 1-56592-001-5
[Gri94] GRIEGER, W.: Wer hat Angst vorm Emacs? Addison-Wesley GmbH, 1994. ISBN 3-89319-620-X
[GS93] GARFINKEL, Simson; SPAFFORD, Gene: Practical UNIX Security. O'Reilly & Associates, Inc., 1993. ISBN 0-937175-72-2
[Hei96] HEIN, Jochen: Linux Companion zur Systemadministration. Addison-Wesley GmbH, 1996. ISBN 3-89319-869-5
[Her92] HEROLD, H.: UNIX Grundlagen. Addison-Wesley GmbH, 1992. ISBN 3-89319-542-8
[HHMK96] HETZE, Sebastian; HOHNDEL, Dirk; MÜLLER, Martin; KIRCH, Olaf: Linux Anwender...
Hof97 HR98 HST97 Hun95 JT98 Kie95 Kir95 Kof99 Kri00 Kun9
Required Settings

After having restarted your computer, all previously installed protocols and services should now be activated. The next step comprises a couple of settings which will enable you to access the file server.

Double-click Network in the Control Panel and first make sure that the Primary Network Logon is set to Client for Microsoft Networks. Now select the Identification tab. Here you will have to enter some more information. The host name and the description are both self-explanatory, except that the former must not contain more than 15 characters and no spaces.

Note: The most crucial aspect is configuring the workgroup. The name you type here must correspond to the workgroup you have already configured during the installation of the SLCS; you could call it, for example, "workgroup". If clients and servers have different workgroup names, the server cannot be accessed successfully.

If the SuSE Linux Connectivity Server is configured as a domain, you will now have to select the Access Control tab and change from share-level access control to user-level access control, then enter the name of the configured domain under "Obtain list of users and groups from". The domain name is derived from the network configuration (see Section 4.3 on page 45; default: slcsnet). If you have Windows ...
[Figure 3.19: List of changes made. The summary shows, for example: format partition sdb1 (23.5 MB) for /boot; format partition sdb3 (8.2 GB) for /; format partition sdb2 (258.8 MB) for swap; Boot Manager: the LILO boot manager will be installed in the master boot record (MBR); Software: 1343 MB of software will be installed; User Account: the configured user will be created. Help text: You will need your user name, your user password and, most importantly, the root password to work with your installed system. Do not forget them, but do not write them on a Post-it note stuck to your screen either, as is all too common and insecure.]

If you are satisfied with the settings, confirm them to start the installation. This initiates the actual installation: your hard disk will be prepared according to the settings made in the previous dialogs and the software will be installed. "Save settings to floppy disk" stores the configuration. To change any of the settings, use Back to return to the respective dialog, or choose Abort installation.

Caution: All data on the partitions you have specified for SuSE Linux will be deleted irrevocably in the next step. If you have chosen the entire hard disk, all other operating systems and data on it will be erased.

3.14 Preparing the Hard Disk

YaST2 will now begin its work: it creates the selected partitions and formats them. Depending on your system configuration, this may take some time.

3.15 Installation of Software Packages

Once you have started the install...
[Figure 4.5: YaST2 ISDN Configuration. Dialog "ISDN low-level configuration": select your ISDN card (e.g. Askey PCI Voice W6692, Askey PCI CCD HFC, Askey PCI W6692, AsusCom ISA IPAC), I/O address (e.g. 0x220), ISDN module options (only needed in special cases), selection of the ISDN protocol: Euro-ISDN (EDSS1), 1TR6, leased line.]

...for data transfer. This is usually the case for what are known as ISDN terminal adapters.

[Figure 4.6: YaST2 Modem Configuration. Help text: Please enter all modem configuration values. Modem name is an arbitrary string to identify your modem. If you are on a PBX, you probably have to enter a dial prefix. The field Device says to which port your modem is attached: /dev/ttyS0, /dev/ttyS1 etc. refer to serial ports and usually correspond to COM1, COM2 etc. in DOS/Windows; /dev/ttyACM0, /dev/ttyACM1 refer to ... Modem parameters: Device (/dev/modem), Modem name, Dial prefix (if needed), Dial mode (tone dialing or pulse dialing), Special settings (speaker on, detect dial tone).]

4.3 Network Card

With the help of YaST2 you can configure additional network cards under Network > Basic after installation.
International Thomson Publishing, 1998. ISBN 3-8266-4032-2
O'REILLY, Tim; TODINO, Grace: Managing UUCP and Usenet. O'Reilly & Associates, Inc., 1992. ISBN 0-937175-93-5
PERLMAN, G.: Unix For Software Developers. Prentice-Hall, 1994. ISBN 13-932997-8
[POL97] PEEK, Jerry; O'REILLY, Tim; LOUKIDES, Mike: Unix Power Tools, 2nd edition. Sebastopol: O'Reilly & Associates, Inc., 1997
[Pug94] PUGH, K.: UNIX For The MS-DOS User. Prentice-Hall, 1994. ISBN 13-146077-3
[Rub98] RUBINI, Alessandro: Linux-Gerätetreiber. O'Reilly & Associates, Inc., 1998. ISBN 3-89721-122-X
[SB92] SCHOONOVER, M.; BOWIE, J.: GNU Emacs. Addison-Wesley GmbH, 1992. ISBN 0-201-56345-2
[Sch98] SCHEIDERER, Jürgen: Sicherheit Kostenlos: Firewall mit Linux. In: iX 12/1998
[Sto98] STOLL, Clifford: Kuckucksei: Die Jagd auf die deutschen Hacker, die das Pentagon knackten. Fischer TB Vlg, 1998. ISBN 3596139848
[The96] THE XFREE86 TEAM: XF86Config(4/5): Configuration File for XFree86, 1996. Manual page for XFree86
[TSP93] TODINO, Grace; STRANG, John; PEEK, Jerry: Learning the UNIX Operating System. O'Reilly & Associates, Inc., 1993. ISBN 1-56592-060-0
[Wel94] WELSH, Matt: Linux Installation and Getting Started, 2nd ed. SuSE GmbH, 1994. ISBN 3-930419-03-3
[WK95] WELSH, Matt; KAUFMAN, Lars: Running Linux.
...Neighboring Computers. In the new window you should now see your SuSE Linux Connectivity Server under the name assigned during installation. Double-click the server name and you will receive a list of all available shares, where you can save your data from now on.

Linking Drives

You will probably want to avoid having to go through the Network Neighborhood every time you just want to quickly open or save a file on the server. The solution is simple: link a local drive letter to a network drive. In order to assign a user-friendly drive letter such as E: to a network drive such as \\slcs\SharedVolume, select Workstation > Network Drives, choose Extras > Connect and enter the necessary data. If you would like the connection to remain active even after the next login, simply select the option Restore Connection at Next Login.

5.1.3 With MacOS

In no other operating system is configuring clients to access your SuSE Linux Connectivity Server as easy as in MacOS. Click on the Apple menu and select Chooser. If it is MacOS 9, you will have to select AppleShare before typing the server address. For MacOS X, it will suffice to enter the IP address of your SuSE Linux Connectivity Server (usually 192.168.0.1). Right after confirming by clicking OK, MacOS will invite you to enter a user name and password. This login (user name and password) must correspond to the in...
O'Reilly & Associates, Inc., 1995. ISBN 1-56592-100-3
[WK98] WELSH, Matt; KAUFMAN, Lars: Linux: Wegweiser zur Installation & Konfiguration, 2nd edition. O'Reilly & Associates, Inc., 1998. ISBN 3-930673-58-4

Index

Symbols
/etc/init.d/nfsserver 86
/etc/init.d/portmap 86
$ALICE_HOME 98
1024-cylinder LILO problems

A
access to file server: with MacOS 7.; with Windows 2000 72; with Windows 95/98/ME 69
administrator account 26
ALICE 100
Andrew Tridgell 87
Apache 91, 93
applications 3

B
backups, creating with YaST 63
BIND 81, 82, 83
boot disk: creating in DOS 113; creating with rawrite 114; creating with setup 113; creating with Unix 114
boot disks 61
boot manager 24
boot modes 60
boot settings 54
booting 123

C
Cache Manager 91
Calamaris 92
client configuration 69
configuration files: lilo.conf 104; permissions 111; permissions.local 105; rc.config 105
configuring 33

D
DHCP 83
DNS ...
Once installed, the SuSE Linux Connectivity Server runs as a primary NT domain server (primary domain controller, PDC for short) under the domain name "workgroup". If you want to change these values, the Samba server's basic configuration must be defined first. Here, specify whether the server should function as a workgroup server or as a primary domain controller. Next, enter the appropriate name for the workgroup or domain. The description string serves to make identification of the server easier when browsing the network.

[Figure 4.10: Samba Basic Configuration. Dialog "Initial Samba Server Setup": Server type (Workgroup server or Domain (PDC)), Workgroup or domain name, Server description (descriptive string, default "SuSE Linux Connectivity Server"). Help text: Choose whether this server should act as a workgroup server or as a primary domain controller (PDC). If a PDC is already running in the network, Workgroup should be chosen. Then enter the appropriate workgroup or domain name. The server description facilitates identification of the server among others when browsing the network.]

Section 6.2.2 on page 87 provides more details. Further information can be found in the Samba book [BD00].

4.4.2 NFS Server Configuration

YaST2 enables you to quickly turn any host on your network into an NFS server. This is a s...
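The two server types the dialog offers correspond to a handful of settings in the [global] section of smb.conf. The following is an added illustration, not the smb.conf that YaST2 generates on the SuSE Linux Connectivity Server; the workgroup name and server string are the dialog defaults, and the netlogon path is an assumption:

```ini
# Added example, not the smb.conf written by YaST2. Workgroup/domain name and
# server string correspond to the dialog defaults.
[global]
   workgroup = workgroup
   server string = SuSE Linux Connectivity Server
   security = user
   ; Windows 98/ME and Windows 2000 clients send encrypted passwords
   encrypt passwords = yes

   ; --- Server type "Domain (PDC)" ---
   domain logons = yes
   domain master = yes
   preferred master = yes
   os level = 65

   ; --- Server type "Workgroup" instead (required if another PDC already
   ;     runs in the network, so that this server does not compete for the
   ;     domain master role):
   ; domain logons = no
   ; domain master = no
   ; os level = 0

; Domain logons need a netlogon share (path assumed for the example)
[netlogon]
   path = /var/lib/samba/netlogon
   writable = no
```

With security = user, every share access requires a valid account on the server, which is also what the user-level access control on the Windows clients expects. After editing, check the file with testparm before restarting smbd and nmbd.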
Roman Drahtmüller, Viviane Glanz, Roland Haidl, Jana Jäger, Jordi Jaen Pallares, Karine Nguyen, Edith Parzefall, Peter Reinhart, Marc Rührschneck, Thomas Schraitle, Martin Sommer

SuSE Linux Connectivity Server: Installation, Configuration, Administration

SuSE GmbH, Schanzäckerstr. 10, D-90443 Nürnberg
Phone: 09 11 74053 520 (Enterprise Sales: 0421 5 262300)
Support: for hours see the documentation
E-mail: suse@suse.de
WWW: http://www.suse.de

1st Edition 2001
© SuSE GmbH

Copyright: This product is the intellectual property of SuSE GmbH. It may be copied in its entirety or in excerpts only if each copy is marked with this copyright label.

Layout: LaTeX 2e
Geeko icons by Rolf Vogt
English translation: Rebecca Ellis

Linux is a trademark of Linus Torvalds. XFree86 is a trademark of The XFree86 Project, Inc. Windows, Windows 95, Windows 98, Windows ME, Windows NT and Windows 2000 are registered trademarks of the Microsoft Corporation. UNIX is a registered trademark of X/Open Company Limited. Other registered trademarks included herein are T-Online by Deutsche Telekom, SuSE and YaST by SuSE GmbH. All product names are used without guarantee of free usability and may not include trad...
...Server Services. If at a later point you want to configure more NIS servers (slave servers) in your network, the box "Active NIS Slave Server exists" must be activated. In addition, "Fast Map Distribution" should be activated, which speeds up the transfer of the maps from the master to the slave servers.

If you want to allow users in your network to change their passwords with the command yppasswd (that is, not just their local passwords but also those stored on the NIS server), enable this option as well; it in turn activates the checkboxes "Allow modification of GECOS entries" and "Allow modification of the SHELL entry". GECOS means that the user can also change his name and address details with the command ypchfn; SHELL means that the user can change his default shell with the command ypchsh, for instance from bash to sh.

Under "Other global settings" a menu appears (Figure 4.14) where the default directory /etc can be changed. In addition, passwords and groups can be merged here. The setting should be left at "yes" so that the files /etc/passwd and /etc/shadow, as well as /etc/group and /etc/gshadow, are combined into the NIS maps. Furthermore, the smallest user and group number to be included in the maps can be set. OK returns you to the previous screen. Now click Next.

[Figure 4.14: SuSE NIS Master Server Details Setup: You can change the NIS server's ...]
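What "merging" passwords and groups does, and why the smallest user number matters, is easiest to see on the resulting map. The following is an added example, not part of the manual and not ypserv's own code: it rebuilds the passwd map the way a NIS master does when shadow merging is on, and lists the accounts whose real password hash thereby becomes readable by every host that can bind to the NIS domain (NIS has no transport protection, so the merged hashes are effectively public on the LAN; the minimum UID keeps system accounts such as root out of the map). The /etc/passwd and /etc/shadow contents are constructed for the example and the hashes are placeholders.

```javascript
'use strict';
// Added example, not from the SuSE manual and not ypserv code: passwd map
// construction with "merge passwd and shadow" and a minimum UID, plus a check
// for which accounts end up with a crackable hash in the map.
// Sample files are constructed; the hashes are placeholders.

const PASSWD = [
  'root:x:0:0:root:/root:/bin/bash',
  'alice:x:500:100:Alice Example:/home/alice:/bin/bash',
  'backup:x:501:100:Backup Operator:/home/backup:/bin/sh',
  'nobody:x:65534:65534:nobody:/:/bin/false',
].join('\n');

const SHADOW = [
  'root:$1$saltsalt$AbCdEfGhIjKlMnOpQrStUv:11688:0:99999:7:::',
  'alice:$1$abcdefgh$0123456789ABCDEFGHIJKL:11700:0:99999:7:::',
  'backup:!:11700:0:99999:7:::', // locked account, no usable hash
  'nobody:*:11688:0:99999:7:::', // no password at all
].join('\n');

// Split a colon-separated file into arrays of fields, skipping blank lines.
function parseColonFile(text) {
  return text.split('\n').filter((l) => l.trim() !== '').map((l) => l.split(':'));
}

// Build the passwd map. With merge=true the "x" placeholder is replaced by the
// hash from the shadow file; accounts with a UID below minUid are left out,
// which is what the "smallest user number" setting controls.
function buildPasswdMap(passwdText, shadowText, { merge = true, minUid = 0 } = {}) {
  const shadow = new Map(parseColonFile(shadowText).map((f) => [f[0], f[1]]));
  return parseColonFile(passwdText)
    .filter((f) => Number(f[2]) >= minUid)
    .map((f) => {
      const [name, placeholder, ...rest] = f;
      const hash = merge && shadow.has(name) ? shadow.get(name) : placeholder;
      return [name, hash, ...rest].join(':');
    });
}

// Accounts whose map entry carries a crackable hash: anything longer than the
// "x" placeholder that is not a locked ("!...") or disabled ("*") entry.
function exposedAccounts(mapLines) {
  return mapLines
    .map((l) => l.split(':'))
    .filter((f) => f[1].length > 1 && !/^[!*]/.test(f[1]))
    .map((f) => f[0]);
}

// Stand-alone run: show the effect of the two dialog settings.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('merged, all UIDs:   ', exposedAccounts(buildPasswdMap(PASSWD, SHADOW)));
  console.log('merged, minUid 500: ', exposedAccounts(buildPasswdMap(PASSWD, SHADOW, { minUid: 500 })));
  console.log('not merged:         ', exposedAccounts(buildPasswdMap(PASSWD, SHADOW, { merge: false })));
}
```

Running it shows root and alice exposed with the defaults, only alice once the minimum UID is raised to 500, and nothing when merging is off (the map then carries "x" and clients need another way to check passwords). On a real server the same check can be made with ypcat passwd from any client in the domain.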
The current values for the graphical interface will be shown: screen resolution, color depth, refresh rate, vendor and monitor type (if auto-detected) and possibly an already existing 3D acceleration. Click Change to configure the monitor. If you have a graphics card with a 3D chip, enable 3D acceleration here. Depending on the hardware you are using, when selecting the color depth you will have the option of choosing 16, 256, 32768, 65536 or 16.7 million colors (at 8, 16 or 24 bits). At least 256 colors is recommended.

Test the settings by clicking Test. If you click Next right afterwards, the test runs automatically. If you are not getting a stable picture, stop the test immediately and reduce the values. Use the test image to adjust the dimensions and position of the screen display; check it using the small white squares located in the four corners of the test screen. These should be fully visible and without color distortion for an optimal screen position.

If your monitor is not automatically recognized, you will be taken to the monitor selection dialog; you can also reach this dialog via Set monitor specifications. The vendor and device list offers a large selection of models in which you will most likely find your monitor; alternatively, enter the values for your monitor manually or choose the default settings (VESA modes).

Caution: Be extr...
You can only guard against this by educating people and by dealing with language and information in a conscious way. Before breaking into computer systems, attackers often target receptionists, service people working with the company or even family members, and in many cases such an attack based on social engineering will only be discovered much later.

A person wanting to obtain unauthorized access to your data could also take the traditional route and try to get at your hardware directly. Therefore the machine should be protected against any tampering, so that no one can remove, replace or cripple its components. This also applies to backups and even to any network cable or the power cord. Likewise, it might be necessary to secure the boot procedure, as there are some well-known key combinations which invoke special reactions during booting. Protect yourself against this by setting passwords for the BIOS and the boot loader.

Serial terminals connected to serial ports are still used in many places, but are rarely installed with new systems anymore. With regard to data access, serial terminals are a special case. Unlike network interfaces, they do not rely on a network protocol to communicate with the host: a simple cable or maybe an infrared port is used to send plain characters back and forth between the devices. The cable itself is the weakest point of such a system; with an older printer connected to it, it is really easy to record any...
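For the boot loader password mentioned above, LILO (the boot manager this server installs) provides the password and restricted keywords. The fragment below is an added example, not the lilo.conf that YaST2 writes; the disk, kernel and root partition names are assumptions and the password is a placeholder:

```text
# Added example, not the lilo.conf generated by YaST2. The password prevents
# someone at the console from passing kernel parameters such as "init=/bin/sh"
# or "single" at the LILO prompt and getting a root shell without logging in.
# Disk, kernel and root partition below are assumed values.
boot=/dev/sda
prompt
timeout=50

# Global password plus "restricted": the listed entries boot without asking,
# the password is demanded only when additional parameters are typed.
password=CHANGE-ME-boot-passphrase
restricted

image=/boot/vmlinuz
    label=linux
    root=/dev/sda3
    read-only
```

The password is stored in clear text, so the file must be readable by root only (chmod 600 /etc/lilo.conf) before running /sbin/lilo to write the new map; without restricted, LILO asks for the password on every boot, which is the stricter setting for a server that is not rebooted unattended. A boot loader password is only useful together with the BIOS password and a BIOS boot order that does not try floppy or CD first, otherwise the machine can simply be booted from removable media.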
[Figure 4.4: YaST2 Selection of the Local Printer with Infobox. The dialog lists printer vendors (Fujitsu, Hewlett-Packard, Kyocera, Kyocera Mita, ...) and an info box noting that for some Lexmark GDI printers Linux printer drivers are available, but that there may be different kinds of hardware (reference ..._print kompatibel ht...).]

With GDI printers, the manufacturer does without a standard protocol completely and controls the printer directly with control sequences specific to that model. However, there are printers on the market which can act both as GDI printers and also work with proper printer languages.

4.1.2 Graphical Interface (X11)

The graphical interface, the X11 system, provides the basis for working in a graphical environment: the graphical user environment, such as the KDE desktop, runs on top of it. The X11 settings are saved in files which vary according to the XFree86 version being used: XFree86 3.x uses /etc/XF86Config, XFree86 4.x uses /etc/X11/XF86Config.

The graphical interface is usually configured during installation. However, if you still want to improve the values or connect another monitor to a running system, use this YaST2 module. The current configuration will be backed up before changes are made, and the start screen allows restoration of a saved previous X11 configuration. Then you will be taken to the same dialog as in the SuSE Linux installation. You have the choice between text mode and the graphical interface...
...parameter settings are only needed if you are using more than one network card or if the network hardware is not automatically recognized. In this case, select the item New to specify a new driver module. In this dialog, set the network card type and, if you have an ISA card, the interrupt to use and the I/O address. For some network drivers you can also specify special parameters, such as the interface to use or whether you have an RJ-45 or a BNC connector on your card; for this, refer to the driver module documentation.

After entering the hardware parameters, configure the additional network interface data. Select the item Interface in the dialog Network base configuration to activate the network card just set up and assign it an IP address. Select the card number, then click Edit. A new dialog will appear where you can ...

[Figure: YaST2 Network manual setup. Help text: Here you can set up your networking device. The values will be written to the configuration files under /etc. Network interface: network device, device number, name of the module (e.g. de4x5), options for the module (to be written in the format option=value, entries space-separated, e.g. irq=5), PCMCIA. Note: if you configure two cards with the same module name, the options will be merged when saving. You can get a list of available network cards by pressing the Li...]
...the following contact information and during these hours of operation:

- E-mail: slcs-support@suse.de (processed on weekdays)
- WWW/e-mail: http://support.suse.de/en (processed on weekdays)
- Phone (calls answered by Enterprise Support Services): +49 (0) 421 526 23 40, open Monday through Friday, 9:00 a.m. to 6:00 p.m., except on legal holidays
- Fax: +49 (0) 911 7405 34 77 (processed on weekdays)

More information on our extended support services can be obtained at http://support.suse.de/en

3 Installation with YaST2

On the following pages you will find instructions for installing the SuSE Linux Connectivity Server with YaST2. This first chapter focuses on the following topics: starting the installation system, graphical installation with YaST2, hard disk partitioning, configuration of the boot mode together with the graphical interface, and a basic network configuration.

Note: The SuSE Linux Connectivity Server is ready to use immediately after installation. All key server services are activated with default values, so that under normal circumstances no further configuration steps need to be carried out. If other servers are already up and running on the local network, conflicts could result; in this case we recommend that you configure the SuSE Linux Connectivity Server while it is disconnected from your local network.

3.1 Starting Your System from CD-ROM

To s...
...gain more functionality for your SuSE Linux Connectivity Server, you can control its behavior directly using the rc.config editor. However, this should remain an exception and is only intended for experts. After opening the YaST2 rc.config editor, the variables related to the SuSE Linux Connectivity Server are shown in their own group, all beginning with SLCS. At present the following variables can be accessed:

SLCS_SMB_PDC: Should the Samba server act as primary domain controller (PDC)?
SLCS_SMB_NAME: The Samba server description.
SLCS_PUBLIC_FILESPACE: The path to the shared directory (shared volume). This name must not contain spaces.
SLCS_PUBLIC_FILESPACE_NAME: Description of the shared volume.
SLCS_PRINTER_NAME: Description of the network printer.
SLCS_WORKGROUP: Samba workgroup name or domain name.
SLCS_ADD_PUBLIC_EXPORTS: Additional directories to export via NFS, Netatalk and SMB.
SLCS_NETWORK_DEVICE: Local (intranet) network device to be used.
SLCS_SQUID_CACHE_DISK: Cache size in MB on disk used by the Squid HTTP proxy.
SLCS_SQUID_CACHE_MEM: Cache size in MB in RAM used by the Squid HTTP proxy.
SLCS_NS_FORWARDERS: Additional name servers (forwarders).

5 Workstation Configuration

In the following chapter we would like to explain how to easily...
...name. After you have entered your provider's name server IP address in the YaST2 screen Hostname/name server configuration during installation, your name server will also be able to resolve the remaining addresses in the rest of the Internet. You will know your name server is working when external as well as internal addresses can be resolved using the host program.

Further Information

- Documentation on the package bind8: file /usr/share/doc/packages/bind8/html/index.html
- A sample configuration can be found under /usr/share/doc/packages/bind8/sample-config
- The manual page for named (man 8 named), where the relevant RFCs are listed, and in particular the manual page for named.conf (man 5 named.conf)

6.1.2 DHCP

The Dynamic Host Configuration Protocol is responsible for providing network settings from a central point, a server, instead of configuring them on each of the different workstations. A client configured with DHCP does not have a static address of its own, but instead configures itself according to the rules set by the DHCP server. This allows every client to be identified by the hardware address of its network card and to be supplied with the same settings every time, and it allows any interested host to be dynamically assigned an address out of a certain pool. In the latter case the DHCP server will attempt to assign each client the same address on each request, even over a longer period of time; of course th...
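The two modes described above, a fixed assignment by hardware address and a dynamic pool, look like this in the ISC dhcpd syntax. This is an added example, not the dhcpd.conf the SLCS installation writes; the network, the server address and the MAC address are assumptions made for the example:

```text
# Added example, not the dhcpd.conf generated by the SLCS installation.
# Assumptions: intranet 192.168.0.0/24, the server itself at 192.168.0.1 acting as
# router and name server, local domain slcsnet.

# Any interested host gets an address out of this pool; the server tries to
# hand the same address to the same client again on later requests.
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
    option domain-name "slcsnet";
    default-lease-time 86400;
    max-lease-time 604800;
}

# A client identified by the hardware address of its network card always
# receives the same settings (MAC address constructed for the example).
host printer1 {
    hardware ethernet 00:00:00:00:00:01;
    fixed-address 192.168.0.10;
}
```

Note that the hardware address is the only thing identifying the client: it is not authentication, any host can present a chosen MAC address and obtain the fixed settings, so do not treat a fixed-address entry as a security control. Keep fixed addresses outside the dynamic range so the pool never hands them out twice.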
...name. Click the Finish button to save your changes and finish the network configuration.

[Figure 3.26: Host and Domain Name (default domain: slcsnet)]

The host name is the name the computer has in the network, such as slcs. The name should not contain more than eight characters and may not be used more than once in a local network. The domain selected here describes the local network and is predefined with the value slcsnet. It is wholly independent of NT domains as well as of the Internet domain. The local domain identifies the host when the TCP/IP protocol is used and is automatically passed on to the clients connected to the local network. NT domains (by default set to "workgroup") have a similar function, but apply only to the proprietary SMB protocol such as that used by Microsoft Windows. The Internet domain serves to identify a network in the Internet and must therefore be registered. However, since this involves only a local network which is not reachable from the outside thanks to the firewall, the Internet domain is irrelevant in this context.

3.18 Finishing the Installation

As soon as the SuSE Linux Connectivity Server basic configuration is completed, the Linux system will reboot to its final operational state, at which point numerous messages will be displayed on the screen. Once installation is finished, SuSEconfig will run in order to initialize the runn...
...can occur. Read the complete LILO documentation, especially if the system does not do what you want it to do. Check /etc/lilo.conf before using the map installer /sbin/lilo. Be careful if you are using a large hard disk or multiple ones; be aware of the 1024-cylinder limit.

- Try with and without the linear option; normally it should be better without.

9.2.1 Diagnosis of Errors: LILO Start Messages

This is mainly Section 5.2.1 from [Alm96]. When LILO loads itself, it displays the word LILO. Each letter is printed before or after performing some specific action. If LILO fails at some point, the letters printed so far can be used to identify the problem.

(nothing): No part of LILO has been loaded. Either LILO is not installed at all or the partition on which its boot sector is located is not active.

L <error>: The first-stage boot loader has been loaded and started, but it cannot load the second-stage boot loader /boot/boot.b. The two-digit error code indicates the type of problem. This condition usually indicates a media failure or a geometry mismatch.

LI: The second stage has been invoked but could not be started. This can be caused either by a geometry mismatch or by moving /boot/boot.b without reinstalling LILO.

LIL: The second-stage boot loader has been started, but it cannot load the descriptor table from the map file. This is typically due to a physical...
4.5.1 Managing Users and Groups 53
4.5.2 System Security 55
4.5.3 Install and Remove Software 57
4.5.4 Change Installation Source 58
4.5.5 Online Update 59
4.5.6 System Update 61
4.5.7 Boot Mode 61
4.5.8 Creating a Boot, Rescue or Module Disk 62
4.6 Miscellaneous 63
4.6.1 Hardware Information
4.6.2 Start Protocol
4.6.3 System Protocol
4.6.4 Loading the Vendor's Driver CD
4.6.5 Creating Backups
4.7 Important Variables in the rc.config Editor
5 Workstation Configuration
5.1 Access to the File Server
5.1.1 Windows 95/98/ME
5.1.2 Windows 2000
5.1.3 With MacOS
5.2 Internet Access
5.3 Configuration of SuSE Linux Clients
6 Network Services Behind the Scenes
6.1 Basic Functions
6.1.1 Domain Name Service
6.1.2 DHCP
6.1.3 ...
6.2 File and Print Service
6.2.1 NFS: Shared File Systems
6.2.2 Samba
6.3 Security
6.3.1 Firewall
6.4 Proxy Server: Squid
...manual partitioning or Customized partitioning with LVM (for experts). Further information on configuring LVM can be found in Section 3.8 on page 19.

Note: Changes will not be applied to your hard disk until you have configured all installation settings and confirmed them in the designated dialog window with Yes. You can always return to the previous configuration screen to reset the changes you made while installing with YaST2 by clicking Back.

Default partitioning creates three primary partitions: a boot partition for the Linux kernel (approx. 20 MB, within the first cylinders of the hard disk), a swap partition sized according to your RAM, and a root (/) partition for all system and user files, which takes up the remaining hard disk space.

3.7.1 Selecting Partitions

Once the hard disk on which SuSE Linux is to be installed has been selected, YaST2 will list all the partitions located on that hard disk (Figure 3.7 on the next page). Decide whether to Use entire hard disk for the SuSE Linux Connectivity Server, and which partitions to delete in order to make more room for the SuSE Linux system. Consult the YaST2 help to find out more about partition selection.

Caution: All data on the partition selected for installation will be erased. You will likewise lose all data on the hard disk if you select the menu item Use entire hard disk.
...wildcard sets which hosts can access the selected directory. It can be a single host, netgroups, wildcards or IP networks. Please have a look at man exports for further information. Note that a wildcard of * combined with the rw option makes the directory writable for every host that can reach the server.

[Figure 4.12: YaST2 NFS Server: Enter Export Directories and Hosts (directory to add, hosts wildcard, options such as rw)]

Exit completes the configuration.

4.4.3 NIS (Network Information Service)

What is NIS?

As soon as several Unix systems are to access shared resources in a network, user and group data has to be kept in sync between the hosts. The network should be transparent for the user: regardless of which host he is working on, the user will always encounter the same environment. This is made possible by the services NIS and NFS. NFS is responsible for distributing file systems in the network; it was already described above in Section 4.4.2 on page 48.

NIS (Network Information Service) can be described as a database service enabling network-wide access to the information in the files /etc/passwd, /etc/shadow and /etc/group. NIS can also be used for additional tasks, such as distributing /etc/hosts or /etc/services; however, this will not be discussed in detail here. A common term for NIS is YP, which is derived from "yellow pages", meaning the yellow pages of the network.

YaST2 NIS Configuration

For installation, select Network > Advanced in YaST2, then...
...ation and later for the installed system. Click Next to continue with the next dialog. To change previous settings from a later dialog, use Back and Next to switch back and forth between the installation dialogs. Nothing will happen to your computer until you confirm all your settings in the last installation dialog. You can select Abort Installation at any time to abort the installation process.

[Figure 3.3: Selecting the language]

If your mouse cursor still doesn't work, press the Tab key repeatedly until the Next button is selected, then confirm.

3.5 Mouse Pointer

If YaST2 didn't recognize your mouse type automatically, an entry screen will appear as shown in Figure 3.4.

[Figure 3.4: Mouse selection. "YaST2 could not identify your mouse. Choose the mouse type attached to your computer. Use the arrow keys to move; hit the Tab key, maybe repeatedly, until the list is selected." Choices include: PS/2 mouse (Aux port); Microsoft-compatible serial mouse (ttyS0/COM1, ttyS1/COM2); Microsoft IntelliMouse, 3 buttons and wheel (ttyS0/COM1, ttyS1/COM2); Mouse Systems serial mouse (ttyS0/COM1, ttyS1/COM2); MouseMan protocol serial Logitech mouse (ttyS0/COM1, ttyS1/COM2); Old Logitech serial mouse, series 9 (ttyS0/COM1, ttyS1/COM2); None.]
...ation process, the selected packages of the Linux base system are copied from CD or DVD and written to your hard disk. On this screen you can monitor the progress of the various tasks (Figure 3.20).

[Figure 3.20: Package installation. The dialog shows the package currently being installed (e.g. ash, the ash shell), the number of packages processed, the disk usage, and the hint: "The selected software will be installed. And if you're feeling bored watching this screen, take the time to browse through appendix F of the manual; this appendix tries to answer ... Don't hesitate to have a look at the SuSE Support Database http://sdb.suse.de if you want to know more about the software coming with SuSE Linux."]

Depending on the system configuration, the installation can be somewhat time-consuming. To complete the installation of the software packages, LILO is installed and a Linux base system is started. Several messages will then appear on the screen.

Note: Depending on the configuration you selected for the installation of LILO, you might be prompted to insert a disk to create a boot floppy. Please note that all data stored on that medium will be deleted.

3.16 Monitor Settings

If the installed monitor has not been automatically recognized, select the model from the list shown (refer to Figure 3.21 on the next page). Some technical data re...
be selected, as the other choices are, at least for personal computers, irrelevant. Next and Finish complete the configuration.

4.2.5 Modem

Normally these days, companies no longer have dialup connections to the Internet over a modem, but rather over DSL, ISDN or a leased line. There are still ways to implement a modem dialup connection (Figure 4.6), but its configuration will only be briefly touched on here. It is for the most part intuitive and is carried out in much the same way as the configuration for ISDN described in Section 4.2.4. Settings for the modem, such as the baud rate and initialization strings, can be made in the Details menu, provided that you are familiar enough with what you are doing. It is generally not necessary to do this. You should only make changes in this menu if your modem was not auto-detected, in which case it has to be configured specially.

The help text of the ISDN card dialog reads: "Please select your ISDN card from the list. You can pass some extra option values to the kernel module. IO address, IRQ and MemBase are card hardware attributes which usually should be correctly detected for newer card models; if you have an older card model, please have a look into your technical manual or contact your salesman. ISDN protocol: In most cases the protocol is Euro-ISDN; especially use this if your
browser and select Edit, Settings on the menu bar. In the window which ensues, select Advanced, Proxy. Under Automatic Proxy Configuration File, enter http://<Name of your SLCS Server>/proxy.pac. This file, stored on the SuSE Linux Connectivity Server, will from now on be read by Netscape each time it starts and contains all relevant proxy settings.

With Microsoft Internet Explorer: To configure Microsoft Internet Explorer for the use of a proxy service, select the item Internet Options in the menu Extras. Under the tab Connections, select LAN Settings and activate the selection box at Use Proxy Server. As the address, enter the SuSE Linux Connectivity Server name, i.e. server.suse.net, or its IP address, usually 192.168.0.1. As the port, enter 3128.

With MacOS: MacOS is just as easy to configure for the use of a proxy server. Open the menu System Settings and select Network. Before choosing Proxies in the window in front of you, first make sure that the Connection in the upper part of the window is Ethernet and not Modem. Configure your web and FTP

The YaST2 help text for this module reads: "A network proxy is used to provide additional security between your computer and the Internet, usually along with a firewall, and/or to increase performance between networks by reducing redundant traf
by customary browsers works: printer services, RealAudio, RealVideo, CU-SeeMe, Napster, ICQ and a few others.

Automatic Dial-Up (Dial on Demand)

If you click on Dial on demand or Automatic Dial-in in the YaST2 modules, the Internet connection will be made automatically when required, for example when you enter an external URL in the browser. Dial on demand is only recommended if you have a flat-rate Internet connection, as processes running in the background, such as frequent e-mail retrieval, require regular dialing into the Internet.

4.2.3 Internet Connection and Local Network

In every Internet connection there is a normal TCP/IP connection between the local host and a host at the Internet provider. Normally, use the DNS of your ISP. The network is configured so that the connection to the Internet provider is used for all TCP/IP data not intended for the local host. This is normally correct, because the local host does not usually function as a DNS server and does not have any other network connections, so all TCP/IP data is Internet related. There are usually no problems on the network with the TCP/IP connection to the Internet provider if there is only one local host. An exception is if, for example, a firewall has been configured so that no data can be transferred at all.

4.2.4 ISDN

ISDN configuration can be found under Network Basic. If your ISDN card is successfully auto-de
cks list.

-n  Open the file system read-only and assume an answer of "no" to all questions. Allows e2fsck to be used non-interactively. Note: if the -c, -l or -L options are specified in addition to the -n option, the file system will be opened read-write to permit the bad blocks list to be updated. However, no other changes will be made to the file system.

-p  Automatically repair ("preen") the file system without any questions.

-r  This option does nothing at all; it is provided only for backwards compatibility.

-s  This option will byte-swap the file system so that it is using the normalized, standard byte order (which is i386 or little endian). If the file system is already in the standard byte order, e2fsck will take no action.

-S  This option will byte-swap the file system regardless of its current byte order.

-t  Print timing statistics for e2fsck. If this option is used twice, additional timing statistics are printed on a pass-by-pass basis.

-v  Verbose mode.

-V  Print version information and exit.

-y  Assume an answer of "yes" to all questions; allows e2fsck to be used non-interactively.

EXIT CODE

The exit code returned by e2fsck is the sum of the following conditions:

0   No errors
1   File system errors corrected
2   File system errors corrected, system should be rebooted if file system was mounted
4   File system errors left uncorrected
8   Operational error
16  Usage or s
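Because the exit status is a sum of flags, a script driving e2fsck from the rescue system has to take it apart bit by bit rather than compare it with a single value. The following is an added example, not code from the manual or from e2fsprogs: it decodes the status, flags the two cases that matter most in a rescue session (a reboot is required, errors remain), and wraps the read-only `e2fsck -n` pass that should always run before `-p` or `-y` touches the disk. The bit values 1 to 16 are those listed above; 32 (cancelled by user) and 128 (shared library error) are the remaining two from e2fsck(8). The device name in `main` is an assumption.

```python
"""Decode e2fsck exit statuses.

Added example, not code from the SuSE manual or from e2fsprogs. Bits 1..16
are the ones in the man page excerpt above; 32 and 128 are the remaining
two from e2fsck(8). The device path in main() is an assumption.
"""
import shutil
import subprocess
from typing import List, Tuple

# Exit status bit -> condition, as documented in e2fsck(8).
E2FSCK_EXIT_BITS = {
    1: "file system errors corrected",
    2: "file system errors corrected, reboot required if it was mounted",
    4: "file system errors left uncorrected",
    8: "operational error",
    16: "usage or syntax error",
    32: "e2fsck cancelled by user request",
    128: "shared library error",
}
_KNOWN_MASK = sum(E2FSCK_EXIT_BITS)  # 191: every bit the man page defines


def decode_exit_code(code: int) -> List[str]:
    """Split the sum e2fsck returns back into the individual conditions."""
    if code == 0:
        return ["no errors"]
    conditions = [text for bit, text in sorted(E2FSCK_EXIT_BITS.items()) if code & bit]
    unknown = code & ~_KNOWN_MASK
    if unknown:
        conditions.append(f"unknown bit(s) {unknown}")
    return conditions


def needs_reboot(code: int) -> bool:
    """Bit 2: the kernel may still hold stale metadata of a mounted file system."""
    return bool(code & 2)


def still_damaged(code: int) -> bool:
    """Bit 4: errors were left behind; do not mount read-write yet."""
    return bool(code & 4)


def check_read_only(device: str) -> Tuple[int, List[str]]:
    """Run `e2fsck -n` (read-only, answer "no" to everything) on a device.

    This is the safe first step from a rescue system: nothing is written,
    and the decoded status tells you what a repair pass would have to fix.
    Needs root and an unmounted file system; not executed by the test.
    """
    if shutil.which("e2fsck") is None:
        raise FileNotFoundError("e2fsck not found in PATH")
    proc = subprocess.run(["e2fsck", "-n", device], capture_output=True, text=True)
    return proc.returncode, decode_exit_code(proc.returncode)


if __name__ == "__main__":
    # Assumed device name; use the partition you would mount under /mnt.
    status, why = check_read_only("/dev/hda2")
    print(f"e2fsck -n exited {status}: {'; '.join(why)}")
```

Only after `still_damaged()` is false for a real repair run (`-p`, or `-y` for a non-interactive full repair) should the file system be mounted read-write from the rescue system; if `needs_reboot()` is true the repaired file system was mounted during the run and the kernel's cached view of it can no longer be trusted.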
Figure 4.2: YaST2 initializing the printer configuration tool

Next, a list of active printers already connected to your computer or to your network will be shown. Now click on Add and choose whether you want to install a local printer, a printer from the Linux network or a printer from another network (Novell or Samba), as in Figure 4.3. Select the desired category, then click Next. If you want to configure a printer integrated into your network, for example, you must specify a print server. With a click on the double arrow next to the text field you will be presented with a list of available hosts and printer names. If you want to use a print server or network printer not included in the list, you will have to know its name and IP address. As soon as you have selected or specified one, you can select Test to check whether it is in fact a printer or print server, as well as whether it can be reached. If the print server was properly detected, YaST2 will prompt you in the following dialog to give it a name. If, on the other hand, no print server was detected, an error message will appear instead.

Figure 4.3: Printer type selection. The dialog lists: Parallel, USB or serial port (printers connected to a local port); Forwarding queue to remote LPD (files to print are sent directly to the remote printer); Prefilter queue for a LPD forwarding queue
ct the item Extras, Link Network Drives in Windows Explorer. This will open a window which allows you to link a directory, specified under Path, to a drive letter. For instance, if you link \\server\public to E:, you will be able to access the contents of the SuSE Linux Connectivity Server's public directory as virtual drive E:. Remember that this connection will be canceled at the first shutdown and will not be available at the next start of your Windows system. If you would rather have this drive automatically reconnected the next time the computer is rebooted, select the item Restore Connection at Next Start.

5.1.2 Windows 2000

Configuring Windows 2000 for the data service of the SuSE Linux Connectivity Server does not differ much from the configuration performed in the previous section for Windows 95/98 or ME. It goes without saying that even Windows 2000 cannot access the SuSE Linux Connectivity Server without a functioning network card, and that even professional Microsoft operating systems depend on certain protocols and settings.

Tip: Be aware that Windows 2000 requires you to be logged on either as Administrator or as a member of the Administrators group in order to make such changes to the network configuration.

Configuring the Network Card

Before making sure that all necessary prot
Figure 4.16: YaST2 Sendmail Configuration. The dialog offers: Host with permanent network connection (SMTP); Single user machine without network connection; Host with temporary network connection (modem or ISDN); Use UUCP to send mail; Expert mode for sendmail configuration (do not install /etc/sendmail.cf).

4.5 System

4.5.1 Managing Users and Groups

Creating New Users

A basic aspect of Linux is that it is a multiuser system. Consequently, several users can work independently of one another on the same Linux system. Each user has a user account consisting of a user (login) name and a personal password for logging in to the system. All users have their own home directories where personal files and configurations are stored. In this module, located under Security & Users, add new users simply by filling out the fields as indicated, then clicking Add. New users can log in to the system using their own login names and passwords. Details offers several options for specialized settings, which should be left alone if you are not familiar with them: a selection list of default groups, the home directory path (which can be changed), the user ID and a list of login shells. Define additional group affiliations below. If a new user should have access to the modem, the dialout and uucp (unix-to-unix copy pro
e text string entered is not simply matched with the saved pattern. If this were the case, all accounts on your system would be compromised as soon as someone got access to the corresponding file. Instead, the stored password is encrypted, and each time it is entered it is encrypted again and the two encrypted strings are compared. (Strictly speaking the password is hashed, not encrypted: a one-way function is applied to it, and there is no key with which the result could be turned back into the password.) Naturally, this only works if the stored string cannot be reverse-computed into the original text. This is achieved by a special kind of algorithm, also called a trapdoor algorithm, because it only works in one direction. An attacker who has obtained the stored string will not be able to get your password by simply applying the same algorithm again. Instead, it would be necessary to test all possible character combinations until a combination is found which looks like your password when hashed. As you can imagine, with passwords that are eight characters long there are quite a number of possible combinations to calculate. In the seventies it was argued that this method would be more secure than others due to the relative slowness of the algorithm used, which took a few seconds to hash just one password. In the meantime, however, PCs have become powerful enough to do several hundred thousand or even millions of such operations per second. Because of this, hashed passwords should not be visible to regular users: /etc/shadow cannot be read b
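The mechanism described above, as an added example that is not part of the manual and does not use the crypt(3) scheme SuSE Linux itself applies: it substitutes PBKDF2-HMAC-SHA256 from the Python standard library for the historic DES-based algorithm, so that the three points of the text (the stored value is never reversed, verification is a recomputation and comparison, and an attacker is reduced to trying combinations whose cost is set by the slowness of the function) can be run. The `$pbkdf2-sha256$...` storage format and the /etc/shadow record in `main` are constructed for this example.

```python
"""Store and check passwords with a one-way function, and show why an
attacker holding the stored value is reduced to guessing.

Added example, not the manual's code and not the crypt(3) scheme SuSE
Linux uses: PBKDF2-HMAC-SHA256 stands in for the DES-based algorithm.
The "$pbkdf2-sha256$..." format and the shadow line are constructed.
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Dict, Optional, Tuple

DEFAULT_ROUNDS = 100_000  # the modern stand-in for "the algorithm is slow"


def hash_password(password: str, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return a self-describing string: scheme, rounds, salt and digest."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"$pbkdf2-sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-run the same one-way function on the candidate and compare.

    The stored string is never decrypted (it cannot be); salt and round
    count are read back out of it so the recomputation matches.
    """
    _, scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    # Constant-time comparison: a plain == would leak, through timing,
    # how many leading bytes of the digest matched.
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def new_account_hash(password: str) -> str:
    """Fresh random salt per account, so equal passwords store differently."""
    return hash_password(password, secrets.token_bytes(16))


def parse_shadow_line(line: str) -> Dict[str, object]:
    """Split one /etc/shadow record (name:hash:lastchg:min:max:warn:...)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 9:
        raise ValueError("shadow record has fewer than 9 fields")
    return {
        "user": fields[0],
        "hash": fields[1],
        # "!" or "*" in the hash field: no password can ever match.
        "locked": fields[1].startswith(("!", "*")),
        # An empty hash field is worse than locked: no password is asked for.
        "empty_password": fields[1] == "",
        "last_change_days": int(fields[2]) if fields[2] else None,
    }


def brute_force(stored: str, alphabet: str, max_len: int) -> Tuple[Optional[str], int]:
    """What an attacker holding the hash must do: try every combination.

    Returns the recovered password (or None) and the number of hashes
    computed; the work grows as len(alphabet) ** length per length.
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            guess = "".join(chars)
            if verify_password(guess, stored):
                return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed shadow record, not taken from any real system.
    record = parse_shadow_line("alice:" + new_account_hash("s3cret!") + ":12000:0:99999:7:::")
    print(record["user"], "locked:", record["locked"])
    print("login ok:", verify_password("s3cret!", record["hash"]))
    print("wrong pw:", verify_password("secret", record["hash"]))
```

The per-account salt is what defeats precomputed tables, and the round count is the knob that restores the "slowness" argument the text mentions: every guess in `brute_force` costs the attacker exactly one full evaluation, the same as a legitimate login.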
e Ts'o <tytso@mit.edu>

SEE ALSO
mke2fs(8), tune2fs(8), dumpe2fs(8), debugfs(8)

E2fsprogs version 1.23, August 2001
e X server. To change the language for YaST2, select System, then Choose Language in the YaST2 Control Center. Select the desired language, then exit YaST2 and restart it.

The YaST2 Control Center

Next, the YaST2 Control Center will appear. The area to the left of the screen is divided into Hardware, Network Basic, Network Advanced, Security & Users, Software, System and Miscellaneous. If you click one of the icons, the respective contents will be listed to the right. For example, click on Sound and a window will open where you can configure your sound card. Configuration takes place in several steps. YaST2 guides you through all the dialogs with Next. In the left portion of the screen, a help text is displayed for the respective topic, explaining the entries required. Once you have completed the necessary entries, use Finish to complete the last configuration dialog. The configuration is then saved.

Figure 4.1: YaST2 System Configuration and Administration. The Control Center shows the groups Hardware, Network Basic, Network Advanced, Security & Users, Software, System and Misc; under Network Basic the modules ADSL/T-DSL, Modem configuration, ISDN configuration and Hostname & DNS are listed.

4.1 Hardware

Before starting the software configuration for new hardware, the hardware itself ne
e first network card in Linux.

If you have more than one network card, the first one is usually the one located in the upper slot of the computer, normally the outer one to the left on PCs. If YaST2 did not automatically recognize the network card, it can still be configured manually by clicking Use non-recognized card, if that entry exists. YaST2 allows you to enter the driver name, or the kernel module required by your network card, by hand. Clicking Select from list gives you the option of choosing a driver from the list instead.

Figure 3.25: Network Card Manual Configuration. The help text reads: "Here set up your networking device. The values will be written into /etc/modules.conf. Options for the module should be written in the format option=value, and each entry should be space-separated, e.g. io=0x220 irq=5. Note: if two cards are configured with the same module name, options will be merged while saving. You can get a list of available network cards by pressing the List button."

Assigning a Host Name

The name which identifies your computer in the network must be entered in this YaST2 screen. This name consists of the actual host name and the domain name. Any part of this name may contain letters, numbers and the hyphen "-". The domain name is made up of several components separated by periods. The dialog text reads: "Enter the host name and domain name for your computer. The domain name will also be used as the NIS domain n
e of this type of centralized solution, almost all system-wide data only needs to be maintained at one single location in the network. NIS makes any change public without each host having to be updated every time a change is made. Bear in mind that "public" is literal: a NIS server hands its maps, including the password map, to any host that can bind to the domain, so restrict the hosts allowed to query it (on Linux, via /var/yp/securenets) and treat the network between server and clients as trusted.

Further Information on NIS

Information can be found on your own system at /usr/share/doc/packages/ypbind and in the man pages; the Linux NIS (YP)/NYS/NIS+ HOWTO is also available at http://www.linuxdoc.org/HOWTO/NIS-HOWTO/index.html.

6.2 File and Print Service

The main job of your server is to manage files and directories as well as print jobs, regardless of what type of operating system the client has. Linux clients are supplied with files and directories over NFS, the Network File System. Print jobs can be processed by a printer connected to the network. Windows clients are connected to your Linux server via Samba, which enables these clients to mount file systems (shares) and use the integrated network printer.

6.2.1 NFS: Shared File Systems

As already mentioned in Section 6.1.3, the purpose of NFS is, along with NIS, to make a network transparent to the user. NFS enables the distribution of file systems over a network. Regardless of which host a user is working on in the network, he will always encounter the same environment. In this manner, by way of NFS, those using your server can have access to their personal home directory
e requirements and consequently obtained an executable operating system tailored to his own hardware. During the continuing commercialization of the UNIX market, this tradition was slowly forgotten. One of the few exceptions is Richard Stallman's GNU project. Linux represents a sort of reawakening of this tradition. Open source allows program code to be easily ported to new platforms. Anyone can take the Linux source code and do what he deems sensible with it. He does not have to just put up with software errors, but can fix them himself and thus contribute to improving the code's foundations, as well as profit from the contributions of other like-minded people.

Open and free source code has an immense significance for a successful development process. The following points illustrate just why the open source principle is so important:

• Significantly more developers and testers exist for open source than for a closed project.

• Although several programmers at a time are working on one product, regular communication, strict control mechanisms and a small coordinator team all ensure that too many cooks do not spoil the broth.

• The open availability of the source code and the large number of potential developers lessen the dependency on just one contact person.

• Tracking and fixing bugs is faster and more efficient.

• There is better feedback be
e your SuSE Linux system with additional hardware components such as a printer or sound card, configure system services and the network, and install or remove software.

Many Paths to YaST2

Via the K Menu there are several ways of accessing YaST2: via the Control Center, via SuSE, Administration, Configuration, and via Preferences. Otherwise, change to user root (su, then enter the root password in the shell) and enter yast2. In the K menu pop-up menus, click directly on the configuration module needed. YaST2 will open a small dialog once it is loaded. Here, enter the password for user root, the system administrator. The configuration will then be carried out as user root, because only root is permitted to make changes to the Linux system files.

Note: As a reminder, you should only be logged in on the computer as root for administrative tasks such as maintenance and system repairs. Being logged in as root is too risky for daily operation, since root can irrevocably delete all files.

If for whatever reason you are not able to run YaST2 as described above, there is a slightly more complicated way to do this. Enter the following in a shell on the graphical desktop:

xhost +
su
(enter the root password)
export DISPLAY=:0.0
yast2

Be aware that xhost + switches off X access control completely for as long as it is in effect: any host that can reach your X server may then open windows on your display and read or inject keyboard input. Where your xhost supports it, xhost +si:localuser:root admits only the local root user and is the better choice. After exiting YaST2, switch back from root to your normal user with exit, then enter xhost - to reactivate the access controls for th
eds to be installed. Follow the instructions provided by the vendor. Switch on external devices such as printers or modems, and open the respective module in YaST2. Most hardware is auto-detected by YaST2, so only a few additional settings have to be made manually to get the hardware running. If auto-detection fails, YaST2 provides a list of devices from which to select the appropriate one. Consult your hardware documentation if the information printed on the device itself is not sufficient.

Note: Beware of model descriptions. Try a similar description if you do not find your model in the device list. In some cases, however, exact specifications down to the number or letter are absolutely necessary, since more general descriptions cannot always guarantee compatibility. Unfortunately, even similar hardware does not always speak the same language.

4.1.1 Printer Configuration

Add and configure local and network printers with ease in YaST2. To do this, click on Printer in the start screen. YaST2 will now load the necessary settings for printer configuration (Figure 4.2).

Figure 4.2: Initializing the printer configuration tool. The dialog reads "Change the settings of printers on your system. You can set up both local and network printers." and shows the steps Load printer database, Load macros, Check environment, Load current settings and Autodetected printers, with the status "Loading ma
em and package alice (series n) on the workstation. The configuration is stored under the root directory in $ALICE_HOME, e.g. /home/myuser/projects/alice. As previously mentioned, the machines are categorized into classes while retaining their different distinguishing characteristics. For this reason, three directories are located in $ALICE_HOME:

1. The classes directory: all the classes are stored here.
2. The info directory: special settings for each machine are stored here.
3. The templates directory: the default settings are found here.

A sample configuration can be found under /usr/lib/alice/samples. In order to maintain a better overview, the configuration settings for the classes as well as for the individual machines are divided into three sections, including sys, network and etc. All the different settings are then entered into the related .tcf files, structured as shown in the following:

<TAG1>...</TAG1>
<TAG2>...</TAG2>

File 7.2.1: Basic Structure of an ALICE Configuration File

where anything between <TAG> and </TAG> is seen as a value, including all special characters. The name of a .tcf file is composed as <classname|hostname>.<section>.tcf.

7.3 Creating a Simple Configuration

The speed and simplicity of installing a machine with ALICE is well illustrated by the following simple example. These steps are to be carried out by root, because
emarks. SuSE GmbH essentially conforms to the written format of the vendor. Other products named here can be trademarks of their respective vendors.

Contents

Foreword

1 Why Linux?
1.1 The Alternative Called Linux
1.2 The Technical Side of Things
1.3 The Philosophy Behind It
1.4 Conclusion

2 Support and Services
No Product Support or Maintenance without Registration
Support Services for SuSE Linux Connectivity Server
Product Support
Maintenance for the SuSE Linux Connectivity Server

3 Installation with YaST2
3.1 Starting Your System from CD-ROM
3.2 The Opening Screen
3.2.1 Other Installation Options
3.3 YaST2 Takes Over
3.4 Selecting a Language
3.5 Mouse Pointer
3.6 Keyboard and Time Zone
3.7 Selecting the Hard Disk
3.7.1 Selecting Partitions
3.7.2 Note for Advanced Partitioning
3.8 Logical Volume Manager (LVM)
3.8.1 Configuring LVM with YaST2
3.8.2 LVM Partitioning
3.8.3 LVM: Setting Up Physical Volumes
3.8.4 Logical Volumes
3.9 Configuring the Crypt
emely careful with manually entering the permissible deflection frequencies. The wrong values could destroy your monitor. Look up the values in your monitor manual. To be safe, choose a standard resolution to start: highlight the item VESA and the values 640x480. The VESA mode is, however, limited to a 75 Hz refresh rate. For modern monitors, anywhere between 75 and 90 Hz is a suitable refresh rate. Sometimes display errors can be attributed to hardware limitations. Alternatively, you may have the option of using the existing driver disk. To do this, click on Driver floppy, insert the monitor vendor's floppy and confirm with OK. If this works, the monitor data will then appear in the selection list.

4.1.3 Keyboard

The preferred keyboard layout usually corresponds to the selected language. Use the test field to try out the configuration. Make sure that the z, y and special characters are correct on your keyboard.

4.2 Internet Access

4.2.1 Basic Internet Connection

All the machines on the Internet make up a large network on which various operating systems run on different hardware. The Internet uses a standard communication protocol that can be understood regardless of the hardware or software used. This is done by the Internet Protocol (IP) together with the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP) and the Inter
ent to make it boot right into your desktop without even asking for a password, but in most cases that would not be such a good idea, as anybody could change data or run programs. In the list above, the first case is the one where the highest amount of human interaction is involved, such as when you are contacting a bank employee and are required to prove that you are the person owning that bank account. Then you will be asked to provide a signature, a PIN or a password to prove that you are the person you claim to be. In some cases it might be possible to elicit some intelligence from an informed person just by mentioning known bits and pieces here and there, winning the confidence of that person by using clever rhetoric. The victim could be led to gradually reveal more information, maybe without even becoming aware of it. Some people are rather unmindful of what they say, or answer without thinking, so that even a question which they believe was left unanswered might provide enough information to proceed with an even more precise question. Piece after piece gets added to the puzzle until the picture is nearly complete. "No, Mr. Smith is on vacation right now; it's at least three weeks before he'll be back in. He's not my boss anyway, you know, he's up there on the fourth floor while I'm here on the third." Among hackers this is called social engineering
er overflow. Often a DoS attack is done with the sole purpose of making the service disappear. However, once a given service has become unavailable, communications could become vulnerable to so-called man-in-the-middle attacks (sniffing, TCP connection hijacking, spoofing) and DNS poisoning, explained below.

Man in the Middle: Sniffing, TCP Connection Hijacking, Spoofing

In general, any remote attack performed by an attacker who places himself between the communicating hosts is called a man-in-the-middle attack. What almost all types of man-in-the-middle attacks have in common is that the victim is usually not aware that something is happening. There are many possible variants; for example, the attacker could pick up a connection request and forward it to the target machine himself. Now the victim has unwittingly established a connection with the wrong host, because the other end is posing as the legitimate destination machine. The simplest form of a man-in-the-middle attack is the sniffer: the attacker just listens to the network traffic passing by. As a more complex attack, the man in the middle could try to take over an already established connection (hijacking). To do so, the attacker would have to analyze the packets for some time to be able to predict the TCP sequence numbers belonging to the connection. When the attacker finally seizes the role of the target host, the victims will notice t
er systems.

The Kernel

The innermost core of the Linux system, the kernel, harbors some of the most important secrets of this operating system's success.

Comprehensive hardware support: The kernel is laid out in such a way that it can support practically the entire spectrum of available hardware, from the smallest hand-held to the mainframe. Thanks to open source, it is relatively easy to port Linux to new hardware.

Network capability: Since its childhood days, Linux's main focus has been on network capability. Through its TCP/IP protocol support and its support of other open Internet standards, networked communication was an option even in Linux's early developmental stages. Once again, it was its network capability that gave Linux the leverage it needed for further development: Linux was, and continues to be, developed over the Internet.

Security: The development of system security gates also accompanied network capability. After all, the personal computer also has to be guarded from attacks originating from the Internet. Linux already provided support for IP filtering in its early developmental stages. In any case, the original code has time and time again undergone rigorous restructuring to ensure that it remains compatible with the constantly changing face of the Internet.

Performance: Linux supports some essential tricks for dealing with system resources, designed to significantly improve its performance in compa
error of the boot device or a faulty disk geometry.

LIL?  The second-stage boot loader has been loaded at an incorrect address. This is typically caused by a subtle geometry mismatch or by moving /boot/boot.b without reinstalling LILO.

LIL-  The descriptor table in the map file is corrupt. This can either be caused by a geometry mismatch or by moving /boot/boot.b without reinstalling LILO.

LILO  All parts of LILO have been successfully loaded.

Removing causes of error

The most common causes for geometry errors are not physical defects or invalid partition tables, but errors in the LILO installation, including disregarding the 1024-cylinder limit (see next section) or an unsuccessful attempt at starting LILO from a logical partition. In most cases errors can be resolved using the following three methods:

1. Install the LILO data below the 1024-cylinder limit, if you have not already done so. This applies to the required Linux kernel, the directory contents of /boot as well as the boot sector which will incorporate the LILO start code.

2. Install LILO from scratch with lilo as root. lilo will issue an informative log if you increase its verbosity and create log files. This can be done with

earth:~ # lilo -v -v -v >/boot/lilo.log 2>/boot/lilo.logerr

If the configuration is correct, /boot/lilo.logerr should be empty. For a boot configuration, /boot/lilo.log include
erver, which makes the directories and files of all the hosts available to those permitted access to it. Many applications can be provided to your employees in this way, for example, without having to install them locally on their hosts. For installation, select Network Advanced in YaST2, then NFS Server (Figure 4.11).

Figure 4.11: YaST2 NFS Server Configuration Tool. Network Advanced offers, among others: Expert network configuration, Configure NIS Server, LDAP client, NFS client, NFS server, NIS client and Routing.

Next, activate Start NFS Server and click on Next. Now only one step remains. In the upper text field, enter the directories to be exported. Then, below, enter the hosts which are to have access to them (Figure 4.12). A host may be given in one of four forms: <single host>, <netgroups>, <wildcards> and <IP networks>. A more thorough explanation of these forms and of the per-host options is provided by the man page of package exports (man exports).

Figure 4.12: NFS server: directories to export. The help text reads: "The upper box contains all the directories which will be exported. If a directory is selected, the lower box shows the hosts allowed to mount this directory. Hosts: wild c
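What YaST2 writes from this dialog is the file /etc/exports, which is also where the security of the export is decided. The following is an added example, not taken from the manual or generated by YaST2; the host names, netgroup and network are assumptions. It places a permissive entry next to the tightened form a practitioner would prefer, using each of the four host forms named above:

```text
# /etc/exports (added example; hosts, netgroup and network are assumed)

# Weak: every host on every reachable network may mount /home read-write,
# and a remote root keeps uid 0 on the server (no_root_squash).
/home            *(rw,no_root_squash)

# Tighter: name the clients, keep root_squash (the default), and export
# read-only wherever writes are not actually needed.
# IP network
/home            192.168.0.0/255.255.255.0(rw,root_squash,sync)
# single host
/usr/local/apps  ws1.suse.net(ro,root_squash)
# NIS netgroup
/usr/local/apps  @workstations(ro,root_squash)
# wildcard
/var/spool/docs  *.suse.net(ro,root_squash)
```

After editing the file, exportfs -ra reloads the export table and showmount -e lists what the server now offers. Keep in mind that NFS versions 2 and 3 trust the user ID the client presents: root_squash only maps uid 0, so anyone with root on a permitted client can impersonate every other user on the export. That is the reason to keep the list of permitted hosts as narrow as the four forms allow, rather than relying on a wildcard.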
98. [Figure 3.4: Selecting the mouse type; the list includes entries such as ttyS1 (COM2), Logitech busmouse and Sun mouse, with the note that the Sun mouse requires the Sun keyboard as described in the manual, and the buttons 'Apply' and 'Test the selected settings'.]
    To select your mouse type, use the up and down arrow keys. If you have documentation for your mouse, this should provide you with a description of the mouse type. Select the mouse type from the list. The first three items in the list are the most common mouse types; try these first if you do not know the type of your mouse. Confirm your selection either by pressing Enter, or by pressing Tab and then confirming with Enter. Now test if the mouse pointer on the screen follows your movements. If the cursor does not move, select a different mouse type and try again.
    3.6 Keyboard and Time Zone: In the next step (Figure 3.5) the keyboard layout and the time zone are selected. In the field 'Hardware clock set to' you can choose between local time and GMT. Your selection depends on the clock settings in the BIOS of your computer. If this is set to GMT, SuSE Linux will automatically apply the time change from Daylight Savings to Standard Time and vice versa. Now select the desired keyboard layout. Usually this corresponds to the language you chose. Select the correct time zone in the other column. Test your keyboard with special characters to see if they appear c
99. etwork security. As with the local variants of such bugs, buffer overflows in network programs, when successfully exploited, are mostly used to obtain root permissions. Even if that is not the case, an attacker could use the bug to gain access to an unprivileged local account, and from there exploit any other vulnerabilities which might exist on the system. Buffer overflows and format string bugs exploitable over a network link are certainly the most frequent form of remote attacks in general. Exploits for these (programs to exploit these newly found security holes) are often posted on the security mailing lists. They can be used to target the vulnerability without knowing the details of the code. Over the years, experience has shown that the availability of exploit codes has contributed to more secure operating systems, obviously due to the fact that operating system makers were forced to fix the problems in their software. With free software, anyone has access to the source code. SuSE Linux comes with all available source codes, and anyone who finds a vulnerability and its exploit code can submit a patch to fix the corresponding bug.
    DoS (Denial of Service): The purpose of this kind of attack is to force down a server program or even an entire system, something which could be achieved by various means: overloading the server, keeping it busy with garbage packets, or exploiting a remote buff
100. fic via caching. Your system administrator can provide you with proper proxy settings.
    [Figure 5.3: Proxy Configuration in Netscape for Linux; the dialog offers 'Direct connection to the internet', 'Manual proxy configuration' and 'Automatic proxy configuration' with a configuration location URL, here http://sics.intra.net/proxy.pac, plus 'Reload' and 'Cancel' buttons.]
    proxy, respectively 192.168.0.1 as the address, at port 3128. We wish you a lot of fun surfing!
    Further Settings: If you do not want to use a proxy server but still want to have access to FTP servers on the Internet, then you should activate the option 'Use Web Based FTP' in Internet Explorer of Windows 95/98 or ME, which you will find in 'Internet Options/Advanced'. Otherwise, if you have Windows 2000, you will need to deactivate 'Active Folder View for FTP Sites' in order to guarantee a perfect FTP data transfer.
    Internet Access Controls: If you have configured your SLCS to set up connections to the Internet only when you specify them (manual connection), rather than automatically activating connections each time when necessary (automatic connection), a special web front end is available for this purpose. Start your browser (e.g. Netscape Communicator or Microsoft Internet Explorer) and enter the address http://<NameofyourSLES>/internet.html. A screen will appear where connections can be established or terminated whenever you like, just by clicki
101. formation saved on the SuSE Linux Connectivity Server.
    Tip: If you want to create a new user, you can also make use of the YaST2 Control Center (see Chapter 4.5.1 on page 53).
    After logging in, MacOS will present you with a list of all shares available on the SuSE Linux Connectivity Server. Choose one and confirm this dialog with OK. The chosen file share will now be available on the desktop.
    5.2 Internet Access: One of the most important functions of SuSE Linux Connectivity Servers is undoubtedly the option of conveniently and safely surfing the Internet using computers in your own local network. In the following sections we would like to show you how easily you can profit from these possibilities at a workstation.
    Proxy Server Setup: It is generally advisable to use a proxy server every time you retrieve Internet data. This program runs on the server and, to put it simply, receives queries from the internal network, retrieves the relevant data from the Internet and transmits them in compressed form back to the internal computer. A proxy as a buffer between your network and the Internet represents a relevant security innovation, as Internet queries (HTTP, FTP) coming from both sides only arrive as far as the proxy, which will then take over the rest of the transfer.
    With Netscape Communicator: In order to get Netscape to use a proxy server, open the
102. [Figure 4.30: YaST2 Displaying the System Protocol; the window shows a syslog excerpt from host sugano with dhcpcd messages (DHCP_REQUEST for 10.10.1.6, DHCP_ACK and DHCP_OFFER received from Siddhartha, broadcasting DHCP_DISCOVER) and automount messages (expired /mounts/config, attempting to mount entry /mounts/work3).]
    4.6.4 Loading the Vendor's Driver CD: With this module, auto-install the device drivers from a SuSE Linux driver CD. If you do not need to install your SuSE Linux from scratch, you can load the required drivers from the vendor's CD later with the help of this YaST2 module.
    4.6.5 Creating Backups: This option helps you to back up all modified and new files and packages to a file or tape. These are configuration files in most cases.
    [Figure 4.31: Backup with YaST2; the dialog text, which lets you enter a list of directories or files to be excluded from the backup, is not legible in this copy.]
103. garding your selected model, the horizontal (HSync) and the vertical (VSync) frequency deflection rates will appear in the bottom portion of the screen. If the preferred model is not included in the list, you can manually enter the data in the entry fields or choose pre-defined settings (VESA modes). Please use the relevant values listed in your monitor manual. Otherwise you can use a driver floppy. To do this, click on 'Driver disk', insert the disk into the drive and confirm with OK. If no file could be found or if the floppy is not readable, you will receive the respective warning. Then the monitor data will appear in the selection list. In the following display (Figure 3.22 on the facing page) define whether SuSE Linux should run in text mode or in graphical mode in the future. In the
    [Figure 3.21: Selecting the monitor model. Help text: please select your monitor's vendor and model; if your monitor is not listed here, use VESA, as most monitors comply with this standard; you can use a monitor driver disk (technical data). Notice that you do not need a special Linux monitor driver disk, most common monitor driver disks will do; just try the floppy that came with your monitor. If you do not wish to use the X Window ... The list shows models such as MICROSCAN 17 and MICROSCAN 17X.]
    case of the SuSE Linux Connectivity Server, running it in a graphical interface is advisable for reasons of user friendliness. Please
104. gram has to be entered. If you fill out the fields 'First Name' and 'Last Name', a new user account is created for this name with the password given in the corresponding field. When entering a password you must distinguish between uppercase and lowercase. A password should have at least 5 characters and, as a rule, not contain any special characters (e.g. accented characters). Possible characters are
    [Figure 4.17: Adding new users with YaST2; the dialog 'Add a new user' has the fields First name, Last name, User login (with a Suggestion button), Enter a password and Reenter the password for verification.]
    Adding and Changing Users: After calling up this configuration tool, a screen will open labeled 'Managing users and groups'. You will then be able to change users and groups. Group administration is under the 'Changing and Adding Groups' module and is described there. YaST2 provides a list of all users to assist in user administration (see Figure 4.18 on the facing page). To remove a user, simply click on the user in the list so that the line is highlighted (dark blue), then click 'Delete'. To add a user, proceed as described in 'Adding New Users'. Under 'Edit' find the editing options under 'Details'.
    Creating a new group: Adding a new group is easy with YaST2 (see Figure 4.19 on page 56). For more information, read the YaST2 help text. When yo
105. guage (HTML) format.
    - The Simple Mail Transfer Protocol (SMTP) is responsible for sending e-mails to another machine, and the Post Office Protocol (POP3) for downloading e-mails from a mail server.
    - The File Transfer Protocol (FTP) is used to transfer files.
    For several application programs, such as a web browser and an e-mail program, to use the same Internet connection at the same time, separate TCP/IP connections are used for each application. Large amounts of TCP/IP data are also split up into small packets, so that HTTP packets from the web browser can be sent over its TCP/IP connection while alternating with SMTP or POP3 packet transfers from the e-mail program via other TCP/IP connections. Since several applications are using the same Internet connection, the IP address, which only identifies the machine, is not enough. A port number is needed to sort out which TCP/IP data belongs to which application. These standard services are usually provided on their particular server at the following port numbers: DNS on port 53, HTTP on port 80, SMTP on port 25, POP3 on port 110, FTP on ports 20 and 21. The client can only reach the right service if it addresses the correct port number at the server.
    4.2.2 Instructions for all Types of Internet Access. Personal Firewall: The Personal Firewall is especially intended for preventing Internet machines from setting up a connection
106. guration file squid.conf accordingly. Reasonable extensions are, for example:
    Refined Internet access rules by way of ACLs (Access Control Lists): limit Internet access for particular user groups only to certain times of day, for example. Here an example:
        acl mysurfer srcdomain .my-domain.com
        acl teachers src 192.168.1.0/255.255.255.0
        acl students src 192.168.7.0-192.168.9.0/255.255.255.0
        acl afternoons time MTWHF 12:00-15:00
        http_access allow localhost
        http_access allow teachers
        http_access allow students afternoons
        http_access deny all
    File 6.4.1: Excerpt from a squid.conf with Access Restrictions
    This configuration allows the user group teachers unlimited Internet access at any time of the day, the user group students only during the afternoon (the time ACL referenced by the http_access line must carry exactly the name it was defined with), and all other users no access at all.
    Internet access only for authenticated users: If you only want to allow access for authorized users, integrate an authentication program such as pam_auth, which asks every user for his login and password:
        authenticate_program /usr/sbin/pam_auth
        acl password proxy_auth REQUIRED
        http_access allow password
        http_access deny all
    File 6.4.2: Proxy Authentication in squid.conf
    Additionally, another ACL will have to be set up so that only clients with a valid login can surf. Alternatively, REQUIRED can be substituted by a list of permitted user names.
107. hat the logins (i.e. user names and their passwords) of the server are available to every Linux
    [Figure 5.4: YaST2 Module for NFS Configuration. Help text: the table contains all the NFS entries that will be written to /etc/fstab; for changing the configuration use the Add, Edit and Delete buttons; to confirm the changes use the Next button, to dismiss them use Back; for more information about fstab type 'man fstab' in a terminal. Table columns: Server, Remote file system, Mount point, Options; rows: /shared /shared defaults and /home /home defaults.]
    client on your network. If you would like to have access to private file areas on your server, such as home directories, you will not be able to do without configuring an NIS, as only authorized users are supposed to have access to this secured area. To activate an NIS, open the Control Center and select the module 'NIS Client' under the category 'Network/Advanced'. Activate 'Use NIS' and enter the domain configured during the installation in the 'NIS Domain' section (e.g. suse.net). The 'IP Address of NIS Server' is usually 192.168.0.1. Confirm your changes with 'Finish'. Finished.
    6 Network Services Behind the Scenes: This chapter is intended to provide you with more informatio
108. he right password.
    Further Information on Apache: Find out more about Apache at the project web site http://httpd.apache.org. Quite extensive information as to the current state of development, FAQs, tutorials and an excellent explanation of its configuration is available here. If you are interested in additional modules for your web server, http://modules.apache.org is a good place to start. For extremely in-depth questions and higher standards, several books have been published, most notably the O'Reilly publication 'Apache: The Definitive Guide' by Ben and Peter Laurie. A weekly newsletter is published in ApacheWeek (http://www.apacheweek.org), providing information on the most current developments in the project.
    7 ALICE: The automatic installation and configuration of Linux systems enables the setup of a unified server landscape. The automatic method is even preferable to manual installation and configuration for clients beyond a certain number of units. This standardization affects system and software versions, file system structures and configuration files. Automation guarantees that a previously determined and successful installation method can be reapplied on a machine at any time, even without professional knowledge. Thus expanding the network landscape is also made easy. Standardization simplifies the administration as well, given the same configu
109. his, because they get an error message saying the connection was terminated due to a failure. What often makes things easier for attackers is the fact that there are protocols which are not secured against hijacking through encryption, but only perform a simple authentication procedure upon establishing the connection. Finally, we want to mention spoofing, an attack where packets are modified to contain counterfeit source data, mostly the IP address. Most active forms of attack rely on sending out such fake packets, something that on a Linux machine can only be done by the superuser (root). Many of the attacks mentioned are carried out in combination with a DoS. If an attacker sees an opportunity to abruptly bring down a certain host, even if only for a short time, it will make it easier for him to push the active attack, because the host will not be able to interfere with the attack for some time.
    DNS poisoning: DNS poisoning means that the attacker corrupts the cache of a DNS server by replying to it with spoofed DNS reply packets, trying to get the server to send certain data to a victim who is requesting information from that server. To foist such false information onto the server in a credible way, normally the attacker must have received and analyzed some packets from it. Given that many servers are configured to maintain a trust relationship with other hosts based on IP addresses or host names, such an attack may be succes
110. illing to access the proxy and, with the help of other applications, allowing or denying access to specific web pages. It also can obtain statistics about the most visited web sites, user usage of the Internet and many others. Squid is not a generic proxy. It proxies normally only between HTTP connections. It does also support the protocols FTP, Gopher, SSL and WAIS, but it does not support other Internet protocols such as Real Audio, news or videoconferencing. Because Squid only supports the UDP protocol to provide communication between different caches, many other multimedia programs will not be supported.
    Squid and the SuSE Linux Small Business Server: Squid will already run when you boot your system for the first time, without having to do anything on your part. The basic functions it takes care of for you are:
    Web Site Caching: All clients on the internal network can benefit from caching the requested web sites.
    Restricted access inside the network: The configuration of Squid is structured in such a way that only local clients have access to its services.
    Cache Management: If you have an Apache web server set up, the Cache Manager application allows you to query current statistics on your server at any time regarding the amount of memory required for Squid's caching functions.
    You can supplement this basic functionality with some other useful features by modifying the confi
111. in the field shown in the dialog window for creating partitions (Figure 3.15 on the following page). The mountpoint where the encrypted partition is to be accessed can be arbitrarily defined. Now click on the item 'File system encryption' to the right and enter OK. You will now be asked for the password in the next dialog window, which is confirmed by entering it twice. It must be at least five characters long and should be a combination of upper and lower case letters or numbers.
    Caution: Be especially careful when entering the password here. This password cannot be changed later. If you forget it, your data will be irrevocably lost.
    Once this is accomplished, the new partition will now appear in the partitioning table, where the entry 'CF' (for Crypto Filesystem) will appear in the column marked 'F' (see Figure 3.16 on page 25).
    [Figure 3.15: dialog for creating a partition. Help text: first please choose the type of the new partition and whether this partition should be formatted or not; then you must enter the mount point (e.g. /, /boot, /usr, /var); now you can enter the location of the new partition on your hard disk. Fields: Create a primary partition on /dev/hda; Size: Start cylinder 140, End 2000 (or a size such as 9M or 3.2GB); Format / Do not format; ID 0x83 Linux; Format with ReiserFS, Ext2 or swap; Mount Point.]
112. ing SuSE Linux System. Finally, you should definitely browse the Installation Protocol to make sure all steps were completed successfully, and confirm with OK.
    Caution: Once you have completed installation, all server services will be activated; for more on this, see the tip on page 11.
    3.19 Graphical Login: SuSE Linux is now installed and configured so that you can log on to your system. Your monitor will now display the graphical login. Enter next to the username the login name of the administrator account you specified earlier in Section 3.12 on page 26.
    Caution: Due to security reasons, we discourage starting the graphical interface as root (see Chapter 3.11 on page 25). We advise you to only log in as root in absolutely dire circumstances.
    If your login was successful, the desktop environment will be started. Your administrator account already provides several icons on your desktop. If administration tasks are on hand, click on the YaST icon. A window will open up where you must enter the root password. Once YaST2 has been started, you can carry out your configuration tasks. If other users require use of your network, more explanations on this procedure can be found in Chapter 4.5 on page 53.
    4 SLCS Server Configuration with YaST2: With the help of YaST2, enhanc
113. inst problems of all kinds is to get and install the updated packages recommended by security announcements as quickly as possible. SuSE security announcements are published on a mailing list to which you can subscribe by following the link http://www.suse.de/security. The list suse-security-announce@suse.de is a first-hand source of information regarding updated packages and includes members of SuSE's security team among its active contributors. The mailing list suse-security@suse.de is a good place to discuss any security issues of interest. Subscribe to it under the URL as given above for suse-security-announce@suse.de. bugtraq@securityfocus.com is one of the best known security mailing lists worldwide. We recommend that you read this list, which receives between 15 and 20 postings per day. More information can be found at http://www.securityfocus.com.
    The following is a list of rules which you may find useful in dealing with basic security concerns:
    - According to the rule of using the most restrictive set of permissions possible for every job, avoid doing your regular jobs as root. This reduces the risk of getting a cuckoo egg or a virus and protects you from your own mistakes.
    - If possible, always try to use encrypted connections to work on a remote machine. Use ssh (secure shell) to replace telnet, ftp, rsh and rlogin.
    Avoid using authentication methods ba
114. ion if you are certain that your already installed systems are bootable from LILO (usually Windows 95/98 has this capability). If you are in doubt, select the option 'Create boot floppy'.
    Create boot floppy: If your machine is to run with multiple operating systems, generate a boot floppy for SuSE Linux. The previous boot mechanism is thus left unchanged. SuSE Linux can be booted from this floppy at any time.
    [Figure 3.16: YaST2 Encrypted Partition. Help text: Partition your hard disk(s). This is intended for experts; if you are not familiar with the concepts of hard disk partitions and how to use them, you might want to go back and select automatic partitioning. Please note that nothing will be written to your hard disk until you confirm the entire installation in the last installation dialog; until that point you can safely abort the installation. The table to the right shows the current partitions on all your hard disks. Hard disks are designated like this: /dev/hda 1st EIDE disk, /dev/hdb 2nd EIDE disk, /dev/hdc 3rd EIDE disk etc., or /dev/sda 1st SCSI disk, /dev/sdb 2nd SCSI disk. Partition table shown: /dev/hda 19.0 GB; /dev/hda1 17.7 MB Linux native; /dev/hda2 257.9 MB Linux swap (swap); /dev/hda3 cylinders 140-2000, 3.5 GB, CF, Linux native, Ext2, mounted at /usr/local/secret. Buttons: Create, Delete, Edit, Reset and Re-Read.]
    Do not instal
115. ion number of the package concerned. SuSE will try to send a reply as soon as possible. You are encouraged to pgp-encrypt your e-mail messages. SuSE's pgp key is as follows:
        ID 3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
        Key fingerprint = 73 5F 2E 99 DF DB 94 C4 8F 5A A3 AE AF 22 F2 D5
    This key is also available for download from http://www.suse.de/security.
    9 Troubleshooting. 9.1 Creating a Boot Disk. 9.1.1 Creating a Boot Disk in DOS.
    Requirements: You need a formatted 3.5" floppy disk and a bootable 3.5" floppy drive. If you are working in Windows, launch setup from MS-DOS mode, not from inside a DOS window.
    Additional information: The disk images can be found on CD 1 in the directory /disks. These images can be copied to a floppy disk with the relevant utilities. Such an image can be copied to a disk with the help of suitable auxiliary programs; this disk is then called a boot disk. Included in these disk images are the loader SYSLINUX as well as the program linuxrc. SYSLINUX allows se
116. ippp0.
    Note: Be careful with the 'Automatic dialing' mode unless you have a flat rate connection.
    You can also configure after how many seconds the connection should be terminated if data transfer is no longer taking place; 60 seconds are recommended for this. Along these lines, when enabled, chargeHUP also exists to make sure that the connection is not terminated until the next payable unit. However, this does not work with every provider. It is highly recommended to select the item 'Initialize ISDN System when booting', so that the necessary drivers are loaded. This alone will not set up an Internet connection. You can also enable the firewall. This way your machine will refuse external connection requests while you can continue to use the network as normal. Note that there are two different firewall packages, the SuSEfirewall and the Personal Firewall. Unlike the SuSEfirewall, Personal Firewall cannot be custom configured. The only specification which can be made for Personal Firewall is the name of the network interface (ippp0, eth0 etc.) where incoming packets can be blocked. You should just accept the addresses suggested by YaST2 under 'IP Settings'. The preselected items 'Dynamic IP Address' and 'Dynamic DNS' ensure that the IP address and name server assigned by the provider are forwarded during the connection, which is usually necessary. Under callback settings, 'Callback off' should
117. is does not work if there are more addresses on the network than hosts. System administrators benefit from DHCP in two different ways. For one thing, extensive modifications can even be made to network addresses or to the overall configuration in the DHCP server's central configuration file without having to configure a large number of clients on an individual basis. Secondly, especially new machines can very easily be integrated into the network, as IP numbers are assigned automatically out of the address pool. The ability to import the appropriate network configuration from a DHCP server is an especially useful feature for laptops, which are often connected to several different networks. Along with the IP address and the netmask, the client is informed of the host and domain names as well as the gateway and the name server addresses to be used. Moreover, numerous other parameters can be configured centrally, such as a time server from which the current clock time can be queried, or a print server. Finally, even clients without hard disks (diskless clients) can import their operating systems and all their configuration files from the network. However, that is material for a chapter in itself and will therefore only be briefly addressed here.
    Further Information: Additional information on DHCP can be found at the web sites of the Internet Software Consortium at http
118. it a group, proceed as directed in the YaST2 help texts displayed in the left pane.
    4.5.2 System Security: In the start screen 'Local security configuration', which can be accessed under 'Security/Users', there are four selection items: 'Level 1' is for stand-alone computers (preconfigured), 'Level 2' is for workstations with a network (preconfigured), 'Level 3' is for servers with a network (preconfigured), and 'custom defined' is for your own settings. If you click one of the three levels, you will have the option of incorporating that level of preconfigured system security options. To do this, simply click 'Finish'. Under 'Details', access the individual settings, which can be modified. If you choose 'Custom settings', you will be taken to the different dialogs with 'Next' automatically. Here find the default installation values:
    1. Password settings: Define how long the password should be for future users (minimum and maximum length). Five to eight characters is a reasonable number. Set for how long a password should be valid, when it expires and how many days in advance an expiration warning should be issued (the warning is issued when logging into the text console).
    2. Boot settings: This screen involves two things. First: how should the key combination
    [Figure 4.19: 'Add a new group' dialog with the fields Group name and Group id; help text: YaST2 provides an easy means of maintaining groups.]
119. it 'Next'.
    Figure 4.23: YaST2 Changing the Installation Source
    4.5.5 Online Update: The YaST Online Update enables installation of important upgrades and improvements (see Figure 4.24 on the following page). Note that an online update can only be carried out if you have completed registration. You can find out more information on this in Section 2.1 on page 7. The corresponding patches are available on the SuSE support server for downloading. The current packages can be installed automatically. On the other hand, you also have the option of personally specifying which patches to add to your SuSE Linux system via 'Manual update'. Click 'Details' to obtain information about your last update and the available packages. Find out about their contents by clicking on 'Display patch information'. With 'Next', reach a list of all the available patches (if you chose 'Manual update') from which to make your selection. With OK or by double-clicking, activate the individual objects. By clicking on 'Next' or 'Finish', the Online Update will be completed.
    [Figure 4.24: 'Welcome to SuSE Package Update'. Help text: SuSE online update is the easy way to get all recommended patches and security fixes from the SuSE ftp server. Automatic Update will connect to the server, fetch the files and install the patches. Manual Update will dis]
120. itions, called physical volumes, to your volume group. The volume group forms the storage pool from which your logical volumes (like virtual partitions) are allocated.
    [Figure 3.12: YaST2 Overview of the Partitions; the list shows several partitions of type 'Linux LVM system'. Help text: under normal circumstances there is no need to have more than one volume group, but if you need more than one volume group for special reasons you can create them here; each volume group must have at least one partition that ...]
    The volume group currently being edited can be modified in the selection box above to the left. The buttons above to the right enable you to create additional volume groups and to delete existing volume groups. However, only volume groups without any more partitions assigned to them can be removed. For a standard SuSE Linux system that is installed, you do not need to create more than one volume group. A partition assigned to a volume group is also called a physical volume, often abbreviated to PV. To add a previously unassigned partition to the volume group you selected, first select the partition and then click on the button 'Add volume' below the selection list. This allows the name of the volume group to be entered next to the partition selected. You should assign all partitions to a volume group meant for LVM, otherwise the space on the partition will re
121. l LILO.
    Other boot manager: Here you can continue to use your own boot manager. Nothing is changed in the MBR (Master Boot Record). LILO will be configured on the boot partition. However, in this case you will be on your own in reconfiguring the existing boot manager.
    To another partition: Select this option if you want to or have to specify another partition variant (see the previous item).
    You will only need to fill out the remaining fields under specific circumstances. In case of doubt, please consult the YaST2 Online Help.
    3.11 Root Password: root is the name of the superuser, or the system administrator. root is permitted to do all the things that the normal user is not permitted to do. The superuser may make changes to the system, such as installing new applications or setting up new hardware. If someone has forgotten their password or has problems with software, root is able to help them. For verification purposes, the password has to be entered twice (Figure 3.18 on the following page). Be particularly careful not to forget the root password.
    Caution: If you forget the root password, it can be quite complicated to restore your system. Do not keep the password where a third party could have access to it. Due to security reasons, we recommend that you do not log in as root. Use the administrator account for this purpose (see Section 3.12).
    LILO, the Linu
122. l ask herself what could motivate these countless developers to push free software. The traditional idea of wage labor does not apply here, of course. Some motivating factors for working on open source projects are outlined in the following:
• Due to the sheer number of open software programmers, each one benefits from work done by the others. She receives more in return than she could program herself.
• The collaboration on a free software project offers, as in the academic world, the opportunity to gain good standing and respect among like-minded people.
• In the open source sector, software technology belongs to everyone. Anyone can join in and do what they want with the code. Previously this was only the privilege of a few companies.
• The programmer can develop free software with completely free developer's tools (compilers, developer's environment). This extends the developer community to many programmers who might otherwise not have had the means to participate in the development process.
Many companies, whether they are Linux distributors or consulting firms, smaller or larger hardware and software manufacturers, take advantage of this motivating potential and either directly or indirectly finance development on open software projects.
1.4 Conclusion
The strengths of an open source solution are obvious. The software critical to your enterprise will be running and stable, since the software has already
123. l file corresponding to the device (e.g. /dev/hdc1).
OPTIONS
-a  This option does the same thing as the -p option. It is provided for backwards compatibility only; it is suggested that people use the -p option whenever possible.
-b superblock  Instead of using the normal superblock, use an alternative superblock specified by superblock. This option is normally used when the primary superblock has been corrupted. The location of the backup superblock is dependent on the file system's block size. For file systems with 1k block sizes, a backup superblock can be found at block 8193; for file systems with 2k block sizes, at block 16384; and for 4k block sizes, at block 32768. Additional backup superblocks can be determined by using the mke2fs program with the -n option to print out where the superblocks were created. The -b option to mke2fs, which specifies the block size of the file system, must be specified in order for the superblock locations that are printed out to be accurate. If an alternative superblock is specified and the file system is not opened read-only, e2fsck will make sure that the primary superblock is updated appropriately upon completion of the file system check.
-B blocksize  Normally, e2fsck will search for the superblock at various different block sizes in an attempt to find the appropriate block size. This search can be fooled in some cases. This option forces e2fsck to only try locating the superblock at a particular
124. lection of a specific kernel for the booting process and to add parameters for your hardware, if necessary. The program linuxrc supports the loading of kernel modules for your hardware and then starts the installation. Normally the SuSE boot disk supplied can be used to boot. Only for exotic hardware not supported by the modularized kernel of this boot disk, or if you download a disk image from the Internet (for example from ftp://ftp.suse.com), do you need to create your own boot disk as described here.
With Setup
Step by step, to create a boot disk:
1. Start setup directly from CD 1.
2. Select floppy and press Enter. Next, select Boot and press Enter.
3. Select a disk with a suitable kernel, for example one that supports your SCSI adapter, if you have one. setup shows the essential part of the kernel descriptions. If you need further information, look it up in disks/readme.dos. Remember the name of your kernel; you will need it later. Now press Enter.
4. Create the boot disk. Insert the DOS-formatted disk into the 3.5" drive and select the disk to create. Only the boot disk is needed; Root is not needed anymore for SuSE Linux. Move the cursor onto Boot and press Enter. setup requests confirmation of disk insertion. Press Enter and the disk is written.
• When this is finished, press Enter. Now select Done to exit this screen and setup.
With rawrite
Alternatively, you might
125. ls that LILO should boot. A few megabytes is enough. It does not matter where you put the rest of your partitions; there are no more restrictions. As soon as the kernel runs, you have unrestricted access to all installed drives. But what to do if there is no space for such a partition? If you neither want to repartition your hard disk, upgrade to SCSI, nor purchase a new BIOS version, there are still two makeshift possibilities:
• Use a boot disk instead of LILO on the hard disk or, if you are also running MS-DOS, use loadlin.
• Install the LILO boot machinery onto a Linux partition in the permitted section and where Linux has write access (e.g. a FAT or VFAT drive). We cannot put the LILO boot sector there as well, so there are only two places to put it: either at the start of an extended partition on the first drive (as long as it is beneath the 1024 cylinder limit) or on the MBR.
Suppose that the partition in question is mounted on /mnt, that LILO is installed in the MBR (/dev/hda), and that you also boot DOS from /dev/hda1. Proceed as follows:
Create a new directory (e.g. /mnt/LINUX) and copy the LILO files mentioned above to it: boot.b, map, message, as well as the chain loader of other operating systems (normally chain.b) and the Linux kernels that LILO should boot. Create a /mnt/LINUX/lilo.conf where all paths point to /mnt/LINUX (see File 9.2.1 on the next page).
9.3 The SuSE Rescue System
126. main unused. Before you can exit the dialog, you will have had to assign at least one physical volume to each volume group.
3.8.4 Logical Volumes
Add, edit or remove logical volumes in this dialog. Click Add if you want to create a logical volume. Specify a size, a format (reiserFS or ext2, for example) and a mountpoint in your file system for the volume.
[Figure 3.13: YaST2 Management of the Logical Volumes. Help text in the screenshot: here you create the logical volumes that are used to store your data; logical volumes are usable in almost every place where normal disk partitions can be used. You can create file systems on logical volumes, use them as swap, use them as raw partitions for databases, and so on. If there is still unallocated physical storage in a volume group, it can be assigned here; an option shows all mountpoints, not only those of the current volume group.]
If you have created several volume groups, you can switch between the different volume groups in the selection list above to the left. The new logical volumes are all located in the volume group shown at the upper left. After you have created all the logical volumes as they are
127. ming from internal clients destined for the Internet will not be tagged with their originating network address, but appear as if they originated from the network interface on your server recognized in the Internet. On one hand, your internal network receives additional protection in that the individual clients are only locally known, and on the other, this saves Internet address space. If you choose not to activate the firewall, network traffic on your Internet connection will not be filtered at all (synonymous with a "no" in the configuration file).
6.4 Proxy Server: Squid
The following chapter describes how caching web sites assisted by a proxy server works and what the advantages of using Squid are. Squid is the most popular proxy cache for Linux/UNIX platforms.
What is a Proxy Cache?
Squid acts as a proxy cache. It behaves like an agent which receives requests from clients (in this case web browsers) and passes them to the specified server provider. When the requested objects arrive at the agent, it stores a copy in a disk cache. Benefits arise when different clients request the same objects: these will be served directly from the disk cache, much faster than obtaining them from the Internet, and at the same time saving overall bandwidth for the system.
Tip: Squid covers a wide range of features, including intercommunicating hierarchies of proxy servers to divide the load, defining strict access control lists for all clients w
128. [Figure 4.29: YaST2 Displaying the Start Protocol. Screenshot of the boot log: snd-card-sb16 module load failures (insmod failed), /etc/init.d/rc5.d/S21alsasound start exits with status 0, S21apache start (Starting httpd, done), Starting personal-firewall (final), checkproc /opt/kde2/bin/kdm, "Master Resource Control: runlevel 5 has been reached", skipped services in runlevel 5: personal-firewall (initial), pcmcia.]
4.6.3 System Protocol
The system protocol documents the running operation of your computer and is stored in the /var/log/messages file. The kernel messages appear here, sorted according to date and time.
[Screenshot: System log /var/log/messages, with entries from automount (expired /suse) and dhcpcd (broadcasting DHCP_DISCOVER, broadcasting second DHCP_DISCOVER, DHCP_OFFER received).]
129. n Configure NIS server. If an NIS server still does not exist on your network, you will first have to activate the item Configure NIS Master Server in the next screen. If you already have an NIS server that is a master, add an NIS slave server if you are configuring a new subnetwork. First you will be presented with an explanation of how to configure the master server. Enter the domain name at the top of the next configuration screen (Figure 4.13). In the checkbox underneath, define whether the host will also be an NIS client, that is, whether users who can also access the data from the NIS server will also be able to log in to it.
[Figure 4.13: YaST2 NIS Server Configuration Tool. Screenshot of the Network Information Service Master Server Setup dialog: NIS Domain Name field (suse.de in the example); checkboxes "This host is also a NIS client", "Active Slave NIS server exists", "Fast Map distribution (rpc.ypxfrd)" and "Allow changing of passwords"; a button for other global settings. The help text explains that checking Fast Map distribution will speed up the transfer of maps to the slaves.]
130. n on network services working for you in the background. Their features are essential for the functioning of your entire network.
6.1 Basic Functions
This section briefly addresses the most basic services required for a functioning network.
Name Resolution: The Domain Name Service (DNS) manages names and IP addresses of your local hosts and retrieves the name information from the entire Internet.
Configuration of the Network Interface: Takes care of assigning IP addresses for your internal clients by way of DHCP (Dynamic Host Configuration Protocol).
Management and System File Sharing: Important user data can be centrally managed and maintained from one main database. The data is exported over NIS (Network Information System).
6.1.1 Domain Name Service
DNS ensures that you never need to memorize an IP address: with the help of DNS, an IP address can be assigned to one or even several names and, in turn, a name to an IP address. In Linux, this conversion is usually taken care of by special software called bind. The host responsible for this conversion is called a name server. The names comprise a hierarchical system wherein the individual name components are separated by periods. The name hierarchy, however, does not have anything to do with the IP address hierarchy described above. Let us take a look at a complete name: laurent.suse.de (hostname: laurent, domain: suse.de). A complete name or, as they are referred to in the professi
131. n with YaST2
[Screenshot: YaST2 Network base configuration. Help text: the base configuration of your network devices is set here; use Edit to edit the network device address, Delete to remove the entry, Add to configure your hardware and set up the device address, and the Hardware button to get a list of hardware you can change. If you configure a modem or ISDN for connection, you can use kinternet. Interface list in the example: No. 0, Active, Ethernet, device name eth0, IP address 10.10.1.170, PCMCIA: No.]
Caution: Only change the configuration of the interface eth0 or the server's IP address if you know exactly what you are doing. The IP address must be left at 192.168.0.1 in order to correspond accurately with the other network service configurations.
The dialog shown in Figure 4.7 will appear. With Add, add the network card to the configuration. With Remove, remove it from the configuration. With Edit, modify the network card configuration. Activate the item Hardware to modify the hardware data for an already configured network card with Edit. You will arrive at the menu for changing the settings of the network card. This menu is shown in Figure 4.8 on the next page. Normally the correct driver for your network card has already been configured by YaST2 during installation and is activated. Therefore manual hardware p
132. nables you to install more software on your machine. In addition, unwanted programs can be removed. To install from a CD, insert the first CD into the drive. In the dialog, the package series will be shown to the left (commercial packages are often located in the pay series). On the right, all the packages belonging to the series selected are listed. Packages already installed on your computer are marked with i.
[Figure 4.21: YaST2 System Security Configuration. Screenshot of the Local security configuration module: with this module you change the local security settings, which consist of the boot configuration, password settings, some user creation settings, file permissions and some other settings; all particular settings are described in the respective dialogs. Current security settings offered: Level 1 (Home workstation), Level 2 (Networked workstation), Level 3 (Network Server), Custom settings. You can choose one of the preset configurations or make your own settings.]
Select and deselect a package by double-clicking, or by selecting the line and then clicking OK. The packages selected for installation are marked with x and ones to remove with a. If a package requires additional packages, these will be automatically selected by YaST2 (label a), or you have the option
133. net Control Message Protocol (ICMP). These protocols comprise the common language used by all machines on the Internet. The abbreviation for this is TCP/IP. Every machine on the Internet has an ID number, the IP address. It can only be addressed by TCP/IP with this number. Normally a machine also has a text name used by application programs to refer to it. The Domain Name System (DNS) is responsible for converting the IP address to a text name. This particular service is offered by name servers. A machine or an application offering a service is called a server (for instance, DNS server), and a machine or application making use of a service is called a client. Below TCP/IP there are various standardized protocols for forwarding the appropriate TCP/IP data transfers to the given transmission method. For network connections via a network card, this is the ethernet protocol. For modem and ISDN telephone connections it is the Point-to-Point Protocol (PPP), and for ADSL/T-DSL connections the Point-to-Point over Ethernet Protocol (PPPoE). The ethernet, PPP or PPPoE connection, followed by the TCP/IP connection between your own machine and a machine at your Internet provider, must be established before setting up an Internet connection. On top of TCP/IP there are various standardized protocols for proper data transfer to the application:
• The HyperText Transfer Protocol (HTTP) serves for the transfer of web sites in HyperText Markup Lan
134. net Server
The following section will provide you with a compact description of how to configure the Apache running on your system to work for you as an Intranet server. Please understand that we cannot offer you a complete explanation of all the configuration options and supplementary modules. For this information, refer to the information sources on page 95. The Apache configuration file is nearly 1500 lines long and not necessarily intended to enthuse the newcomer with intuitive user-friendliness. However, the default configuration provided with the application package is more than sufficient for most purposes. The selected default settings are designed so that the web server can run smoothly on most systems straight out of the box. In order to derive a powerful Intranet server from a newly installed Apache, the following steps are required:
1. Which contents should be presented? The directory from which Apache typically awaits the contents to be presented is /usr/local/httpd/htdocs. Store all files here which are to ultimately be displayed by Apache, with read permissions for other users:
    -rw-r--r--  1 me  my_group  0 Mar 2010 14 26 my_file
Directories are created with read, write and execute permissions for you and read/execute permissions for your group and others. SuSE Apache expects your own personal home page to be called index.html. If you do not have your home page under this name, Apache will acce
135. ng data stock, such as databases, MP3 archives or user directories, the Logical Volume Manager might be just the right thing for you. With this, you could have file systems, for instance, which are larger than a physical hard disk. Another advantage of the LVM is that you can create up to 256 LVs. But please be aware that working with the LVM is quite different from working with conventional partitions. Further information on configuring the Logical Volume Manager (LVM) can be found in the official LVM Howto (http://www.sistina.com/lvm/Pages/howto.html) or at /usr/share/doc/howto/en/html/LVM-HOWTO.html.
3.8.1 Configuring LVM with YaST2
You can activate the YaST2 LVM configuration by selecting Custom partitioning with LVM while you are in the initial phase of preparing the hard disk (see Figure 3.6 on page 16).
3.8.2 LVM Partitioning
First you will reach a dialog where you can change the partitioning of your hard disk (see Figure 3.9 on the next page). If needed, add partitions and volumes. After clicking on Add, select the LVM type in the screen which follows by clicking on Do not format, then specifying 0x8e Linux LVM as File System ID. The LVM partitions do not need to be created yet. Therefore you can ignore the warning which appears after clicking on Next. Also keep in mind that no mountpoint has to be given yet. This is done at a later point.
136. ng on the buttons Connect and Disconnect.
5.3 Configuration of SuSE Linux Clients
After having configured several Windows platforms in the previous section, we would now like to show you how to use a SuSE Linux system as a client of your SuSE Linux Connectivity Server.
Basic Configuration
As described above for Windows 95/98/ME/2000, we will first have to make sure that the network card is configured properly. Start the YaST2 Control Center and select the option Network Card configuration from the category Network Basic. This will open a window where both hardware and software settings for your network card can be defined. Under Interface, now select your network card and click on Edit. Make sure that Automatic Address Setup via DHCP is active and confirm your changes with Next, followed by Finish. Answer yes when the system asks whether or not you would like to save the settings. Your network card is now configured to automatically adapt itself to the DHCP server of the SuSE Linux Connectivity Server. Set up the access to the file server and user database (NIS) in order to access the file service of the SuSE Linux Connectivity Server also from a SuSE Linux system.
File Server Settings
As compared to the previously mentioned Windows solutions, a SuSE Linux system is much easier to configure for accessing your SuSE Linux Connectivity
137. nic. Here the only chance is to repair the system from the outside, using a rescue system. The SuSE Linux rescue system contains the utilities e2fsck and dumpe2fs for diagnosis. These should remedy most problems. In an emergency, man pages often are not available. That is why we have included them in this manual in Appendix 9.3.1 on page 123.
Example: If mounting a file system fails due to an invalid superblock, the e2fsck program would probably fail too. If this were the case, your superblock may be corrupted too. There are copies of the superblock located every 8192 blocks (8193, 16385, etc.). If your superblock is corrupted, try one of the copies instead. This is accomplished by entering the command
    earth:~ # e2fsck -f -b 8193 /dev/damaged_partition
The -f option forces the file system check and overrides e2fsck's error, so that, since the superblock copy is intact, everything is fine.
9.3 The SuSE Rescue System: e2fsck Manual Page
E2FSCK(8)
NAME
    e2fsck - check a Linux second extended file system
SYNOPSIS
    e2fsck [ -pacnyrdfvstFSV ] [ -b superblock ] [ -B blocksize ] [ -l|-L bad_blocks_file ] [ -C fd ] [ -j external-journal ] device
DESCRIPTION
    e2fsck is used to check a Linux second extended file system (e2fs). E2fsck also supports ext2 file systems containing a journal, which are also sometimes known as ext3 file systems. device is the specia
138. not test whether the backup will work, it might actually be worthless.
• Check your log files. Whenever possible, write a small script to search for suspicious entries. Admittedly, this is not exactly a trivial task. In the end, only you can know which entries are unusual and which are not.
• Use tcp_wrapper to restrict access to the individual services running on your machine, so you have explicit control over which IP addresses can connect to a service. For further information regarding tcp_wrappers, consult the manual pages of tcpd(8) and hosts_access (man tcpd, man hosts_access).
• Use SuSEfirewall to enhance the security provided by tcpd (tcp_wrapper). However, if you do not intend to provide any services from your host, you should probably install SuSE personal-firewall instead. Configuring SuSE personal-firewall is as simple as providing the name of the network interface on which inbound traffic should be rejected. Find more information on this in the files /sbin/SuSEpersonal-firewall and /etc/rc.config.d/security.rc.config.
• Design your security measures to be redundant: a message seen twice is much better than no message at all.
8.4 Using the Central Security Reporting Address
If you discover a security-related problem (please check the available update packages first), write an e-mail to security@suse.de. Please include a detailed description of the problem and the vers
139. nsive memory test which takes quite some time to run through. It will, however, more accurately pinpoint the memory error than the BIOS memory test when booting. Now, by pressing Enter, the selected system will be started.
3.3 YaST2 Takes Over
Now the actual installation of SuSE Linux starts with the YaST2 installation program. Figure 3.2 shows you what the screen will look like. During this phase, the hardware available on your system is checked and prepared for the installation. A bar in the middle of the screen shows the progress of the installation. All YaST2 screens have a common format. On the left, help texts are shown providing information on the current help topic. All entry fields, lists and buttons on the YaST2 screens can also be accessed by your mouse. If your cursor doesn't move, your mouse has not been automatically recognized by Linux. You will then need to use your keyboard, as explained in the above section. Following the language selection screen, you will be able to manually configure your mouse.
[Figure 3.2: The hardware analysis (YaST2 Initializing: Checking system)]
3.4 Selecting a Language
SuSE Linux and YaST2 are adapted to use the language you have selected. English is the default setting for the English distribution of SuSE Linux. These settings can be changed individually. Please choose the language to be used for the install
140. nts: Internet and Intranet, file server, print server, Internet gateway with proxy and firewall. This is accomplished by the SuSE Linux Connectivity Server following a relatively simple installation procedure, and it does not necessitate complicated system maintenance. If you have special requirements extending beyond the preconfigured settings, you can obtain support services from SuSE Professional Support. The SuSE Linux Connectivity Server, which is quite robust as compared to other products, features long release cycles. It combines the proven stability of a Linux system with constant up-to-dateness: Online Updates can be automatically installed at any time. Moreover, this will spare you an unnecessary burden on your finances. SuSE designed the SuSE Linux Connectivity Server in order to ensure utmost productivity and profitability in terms of your business network, so that you are free to concentrate on the essentials. Have a lot of fun! Your SuSE Team
1 Why Linux?
1.1 The Alternative Called Linux
Linux stands out from other established operating systems in terms of its unique product philosophy. The principle of open source and free distribution, the success of the open developer's model and the integrated technical features constitute Linux's strengths.
1.2 The Technical Side of Things
This section will focus on a few technical aspects which distinguish Linux from oth
141. o File System 23
3.10 Boot Manager for System Start-Up 24
3.11 Root Password 25
3.12 Creating an Administrator Account 26
3.13 Let's Go! 27
3.14 Preparing the Hard Disk 27
3.15 Installation of Software Packages 27
3.16 Monitor Settings 28
3.17 Network Card 30
3.18 Finishing the Installation 32
3.19 Graphical Login 32
4 SLCS Server Configuration with YaST2 35
4.1 Hardware 36
4.1.1 Printer Configuration 37
4.1.2 Graphical Interface X11 39
4.1.3 Keyboard 40
4.2 Internet Access 40
4.2.1 Basic Internet Connection 40
4.2.2 Instructions for all Types of Internet Access 42
4.2.3 Internet Connection and Local Network 42
4.2.4 ISDN 43
4.2.5 Modem 44
4.3 Network Card 45
4.4 Server Services 48
4.4.1 Basic Samba Configuration 48
4.4.2 NFS Server Configuration 48
4.4.3 NIS Network Information Service 50
4.4.4 E-mail Sendmail 52
4.5 [title illegible] 53
4.5.1 M
142. ocols have been installed and all necessary settings completed, we should first check that the network connection card is correctly recognized by the system. In the start menu, please click on the control panel and select System. In the System Properties window, select the tab Hardware and click on Device Manager, approximately in the middle of the said window. You should find there the details of your network card, together with the name of its manufacturer and model, under Network Adapter. Otherwise, install your network card manually with the driver which came with the package, by following the instructions contained in the relevant documentation.
Installing TCP/IP
Just like in Windows 95/98/ME, you will now have to make sure that TCP/IP is installed so that other services can use it as well. Double-click on the item Network and Dial-Up Connection in the control panel and select the menu item Properties after right-clicking on your network card. A window will now appear containing your network card as well as the Internet Protocol (TCP/IP) and the Client for Microsoft Networks. Otherwise, click on the tab General and select Protocol, Add. In the dialog Choose Network Protocol, select Internet Protocol (TCP/IP) or Client for Microsoft Networks and confirm with OK. Make sure that both your network card name and the Internet Protocol
143. oftware to Linux. The most recent example of this is Oracle's Linux offensive.
Support
The usage of free software is often discouraged since no professional support exists in this sector. These reservations can be addressed in two different ways. An e-mail to the respective supporter mailing list can provide short-term free assistance. Anyone, regardless of whether they are an individual user or a company client, can go through these channels relatively unhindered by red tape. However, with the increasing success of free software, the ratio of users to developers is changing in such a way that individual developers are finding it increasingly difficult to respond to requests. This is why this more traditional method is being supplemented by professional services specializing in the support of free software products. These are not only the Linux distributors (SuSE, Red Hat, Caldera, etc.), independent companies and small specialized companies, but also, more and more frequently, large companies such as IBM, which is in the process of evaluating free software's potential. Here, companies in need of support can purchase it, and can even reach the corresponding developer if they have dire support needs.
1.3 The Philosophy Behind It
Open Source
At the very beginning of UNIX history, the tradition of distributing software simply by passing along the source code was born. The recipient took the code, adjusted it to his hardwar
144. om the slcs.com domain, even if the Internet connection is fully insulated by a firewall. For the newly created .htaccess file to be read at the start-up of Apache, the following option must be enabled in the /etc/httpd/httpd.conf file:
    # This controls which options the .htaccess files in directories can
    # override. Can also be "All", or any combination of ...
    AllowOverride All
If the option above is not enabled, all .htaccess entries will be ignored.
• The same effect as in .htaccess is also achieved by making the parallel entries in the main httpd.conf file. Either individual <Directory> entries are specified, or permission restrictions are set according to category. This method has the same effect as if you were to secure the highest directory level of the web server (the DocumentRoot), including all its subdirectories, by way of .htaccess:
    # Controls who can get stuff from this server.
    Order deny,allow
    Deny from all
    Allow from slcs.com
This brief overview serves as an introduction to the basics of the security of directories rather than as a set of detailed instructions. In addition, a large selection of other, complex security mechanisms exists which can be implemented by an administrator to shake off unwanted visitors. In the same vein, certain regions on a server can likewise be restricted to only authorized users with t
145. on. The mountpoint is the directory in your file system to which the partition is mounted. This option will most likely be useful if you want to store the /home or /opt directories, for example, on separate partitions.
Note: SuSE Linux Connectivity Server uses a /shared directory for exporting common data for Samba and netatalk to all network clients on the system. If you want to use a separate partition for this shared directory, specify /shared as mountpoint.
3.8 Logical Volume Manager (LVM)
The Logical Volume Manager (LVM) enables flexible distribution of your hard disk space over several file systems. Since partitions can only be changed on a running system with relative difficulty, LVM was developed: it makes a virtual pool (volume group, or VG for short) of storage space available, from which logical volumes (LV) can be generated as needed. The operating system will then access the LVs instead of the physical partitions.
Characteristics: Several hard disks or partitions can be merged into one large logical partition. If an LV (such as /usr) gets filled up, you can enlarge it, given the appropriate configuration. You can even extend hard disks or LVs on a running system using LVM, provided that the hot-swappable hardware is suitable for such procedures, of course. Using LVM is already quite beneficial for home PCs or small servers placed under high demand. If you have a growi
146. on files that programs could use such files with the permissions of root. This significantly increases the possibilities of an attacker. Attacks like this are called cuckoo eggs, because the program (the egg) is executed (hatched) by a different user (bird), just like a cuckoo would trick other birds into hatching its eggs.

A SuSE Linux system includes the files permissions, permissions.easy, permissions.secure and permissions.paranoid, all in the directory /etc. The purpose of these files is to define special permissions, such as world-writable directories or, for files, the setuser ID bits, which means the corresponding program will not run with the permissions of the user that has launched it, but with the permissions of the file owner (root in most cases). An administrator may use the file /etc/permissions.local to add his own settings. The variable PERMISSION_SECURITY, set in /etc/rc.config, defines which of the above files is used by SuSE's configuration programs to set permissions accordingly. As a more convenient way to select the files, use the submenu Security in YaST1 or YaST2. To learn more about the topic, read the comments in /etc/permissions or consult the manual page of chmod (man chmod).

File race conditions: Assume that a program wants to create a file in a directory which is world-writable, such as /tmp. First the program checks whether the file already exists and, if that is not the case, creates
147. onal world, a fully qualified domain name (or FQDN) consists of a hostname and a domain segment. The domain segment consists of an arbitrary component (in the above example, suse) and the Top Level Domain (or TLD).

(p. 81, 6 Network Services Behind the Scenes)

Due to historical reasons, TLD assignment is somewhat confusing. In the USA, for example, three-lettered TLDs are used, but in other places ISO descriptions only consist of two letters. Several TLDs are listed in Table 6.1 to give you an idea.

    com  Commercial      Private companies in the USA
    edu  Educational     Schools, universities and other non-commercial educational institutions in the USA
    gov  Government      Government institutions and offices in the USA
    org  Organizational  Non-commercial, non-profit organizations in the USA
    de                   Hosts in Germany
    at                   Hosts in Austria

    Table 6.1: Some Top Level Domains

As you can see, hosts in Germany normally obtain de, at in Austria and ch in Switzerland. In the early days of the Internet (before 1990), the names of all the hosts in the Internet were stored in one single file called /etc/hosts. However, in light of the rapidly growing number of hosts online, this method was no longer efficient. Therefore a decentralized and distributed database was designed. The local name server only knows very few of all host names and forwards requests for unknown hosts to other name servers in the Internet. R
148. only root has the necessary permissions to do so. This example only shows one method of installing with ALICE and places the least amount of demand on the infrastructure. ALICE also enables you to install without using any floppy disks at all, but the diskless method does burden the infrastructure somewhat, and it requires NFS, DHCP and TFTP servers as well as PXE-compatible network cards or a PXE or NETBOOT boot floppy. In the typical scenario, one server functions as an installation and configuration server. The various machines are then booted using a boot floppy and then installed. The procedure is as follows:

First, the environment variable $ALICE_HOME must be set to /usr/lib/alice/samples in the bash with

    export ALICE_HOME=/usr/lib/alice/samples

If the machine has a disk smaller than 6 GB, the file /usr/lib/alice/sample/info/simple/sample/de/sys.tcf must be edited:

    <SYS_PART_hda>
    if 6000 num 1 fsys reiser
    SWAP 256 num 2
    </SYS_PART_hda>

(7.3 Creating a Simple Configuration)

substituting 6000 for the disk size minus 256 MB (SWAP). If the CD-ROM is not /dev/hdc (secondary master on IDE bus), the following tag must be changed:

    <SYS_CDROM_DEVICE>/dev/hdc</SYS_CDROM_DEVICE>

If the network is to also be configured, both of the following tags must be modified:

- Specify module name of the network driver:

    <SYS_INSMOD_MODULES>tulip</SYS_INSMOD_MODULES>
149. oot name servers can be found at the top of the hierarchy. They manage top level domains. Root name servers are administrated by the Network Information Center, or NIC for short. The root name server recognizes each name server responsible for a top level domain. In the case of the German top level domain de, the DE-NIC is responsible for domains ending with the TLD de. More information on DE-NIC can be obtained at the web site http://www.denic.de, and more information on the top level domain NIC can be found at http://www.internic.net.

In order for your machine to be able to resolve a name into an IP address, it must be made public by at least one name server with an IP address. The configuration of a name server is easy with YaST2. If you dial in over modem, you might not need to manually configure a name server at all. The protocol needed for the dialup connection is transmitted along with the address of the name server during the dialing process.

Running the Name Server BIND

The name server BIND8, as well as the new version BIND9, is already preconfigured in SuSE Linux, so that you can easily start it up right after you have installed the Linux distribution.

(p. 82, 6.1 Basic Functions)

With the configuration files included, your name server will already implicitly recognize all the hosts on your local network. Your name server is able to inform each host on the entire network of your colleague's IP address or fully qualified n
150. open, containing your private directory bearing your name as well as the Shared Data area.

(p. 71, 5 Workstation Configuration)

Tip: If your login or trial access to the server fails, there might be a network or password problem. A web front end at http://password, along with the YaST2 user module on the server, can be used to change your password. This web front end can even be run from a client host. If you enter the URL http://password, you will be referred to an https address. There are things to keep in mind for this:

1. Note that older clients (Windows 95) often do not provide any support for the https protocol, so in this case this page will not be accessible.
2. When the connection is first established, the user is informed that this host is not yet known. Normally the browser will then ask whether this host or key should be accepted. This procedure strictly depends on the browser you are using.

If you are using an older version of Windows 95 which does not support the transfer of coded passwords to Samba, you will have to download an update from ftp://ftp.microsoft.com/softlib/mslfiles/vrdrupd.exe and install it to make the encrypted login work.

Linking Drives

Storing data in some deep recess of the network neighborhood would be very complicated indeed. Luckily you can resort to an easy and convenient solution: linking the network drives of the servers to drive letters. In 95/98/ME sele
151. orrectly on your keyboard. If it does not work, you chose the wrong layout. The installation will be continued with Next.

Figure 3.5 (Selecting the keyboard layout and time zone), dialog text: Choose the keyboard layout to use for installation and in the installed system. Then select the appropriate time zone. Choose the country or region where you are located. Specify whether the hardware clock of your machine is set to local time or GMT. Most PCs that also have other operating systems installed, such as Microsoft Windows, use local time. Machines which have only Linux installed should be set to Greenwich Mean Time (GMT). If you are unsure, use the default values already selected.

3.7 Selecting the Hard Disk

Next, select the hard disk where the SuSE Linux System is to be installed. All the hard disks found on your system will be listed (see Figure 3.6 on the next page). Select the hard disk you want to install SuSE Linux Connectivity Server on.

(p. 15, 3 Installation with YaST2)

Normally the SuSE Linux Connectivity
152. or account. This account is for taking care of daily tasks. Give yourself a memorable login name, which can be your first or last name, but not including any special characters or spaces. In conclusion, confirm your password by entering it twice. Use a combination of lower and upper case letters as well as numbers for your password. Next, log into the system using this account. In contrast to a normal user account, the administrator account provides certain features which simplify the administration of the SuSE Linux Connectivity Server.

(p. 26)

3.13 Let's Go

In the following dialog box (Figure 3.19), you will see your previously chosen settings listed. You can also Abort installation here. The installation of SuSE Linux will then be ended and your system will remain unchanged. If you want to change some of your settings, you can click repeatedly on Back until you've reached the dialog box where you want to make your changes. If you click on Next, however, a dialog box will appear asking you if you are sure you want to proceed with the installation. If you answer Yes, install, the installation will begin. If you want to save your selections for later retrieval, click on Save settings to floppy and all the installation settings will be saved to a disk.

Figure residue (Confirm installation), dialog text: YaST2 now has all the required information. Please read all the information carefully before you
153. ource directory (usually /etc). Select if the passwd file should be merged with the shadow file and if the group file should be merged with the gshadow file. You can also adjust the minimum user and group id.

Figure 4.14 (YaST2 NIS server: Changing the directory and synchronizing files), dialog fields: YP Source directory; Merge passwords (yes/no); Merge groups (yes/no); Minimum UID 100; Minimum GID 100.

If you previously enabled Active NIS Slave Server exists, you must now give the host names to be used as slaves. Specify the name and go to Next. The menu that follows can be directly accessed provided you did not activate the slave server setting before. Now the maps (the partial databases to be transferred from the NIS server to the individual clients) can be configured. The default settings can be applied under most circumstances, so nothing usually needs to be changed here. If you still want to make changes here, however, you should be very familiar with the material. Next brings you to the last dialog, where you can define which networks are to be allowed to send requests to the NIS server (see Figure 4.15 on the next page).

(p. 51, 4 SLCS Server Configuration with YaST2)

Normally this is your company network. If this is the case, there should be two entries:

    255.0.0.0  127.0.0.0
    0.0.0.0    0.0.0.0

The first one enables connections to your own host, while the second one allows all hosts which ha
154. play all available patches and you can choose which patches should be installed. Information about the last update will be shown if you click on the Details button. If you click on button

Figure 4.24 (YaST2 Online Update), dialog fields: Last update information (Last update was executed ...); Choice of update mode (Automatic Update / Manual Update); Choice of installation source (Installation source).

Online Update from the Console

To the benefit of system administrators and command line fans, the Online Update can be started in a shell. As root, load the current patch list and all related rpms from the first server in the /etc/suseservers list using the command

    earth:/root # yast2 online_update auto.get

If you just want to load certain patches, you can add options to the command. Among these options are security, recommended, document, YaST2 and optional: security retrieves security-related patches, recommended fetches updates recommended by SuSE, document provides you with information on the patches or on the FTP server, YaST2 fetches YaST2 patches and optional gets minor updates. The command for downloading the security patches, for example, reads

    earth:/root # yast2 online_update auto.get security

The FTP server list from /etc/suseservers is typically loaded when you enter auto.get. To disable it, deactivate the function in the /etc/rc.config. To do this, set yes to
155. r Issues

Many printers are sold as Windows printers or GDI printers (GDI stands for the Windows Graphical Device Interface); such printers are designed to work with only one operating system. They are often difficult or impossible to configure to work with Linux; some of them are capable of using other standard printer languages and are thus usable, while others will only work at all with Windows(TM). Consult the CDB at http://cdb.suse.de or check with the hardware manufacturer if you are unsure.

(p. 38)

Figure residue (YaST2 printer configuration: Manufacturer and model of the printer), dialog text: Select manufacturer of your printer. After selecting a manufacturer, the list of models is updated with printers made by the selected manufacturer. Choose one. If you cannot find your printer, try the Generic printers or Ghostscript devices. If you do not know which protocol your printer uses, consult the printer's manual or contact the manufacturer. A lot of the Lexmark inkjet printers are so-called GDI printers. Normally such printers are not supported by Linux. Please find information regarding GDI printers and normal printer languages in your manual or in the support database articles "GDI printer" and "Purchase of printers and compatibility", which are also available online under http://sdb.suse.de/sdb/en/html/ke_printer_gdi.html and http://sdb.suse.de/sdb/en/html/jsmeix
156. rams

Figure 4.25 (YaST2 Updating the System), dialog text: Which kind of software group do you want to have in the following selection? All packages (very time consuming), Minimal, Default, Default with Office. Update and add features which are new in current version. If you only want to update your existing system and programs, you can deselect this option.

4.5.7 Boot Mode

The boot mode is normally specified during installation. If you already can boot your SuSE Linux system, you do not need to change anything at this point, unless you have been booting from a floppy and now want to boot from the hard disk.

(p. 61, 4 SLCS Server Configuration with YaST2)

Otherwise, configuring the boot mode on a running system is only relevant for experts, especially to set kernel parameters after installing a new kernel. In this dialog, under System, define where LILO (LInux LOader) should be installed. Four options are available to you:

1. Write LILO to the boot disk (MBR): in the MBR (Master Boot Record) of your hard disk, in /dev/hda on IDE systems or /dev/sda on pure SCSI systems.
2. Create a boot floppy.
3. Do not use LILO (a different boot manager is required).
4. Write LILO to a different partition.

If SuSE Linux is the only operating system on your computer, select Option 1, which installs LILO in the MBR of your hard disk. Also choose this option if you want to u
157. ration structures, configuration files do not have to be tracked down again and again on each server. The software behaves in a predictable manner due to its equal version status. Bug fixes prevail over the entire network landscape. All these aspects contribute to improved production quality.

7.1 What is ALICE

ALICE (Automatic Linux Installation and Configuration Environment) is an application package consisting of various modules which are responsible for installing and configuring workstations and servers. This is carried out in two steps. In the first step, configuration files and the boot medium are generated. The second step proceeds with the installation and configuration of the machines in accordance with the configuration files. With ALICE you can install individual machines, such as servers, as well as numerous related machines (cluster nodes, server farms). To simplify the configuration process, a different configuration is not created for each individual machine. Instead, the machines can be classed. When using this classing system, only the unique characteristics of each machine have to be specified, such as the network IP address. Some basic understanding of system administration in Linux/Unix is required to be able to use ALICE.

7.2 How ALICE is Installed

ALICE is needed to prepare the configuration on a workstation and the target system to be installed. Of course, ALICE is installed automatically on the target syst
158. required, the LVM configuration will be complete. You can then exit the dialog and continue on to software selection if you are currently in the process of installation.

Caution: Implementing the LVM is also associated with increased risk factors, such as data loss. Possible dangers are application crashes, power outages and faulty commands. Please secure your data before putting LVM to use or before reconfiguring volumes, that is, do not work without backup.

(p. 22, 3.9 Configuring the Crypto File System)

Figure 3.14 (YaST2 Creating Logical Volumes), dialog fields: Create Logical Volume; Logical volume name (e.g. var, opt, home); Mount Point; Size (max 4.1GB; e.g. 4.1G, 210MB); Format with Filesystem (ReiserFS); Crypt filesystem; Stripes.

3.9 Configuring the Crypto File System

Partitioning in YaST2 gives you the option of completely encrypting a partition, that is, by creating a file system which is subsequently encoded with the twofish algorithm. While the partition is being mounted, the data is not encrypted and can thus be read by anybody. Once it is unmounted, however, the data will be absolutely secure. Even if the hard disk or laptop get stolen, there is no way the data can be retrieved without a password. If you want to encrypt a partition, specify the beginning and ending cylinder and finally the desired partition size as suggested
159. res ... 65
6.5 Intranet Server ... 69
6.5.1 Apache
7 ALICE
7.1 What is ALICE
7.2 How ALICE is Installed
7.3 Creating a Simple Configuration
7.4 Further Information
8 Security and Confidentiality
8.1 Basic Considerations
8.2 Local Security and Network Security
8.2.1 Local Security
8.2.2 Network Security
8.3 Some General Security Tips and Tricks
8.4 Using the Central Security Reporting Address
Page numbers (spilled column): 69 69 69 72 75 76 77 81 81 81 83 84 85 85 87 88 88 90 93 93 97 97 97 98 100
vi
9 Troubleshooting ... 113
9.1 Creating a Boot Disk ... 113
9.1.1 Creating a Boot Disk in DOS ... 113
9.1.2 Creating a Boot Disk with UNIX ... 114
9.2 LILO Problems ... 115
9.2.1 Diagnosis of Errors: LILO Start Messages ... 116
9.2.2 The 1024 Cylinder Limit ... 117
9.3 The SuSE Rescue System ... 119
9.3.1 Working with the Rescue System ... 120

Foreword

The SuSE Linux Connectivity Server is the ideal tool for small commercial networks, designed for small business without an on-site system administrator. This server offers you an all-in-one solution for your clie
160. rison to other systems. For example, Linux automatically generates dynamic hard disk data caches during operation. In this vein, it works in read-ahead mode (provisionally reading sectors in advance) and delayed-write mode (write accesses are reserved and executed in one go). The delayed write procedure is also the reason why you should not just switch off a Linux machine. Both of these aspects are responsible for the main memory only seeming to fill up with time, and are the reason why Linux is so fast as well. In particular, as of Version 6.3, SuSE Linux features full support for LVM (Logical Volume Manager). As of Version 7.2, the LVM can even be configured in an installed system with the help of its own YaST2 modules. This option is especially useful for those who are working with memory management of a large scale, such as for databases.

Multiuser and Multitasking

Just like its UNIX ancestors, Linux is a real multiuser system. That means that a system can be used simultaneously by multiple users. They can be working directly from affiliated terminals or (and which is usually the case) access it over the network. In contrast to Windows NT environments, where the server must communicate with the client applications on the client itself, the user logged in to Linux has access to a complete user environment with all its services. Even for stand-alone workstations which do not have access to a ne
161. rivers (not for ATAPI), network modules. Select the corresponding item shown on the screen. Insert a, preferably empty or formatted, disk and click Next. The respective contents will be written to the disk.

The above-mentioned boot disks should not be confused with the boot disks used to boot an already installed system. This type of disk will be created, for example, during installation and will start your Linux installed on the hard disk when the floppy is in the drive while your computer is booting. If all else fails, you can also start an already installed system with the boot disk created above. For this, boot from the floppy disk, then, once it asks you to insert the first CD, exit the dialog to prevent the start of a reinstallation. After making the following language and keyboard entries, you will reach a menu where you can choose Start installation system. In the following window, Boot installed system will appear.

4.6 Miscellaneous

4.6.1 Hardware Information

YaST2 detects the hardware for the configuration of its components. The technical data it recognizes is displayed in this screen. This is especially useful if you

(p. 63, 4 SLCS Server Configuration with YaST2)

Figure residue (YaST2 Create boot, rescue or module disk), dialog text: Select one of the boot disks to generate. Standard boot disk; Fallback boot disk for i386 and older Cyrix processors (has no frame buffer suppo
162. rpc.nfsd. They are started by the /etc/init.d/portmap and /etc/init.d/nfsserver scripts when booting the system. After starting these daemons, you must state which file systems are to be exported to which hosts. Do this in the /etc/exports file. One line should exist for each directory, indicating which hosts are to access it and how. All subdirectories in these directories will likewise be exported automatically. The permissible hosts are usually indicated by their names (including the domain). Wildcards, which have the same function known from the bash, can also be used. If no host name has been given, each machine may access this directory (with the appropriate permissions).

The permissions to be exported along with the directory are given inside parentheses. The most important options for access permissions are described in the following table:

    ro              File system will only be exported read-only (default).
    rw              File system will only be exported with write and read permissions.
    root_squash     This option causes the user root of the specified host not to have the special permissions on this file system which root would otherwise have. This is achieved by converting accesses by the root user ID 0 to user ID 65534 (footnote 2). This user ID should be assigned to user nobody (default).
    no_root_squash  Do not convert root accesses; root permissions are thus retained.
    link_relative   Convert absolute symbolic links (those
163. rt module disk. Press button Next to follow the workflow.

Figure 4.27 (YaST2 Creating a Boot, Module Disk), dialog text: Boot disks; Rescue disks; Module disks (SCSI/RAID, EIDE and PCMCIA modules, non-ATAPI CDROM drivers, network modules). You can use this new boot floppy to boot either the installed system or the rescue system from CD. To start the rescue system, boot from a floppy disk or CD and select the line Start installation system.

want to post a support request, for instance. You will need hardware information to do this.

Figure 4.28 (YaST2 Displaying Hardware Information), dialog text: Hardware info displays the hardware details of your computer. Click any node for more info. All entries: Architecture 386; Boot architecture; Boot disk; CDRom; CPU; Disk; Display; Floppy disk; Has APM: No; Has PCMCIA: No; Has SMP: No; Keyboard; Network devices; Network interface; Storage media; System.

4.6.2 Start Protocol

Start protocol is the screen messages which appear when the system is booting. This protocol is stored in the /var/log/boot.msg file. View it easily with this YaST2 module and confirm that all services and functions were started as anticipated.

(p. 64, 4.6 Miscellaneous)

Figure residue (boot log): lib modules 2 4 7 4GBy
164. s exact information as to how LILO stores the locations of its files, which BIOS device numbers LILO uses for their respective hard disks, and more.

3. Check the consistency of the hard disk geometry data. In actuality, there are up to four areas of interest here:
   a. The geometry LILO uses. See the log file mentioned above. Is influenced by the disk specification in lilo.conf.
   b. Geometry which was recognized by the Linux kernel. See the boot messages (/var/log/boot.msg or the command output dmesg). Informed by kernel parameters to a certain extent.
   c. Geometry which the partition table is based on. See the output of fdisk -l. Influenced by fdisk expert commands. Very risky for data: a full backup is under any circumstances highly recommended, and really only for experts.
   d. Geometry recognized by the BIOS. LILO discovers this geometry later when the system starts, and it must be able to work with it. See the BIOS setup and, if applicable, the SCSI host adapter (if available). This is influenced by the BIOS setup.

If there are discrepancies, making a good decision as to "where should I make adjustments" is often the best method leading to the path of least resistance. The following data should be examined when attempting to solve problems:
- /etc/lilo.conf
- Command output fdisk -l (partitioning)
- Above-mentioned log files
- BIOS and SCSI BIOS hard disk settings

9.2.2 The 1024 Cylinder Limit

Note
165. sages 116
troubleshooting 116
problems with 115
troubleshooting 116
Linux 1, ... 113
loadlin 118
Logical Volume Manager, see YaST2, Logical Volume Manager
LVM 25, see YaST2, LVM

M
mkfs 120
mkswap 120
modem, see YaST2, modem
module disks 62
mount 85, 120
mountd 85, 86
multitasking system 2
multiuser system 2

N
name server, BIND 82
netstat 120
network card, see YaST2, network card
Network File System, see NFS
Network Information Service, see NIS
networks, Internet connections and 42
NFS 85
NFS client 85
NFS server 48, 85
nfsd 85, 86
NIS 49, 84
nmbd 88
nmblookup 88

O
Online Update 58, see YaST2, Online Update
open source 4

P
package ... 26, ... 97
... 83
... 48
pam_auth 8
passwords 54
PBX 43
personal firewall 88
Personal Firewall 41, 42, 44
pident 92
portmap 85
print service 85
printer, GDI printers 38
Lexmark 38
Windows-only 38
printing, see YaST2, printing
proxy, client configuration 76
Proxy ... 90
166. samba.html is the official mirror of the Samba site. In the subdirectory http://de.samba.org/samba/docs you will find a summary of the most important and current information sources, including man pages, on this topic.

6.3 Security

6.3.1 Firewall

Your server is protected from attacks coming from the Internet by an easy-to-use packet filter. The personal firewall works almost maintenance-free and is ready for implementation (p. 88) following a single configuration step. When it is active, it allows access to the Internet from the inside out, but blocks connections from the outside in. Since the SuSE Linux Small Business Server was conceived as a pure file and print server for private networks and does not offer any Internet services (FTP, HTTP, etc.), it can be easily but very effectively secured with this solution. When the personal firewall is active, all data packets belonging to any one of these three categories will be refused:

- UDP packets
- Attempted external TCP requests
- ICMP Redirect Subtypes (ICMP Redirects can be used to trigger your machine to change its routing table)

Personal Firewall is exclusively configured using a single variable stored in the file /etc/rc.config.d/security.rc.config. The variable which needs to be configured is REJECT_ALL_INCOMING_CONNECTIONS. As soon as a reasonable configuration option has been chosen for this, the firewall will automatically start after configuration
167. se LILO as a boot manager for multiple operating systems. First make sure your operating system can be booted by LILO (usually MS-DOS and Windows 9x/Me). If you are using several operating systems but are not sure whether they can be booted by LILO, or you want to leave the previous start mechanism unchanged, use the option Create a boot floppy. Thus you can boot SuSE Linux from the floppy disk. If you already have a boot manager installed and you want to add SuSE Linux to it, select Write LILO to the boot partition if you have another boot manager. After installing SuSE Linux, reconfigure the existing boot manager and integrate SuSE Linux into the booting process. The items Write LILO to a different partition and Kernel boot parameters are for advanced users. Click on Next to install LILO.

Tip: To install LILO on a boot disk, you do not need to change anything on your previous boot mechanism and can start SuSE Linux from the floppy disk any time. The option Create a boot floppy is therefore the best alternative for the implementation of additional operating systems.

4.5.8 Creating a Boot, Rescue or Module Disk

Using the YaST2 module under System, create two different types of boot disks, a rescue disk and two kinds of module disks. Both boot disks enable initial installation if you have problems booting from CD. The disks are actually not intended for booting an already installed
168. sed on IP addresses alone. Try to keep the most important network-related packages up to date and subscribe to the corresponding mailing lists to receive announcements on new versions of such programs (bind, sendmail, ssh, etc.). The same should apply to software relevant to local security.

Change the /etc/permissions file to optimize the permissions of files crucial to your system's security. If you remove the setuid bit from a program, it might well be that it cannot do its job anymore in the way it is supposed to. On the other hand, consider that in most cases the program will also have ceased to be a potential security risk. You might take a similar approach with world-writable directories and files.

Disable any network services you do not absolutely require for your server to work properly. This will make your system safer, plus it prevents your users from getting used to a service that you had never intended to be available in the first place (the so-called legacy problem). Open ports (with the socket state LISTEN) can be found with the program netstat. As for the options, we suggest that you use netstat -ap or netstat -anp. The -p option allows you to see which process is occupying a port under which name. Compare the netstat results with those of a thorough port scan done from outside your host. An excellent program for this job is nmap, which not only checks out the ports of your machine but also draws some conclusions as to which
169. services are waiting behind them. However, port scanning may be interpreted as an aggressive act, so do not do this on a host without the explicit approval of the administrator. Finally, remember that it is important that you not only scan TCP ports but also UDP ports (options -sS and -sU).

To monitor the integrity of the files of your system in a reliable way, use the program tripwire. Encrypt the database created by tripwire to prevent someone from tampering with it. Furthermore, keep a backup of this database available outside your machine, stored on an external data medium not connected to it by a network link.

Take proper care when installing any third-party software. There have been cases where a hacker had built a trojan horse into the tar archive of a security software package, which was fortunately discovered very quickly. If you install a binary package, have no doubts about the site from which you downloaded it. Note that SuSE's RPM packages are gpg-signed. The key used by SuSE for signing reads as follows:

    ID: 9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
    Key fingerprint: 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C80 0ACA

The command rpm --checksig package.rpm shows whether the checksum and the signature of an uninstalled package are correct. Find the key on the first CD of the distribution and on most key servers worldwide.

Check your backups of user and system files regularly. Consider that if you do
170. ...sful in a relatively short time. On the other hand, it also requires quite an effort. In any case, the attacker will need a good understanding of the actual structure of the trust relationships between hosts. The attacker often needs to target a well-timed DoS attack at the name server as well. Protect yourself by using encrypted connections that are able to verify the identity of the hosts to which to connect. Worms: Worms are often confused with viruses, but there is a clear difference between the two. Unlike viruses, worms do not need to infect a host program to live. Rather, they are specialized to spread as quickly as possible on network structures. The worms that appeared in the past, such as Ramen, Lion, or Adore, make use of well-known security holes in server programs like bind8 or lprNG. Protection against worms is relatively easy. Given that some time will elapse between the discovery of a security hole and the moment the worm hits your server, there is a good chance that an updated version of the affected program will be available on time. Of course, that is only useful if the administrator actually installs the security updates on the systems in question. 8.3 Some General Security Tips and Tricks. Information: To handle security competently, it is important to keep up with new developments and to stay informed about the latest security issues. One very good way to protect your systems aga
171. shell client, which is actually a much better option, as ssh encrypts all network traffic. To do so, the host and the network need to be connected and the user needs to log in and authenticate. The possible actions are still restricted, however, by the file permissions. Reading a file locally on a host requires other access rules than opening a network connection with a server on a different host. There is a distinction between local security and network security. The line is drawn where data has to be put into packets to be sent somewhere else. 8.2.1 Local Security: Local security starts with the physical environment in the location where the computer is running. Assume that your machine is set up in a place where security is in line with your expectations and needs. The main goal of local security is to keep users separate from each other, so that no user can assume the permissions or the identity of another one. This is a general rule to be observed, but it is especially true for the user root, who holds the supreme power on the system. User root can take on the identity of any other local user without being prompted for the password and read any locally stored file. For an attacker who has obtained access to local resources from the command line, there is certainly no shortage of things that could be done to compromise the system. Passwords: On a Linux system, passwords are of course not stored as plain text, and th
172. ...sources. 1.2 The Technical Side of Things: Due to this reason, it is significantly more difficult for computer viruses to cause damage on Linux systems. A virus inside a mail attachment can never access the system resources and thereby afflict the entire system:
- The user lacks the file permissions to run a program in an attachment such that it could affect any changes to the entire system.
- A virus can only cause damage to a system if the virus obtains root access, by carelessly being run by superuser root or by taking advantage of security gaps.
- There are dozens of Linux mail programs; it is more difficult to cause damage across the board in a mixed environment than in a monoculture.
In addition, security gaps in programs whose code could potentially be read by anybody on this planet are detected and fixed more quickly than in software whose sources are not freely available. There, potential security gaps may linger without ever being detected. Free software, on the other hand, is transparent, and anybody who finds a security gap can draw attention to it. To this end there are even special mailing lists, web sites, and forums, such as SecurityFocus (http://www.securityfocus.com). Usually the developers of the affected software, often in collaboration with those who have discovered the security gap, can quickly solve the problem. Frequently, what are known as code audits are instituted. Project developers
173. ...spective data of different users must be stored separately. Security and privacy need to be guaranteed. Data security was already an important issue even before computers could be linked through networks. Just like today, the most important concern was the ability to keep data available in spite of a lost or otherwise damaged data medium (a hard disk in most cases). This chapter is primarily focused on confidentiality issues and on ways to protect the privacy of users, but it cannot be stressed enough that a comprehensive security concept should always include procedures to have a regularly updated, workable, and tested backup in place. Without this, you could have a very hard time getting your data back, not only in the case of some hardware defect, but also if the suspicion arises that someone has gained unauthorized access and tampered with files. 8.2 Local Security and Network Security: There are several ways of accessing data:
- personal communication with people who have the desired information or access to the data on a computer
- directly from the console of a computer (physical access)
- over a serial line
- using a network link
In all these cases, a user should be authenticated before accessing the resources or data in question. A web server might be less restrictive in this respect, but you still would not want it to disclose all your personal data to any surfer out there. On a SuSE system, a few tweaks are suffici
174. ...ss its own default home page. 2. Now the most basic entries can be made as root in the /etc/httpd/httpd.conf file. These include: ServerRoot /usr/local/httpd (the file tree in which all Apache-specific files are located; they are stored here); ServerAdmin (the administrator's e-mail address; if a page cannot be displayed on the new server, this address will be relayed along with other data); ServerName (fully qualified name of the server); DocumentRoot (the DocumentRoot variable is /usr/local/httpd/htdocs, as specified in Step 1); CustomLog /var/log/httpd/access_log common (by default, access attempts are logged on your server here); ErrorLog /var/log/httpd/error_log (error messages are archived here). 3. If individual directories or even the contents of the server are to be protected from unauthorized entry, there are several simple security mechanisms which can be implemented for this. Protection of specific directories via .htaccess: Every directory you want to have secured receives its own .htaccess file containing the following relevant lines:
order deny,allow
deny from all
allow from slcs.com
The directory and all subdirectories where this file is located are now secured against external access attempts and only allow the sending of data to hosts in the internal domain slcs.com. You can proceed in the same manner in order to block certain hosts fr
175. ...st button Select from list. [Figure 4.8: Configuration of the Hardware Parameters] ...specify the IP address and other IP network data. Look at Figure 4.9 for more information. Select the card number, then click Edit. A new dialog will appear where the IP address and the rest of the IP network data can be specified. Normally, no additional information needs to be entered here. [Figure 4.9: Configuration of Network Addresses. The YaST2 dialog Network address setup for network device eth0 offers the setup methods Automatic address setup via DHCP and Static address setup (with IP address and subnet mask under Detailed settings). Select dynamic address assignment if you have a DHCP server running on your local network; you should also select this if you do not have a static IP address assigned to you by your cable or DSL provider. Network addresses will then be obtained automatically from the server.] 4.4 Server Services. 4.4.1 Basic Samba Configuration: With the program package Samba, SuSE Linux Connectivity Server can be enhanced to a powerful file and print server for DOS and Windows machines as well. Normally no changes need to be made here, provided you have adopted the default values (domain/workgroup
176. system. With a little trick, however, you can still use them to boot an already installed system. Boot disks: The default boot disk is the one found in your SuSE Linux box. Otherwise, create a boot disk for i386 and older Cyrix processors. 4.6 Miscellaneous. [Figure 4.26: YaST2 Configuring the Boot Mode. The dialog offers: Write LILO to the boot disk; In the MBR (the Master Boot Record); Create a boot floppy; Do not use LILO (a different boot manager is required); Write LILO to a different partition; Kernel boot parameters; use the linear option; Activate partition. Its help text reads: LILO, the Linux LOader, can be installed in numerous ways. In the MBR: this is recommended whenever SuSE Linux is the only operating system on the hard drive or if you definitely know that you can boot all the other operating systems with LILO. The old MBR should be saved to disk as a precaution. On a floppy disk, if your system has a floppy disk drive, if you want to avoid the ...] Rescue disk: The rescue disk can help you regain control of and access to your system. A minimal Linux will be loaded which contains all the helpful tools needed to resolve most problems. Module disks: If you need additional modules or drivers for your hardware, for example for installing over the network, create one of these disks. Modules for SCSI, RAID, EIDE, and PCMCIA and old CD-ROM d
177. ...tart the installation, switch on your computer and insert the first SLCS CD into the drive. In order to be able to proceed with the installation, your system must be bootable from CD. If this is not the case, you might have to change your BIOS settings or, if SCSI systems are being implemented, the boot sequence of your SCSI controller. Then consult your manufacturer's documentation. If your machine does not boot from the CD-ROM, you will have to change the settings in the computer's BIOS, depending on what kind of CD-ROM drive is in the machine. You can find more information on this in Chapter 9.1 on page 113. 3.2 The Opening Screen: A screen as in Figure 3.1 on the following page shows you that the system is ready to be booted for the installation. Be sure to select Installation here (the default selection). Either wait a few seconds or just press Enter to load the kernel. A few seconds later, a minimal Linux system is loaded which takes over the rest of the installation procedure. A number of messages and copyright notices will then appear on the screen. At the end of the loading process, the YaST2 program will start, and a few seconds later the graphical interface of YaST2, the SuSE Linux installation program, will be displayed. [Figure 3.1: the opening screen, with the menu items Installation, Manual Installation, Rescue System, Memory Test; boot options: linux; F2 Text mode, F3 VGA 640x480, F4 SVGA 800x600]
178. ...tected, a dialog appears where you can make your selection of ISDN protocol. Euro-ISDN (EDSS1) is the standard for this in Europe (refer to Scenarios 1 and 2a below). 1TR6 is a protocol used by older and larger phone systems (refer to Scenario 2b below). NI1 is the standard in the USA. If this automatic recognition fails, choose the correct ISDN card (Figure 4.5 on page 45). Then specify the ISDN protocol and go on to Next. In the screen which follows, specify your country and provider. The ones listed here are Call-by-Call providers. If you want to use a provider not included in this list, click New. The ISP parameters screen will appear, where you can make all the necessary settings pertaining to your preferred provider. ISDN SyncPPP is the standard ISDN type. Specify the provider name for the Connection Name, then the provider's telephone number. In the case of an interposed PBX, you might need an additional number in front of the phone number itself to dial out, usually a zero or nine, but it is best to refer to the instructions for your PBX. The entire telephone number may not contain any separators such as commas or blank spaces. Enter the username and password received from your provider. Next, proceed to the ISDN connection parameters. The following scenarios require various specifications for your Phone Number: 1. The ISDN card is connected directly to the phone
179. that begin with / into a relative series of ../. This option only makes sense when the entire file system of a host is mounted (default). link_absolute: Symbolic links remain unchanged. map_identity: The same user IDs are used on the client as on the server (default). map_daemon: Clients and servers do not have matching user IDs. This option instructs the nfsd to generate a conversion table for the user IDs. The daemon ugidd has to be activated before this entry can be made. Table 6.2: Access permissions for exported directories. The exports file could appear as shown in File Output 6.2.1 on the facing page. The /etc/exports file is read by mountd and nfsd. Therefore, if this file has been modified, mountd and nfsd will have to be restarted to apply these changes. 6.2 File and Print Service.
# /etc/exports
/home            sun(rw)  venus(rw)
/usr/X11         sun(ro)  venus(ro)
/usr/lib/texmf   sun(ro)  venus(rw)
/                earth(ro,root_squash)
/home/ftp        (ro)
# End of exports
File 6.2.1: /etc/exports. This is most easily done with the command earth:~ # rcnfsserver restart. 6.2.2 Samba: The program package Samba enables you to convert any UNIX machine into a powerful file and print server for DOS, Windows, and OS/2 machines. The Samba Project is run by the Samba Team and was originally developed by the Australian Andrew Tridgell. Samba uses the SMB protocol (Server Message Block) from Microsoft. Due to the initiative of
180. the disk and CD-ROM drives are bootable. If necessary, you will need to change the boot sequence in the CMOS setup. Following are the steps for starting the rescue system: 1. Start your system with the SuSE boot disk or with the first SuSE Linux CD inserted in your CD-ROM drive. 2. Launch the entire system or, at the boot prompt, either enter yast or manual, where you can define which kernel modules should be loaded. 3. Make the respective settings for language, keyboard, and screen. 4. Select the item Installation / Start system in the main menu. 5. If you started with the boot disk, you should now insert the installation CD or the rescue disk with the compressed image of the rescue system. 6. In the menu Start installation / system, select the item Start rescue system, then specify the desired source medium. Subsequently we will introduce a few tips on the selection options. CD-ROM: When loading the rescue system, the path /cdrom is exported. This makes the installation from this CD possible. Note: You now still need to enter the required values in SuSEconfig. Network (NFS): To start the rescue system via NFS from the network, you must have the driver for your network card already installed. Network (FTP): To start the rescue system via FTP from the network, you have to have your network card driver ready. Hard disk: Load the rescue system from the hard disk.
181. the network card. In the unexpected event that no such item is listed, you will have to configure the network card first. You will find the necessary information in your network card documentation. Now close the window System Properties by clicking OK. Installation of Required Components: Once your system detects the network card, make sure that it has all software components needed to allow the Windows system to access the server. In the control panel, select the item Network. It will open a window with three tabs and one overview of the network components installed (see Figure 5.1). Along with the network card, this list should at least include the installed Client for Microsoft Networks and the TCP/IP Protocol. Some PCs have those components. If your PC does not, you will have to install them separately. Select Add and double-click on Client; in the new window select Microsoft as well as Client for Microsoft Networks and confirm your selection with OK. For the manufacturer Microsoft, you will find TCP/IP under Protocols. Please remember that you will probably need a Windows CD, as well as to restart the system after the installation. [Figure 5.1: Network Configuration in Windows 95/98; the component list shows Client for Microsoft Networks, Realtek RTL8139 PCI Fast Ethernet Adapter, and TCP/IP]
182. thing that runs over the wires. What can be achieved with a printer can also be accomplished in other ways, depending on the effort that goes into the attack. Networks make it easier for us to access data remotely, but they do this with the help of network protocols, which are often rather complex. This might seem paradoxical at first, but is really indispensable if you wish to remotely control a computer or to retrieve data from it, no matter where you are. It is necessary to have abstract, modular designs with layers that are more or less separate from each other. We rely on such modular designs in many daily computing situations. Modularity means that your text processor, for example, does not need to know about the kind of hard disk you use, or your e-mail program should not be concerned with whether you have a modem or an ethernet card. Components of your operating system (Linux in this case) provide the necessary functions and make these available to the system through a predefined interface. With this modularity, a text processor or a mail user agent (MUA) can function on a variety of hardware platforms, and you can run them from some place in the world with the necessary equipment. Regarding the data, there is no difference between opening a file from a command line or looking at it with a web browser. The file could also be read via a network using a telnet program or with a secure
183. ...tion disk inserted in its place. Following that, wait until all packages have been installed and you have been asked for the root password. The root password can also be automatically set by ALICE by inserting the following tags in the simple sample de sys.tcf file:
<SYS_SET_ROOT_PWD>yes</SYS_SET_ROOT_PWD>
<SYS_ROOT_START_PWD>laM8LehhunciE</SYS_ROOT_START_PWD>
The password will then be blank. YaST may prompt you to insert additional CDs for installing the remaining packages. Finally, the system will reboot and ALICE will finish the configuration. Voilà, the new system is installed and configured. ALICE provides many other options as well, above and beyond those described in the example presented above. 7.4 Further Information: Here you will find further information about ALICE: http://www.suse.de/fabian and http://list2.suse.com/alice. 8 Security and Confidentiality. 8.1 Basic Considerations: One of the main characteristics of a Linux or UNIX system is its ability to handle several users at the same time (multiuser) and to allow these users to perform several tasks (multitasking) on the same computer simultaneously. Moreover, the operating system is network transparent. The users often do not know whether the data or applications they are using are provided locally from their machine or made available over the network. With the multiuser capability, the re
184. ...tween users and developers. Decisions on design are openly discussed. Errors can be detected in a timely manner and eradicated. The consistent use of the Internet contributes to the enormous progress in development and to the world-wide propagation of the system. Developmental decisions are discussed on mailing lists and over special Internet forums. The various software versions are managed in CVS and are consistently maintained. The newest versions, including bug fixes and updates, are distributed world-wide over FTP servers. Free Software: The definition of free software extends beyond just the open availability of the source code at no cost. Strictly speaking, the concept of free software entails more and is defined in the GNU General Public License (GPL). Open source also implies the freedom to do what you want with the software, and also to modify and adjust it according to your own needs, not to mention to pass the source code along. To protect this freedom, the GPL contains restrictive clauses guaranteeing the open availability of GPL code. Thus, any code derived from GPL code must ultimately fall under the definition of GPL. The program source must be publicly accessible and remain available free of purchase. Those who pass along this source code may not receive compensation for doing so, apart from material costs. Motivation: Sooner or later, anyone who is grappling with the phenomenon of open source wil
185. ...twork and where only one user is working, multiuser capability has real advantages. Even the normal desktop station features additional virtual consoles along with a graphical interface. If for some reason the graphical user interface is not responding, you still have the option of switching to a virtual console and logging in to a shell from there and then restarting the graphical user interface. This way, rebooting is practically unnecessary, since usually in Linux only one program at a time might crash, but not the entire operating system all at once. This aspect leads to the next clincher for multitasking capability. In Linux, several processes can be running simultaneously. The operating system has direct control over the processes and decides when a process is suspended. This design improves system performance even if you do not have two actual parallel functioning processors. Security: Linux system design, and that of its UNIX ancestors, automatically entails some important security advantages in comparison to other systems. As a multiuser system, Linux is designed to support multiple users working simultaneously on one machine, but where no normal user has full control over the system. This way, no user can cause harm to any other user's environment by corrupting the entire system. Which user and which group a given directory, process, or file belongs to is strictly regulated. Only root has access to the system re
186. ...u specify members of a new group in the field below, be sure not to add any blank spaces before the commas separating the user and login names. YaST2 will suggest a group ID, which you can just accept. Changing and adding groups: After opening this module, a screen will open: User and Group Management. You will then be presented with the option of either editing users or groups. [Figure 4.18: User Administration with YaST2. The help text of the dialog User and group administration reads: Linux is a multiuser system. Several different users can be logged in to the system at the same time. To avoid confusion, each user must have a unique identity if they want to use Linux. Furthermore, every user belongs to at least one group. In this dialog you can get information about existing users. To shift to the group dialog, push the radio button Groups. To create a new user, push the button Add. The list columns are Login Name, Name, uid, Groups, with the sample entry test, Test Person, 500, users uucp dialout audio video; the option Also view system users and the buttons Edit, Delete, Add, and Abort are available.] User administration is under the Changing and adding users module and was described there. YaST2 offers a list of all groups to assist in group administration. To remove a group, click the group in the list so that the line is highlighted dark blue, then click on Delete. To Add or Ed
187. ...ultaneously on the screen. You might want to choose at least 16 Bit (65535 colors) if possible, to avoid color flickering when switching from one window to ... [Figure 3.23: Changing the settings for the graphical interface] ... can test the resolution you have selected. The installation program will issue a message telling you that the screen will now switch over to the new resolution. If you don't see a steady screen, please stop the test immediately by pressing Esc. 3.17 Network Card: The first step in setting up the network is configuring the server's network card, which will be connected to the internal network. YaST2 automatically recognizes all network cards on your system and displays a list of these, as shown in Figure 3.24. [Figure 3.24: Selecting the network card. The dialog reads: Please select which card you want to configure as the main card in the SuSE Linux Connectivity Server. It will be set up and ready for use. You will still be able to configure other cards or change the network configuration after installation is complete by selecting Network from the control center. Please realize that not all hardware can be detected automatically. If your hardware is not shown here, you will still be able to configure it manually; just select the item Use the unrecognized card, if present.] The card selected at this juncture is to be connected to your local network. All server services will only be available over this interface (eth0) th
188. ...upport also provides you with support in the configuration of the network services listed below with YaST2: Windows and Apple network drives (samba and netatalk); Proxy server for minimizing Internet traffic (squid); Mail relay (sendmail); Central user management for UNIX clients over NIS; Automatic Internet dialup if necessary. Support for configuring the following services on your clients: SuSE Linux: DHCP, DNS, NFS, NIS, NTP, Proxy, Samba; Windows: DHCP, DNS, Proxy, Samba; Mac (AppleTalk): DHCP, DNS, Proxy. 2.4 Maintenance for the SuSE Linux Connectivity Server: The maintenance of the SuSE Linux Connectivity Server III is an active maintenance contract (preventative support) customized according to your specific IT requirements. You will receive the following services, which keep your installation up to date and guarantee utmost user friendliness. SuSE Linux Connectivity Server Maintenance is an active maintenance contract (preventive support) which will meet your highest standards. You will receive the following services, guaranteeing that your technology is always current and easy to use: Fixes and patches for resolving critical errors (security, data loss) of the SuSE Linux Connectivity Servers. Each patch includes thorough documentation. You will be contacted by SuSE Enterprise Support Services by mail. The patches themselves will be made available on a secure web server for downloading. 2.5 The fastest way to help: You will
189. ...uthority, or if you deleted the file from your home directory by accident, you would not be able to open any new windows or X clients. Read more about X Window security mechanisms in the man page of Xsecurity (man Xsecurity). Apart from that, ssh (secure shell) can be used to completely encrypt a network connection and forward it to an X server transparently, without the encryption mechanism being perceived by the user. This is also called X forwarding. X forwarding is achieved by simulating an X server on the server side and setting a DISPLAY variable for the shell on the remote host. Before being displayed, the client opens a connection with sshd (secure shell daemon), the server-side program, which then gets the connections through to the real X server. If your setup requires that X clients are displayed remotely, consider using ssh and have a closer look at it. The man page of ssh has more information about the functionality of this program. Caution: If you do not consider the host where you log in to be a secure host, do not use X forwarding. With X forwarding enabled, an attacker could authenticate via your ssh connection to intrude on your X server and sniff your keyboard input, for instance. Buffer overflows and format string bugs: As discussed in the section on local security, buffer overflows and format string bugs should be classified as issues concerning both local and n
190. ...ve access to your network to send requests to the server. [Figure 4.15: YaST2 NIS server, setting request permissions. The dialog NIS Server Query Hosts Setup lists which hosts are allowed to query the NIS server, with the entries netmask 255.0.0.0 / network 127.0.0.0 and netmask 0.0.0.0 / network 0.0.0.0. Its help text reads: A host address will be allowed if network is equal to the bitwise AND of the host's address and the netmask. The entry with netmask 255.0.0.0 and network 127.0.0.0 must exist to allow connections from the local host. If netmask 0.0.0.0 and network 0.0.0.0 is entered, it gives access to all hosts.] 4.4.4 E-mail (Sendmail): In the configuration dialog located under Network / Advanced, the following items will be listed. Select the right one for you: Host with permanent network connection (SMTP): This is normally a leased line, as is often found at companies or other institutions which work with the Internet. The Internet connection is always running, so no dial-up is necessary. This menu item is also meant for members of a local network where no permanent Internet connection exists, but where a central mail server is used for sending e-mail. Single-user machine without network connection: If you do not have an Internet connection and do not belong to a network, you can only send e-mails locally. Host with temporary network connection (Modem or ISDN): Most home users need this option. It is for computers
191. without this having to physically exist on any of the Linux client machines. As with NIS, NFS is likewise an asymmetrical service. There are NFS servers and NFS clients. A machine can also be both; in other words, it can simultaneously make file systems available to the network (export) as well as mount file systems from other machines (import). In the typical scenario, however, servers with a larger hard disk capacity are used for this purpose, and their file systems are usually mounted by clients. Importing File Systems: Importing file systems from an NFS server is quite simple. The only requirement for this is that the RPC portmapper has to have been started, which is automatically the case following installation. If this condition has been met, remote file systems can be integrated into the file system alongside the local disks by using the command mount, provided that the remote file systems are exported by the respective hosts. The syntax is as follows: mount -t nfs <host>:<remote path> <local path>. So, for example, use the following command to import user directories on sun: earth:~ # mount -t nfs sun:/home /home. Exporting File Systems: A host which exports file systems is known as an NFS server. The following network servers must be started on an NFS server: RPC portmapper (portmap); RPC mount daemon (rpc.mountd); RPC NFS daemon
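A lint for the /etc/exports format used in items 179 and 191, as an added example (not code from the SuSE manual). It parses the manual's File 6.2.1 plus one constructed risky line and flags exports that are open to every host, writable by every host, or that let a remote root keep uid 0 (no_root_squash, the opposite of the root_squash option shown in the table).

```python
"""Lint an /etc/exports file for over-broad entries.

Added example, not from the SuSE manual. The sample is the manual's File
6.2.1 with one constructed risky line appended. Parsing follows the
exports(5) layout: '/path client(opt,opt) client2(opt)'; a bare '(opts)'
with no client name applies to every host.
"""
import re
from typing import List, Tuple

EXPORTS_SAMPLE = """\
# /etc/exports
/home            sun(rw)  venus(rw)
/usr/X11         sun(ro)  venus(ro)
/usr/lib/texmf   sun(ro)  venus(rw)
/                earth(ro,root_squash)
/home/ftp        (ro)
# constructed risky line, not in the manual:
/srv/scratch     *(rw,no_root_squash)
# End of exports
"""

Client = Tuple[str, List[str]]            # (client spec, [options])
Entry = Tuple[str, List[Client]]          # (exported path, clients)
Finding = Tuple[str, str, str]            # (path, client, problem)

# client name (anything up to '(' or whitespace), then optional "(opts)"
CLIENT_RE = re.compile(r"^([^(\s]*)(?:\((.*?)\))?$")


def parse_exports(text: str) -> List[Entry]:
    """Return [(path, [(client, [option, ...]), ...]), ...], skipping comments."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        clients: List[Client] = []
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if m is None:
                raise ValueError(f"cannot parse client spec {spec!r} for {path}")
            client = m.group(1) or "*"            # bare "(opts)" = every host
            opts = [o for o in (m.group(2) or "").split(",") if o]
            clients.append((client, opts))
        entries.append((path, clients))
    return entries


def find_risks(entries: List[Entry]) -> List[Finding]:
    """Flag the patterns an administrator would want to review before restarting nfsd."""
    findings: List[Finding] = []
    for path, clients in entries:
        for client, opts in clients:
            world = client == "*"
            if world and "rw" in opts:
                findings.append((path, client, "writable by every host"))
            elif world:
                findings.append((path, client, "readable by every host"))
            if "no_root_squash" in opts:
                findings.append((path, client, "remote root keeps uid 0 (no root_squash)"))
            if path == "/" and "rw" in opts:
                findings.append((path, client, "whole root file system exported read-write"))
    return findings


def lint(text: str = EXPORTS_SAMPLE) -> List[Finding]:
    return find_risks(parse_exports(text))


if __name__ == "__main__":
    for path, client, problem in lint():
        print(f"{path:16s} {client:8s} {problem}")
```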
192. works as intended. On the other hand, none of these viruses have been spotted in the wild so far. Viruses would not be able to survive and spread without a host on which they can live. In our case, the host would be a program or an important storage area of the system, such as the master boot record, which needs to be writable for the program code of the virus. Owing to its multiuser capability, Linux can restrict write access to certain files, which is the case especially with system files. Therefore, if you did your normal work with root permissions, you would increase the chance of the system being infected by a virus. By contrast, if you follow the principle of using the lowest possible privileges as mentioned above, chances of getting a virus are slim. Apart from that, you should never rush into executing a program from some Internet site that you do not really know. SuSE's RPM packages carry a cryptographic signature as a digital label that the necessary care was taken to build them. Viruses are a typical sign that the administrator or the user lacks the required security awareness, putting at risk even a system that should be highly secure by its very design. Viruses should not be confused with worms, which belong to the world of networks entirely. Worms do not need a host to spread. 8.2.2 Network Security: Local security is concerned with keeping different users on one
193. [LILO installation dialog; its help text reads: LILO, the Linux LOader, can be installed in numerous ways. In the MBR (the Master Boot Record): This is recommended whenever SuSE Linux is the only operating system on the hard drive or if you can boot all the other operating systems with LILO. The old MBR should be saved to disk as a precaution. On a floppy disk, if your system has a floppy drive: Use this to avoid the risk of damaging the existing boot mechanism. You may need to enable booting from floppy disk in the BIOS of your machine if you select this option. In the boot partition: You can always choose this option if you have installed several operating systems on your hard drive and wish to continue using your old boot ...] Unlike normal users of the system, who for instance ... system, and is called into action whenever administrative tasks have to be performed. In other words, log in as root whenever you need or want to be the system administrator, and only then. Because the root user is equipped with extensive permissions, the password for root should be chosen carefully. A combination of letters and numbers is recommended. To ensure that the password was entered correctly, you are asked to reenter it in a second field. All the rules for user passwords apply to the root password: uppercase and lowercase ... [Figure 3.18: Setting the password for user root] 3.12 Creating an Administrator Account: Once you have assigned a password for root, you will have to create your administrat
194. y normal users. It is even more important that passwords are not easy to guess in case the password file becomes visible due to some error. Consequently, it is not really useful to translate a password like tantalise into t@nt@l1s3: replacing some letters of a word with similar-looking numbers or symbols is not safe enough, because password cracking programs which use dictionaries to guess words also try substitutions like that. A better way is to make up a word with no common meaning, something which only makes sense to you personally, like the first letters of the words of a sentence or of the title of a book, such as The Name of the Rose by Umberto Eco. This would give the following safe password: TNotRbUE9. By contrast, passwords like beerbuddy or jasmine76 are easily guessed even by someone who has only some casual knowledge about you. The boot procedure: configure your system so it cannot be booted from a floppy or from CD, either by removing the drives entirely or by setting a BIOS password and configuring the BIOS to allow booting from a hard disk only. Normally a Linux system is started by a boot loader, which allows you to pass additional options to the booted kernel. This is crucial to your system's security: not only does the kernel itself run with root permissions, it is also the first authority to grant root permissions at system start-up. Prevent others from using such parameters during boot by using the options restricted and password=your_own_password in /etc/lilo.conf.
195. Execute the command lilo after making any changes to /etc/lilo.conf and look for any unusual output the command might produce. If you forget this password, you will have to know the BIOS password and boot from CD to read the entry in /etc/lilo.conf from a rescue system. File Permissions: as a general rule, always work with the most restrictive privileges possible for a given task. For example, it is definitely not necessary to be root to read or write e-mail. If the mail program you use has a bug, this bug could be exploited for an attack, which will act with exactly the permissions the program had when it was started. By following the above rule, you minimize the possible damage. The permissions of the more than 200,000 files included in a SuSE distribution are carefully chosen. A system administrator who installs additional software or other files should take great care when doing so, especially when setting the permission bits. Experienced and security-conscious system administrators always use the -l option with the command ls to get an extensive file list, which allows them to detect any wrong file permissions immediately. An incorrect file attribute does not only mean that files could be changed or deleted: these modified files could be executed by root or, in the case of configurati
196. yntax error. 128 Shared library error. SIGNALS: the following signals have the following effect when sent to e2fsck. SIGUSR1: this signal causes e2fsck to start displaying a completion bar (see the discussion of the -C option). SIGUSR2: this signal causes e2fsck to stop displaying a completion bar. REPORTING BUGS: almost any piece of software will have bugs. If you manage to find a filesystem which causes e2fsck to crash, or which e2fsck is unable to repair, please report it to the author. Please include as much information as possible in your bug report. Ideally, include a complete transcript of the e2fsck run, so I can see exactly what error messages are displayed. If you have a writeable filesystem where the transcript can be stored, the script(1) program is a handy way to save the output of e2fsck to a file. It is also useful to send the output of dumpe2fs(8). If a specific inode or inodes seem to be giving e2fsck trouble, try running the debugfs(8) command and send the output of the stat(1u) command run on the relevant inode(s). If the inode is a directory, the debugfs dump command will allow you to extract the contents of the directory inode, which can be sent to me after being first run through uuencode(1). Always include the full version string which e2fsck displays when it is run, so I know which version you are running. 9 Troubleshooting. AUTHOR: this version of e2fsck was written by Theodor
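The password advice in fragment 194 (substituting digits for letters does not defeat a dictionary attack) can be turned into a check. The script below is an added example, not part of the SuSE manual; it undoes the usual substitutions and looks the result up in a word list. The six-word list is constructed for the demo; on a real system you would point WORDLIST at a dictionary such as /usr/share/dict/words (assumed to be one word per line).

```sh
#!/bin/sh
# Added example, not part of the SuSE manual: reject passwords that are
# dictionary words once the usual letter-for-number substitutions are
# undone, which is exactly what cracking programs try. The word list is
# constructed for the demo; set WORDLIST to a real dictionary in practice.

DEMO_WORDS=$(mktemp)
cat > "$DEMO_WORDS" <<'EOF'
beer
buddy
beerbuddy
jasmine
tantalise
password
EOF
WORDLIST="${WORDLIST:-$DEMO_WORDS}"

# Undo substitutions a cracking program tries as a matter of course:
# 4/@ -> a, 3 -> e, 1/! -> i, 0 -> o, 5/$ -> s, 7 -> t, and fold case.
deleet() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr '4@31!05$7' 'aaeiiosst'
}

# Return 0 if the candidate looks acceptable, 1 otherwise (reason on stdout).
check_password() {
    pw="$1"
    if [ "${#pw}" -lt 8 ]; then
        echo "rejected: shorter than 8 characters"
        return 1
    fi
    case "$pw" in
        *[0-9]*) ;;
        *) echo "rejected: no digits"; return 1 ;;
    esac
    case "$pw" in
        *[A-Za-z]*) ;;
        *) echo "rejected: no letters"; return 1 ;;
    esac
    # Check the word as typed and with trailing digits stripped (jasmine76),
    # each with substitutions undone (t@nt@l1s3 -> tantalise).
    stripped=$(printf '%s' "$pw" | sed 's/[0-9]*$//')
    for cand in "$(deleet "$pw")" "$(deleet "$stripped")"; do
        if grep -qxF -- "$cand" "$WORDLIST"; then
            echo "rejected: '$pw' is the dictionary word '$cand' in disguise"
            return 1
        fi
    done
    echo "accepted"
    return 0
}

# The manual's own examples: one good password, three guessable ones.
for p in TNotRbUE9 t@nt@l1s3 jasmine76 beerbuddy; do
    printf '%-12s ' "$p"; check_password "$p" || :
done
```

The substitution table is deliberately small; a real checker would also try reversed words, common suffixes and keyboard walks, which is why a sentence-derived password such as TNotRbUE9 passes while every disguised dictionary word fails.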
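Fragments 194 and 195 recommend restricted and password= in /etc/lilo.conf. The script below is an added example, not from the SuSE manual: it checks a lilo.conf for both options and, because the password sits in the file in clear text, for a mode that keeps it readable by root only. The two configurations and the device names in them are constructed for the demo; running /sbin/lilo afterwards to activate a change is left to the administrator.

```sh
#!/bin/sh
# Added example, not part of the SuSE manual: inspect a lilo.conf for the
# options the text recommends (restricted, password=) and for permissions.
# The boot password is stored in clear text, so the file must not be
# readable by group or others (chmod 600). Returns 0 if everything is in
# order, 1 otherwise, printing one line per problem. Only the file is
# inspected; /sbin/lilo is not run.

check_lilo_conf() {
    conf="$1"
    status=0
    if ! grep -q '^[[:space:]]*restricted' "$conf"; then
        echo "$conf: option 'restricted' missing"
        status=1
    fi
    if ! grep -q '^[[:space:]]*password[[:space:]]*=' "$conf"; then
        echo "$conf: option 'password=' missing"
        status=1
    fi
    # Any group or other read bit set means the boot password leaks.
    if [ -n "$(find "$conf" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$conf: readable by group or others; fix with: chmod 600 $conf"
        status=1
    fi
    return $status
}

# Two constructed configurations: one as an installer might leave it,
# one hardened as the manual describes. Device names are placeholders.
WEAK=$(mktemp)
HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda2
EOF
cat > "$HARD" <<'EOF'
boot=/dev/hda
prompt
timeout=50
restricted
password=your_own_password
image=/boot/vmlinuz
    label=linux
    root=/dev/hda2
EOF
chmod 644 "$WEAK"   # typical mistake: world-readable
chmod 600 "$HARD"

echo "--- weak ---";     check_lilo_conf "$WEAK" || :
echo "--- hardened ---"; check_lilo_conf "$HARD" && echo "$HARD: ok"
```

With restricted set, the password is only demanded when extra kernel parameters such as init=/bin/sh are typed at the boot prompt, so normal unattended boots are unaffected; without restricted, every boot would prompt.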
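Fragment 195 says that security-conscious administrators read ls -l output to spot wrong permission bits after installing extra software. The script below is an added example, not from the SuSE manual, that automates that reading over a directory tree: it lists, in ls -l style, every world-writable file, every set-uid or set-gid program, and every world-writable directory lacking the sticky bit. The demo tree it builds under mktemp is constructed for the example.

```sh
#!/bin/sh
# Added example, not part of the SuSE manual: audit a directory tree for
# the permission mistakes the text warns about. Findings are printed in
# ls -l style; the function returns 1 if anything was found, so it can
# gate a post-install hook or a cron job.

audit_perms() {
    dir="$1"
    findings=$(find "$dir" \( \
        \( -type f \( -perm -002 -o -perm -4000 -o -perm -2000 \) \) -o \
        \( -type d -perm -002 ! -perm -1000 \) \
        \) -exec ls -ld {} \;)
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree: one correctly installed file, one world-writable
# file, one set-uid program, one world-writable directory without sticky bit.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/bin" "$t/dropbox"
    chmod 755 "$t/etc" "$t/bin"
    echo "key=value" > "$t/etc/app.conf"; chmod 644  "$t/etc/app.conf"
    echo "secret"    > "$t/etc/app.key";  chmod 666  "$t/etc/app.key"
    printf '#!/bin/sh\necho hi\n' > "$t/bin/helper"; chmod 4755 "$t/bin/helper"
    chmod 777 "$t/dropbox"
    printf '%s' "$t"
}

# Number of findings for a tree (0 when the tree is clean).
count_findings() {
    audit_perms "$1" | wc -l | tr -d ' '
}

DEMO=$(make_demo_tree)
audit_perms "$DEMO" || echo "found $(count_findings "$DEMO") problem(s) under $DEMO"
```

On a whole system you would add -xdev to stay on one filesystem and compare the set-uid list against the distribution's own, since a handful of set-uid binaries (passwd, su) are legitimate and everything else deserves a question.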