<para>When it comes to networking, Linux is your operating system of choice, not only because networking is tightly integrated with the OS itself and a wide variety of free tools and applications are available, but for the robustness under heavy loads that can only be achieved after years of debugging and testing in an Open Source project.</para>
<para>Bookshelves full of information have been written about Linux and networking, but we will try to give an overview in this chapter. After completing this, you will know more about</para>
<para>A protocol<indexterm><primary>networking</primary><secondary>protocols</secondary></indexterm> is, simply put, a set of rules for communication.</para>
<para>In order to get data over the network, for instance an E-mail from your computer to some computer at the other end of the world, lots of different hard- and software needs to work together.</para>
<para>All these pieces of hardware and the different software programs speak different languages. Imagine your E-mail program: it is able to talk to the computer operating system, through a specific protocol, but it is not able to talk to the computer hardware. We need a special program in the operating system that performs this function. In turn, the computer needs to be able to communicate with the telephone line or other Internet hookup method. And behind the scenes, network connection hardware needs to be able to communicate in order to pass your E-mail from one appliance to the other, all the way to the destination computer.</para>
<para>All these different types of communication protocols are classified in 7 layers, which are known as the <emphasis>Open Systems Interconnection Reference Model<indexterm><primary>networking</primary><secondary>OSI Model</secondary></indexterm></emphasis>, the <emphasis>OSI Model<indexterm><primary>OSI Model</primary></indexterm></emphasis> for short. For easy understanding, this model is reduced to a 4-layer protocol description, as described in the table below:</para>
<para>Each layer can only use the functionality of the layer below; each layer can only export functionality to the layer above. In other words: layers communicate only with adjacent layers. Let's take the example of your E-mail message again: you enter it through the application layer. In your computer, it travels down the transport and network layer. Your computer puts it on the network through the network access layer. That is also the layer that will move the message around the world. At the destination, the receiving computer will accept the message through its own network layer, and will display it to the recipient using the transport and application layer.</para>
<note><title>It's really much more complicated</title>
<para>The above and following sections are included because you will come across some networking terms sooner or later; they will give you some starting points, should you want to find out about the details.</para>
</note>
</sect2>
<sect2 id="sect_10_01_02"><title>Some popular networking protocols</title>
<para>Linux supports many different networking<indexterm><primary>networking</primary><secondary>protocol overview</secondary></indexterm> protocols. We list only the most important:</para>
<para>The <emphasis>Transport Control Protocol<indexterm><primary>Transport Control Protocol</primary></indexterm></emphasis> and the <emphasis>Internet Protocol<indexterm><primary>Internet Protocol</primary></indexterm></emphasis> are the two most popular ways of communicating on the Internet. A lot of applications, such as your browser and E-mail program, are built on top of this protocol suite.</para>
<para>Very simply put, IP provides a solution for sending packets of information from one machine to another, while TCP<indexterm><primary>protocols</primary><secondary>TCP/IP</secondary></indexterm> ensures that the packets are arranged in streams, so that packets from different applications don't get mixed up, and that the packets are sent and received in the correct order.</para>
<para>A good starting point for learning more about TCP and IP is in the following documents:</para>
<itemizedlist>
<listitem><para><command>man <option>7</option> <parameter>ip</parameter></command>: Describes the IPv4 protocol implementation on Linux (version 4 currently being the most widespread edition of the IP protocol).</para></listitem>
<listitem><para><command>man <option>7</option> <parameter>tcp</parameter></command>: Implementation of the TCP protocol.</para></listitem>
<listitem><para>RFC793, RFC1122, RFC2001 for TCP, and RFC791, RFC1122 and RFC1112 for IP.</para>
<para>The <ulink url="http://www.ietf.org/rtf/">Request For Comments</ulink> documents contain the descriptions of networking standards, protocols, applications and implementation. These documents are managed by the Internet Engineering Task Force<indexterm><primary>networking</primary><secondary>IETF</secondary></indexterm>, an international community concerned with the smooth operation of the Internet and the evolution and development of the Internet architecture.</para></listitem>
</itemizedlist>
<para>Nobody expected the Internet to grow as fast as it does. IP proved to have serious disadvantages when a very large number of computers is on the network, the most important being the shortage of unique addresses to assign to each participating machine. Thus, IP version 6 was devised to meet the needs of today's Internet.</para>
<para>Unfortunately, not all applications and services support IPv6<indexterm><primary>protocols</primary><secondary>IPv6</secondary></indexterm>, yet. A migration is currently being set in motion in many environments that can benefit from an upgrade to IPv6. For some applications, the old protocol is still used, for applications that have been reworked the new version is already active. So when checking your network configuration, sometimes it might be a bit confusing since all kinds of measures can be taken to hide one protocol from the other so as the two don't mix up connections.</para>
<para>The Linux kernel has built-in support<indexterm><primary>protocols</primary><secondary>PPP</secondary></indexterm> for PPP (Point-to-Point Protocol), SLIP (Serial Line IP), PLIP (Parallel Line IP) and PPP over Ethernet. PPP is the most popular way for individual users to access their ISP (Internet Service Provider), although in densely populated areas it is often being replaced by PPPOE, the protocol used for ADSL (Asymmetric Digital Subscriber Line) connections.</para>
<para>Most Linux distributions provide easy-to-use tools for setting up an Internet connection. The only thing you basically need is a username and password to connect to your Internet Service Provider (ISP), and a telephone number in the case of PPP. These data are entered in the graphical configuration tool, which will likely also allow for starting and stopping the connection to your provider.</para>
<para>The Linux kernel has built-in ISDN<indexterm><primary>protocols</primary><secondary>ISDN</secondary></indexterm> capabilities. Isdn4linux controls ISDN PC cards and can emulate a modem with the Hayes command set (<quote>AT</quote> commands). The possibilities range from simply using a terminal program to full connection to the Internet.</para>
<para>Appletalk is the name of Apple's<indexterm><primary>protocols</primary><secondary>AppleTalk</secondary></indexterm> internetworking stack. It allows a peer-to-peer network model which provides basic functionality such as file and printer sharing. Each machine can simultaneously act as a client and a server, and the software and hardware necessary are included with every Apple computer.</para>
<para>Linux provides full AppleTalk networking. Netatalk is a kernel-level implementation of the AppleTalk Protocol Suite, originally for BSD-derived systems. It includes support for routing AppleTalk, serving UNIX and AFS file systems using AppleShare and serving UNIX printers and accessing AppleTalk printers.</para>
<para>For compatibility with MS Windows environments, the Samba suite, including support for the NMB<indexterm><primary>protocols</primary><secondary>SMB/NMB</secondary></indexterm> and SMB protocols, can be installed on any UNIX-like system. The Server Message Block protocol (also called Session Message Block, NetBIOS or LanManager protocol) is used on MS Windows 3.11, NT, 95/98, 2K and XP to share disks and printers.</para>
<para>The basic functions of the Samba<indexterm><primary>networking</primary><secondary>Samba</secondary></indexterm> suite are: sharing Linux drives with Windows machines, accessing SMB shares from Linux machines, sharing Linux printers with Windows machines and sharing Windows printers with Linux machines.</para>
<para>Most Linux distributions provide a <emphasis>samba</emphasis> package, which does most of the server setup and starts up <command>smbd</command>, the Samba server, and <command>nmbd</command>, the netbios name server, at boot time by default. Samba can be configured graphically, via a web interface or via the command line and text configuration files. The daemons make a Linux machine appear as an MS Windows host in an MS Windows My Network Places/Network Neighbourhood window; a share from a Linux machine will be indistinguishable from a share on any other host in an MS Windows environment.</para>
<para>More information can be found at the following locations:</para>
<itemizedlist>
<listitem><para><command>man <filename>smb.conf<indexterm><primary>smb.conf</primary></indexterm></filename></command>: describes the format of the main Samba configuration file.</para></listitem>
<listitem><para>The <ulink url="http://www.samba.org/">Samba Project Documentation</ulink> (or check your local samba.org mirror) contains an easy to read installation and testing guide, which also explains how to configure your Samba server as a Primary Domain Controller. All the man pages are also available here.</para></listitem>
</itemizedlist>
<para>Linux also has support for Amateur Radio, WAN internetworking (X25, Frame Relay, ATM), InfraRed and other wireless connections, but since these protocols usually require special hardware, we won't discuss them in this document.</para>
<para>All the big, user-friendly Linux distributions come with various graphical tools, allowing for easy setup of the computer in a local network, for connecting it to an Internet Service Provider or for wireless access. These tools can be started up from the command line or from a menu<indexterm><primary>network configuration</primary><secondary>graphical tools</secondary></indexterm>:</para>
<itemizedlist>
<listitem><para>RedHat Linux comes with <command>redhat-config-network</command>, which has both a graphical and a text mode interface.</para></listitem>
<listitem><para>Suse's YAST or YAST2 is an all-in-one configuration tool.</para></listitem>
<listitem><para>Mandrake/Mandriva comes with a Network and Internet Configuration Wizard, which is preferably started up from Mandrake's Control Center.</para></listitem>
</itemizedlist>
<itemizedlist>
<listitem><para>For connecting to the local network, for instance with your home computers, or at work: hostname, domainname and IP address. If you want to set up your own network, best do some more reading first. At work, this information is likely to be given to your computer automatically when you boot it up. When in doubt, it is better not to specify any information than making it up.</para></listitem>
<listitem><para>For connecting to the Internet: username and password for your ISP, telephone number when using a modem. Your ISP usually automatically assigns you an IP address and all the other things necessary for your Internet applications to work.</para></listitem>
</itemizedlist>
<para>The graphical helper tools edit a specific set of network configuration files, using a couple of basic commands. The exact names of the configuration files and their location in the file system is largely dependent on your Linux distribution and version. However, a couple of network configuration files<indexterm><primary>network configuration</primary><secondary>files</secondary></indexterm> are common on all UNIX systems:</para>
<para>The <filename>/etc/hosts<indexterm><primary>hosts</primary></indexterm></filename> file always contains the <emphasis>localhost<indexterm><primary>localhost</primary></indexterm></emphasis> IP address, 127.0.0.1, which is used for interprocess communication. Never remove this line! It sometimes also contains addresses of additional hosts, which can be contacted without using an external naming service such as DNS (the Domain Name Server).</para>
<para>The <filename>/etc/resolv.conf<indexterm><primary>resolv.conf</primary></indexterm></filename> file configures access to a DNS server, see <xref linkend="sect_10_04_07"/>. This file contains your domain name and the name server(s) to contact:</para>
<para>The <filename>/etc/nsswitch.conf<indexterm><primary>nsswitch.conf</primary></indexterm></filename> file defines the order in which to contact different name services. For Internet use, it is important that <emphasis>dns</emphasis> shows up in the <quote>hosts</quote> line:</para>
<para>This instructs your computer to look up hostnames and IP addresses first in the <filename>/etc/hosts</filename> file, and to contact the DNS server if a given host does not occur in the local <filename>hosts</filename> file. Other possible name services to contact are LDAP, NIS and NIS+.</para>
<para>More in <command>man <filename>nsswitch.conf</filename></command>.</para>
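<para>As an added example (not part of this guide's text), the following POSIX shell script checks the two files just described the way an administrator would before trusting name resolution: that the localhost line is still present, that the <quote>hosts</quote> line consults local files before DNS, and which addresses the hosts file pins a given name to. The sample file contents are constructed inline so the script runs without reading the real files; the function names are my own.</para>

```sh
#!/bin/sh
# Constructed stand-ins for /etc/hosts and /etc/nsswitch.conf, embedded so the
# checks run anywhere. On a live system feed the real files on stdin instead,
# e.g. has_localhost < /etc/hosts.
SAMPLE_HOSTS='# constructed /etc/hosts sample
127.0.0.1       localhost localhost.localdomain
192.168.42.10   fileserver fileserver.example.com'

SAMPLE_NSSWITCH='# constructed /etc/nsswitch.conf sample
passwd:     files
hosts:      files dns
networks:   files'

# has_localhost: succeed only if the hosts file on stdin still maps 127.0.0.1
# to the name "localhost" (the line the text says must never be removed).
has_localhost() {
    awk 'BEGIN { ok = 0 }
         $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) if ($i == "localhost") ok = 1 }
         END { exit !ok }'
}

# hosts_sources: print the name services listed on the "hosts:" line of the
# nsswitch.conf on stdin, in the order they are consulted.
hosts_sources() {
    awk '$1 == "hosts:" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# dns_after_files: succeed if the hosts: line consults "files" before "dns",
# the order the text recommends; fails when either keyword is missing.
dns_after_files() {
    hosts_sources | awk 'BEGIN { f = 0; d = 0 }
         { for (i = 1; i <= NF; i++) { if ($i == "files" && !f) f = i; if ($i == "dns" && !d) d = i } }
         END { exit !(f && d && f < d) }'
}

# lookup_static NAME: print the address(es) the hosts file on stdin pins NAME
# to. Comparing this with the DNS answer reveals entries added to redirect a
# host name behind the resolver's back.
lookup_static() {
    awk -v name="$1" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == name) print $1 }'
}

# Run the checks against the constructed samples.
printf '%s\n' "$SAMPLE_HOSTS" | has_localhost && echo "localhost entry: present"
printf '%s\n' "$SAMPLE_NSSWITCH" | dns_after_files \
    && echo "hosts lookup order: $(printf '%s\n' "$SAMPLE_NSSWITCH" | hosts_sources)"
echo "fileserver is pinned to: $(printf '%s\n' "$SAMPLE_HOSTS" | lookup_static fileserver)"
```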
<para>The distribution-specific scripts and graphical tools are front-ends to <command>ip<indexterm><primary>ip</primary></indexterm></command> (or <command>ifconfig<indexterm><primary>ifconfig</primary></indexterm></command> and <command>route<indexterm><primary>route</primary></indexterm></command> on older systems) to display and configure the kernel's networking configuration.</para>
<para>The <command>ip</command> command is used for assigning IP addresses to interfaces, for setting up routes to the Internet and to other networks, for displaying TCP/IP configurations etcetera.</para>
<para>The following commands show IP address<indexterm><primary>networking</primary><secondary>display IP address</secondary></indexterm> and routing<indexterm><primary>networking</primary><secondary>display routes</secondary></indexterm> information:</para>
<itemizedlist>
<listitem><para>two network interfaces, even on a system that has only one network interface card: <quote>lo</quote> is the local loop, used for internal network communication; <quote>eth0</quote> is a common<indexterm><primary>networking</primary><secondary>device names</secondary></indexterm> name for a <emphasis>real</emphasis> interface. Do not ever change the local loop configuration, or your machine will start malfunctioning! Wireless interfaces are usually defined as <quote>wlan0</quote>; modem interfaces as <quote>ppp0</quote>, but there might be other names as well.</para></listitem>
<listitem><para>IP addresses, marked with <quote>inet</quote>: the local loop<indexterm><primary>networking</primary><secondary>local loop</secondary></indexterm> always has 127.0.0.1, the physical interface can have any other combination.</para></listitem>
<listitem><para>The hardware address of your interface, which might be required as part of the authentication procedure to connect to a network, is marked with <quote>ether</quote>. The local loop has 6 pairs of all zeros, the physical interface has 6 pairs of hexadecimal characters, of which the first 3 pairs are vendor-specific.</para></listitem>
</itemizedlist>
<para>While <command>ip</command> is the most novel way to configure a Linux system, <command>ifconfig</command> is still very popular. Use it without option for displaying network interface<indexterm><primary>networking</primary><secondary>show IP address</secondary></indexterm> information:</para>
<para>Both <command>ifconfig</command> and <command>ip</command> display more detailed configuration information and a number of statistics about each interface and, maybe most important, whether it is <quote>UP</quote> and <quote>RUNNING</quote>.</para>
<para>On your laptop which you usually connect to the company network using the onboard Ethernet connection, but which you are now to configure for dial-in at home or in a hotel, you might need to activate the PCMCIA<indexterm><primary>networking</primary><secondary>PCMCIA</secondary></indexterm> card. This is done using the <command>cardctl<indexterm><primary>cardctl</primary></indexterm></command> control utility, or the <command>pccardctl<indexterm><primary>pccardctl</primary></indexterm></command> on newer distributions.</para>
<para>However, a good distribution should provide PCMCIA support in the network configuration tools, preventing users from having to execute PCMCIA commands manually.</para>
<para>Further discussion of network configuration is out of the scope of this document. Your primary source for extra information is the man pages for the services you want to set up. Additional reading:</para>
<itemizedlist>
<listitem><para><ulink url="http://www.tldp.org/HOWTO/Modem-HOWTO.html">The Modem-HOWTO</ulink>: Help with selecting, connecting, configuring, trouble-shooting, and understanding analog modems for a PC.</para></listitem>
<listitem><para><ulink url="http://www.tldp.org/HOWTO/HOWTO-INDEX/networking.html#NETGENERAL">LDP HOWTO Index, section 4.4</ulink>: categorized list of HOWTOs about general networking, protocols, dial-up, DNS, VPNs, bridging, routing, security and more.</para></listitem>
<listitem><para>Most systems have a version of the <filename>ip-cref</filename> file (locate it using the <command>locate</command> command); the PS format of this file is viewable with for instance <command>gv</command>.</para></listitem>
</itemizedlist>
<para>On a Linux machine, the device<indexterm><primary>networking</primary><secondary>device names</secondary></indexterm> name <emphasis>lo</emphasis> or the <emphasis>local loop</emphasis> is linked with the internal 127.0.0.1 address. The computer will have a hard time making your applications work if this device is not present; it is always there, even on computers which are not networked.</para>
<para>The first ethernet device, <emphasis>eth0</emphasis> in the case of a standard network interface card, points to your local LAN IP address. Normal client machines only have one network interface card. Routers, connecting networks together, have one network device for each network they serve.</para>
<para>There are many more names, for instance for Virtual Private Network interfaces (VPNs), and multiple interfaces can be active simultaneously, so that the output of the <command>ifconfig</command> or <command>ip</command> commands might become quite extensive when no options are used. Even multiple interfaces of the same type can be active. In that case, they are numbered sequentially: the first will get the number 0, the second will get a suffix of 1, the third will get 2, and so on. This is the case on many application servers, on machines which have a failover configuration, on routers, firewalls and many more.</para>
<para>Apart from the <command>ip</command> command for displaying<indexterm><primary>networking</primary><secondary>display routes</secondary></indexterm> the network configuration, there's the common <command>netstat</command> command which has a lot of options and is generally useful on any UNIX system.</para>
<para>This is a typical client machine in an IP network. It only has one network device, <emphasis>eth0</emphasis>. The <emphasis>lo</emphasis> interface is the local loop.</para>
<para>When this machine tries to contact a host that is on another network than its own, indicated by the line starting with 0.0.0.0, it will send the connection requests to the machine (router) with IP address 192.168.42.1, and it will use its primary interface, eth0, to do this.</para>
<para>Hosts that are on the same network, the line starting with 192.168.42.0, will also be contacted through the primary network interface, but no router is necessary, the data are just put on the network.</para>
<para>Machines can have much more complicated routing tables than this one, with lots of different <quote>Destination-Gateway</quote> pairs to connect to different networks. If you have the occasion to connect to an application server, for instance at work, it is most educating to check the routing information.</para>
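<para>The route selection described above, generalized to a table with several <quote>Destination-Gateway</quote> pairs, as an added example that is not part of the original guide: the script reads a routing table in the <command>netstat -rn</command> / <command>route -n</command> column layout and reports the entry the kernel would pick for a destination, i.e. the matching entry with the longest netmask. The table below is constructed (it mirrors the 192.168.42.0 example in the text plus two extra entries); real output can be piped in instead.</para>

```sh
#!/bin/sh
# Constructed routing table in the column layout of "netstat -rn" / "route -n".
# The default gateway 192.168.42.1 and local network 192.168.42.0/24 follow the
# example in the text; the 10.0.0.0/8 entry is added to show that a more
# specific entry wins over the default route.
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.42.1    0.0.0.0         UG        0 0          0 eth0
192.168.42.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.0.0.0        192.168.42.254  255.0.0.0       UG        0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo'

# route_for DEST: read a routing table on stdin and print "GATEWAY IFACE" for
# the most specific entry (longest netmask) covering DEST. Prints "direct" as
# gateway when DEST is on-link (gateway 0.0.0.0) and "unreachable" when no
# entry, not even a default route, matches.
route_for() {
    awk -v dest="$1" '
    function ip2int(s,  a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    # Only consider lines whose third column is a dotted-quad netmask; this
    # skips both header lines of netstat/route output.
    $3 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
    {
        mask = ip2int($3); net = ip2int($1); d = ip2int(dest)
        # A contiguous mask of p one-bits covers blocks of 2^(32-p) addresses,
        # and 2^32 - mask equals that block size, so comparing block indices
        # is the same as comparing (addr AND mask) without needing bit ops.
        block = 4294967296 - mask
        if (int(d / block) == int(net / block) && (!found || mask > best)) {
            best = mask; found = 1
            gw = ($2 == "0.0.0.0") ? "direct" : $2
            dev = $NF
        }
    }
    END { if (found) print gw, dev; else print "unreachable" }'
}

# Walk a few destinations through the constructed table.
for host in 192.168.42.7 10.20.30.40 203.0.113.5 127.0.0.1; do
    printf '%-15s -> %s\n' "$host" "$(printf '%s\n' "$ROUTES" | route_for "$host")"
done
```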
<para>An impressive amount of tools is focused on network management and remote administration of Linux machines. Your local Linux software mirror will offer plenty of those. It would lead us too far to discuss them in this document, so please refer to the program-specific documentation.</para>
<para>We will only discuss some common UNIX/Linux text tools in this section.</para>
<para>To display information on hosts<indexterm><primary>networking</primary><secondary>host lookup</secondary></indexterm> or domains, use the <command>host</command> command<indexterm><primary>host</primary></indexterm>:</para>
<para>Similar information can be displayed using the <command>dig<indexterm><primary>dig</primary></indexterm></command> command, which gives additional information about how records are stored in the name server.</para>
<para>To check if a host is alive, use <command>ping<indexterm><primary>ping</primary></indexterm></command>. If your system is configured to send more than one packet, interrupt <command>ping</command> with the <keycap>Ctrl</keycap>+<keycap>C</keycap> key combination<indexterm><primary>networking</primary><secondary>check other hosts</secondary></indexterm>:</para>
<para>To check the route that packets follow to a network host, use the <command>traceroute<indexterm><primary>traceroute</primary></indexterm></command> command<indexterm><primary>networking</primary><secondary>trace hosts</secondary></indexterm>:</para>
<para>Specific domain name information can be queried using the <command>whois<indexterm><primary>whois</primary></indexterm></command> command, as is explained by many <command>whois</command> servers, like the one<indexterm><primary>networking</primary><secondary>info on hosts</secondary></indexterm> below:</para>
<para>The Linux system is a great platform for offering networking services. In this section, we will try to give an overview of most common network servers and applications.</para>
<para>Offering a service to users can be approached in two ways. A daemon or service can run in standalone mode, or it can be dependent on another service to be activated.</para>
<para>Network services that are heavily and/or continuously used, usually run in the standalone mode<indexterm><primary>server types</primary><secondary>standalone</secondary></indexterm>: they are independent program daemons that are always running. They are most likely started up at system boot time, and they wait for requests on the specific connection points or ports for which they are set up to listen. When a request comes, it is processed, and the listening continues until the next request. A web server is a typical example: you want it to be available 24 hours a day, and if it is too busy it should create more listening instances to serve simultaneous users. Other examples are the large software archives such as <ulink url="http://sourceforge.net">Sourceforge</ulink> or <ulink url="http://tucows.com">your Tucows mirror</ulink>, which must handle thousands of FTP requests per day.</para>
<para>An example of a standalone network service on your home computer might be the <command>named</command> (name daemon), a caching name server. Standalone services have their own processes running, you can check any time using <command>ps</command>:</para>
<para>However, there are some services that you can use on your PC, even if there is no server process running for that services. Examples could be the FTP service, the secure copy service or the finger service. Those services have the Internet Daemon (<command>inetd</command>) listening in their place.</para>
<para>On your home PC, things are usually a bit calmer. You may have a small network, for instance, and you may have to transfer files from one PC to another from time to time, using FTP or Samba (for connectivity with MS Windows machines). In those cases, starting all the services<indexterm><primary>server types</primary><secondary>managed services</secondary></indexterm> which you only need occasionally and having them run all the time would be a waste of resources. So in smaller setups, you will find the necessary daemons dependent on a central program, that listen on all the ports of the services for which it is responsible.</para>
<para>This super-server, the Internet services<indexterm><primary>daemons</primary><secondary>inetd</secondary></indexterm> daemon, is started up at system initialization time. There are two common implementations: <command>inetd<indexterm><primary>inetd</primary></indexterm></command> and <command>xinetd<indexterm><primary>xinetd</primary></indexterm></command> (the extended Internet services daemon). One or the other is usually running on every Linux system:</para>
<para>The services for which the Internet daemon is responsible, are listed in its configuration file, <filename>/etc/inetd.conf<indexterm><primary>inetd.conf</primary></indexterm></filename>, for <command>inetd</command>, and in the directory <filename>/etc/xinetd.d<indexterm><primary>xinetd.d</primary></indexterm></filename> for <command>xinetd</command>. Commonly managed services include file share and print services, SSH, FTP, telnet, the Samba configuration daemon, talk and time services.</para>
<para>As soon as a connection request is received, the central server will start an instance of the required server. Thus, in the example below, when user <emphasis>bob</emphasis> starts an FTP session to the local host, an FTP daemon is running as long as the session is active:</para>
<para>Of course, the same happens when you open connections to remote hosts: either a daemon answers directly, or a remote <command>(x)inetd</command> starts the service you need and stops it when you quit.</para>
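<para>Because the super-server only spawns what its configuration lists, that configuration is the place to inventory which on-demand services a machine actually offers. As an added example (not part of the original guide), the script below parses both formats named above: an <filename>inetd.conf</filename> and the concatenated contents of an <filename>xinetd.d</filename> directory, then flags the enabled services that still carry logins or data in cleartext. Both configuration samples are constructed; the function names are my own.</para>

```sh
#!/bin/sh
# Constructed samples of the two configuration formats: an inetd.conf and the
# concatenated contents of an xinetd.d directory (as "cat /etc/xinetd.d/*"
# would produce). The service entries are illustrative only.
INETD_CONF='# constructed /etc/inetd.conf sample
#ftp     stream  tcp  nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root        /usr/sbin/tcpd  in.telnetd
talk     dgram   udp  wait    nobody.tty  /usr/sbin/tcpd  in.talkd
#finger  stream  tcp  nowait  nobody      /usr/sbin/tcpd  in.fingerd'

XINETD_D='service telnet
{
        disable         = yes
        socket_type     = stream
        server          = /usr/sbin/in.telnetd
}
service swat
{
        disable         = no
        socket_type     = stream
        server          = /usr/sbin/swat
}
service time
{
        socket_type     = stream
        type            = INTERNAL
}'

# inetd_enabled: print the service names inetd will spawn on demand, i.e. the
# uncommented inetd.conf lines (each has at least the six mandatory fields).
inetd_enabled() {
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }'
}

# xinetd_enabled: print the services xinetd will accept connections for. A
# block is "service NAME { ... }" and only an explicit "disable = yes" turns it
# off, so a block without a disable line is reported as enabled.
xinetd_enabled() {
    awk '
    $1 == "service"         { name = $2; disabled = "no"; next }
    /^[ \t]*disable[ \t]*=/ { v = $0; sub(/.*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); disabled = v; next }
    $1 == "}"               { if (name != "" && disabled != "yes") print name; name = "" }'
}

# cleartext_services: from service names on stdin, keep those that carry
# logins or data unencrypted, which an administrator normally disables in
# favour of SSH.
cleartext_services() {
    while read -r svc; do
        case "$svc" in
            telnet|ftp|rsh|rlogin|rexec|finger|talk|ntalk) echo "$svc" ;;
        esac
    done
}

echo "inetd spawns:";  printf '%s\n' "$INETD_CONF" | inetd_enabled
echo "xinetd spawns:"; printf '%s\n' "$XINETD_D" | xinetd_enabled
echo "still offered in cleartext:"
printf '%s\n' "$INETD_CONF" | inetd_enabled | cleartext_services
```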
<para><application>Sendmail<indexterm><primary>Sendmail</primary></indexterm></application> is the standard mail<indexterm><primary>mail</primary><secondary>servers overview</secondary></indexterm> server<indexterm><primary>servers</primary><secondary>mail</secondary></indexterm> program or Mail Transport Agent for UNIX platforms. It is robust, scalable, and when properly configured with appropriate hardware, handles thousands of users without blinking. More information about how to configure <application>Sendmail</application> is included with the <application>sendmail</application> and <application>sendmail-cf</application> packages, you may want to read the <filename>README</filename> and <filename>README.cf</filename> files in <filename>/usr/share/doc/sendmail</filename>. The <command>man <parameter>sendmail</parameter></command> and <command>man <parameter>aliases</parameter></command> are also useful.</para>
<para><application>Qmail<indexterm><primary>Qmail</primary></indexterm></application> is another mail server, gaining popularity because it claims to be more secure than <application>Sendmail</application>. While <application>Sendmail</application> is a monolithic program, <application>Qmail</application> consists of smaller interacting program parts that can be better secured. <application>Postfix<indexterm><primary>Postfix</primary></indexterm></application> is another mail server which is gaining popularity.</para>
<para>These servers handle mailing lists, filtering, virus scanning and much more. Free and commercial scanners are available for use with Linux. Examples of mailing list<indexterm><primary>mail</primary><secondary>mailing lists</secondary></indexterm> software are <application>Mailman</application>, <application>Listserv</application>, <application>Majordomo</application> and <application>EZmlm</application>. See the web page of your favorite virus scanner for information on Linux client and server support. <application>Amavis</application> and <application>Spamassassin</application> are free implementations of a virus<indexterm><primary>mail</primary><secondary>anti-spam/anti-virus</secondary></indexterm> scanner and a spam scanner.</para>
<para>The most popular protocols<indexterm><primary>mail</primary><secondary>protocols</secondary></indexterm> to access mail remotely are <emphasis>POP3<indexterm><primary>POP3</primary></indexterm></emphasis> and <emphasis>IMAP4<indexterm><primary>IMAP</primary></indexterm></emphasis>. IMAP and POP both allow offline operation, remote access to new mail and they both rely on an SMTP server to send mail.</para>
<para>There are plenty of both text and graphical E-mail<indexterm><primary>mail</primary><secondary>client applications</secondary></indexterm> clients, we'll just name a few of the common ones. Pick your favorite.</para>
<para>The UNIX <command>mail</command> command has been around for years, even before networking existed. It is a simple interface to send messages and small files to other users, who can then save the message, redirect it, reply to it etcetera.</para>
<para>While it is not commonly used as a client anymore, the <command>mail</command> program is still useful, for example to mail the output of a command to somebody:</para>
<para>The <command>elm</command> mail reader is a much needed improvement to <command>mail</command>, and so is <command>pine</command> (Pine Is Not ELM). The <command>mutt</command> mail reader is even more recent and offers features like threading.</para>
<para>For those users who prefer a graphical interface to their mail (and a tennis elbow or a mouse arm), there are hundreds of options. The most popular for new users are Mozilla Mail/Thunderbird, which has easy anti-spam configuring options, and Evolution, the MS Outlook clone. Kmail is popular among KDE users.</para>
<para>There are also tens of web mail applications available, such as <application>Squirrelmail</application>, <application>Yahoo!</application> mail, <application>gmail</application> from Google and <application>Hotmail</application>.</para>
<para>Most Linux distributions include <command>fetchmail<indexterm><primary>fetchmail</primary></indexterm></command>, a mail-retrieval and forwarding utility. It fetches mail from remote mail servers (POP, IMAP and some others) and forwards it to your local delivery system. You can then handle the retrieved mail using normal mail clients. It can be run in daemon mode to repeatedly poll one or more systems at a specified interval. Information and usage examples can be found in the Info pages; the directory <filename>/usr/share/doc/fetchmail[-&lt;version&gt;]</filename> contains a full list of features and a FAQ for beginners.</para>
<para>The <command>procmail<indexterm><primary>procmail</primary></indexterm></command> filter can be used for filtering incoming mail, to create mailing lists, to pre-process mail, to selectively forward mail and more. The accompanying <command>formail<indexterm><primary>formail</primary></indexterm></command> program, among others, enables generation of auto-replies and splitting up mailboxes. Procmail has been around for years on UNIX and Linux machines and is a very robust system, designed to work even in the worst circumstances. More information may be found in the <filename>/usr/share/doc/procmail[-&lt;version&gt;]</filename> directory and in the man pages.</para>
<para>Some people these days seem to think that an E-mail message shouldn't be too formal. That depends, of course. If you are writing to someone you don't know, best to keep some distance, just like you would do in a traditional letter. And don't forget: people you don't know might be male or female...</para>
<para><application>Apache<indexterm><primary>Apache</primary></indexterm></application> is by far the most popular web<indexterm><primary>servers</primary><secondary>web</secondary></indexterm> server, used on more than half of all Internet web servers. Most Linux distributions include <application>Apache</application>. <application>Apache</application>'s advantages include its modular design, SSL support, stability and speed. Given the appropriate hardware and configuration it can support the highest loads.</para>
<para>On Linux systems, the server configuration is usually done in the <filename>/etc/httpd</filename> directory. The most important configuration file is <filename>httpd.conf</filename>; it is rather self-explanatory. Should you need help, you can find it in the <command>httpd</command> man page or on the <ulink url="http://www.apache.org">Apache website</ulink>.</para>
<para>A number of web browsers<indexterm><primary>web browsers</primary><secondary>overview</secondary></indexterm>, both free and commercial, exist for the Linux platform. The days when <application>Netscape Navigator</application> was the only decent option are long gone: <application>Mozilla/Firefox</application> offers a competitive alternative that also runs on many other operating systems, such as MS Windows and MacOS X.</para>
<para>Amaya is the W3C browser. Opera is a commercial browser, compact and fast. Many desktop managers offer web browsing features in their file manager, like <command>nautilus</command>.</para>
<para>Among the popular text based browsers are <command>lynx</command> and <command>links</command>. You may need to define proxy servers in your shell, by setting the appropriate variables. Text browsers are fast and handy when no graphical environment is available, such as when used in scripts.</para>
<sect4 id="sect_10_04_03_03_01"><title>What is a proxy server?</title>
<para>Companies and organizations often want their users to use a proxy server<indexterm><primary>servers</primary><secondary>proxy</secondary></indexterm>. Especially in environments with lots of users, a proxy server can enable faster downloads of web pages. The proxy server stores web pages. When a user asks for a web page that has already been requested previously, the proxy server will give that page to the user directly, so that s/he does not need to get it from the Internet, which would take longer. Of course, measures can be taken so that the proxy server does a quick check and always serves the most recent version of a page. In some environments, usage of the proxy server is compulsory, in other environments you may have the choice whether or not to use it.</para>
<para>If you have the proxy server<indexterm><primary>proxy</primary><secondary>configuration</secondary></indexterm> name and port, it should be rather obvious to feed that information into your browser. However, many (command line) applications depend on the variables <varname>http_proxy<indexterm><primary>http_proxy</primary></indexterm></varname> and <varname>ftp_proxy<indexterm><primary>ftp_proxy</primary></indexterm></varname> for correct functioning. For your convenience, you might want to add a line like the following to your <filename>~/.bashrc<indexterm><primary>.bashrc</primary></indexterm></filename>:</para>
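<para>The following is an added example, not part of the original text: it shows what a line like the one referred to above looks like and, more usefully, how a command line tool decides from <varname>http_proxy</varname>, <varname>ftp_proxy</varname> and the companion <varname>no_proxy</varname> variable whether a given URL goes through the proxy at all. The proxy name <literal>proxy.example.com</literal>, port <literal>8080</literal> and the <varname>no_proxy</varname> list are placeholders; <varname>https_proxy</varname> is not mentioned in the text but is honoured by most tools in the same way.</para>

```shell
#!/bin/sh
# Added example (not from the book): how command line tools consume the
# http_proxy / ftp_proxy / no_proxy variables.
# proxy.example.com:8080 is a placeholder for your own proxy name and port.

# Lines you would append to ~/.bashrc for the proxy host $1 and port $2.
# The no_proxy value is an assumption: hosts reached without the proxy.
proxy_bashrc_lines() {
    printf 'export http_proxy=http://%s:%s/\n' "$1" "$2"
    printf 'export ftp_proxy=http://%s:%s/\n' "$1" "$2"
    printf 'export no_proxy=localhost,127.0.0.1,.example.com\n'
}

# Extract the host part of a URL: strip scheme, userinfo, port and path.
url_host() {
    rest=${1#*://}
    rest=${rest%%/*}
    rest=${rest#*@}
    printf '%s\n' "${rest%%:*}"
}

# Decide which proxy (if any) a tool would use for URL $1, following the
# common convention: no_proxy is a comma-separated list of host names or
# domain suffixes, "*" disables proxying, otherwise the scheme selects the
# variable. Prints the proxy URL, or nothing for a direct connection.
proxy_for_url() {
    url=$1
    scheme=${url%%://*}
    host=$(url_host "$url")
    set -f                           # no pathname expansion while splitting
    oldifs=$IFS; IFS=','
    for pat in ${no_proxy:-}; do
        pat=${pat# }                 # tolerate "a, b" spacing
        pat=${pat#.}                 # ".example.com" and "example.com" are the same
        [ -z "$pat" ] && continue
        if [ "$pat" = "*" ] || [ "$host" = "$pat" ] || [ "${host%.$pat}" != "$host" ]; then
            IFS=$oldifs; set +f
            return 0                 # direct connection: print nothing
        fi
    done
    IFS=$oldifs; set +f
    case $scheme in
        http)  printf '%s\n' "${http_proxy:-}" ;;
        https) printf '%s\n' "${https_proxy:-${http_proxy:-}}" ;;  # assumption: fall back to http_proxy
        ftp)   printf '%s\n' "${ftp_proxy:-}" ;;
        *)     ;;                    # other schemes: direct
    esac
}

# Demo: the lines to put in ~/.bashrc for the placeholder proxy.
proxy_bashrc_lines proxy.example.com 8080
```

<para>A misconfigured <varname>no_proxy</varname> is the usual reason a tool suddenly bypasses the proxy (or fails to reach an internal host through it), so <function>proxy_for_url</function> is a handy way to check which path a particular URL will take before blaming the proxy itself.</para>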
<para>On a Linux system, an FTP server<indexterm><primary>servers</primary><secondary>FTP</secondary></indexterm> is typically run from <command>xinetd</command>, using the <application>WU-ftpd</application> server<indexterm><primary>FTP</primary><secondary>servers</secondary></indexterm>, although the FTP server may be configured as a stand-alone server on systems with heavy FTP traffic. See the exercises.</para>
<para>Other FTP servers include among others <application>vsftpd</application>, <application>Ncftpd</application> and <application>Proftpd</application>.</para>
<para>Most Linux distributions contain the <application>anonftp</application> package, which sets up an anonymous FTP server tree and accompanying configuration files.</para>
<para>Most Linux distributions include<indexterm><primary>FTP</primary><secondary>clients</secondary></indexterm><command>ncftp<indexterm><primary>ncftp</primary></indexterm></command>, an improved version of the common UNIX <command>ftp<indexterm><primary>ftp</primary></indexterm></command> command, which you may also know from the Windows command line. The <command>ncftp</command> program offers extra features such as a nicer and more comprehensible user interface, file name completion, append and resume functions, bookmarking, session management and more:</para>
<para>Don't use the File Transfer Protocol for non-anonymous login unless you know what you are doing. Your user name and password might be captured by malevolent fellow network users! Use secure<indexterm><primary>FTP</primary><secondary>secure FTP</secondary></indexterm> FTP instead; the <command>sftp<indexterm><primary>sftp</primary></indexterm></command> program comes with the Secure SHell suite, see <xref linkend="sect_10_05_04_04"/>.</para></warning>
<para>Various clients<indexterm><primary>networking</primary><secondary>chatting and conferencing</secondary></indexterm> and systems are available in each distribution, replacing the old-style IRC text-based chat. A short and incomplete list of the most popular programs:</para>
<listitem><para><command>gaim</command>: multi-protocol instant messaging client for Linux, Windows and Mac, compatible with MSN Messenger, ICQ, IRC and much more; see the Info pages or <ulink url="http://gaim.sourceforge.net">the Gaim site</ulink> for more.</para></listitem>
<listitem><para><command>xchat</command>: IRC client for the X window system.</para></listitem>
<listitem><para>aMSN: an MSN clone.</para></listitem>
<listitem><para><command>Konversation</command>, <command>kopete</command>, <command>KVIrc</command> and many other K-tools from the KDE suite.</para></listitem>
<listitem><para><command>jabber</command>: Open Source Instant Messaging platform, compatible with ICQ, AIM, Yahoo, MSN, IRC, SMTP and much more.</para></listitem>
<listitem><para><command>skype</command>: program for making telephone-like calls over the Internet to other <application>Skype</application> users, see <ulink url="http://www.skype.com"/> for more info. <application>Skype</application> is free but not open.</para></listitem>
<listitem><para><application>Gizmo</application>: a free (but not open) phone for your computer, see <ulink url="http://www.gizmoproject.com"/>.</para></listitem>
<para>Running a <application>Usenet</application> server<indexterm><primary>servers</primary><secondary>news</secondary></indexterm> involves a lot of expertise and fine-tuning, so refer to the <ulink url="http://www.isc.org">INN homepage</ulink> for more information.</para>
<para>There are a couple of interesting newsgroups in the <emphasis>comp.*</emphasis> hierarchy, which can be accessed using a variety of text and graphical clients. A lot of mail clients support newsgroup browsing as well; check your program, or see your local Open Source software mirror for text clients such as <command>tin</command>, <command>slrn</command> and <command>mutt</command>, or download Mozilla or one of a number of other graphical clients.</para>
<para><ulink url="http://deja.com">Deja.com</ulink> keeps a searchable archive of all newsgroups, powered by Google. This is a very powerful instrument for getting help: chances are very high that somebody has encountered your problem, found a solution and posted it in one of the newsgroups.</para>
<para>All these applications need DNS<indexterm><primary>servers</primary><secondary>DNS</secondary></indexterm> services to match IP addresses to host names and vice versa. A DNS server does not know all the IP addresses in the world, but networks with other DNS servers which it can query to find an unknown address. Most UNIX systems can run <command>named<indexterm><primary>named</primary></indexterm></command>, which is part of the BIND (<application>Berkeley Internet Name Domain</application>) package distributed by the Internet Software Consortium<indexterm><primary>ISC</primary></indexterm>. It can run as a stand-alone caching <emphasis>nameserver<indexterm><primary>nameserver</primary></indexterm></emphasis>, which is often done on Linux systems in order to speed up network access.</para>
<para>Your main client configuration file is <filename>/etc/resolv.conf<indexterm><primary>resolv.conf</primary></indexterm></filename>, which determines the order in which Domain Name Servers are contacted:</para>
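<para>As an added example (not code from the book), the functions below read a <filename>resolv.conf</filename>-style file in the order the resolver uses it and compare the name servers found against a list you approve of. An unexpected entry in this file is one of the quieter ways a machine ends up asking the wrong server for every host name, which is why the check is worth scripting. The sample file content and the approved addresses are constructed for the example.</para>

```shell
#!/bin/sh
# Added example (not from the book): read the nameserver order from a
# resolv.conf-style file and flag any resolver that is not on an approved list.
# The sample file and the approved addresses are constructed for this example.

# Print the nameserver addresses of file $1, in the order they are tried.
resolv_nameservers() {
    while read -r key value _rest; do
        case $key in
            nameserver) printf '%s\n' "$value" ;;
        esac
    done < "$1"
}

# Print the search list of file $1. "domain" and "search" are treated alike
# and the last one wins, which is how the glibc resolver behaves.
resolv_search() {
    search=''
    while read -r key rest; do
        case $key in
            search|domain) search=$rest ;;
        esac
    done < "$1"
    printf '%s\n' "$search"
}

# Compare the nameservers in file $1 against the space-separated approved
# list $2. Prints one line per unexpected resolver; returns 1 if any found.
resolv_check() {
    bad=0
    for ns in $(resolv_nameservers "$1"); do
        case " $2 " in
            *" $ns "*) ;;
            *) printf 'unexpected nameserver: %s\n' "$ns"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
RESOLV_SAMPLE='# constructed sample, not a real configuration
search example.com
nameserver 192.0.2.53
nameserver 192.0.2.54
nameserver 198.51.100.9   # appeared without anyone remembering adding it
options timeout:2'

# Demo: write the sample to a temporary file and audit it.
demo=$(mktemp)
printf '%s\n' "$RESOLV_SAMPLE" > "$demo"
resolv_check "$demo" "192.0.2.53 192.0.2.54" || echo "resolver list deviates from policy"
rm -f "$demo"
```

<para>Run <function>resolv_check /etc/resolv.conf "..."</function> with your own server addresses; on systems where a DHCP client rewrites the file, a deviation is usually the first visible trace of a rogue DHCP server on the segment.</para>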
<para>More information can be found in the Info pages on <command>named</command>, in the <filename>/usr/share/doc/bind[-&lt;version&gt;]</filename> files and on the <ulink url="http://www.isc.org/products/BIND">Bind project</ulink> homepage. The <ulink url="http://www.tldp.org/HOWTO/DNS-HOWTO.html">DNS HOWTO</ulink> covers the use of BIND as a DNS server.</para>
<para>DHCP<indexterm><primary>protocols</primary><secondary>DHCP</secondary></indexterm> is the <application>Dynamic Host Configuration Protocol<indexterm><primary>DHCP</primary></indexterm></application>, which is gradually replacing good old <command>bootp</command> in larger environments. It is used to control<indexterm><primary>servers</primary><secondary>DHCP</secondary></indexterm> vital networking parameters such as IP addresses and name servers of hosts. DHCP is backward compatible with <command>bootp</command>. For configuring the server, you will need to read the HOWTO.</para>
<para>DHCP client machines will usually be configured using a GUI that configures the <command>dhcpcd<indexterm><primary>dhcpcd</primary></indexterm></command>, the DHCP client daemon. Check your system documentation if you need to configure your machine as a DHCP client.</para>
<para>Traditionally, users are authenticated locally, using the information stored in <filename>/etc/passwd<indexterm><primary>passwd</primary></indexterm></filename> and <filename>/etc/shadow<indexterm><primary>shadow</primary></indexterm></filename> on each system. But even when using a network service for authenticating<indexterm><primary>servers</primary><secondary>authentication</secondary></indexterm>, the local files will always be present to configure system accounts for administrative use, such as the root account, the daemon accounts and often accounts for additional programs and purposes.</para>
<para>These files are often the first candidates for being examined by hackers, so make sure the permissions and ownerships are strictly set as should be:</para>
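<para>The check that sentence asks for, as an added example rather than the book's own listing: a small function that compares owner, group and mode of a file with what you expect, and an audit that applies it to <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>. The expected values are assumptions for a typical distribution (<filename>/etc/shadow</filename> is <literal>root:root</literal> mode <literal>400</literal> or <literal>0</literal> on some systems and <literal>root:shadow</literal> mode <literal>640</literal> on others); adjust them to what your own distribution installs. GNU <command>stat</command> is assumed.</para>

```shell
#!/bin/sh
# Added example (not from the book): verify owner, group and mode of the
# account files. The expected values are assumptions for a typical
# distribution; compare with a freshly installed machine of your own.

# Usage: check_file_perms FILE "OWNER:GROUP:MODE [OWNER:GROUP:MODE ...]"
# Returns 0 when FILE matches one of the allowed owner:group:mode triples,
# otherwise prints what was found and returns 1.
check_file_perms() {
    file=$1 allowed=$2
    [ -e "$file" ] || { printf '%s: missing\n' "$file"; return 1; }
    # GNU stat: %U owner name, %G group name, %a permission bits in octal
    found=$(stat -c '%U:%G:%a' "$file")
    case " $allowed " in
        *" $found "*) return 0 ;;
    esac
    printf '%s: found %s, expected one of: %s\n' "$file" "$found" "$allowed"
    return 1
}

# Audit the two files named in the text; returns 1 if anything deviates.
audit_auth_files() {
    rc=0
    check_file_perms /etc/passwd "root:root:644" || rc=1
    check_file_perms /etc/shadow "root:root:400 root:root:0 root:shadow:640" || rc=1
    return $rc
}

# Demo run; a deviation is reported on stdout rather than aborting the script.
audit_auth_files || echo "account files deviate from the expected permissions"
```

<para>A world-readable <filename>/etc/shadow</filename> hands every local user the password hashes, and a group- or world-writable <filename>/etc/passwd</filename> lets anyone add an account with UID 0, so this is a check worth running from <command>cron</command> and not only once after installation.</para>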
<para>Linux can use PAM, the <application>Pluggable Authentication Module</application>, a flexible method of UNIX authentication. Advantages of PAM<indexterm><primary>PAM</primary></indexterm>:</para>
<listitem><para>A common authentication scheme that can be used with a wide variety of applications.
</para></listitem>
<listitem><para>PAM can be implemented with various applications without having to recompile the applications to specifically support PAM.</para></listitem>
<listitem><para>Great flexibility and control over authentication for the administrator and application developer.
</para></listitem>
<listitem><para>Application developers do not need to develop their program to use a particular authentication scheme. Instead, they can focus purely on the details of their program.</para></listitem>
</itemizedlist>
<para>The directory <filename>/etc/pam.d</filename> contains the PAM configuration files (used to be <filename>/etc/pam.conf</filename>). Each application or service has its own file. Each line in the file has four elements:</para>
<listitem><para><option>auth</option>: provides the actual authentication (perhaps asking for and checking a password) and sets credentials, such as group membership or Kerberos tickets.</para></listitem>
<listitem><para><option>account</option>: checks to make sure that access is allowed for the user (the account has not expired, the user is allowed to log in at this time of day, and so on).</para></listitem>
<listitem><para><option>password</option>: used to set passwords.</para></listitem>
<listitem><para><option>session</option>: used after a user has been authenticated. This module performs additional tasks which are needed to allow access (for example, mounting the user's home directory or making their mailbox available).</para>
</listitem>
</itemizedlist>
<para>The order in which modules are stacked, so that multiple modules can be used, is very important.</para>
</listitem>
<listitem><para><emphasis>Control Flags</emphasis>: tell PAM which actions to take upon failure or success. Values can be <option>required</option>, <option>requisite</option>, <option>sufficient</option> or <option>optional</option>.</para></listitem>
<listitem><para><emphasis>Module Path</emphasis>: path to the pluggable module to be used, usually in <filename>/lib/security</filename>.</para></listitem>
<listitem><para><emphasis>Arguments</emphasis>: information for the modules.</para></listitem>
</itemizedlist>
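<para>As an added example (not from the book or the Linux-PAM project), the script below splits a PAM service file into the four elements just listed, keeping a bracketed control value such as <literal>[success=ok default=ignore]</literal> in one piece, and then reports two things a reviewer of such a file should look at twice: <filename>pam_permit.so</filename> in an <option>auth</option> or <option>account</option> stack, which always succeeds, and the <literal>nullok</literal> argument to <filename>pam_unix.so</filename>, which accepts an empty password. The service file it works on is constructed for the example.</para>

```shell
#!/bin/sh
# Added example (not from the book): parse a PAM service file into
# type|control|module|arguments and flag two stacks that weaken authentication.
# The service file content below is constructed for this example.

# Print "type|control|module|arguments" for every configuration line of file $1.
pam_parse() {
    file=$1
    set -f                              # no pathname expansion while splitting
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac
        set -- $line
        mtype=$1; shift
        control=$1; shift
        case $control in                # "[success=ok default=ignore]" spans words
            \[*) while [ $# -gt 0 ]; do
                     case $control in *\]) break ;; esac
                     control="$control $1"; shift
                 done ;;
        esac
        module=${1:-}
        [ $# -gt 0 ] && shift
        printf '%s|%s|%s|%s\n' "$mtype" "$control" "$module" "$*"
    done < "$file"
    set +f
}

# Report entries that weaken authentication: pam_permit.so in an auth or
# account stack (it always succeeds) and the nullok option (empty passwords).
pam_lint() {
    pam_parse "$1" | while IFS='|' read -r mtype control module args; do
        case "$mtype:$module" in
            auth:pam_permit.so|account:pam_permit.so)
                printf 'WARN %s %s %s: pam_permit.so always succeeds\n' "$mtype" "$control" "$module" ;;
        esac
        case " $args " in
            *" nullok "*|*" nullok_secure "*)
                printf 'WARN %s %s %s: nullok accepts empty passwords\n' "$mtype" "$control" "$module" ;;
        esac
    done
}

# Constructed sample service file (not a recommended configuration).
PAM_SAMPLE='#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       sufficient   pam_permit.so
auth       required     pam_deny.so
account    required     pam_unix.so
account    [success=ok new_authtok_reqd=done default=ignore] pam_unix.so
password   requisite    pam_cracklib.so retry=3
password   sufficient   pam_unix.so md5 shadow nullok use_authtok
session    required     pam_unix.so'

# Demo: lint the sample.
demo=$(mktemp)
printf '%s\n' "$PAM_SAMPLE" > "$demo"
pam_lint "$demo"
rm -f "$demo"
```

<para>Note that in the sample the <option>sufficient</option> <filename>pam_permit.so</filename> line sits above <filename>pam_deny.so</filename>, so the stack order mentioned above is exactly what makes it dangerous: a sufficient module that succeeds ends the stack before the deny line is reached. Point <function>pam_lint</function> at the files in <filename>/etc/pam.d</filename> to see whether your own services carry anything similar.</para>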
<para>Shadow password files are automatically detected by PAM.</para>
<para>More information can be found in the <command>pam</command> man pages or at <ulink url="http://www.kernel.org/pub/linux/libs/pam">the Linux-PAM project</ulink> homepage.</para>
<para>The Lightweight Directory Access Protocol<indexterm><primary>protocols</primary><secondary>LDAP</secondary></indexterm> is a client-server system for accessing global or local directory services over a network. On Linux, the <application>OpenLDAP</application> implementation<indexterm><primary>LDAP</primary></indexterm> is used. It includes <command>slapd<indexterm><primary>slapd</primary></indexterm></command>, a stand-alone server; <command>slurpd</command>, a stand-alone LDAP replication server; libraries implementing the LDAP protocol and a series of utilities, tools and sample clients.</para>
<para>The main benefit of using LDAP is the consolidation of certain types of information within your organization. For example, all of the different lists of users within your organization can be merged into one LDAP directory. This directory can be queried by any LDAP-enabled applications that need this information. It can also be accessed by users who need directory information.</para>
<para>Other LDAP or X.500 Lite benefits include its ease of implementation (compared to X.500) and its well-defined Application Programming Interface (API), which means that the number of LDAP-enabled applications and LDAP gateways should increase in the future.</para>
<para>On the negative side, if you want to use LDAP, you will need LDAP-enabled applications or the ability to use LDAP gateways. While LDAP usage should only increase, currently there are not very many LDAP-enabled applications available for Linux. Also, while LDAP does support some access control, it does not possess as many security features as X.500.</para>
<para>Since LDAP is an open and configurable protocol, it can be used to store almost any type of information relating to a particular organizational structure. Common examples are mail address lookups, central authentication in combination with PAM, telephone directories and machine configuration databases.</para>
<para>See your system specific information and the man pages for related commands such as <command>ldapmodify</command> and <command>ldapsearch</command> for details. More information can be found in the <ulink url="http://www.tldp.org/HOWTO/LDAP-HOWTO.html">LDAP Linux HOWTO</ulink>, which discusses installation, configuration, running and maintenance of an LDAP server on Linux. The author of this Introduction to Linux document also wrote an <ulink url="http://tille.garrels.be/training/ldap/">LDAP Operations HOWTO</ulink>, describing the basics everyone should know about when dealing with LDAP management, operations and integration of services.</para>
<para>There are a couple of different ways to execute commands or run programs on a remote<indexterm><primary>commands</primary><secondary>remote execution</secondary></indexterm> machine and have the output, be it text or graphics, sent to your workstation. The connections<indexterm><primary>networking</primary><secondary>remote execution</secondary></indexterm> can be secure or insecure. While it is of course advised to use secure connections instead of transporting your password over the network unencrypted, we will discuss some practical applications of the older (unsafe) mechanisms, as they are still useful in a modern networked environment, such as for troubleshooting or running exotic programs.</para>
<para>The <command>rlogin<indexterm><primary>rlogin</primary></indexterm></command> and <command>rsh<indexterm><primary>rsh</primary></indexterm></command> commands for remote login and remote execution of commands are inherited from UNIX. While seldom used because they are blatantly<indexterm><primary>remote execution</primary><secondary>security</secondary></indexterm> insecure, they still come with almost every Linux distribution for backward compatibility with UNIX programs.</para>
<para>Telnet, on the other hand, is still commonly used, often by system and network administrators. Telnet is one of the most powerful tools for remote access to files and remote administration, allowing connections from anywhere on the Internet. Combined with an X server, remote graphical applications can be displayed locally. There is no difference between working on the local machine and using the remote machine.</para>
<para>Because the entire connection<indexterm><primary>security</primary><secondary>remote commands</secondary></indexterm> is unencrypted, allowing <command>telnet<indexterm><primary>telnet</primary></indexterm></command> connections involves taking high security risks. For normal remote execution of programs, <application>Secure SHell</application> or <command>ssh<indexterm><primary>ssh</primary></indexterm></command> is advised. We will discuss the secure method later in this section.</para>
<para>However, <command>telnet</command> is still used in many cases. Below are some examples in which a mail server and a web server are tested<indexterm><primary>telnet</primary><secondary>examples</secondary></indexterm> for replies:</para>
<para>This is safe in the sense that you never have to give a username or password to get the information you want: only the server's own announcements travel over the unencrypted connection, so there is nothing important for anyone to snoop off the cable.</para>
<para>As we already explained in Chapter 7 (see <xref linkend="sect_07_03_03"/>), the <application>X Window<indexterm><primary>X Window</primary><secondary>features</secondary></indexterm></application> system comes with an X server which serves graphics to clients that need a display.</para>
<para>It is important to realize the distinction between the X server and the X client application(s). The X server controls the display directly and is responsible for all input and output via keyboard, mouse and display. The X client, on the other hand, does not access the input and output devices directly. It communicates with the X server which handles input and output. It is the X client which does the real work, like computing values, running applications and so forth. The X server only opens windows to handle input and output for the specified client.</para>
<para>In normal operation (graphical mode), every Linux workstation is an X server to itself, even if it only runs client applications. All the applications you are running (for example, <application>Gimp</application>, a terminal window, your browser, your office application, your CD playing tool, and so on) are clients to your X server. Server and client are running on the same machine in this case.</para>
<para>This client/server nature of the X system makes it an ideal environment for remote execution of applications and programs. Because the process is actually being executed on the remote machine, very little CPU power is needed on the local host. Such machines, purely acting as servers for X, are called X terminals and were once very popular. More information may be found in the <ulink url="http://www.tldp.org/HOWTO/Remote-X-Apps.html">Remote X applications mini-HOWTO</ulink>.</para>
<para>If you would want to use <command>telnet</command> to display<indexterm><primary>remote execution</primary><secondary>X Window</secondary></indexterm> graphical applications running on a remote machine, you first need to give the remote machine access to your display (to your X server!) using the <command>xhost<indexterm><primary>xhost</primary></indexterm></command> command, by typing a command similar to the one below in a terminal window on your local machine:</para>
<para>After that, connect to the remote host and tell it to display graphics on the local machine by setting the environment variable <varname>DISPLAY<indexterm><primary>DISPLAY</primary></indexterm></varname>:</para>
<para>After completing this step, any application started in this terminal window will be displayed on your local desktop, using remote resources for computing, but your local graphical resources (your X server) for displaying the application.</para>
<para>This procedure assumes that you have some sort of X server (<application>XFree86</application>, <application>X.org</application>, <application>Exceed</application>, <application>Cygwin</application>) already set up on the machine where you want to display images. The architecture and operating system of the client machine are not important as long as they allow you to run an X server on it.</para>
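<para>The two steps above, as an added example that is not from the book: a helper that builds the <varname>DISPLAY</varname> value, an <command>xhost</command> wrapper that grants access to exactly one named host and refuses the bare <command>xhost +</command> (which disables access control for every host on the network), and an audit that reads <command>xhost</command>'s output and tells you what your display currently accepts. The host names are placeholders and the <command>xhost</command> output sample is constructed; the two status sentences it matches on are the ones <command>xhost</command> prints.</para>

```shell
#!/bin/sh
# Added example (not from the book): open the local X server to one remote
# host only, and audit what xhost currently allows.
# remote.example.com and mybox.example.com are placeholders.

# DISPLAY value for the remote side: "<local host>:<display>.<screen>".
display_value() {
    printf '%s:%s.%s\n' "$1" "${2:-0}" "${3:-0}"
}

# Grant a single host access to the local X server. An empty host name is
# refused because a bare "xhost +" lets every host on the network connect.
xhost_allow() {
    [ -n "${1:-}" ] || { echo 'refusing "xhost +": it would open the display to everyone' >&2; return 1; }
    xhost "+$1"
}

# Read xhost(1) output from stdin, list the allowed entries and report the
# access-control state. Returns 1 when access control is disabled.
xhost_audit() {
    state=unknown
    while IFS= read -r line; do
        case $line in
            "access control disabled"*) state=disabled ;;
            "access control enabled"*)  state=enabled ;;
            *:*) printf 'allowed: %s\n' "$line" ;;
        esac
    done
    printf 'access control: %s\n' "$state"
    [ "$state" != disabled ]
}

# Constructed sample of what xhost prints on a sanely configured workstation.
XHOST_SAMPLE='access control enabled, only authorized clients can connect
INET:remote.example.com
SI:localuser:user'

# Demo: audit the constructed sample. On a real machine: xhost | xhost_audit
printf '%s\n' "$XHOST_SAMPLE" | xhost_audit
# On the remote host you would then run, for example:
#   export DISPLAY=$(display_value mybox.example.com)
```

<para>Remember that whatever <command>xhost</command> admits may read keystrokes and draw on your screen, so grant access per host and remove it again with <command>xhost -remote.example.com</command> once you are done; running <command>xhost | xhost_audit</command> shows whether an earlier session left the display wide open.</para>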
<para>Most UNIX and Linux systems now run <application>Secure SHell<indexterm><primary>Secure SHell</primary><secondary></secondary></indexterm></application> in order to leave out the security<indexterm><primary>security</primary><secondary>Secure SHell</secondary></indexterm> risks that came with <command>telnet</command>. Most Linux systems will run a version of <application>OpenSSH</application>, an Open Source implementation of the SSH protocol, providing secure encrypted communications between untrusted hosts over an untrusted network. In the standard setup X connections are automatically forwarded, but arbitrary TCP/IP ports may also be forwarded using a secure channel.</para>
<para>The <command>ssh<indexterm><primary>ssh</primary></indexterm></command> client connects and logs into the specified host name. The user must provide his identity to the remote machine as specified in the <filename>sshd_config<indexterm><primary>sshd_config</primary></indexterm></filename> file, which can usually be found in <filename>/etc/ssh</filename>. The configuration file is rather self-explanatory and by default enables most common features. Should you need help, you can find it in the <command>sshd</command> man pages.</para>
<para>When the user's identity has been accepted by the server, the server either executes the given command, or logs into the machine and gives the user a normal shell on the remote machine. All communication with the remote command or shell will be automatically encrypted.</para>
<para>The session terminates when the command or shell on the remote machine exits and all X11 and TCP/IP connections have been closed.</para>
<para>When connecting to a host for the first time, using any of the programs that are included in the SSH collection, you need to establish the authenticity of that host and acknowledge<indexterm><primary>Secure SHell</primary><secondary>example</secondary></indexterm> that you want to connect:</para>
<para>It is important that you type <quote>yes</quote>, in three characters, not just <quote>y</quote>. This edits your <filename>~/.ssh/known_hosts</filename> file, see <xref linkend="sect_10_03_04_03"/>.</para>
<para>If you just want to check something on a remote machine and then get your prompt back on the local host, you can give the commands that you want to execute remotely as arguments to <command>ssh</command>:</para>
<para>If the <varname>X11Forwarding<indexterm><primary>Secure SHell</primary><secondary>X11Forwarding</secondary></indexterm></varname> entry is set to <emphasis>yes</emphasis> on the target machine and the user is using X applications (that is, the <varname>DISPLAY<indexterm><primary>DISPLAY</primary></indexterm></varname> environment variable is set), the connection to the X11 display is automatically forwarded to the remote side. Any X11 programs started from the remote shell then go through the encrypted channel, and the connection to the real X server is made from the local machine. The user should not set <varname>DISPLAY</varname> manually. Forwarding of X11 connections can be configured on the command line or in the <command>sshd</command> configuration file.</para>
<para>The value for <varname>DISPLAY</varname> set by <command>ssh</command> will point to the server machine, but with a display number greater than zero. This is normal, and happens because <command>ssh</command> creates a <emphasis>proxy</emphasis> X server on the server machine (that runs the X client application) for forwarding the connections over the encrypted channel.</para>
<para>This is all done automatically, so when you type in the name of a graphical application, it is displayed on your local machine and not on the remote host. We use <command>xclock</command> in the example, since it is a small program which is generally installed and ideal for testing:</para>
<para>SSH will also automatically set up Xauthority data on the server machine. For this purpose, it will generate a random authorization cookie, store it in <filename>Xauthority<indexterm><primary>Xauthority</primary></indexterm></filename> on the server, and verify that any forwarded connections carry this cookie and replace it by the real cookie when the connection is opened. The real authentication cookie is never sent to the server machine (and no cookies are sent in the plain).</para>
<para>Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on the command line or in a configuration file.</para>
<para>This procedure assumes that you have a running X server on the client where you want to display the application from the remote host. The client may be of a different architecture and operating system than the remote host: as long as it can run an X server, such as <application>Cygwin</application> (which implements an <application>X.org</application> server for MS Windows clients and others) or <application>Exceed</application>, it should be possible to set up a remote connection with any Linux or UNIX machine.</para></note>
<para>The <command>ssh</command> client/server system automatically maintains and checks a database containing identifications<indexterm><primary>Secure SHell</primary><secondary>server authentication</secondary></indexterm> for all hosts it has ever been used with. Host keys are stored in <filename>$HOME/.ssh/known_hosts</filename> in the user's home directory. Additionally, the file <filename>/etc/ssh/ssh_known_hosts</filename> is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, <command>ssh</command> warns about this and disables password authentication to prevent a Trojan horse from getting the user's password. Another purpose of this mechanism is to prevent man-in-the-middle attacks which could otherwise be used to circumvent the encryption. In environments where high security is needed, <command>sshd</command> can even be configured to prevent logins to machines whose host keys have changed or are unknown.</para>
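<para>The host-key check just described, written out as an added example (not the book's or OpenSSH's code) so that the three outcomes are visible: no entry for the host, a matching key, and a changed key. <function>known_host_check</function> reads the plain (unhashed) <filename>known_hosts</filename> format of <literal>host[,host...] type key [comment]</literal>, also covering the <literal>[host]:port</literal> form, and <function>host_key_decision</function> states what <command>ssh</command> does with each outcome. The <filename>known_hosts</filename> content and the key strings are constructed placeholders, not real keys.</para>

```shell
#!/bin/sh
# Added example (not from the book): the three outcomes of checking a server's
# host key against known_hosts. File content and keys are constructed
# placeholders, not real keys.

# Usage: known_host_check FILE HOST KEYTYPE KEY
# Prints "match", "changed" (an entry of this type exists with another key)
# or "new" (no entry of this type for HOST). Hashed "|1|..." lines are skipped;
# use "ssh-keygen -F HOST" for those.
known_host_check() {
    file=$1 host=$2 ktype=$3 key=$4
    result=new
    while read -r names ftype fkey _comment; do
        case $names in ''|\#*|\|*) continue ;; esac   # blank, comment, hashed
        [ "$ftype" = "$ktype" ] || continue
        case ",$names," in
            *",$host,"*)
                if [ "$fkey" = "$key" ]; then result=match; else result=changed; fi
                break ;;
        esac
    done < "$file"
    printf '%s\n' "$result"
}

# What ssh does with each outcome in its default (ask) mode.
host_key_decision() {
    case $1 in
        match)   echo "connect" ;;
        new)     echo "ask: confirm the fingerprint out of band, then add to known_hosts" ;;
        changed) echo "REFUSE: possible man-in-the-middle, password authentication disabled" ;;
        *)       echo "unknown outcome"; return 1 ;;
    esac
}

# Constructed known_hosts; the keys are placeholders, not real keys.
KNOWN_HOSTS_SAMPLE='# constructed sample
blob.example.com,192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAexamplekey1== user@blob
[git.example.com]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKey2 deploy'

# Demo: a server at blob.example.com presents a different RSA key.
demo=$(mktemp)
printf '%s\n' "$KNOWN_HOSTS_SAMPLE" > "$demo"
outcome=$(known_host_check "$demo" blob.example.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAdifferentkey==)
printf '%s -> %s\n' "$outcome" "$(host_key_decision "$outcome")"
rm -f "$demo"
```

<para>When <command>ssh</command> reports a changed key, the right reaction is to confirm out of band (with the machine's administrator) that the host was really reinstalled or re-keyed before removing the stale line with <command>ssh-keygen -R blob.example.com</command>; simply deleting the warning away is exactly what a man-in-the-middle hopes you will do.</para>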
<para>The SSH suite provides <command>scp<indexterm><primary>Secure SHell</primary><secondary>secure copy</secondary></indexterm></command> as a secure alternative to the <command>rcp</command> command that used to be popular when only <command>rsh</command> existed. <command>scp<indexterm><primary>scp</primary></indexterm></command> uses <command>ssh</command> for data transfer, uses the same authentication and provides the same security as <command>ssh</command>. Unlike <command>rcp</command>, <command>scp</command> will ask for passwords or passphrases if they are needed for authentication<indexterm><primary>scp</primary><secondary>example</secondary></indexterm>:</para>
<para>Any file name may contain a host and user specification to indicate that the file is to be copied to/from that host. Copies between two remote hosts are permitted. See the Info pages for more information.</para>
<para>If you would rather use an FTP-like interface, use <command>sftp</command><indexterm><primary>sftp</primary><secondary>example</secondary></indexterm>:</para>
<para>Don't feel comfortable with the command line yet? Try <application>Konqueror</application>'s capabilities for secure remote copy, or install <application>PuTTY</application>.</para>
<para>The <command>ssh-keygen<indexterm><primary>ssh-keygen</primary></indexterm></command> command generates, manages and converts authentication<indexterm><primary>Secure SHell</primary><secondary>authentication keys</secondary></indexterm> keys for <command>ssh</command>. It can create RSA keys for use by SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2.</para>
<para>Normally each user wishing to use SSH with RSA or DSA authentication runs this once to create the authentication key in <filename>$HOME/.ssh/identity</filename>, <filename>id_dsa</filename> or <filename>id_rsa</filename>. Additionally, the system administrator may use this to generate host keys for the system.</para>
<para>Normally this program generates the key and asks for a file in which to store the private key. The public key is stored in a file with the same name but <emphasis>.pub</emphasis> appended. The program also asks for a passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length.</para>
<para>There is no way to recover a lost passphrase. If the passphrase is lost or forgotten, a new key must be generated and copied to the corresponding public keys.</para>
<para>VNC or <application>Virtual Network Computing</application> is in fact a remote display<indexterm><primary>VNC</primary></indexterm> system<indexterm><primary>remote execution</primary><secondary>VNC</secondary></indexterm> which allows viewing a desktop environment not only on the local machine on which it is running, but from anywhere on the Internet and from a wide variety of machines and architectures, including MS Windows and several UNIX distributions. You could, for example, run MS Word on a Windows NT machine and display the output on your Linux desktop. VNC provides servers as well as clients, so the opposite also works and it may thus be used to display Linux programs on Windows clients. VNC is probably the easiest way to have X connections on a PC. The following features make VNC different from a normal X server or commercial implementations:</para>
<listitem><para>No state is stored at the viewer side: you can leave your desk and resume from another machine, continuing where you left. When you are running a PC X server, and the PC crashes or is restarted, all remote applications that you were running will die. With VNC, they keep on running.</para></listitem>
<listitem><para>It is small and simple: no installation is needed, and it can be run from a floppy if necessary.</para></listitem>
<listitem><para>Platform independent with the Java client, runs on virtually everything that supports X.</para></listitem>
<listitem><para>Sharable: one desktop may be displayed on multiple viewers.</para></listitem>
<para>More information can be found in the VNC client man pages (<command>man <parameter>vncviewer</parameter></command>) or on the <ulink url="http://www.realvnc.com/">VNC website</ulink>.</para>
<para>In order to ease management of MS Windows hosts, recent Linux distributions support the Remote Desktop Protocol (RDP<indexterm><primary>protocols</primary><secondary>RDP</secondary></indexterm>), which is implemented in the <command>rdesktop<indexterm><primary>rdesktop</primary></indexterm></command> client. The protocol<indexterm><primary>remote execution</primary><secondary>RDP</secondary></indexterm> is used in a number of Microsoft products, including Windows NT Terminal Server, Windows 2000 Server, Windows XP and Windows 2003 Server.</para>
<para>Surprise your friends (or management) with the fullscreen mode, multiple types of keyboard layouts and single application mode, just like the real thing. The <command>man <parameter>rdesktop</parameter></command> manual provides more information. The project's homepage is at <ulink url="http://www.rdesktop.org/"/>.</para>
<para><ulink url="http://www.cygwin.com">Cygwin</ulink> provides<indexterm><primary>remote execution</primary><secondary>Cygwin</secondary></indexterm> substantial UNIX functionality on MS Windows systems. Apart from providing UNIX command line tools and graphical applications, it can also be used to display a Linux desktop on an MS Windows machine, using remote X. From a <application>Cygwin Bash<indexterm><primary>Cygwin</primary></indexterm></application> shell, type the command</para>
<para>The connection is by default denied. You need to change the <application>X Display Manager</application> (XDM) configuration and possibly the <application>X Font Server</application> (XFS) configuration to enable this type of connection, where you get a login screen on the remote machine. Depending on your desktop manager (<application>Gnome</application>, <application>KDE</application>, other), you might have to change some configurations there, too.</para>
<para>If you do not need to display the entire desktop, you can use SSH in <application>Cygwin</application>, as explained in <xref linkend="sect_10_05_04"/>, without all the fuss of editing configuration files.</para>
<para>As soon as a computer is connected to the network, all kinds of abuse becomes possible, be it a UNIX-based or any other system. Admittedly, mountains of papers have been spilled on this subject and it would lead us too far to discuss the subject of security<indexterm><primary>security</primary><secondary>considerations</secondary></indexterm> in detail. There are, however, a couple of fairly logical things even a novice user can do to obtain a very secure system, because most break-ins are the result of ignorant or careless users.</para>
<para>Maybe you are asking yourself if this all applies to you, using your computer at home or working at your office on a desktop in a fairly protected environment. The questions you should be asking yourself, however, are more on the lines of:</para>
<itemizedlist>
<listitem><para>Do you want to be in control of your own system?</para></listitem>
<listitem><para>Do you want to (unwittingly) participate in criminal activities?</para></listitem>
<listitem><para>Do you want your equipment to be used by someone else?</para></listitem>
<listitem><para>Do you want to take risks on losing your Internet connection?</para></listitem>
<listitem><para>Do you want to rebuild your system every time it has been hacked?</para></listitem>
<listitem><para>Do you want to risk personal or other data loss?</para></listitem>
<para>Presuming you don't, we will quickly list the steps you can take to secure your machine. Extended information can be found in the <ulink url="http://www.tldp.org/HOWTO/Security-HOWTO.html">Linux Security HOWTO</ulink>.</para>
<para>The goal is to run as few services<indexterm><primary>security</primary><secondary>disable services</secondary></indexterm> as possible. If the number of ports that are open to the outside world is kept to a minimum, it is all the easier to keep an overview. If services can't be turned off for the local network, try to at least disable them for outside connections.</para>
<para>A rule of thumb is that if you don't recognize a particular service, you probably won't need it anyway. Also keep in mind that some services are not really meant to be used over the Internet. Don't rely on what <emphasis>should</emphasis> be running, check which services are listening<indexterm><primary>security</primary><secondary>check open ports</secondary></indexterm> on what TCP ports using the <command>netstat<indexterm><primary>netstat</primary></indexterm></command> command:</para>
<listitem><para><command>exec<indexterm><primary>exec</primary></indexterm></command>, <command>rlogin<indexterm><primary>rlogin</primary></indexterm></command> and <command>rsh<indexterm><primary>rsh</primary></indexterm></command>, and <command>telnet<indexterm><primary>telnet</primary></indexterm></command> just to be on the safe side.</para></listitem>
<listitem><para>X11 on server machines.</para></listitem>
<listitem><para>No lp if no printer is physically attached.</para></listitem>
<listitem><para>No MS Windows hosts in the network, no Samba required.</para></listitem>
<listitem><para>Don't allow FTP unless an FTP server is required.</para></listitem>
<listitem><para>Don't allow NFS and NIS over the Internet, disable all related services on a stand-alone installation.</para></listitem>
<listitem><para>Don't run an MTA if you're not actually on a mail server.</para></listitem>
<listitem><para>...</para></listitem>
</itemizedlist>
<para>Stop running services using the <command>chkconfig</command> command, the initscripts or by editing the <command>(x)inetd</command> configuration files.</para>
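<para>The check described above, as an added example that is not part of the original text: a small script that parses the output of <command>netstat -tln</command> and reports every port listening on a non-loopback address that is not on a list of services you expect. The <command>netstat</command> output embedded below is constructed sample data so the script runs offline; on a real host replace it with the live command output.</para>

```shell
# Added example, not from the original text. Audit the TCP ports a host is
# listening on against an allowlist of expected ports.
# SAMPLE_NETSTAT is CONSTRUCTED to look like "netstat -tln" output;
# on a real host use:  unexpected_ports "22 80" "$(netstat -tln)"
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# listening_ports NETSTAT_OUTPUT: print, one per line and sorted, every port
# in LISTEN state that is bound to something other than the loopback
# address (127.x.x.x or ::1). Loopback-only services are not reachable
# from the network and are therefore left out of the report.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4                       # "Local Address" column
            n = split(addr, parts, ":")
            port = parts[n]                 # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next
            print port
        }' | sort -n | uniq
}

# unexpected_ports "ALLOWED" NETSTAT_OUTPUT: print the listening ports that
# are not in the space-separated ALLOWED list. Anything printed is either a
# service to turn off or a service you forgot to document.
unexpected_ports() {
    allowed=" $1 "
    for p in $(listening_ports "$2"); do
        case "$allowed" in
            *" $p "*) ;;                    # expected service, skip it
            *) echo "$p" ;;
        esac
    done
}

# Usage: a web server that should only expose SSH (22) and HTTP (80).
# Here portmapper (111) and the X server (6000) show up as unexpected.
unexpected_ports "22 80" "$SAMPLE_NETSTAT"
```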
<para>Its ability to adapt quickly in an ever changing environment is what makes Linux thrive. But it also creates a possibility that security updates<indexterm><primary>security</primary><secondary>updates</secondary></indexterm> have been released even while you are installing a brand new version, so the first thing you should do (and this goes for about any OS you can think of) after installing is getting the updates as soon as possible. After that, update <emphasis>all</emphasis> the packages you use regularly.</para>
<para>Some updates may require new configuration files, and old files may be replaced. Check the documentation, and ensure that everything runs normally after updating.</para>
<para>Most Linux distributions provide mailing list services for security update announcements, and tools for applying updates to the system. Linux-specific security issues are reported, among other places, at <ulink url="http://linuxsecurity.com">Linuxsecurity.com</ulink>.</para>
<para>Updating is an ongoing process, so it should be an almost daily habit.</para>
<para>In the previous section we already mentioned firewall<indexterm><primary>security</primary><secondary>firewall</secondary></indexterm> capabilities in Linux. While firewall administration is one of the tasks of your network admin, you should know a couple of things about firewalls.</para>
<para><emphasis>Firewall</emphasis> is a vague term that can mean anything that acts as a protective barrier between us and the outside world, generally the Internet. A firewall can be a dedicated system or a specific application that provides this functionality. Or it can be a combination of components, including various combinations of hardware and software. Firewalls are built from <quote>rules</quote> that are used to define what is allowed to enter and/or exit a given system or network.</para>
<para>After disabling unnecessary services, we now want to restrict the services that remain so as to allow only the minimum required connections. A fine example is working from home: only the specific connection between your office and your home should be allowed, while connections from other machines on the Internet should be blocked.</para>
<para>The first line of defense is a <emphasis>packet filter<indexterm><primary>security</primary><secondary>packet filters</secondary></indexterm></emphasis>, which can look inside IP packets and make decisions based on the content. Most common is the <application>Netfilter</application> package, providing the <command>iptables</command> command, a next generation packet filter for Linux.</para>
<para>One of the most noteworthy enhancements in the newer kernels is the <emphasis>stateful inspection</emphasis> feature, which not only tells what is inside a packet, but also detects if a packet belongs or is related to a new or existing connection.</para>
<para>The <application>Shoreline Firewall</application> or <application>Shorewall</application> for short is a front-end for the standard firewall functionality in Linux.</para>
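<para>The working-from-home case above, as an added example that is not part of the original text: a function that prints a minimal stateful <command>iptables</command> ruleset in <command>iptables-restore</command> format, accepting new SSH connections only from one office address and relying on connection tracking for everything else. The office address is a constructed placeholder, and nothing is applied unless the output is fed to <command>iptables-restore</command> as root.</para>

```shell
# Added example, not from the original text. gen_rules OFFICE_IP prints an
# iptables-restore(8) ruleset for a home machine that should only be
# reachable from the office. 203.0.113.10 used below is a CONSTRUCTED
# placeholder address; substitute the real office address.
gen_rules() {
    office="$1"   # the one address allowed to open new SSH sessions
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic on the loopback interface never leaves the machine
-A INPUT -i lo -j ACCEPT
# Stateful inspection: packets that belong to, or are related to, a
# connection the kernel already tracks are accepted without further checks;
# packets that fit no known connection are dropped outright
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only the office may open a NEW SSH connection; every other source hits
# the DROP policy below
-A INPUT -p tcp --dport 22 -s ${office} -m conntrack --ctstate NEW -j ACCEPT
# Keep ICMP echo so the link can still be tested with ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log what is left (rate-limited) before the INPUT policy drops it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# ssh_allowed_from OFFICE_IP: extract the source addresses that the
# generated ruleset lets open SSH connections, to review a ruleset
# before loading it
ssh_allowed_from() {
    gen_rules "$1" | awk '/--dport 22 .*-j ACCEPT/ {
        for (i = 1; i <= NF; i++) if ($i == "-s") print $(i + 1) }'
}

# Usage: review the rules, then load them with
#   gen_rules 203.0.113.10 | sudo iptables-restore
gen_rules 203.0.113.10
```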
<para>TCP wrapping<indexterm><primary>security</primary><secondary>TCP wrappers</secondary></indexterm> provides much the same results as the packet filters, but works differently. The wrapper actually accepts the connection attempt, then examines configuration files and decides whether to accept or reject the connection request. It controls connections at the application level rather than at the network level.</para>
<para>TCP wrappers are typically used with <command>xinetd</command> to provide host name and IP-address-based access control. In addition, these tools include logging and utilization management capabilities that are easy to configure.</para>
<para>The advantages of TCP wrappers are that the connecting client is unaware that wrappers are used, and that they operate separately from the applications they protect.</para>
<para>The host based access is controlled in the <filename>hosts.allow</filename> and <filename>hosts.deny</filename> files. More information can be found in the TCP wrapper documentation files in <filename>/usr/share/doc/tcp_wrappers[-&lt;version&gt;/]</filename> or <filename>/usr/share/doc/tcp</filename> and in the man pages for the host based access control files, which contain examples.</para>
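<para>The two access control files described above, as an added example that is not part of the original text: <filename>hosts.allow</filename> and <filename>hosts.deny</filename> entries for the same home/office case, together with a small function that emulates the lookup order the TCP wrapper library documents (search <filename>hosts.allow</filename> first and grant on a match, then <filename>hosts.deny</filename> and refuse on a match, otherwise grant). The addresses are constructed, and only the <literal>ALL</literal> wildcard, exact addresses and trailing-dot network prefixes are implemented; the real library understands more patterns.</para>

```shell
# Added example, not from the original text. The two tables below are
# CONSTRUCTED hosts.allow / hosts.deny contents; the functions emulate the
# documented evaluation order so the policy can be checked on paper.
HOSTS_ALLOW='# daemon list : client list
sshd : 203.0.113.10
sshd : 192.168.1.
ALL  : 127.0.0.1'

HOSTS_DENY='# refuse everything not explicitly allowed above
ALL : ALL'

# match_pattern PATTERN VALUE: succeeds when VALUE matches one pattern.
# "ALL" matches anything, a pattern ending in "." is a network prefix
# (192.168.1. matches 192.168.1.20), anything else must match exactly.
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# match_file TABLE DAEMON CLIENT: succeeds when some "daemons : clients"
# line of TABLE matches both the daemon name and the client address.
match_file() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks, comments
        daemons=${line%%:*}
        clients=${line#*:}
        for d in $daemons; do
            match_pattern "$d" "$2" || continue
            for c in $clients; do
                match_pattern "$c" "$3" && return 0
            done
        done
    done <<EOF
$1
EOF
    return 1
}

# wrapper_decision DAEMON CLIENT: prints "allow" or "deny" following the
# order hosts_access uses: allow file, then deny file, then default allow.
wrapper_decision() {
    if   match_file "$HOSTS_ALLOW" "$1" "$2"; then echo allow
    elif match_file "$HOSTS_DENY"  "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Usage: the office and the home LAN reach sshd, nobody else does, and a
# daemon missing from hosts.allow is refused by the ALL : ALL deny line.
wrapper_decision sshd 203.0.113.10
wrapper_decision sshd 192.168.1.20
wrapper_decision sshd 198.51.100.7
wrapper_decision ftpd 192.168.1.20
```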
<para>Proxies<indexterm><primary>servers</primary><secondary>proxy</secondary></indexterm> can perform various duties, not all of which have much to do with security. But the fact that they are an intermediary makes proxies<indexterm><primary>security</primary><secondary>proxies</secondary></indexterm> a good place to enforce access control policies, limit direct connections through a firewall, and control how the network behind the proxy looks to the Internet.</para>
<para>Usually in combination with a packet filter, but sometimes all by themselves, proxies provide an extra level of control. More information can be found in the <ulink url="http://www.tldp.org/HOWTO/Firewall-HOWTO.html">Firewall HOWTO</ulink> or on the Squid website.</para>
<para>Some servers may have their own access control features. Common examples include <application>Samba</application>, <application>X Window</application>, <application>Bind</application>, <application>Apache</application> and CUPS. For every service you want to offer check which configuration files apply.</para>
<para>If anything, the UNIX way of logging<indexterm><primary>files</primary><secondary>logging</secondary></indexterm> all kinds of activities into all kinds of files confirms that <quote>it is doing something.</quote> Of course, log<indexterm><primary>security</primary><secondary>logs</secondary></indexterm> files should be checked regularly, manually or automatically. Firewalls and other means of access control tend to create huge amounts of log files, so the trick is to try and only log abnormal activities.</para></sect3>
<para>Intrusion Detection Systems<indexterm><primary>security</primary><secondary>intrusion detection</secondary></indexterm> are designed to catch what might have gotten past the firewall. They can either be designed to catch an active break-in attempt in progress, or to detect a successful break-in after the fact. In the latter case, it is too late to prevent any damage, but at least we have early awareness of a problem. There are two basic types of IDS: those protecting networks, and those protecting individual hosts.</para>
<para>For host based IDS, this is done with utilities that monitor the file system for changes. System files that have changed in some way, but should not change, are a dead give-away that something is amiss. Anyone who gets in and gets root access will presumably make changes to the system somewhere. This is usually the very first thing done, either to get back in through a backdoor, or to launch an attack against someone else, in which case files on the system have to be changed or added. Some systems come with the <command>tripwire</command> monitoring system, which is documented at the <ulink url="http://www.tripwire.org">Tripwire Open Source Project</ulink> website.</para>
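<para>The host based approach described above, as an added example that is not part of the original text and not the <command>tripwire</command> code itself: record a baseline of file checksums, then later report every file that changed, disappeared or appeared. The directory tree it checks is constructed in a temporary location so the script runs offline; on a real host the baseline would cover <filename>/etc</filename>, <filename>/bin</filename>, <filename>/sbin</filename> and the like and be stored off the machine.</para>

```shell
# Added example, not from the original text. A minimal file-integrity
# monitor: baseline() records checksums, verify() diffs them against the
# current state. The demo tree at the end is CONSTRUCTED for illustration.

# baseline DIR OUT: write "sha256  ./path" for every regular file under DIR
baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$2"
}

# verify DIR BASELINE: print one line per difference (MISSING, ADDED or
# CHANGED, followed by the path); empty output means nothing changed.
verify() {
    current=$(mktemp)
    baseline "$1" "$current"
    awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # baseline listing
        { new[$2] = $1 }                             # current listing
        END {
            for (p in old) if (!(p in new)) print "MISSING  " p
            for (p in new) if (!(p in old)) print "ADDED    " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "CHANGED  " p
        }' "$2" "$current" | sort
    rm -f "$current"
}

# changed_count DIR BASELINE: number of differences, handy in a cron job
changed_count() { verify "$1" "$2" | wc -l | tr -d ' '; }

# demo: build a small fake system tree, take a baseline, alter the tree
# the way an intruder would have to (a file edited, a binary replaced, a
# file removed, a file added), and print what verify() reports.
demo() {
    root=$(mktemp -d); base=$(mktemp)
    mkdir -p "$root/etc" "$root/bin"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$root/etc/passwd"
    printf '127.0.0.1 localhost\n'           > "$root/etc/hosts"
    printf '#!/bin/sh\necho original\n'      > "$root/bin/ls"
    baseline "$root" "$base"
    printf 'extra:x:0:0::/:/bin/sh\n'       >> "$root/etc/passwd"   # edited
    printf '#!/bin/sh\necho replaced\n'      > "$root/bin/ls"        # replaced
    rm -f "$root/etc/hosts"                                          # removed
    printf 'x\n'                             > "$root/bin/newfile"   # added
    verify "$root" "$base"
    rm -rf "$root" "$base"
}

demo
```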
<para>Network intrusion detection is handled by a system that sees all the traffic that passes the firewall (not by portscanners, which advertise usable ports). <ulink url="http://www.snort.org">Snort</ulink> is an Open Source example of such a program. Whitehats.com features an open intrusion detection database, <ulink url="http://www.whitehats.com">arachNIDS</ulink>.</para>
<listitem><para>Do not allow root logins. UNIX developers came up with the <command>su</command> command over two decades ago for extra security.</para></listitem>
<listitem><para>Direct root access is always dangerous and susceptible to human errors, be it by allowing root login or by using the <command>su <option>-</option></command> command. Rather than using <command>su</command>, it is even better to use <command>sudo</command> to only execute the command that you need extra permissions for, and to return afterwards to your own environment.</para></listitem>
<listitem><para>Try to always use SSH or SSL. Avoid <command>telnet</command>, FTP and E-mail clients and other client programs which send unencrypted passwords over the network. Security is not only about securing your computer, it is also about securing your passwords.</para></listitem>
<para>The <ulink url="http://www.sans.org">SANS institute</ulink> has more tips and tricks, sorted per distribution, with mailing list service.</para></listitem>
<para>How can you tell? This is a checklist of suspicious<indexterm><primary>security</primary><secondary>intrusion detection</secondary></indexterm> events:</para>
<para>In short, stay calm. Then take the following actions<indexterm><primary>security</primary><secondary>recovery</secondary></indexterm> in this order:</para>
<listitem><para>Backup important non-system data. If possible, check these data against existing backups, made before the system was compromised, to ensure data integrity.</para></listitem>
<para>Linux and networking go hand in hand. The Linux kernel has support for all common and most uncommon network protocols. The standard UNIX networking tools are provided in each distribution. Next to those, most distributions offer tools for easy network installation and management.</para>
<para>Linux is well known as a stable platform for running various Internet services; the amount of Internet software is endless. Like UNIX, Linux can just as well be used and administered from a remote location, using one of several solutions for remote execution of programs.</para>
<para>We briefly touched on the subject of security. Linux is an ideal firewall system, light and cheap, but can also be used in several other network functions such as routers and proxy servers.</para>
<para>Increasing network security is mainly done by applying frequent updates and common sense.</para>
<listitem><para>Display network information for your workstation: IP address, routes, name servers.</para></listitem>
<listitem><para>Suppose no DNS is available. What would you do to reach your neighbour's machine without typing the IP address all the time?</para></listitem>
<listitem><para>How would you permanently store proxy information for a text mode browser such as <command>links</command>?</para></listitem>
<listitem><para>Which name servers handle the redhat.com domain?</para></listitem>
<listitem><para>Send an E-mail to your local account. Try two different ways to send and read it. How can you check that it really arrived?</para></listitem>
<listitem><para>Does your machine accept anonymous FTP connections? How do you use the <command>ncftp</command> program to authenticate with your user name and password?</para></listitem>
<listitem><para>Does your machine run a web server? If not, make it do so. Check the log files!</para></listitem>
<listitem><para>From your local workstation, display a graphical application, such as <command>xclock</command> on your neighbour's screen. The necessary accounts will have to be set up. Use a secure connection!</para></listitem>
<listitem><para>Set up SSH keys so you can connect to your neighbour's machine without having to enter a password.</para></listitem>
<listitem><para>Make a backup copy of your home directory in <filename>/var/tmp</filename> on your neighbour's <quote>backup server,</quote> using <command>scp</command>. Archive and compress before starting the data transfer! Connect to the remote host using <command>ssh</command>, unpack the backup, and put one file back on the original machine using <command>sftp</command>.</para></listitem>
<listitem><para>Make a list of open (listening) ports on your machine.</para></listitem>
<listitem><para>Supposing you want to run a web server. Which services would you deactivate? How would you do that?</para></listitem>
<listitem><para>Install available updates.</para></listitem>
<listitem><para>How can you see who connected to your system?</para></listitem>
<listitem><para>Make a repetitive job that reminds you to change your password every month, and preferably the <emphasis>root</emphasis> password as well.</para></listitem>