LPI Linux Certification in a Nutshell Part 40

Thepa.s.swordforthebinaccountwaslastchanged onThuApr2400:00:00CDT2008 The accounts for bin bin, daemon daemon, adm adm, and lp lp are all examples of system accounts. These accounts are never meant to have interactive logins; they exist to run system processes and to maintain owners.h.i.+p of files. The are all examples of system accounts. These accounts are never meant to have interactive logins; they exist to run system processes and to maintain owners.h.i.+p of files. The * * in the encrypted pa.s.sword fields means that these accounts are disabled from logging in interactively. in the encrypted pa.s.sword fields means that these accounts are disabled from logging in interactively.

Although this file is a text file and can be edited directly to modify these values, the command /usr/bin/chage /usr/bin/chage should be used to maintain the pa.s.sword aging settings for accounts. should be used to maintain the pa.s.sword aging settings for accounts.

Setting Limits on Users So far, the security concerns we have discussed regarding a Linux system have all revolved around the filesystem. Since everything in Linux is a file, this makes sense. However, security isn't solely concerned with which user can access what resource at what time. Security must also take into consideration the sharing of resources among users (both system and human users). A good security administrator will ensure that no insecure SUID or SGID binaries exist on his system that could give a normal user root access. But what measures are in place to ensure that a normal user doesn't run so many processes that a server is ground to a halt? What exists to make sure a user doesn't open so many network sockets that no memory is available to allocate to new connections? At first these might seem like capacity planning issues, but when we are dealing with systems that reside in a hostile environment (such as the Internet), they become the responsibility of the security administrator.

The Linux kernel has the ability to control many limits on what users can and can't do. These limits are defined in the file /etc/security/limits.conf /etc/security/limits.conf and are viewed or modified interactively by the and are viewed or modified interactively by the ulimit ulimit command. command. ulimit ulimit is a command built into the bash sh.e.l.l, so it does not exist as a separate binary on a Linux system. is a command built into the bash sh.e.l.l, so it does not exist as a separate binary on a Linux system.

Querying System Services Previous chapters have discussed the importance of the /bin/ps /bin/ps command. It is vitally important that a system administrator knows exactly what processes are running on her machine and why. The first step toward maintaining a secure system is knowledge about that system. However, in this age of always-connected systems, understanding processes by themselves is not enough; you must also understand how they interact across the network. This can be accomplished with these Linux utilities: command. It is vitally important that a system administrator knows exactly what processes are running on her machine and why. The first step toward maintaining a secure system is knowledge about that system. However, in this age of always-connected systems, understanding processes by themselves is not enough; you must also understand how they interact across the network. This can be accomplished with these Linux utilities: netstat netstat, nmap nmap, and lsof. lsof.

Name su Syntax su[OPTION]...[-][USER[ARG]...]

Description The su su command (short for command (short for s subst.i.tute u user) allows you to run a sh.e.l.l with subst.i.tute user and group IDs. It is most commonly used to allow a normal user to "become" the root user (a.s.suming they know the root pa.s.sword). It is also used by the root user to "become" a regular user.

Frequently used options - Make the sh.e.l.l that is sp.a.w.ned a login sh.e.l.l (i.e., process .bash_profile .bash_profile and set appropriate login environment variables, such as and set appropriate login environment variables, such as $PATH $PATH) -cCOMMAND Pa.s.s a single command to the sh.e.l.l, useful for one-line commands that need to be run as root root.

Examples A normal user becoming root: $whoami adam $su- Pa.s.sword: #whoami root Running a command as the root user: $wc-l/etc/shadow wc:/etc/shadow:Permissiondenied $su-cwc-l"/etc/shadow"

Pa.s.sword: 48/etc/shadow Root becoming a regular user: #whoami root #suadam $whoami adam The - - (or (or -l -l) option to su su determines whether or not the new sh.e.l.l is a login sh.e.l.l. The most obvious impact of this decision is the determines whether or not the new sh.e.l.l is a login sh.e.l.l. The most obvious impact of this decision is the $PATH $PATH variable. The most common usage of variable. The most common usage of su su is for a regular user to become the root user, to enable that user to run a command or perform a task that only is for a regular user to become the root user, to enable that user to run a command or perform a task that only root root can do. By default, the can do. By default, the $PATH $PATH environment variable contains different directories for the root user than for regular users. Specifically, the directories environment variable contains different directories for the root user than for regular users. Specifically, the directories /sbin /sbin and and /usr/sbin /usr/sbin store binary programs that only the superuser should run. Regular users can read these directories, but it doesn't make sense to have those directories in a regular user's store binary programs that only the superuser should run. Regular users can read these directories, but it doesn't make sense to have those directories in a regular user's $PATH $PATH, because they will never need to use them.

If a regular user uses the command su su to become root, the to become root, the $PATH $PATH environment variable does not change, because this is not a login sh.e.l.l. This means that the directories environment variable does not change, because this is not a login sh.e.l.l. This means that the directories /sbin /sbin and and /usr/sbin /usr/sbin are not in that user's are not in that user's $PATH $PATH. This is often a source of confusion for new system administrators. Note the following example: $whoami adam $su Pa.s.sword: #fdiskl/dev/sda bash:fdisk:commandnotfound #whichfdisk /usr/bin/which:nofdiskin (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/adam/bin) #exit $su Pa.s.sword: #fdiskl/dev/sda Disk/dev/sda:200.0GB,200049647616bytes ....etc....

#whichfdisk /sbin/fdisk #echo$PATH /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin: /sbin:/bin:/usr/sbin:/usr/bin:/root/bin Initially, the fdisk fdisk command by itself did not work because it was not in the command by itself did not work because it was not in the $PATH $PATH variable. Once the user returned to her user sh.e.l.l and used variable. Once the user returned to her user sh.e.l.l and used su su to become to become root root, the $PATH $PATH environment variable then contained the environment variable then contained the /sbin /sbin and and /usr/sbin /usr/sbin directories, so directories, so fdisk fdisk was found. was found.

Name sudo Syntax sudo[OPTION]...[-aauth_type][-ccla.s.s][-pprompt][-uusername]

Description sudo ( (subst.i.tute u user do do) allows a permitted user to execute a command as the superuser or another user, as specified in the /etc/sudoers /etc/sudoers file. file.

Frequently used options -b Run the given command in the background.

-uUSERNAME Attempt to run the command as user USERNAME USERNAME instead of root. instead of root.

The sudo sudo command lives somewhere between SUID and command lives somewhere between SUID and su su. sudo sudo is used when you want to give certain users (or groups of users) access to run certain commands with elevated privileges (usually as is used when you want to give certain users (or groups of users) access to run certain commands with elevated privileges (usually as root root). Sudo Sudo is extremely useful for a number of reasons: is extremely useful for a number of reasons: You don't have to hand out the root pa.s.sword to people just so they can run a few commands.

It logs every command (completed and attempted).

In the /etc/sudoers /etc/sudoers file, you can limit its use by user account, by group, by machine, or by pathname. file, you can limit its use by user account, by group, by machine, or by pathname.

The design of /etc/sudoers /etc/sudoers is such that you can replicate it across multiple systems without modification of the file. is such that you can replicate it across multiple systems without modification of the file.

The /etc/sudoers /etc/sudoers configuration file is a standard text file (like most other Linux configuration files), but the syntax for the rules that define the behavior of configuration file is a standard text file (like most other Linux configuration files), but the syntax for the rules that define the behavior of sudo sudo is formatted in Extended Backus-Naur Form (EBNF), which is a way to describe the grammar of a language. This is relatively unique to the Linux configuration file world, so your is formatted in Extended Backus-Naur Form (EBNF), which is a way to describe the grammar of a language. This is relatively unique to the Linux configuration file world, so your /etc/sudoers /etc/sudoers file will look quite a bit different than other configuration files you are used to. Because of the security implications of file will look quite a bit different than other configuration files you are used to. Because of the security implications of sudo sudo, and the somewhat challenging format of the file itself, it is recommended that the command visudo visudo be used to edit be used to edit /etc/sudoers /etc/sudoers instead of editing the file directly. instead of editing the file directly. visudo visudo will not only make a backup copy of the will not only make a backup copy of the /etc/sudoers /etc/sudoers file for editing (replacing the previous version of file for editing (replacing the previous version of /etc/sudoers /etc/sudoers when the backup copy is saved), but it also does syntax checking of the format of the file, warning you if the syntax is incorrect. If you prefer an editor other than when the backup copy is saved), but it also does syntax checking of the format of the file, warning you if the syntax is incorrect. If you prefer an editor other than vi vi, just make sure your $EDITOR $EDITOR environment variable contains the path to your preferred editor, and environment variable contains the path to your preferred editor, and visudo visudo will invoke that editor instead of will invoke that editor instead of vi vi.

On the ExamThe configuration options available in /etc/sudoers /etc/sudoers can be very complicated. You will not be required to answer questions about every possible option on the LPI exams. You should know what can be very complicated. You will not be required to answer questions about every possible option on the LPI exams. You should know what sudo sudo is for and some example command-line usage, and have a general idea of what the is for and some example command-line usage, and have a general idea of what the /etc/sudoers /etc/sudoers file should look like. file should look like.

Example 1 A simple /etc/sudoers /etc/sudoers file: file: #Formatis: #userMACHINE=COMMANDS # #TheCOMMANDSsectionmayhaveotheroptionsaddedtoit.

# Defaultsrequiretty,pa.s.swd_timeout=10 #Allowsmembersoftheusersgrouptomountandunmountthecdromasroot %usersALL=/sbin/mount/mnt/cdrom,/sbin/umount/mnt/cdrom #Allowtheuseradamtorunthedumpe2fscommandonanylocallyattached #diskusingscsiemulation(/dev/sd*)onthecomputer'fileserv', #don'tpromptforapa.s.sword adamfileserv=NOPa.s.sWD:/sbin/dumpe2fs/dev/sd*

The NOPa.s.sWD NOPa.s.sWD option will allow the user option will allow the user adam adam to run the to run the dumpe2fs dumpe2fs command without being prompted for a pa.s.sword. Normally, command without being prompted for a pa.s.sword. Normally, sudo sudo will prompt a user for his pa.s.sword (not the root pa.s.sword! If the user knew the root pa.s.sword, he wouldn't need will prompt a user for his pa.s.sword (not the root pa.s.sword! If the user knew the root pa.s.sword, he wouldn't need sudo sudo, would he?). Once the user's pa.s.sword is given correctly, sudo sudo will cache the pa.s.sword and not ask again for a default of five minutes (configurable in the will cache the pa.s.sword and not ask again for a default of five minutes (configurable in the /etc/sudoers /etc/sudoers file). Setting the file). Setting the NOPa.s.sWD NOPa.s.sWD option allows the option allows the sudo sudo command to be called from command to be called from cron cron and other noninteractive, scripted situations. and other noninteractive, scripted situations.

The detailed logging that sudo sudo offers by default is another reason why it is so popular. It is a common scenario to have multiple people acting as system administrators in a corporate environment. If all of these people log in as offers by default is another reason why it is so popular. It is a common scenario to have multiple people acting as system administrators in a corporate environment. If all of these people log in as root root to perform maintenance, there is no way to tell exactly which user was logged in as to perform maintenance, there is no way to tell exactly which user was logged in as root root and ran what command at a certain time. and ran what command at a certain time. sudo sudo handles this for you. It is good practice to use handles this for you. It is good practice to use sudo sudo to run superuser commands when you are in a shared administrator environment. to run superuser commands when you are in a shared administrator environment.

Example 2 A sample log line from sudo sudo: Dec415:07:20fileservsudo:adam:TTY=pts/0;PWD=/sbin;USER=root; COMMAND=/sbin/dumpe2fs/dev/sda3 By default, sudo sudo uses the uses the syslog syslog service to log all events. Depending upon your service to log all events. Depending upon your syslog syslog configuration, these events will probably be logged to either configuration, these events will probably be logged to either /var/log/messages /var/log/messages or or /var/log/secure /var/log/secure.

sudo will also log instances when a user attempts to run a command and is denied, shown next. will also log instances when a user attempts to run a command and is denied, shown next.

Example 3 Sudo denying access to user joe joe, who tried to run sudo /bin/ls /tmp sudo /bin/ls /tmp: Dec415:27:29fileservsudo:joe:userNOTinsudoers;TTY=pts/0; PWD=/home/joe;USER=root;COMMAND=/bin/ls/tmp Other important things to remember about sudo sudo: Be sure you are giving the exact path to applications in the /etc/sudoers /etc/sudoers file. The file. The visudo visudo command will give you an error if you try to use relative path names. command will give you an error if you try to use relative path names.

Be aware of commands that sp.a.w.n subsh.e.l.ls! This is the same issue that was discussed earlier with regards to SUID programs and subsh.e.l.ls. A subsh.e.l.l (or child process) will always inherit the security context of the parent process. So if you have a line in /etc/sudoers /etc/sudoers that looks like this: that looks like this:adamALL=NOPa.s.sWD:/bin/vi then the user "adam" will be able to run /bin/vi /bin/vi as root. By typing as root. By typing !bash !bash in a in a vi vi session, adam will have an interactive sh.e.l.l as root. If you are in a situation where you need to let non-root users edit protected files, use the command session, adam will have an interactive sh.e.l.l as root. If you are in a situation where you need to let non-root users edit protected files, use the command sudoedit sudoedit (an alias to " (an alias to "sudo e"). This tells sudo sudo that a file needs to be edited. The that a file needs to be edited. The sudo sudo command will make a temporary copy of the file and open an editor in the security context of the user (not root). Once the temporary file is saved, command will make a temporary copy of the file and open an editor in the security context of the user (not root). Once the temporary file is saved, sudo sudo will copy the temporarily file over the original file. This bypa.s.ses the root subsh.e.l.l dilemma. will copy the temporarily file over the original file. This bypa.s.ses the root subsh.e.l.l dilemma.

The file /etc/sudoers /etc/sudoers can be a little daunting at first, but remember it was designed to allow you to have one copy of can be a little daunting at first, but remember it was designed to allow you to have one copy of /etc/sudoers /etc/sudoers work across multiple servers. If this is not your situation, you can follow the simple examples above to create and maintain an work across multiple servers. If this is not your situation, you can follow the simple examples above to create and maintain an /etc/sudoers /etc/sudoers file that is a little easier to read. file that is a little easier to read.

Name usermod Syntax chage[OPTIONS][USERNAME]

Description usermod is used to maintain the settings for accounts in is used to maintain the settings for accounts in /etc/pa.s.swd /etc/pa.s.swd and and /etc/group /etc/group (and, by extension, (and, by extension, /etc/shadow /etc/shadow and and /etc/gshadow /etc/gshadow).

Frequently used options -c COMMENT COMMENT Set or change the value of the Comment field (field 5).

-d HOMEDIRECTORY HOMEDIRECTORY Set or change the value of the user's home directory (field 6).

-g GROUPID GROUPID Set the primary GID (group ID) of the user.

-G comma-delimited GROUPID(S) comma-delimited GROUPID(S) Set the supplementary group ID(s) for a user.

-l USERNAME USERNAME Change the username to USERNAME USERNAME.

-s Sh.e.l.l Sh.e.l.l Change the user's sh.e.l.l to Sh.e.l.l Sh.e.l.l.

Name chage Syntax chage[OPTIONS][USERNAME]

Description chage (change aging) is used to maintain the pa.s.sword aging limits on a user account. (change aging) is used to maintain the pa.s.sword aging limits on a user account.

Frequently used options -d LASTDAY LASTDAY Set the number of days (since January 1, 1970) when the pa.s.sword was last changed.

-E EXPIREDATE EXPIREDATE Set a user account to expire on a certain date.

-I INACTIVEDAYS INACTIVEDAYS How many days of inactivity after a pa.s.sword has expired must pa.s.s before the account is locked.

-l Show pa.s.sword aging information for an account. A nonprivileged user can run this to view his pa.s.sword aging status.

-m MINDAYS MINDAYS Set the minimum number of days between pa.s.sword changes.

-M MAXDAYS MAXDAYS Set the maximum number of days a pa.s.sword is valid.

-W WARNDAYS WARNDAYS The number of days before the pa.s.sword expiration that the system will start warning the user.

Examples View the pa.s.sword aging information for the root root user: user: #chage-lroot Lastpa.s.swordchange:Jan08,2010 Pa.s.swordexpires:never Pa.s.swordinactive:never Accountexpires:never Minimumnumberofdaysbetweenpa.s.swordchange:0 Maximumnumberofdaysbetweenpa.s.swordchange:99999 Numberofdaysofwarningbeforepa.s.swordexpires:7 Force a user to change his pa.s.sword on the next login: #chage-d0adamh #chage-ladamh Lastpa.s.swordchange:pa.s.swordmustbechanged Pa.s.swordexpires:never Pa.s.swordinactive:never Accountexpires:never Minimumnumberofdaysbetweenpa.s.swordchange:0 Maximumnumberofdaysbetweenpa.s.swordchange:99999 Numberofdaysofwarningbeforepa.s.swordexpires:7 Now when the user adamh adamh next logs in, he will see: next logs in, he will see: loginas:adamh [email protected]'spa.s.sword: Youarerequiredtochangeyourpa.s.swordimmediately(rootenforced) Lastlogin:FriJan814:50:422010from10.0.0.112 WARNING:Yourpa.s.swordhas.e.xpired.

Youmustchangeyourpa.s.swordnowandloginagain!

Changingpa.s.swordforuseradamh.

Changingpa.s.swordforadamh.

(current)UNIXpa.s.sword: NewUNIXpa.s.sword: RetypenewUNIXpa.s.sword:On the ExamThe chage chage command can be a little confusing. Take the time to learn its different options and practice configuring different pa.s.sword aging settings on a test Linux system. It is likely that you will encounter questions about the syntax of the command can be a little confusing. Take the time to learn its different options and practice configuring different pa.s.sword aging settings on a test Linux system. It is likely that you will encounter questions about the syntax of the chage chage command on the LPI exams. command on the LPI exams.

Name ulimit Syntax ulimit[OPTIONS]limit Description Provides control over the resources available to the sh.e.l.l and to processes started by it, on systems that allow such control.

Frequently used options -a Report all current limits.

-u NUMBER NUMBER The maximum number of processes available to a single user.

-x NUMBER NUMBER The maximum number of file locks.

-v NUMBER NUMBER The maximum amount of memory available to the sh.e.l.l, in kilobytes.

-H Indicates that a hard limit is being specified.

-S Indicates that a soft limit is being specified.

Example View the current limits for a user: $ulimit-a corefilesize(blocks,-c)0 datasegsize(kbytes,-d)unlimited schedulingpriority(-e)0 filesize(blocks,-f)unlimited pendingsignals(-i)8192 maxlockedmemory(kbytes,-l)32 maxmemorysize(kbytes,-m)unlimited openfiles(-n)1024 pipesize(512bytes,-p)8 POSIXmessagequeues(bytes,-q)819200 real-timepriority(-r)0 stacksize(kbytes,-s)10240 cputime(seconds,-t)unlimited maxuserprocesses(-u)8192 virtualmemory(kbytes,-v)unlimited filelocks(-x)unlimited Limits are defined on Linux as being either hard hard or or soft soft limits. A hard limit is set by the superuser for a user or group of users and cannot be exceeded. A soft limit is also set by the superuser, but it may be temporarily overridden by a user if the need arises (by the user calling the limits. A hard limit is set by the superuser for a user or group of users and cannot be exceeded. A soft limit is also set by the superuser, but it may be temporarily overridden by a user if the need arises (by the user calling the ulimit ulimit command). For example, a user may have a soft limit of 100 on the maximum number of open files, with a hard limit of 1,000. If the user is running a short-term process that needs to open 200 files, they can temporarily increase her limit in order for that program to run. That increase lasts only for the life of the user's sh.e.l.l. Hard and soft limits are set up by the superuser for all users in the file command). For example, a user may have a soft limit of 100 on the maximum number of open files, with a hard limit of 1,000. If the user is running a short-term process that needs to open 200 files, they can temporarily increase her limit in order for that program to run. That increase lasts only for the life of the user's sh.e.l.l. Hard and soft limits are set up by the superuser for all users in the file /etc/security/limits.conf /etc/security/limits.conf.

The file limits.conf limits.conf takes four values, s.p.a.ce- or Tab-delimited, on each line: takes four values, s.p.a.ce- or Tab-delimited, on each line: Table22-3 describes the options for entries in describes the options for entries in limits.conf limits.conf.

Table22-3.Options in /etc/security/limits.conf

Field name Possible values Domain Username Group name, prefixed by @ * to indicate the default Type hard soft Item core (limits the core file size, set in KB) (limits the core file size, set in KB) data (maximum data size in KB) (maximum data size in KB) fsize (maximum file size in KB) (maximum file size in KB) memlock (maximum locked-in-memory address s.p.a.ce in KB) (maximum locked-in-memory address s.p.a.ce in KB) nofile (maximum number of open files) (maximum number of open files) rss (maximum resident set size in KB) (maximum resident set size in KB) stack (maximum stack size in KB) (maximum stack size in KB) cpu (maximum CPU time in minutes) (maximum CPU time in minutes) nproc (maximum number of processes (maximum number of processes as (address s.p.a.ce limit in KB) (address s.p.a.ce limit in KB) maxlogins (maximum number of logins for this user) (maximum number of logins for this user) maxsyslogins (maximum number of logins on the system) (maximum number of logins on the system) priority (the priority with which to run the user process) (the priority with which to run the user process) locks (maximum number of file locks the user can hold) (maximum number of file locks the user can hold) sigpending (maximum number of pending signals) (maximum number of pending signals) msgqueue (maximum memory used by POSIX message queues in bytes) (maximum memory used by POSIX message queues in bytes) nice (maximum nice priority allowed) (maximum nice priority allowed) rtprio (maximum real-time priority) (maximum real-time priority) Value Integer

Here are some example lines from a limits.conf limits.conf file: file: #useradamhcannotcreateafilelargerthan200MB adamhhardfsize204800 #useradamhcannotcreateafilelargerthan100MB #unlessheincreases.h.i.+sownulimitvalue adamhsoftfsize102400 #don'tcreatecorefilesforanyuserunlessthey #changethisulimitvalueforthemselves *softcore0 #limitallusersinthegroup'students'tonomore #than20processesrunningatonce @studenthardnproc20 #limitallusersinthegroup'faculty'tonomore #than20processesrunningatonce,butallow #themtoincreasetheirownlimittemporarily @facultysoftnproc20 Let's see ulimit ulimit in action with the user in action with the user adamh adamh, given the example limits.conf limits.conf file just shown. First, prove that user file just shown. First, prove that user adamh adamh cannot create a file larger than 102400 blocks (100 MB, a.s.suming we're dealing with blocks that are each 1 KB in size): cannot create a file larger than 102400 blocks (100 MB, a.s.suming we're dealing with blocks that are each 1 KB in size): $whoami adamh $ulimita corefilesize(blocks,-c)0 datasegsize(kbytes,-d)unlimited schedulingpriority(-e)0 filesize(blocks,-f)102400 pendingsignals(-i)8192 maxlockedmemory(kbytes,-l)32 maxmemorysize(kbytes,-m)unlimited openfiles(-n)1024 pipesize(512bytes,-p)8 POSIXmessagequeues(bytes,-q)819200 real-timepriority(-r)0 stacksize(kbytes,-s)10240 cputime(seconds,-t)unlimited maxuserprocesses(-u)8192 virtualmemory(kbytes,-v)unlimited filelocks(-x)unlimited $ddif=/dev/zeroof=largefilebs=1Mcount=200 Filesizelimitexceeded $ls-lhlargefile -rwxrwxrwx1rootroot100M2010-01-0816:09largefile The dd dd command used in this example is attempting to create a 200 MB file by copying the contents of command used in this example is attempting to create a 200 MB file by copying the contents of /dev/zero /dev/zero (a special device that returns zero-valued bytes to all read requests) to the file (a special device that returns zero-valued bytes to all read requests) to the file largefile largefile. It is doing this by attempting to copy 200 1-megabyte segments. After dd dd has reached 100 MB, the copy is aborted and the error "File size limit exceeded" appears. An has reached 100 MB, the copy is aborted and the error "File size limit exceeded" appears. An ls ls of the file shows that user of the file shows that user adamh adamh was allowed to create a 100 MB file, but no larger. Now was allowed to create a 100 MB file, but no larger. Now adamh adamh will use will use ulimit ulimit to increase his file size limit to 200 MB and try the command again: to increase his file size limit to 200 MB and try the command again: $ulimit-f204800 $ulimit-a corefilesize(blocks,-c)0 datasegsize(kbytes,-d)unlimited schedulingpriority(-e)0 filesize(blocks,-f)204800 pendingsignals(-i)8192 maxlockedmemory(kbytes,-l)32 maxmemorysize(kbytes,-m)unlimited openfiles(-n)1024 pipesize(512bytes,-p)8 POSIXmessagequeues(bytes,-q)819200 real-timepriority(-r)0 stacksize(kbytes,-s)10240 cputime(seconds,-t)unlimited maxuserprocesses(-u)8192 virtualmemory(kbytes,-v)unlimited filelocks(-x)unlimited $ddif=/dev/zeroof=largefilebs=1Mcount=200 200+0recordsin 200+0recordsout 209715200bytes(210MB)copied,13.0589s,16.1MB/s $ls-lhlargefile -rwxrwxrwx1rootroot200M2010-01-0816:14largefile This time, the dd dd command completed without an error, and command completed without an error, and adamh adamh was allowed to create a 200 MB file. However, if he tries to use was allowed to create a 200 MB file. However, if he tries to use ulimit ulimit to increase the limit beyond the hard limit, he is denied: to increase the limit beyond the hard limit, he is denied: $ulimit-f204801 -bash:ulimit:filesize:cannotmodifylimit:OperationnotpermittedOn the ExamSetting limits for users is an often-overlooked activity, but it will appear on the LPI exam. Be familiar with the format of the /etc/security/limits.conf /etc/security/limits.conf file and some of the more common options for file and some of the more common options for ulimit ulimit. Also be sure to understand the difference between hard and soft limits and how those differences affect a user's ability to use system resources.

Name netstat Description The command /bin/netstat /bin/netstat is a generic, all-purpose network information tool. It will give you information about network connections, routing tables, interface statistics, and many other low-level details of your current network configuration. From a security standpoint, one of the most useful options of is a generic, all-purpose network information tool. It will give you information about network connections, routing tables, interface statistics, and many other low-level details of your current network configuration. From a security standpoint, one of the most useful options of netstat netstat is its ability to tell you what network ports are currently "open" on your system, what network connections exist, and what state those connections are in. is its ability to tell you what network ports are currently "open" on your system, what network connections exist, and what state those connections are in. netstat netstat was defined, with examples, in was defined, with examples, in Chapter21 Chapter21. Here are few more examples, focusing on the security-related information provided by netstat netstat.

Examples Show protocol statistics. This is an example from a moderately busy public web server that has been up for 41 days: #netstat-s Ip: 996714394totalpacketsreceived 0forwarded 0incomingpacketsdiscarded 996354233incomingpacketsdelivered 743668424requestssentout Icmp: 308127ICMPmessagesreceived 488inputICMPmessagefailed.

ICMPinputhistogram: destinationunreachable:669 timeoutintransit:2 redirects:277573 ech.o.r.equests:29877 ech.o.r.eplies:6 48625ICMPmessagessent 0ICMPmessagesfailed ICMPoutputhistogram: destinationunreachable:18748 ech.o.r.eplies:29877 Tcp: 4092366activeconnectionopenings 6613024pa.s.siveconnectionopenings 28785failedconnectionattempts 479914connectionresetsreceived 46connectionsestablished 995776060segmentsreceived 742269993segmentssendout 1026415segmentsretransmitted 7056badsegmentsreceived.

135994resetssent Udp: 30804packetsreceived 18657packetstounknownportreceived.

0packetreceiveerrors 323385packetssent TcpExt: 77483invalidSYNcookiesreceived 22981resetsreceivedforembryonicSYN_RECVsockets ArpFilter:0 6555736TCPsocketsfinishedtimewaitinfasttimer 2463timewaitsocketsrecycledbytimestamp 1004packetsrejectsinestablishedconnectionsbecauseoftimestamp 17501900delayedackssent 24177delayedacksfurtherdelayedbecauseoflockedsocket Quickackmodewasactivated92779times 16609timesthelistenqueueofasocketoverflowed 16609SYNstoLISTENsocketsignored 465508199packetsdirectlyqueuedtorecvmsgprequeue.

2188914674packetsdirectlyreceivedfrombacklog 1015042059packetsdirectlyreceivedfromprequeue 414843326packetsheaderpredicted 421778135packetsheaderpredictedanddirectlyqueuedtouser TCPPureAcks:52593173 TCPHPAcks:313477583 TCPRenoRecovery:3251 TCPSackRecovery:109485 TCPSACKReneging:219 TCPFACKReorder:409 TCPSACKReorder:61 TCPRenoReorder:287 TCPTSReorder:1367 TCPFullUndo:1433 TCPPartialUndo:5607 TCPDSACKUndo:75787 TCPLossUndo:60128 TCPLoss:93645 TCPLostRetransmit:31 TCPRenoFailures:1693 TCPSackFailures:44900 TCPLossFailures:10718 TCPFastRetrans:182057 TCPForwardRetrans:21100 TCPSlowStartRetrans:167274 TCPTimeouts:428080 TCPRenoRecoveryFail:2148 TCPSackRecoveryFail:19641 TCPSchedulerFailed:107692 TCPRcvCollapsed:0 TCPDSACKOldSent:89093 TCPDSACKOfoSent:1003 TCPDSACKRecv:165272 TCPDSACKOfoRecv:521 TCPAbortOnSyn:0 TCPAbortOnData:11898 TCPAbortOnClose:2165 TCPAbortOnMemory:0 TCPAbortOnTimeout:11617 TCPAbortOnLinger:0 TCPAbortFailed:0 TCPMemoryPressures:0 Display all the active TCP connections: #netstat--tcp-n ActiveInternetconnections(w/oservers) ProtoRecv-QSend-QLocalAddressForeignAddressState tcp00192.168.23.11:80209.34.195.194:4898SYN_RECV tcp00192.168.23.11:8071.126.90.107:50254SYN_RECV tcp00192.168.23.11:769192.168.23.10:2049ESTABLISHED tcp00192.168.23.11:992192.168.23.10:2049ESTABLISHED tcp00192.168.23.11:8066.199.0.164:32211TIME_WAIT tcp00192.168.23.11:8068.13.184.187:3249ESTABLISHED tcp00192.168.23.11:8068.13.85.103:2972TIME_WAIT tcp00192.168.23.11:8070.165.111.157:14068TIME_WAIT tcp00192.168.23.11:8068.110.27.241:32808TIME_WAIT tcp00192.168.23.11:8071.199.119.34:49469TIME_WAIT This output shows us that there are a number of connections to TCP port 80 on our server (192.168.23.11). These connections are from many different hosts, as is typical with a busy web server. One of the interesting things about a report like this is the "State" information. A TCP connection goes through a number of different states as the connection is requested and created, data is transmitted, and the connection is completed and closed. From a security standpoint, it's a good idea to be familiar with the different states a TCP connection will be in. Some high-profile denial of service attacks in the past have taken advantage of the relatively long timeout values in TCP connections to completely exhaust the kernel memory of a system, by making thousands of TCP connections but never completing the response, and thus causing the system under attack to hold these thousands of TCP connections open until they finally time out. If you see a lot of connections in the "TIME_WAIT" state for long periods, you may be the victim of such an attack. To modify the default value, edit the file /proc/sys/net/ipv4/tcp_fin_timeout /proc/sys/net/ipv4/tcp_fin_timeout. For more information on the /proc /proc filesystem and how to use it to tune your running system, refer to the text file filesystem and how to use it to tune your running system, refer to the text file Doc.u.mentation/filesystems/proc.txt Doc.u.mentation/filesystems/proc.txt in your Linux kernel source. in your Linux kernel source.

Table22-4 displays the different states a TCP connection goes through. displays the different states a TCP connection goes through.

Table22-4.States of a TCP connection

State name Description CLOSED The connection is closed.

LISTEN Listening for an incoming connection.

SYN_RCVD SYN stands for SYNCHRONIZE, used to initiate and establish a connection. Named for the synchronization of sequence numbers that takes place throughout a TCP connection. This state indicates the connection is receiving packets.

SYN_SENT This state indicates the connection is sending packets.

ESTABLISHED In this state, the TCP three-way handshake has been completed, and a TCP connection is now established.

FIN_WAIT_1 FIN stands for FINISH, meaning that one of the devices wants to terminate the connection.

FIN_WAIT_2 After one end receives an acknowledgement (ACK) of a FIN, it goes into state FIN_WAIT_2.

CLOSING The connection is in the process of closing.

CLOSE_WAIT The state a connection is in after sending an ACK in response to an initial FIN.

LAST_ACK One end of the connection is in the process of sending a FIN.

TIME_WAIT After a TCP connection is closed, the kernel will keep the connection around in TIME_WAIT state, waiting for any delayed duplicate packets. This prevents another socket from using this same port and receiving data meant for an old connection.

On the Examnetstat is an important tool that you will encounter often in your Linux career. Become familiar with the more common command-line options, and understand when it is appropriate to use the is an important tool that you will encounter often in your Linux career. Become familiar with the more common command-line options, and understand when it is appropriate to use the netstat netstat command, because you will see a number of references to it on the LPI exams. command, because you will see a number of references to it on the LPI exams.

Name nmap Syntax nmap[scantype][options](targetspecifications) Description nmap (the network mapper) is a very powerful port-scanning tool. Its primary purpose is to scan a remote host (or entire subnet) and report back what TCP or UDP ports are open on each system. However, this powerful tool can do much more, including OS fingerprinting and vulnerability scanning. (the network mapper) is a very powerful port-scanning tool. Its primary purpose is to scan a remote host (or entire subnet) and report back what TCP or UDP ports are open on each system. However, this powerful tool can do much more, including OS fingerprinting and vulnerability scanning.

Frequently used options -sP Don't port scan; just report what hosts respond to a ping request. This is commonly called a ping sweep ping sweep. See the later examples.