
Appendix I

Miscellaneous Topics

 

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In This Chapter

Appendix I

Miscellaneous Topics

VPN Terminologies

Running Linux Without A Monitor

Make Your Linux Box Emulate A VT100 Dumb Terminal

Disk Partitioning Explained

The OSI Networking Model

TCP/IP Packet Format

 

© Peter Harrison, www.linuxhomenetworking.com

 

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

We briefly discuss some miscellaneous topics in this chapter that are beyond the scope of this book with the intention that you will be stimulated to consider utilizing some of the technologies discussed to improve your website and / or your SOHO network.

VPN Terminologies

A Virtual Private Network (VPN) provides security for the transmission of sensitive information over unprotected networks such as the Internet. VPN relationships are established between trusted sites on the Internet, making the public network appear to the VPN members to be virtually the same as a private network. What follows is an introduction to VPN terminology.

Authentication

The process of ensuring that the VPN data received is both unchanged and from the expected source.


 

Encryption

The process of encoding VPN data to protect it from unauthorized viewing except by the intended recipient who has the decoder key.

IPSec

The name given to a number of data communications protocols designed to authenticate and encrypt VPN data to protect it from unauthorized viewing or modification as it is transmitted across a network.

Authentication Header (AH)

One of two IPSec security protocols. Provides authentication and anti-replay services, without encryption. It does this by adding its own security header to the original IP packet.

Encapsulating Security Protocol (ESP)

The other IPSec security protocol. Provides authentication, encryption, and anti-replay services. It does this by encrypting the data within the packet and then adding its own security header to the original IP packet. As ESP headers don't authenticate the outer IP header the way AH headers do, AH and ESP are often used in combination with each other. This is called Transport Adjacency.

Transport mode VPNs

The original source and destination address of the data being sent over the VPN is unchanged. Here are some examples of what transport mode VPN IP packets will look like. (For more information on the IP protocol, please refer to the OSI model page)

Transport mode AH packet format

  | Original IP Header | Inserted AH Header | Original TCP Header | DATA |

Transport mode AH / ESP packet format

  | Original IP Header | Inserted AH Header | Inserted ESP Header | Original TCP Header | DATA |


 

Tunnel mode VPNs

The original source and destination address of the data being sent over the VPN is changed by encapsulating the original IP packet within another IP packet. The original packet is frequently encrypted, header and all, in an effort to provide an additional layer of security by not revealing the true identities of the servers communicating with each other.

 

Here are some examples of what tunnel mode VPN IP packets will look like. (For more information on the IP protocol, please refer to the OSI model page)

Tunnel mode AH packet format

  | New IP Header | Inserted AH Header | Original IP Header | Original TCP Header | DATA |

Tunnel mode AH / ESP packet format

  | New IP Header | Inserted AH Header | Inserted ESP Header | Original IP Header | Original TCP Header | DATA |

Authentication methods

IPSec data integrity is usually provided by one of two Hashed Message Authentication Code (HMAC) methods:

o        Message Digest 5 (MD5)

o        Secure Hash Algorithm (SHA-1). 

Encryption methods

IPSec usually uses one of two methods to encrypt data:

o        The Data Encryption Standard (DES) using a 56-bit encryption key

o        Triple DES using a 168-bit encryption key.

Internet Key Exchange (IKE)

IKE provides authentication of the IPSec peers, negotiates IPSec security associations, and establishes IPSec keys. 


 

IKE authentication methods 

There are two main methods of establishing a trusted relationship between two devices that want to create a VPN between themselves:

Public key cryptography using RSA encryption

RSA overview 

 

Each VPN device has its own public and private keys. Anything encrypted with one of the keys can only be decrypted with the other. This allows you to create a signature when the message is encrypted with the sender's private key. The receiver verifies the signature by decrypting the message with the sender's public key.

The fact that the message could be decrypted using the sender's public key means that the holder of the private key created the message. A successful exchange requires the receiver to have a copy of the sender's public key and to know with a high degree of certainty that it really does belong to the sender, and not to someone pretending to be the sender. This is done using Certification Authorities.

 

CA overview

 

A digital certificate contains information that identifies a user or device, such as a name, serial number, company, department, or IP address. It will also contain a copy of the entity's public key.  

Certificates are managed and issued by Certification Authorities (CAs). A CA can either be a trusted public third party, such as VeriSign, or an "in-house" private server that you establish within your organization.

Prior to installing a certificate based VPN, each VPN device must be pre-configured with the certificate generated for them by the CA. The VPN devices will also be pre-configured with the CA's certificate. 

During the key exchange, the VPN peers authenticate by sending each other the certificate issued to them by the CA, but encrypted using their private key.  

Each peer then uses the pre-installed CA certificate they have to authenticate with the CA and securely receive the other peer's certificate from the CA using public key cryptography. 

Each peer then extracts the public key from the certificate they receive from the CA and then uses it to decrypt the certificate they just received from the other peer. 

Once the certificates received from the CA and the other peer match, authentication is complete.
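As an added illustration of the signature and certificate flow described above (this is not code from the book), here is a toy textbook RSA built from small constructed primes, a CA that signs a certificate binding a peer's name to its public key, and a verifier that accepts a peer only if the CA signature checks out and the peer signs a fresh challenge. Key sizes, host names and the certificate byte format are constructed for the demo and are far too small for real use.

```python
import hashlib

# Toy textbook RSA from small constructed primes: enough to show the
# sign/verify and certificate flow, not a secure parameter set.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)                # (public key, private key)

def digest(data, n):
    # Hash the message and reduce it into the modulus range (toy "padding").
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data):
    n, d = private_key
    return pow(digest(data, n), d, n)    # "encrypt" the hash with the private key

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == digest(data, n)   # "decrypt" with the public key

def cert_bytes(cert):
    # Canonical byte form of identity plus public key: this is what the CA signs.
    n, e = cert["public_key"]
    return f'{cert["subject"]}|{cert["serial"]}|{n}|{e}'.encode()

def issue_cert(ca_private, subject, serial, public_key):
    cert = {"subject": subject, "serial": serial, "public_key": public_key}
    cert["ca_signature"] = sign(ca_private, cert_bytes(cert))
    return cert

def authenticate_peer(ca_public, peer_cert, challenge, challenge_sig):
    """Verifier side: trust the peer only if (1) the CA vouches for the
    identity/key binding in the certificate and (2) the peer proves it holds
    the matching private key by signing our fresh challenge."""
    if not verify(ca_public, cert_bytes(peer_cert), peer_cert["ca_signature"]):
        return False                     # certificate forged or altered
    return verify(peer_cert["public_key"], challenge, challenge_sig)

# Constructed demo: one in-house CA and one VPN gateway with a CA-issued cert.
CA_PUB, CA_PRIV = make_keypair(1000003, 1000033)
GW_A_PUB, GW_A_PRIV = make_keypair(1000037, 1000039)
GW_A_CERT = issue_cert(CA_PRIV, "vpn-gw-a.example", 1, GW_A_PUB)

def demo():
    challenge = b"constructed-nonce-0001"
    genuine = authenticate_peer(CA_PUB, GW_A_CERT, challenge, sign(GW_A_PRIV, challenge))
    # Someone who swaps their own key into the certificate fails the CA check,
    # even though they can sign the challenge with the key they swapped in.
    rogue_pub, rogue_priv = make_keypair(1000003, 1000039)
    forged = dict(GW_A_CERT, public_key=rogue_pub)
    impostor = authenticate_peer(CA_PUB, forged, challenge, sign(rogue_priv, challenge))
    return genuine, impostor             # (True, False)

if __name__ == "__main__":
    print(demo())
```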

Shared keys

The devices at each end of the VPN use a shared key or password. The disadvantage is that each pair of VPN peers needs its own set of keys, making it difficult for large scale implementations. Unlike the RSA method, there is no CA to provide an impartial audit trail of VPN connection initiations.


IKE's role in creating Security Associations

Once authentication is complete, IKE is then used by the VPN peers to negotiate the security associations (SAs) to be used at each end point. SAs are comprised of two factors:

Transforms 

Describes how the data will be transformed by the VPN to provide the desired security. This includes:

·         Packet encryption methods

·         Packet authentication methods

·         Transport versus tunnel mode

·         AH and or ESP usage

·         SA lifetime before it is renegotiated. (SAs are permanent when manually established)

Shared keys 

The actual key used by the encryption and authentication methods to protect the data.

IKE and ISAKMP

IKE uses special ISAKMP IP packets using "protocol 50" to establish a Security Association.

VPN Security And Firewalls 

o        All security devices in the path of a VPN connection will have to allow "protocol 50" between the two VPN devices to ensure that IKE works properly.

o        The VPN uses a separate channel through which the encrypted data passes. This uses UDP packets on port 500. Unusually, the source and destination ports are both 500. This must also be allowed to pass through unimpeded.

o        In permanent VPNs, you may have to open up these ports and protocols to the CA as well.

 

VPN User Authentication Methods For Temporary Connections

The above sections have been slanted towards a permanent connection between purpose built VPN devices. Frequently the device at the other end of the connection is a PC. Here are some authentication methods used in such


Types Of Dial Up VPN Authentication

IKE-XAUTH secured RADIUS

Usernames and passwords entered into the VPN remote login software are relayed by the VPN device at the remote end to a trusted RADIUS server. If the username / password combination is valid for remote login then the RADIUS server will authorize the VPN device to continue with the IKE interchange.

ACE/SecurID

The software uses a username and password in conjunction with a digital key FOB whose authentication serial number changes every few minutes. In order to log in, the user not only has to enter the username and password, but also the PIN tied to the FOB plus the FOB's dynamic serial number, which is synchronized with the authentication server at the other end of the VPN.

Windows Domain

Remote home user authentication relies on the same username / password combination of the Windows Domain Controller that the user would normally use to log in when they are at work.

Local user database

Valid usernames and passwords are configured into the VPN device at the other end of the VPN.

 


 

Running Linux Without A Monitor

You can reduce the cost of ownership of your Linux system by not using a VGA monitor. This creates what is also known as a “headless” system. Operating costs may not be important at home, but will be in a corporate environment with large numbers of Linux servers racked in data centers. In such cases, access to the Linux box can be more cheaply provided via the COM port.

I’ve included this section as I have occasionally hosted the website www.linuxhomenetworking.com at friends’ homes and felt badly about borrowing their monitors. Having access via the COM ports has also helped me in both the home and business situations. The most common occurrence is when the system is hung, locking out network access, and I need to get to it by using:

·     A notebook PC with a console cable connected to the COM port.

·     A modem connected to the COM port

·     Telnet to login to a terminal server that has one of its ports connected to the Linux box’s COM port

Preparing To Go “Headless” 

o        One of the advantages of this method is that you don't need a keyboard either. Unfortunately your BIOS may halt the system during the Power On Self Test (POST) if it doesn't detect a keyboard. Make sure you disable this feature in the BIOS setup of your PC before proceeding. This feature can usually be found on the very first screen under the “Halt On” option.

o        You will also need to make sure that you have activated your COM ports in your BIOS settings.

o        For non-modem connectivity (PC to PC) connect a NULL modem cable to the COM port you want to test, connect the other end to the client PC running "Hyperterm" or whatever terminal emulation software you are using. One popular Linux equivalent to Hyperterm is “minicom”. A brief configuration guide for minicom follows the section below.

o        If you're using a modem for connectivity, then you'll need a FULL modem cable and testing will have to be done using a dial up connection.

Configuration Steps

In RedHat Linux, the COM1 and COM2 ports are controlled by a program called "agetty", but "agetty" usually isn't activated when you boot up unless its configuration file /etc/inittab is modified. In other versions of Linux, "agetty" may be called just plain "getty". Here is a table that maps the physical ports to their equivalent Linux device names.

 

Port    Linux "agetty" Device Name
COM1    ttyS0
COM2    ttyS1

 

The following lines added to /etc/inittab will configure your COM ports for terminal access:

 

# Run COM1 and COM2 gettys in standard runlevels
S0:235:respawn:/sbin/agetty -L 19200 ttyS0 vt102
S1:235:respawn:/sbin/agetty -L 19200 ttyS1 vt102

 

In summary, these lines mean: 

o        At boot time, when the system enters runlevels 2, 3 or 5, "agetty" must attach itself to devices ttyS0 and ttyS1 and emulate a VT102 terminal running at 19200 baud.  

o        The "-L" means ignore modem control signals. This option should be omitted if you are connecting the port to a modem.

o        The respawn means that agetty will restart automatically if, for whatever reason, it dies.

 

The next step is to restart the "init" process so that it re-reads /etc/inittab:

 

[root@bigboy tmp]# init q

 

Now you need to configure the terminal client, such as "Hyperterm", to match the speed settings in /etc/inittab. Connect the console / modem cable between the client and your Linux box. Hit "enter" a couple of times, and celebrate when you see something like this:

 

Red Hat Linux release 8.0 (Psyche)
Kernel 2.4.18-14 on an i586

bigboy login:

 

Note: By default, user "root" will not be able to log in from a terminal. To do this you'll have to edit the /etc/securetty file which contains the device names of tty lines on which root is allowed to login. Just add ttyS0 and ttyS1 to the list if you need this access.
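The following is an added example, not part of the book: a small audit that reads the /etc/inittab entry format used above and cross-checks it against /etc/securetty, so an administrator can see which serial consoles are active in which runlevels, at what speed, and whether root may log in on them (a serial line reachable through a modem or terminal server is an entry point worth inventorying). The inittab and securetty contents are constructed samples; the function and field names are my own.

```python
import re

# Constructed samples modelled on the entries shown above: COM1 enabled,
# COM2 commented out, plus an ordinary virtual-console getty.
INITTAB = """\
# Run COM1 and COM2 gettys in standard runlevels
S0:235:respawn:/sbin/agetty -L 19200 ttyS0 vt102
#S1:235:respawn:/sbin/agetty -L 19200 ttyS1 vt102
1:2345:respawn:/sbin/mingetty tty1
"""

SECURETTY = """\
tty1
tty2
ttyS0
"""

# inittab entry format: id:runlevels:action:process
ENTRY = re.compile(r"^(?P<id>[^:#]+):(?P<runlevels>[0-9]*):(?P<action>[^:]+):(?P<process>.*)$")

def parse_serial_consoles(inittab_text):
    """One record per active agetty/getty line on a ttyS device: runlevels,
    speed, whether modem control lines are ignored (-L) and whether it respawns."""
    consoles = []
    for line in inittab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                            # commented-out entries are disabled
        m = ENTRY.match(line)
        if not m:
            continue
        argv = m.group("process").split()
        if not argv or not argv[0].endswith("getty"):
            continue
        devices = [a for a in argv[1:] if a.startswith("ttyS")]
        speeds = [a for a in argv[1:] if a.isdigit()]
        if not devices:
            continue                            # not a serial port entry
        consoles.append({
            "id": m.group("id"),
            "device": devices[0],
            "speed": int(speeds[0]) if speeds else None,
            "ignore_modem_ctrl": "-L" in argv,
            "runlevels": set(m.group("runlevels")),
            "respawn": m.group("action") == "respawn",
        })
    return consoles

def root_allowed(securetty_text):
    """Device names on which /etc/securetty permits a root login."""
    return {l.strip() for l in securetty_text.splitlines()
            if l.strip() and not l.startswith("#")}

def audit(inittab_text, securetty_text):
    """Map each active serial console to its settings and root-login status."""
    allowed = root_allowed(securetty_text)
    report = {}
    for c in parse_serial_consoles(inittab_text):
        report[c["device"]] = {
            "speed": c["speed"],
            "runlevels": "".join(sorted(c["runlevels"])),
            "ignore_modem_ctrl": c["ignore_modem_ctrl"],
            "root_login": c["device"] in allowed,
        }
    return report

if __name__ == "__main__":
    for dev, info in audit(INITTAB, SECURETTY).items():
        print(dev, info)
```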


Make Your Linux Box Emulate A VT100 Dumb Terminal

Dumb terminals can be loosely defined as devices that allow you to log in to your system via the COM port. You can make your Linux box emulate a dumb terminal quite easily. There are a number of reasons to do this:

 

·     You run Linux on a notebook and you need to use it to access a hung “headless” Linux server via the COM port

·     You need to gain access to a modem connected to the COM port. (This section will focus on the notebook scenario, not the use of Linux to dial a modem.)

Configuration Steps

The most commonly used Linux terminal emulation program is minicom. It is simple to use mainly because it uses a text based GUI. Here are the steps you’ll need to go through to get it working.

o        You will first need to go through all the relevant steps listed in the “Preparing to go Headless” section of this chapter to ensure you have the right type of cable and correct BIOS settings.

o        Minicom will clash with your agetty configuration explained in the previous section. In other words a “headless” system cannot be used to access another “headless” system using the “headless” COM port. You therefore have to disable the agetty configuration for the port on which you wish to run minicom.

In the case below we disable agetty on COM1 by commenting out the ttyS0 agetty statements in the /etc/inittab file.

COM1 will therefore be used for outbound minicom connections to other systems. Other systems using minicom can use COM2 to access this system. 

We then need to restart the init process to reload the new /etc/inittab settings.

 

Edit /etc/inittab:

# Run COM1 and COM2 gettys in standard runlevels
#S0:235:respawn:/sbin/agetty -L 19200 ttyS0 vt102
S1:235:respawn:/sbin/agetty -L 19200 ttyS1 vt102

Restart init:

[root@bigboy tmp]# init q

 

o        Run minicom in setup mode using the minicom -s command

[root@bigboy tmp]# minicom -s

 

o        You will get the setup menu:

------[configuration]-------
| Filenames and paths      |
| File transfer protocols  |
| Serial port setup        |
| Modem and dialing        |
| Screen and keyboard      |
| Save setup as dfl        |
| Save setup as..          |
| Exit                     |
| Exit from Minicom        |
----------------------------

 

o        Select the serial port setup menu item. Make the speed match that of the remote “headless” system and make sure the correct serial COM device is chosen. Device /dev/ttyS0 is COM1 and /dev/ttyS1 is COM2. Also make sure that flow control is off.

-------------------------------------------
| A -    Serial Device      : /dev/ttyS0  |
| B - Lockfile Location     : /var/lock   |
| C -   Callin Program      :             |
| D -  Callout Program      :             |
| E -    Bps/Par/Bits       : 19200 8N1   |
| F - Hardware Flow Control : No          |
| G - Software Flow Control : No          |
|                                         |
|    Change which setting?                |
-------------------------------------------

 

o        Select the “Modem and dialing” option and make sure the “Init string” and “Reset string” settings are blank.

o        Select the “Save setup as dfl” to make this your saved default setting and then “Exit from Minicom”

o        Make sure the other system is correctly configured for headless operation. Connect the cables between the systems

o        Re-enter minicom, this time without the “-s”

 

[root@bigboy tmp]# minicom

 

o        Hit enter and you should get a login prompt

Welcome to minicom 2.00.0

OPTIONS: History Buffer, F-key Macros, Search History Buffer, I18n
Compiled on Jun 23 2002, 16:41:20.

Press CTRL-A Z for help on special keys

bigboy login:

 

o        To exit minicom you type CTRL-A, then Z, then X

o        Non “root” users will get a “permission denied” message if they use minicom, as the COM ports are not normally accessible to regular users. The way to get around this is for user “root” to either give everyone read/write access using the chmod command below, or add selected trusted users to your sudo configuration.

Remember that minicom will reset the privileges on the COM port each time you change the configuration with “minicom -s”, so you may find yourself having to run chmod from time to time.

 

[root@bigboy tmp]# chmod o+rw /dev/ttyS0


Disk Partitioning Explained

Here’s some interesting information on how Linux handles hard drives and their partitions.

What Is A Partition? 

A partition is a means of dividing your hard disk into multiple sections, each of which is treated as a separate disk by your operating system. This allows you to boot different operating systems from the same disk, for example, Linux and Windows. Partitions cannot be moved or resized without destroying the data on them.

What Is A Filesystem? 

Filesystems can be considered as being the directory structures on a disk partition that contains all the files. Most Windows users would be familiar with the analogous terms "folders" and "sub-folders", whereas Linux users would be familiar with the terms "directories" and "sub-directories".

How Linux Links Filesystems And Partitions 

In Windows, a disk with two partitions would most likely find itself with a "C:" drive and a "D:" drive each with a separate set of folders.  

In Linux, everything appears to be a single set of "folders" or directories, the partitions hide underneath unseen to the regular user. In other words, Linux partitions handle all files in the subdirectory of your choice. The choice of which subdirectories belong in which partition is made when you partition the hard drive. 

If you create a file system called "/var" and another called "/var/log", the directory allocation will be:

 

 

Partition    Directory Allocation
/var/log     All files in directory /var/log and all the subdirectories underneath /var/log
/var         All files in /var except the contents of directory /var/log and all the subdirectories underneath /var/log

 


What Partitions Are Mandatory?

The mandatory partitions are:

"/", Also Known As "root"

The root filesystem ("/") contains the files necessary for the system to boot up in single user mode with the bare minimum of functionality. Most Linux systems will then become multi-user systems by changing their runlevel and executing the associated startup scripts, including those that mount the remaining file systems.

In most cases, a corrupted root filesystem will make your system unbootable from the hard drive. Usually recovery requires reformatting the root file system and doing a Linux reinstall. If all your files are located in a root filesystem that becomes corrupted, there is a high possibility that you will lose all your data. It is for this reason that you should consider placing similar files in dedicated partitions.

/boot

The /boot partition contains the Linux kernel which is the "master control program", not only for controlling the boot process, but also the normal functioning of Linux. 

Redhat Linux creates this partition automatically. This reduces the need to reformat the "root" partition if it becomes corrupted.

swap

Used as a location to place data temporarily if RAM memory becomes full. RedHat automatically creates this partition and usually makes it about twice the amount of system RAM.

Recommended Sizes For Disk Partitions

Here are some allocation suggestions that may be useful. This is a generous guide; you may look at the bottom of the table to see the settings I used for the 4GB hard disk I used to first run www.linuxhomenetworking.com.

The RedHat default partitioning scheme used during the Linux installation should be sufficient for most home / SOHO systems, especially if you have more than 4GB.

 


Some Recommended Partition Sizes

Partition                   Workstation / Home Web Server (MB)                Mail Server (MB)                                  Purpose of the Partition
Swap                        2 X Physical Memory                               2 X Physical Memory                               Used as a location to place data temporarily if RAM memory becomes full
/ (usually called "root")   100                                               100                                               Base system program files, configuration files, libraries, device drivers
/boot                       Automatically determined by RedHat, 50 (approx)   Automatically determined by RedHat, 50 (approx)   Assigned automatically by RedHat. Contains the system kernel files.
/usr                        2.0+ GB                                           1.0+ GB                                           Third party software
/var                        750+                                              500+                                              Man pages (Help files)
/var/log                    500+                                              1.5+ GB                                           Error log files
/var/spool                  750+                                              500                                               Print queues (Needed only if you plan to do printing)
/var/spool/mail             N/A                                               4.0+ GB                                           Mail queues
/tmp                        250+                                              250+                                              Temporary files
/home                       Variable                                          Variable                                          Multiply the expected number of users by the amount of disk space you want to assign per user. Remember MP3s fill disks quickly.


How Much Space Do I Have On My Partitions?

You can use the "df" command. These are the settings I used for the hard disk I used to first run this site.

 

[root@bigboy root]# df -k

Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda3               505636     90002    389529  19% /
/dev/hda1                46636      9164     35064  21% /boot
/dev/hda5               505605     87915    391586  19% /home
/dev/hda7               830104     17632    770304   3% /tmp
/dev/hda2              4633108   1797504   2600252  41% /usr
/dev/hda6               256667    169577     73838  70% /var
[root@bigboy root]#  

 

What Can I Do When I Run Out Of Disk Space?

o        If it is in the /home partition, you can ask users to delete unnecessary files such as downloaded software and MP3s

o        If it is in the /var partition, then you can consider deleting some of your log files in /var/log. See the logging page for a description of the log files and how you can use the "logrotate" command to help reduce their size.

o        You may want to also consider backing up files and then deleting them.
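Added example (not from the book) tying together the directory-allocation rule above (a path belongs to the longest mount point that is a prefix of it on a whole-component boundary, so /var/log wins over /var for /var/log/messages while /var/logs still belongs to /var) and the df -k output shown earlier: it parses that output and reports which partition a given path lands on and how much room is left there. The df text is a copy of the book's listing; the function names are my own.

```python
# Copy of the df -k listing shown above, used as sample input.
DF_OUTPUT = """\
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/hda3               505636     90002    389529  19% /
/dev/hda1                46636      9164     35064  21% /boot
/dev/hda5               505605     87915    391586  19% /home
/dev/hda7               830104     17632    770304   3% /tmp
/dev/hda2              4633108   1797504   2600252  41% /usr
/dev/hda6               256667    169577     73838  70% /var
"""

def parse_df(text):
    """Turn df -k output into {mount point: usage record}; skips the header."""
    mounts = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 6:
            continue                          # blank or wrapped line
        dev, blocks, used, avail, pct, mount_point = parts
        mounts[mount_point] = {
            "device": dev,
            "kb_total": int(blocks),
            "kb_used": int(used),
            "kb_avail": int(avail),
            "use_pct": int(pct.rstrip("%")),
        }
    return mounts

def mount_point_for(path, mount_points):
    """Longest matching mount point, comparing whole path components so that
    /var/log matches /var/log/messages but not /var/logs/foo."""
    best = "/"
    for mp in mount_points:
        if mp == "/":
            continue
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best

def usage_for(path, df_text):
    """Which partition holds this path, and that partition's df record."""
    mounts = parse_df(df_text)
    mp = mount_point_for(path, mounts)
    return mp, mounts[mp]

def fits(path, size_kb, df_text):
    """Would a file of size_kb written at this path fit in its partition?"""
    return usage_for(path, df_text)[1]["kb_avail"] >= size_kb

if __name__ == "__main__":
    for p in ("/var/log/messages", "/var/spool/mail/bob", "/usr/local/bin/x", "/etc/passwd"):
        mp, rec = usage_for(p, DF_OUTPUT)
        print(f"{p:24} -> {mp:6} {rec['kb_avail']:>8} KB free ({rec['use_pct']}% used)")
```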


 

The OSI Networking Model

The Open Systems Interconnection (OSI) protocol suite acts as a framework for designing network based applications. It consists of layers of sub-applications, each building on the lower ones to provide a complete connectivity solution. Each layer generally has "hooks" into the layer immediately above and below it so that the data can flow smoothly through the sub-applications designed to handle each layer. Detailed descriptions of TCP, UDP, IP and ARP can be found in the Introduction to Networking chapter.

The Seven OSI Layers

Layer 7, Application
    ·     The user interface to the application.
    Applications: Telnet, FTP, Sendmail

Layer 6, Presentation
    ·     Converts data from one presentation format to another. For example, email text entered into Outlook Express being converted into SMTP mail formatted data.

Layer 5, Session
    ·     Manages continuing requests and responses between the applications at both ends over the various established connections.

Layer 4, Transport
    ·     Manages the establishment and tearing down of a connection. Ensures that unacknowledged data is retransmitted. Correctly re-sequences data packets that arrive in the wrong order.
    Applications: TCP, UDP

Layer 3, Network
    ·     Handles the routing of data between links that are not physically connected together.
    ·     Used as a means of not tying the address of the server to its MAC address. Your network address can stay the same if the NIC is replaced.
    ·     Also allows you to select your own numbering scheme for the global network independent of the MAC address, which in rare cases could also be duplicated.
    ·     Also provides the option of having multiple addresses of the same networking protocol assigned to the same MAC address.
    Applications: IP, ARP

Layer 2, Link
    ·     Error control and timing of bits speeding down the wire between two directly connected devices. In the home environment, data is frequently sent using the MAC addresses of the NIC cards of the communicating devices.
    Applications: Ethernet, ARP

Layer 1, Physical
    ·     Defines the electrical and physical characteristics of the network cabling and interfacing hardware.
    Applications: Ethernet
 


TCP/IP Packet Format

The TCP/IP packet contains an IP header followed by a TCP or UDP header followed by the TCP/UDP data.

  | IP Header | TCP/UDP Header | DATA |

 

Contents Of The IP Header 

Field

Description

IP Version

The version of IP being used. Version 4 is the current version used by most devices on the Internet. Version 6 is a newer format which allows for a much larger range of addresses.

IHL

Internet Header Length. Total length of the IP header

Total Length

Total length of the IP packet

DF Bit

Indicator to tell whether the data in the packet may be fragmented into smaller packets due to limitations of the communications line

MF Bit

Indicator to tell whether the data in this packet is the last of a stream of fragments.

Fragment Offset

If this packet is part of a fragmented datagram, then this specifies where in the complete datagram the data in this packet should be inserted.

TTL

Time to live. This value is decremented by each router through which the packet passes. When the value reaches zero, the packet is discarded by the router. The server sending the data usually sets the TTL to a value high enough to reach its destination without being discarded. The TTL decrement feature is used by routers as an additional precaution to prevent the packet from mistakenly being routed around the Internet in an infinite loop due to a routing error.

Protocol

Defines the type of protocol header to expect at the end of this header. For example, 6 = TCP, 17 = UDP.

Header checksum

Used to ensure that the header contents are error free.

Source Address

Indicates the IP address of the server sending the data

Destination Address

Indicates the IP address of the server intended to receive the data


 

Contents Of The TCP Header 

Field

Description

Source and Destination Port

Identifies points at which upper-layer source and destination processes receive TCP services.

Sequence Number

Usually specifies the number assigned to the first byte of data in the current message. In the connection-establishment phase, this field also can be used to identify an initial sequence number to be used in an upcoming transmission.

Acknowledgment Number

Contains the sequence number of the next byte of data the sender of the packet expects to receive.

Data Offset

Length of the TCP header.

Flags

Carries a variety of control information, including the SYN and ACK bits used for connection establishment, and the FIN bit used for connection termination.

Window

Specifies the size of the sender's receive window (that is, the buffer space available for incoming data)

Checksum

Used to ensure that the header contents are error free.

Data

Contains upper-layer information

  

Contents Of The UDP Header 

Field

Description

Source and Destination Port

Identifies points at which upper-layer source and destination processes receive UDP services.

Length

Specifies the length of the UDP header and data

Checksum

Used to ensure that the header contents are error free.