News

Not yet written.

DHCPD

DHCPD is something all network admins should use. It serves clients their network settings (address, netmask, router, DNS servers and so on), which typically means the only client-side setup needed for networking is to leave the defaults and turn the machine on. It also lets you reconfigure client machines centrally (say, move from 10.1.0.0 to 10.2.0.0). In the long run (and the short run) DHCP will save you enormous amounts of work, money and stress. I run it at home with only 8 client machines and have found life to be better even for a LAN this small.

Problems with DHCPD and RedHat 'out of the box':

- A nasty little root hack in the previous version; the one that ships with 5.2 is ok.
- It runs non-chrooted, as root. This is very easy to fix.

I also highly recommend you run DHCPD version 2.x (3.x is in extreme pre-alpha stages); it has a lot of new features and is easier to set up and work with. The absolute latest version(s) tend to be a bit neurotic however; be warned, it is beta software.

Definitely firewall DHCPD off from the Internet. DHCP traffic should only be on local segments, possibly forwarded to a DHCP server on another segment; the only DHCP traffic you would see coming over the Internet would be an attack/DoS (an attacker could reserve all your IPs, leaving your real clients high and dry). If you are forwarding DHCP traffic over the Internet, DON'T. This is a really bad idea for a variety of reasons (primarily performance/reliability, but security as well).

I recommend the DHCPD server be only a DHCP server, locked up somewhere and allowed to do its job quietly. If you need to span subnets (i.e. you have multiple ethernet segments, only one of which has a DHCP server physically connected to it), use a DHCP relay (NT has one built in, the dhcpd package includes one, etc). There are also several known problems with NT and DHCP: NT RAS has a rather nasty habit of sucking up IP addresses like crazy (I have seen an NT server grab 64 and keep them indefinitely),
because it is trying to reserve IPs for the clients that will be dialing in, etc. Either turn NT's RAS off, or put it on its own subnet; the MAC address it sends to the DHCP server is very strange (it spells out RAS in the first few bytes) and is not easy to map out.

Chroot'ing DHCPD

DHCPD consists of 2 main executables:

- dhcpd - the DHCP server
- dhcrelay - a DHCP relay (relays requests to a central DHCP server, since DHCP is based on broadcasts, which typically don't (and shouldn't) span routers/etc.)

DHCPD requires 2 libraries:

- /lib/ld-linux.so.2
- /lib/libc.so.6

A config file:

- /etc/dhcpd.conf - configuration info, location of boot files, etc.

And a few other misc. files:

- /etc/dhcpd.leases - a list of active leases
- /etc/functions - a copy of /etc/rc.d/init.d/functions so that one can gracefully 'stop' and 'start' dhcpd

The latest DHCPD in rpm format for RedHat 5.x is at contrib.redhat.com; look for dhcpd-2.x.x, i.e. the latest (currently shipping with RedHat 5.2 is 2.0b1pl6-2).

The simplest way to set up dhcpd chrooted is to simply install dhcpd (the latest one preferably) and move/edit the necessary files. A good idea is to create a directory (such as /chroot/dhcpd/), preferably on a separate filesystem from /, /usr, etc. (hard links cannot cross filesystems), and then create a file structure under it for dhcpd. The following is an example; simply replace /chroot/dhcpd/ with your choice. You must of course execute these steps as root for it to work.

# Install dhcpd so we have the appropriate files
#
rpm -i dhcpd-2.0b1pl0-1.i386.rpm
#
# Create the directory structure (parents first)
#
cd /chroot/dhcpd/ # or wherever
mkdir ./etc
mkdir ./usr
mkdir ./usr/sbin
mkdir ./var
mkdir ./var/dhcpd
mkdir ./lib
#
# Start populating the files
#
cp /usr/sbin/dhcpd ./usr/sbin/dhcpd
cp /etc/dhcpd.conf ./etc/dhcpd.conf
cp /etc/rc.d/init.d/dhcpd ./etc/dhcpd.init
cp /etc/rc.d/init.d/functions ./etc/functions
#
# Now to get the latest libraries, change as appropriate
#
cp /lib/ld-linux.so.2 ./lib/
cp /lib/libc.so.6 ./lib/
#
# And create the necessary symbolic links so that they behave
# Remember that dhcpd thinks /chroot/dhcpd/ is /, so use relative links
#
# Done, now to manually edit some config files
#

In /chroot/dhcpd/etc/dhcpd.init, where you see the line that starts the daemon:

daemon dhcpd

replace it with:

cd /chroot/dhcpd/
chroot /chroot/dhcpd/ ./usr/sbin/dhcpd -d -q 2>&1 | tee etc/dhcpd.log &

and also get rid of the:

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

If your networking isn't up you ain't gonna be serving DHCP requests anyway.

Some notes on file permissions. Since the server is running as root, it can do anything it wants. This is why you should put it on a separate partition, to throttle hard links/etc. If there is a way to run dhcpd as non-root easily in RedHat Linux I would be glad to find out, since root can escape from chroot jails.

Once this is done, simply remove /etc/rc.d/init.d/dhcpd and create a symlink from /etc/rc.d/init.d/dhcpd pointing to /chroot/dhcpd/etc/dhcpd.init, and dhcpd will behave 'normally' while in fact it is separated from your system. You may also wish to remove the 'original' DHCPD files lying about, however this is not necessary.

If you have done the above properly you should have a /chroot/dhcpd/ (or other dir if you specified something different) that contains everything required to run dhcpd. And a ps -xau should show something like:

USER  PID   %CPU %MEM SIZE RSS TTY STAT START TIME COMMAND
root  6872  0.0  1.7  900  532 p0  S    02:32 0:00 ./usr/sbin/dhcpd -d -q
root  6873  0.0  0.9  736  288 p0  S    02:32 0:00 tee ./etc/dhcpd.log

DHCPD should definitely be firewalled from external hosts, as there is no reason an external host should be querying your DHCP server for IPs/etc. In addition, making it available to the outside world could result in an attacker starving the DHCP server of addresses: if it requests all that are available (assuming you use a dynamic pool(s) of addresses) you could be out of luck for your internal network. DHCP runs on port 67, UDP, because the amounts of data involved are small and a fast response is critical.

ipfwadm -I -a accept -P udp -S 10.0/8 -D 0.0/0 67
ipfwadm -I -a accept -P udp -S some.trusted.host -D 0.0/0 67
ipfwadm -I -a deny -P udp -S 0.0/0 -D 0.0/0 67

or

ipchains -A input -p udp -j ACCEPT -s 10.0/8 -d 0.0/0 67
ipchains -A input -p udp -j ACCEPT -s some.trusted.host -d 0.0/0 67
ipchains -A input -p udp -j DENY -s 0.0/0 -d 0.0/0 67

Note that a client which does not yet have an address sends its request from source 0.0.0.0, so after adding rules that accept only from your own networks, test with a fresh client before relying on them, and block port 67 UDP at the border router as well.

NFSD

NFS stands for Network File System and is just that: it is a good way to distribute filesystems, read-only and read/write, while maintaining a degree of security and control, assuming your network is enclosed and secure. NFS is primarily meant for use in a high-bandwidth environment (i.e. a LAN) where security risks are not high, or the information being shared is not sensitive (i.e. a small trusted LAN behind a firewall exchanging CAD/CAM diagrams, or a large university lab using NFS to mount /usr/). If you need a high level of security, i.e. encrypted data between hosts, NFS is not the best choice. I personally use it across my internal LAN (this machine has 2 interfaces, guess which one is heavily firewalled) to share filesystems containing rpms, this website, etc. Safer alternatives include SAMBA (free), and now IBM is porting AFS to Linux (costly, but AFS is a sweet hunk of code).

NFS has a few rudimentary security controls; the first would be firewalling. Using NFS across a large, slow public network like the Internet just isn't a good idea in any case, so firewall off port 2049, UDP. Since NFS runs as a set of daemons, tcp_wrappers are of no use unless NFS is compiled to support them
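Going back to the DHCPD chroot procedure above: the mkdir/cp/edit steps can be done in one script, and doing so catches two things the hand-typed version misses, namely which shared libraries the binary really needs (found with ldd rather than assumed to be just ld-linux.so.2 and libc.so.6) and the empty dhcpd.leases file that dhcpd expects to exist before it starts. This is an added example, not from the guide or the dhcpd package; the function names, the choice of ldd, and running the check against /bin/sh in a scratch directory are all mine. A real jail needs root and the real /usr/sbin/dhcpd.

```shell
#!/bin/sh
# Build the /chroot/dhcpd/ tree from the DHCPD section in one script (added
# example, not from the LASG). Usage for the real thing, as root:
#   sh build-jail.sh /chroot/dhcpd /usr/sbin/dhcpd /etc/dhcpd.conf
# The functions also work on a scratch directory with any dynamic binary.

# List the shared objects a binary links against, one path per line.
# ldd prints "name => /path (addr)" lines plus the bare loader path line.
linked_libs() {
    ldd "$1" 2>/dev/null | awk '/=>/ { print $3 } /^[ \t]*\// { print $1 }'
}

# Copy those libraries into the jail, keeping their absolute paths.
copy_libs() {
    bin="$1"; jail="$2"
    linked_libs "$bin" | while read -r lib; do
        [ -f "$lib" ] || continue          # skips "not found" and vdso entries
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
    return 0
}

# Write the start script that replaces the daemon line of the RedHat init
# script: cd into the jail, chroot, run dhcpd in the foreground, log via tee.
write_start_script() {
    jail="$1"
    cat > "$jail/etc/dhcpd.init" <<EOF
#!/bin/sh
# start dhcpd inside its chroot jail (generated by build-jail.sh)
cd $jail
chroot $jail ./usr/sbin/dhcpd -d -q 2>&1 | tee etc/dhcpd.log &
EOF
    chmod 755 "$jail/etc/dhcpd.init"
}

# Build the whole tree: directories, dhcpd binary, config, libraries, leases.
build_dhcpd_jail() {
    jail="$1"; dhcpd="$2"; conf="$3"
    mkdir -p "$jail/etc" "$jail/usr/sbin" "$jail/var/dhcpd" "$jail/lib"
    cp "$dhcpd" "$jail/usr/sbin/"
    if [ -f "$conf" ]; then
        cp "$conf" "$jail/etc/dhcpd.conf"
    fi
    # dhcpd will not start without a leases file; an empty one is fine
    if [ ! -f "$jail/etc/dhcpd.leases" ]; then
        : > "$jail/etc/dhcpd.leases"
    fi
    copy_libs "$dhcpd" "$jail"
    write_start_script "$jail"
    chmod -R go-w "$jail"      # nothing in the jail is writable by non-root
}

# Sanity check: every library ldd reports must now exist inside the jail.
jail_is_complete() {
    bin="$1"; jail="$2"
    missing=$(linked_libs "$bin" | while read -r lib; do
        if [ -f "$lib" ] && [ ! -f "$jail$lib" ]; then echo "$lib"; fi
    done)
    [ -z "$missing" ]
}

if [ $# -eq 3 ]; then
    build_dhcpd_jail "$1" "$2" "$3"
    jail_is_complete "$2" "$1" && echo "jail built in $1"
else
    echo "usage: $0 JAILDIR /usr/sbin/dhcpd /etc/dhcpd.conf" >&2
fi
```

The generated dhcpd.init only covers starting; stopping still goes through the copied /etc/functions as the text describes. The chmod at the end is the cheap part of the "separate partition" advice: it stops nothing root can do, but it makes an accidental world-writable file in the jail impossible.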
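The DHCPD section warns about two ways of losing your pool: an attacker (or any greedy client) requesting every available address, and NT RAS hoarding leases under its odd MAC. Both are visible in dhcpd.leases, so here is an added example (mine, not from the guide) that audits that file: it counts leases still valid at a given time, reports how much of a dynamic pool they consume, and flags leases whose hardware address begins with 52:41:53 (ASCII "R", "A", "S", which is what "spells out RAS in the first few bytes" amounts to). The lease file excerpt is constructed sample data in dhcpd 2.x format, and the function names are my own; dhcpd appends renewals to the file, so the parser treats the last block for an address as current.

```shell
#!/bin/sh
# Audit an ISC dhcpd.leases file (added example, not from the LASG).
#   sh lease-audit.sh /chroot/dhcpd/etc/dhcpd.leases POOLSIZE
# With no arguments it runs against the constructed sample below.

# Constructed sample, not real data. 10.0.0.7 appears twice: dhcpd appends
# renewals, so the last block for an address is the one that counts.
SAMPLE_LEASES='lease 10.0.0.5 {
  starts 2 1999/03/09 12:00:00;
  ends 2 1999/03/09 13:00:00;
  hardware ethernet 00:a0:cc:00:00:05;
}
lease 10.0.0.6 {
  starts 2 1999/03/09 10:00:00;
  ends 2 1999/03/09 11:00:00;
  hardware ethernet 00:a0:cc:00:00:06;
}
lease 10.0.0.7 {
  starts 2 1999/03/09 09:00:00;
  ends 2 1999/03/09 10:00:00;
  hardware ethernet 00:a0:cc:00:00:17;
}
lease 10.0.0.7 {
  starts 2 1999/03/09 12:10:00;
  ends 2 1999/03/09 14:00:00;
  hardware ethernet 00:a0:cc:00:00:07;
}
lease 10.0.0.8 {
  starts 2 1999/03/09 12:05:00;
  ends 2 1999/03/09 13:05:00;
  hardware ethernet 52:41:53:00:00:01;
}
lease 10.0.0.9 {
  starts 2 1999/03/09 12:05:00;
  ends 2 1999/03/09 13:05:00;
  hardware ethernet 52:41:53:00:00:02;
}'
SAMPLE_NOW='1999/03/09 12:30:00'    # dhcpd writes lease times in UTC

# Print "ip mac" for every lease still valid at $2 ("YYYY/MM/DD HH:MM:SS").
# The fixed-width timestamp makes a plain string comparison correct.
active_leases() {
    awk -v now="$2" '
        /^lease /                  { ip = $2; mac = "?"; ends = "" }
        /^[ \t]*ends /             { ends = $3 " " $4; sub(";", "", ends) }
        /^[ \t]*hardware ethernet/ { mac = $3; sub(";", "", mac) }
        /^}/                       { if (ends > now) cur[ip] = mac; else delete cur[ip] }
        END { for (ip in cur) print ip, cur[ip] }
    ' "$1" | sort
}

count_active() { active_leases "$1" "$2" | wc -l | tr -d ' '; }

# Active leases held by NT RAS: MAC prefix 52:41:53 is ASCII "RAS".
count_ras() {
    active_leases "$1" "$2" | awk 'tolower($2) ~ /^52:41:53:/' | wc -l | tr -d ' '
}

# Percentage of a dynamic pool of $3 addresses that is currently leased.
pool_usage_pct() { echo $(( $(count_active "$1" "$2") * 100 / $3 )); }

report() {
    file="$1"; now="$2"; pool="$3"
    echo "active leases: $(count_active "$file" "$now") of $pool ($(pool_usage_pct "$file" "$now" "$pool")%)"
    echo "held by NT RAS: $(count_ras "$file" "$now")"
    active_leases "$file" "$now"
}

if [ $# -ge 2 ]; then
    report "$1" "$(date -u '+%Y/%m/%d %H:%M:%S')" "$2"
else
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LEASES" > "$tmp"
    report "$tmp" "$SAMPLE_NOW" 8
    rm -f "$tmp"
fi
```

Run it from cron against the jail's leases file with the size of your dynamic range; a usage figure that jumps to 100% with many fresh MACs is the address-starvation attack the text describes, while a handful of 52:41:53 addresses that never expire is the RAS problem.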